infra/modules/networking.nix

{ pkgs, ... }: {
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      # Add back openssh MACs that got removed from defaults
      # for backwards compatibility
      #
      # NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
      # This breaks compatibilty with clients that do not offer these MACs. For
      # compatibility reasons, we add back the old defaults.
      # See: https://github.com/NixOS/nixpkgs/pull/231165
      # 
      # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
      # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
        "hmac-sha2-512"
        "hmac-sha2-256"
        "umac-128@openssh.com"
      ];
    };
  };

  services.resolved = {
    enable = true;
    # DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
    # when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
    extraConfig = ''
      DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
      Domains=~.
      DNSOverTLS=yes
      DNSSEC=false
    '';
  };
}
refactor: change file structure to use modules dir This commit changes the file structure around, so that we have the following parts: `/modules` contains reusable logic blocks for hosts. `/hosts` contains host configurations. `/lib` contains nix library functions. `/overlays` contains overlay files. `/public-keys` contains all information regarding public keys. This change reduces the complexity of flake.nix, instead delegating this out to the `default.nix` files in the above directories. 2023-10-30 14:54:23 +00:00			`{ pkgs, ... }: {`
flora-6: refactor to use flake.parts 2023-11-06 20:28:05 +00:00			`services.openssh = {`
			`enable = true;`
			`settings = {`
			`PermitRootLogin = "prohibit-password";`
			`PasswordAuthentication = false;`
			`# Add back openssh MACs that got removed from defaults`
			`# for backwards compatibility`
			`#`
			`# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.`
			`# This breaks compatibilty with clients that do not offer these MACs. For`
			`# compatibility reasons, we add back the old defaults.`
			`# See: https://github.com/NixOS/nixpkgs/pull/231165`
			`#`
			`# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html`
			`# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67`
			`Macs = [`
			`"hmac-sha2-512-etm@openssh.com"`
			`"hmac-sha2-256-etm@openssh.com"`
			`"umac-128-etm@openssh.com"`
			`"hmac-sha2-512"`
			`"hmac-sha2-256"`
			`"umac-128@openssh.com"`
			`];`
			`};`
			`};`
refactor: change file structure to use modules dir This commit changes the file structure around, so that we have the following parts: `/modules` contains reusable logic blocks for hosts. `/hosts` contains host configurations. `/lib` contains nix library functions. `/overlays` contains overlay files. `/public-keys` contains all information regarding public keys. This change reduces the complexity of flake.nix, instead delegating this out to the `default.nix` files in the above directories. 2023-10-30 14:54:23 +00:00
			`services.resolved = {`
			`enable = true;`
fix: disable DNSSEC for now because of an issue in systemd https://github.com/systemd/systemd/issues/10579 Without this change, there are random SERVFAIL responses with Greenbaum DNS when using allow-downgrade. Fixes DNS queries for lev-1.int.greenbaum.zone ❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A ;; ANSWER SECTION: obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82 ;; Query time: 105 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Thu Nov 09 10:38:02 UTC 2023 ;; MSG SIZE rcvd: 121 2023-11-09 10:38:28 +00:00			`# DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS`
			`# when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579`
refactor: change file structure to use modules dir This commit changes the file structure around, so that we have the following parts: `/modules` contains reusable logic blocks for hosts. `/hosts` contains host configurations. `/lib` contains nix library functions. `/overlays` contains overlay files. `/public-keys` contains all information regarding public keys. This change reduces the complexity of flake.nix, instead delegating this out to the `default.nix` files in the above directories. 2023-10-30 14:54:23 +00:00			`extraConfig = ''`
			`DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net`
			`FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net`
			`Domains=~.`
			`DNSOverTLS=yes`
fix: disable DNSSEC for now because of an issue in systemd https://github.com/systemd/systemd/issues/10579 Without this change, there are random SERVFAIL responses with Greenbaum DNS when using allow-downgrade. Fixes DNS queries for lev-1.int.greenbaum.zone ❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A ;; ANSWER SECTION: obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82 ;; Query time: 105 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Thu Nov 09 10:38:02 UTC 2023 ;; MSG SIZE rcvd: 121 2023-11-09 10:38:28 +00:00			`DNSSEC=false`
refactor: change file structure to use modules dir This commit changes the file structure around, so that we have the following parts: `/modules` contains reusable logic blocks for hosts. `/hosts` contains host configurations. `/lib` contains nix library functions. `/overlays` contains overlay files. `/public-keys` contains all information regarding public keys. This change reduces the complexity of flake.nix, instead delegating this out to the `default.nix` files in the above directories. 2023-10-30 14:54:23 +00:00			`'';`
			`};`
			`}`