caspervk/nixos
1
0
Fork 0
Code Activity Actions

Compare commits

base: caspervk:ae04955a9da0c74db1e4d32d5799271d399854fc
Branches Tags
caspervk:master
caspervk:dev
..
compare: caspervk:f44d899cd75f2fb08959ec83721bf7a60c617097
Branches Tags
caspervk:master
caspervk:dev

2 commits
ae04955a9d ... f44d899cd7

Author SHA1 Message Date
Casper V. Kristensen
f44d899cd7 Only enable acme module on servers where certificates are configured 2024-04-05 02:21:18 +02:00
Casper V. Kristensen
b00beeb501 proper systemd-resolved dns 2024-04-05 02:21:18 +02:00
1 changed files with 15 additions and 13 deletions
Show stats Expand all files Collapse all files

28
modules/base/network.nix
View file

@ -23,6 +23,12 @@
# D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
# and DNSSEC validation. We configure it to only, and always, use
# dns.caspervk.net over TLS.
# NOTE: It's surprisingly hard to get the system to always follow the custom
# DNS servers rather than the DHCP-provided ones. Check the traffic with:
# > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# or
# > sudo resolvectl log-level debug
# > sudo journalctl -fu systemd-resolved.service
# https://nixos.wiki/wiki/Encrypted_DNS
# https://nixos.wiki/wiki/Systemd-resolved
services.resolved = {
@ -32,25 +38,21 @@
# incomplete. Upstream will validate for us anyway, and we trust it.
# https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
dnssec = "false";
# 'Domains' is used for two distinct purposes; first, any domains *not*
# prefixed with '~' are used as search suffixes when resolving single-label
# hostnames into FQDNs. The NixOS default is to set this to
# `config.networking.search`, which we maintain. Second, domains prefixed
# with '~' ("route-only domains") define a search path that preferably
# directs DNS queries to this interface. The '~.' construct use the DNS
# servers defined here preferably for the root (all) domain(s).
# https://man.archlinux.org/man/resolved.conf.5
domains = config.networking.search ++ ["~."];
# Resolved falls back to DNS servers operated by American internet
# surveillance and adtech companies by default. No thanks, I'd rather have
# no DNS at all.
fallbackDns = config.networking.nameservers;
};
# It's surprisingly hard to get the system to always follow the custom DNS
# servers rather than the DHCP-provided ones. Force-ignore DHCP DNS on all
# interfaces. Check the traffic with:
# > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
# or
# > sudo resolvectl log-level debug
# > sudo journalctl -fu systemd-resolved.service
systemd.network.networks."00-no-dhcp-dns" = {
matchConfig.Name = "*";
dhcpV4Config.UseDNS = false;
dhcpV6Config.UseDNS = false;
};
# TCP BBR has significantly increased throughput and reduced latency. Note
# that the IPv4 setting controls both IPv4 and IPv6.
boot.kernel.sysctl = {