{ flake, config, pkgs, lib, ... }:
{
  # Do not hold up boot waiting for the network to come online. Both units are
  # mkDefault so a host that genuinely needs the network before some service
  # starts can turn one of them back on.
  systemd.services = {
    NetworkManager-wait-online.enable = lib.mkDefault false;
    systemd-networkd-wait-online.enable = lib.mkDefault false;
  };

  networking = {
    # Static pins so the VPN endpoint and the initrd host name resolve without
    # any resolver being up (presumably needed from the initrd / before the
    # tunnel exists). These entries bypass DNS entirely: if the real records
    # move, hosts keep connecting to the old address — keep them in sync.
    hosts = {
      "128.140.109.213" = [ "vpn.b12f.io" "frikandel-initrd.b12f.io" ];
      "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" "frikandel-initrd.b12f.io" ];
    };

    # NetworkManager with iwd as the Wi-Fi backend. REMEMBER: users must be in
    # the networkmanager group to use any nm tooling.
    networkmanager = {
      enable = lib.mkDefault true;
      wifi.backend = lib.mkDefault "iwd";
    };

    # nftables-backed firewall. Deliberately not mkDefault: no host may switch
    # the firewall off by a plain assignment.
    firewall.enable = true;
    nftables.enable = true;

    # SSH is only reachable over the WireGuard interface. Public interfaces
    # keep 22 closed because services.openssh.openFirewall stays false below.
    firewall.interfaces.wg-private.allowedTCPPorts = [ 22 ];
  };

  services = {
    resolved = {
      enable = lib.mkDefault true;
      # Only consulted when no per-link DNS servers are configured (e.g. nothing
      # from DHCP), so on a typical network the DHCP-provided resolvers win.
      # The "#dns0.eu" suffix is the SNI/hostname used for the TLS session.
      fallbackDns = [
        "193.110.81.0#dns0.eu"
        "2a0f:fc80::#dns0.eu"
        "185.253.5.0#dns0.eu"
        "2a0f:fc81::#dns0.eu"
      ];
      # DNSSEC validation is off; responses are not authenticated.
      dnssec = "false";
      # Opportunistic DoT: TLS is used when the server offers it but resolved
      # falls back to plaintext and does not verify the server certificate, so
      # this gives no downgrade protection. It is a privacy nicety, not a
      # guarantee — do not rely on it for integrity of name resolution.
      extraConfig = ''
        DNSOverTLS=opportunistic
      '';
    };

    # Every host runs sshd so it has a host key pair; the rage secrets are
    # encrypted to those keys.
    openssh = {
      enable = true;
      allowSFTP = lib.mkDefault false;
      # Never open 22 on all interfaces; the wg-private rule above is the only
      # ingress path.
      openFirewall = lib.mkDefault false;
      settings = {
        # NOTE: AuthenticationMethods below is hard-set to publickey, so a host
        # that flips this to true still cannot log in with a password alone —
        # it would also have to override extraConfig.
        PasswordAuthentication = lib.mkDefault false;
        KbdInteractiveAuthentication = false;
      };
      extraConfig = ''
        AllowTcpForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        AuthenticationMethods publickey
      '';
      # AllowTcpForwarding yes means any key holder can pivot through this host
      # into whatever wg-private reaches — presumably intended for tunnelling;
      # confirm that is acceptable on hosts that sit on sensitive networks.
      # Agent and X11 forwarding stay off so a compromised host cannot reuse a
      # client's agent or display.
    };
  };
}