os/modules/core/networking.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

62 lines
1.5 KiB
Nix
Raw Normal View History

2021-05-30 19:10:28 +00:00
{
flake,
2022-11-22 11:30:54 +00:00
config,
pkgs,
lib,
...
}: {
# disable NetworkManager and systemd-networkd -wait-online by default
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
networking.hosts = {
2024-08-18 22:22:59 +00:00
"128.140.109.213" = ["vpn.b12f.io"];
"2a01:4f8:c2c:b60::" = ["vpn.b12f.io"];
};
networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
2023-10-07 19:11:08 +00:00
enable = lib.mkDefault true;
wifi.backend = lib.mkDefault "iwd";
};
networking.firewall.enable = true;
2023-10-24 15:56:14 +00:00
networking.nftables.enable = true;
services.resolved = {
enable = lib.mkDefault true;
fallbackDns = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
dnssec = "false";
extraConfig = ''
DNSOverTLS=opportunistic
'';
};
2024-03-30 14:35:32 +00:00
# Don't expose SSH via public interfaces
2024-08-18 22:22:59 +00:00
networking.firewall.interfaces.wg-private.allowedTCPPorts = [22];
2024-03-30 14:35:32 +00:00
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
2023-10-10 09:56:36 +00:00
enable = true;
allowSFTP = lib.mkDefault false;
2023-10-10 09:56:36 +00:00
openFirewall = lib.mkDefault false;
settings.PasswordAuthentication = lib.mkDefault false;
settings.KbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
2021-05-30 19:10:28 +00:00
};
}