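# Module: Network Configuration
# Description: Network setup with dnscrypt-proxy for encrypted DNS, WiFi networks
# configuration via wpa_supplicant, and hostname settings
# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
# Security: WiFi credentials stored via sops-nix secrets

{ config, lib, pkgs, customConfig, ... }:

let
  # Standalone dnscrypt-proxy configuration for the backup resolver.
  # It binds a second loopback alias (127.0.0.2) so it can coexist with the
  # primary instance on 127.0.0.1, and takes its server list from the public
  # DNSCrypt resolver feed, signature-checked with the minisign key below.
  # cache_file must be under the backup unit's StateDirectory (set in the
  # service definition below), because the unit runs as a DynamicUser and
  # /var/lib is otherwise read-only to it.
  backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
    listen_addresses = ["127.0.0.2:53"]
    server_names = ["dns0-eu"]

    [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
    cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
  '';
in
{
  # --- Firewall -------------------------------------------------------------
  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    allowPing = true;
    # allowedTCPPorts = [ ... ]; # keep closed by default

    # Port 53 is opened only on the docker bridge, matching the extra
    # 172.17.0.1:53 listen address of the primary resolver below (presumably
    # so containers can use it). No other interface exposes DNS.
    interfaces.docker0 = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
  };

  networking.hostName = customConfig.hostname;

  # --- Wireless -------------------------------------------------------------
  # Pick only one of the below networking options.
  networking.wireless.enable = true;
  # networking.wireless.userControlled = true;
  # networking.wireless.secretsFile = config.sops.secrets.wifi.path;

  # Load encrypted WiFi networks configuration via wpa_supplicant include files.
  # This is supported by the NixOS module and keeps SSIDs out of the Nix store.
  # The include is only added when the `wifi-networks` sops secret is declared,
  # so a host without that secret still evaluates.
  networking.wireless.extraConfigFiles = lib.mkIf (config.sops.secrets ? wifi-networks) [
    config.sops.secrets.wifi-networks.path
  ];

  # NOTE(review): this disables the NixOS module's systemd sandboxing for
  # wpa_supplicant. No reason is recorded here; presumably the hardened unit
  # cannot read the sops-managed include file above — confirm, and re-enable
  # hardening if that is not the case.
  networking.wireless.enableHardening = false;

  # systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
  # systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];

  # You can also define networks in Nix if you prefer (less secure - names visible):
  # networking.wireless.networks = { ... };

  # --- DNS ------------------------------------------------------------------
  # Two loopback addresses so the primary (127.0.0.1) and backup (127.0.0.2)
  # resolvers can each bind port 53.
  networking.interfaces.lo.ipv4.addresses = [
    { address = "127.0.0.1"; prefixLength = 8; }
    { address = "127.0.0.2"; prefixLength = 8; }
  ];

  # Primary first, backup second.
  networking.nameservers = [ "127.0.0.1" "127.0.0.2" ];

  # Keep other stub resolvers off so they neither claim port 53 nor rewrite
  # the nameserver list.
  # networking.networkmanager.dns = "none";
  services.resolved.enable = false;

  # Primary resolver: a single static upstream, no public server list and no
  # bootstrap resolvers.
  services.dnscrypt-proxy = {
    enable = true;
    settings = {
      # 127.0.0.1 for the host; 172.17.0.1 for the docker bridge (see the
      # docker0 firewall rule above).
      listen_addresses = [ "127.0.0.1:53" "172.17.0.1:53" ];
      server_names = [ "amaury" ];
      # Intentionally empty: together with ignore_system_dns = true the
      # upstream must be reachable from the stamp alone.
      # NOTE(review): assumes the stamp embeds the server address — confirm.
      bootstrap_resolvers = [];
      sources = {};
      static = {
        "amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
      };
      cache = true;
      ignore_system_dns = true;
      timeout = 5000;
    };
  };

  # Backup resolver: an independent dnscrypt-proxy instance on 127.0.0.2
  # driven by backupToml (dns0-eu from the public resolver list).
  systemd.services."dnscrypt-proxy-backup" = {
    description = "dnscrypt-proxy backup (dns0-eu)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
      Restart = "on-failure";
      # Unprivileged dynamic user, no privilege escalation, and only the one
      # capability needed to bind port 53 — bounded so it cannot be regained.
      NoNewPrivileges = true;
      DynamicUser = true;
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
      # Provides a writable /var/lib/dnscrypt-proxy-backup for cache_file in
      # backupToml; DynamicUser otherwise leaves /var/lib read-only, so the
      # downloaded resolver list could not be cached.
      StateDirectory = "dnscrypt-proxy-backup";
    };
  };

  systemd.services.dnscrypt-proxy.serviceConfig = {
    # Writable state for the primary instance (same pattern as the backup).
    StateDirectory = "dnscrypt-proxy";
  };
}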