nixos/modules/base/network.nix

87 lines
3.4 KiB
Nix
Raw Normal View History

2024-04-05 01:07:48 +02:00
{config, ...}: {
2024-06-27 20:37:34 +02:00
# https://wiki.nixos.org/wiki/Networking
# https://wiki.nixos.org/wiki/Systemd-networkd
2023-08-25 00:57:42 +02:00
2023-08-01 15:35:09 +02:00
networking = {
firewall = {
2023-08-25 00:57:42 +02:00
# Allow some ports for ad-hoc use
2024-03-05 22:57:41 +01:00
allowedTCPPorts = [1234 1337 8000 8080];
allowedUDPPorts = [1234 1337 8000 8080];
2024-03-05 22:17:26 +01:00
# Do not spam dmesg/journalctl with refused connections
logRefusedConnections = false;
2023-08-01 15:35:09 +02:00
};
2024-10-07 23:46:06 +02:00
nameservers = [
"159.69.4.2#dns.caspervk.net"
"2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
];
2024-03-05 22:57:41 +01:00
search = ["caspervk.net"];
2023-08-01 15:35:09 +02:00
};
# TODO: these systemd networkd settings will be the default once
2024-06-02 22:56:02 +02:00
# https://github.com/NixOS/nixpkgs/pull/264967 is merged.
networking.useNetworkd = true;
2023-08-25 00:57:42 +02:00
systemd.network.enable = true;
2024-11-28 23:14:27 +01:00
# Never use DHCP. Servers are configured with static addresses. On desktops,
# the NixOS network-manager module disables this option too.
networking.useDHCP = false;
2024-06-11 01:13:51 +02:00
# The notion of "online" is a broken concept
# https://github.com/nix-community/srvos/blob/main/nixos/common/networking.nix
systemd.services.NetworkManager-wait-online.enable = false;
systemd.network.wait-online.enable = false;
# systemd-resolved provides DNS resolution to local applications through
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
# and DNSSEC validation. We configure it to only, and always, use
2024-04-05 01:07:48 +02:00
# dns.caspervk.net over TLS.
# NOTE: It's surprisingly hard to get the system to always follow the custom
# DNS servers rather than the DHCP-provided ones. Check the traffic with:
# > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# or
# > sudo resolvectl log-level debug
# > sudo journalctl -fu systemd-resolved.service
2024-06-27 20:37:34 +02:00
# https://wiki.nixos.org/wiki/Encrypted_DNS
# https://wiki.nixos.org/wiki/Systemd-resolved
services.resolved = {
2023-08-01 15:35:09 +02:00
enable = true;
2024-04-05 01:07:48 +02:00
dnsovertls = "true";
# TODO: DNSSEC support in systemd-resolved is considered experimental and
# incomplete. Upstream will validate for us anyway, and we trust it.
# https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
dnssec = "false";
# 'Domains' is used for two distinct purposes; first, any domains *not*
# prefixed with '~' are used as search suffixes when resolving single-label
# hostnames into FQDNs. The NixOS default is to set this to
# `config.networking.search`, which we maintain. Second, domains prefixed
# with '~' ("route-only domains") define a search path that preferably
# directs DNS queries to this interface. The '~.' construct use the DNS
# servers defined here preferably for the root (all) domain(s).
# https://man.archlinux.org/man/resolved.conf.5
domains = config.networking.search ++ ["~."];
# Resolved falls back to DNS servers operated by American internet
# surveillance and adtech companies by default. No thanks, I'd rather have
# no DNS at all.
2024-06-02 22:56:02 +02:00
fallbackDns = [];
2023-08-01 15:35:09 +02:00
};
2024-03-05 22:36:28 +01:00
# TCP BBR has significantly increased throughput and reduced latency. Note
# that the IPv4 setting controls both IPv4 and IPv6.
boot.kernel.sysctl = {
"net.ipv4.tcp_congestion_control" = "bbr";
};
2023-08-25 00:57:42 +02:00
# vnStat keeps a log of hourly, daily and monthly network traffic
2023-08-01 15:35:09 +02:00
services.vnstat.enable = true;
2023-08-26 17:46:20 +02:00
environment.persistence."/nix/persist" = {
directories = [
2024-03-05 22:57:41 +01:00
{
directory = "/var/lib/vnstat";
user = "root";
group = "root";
mode = "0755";
}
2023-08-26 17:46:20 +02:00
];
};
2023-08-01 15:35:09 +02:00
}