author | Christoph Cullmann <cullmann@kde.org> | 2023-05-02 19:32:11 +0200 |
committer | Christoph Cullmann <cullmann@kde.org> | 2023-05-02 19:32:11 +0200 |
commit | e522dfefd3771922a53b451f66dab3dd74cf6461 (patch) | |
tree | 80df58a4e5f0c7433fcd9043ad40aa00ad47238f /common.nix | |
parent | f452ce64c71eee51523c0566bfc9a48691a771d8 (diff) |
plain dhcp with dnssec
Diffstat (limited to 'common.nix')
-rw-r--r-- | common.nix | 45 |
1 files changed, 35 insertions, 10 deletions
@@ -90,21 +90,46 @@ in
 # allow all firmware
 hardware.enableAllFirmware = true;
- # networking via networkd
- networking.useDHCP = false;
- systemd.network.enable = true;
- systemd.network.networks."10-lan" = {
- networkConfig = {
- DHCP = "yes";
- };
- # make routing on this interface a dependency for network-online.target
- linkConfig.RequiredForOnline = "routable";
- };
+ # networking just with the dhcp client
+ networking.useDHCP = true;
 # ensure firewall is up, allow ssh and http in
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 80 ];
+ # secure dns with local resolve via fritz.box
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ resolvconf.useLocalResolver = true;
+ };
+ environment.etc = {
+ forwarding_rules = {
+ text = ''
+ fritz.box 192.168.13.1
+ '';
+ };
+ };
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+ sources.public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/nix/persistent/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ forwarding_rules = "/etc/forwarding_rules";
+ };
+ };
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = "dnscrypt-proxy";
+ };
+
 # swap to RAM
 zramSwap.enable = true; |
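Review bot: `cache_file = "/nix/persistent/public-resolvers.md"` points outside the `StateDirectory = "dnscrypt-proxy"` that the same hunk adds, so the state directory (/var/lib/dnscrypt-proxy) is created but never used and the signed resolver list is written to a path the unit's sandbox may not permit; if the NixOS dnscrypt-proxy2 module runs the service under DynamicUser or a read-only filesystem view (not visible here), the list download fails and the proxy starts with no usable resolvers. Keeping the cache inside the directory systemd provisions, `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`, avoids that and lets the existing `minisign_key` check cover the cached copy. Separately, `require_dnssec = true` is a resolver-selection filter in dnscrypt-proxy rather than local signature validation, so the "dnssec" in the commit title means trusting the chosen upstream to validate; the `# secure dns with local resolve via fritz.box` comment could say so, and note that the `forwarding_rules` entry sends `fritz.box` lookups to 192.168.13.1 as plain DNS outside that path. The enclosing attribute set starts before and ends after this hunk.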