{ config, ... }:
let
  # Ports opened in the host firewall for ad-hoc use, for both TCP and UDP.
  # They are reachable on every interface the firewall covers, so keep the
  # list short and remove entries once they are no longer needed.
  adHocPorts = [ 1234 1337 8000 8080 ];
in
{
  # https://nixos.wiki/wiki/Networking
  # https://nixos.wiki/wiki/Systemd-networkd
  networking = {
    firewall = {
      allowedTCPPorts = adHocPorts;
      allowedUDPPorts = adHocPorts;
      # Refused connections are not logged, so they cannot flood dmesg or the
      # journal. NOTE(review): this also hides scan/probe noise from the
      # journal; if that visibility is wanted, rely on other telemetry.
      logRefusedConnections = false;
    };

    # The "#hostname" suffix gives systemd-resolved the server name it expects
    # on the TLS connection to each resolver.
    nameservers = [
      "159.69.4.2#dns.caspervk.net"
      "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
    ];
    search = [ "caspervk.net" ];

    # TODO: systemd-networkd becomes the NixOS default once
    # https://github.com/NixOS/nixpkgs/pull/202488 is merged.
    useNetworkd = true;
  };

  systemd.network = {
    enable = true;

    # The system should always use the nameservers above and never the ones
    # handed out by DHCP, which is surprisingly hard to achieve. This unit
    # matches every interface and switches off DHCP-provided DNS for both
    # DHCPv4 and DHCPv6. Verify the effect with:
    #   > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
    # or
    #   > sudo resolvectl log-level debug
    #   > sudo journalctl -fu systemd-resolved.service
    # NOTE(review): systemd-networkd applies only the first (lexically sorted)
    # .network unit that matches an interface. Since "00-" sorts before the
    # "99-*" DHCP units NixOS generates, confirm every interface still receives
    # its intended address/DHCP configuration.
    networks."00-no-dhcp-dns" = {
      matchConfig.Name = "*";
      dhcpV4Config.UseDNS = false;
      dhcpV6Config.UseDNS = false;
    };
  };

  # systemd-resolved answers DNS queries from local applications via D-Bus,
  # NSS and the stub resolver on 127.0.0.53, with caching and DNSSEC
  # validation. It is configured to talk only, and always, to dns.caspervk.net
  # over TLS.
  # https://nixos.wiki/wiki/Encrypted_DNS
  # https://nixos.wiki/wiki/Systemd-resolved
  services.resolved = {
    enable = true;
    # Strict DNS-over-TLS: no fallback to plaintext DNS.
    dnsovertls = "true";
    # TODO: DNSSEC support in systemd-resolved is considered experimental and
    # incomplete. The upstream resolver validates for us, and we trust it.
    # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
    dnssec = "false";
    # By default resolved falls back to resolvers run by American internet
    # surveillance and adtech companies. Pin the fallback list to our own
    # nameservers instead, so queries never leave for those servers; if ours
    # are unreachable we would rather have no DNS at all.
    fallbackDns = config.networking.nameservers;
  };

  # TCP BBR gives significantly higher throughput and lower latency. The
  # net.ipv4 setting governs both IPv4 and IPv6.
  boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";

  # vnStat records hourly, daily and monthly network traffic.
  services.vnstat.enable = true;

  # Keep the vnStat database across reboots on the persistent volume.
  environment.persistence."/nix/persist".directories = [
    {
      directory = "/var/lib/vnstat";
      user = "root";
      group = "root";
      mode = "0755";
    }
  ];
}