plain dhcp with dnssec
This commit is contained in:
parent
f452ce64c7
commit
e522dfefd3
4 changed files with 35 additions and 19 deletions
45
common.nix
45
common.nix
|
@ -90,21 +90,46 @@ in
|
|||
# allow all firmware
|
||||
hardware.enableAllFirmware = true;
|
||||
|
||||
# networking via networkd
|
||||
networking.useDHCP = false;
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."10-lan" = {
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
};
|
||||
# make routing on this interface a dependency for network-online.target
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
# networking just with the dhcp client
|
||||
networking.useDHCP = true;
|
||||
|
||||
# ensure firewall is up, allow ssh and http in
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.allowedTCPPorts = [ 22 80 ];
|
||||
|
||||
# secure dns with local resolve via fritz.box
|
||||
networking = {
|
||||
nameservers = [ "127.0.0.1" "::1" ];
|
||||
dhcpcd.extraConfig = "nohook resolv.conf";
|
||||
resolvconf.useLocalResolver = true;
|
||||
};
|
||||
environment.etc = {
|
||||
forwarding_rules = {
|
||||
text = ''
|
||||
fritz.box 192.168.13.1
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
ipv6_servers = true;
|
||||
require_dnssec = true;
|
||||
sources.public-resolvers = {
|
||||
urls = [
|
||||
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
|
||||
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
|
||||
];
|
||||
cache_file = "/nix/persistent/public-resolvers.md";
|
||||
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
||||
};
|
||||
forwarding_rules = "/etc/forwarding_rules";
|
||||
};
|
||||
};
|
||||
systemd.services.dnscrypt-proxy2.serviceConfig = {
|
||||
StateDirectory = "dnscrypt-proxy";
|
||||
};
|
||||
|
||||
# swap to RAM
|
||||
zramSwap.enable = true;
|
||||
|
||||
|
|
|
@ -20,9 +20,6 @@
|
|||
|
||||
swapDevices = [ ];
|
||||
|
||||
# setup our network for later config in common.nix
|
||||
systemd.network.networks."10-lan".matchConfig.Name = "enp1s0";
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
|
@ -20,9 +20,6 @@
|
|||
|
||||
swapDevices = [ ];
|
||||
|
||||
# setup our network for later config in common.nix
|
||||
systemd.network.networks."10-lan".matchConfig.Name = "eno1";
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
||||
|
|
|
@ -25,9 +25,6 @@
|
|||
|
||||
swapDevices = [ ];
|
||||
|
||||
# setup our network for later config in common.nix
|
||||
systemd.network.networks."10-lan".matchConfig.Name = "enp8s0";
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
|
Loading…
Reference in a new issue