2024-04-01 01:11:23 +02:00
|
|
|
{lib, ...}: {
|
2023-08-25 00:57:42 +02:00
|
|
|
# https://nixos.wiki/wiki/Networking
|
|
|
|
# https://nixos.wiki/wiki/Systemd-networkd
|
|
|
|
|
2023-08-01 15:35:09 +02:00
|
|
|
networking = {
|
|
|
|
firewall = {
|
2023-08-25 00:57:42 +02:00
|
|
|
# Allow some ports for ad-hoc use
|
2024-03-05 22:57:41 +01:00
|
|
|
allowedTCPPorts = [1234 1337 8000 8080];
|
|
|
|
allowedUDPPorts = [1234 1337 8000 8080];
|
2024-03-05 22:17:26 +01:00
|
|
|
# Do not spam dmesg/journalctl with refused connections
|
|
|
|
logRefusedConnections = false;
|
2023-08-01 15:35:09 +02:00
|
|
|
};
|
2024-04-01 01:11:23 +02:00
|
|
|
nameservers = ["127.0.0.1"]; # unbound
|
2024-03-05 22:57:41 +01:00
|
|
|
search = ["caspervk.net"];
|
2023-08-01 15:35:09 +02:00
|
|
|
};
|
|
|
|
|
2023-08-11 18:02:36 +02:00
|
|
|
# TODO: these systemd networkd settings will be the default once
|
|
|
|
# https://github.com/NixOS/nixpkgs/pull/202488 is merged.
|
|
|
|
networking.useNetworkd = true;
|
2023-08-25 00:57:42 +02:00
|
|
|
systemd.network.enable = true;
|
2023-08-11 18:02:36 +02:00
|
|
|
|
2024-04-01 01:11:23 +02:00
|
|
|
# Force-disable the systemd-resolved stub resolver, which is enabled
|
|
|
|
# automatically in some cases, such as when enabling systemd-networkd.
|
|
|
|
services.resolved.enable = lib.mkForce false;
|
|
|
|
|
|
|
|
# Unbound provides DNS resolution to local applications on 127.0.0.1. It
|
|
|
|
# enables caching and DNSSEC validation by default. We configure it to only,
|
|
|
|
# and always, use dns.caspervk.net over TLS.
|
|
|
|
# By the way, it's surprisingly hard to get the system to always follow the
|
|
|
|
# custom DNS servers rather than the DHCP-provided ones. Check the traffic
|
|
|
|
# with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
|
|
|
|
# https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
|
|
|
|
services.unbound = {
|
2023-08-01 15:35:09 +02:00
|
|
|
enable = true;
|
2024-04-01 01:11:23 +02:00
|
|
|
settings = {
|
|
|
|
server = {
|
|
|
|
interface = ["127.0.0.1"];
|
|
|
|
};
|
|
|
|
forward-zone = [
|
|
|
|
{
|
|
|
|
name = ".";
|
|
|
|
forward-addr = [
|
|
|
|
"159.69.4.2#dns.caspervk.net"
|
|
|
|
"2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
|
|
|
|
];
|
|
|
|
forward-tls-upstream = "yes";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2023-08-01 15:35:09 +02:00
|
|
|
};
|
|
|
|
|
2024-03-05 22:36:28 +01:00
|
|
|
# TCP BBR has significantly increased throughput and reduced latency. Note
|
|
|
|
# that the IPv4 setting controls both IPv4 and IPv6.
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
|
|
|
};
|
|
|
|
|
2023-08-25 00:57:42 +02:00
|
|
|
# vnStat keeps a log of hourly, daily and monthly network traffic
|
2023-08-01 15:35:09 +02:00
|
|
|
services.vnstat.enable = true;
|
2023-08-26 17:46:20 +02:00
|
|
|
environment.persistence."/nix/persist" = {
|
|
|
|
directories = [
|
2024-03-05 22:57:41 +01:00
|
|
|
{
|
|
|
|
directory = "/var/lib/vnstat";
|
|
|
|
user = "root";
|
|
|
|
group = "root";
|
|
|
|
mode = "0755";
|
|
|
|
}
|
2023-08-26 17:46:20 +02:00
|
|
|
];
|
|
|
|
};
|
2023-08-01 15:35:09 +02:00
|
|
|
}
|