
improve networking

stolen from isabelroses/dotfiles <3

pls dont hate me

Diogo dc233f8b 724cc8e4

Changed files
+47 -6
modules
+19 -2
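--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@@ -1,4 +1,7 @@
-{ config, ... }:
+{ lib, config, ... }:
+let
+  inherit (lib) mkForce mkDefault mkIf;
+in
 {
   imports = [
     ./fail2ban.nix
@@ -10,7 +13,19 @@
   networking = {
     hostId = builtins.substring 0 8 (builtins.hashString "md5" config.networking.hostName);
 
-    networkmanager.enable = true;
+    useDHCP = mkForce false;
+    useNetworkd = mkForce true;
+
+    networkmanager = {
+      enable = true;
+      dns = "systemd-resolved";
+      unmanaged = [
+        "interface-name:tailscale*"
+        "type:bridge"
+      ];
+    };
+
+    usePredictableInterfaceNames = mkDefault true;
 
     nameservers = [
       "9.9.9.9"
@@ -18,5 +33,7 @@
       "2620:fe::fe"
       "2606:4700:4700::1111"
     ];
+
+    enableIPv6 = true;
   };
 }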
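Review bot: `dns = "systemd-resolved"` hands NetworkManager's resolver configuration to resolved, but nothing in this hunk enables `services.resolved`, so unless it is switched on in a line outside the diff (lines 5-9 and 17 are not shown) NetworkManager will push DNS to a daemon that is not running and name resolution on those interfaces silently breaks. Once resolved is in the picture, the static `nameservers` list (Quad9 and Cloudflare, which both serve DoT) is still queried over plaintext UDP/53; consider adding `services.resolved.dnsovertls = "opportunistic";` (or `"true"` for a hard requirement) and documenting the choice next to the list. The `inherit (lib) mkForce mkDefault mkIf;` line pulls in `mkIf`, which no visible line uses — if the hidden part of the file does not use it either, drop it to keep the inherit honest. A short comment above `useNetworkd = mkForce true;` stating why networkd is forced alongside NetworkManager (e.g. `# networkd owns wired/static config; NM is kept for Wi-Fi/VPN UIs and is told to leave tailscale and bridges alone`) would save the next reader from guessing.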
+4 -4
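--- a/modules/nixos/networking/firewall.nix
+++ b/modules/nixos/networking/firewall.nix
@@ -5,16 +5,16 @@
       enable = true;
       package = pkgs.iptables;
 
-      allowedTCPPorts = [
-        80
-        443
-      ];
+      allowedTCPPorts = [ ];
       allowedUDPPorts = [ ];
 
       allowedTCPPortRanges = [ ];
       allowedUDPPortRanges = [ ];
 
       allowPing = config.sys.profiles.headless.enable;
+
+      logReversePathDrops = true;
+      logRefusedConnections = false;
     };
   };
 }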
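Review bot: `logRefusedConnections = false;` turns off the kernel log line for every inbound connection the firewall rejects, which is the single cheapest signal a host has for port scans and misconfigured services, and the commit gives no rationale for dropping it while simultaneously enabling `logReversePathDrops`. If the intent is to avoid journal noise on internet-facing hosts, say so in a comment, e.g. `# refused-connection logging is disabled to keep the journal usable on exposed hosts; rp-filter drops are still logged because they indicate spoofing or asymmetric routing`; otherwise leaving it at the default (true) is the safer choice for detection. Closing 80/443 by default is a good change, but it does imply every web-serving host now has to open its ports explicitly — a one-line comment above the now-empty `allowedTCPPorts = [ ];` noting that services must opt in would prevent a surprised "my site is down" later.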
+24
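--- a/modules/nixos/networking/openssh.nix
+++ b/modules/nixos/networking/openssh.nix
@@ -1,6 +1,11 @@
 {
   services.openssh = {
     enable = true;
+    startWhenNeeded = true;
+
+    banner = ''
+      Heya!
+    '';
 
     settings = {
       PasswordAuthentication = false;
@@ -8,6 +13,25 @@
       PermitRootLogin = "no";
       AuthenticationMethods = "publickey";
       PubkeyAuthentication = "yes";
+      ChallengeResponseAuthentication = "no";
+      UsePAM = false;
+
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+        "diffie-hellman-group-exchange-sha256"
+        "mlkem768x25519-sha256"
+        "sntrup761x25519-sha512"
+      ];
+
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+      ];
 
       ClientAliveCountMax = 5;
       ClientAliveInterval = 60;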
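Review bot: `UsePAM = false;` does more than disable PAM-based authentication: with public-key-only auth it also skips the PAM session stack, so on a systemd host logins will no longer be registered with logind (no `pam_systemd` session, no `XDG_RUNTIME_DIR`, user units not started, no lastlog/faillock accounting), which hurts both usability and audit trail; since `PasswordAuthentication`, `AuthenticationMethods = "publickey"` and the keyboard-interactive switch already lock out PAM-driven auth, I would drop this line unless there is a reason worth a comment. `ChallengeResponseAuthentication` is the deprecated alias for `KbdInteractiveAuthentication`, and NixOS already emits a `KbdInteractiveAuthentication` value of its own; prefer the canonical `KbdInteractiveAuthentication = false;` so the two do not silently depend on which keyword sshd reads first. The last two `KexAlgorithms` entries (`mlkem768x25519-sha256` and the unsuffixed `sntrup761x25519-sha512`) are only recognised by recent OpenSSH releases, and sshd refuses to start on an unknown KEX name, so pin the expectation with a comment such as `# requires openssh >= 9.9; older sshd rejects the mlkem768/unsuffixed sntrup names and will not start`. The enclosing `settings` block continues past the end of the hunk.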