From e522dfefd3771922a53b451f66dab3dd74cf6461 Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Tue, 2 May 2023 19:32:11 +0200
Subject: [PATCH] plain dhcp with dnssec
---
 common.nix | 45 +++++++++++++++++++++++++--------
 kuro/hardware-configuration.nix | 3 ---
 mini/hardware-configuration.nix | 3 ---
 neko/hardware-configuration.nix | 3 ---
 4 files changed, 35 insertions(+), 19 deletions(-)
diff --git a/common.nix b/common.nix
index cc1e5fe..70ae589 100644
--- a/common.nix
+++ b/common.nix
@@ -90,21 +90,46 @@ in
 # allow all firmware
 hardware.enableAllFirmware = true;
- # networking via networkd
- networking.useDHCP = false;
- systemd.network.enable = true;
- systemd.network.networks."10-lan" = {
- networkConfig = {
- DHCP = "yes";
- };
- # make routing on this interface a dependency for network-online.target
- linkConfig.RequiredForOnline = "routable";
- };
+ # networking just with the dhcp client
+ networking.useDHCP = true;
 # ensure firewall is up, allow ssh and http in
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 ];
+ # secure dns with local resolve via fritz.box
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ resolvconf.useLocalResolver = true;
+ };
+ environment.etc = {
+ forwarding_rules = {
+ text = ''
+ fritz.box 192.168.13.1
+ '';
+ };
+ };
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/nix/persistent/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ forwarding_rules = "/etc/forwarding_rules";
+ };
+ };
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = "dnscrypt-proxy";
+ };
+
 # swap to RAM
 zramSwap.enable = true;
diff --git a/kuro/hardware-configuration.nix b/kuro/hardware-configuration.nix
index f185c24..95a5865 100644
--- a/kuro/hardware-configuration.nix
+++ b/kuro/hardware-configuration.nix
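Review bot: `require_dnssec = true` under `services.dnscrypt-proxy2.settings` only narrows resolver selection to servers whose source entry advertises DNSSEC support; dnscrypt-proxy does not validate RRSIGs locally, so "dnssec" here means trusting the chosen upstream's validation over the encrypted channel rather than end-to-end validation on the host. That is worth stating next to the line, e.g. `# picks only resolvers advertising DNSSEC; validation happens upstream, not locally`, so the commit title is not over-read. Separately, `cache_file` is placed under `/nix/persistent/` while the added `StateDirectory = "dnscrypt-proxy"` only guarantees the unit a writable state directory of its own; if the service runs sandboxed (ProtectSystem/DynamicUser from the NixOS module, not visible here), writes to that path may be denied and the resolver list silently re-fetched on every start, so confirm the path is writable for the service or point `cache_file` into the state directory. The `fritz.box 192.168.13.1` forwarding rule deliberately sends that zone to the router in plaintext and outside DNSSEC, which is fine for a LAN-only name but deserves a one-line comment so the file is not later extended with public zones.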
@@ -20,9 +20,6 @@
 swapDevices = [ ];
- # setup our network for later config in common.nix
- systemd.network.networks."10-lan".matchConfig.Name = "enp1s0";
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/mini/hardware-configuration.nix b/mini/hardware-configuration.nix
index 56f6c23..b051373 100644
--- a/mini/hardware-configuration.nix
+++ b/mini/hardware-configuration.nix
@@ -20,9 +20,6 @@
 swapDevices = [ ];
- # setup our network for later config in common.nix
- systemd.network.networks."10-lan".matchConfig.Name = "eno1";
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/neko/hardware-configuration.nix b/neko/hardware-configuration.nix
index 028ff5c..a6c9b84 100644
--- a/neko/hardware-configuration.nix
+++ b/neko/hardware-configuration.nix
@@ -25,9 +25,6 @@
 swapDevices = [ ];
- # setup our network for later config in common.nix
- systemd.network.networks."10-lan".matchConfig.Name = "enp8s0";
-
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;