Diffstat (limited to 'modules/software/networking')
-rw-r--r--modules/software/networking/default.nix41
-rw-r--r--modules/software/networking/dhcpcd.nix12
-rw-r--r--modules/software/networking/firewall/default.nix11
-rw-r--r--modules/software/networking/firewall/fail2ban.nix20
-rw-r--r--modules/software/networking/i2p.nix38
-rw-r--r--modules/software/networking/ipv6.nix9
-rw-r--r--modules/software/networking/loopback.nix7
-rw-r--r--modules/software/networking/networkmanager.nix23
-rw-r--r--modules/software/networking/optimise.nix73
-rw-r--r--modules/software/networking/resolved.nix17
-rw-r--r--modules/software/networking/tor.nix27
-rw-r--r--modules/software/networking/vpn/default.nix6
-rw-r--r--modules/software/networking/vpn/pia.nix10
-rw-r--r--modules/software/networking/vpn/tailscale.nix15
14 files changed, 309 insertions, 0 deletions
diff --git a/modules/software/networking/default.nix b/modules/software/networking/default.nix
new file mode 100644
index 0000000..724693d
--- /dev/null
+++ b/modules/software/networking/default.nix
@@ -0,0 +1,41 @@
+{ secrets, ... }:
+{
+ imports = [
+ ./firewall
+ ./vpn
+ ./dhcpcd.nix
+ ./i2p.nix
+ ./ipv6.nix
+ ./loopback.nix
+ ./networkmanager.nix
+ ./optimise.nix
+ ./resolved.nix
+ ./tor.nix
+ ];
+
+ # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2
+ systemd.network.wait-online.enable = false;
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2
+ systemd.services.NetworkManager-wait-online.enable = false;
+
+ networking = {
+ hostName = "kansai";
+ nftables.enable = true;
+
+ nameservers = [
+ "45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io"
+ "2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io"
+ "45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io"
+ "2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io"
+ ];
+
+ timeServers = [
+ "0.nixos.pool.ntp.org"
+ "1.nixos.pool.ntp.org"
+ "2.nixos.pool.ntp.org"
+ "3.nixos.pool.ntp.org"
+ ];
+ };
+}
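Review bot: The `#<name>` suffix on each nameserver is systemd-resolved's DNS-over-TLS syntax, but resolved is disabled in this same series (`services.resolved.enable = false`) and NetworkManager is set to `dns = "none"`, so these entries appear to land as plain `nameserver` lines in /etc/resolv.conf where glibc cannot parse the suffix — the DoT intent is not enforced and resolution may fail or fall back to whatever resolver is left. Either enable resolved (and set NetworkManager to `dns = "systemd-resolved"`) or strip the suffix and accept plaintext DNS, and say which in a comment. Separately, `secrets.nextdns_id` is interpolated by value, which presumably puts it in the world-readable Nix store and in /etc/resolv.conf; the profile ID is what ties queries and logs to the account, so either treat it as a credential or document that on-host exposure is accepted. The two IPv6 entries are also dead while `networking.enableIPv6 = false` is set.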
diff --git a/modules/software/networking/dhcpcd.nix b/modules/software/networking/dhcpcd.nix
new file mode 100644
index 0000000..f46b657
--- /dev/null
+++ b/modules/software/networking/dhcpcd.nix
@@ -0,0 +1,12 @@
+{
+ networking.dhcpcd = {
+ wait = "background";
+
+ extraConfig = ''
+ noarp
+ nooption domain_name_servers, domain_name, domain_search, host_name
+ nooption ntp_servers
+ nohook resolv.conf, wpa_supplicant
+ '';
+ };
+}
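Review bot: The `nooption`/`nohook` lines reject DHCP-supplied resolvers, search domains and NTP servers but carry no comment saying so, and it is unclear they take effect at all: with `networking.networkmanager.enable = true` NixOS normally leaves dhcpcd disabled and NetworkManager runs its own DHCP client, so this hardening would be dead configuration. If the goal is to stop a rogue DHCP server from injecting resolvers, the NetworkManager-side equivalent is an `ipv4.ignore-auto-dns=1` default in its `[connection]` settings (or per connection), and a comment such as `# Ignore DHCP-pushed DNS/NTP: resolvers are pinned in default.nix` should record the choice. `noarp` also disables duplicate-address detection, a trade-off worth one line.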
diff --git a/modules/software/networking/firewall/default.nix b/modules/software/networking/firewall/default.nix
new file mode 100644
index 0000000..074f398
--- /dev/null
+++ b/modules/software/networking/firewall/default.nix
@@ -0,0 +1,11 @@
+{
+ imports = [ ./fail2ban.nix ];
+
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+ checkReversePath = "loose";
+ };
+}
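Review bot: `checkReversePath = "loose"` has no comment, and the reason matters because optimise.nix in this series sets the kernel's `net.ipv4.conf.all.rp_filter = 1` (strict), which as far as I can tell is an independent check that the nftables `loose` setting does not relax; on a host running an OpenVPN tunnel plus Tailscale with routing features, asymmetric routes may still be dropped by the strict kernel filter and only the nftables side would log them. Pick one policy and document it, e.g. `# loose: PIA/Tailscale routes are asymmetric; kernel rp_filter in optimise.nix is set to match`. `logRefusedConnections = false` makes refused TCP/UDP silent, which is reasonable for a workstation but deserves a line so nobody looks for those entries in the journal.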
diff --git a/modules/software/networking/firewall/fail2ban.nix b/modules/software/networking/firewall/fail2ban.nix
new file mode 100644
index 0000000..6311b14
--- /dev/null
+++ b/modules/software/networking/firewall/fail2ban.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+ services.fail2ban = {
+ enable = false;
+ banaction = "nftables-multiport";
+ banaction-allports = lib.mkDefault "nftables-allport";
+
+ extraPackages = with pkgs; [
+ nftables
+ ipset
+ ];
+
+ ignoreIP = [
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "100.64.0.0/16"
+ "192.168.0.0/16"
+ ];
+ };
+}
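Review bot: `ignoreIP` lists `100.64.0.0/16`, but the shared-address (CGNAT) range that Tailscale assigns from is `100.64.0.0/10`; a `/16` covers only 100.64.x.x, so a tailnet peer at, say, 100.100.x.x would not be exempt, which looks like a typo for `"100.64.0.0/10"`. Nothing here is active yet because of `enable = false`; once it is switched on, exempting the entire RFC1918 ranges means a compromised LAN host is never banned, which is a deliberate choice that should be stated in a comment. `ipset` in `extraPackages` is only needed by iptables-based ban actions, so with the nftables actions selected here it is probably unused.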
diff --git a/modules/software/networking/i2p.nix b/modules/software/networking/i2p.nix
new file mode 100644
index 0000000..19077ba
--- /dev/null
+++ b/modules/software/networking/i2p.nix
@@ -0,0 +1,38 @@
+{
+ # https://voidcruiser.nl/rambles/i2p-on-nixos/
+ containers.i2pd = {
+ autoStart = true;
+
+ config = {
+ system.stateVersion = "24.05";
+
+ networking.firewall.allowedTCPPorts = [
+ 7656
+ 7070
+ 4447
+ 4444
+ ];
+
+ services.i2pd = {
+ enable = true;
+ address = "0.0.0.0";
+
+ proto = {
+ http.enable = true;
+ socksProxy.enable = true;
+ httpProxy.enable = true;
+ sam.enable = true;
+ i2cp.enable = true;
+ };
+
+ addressbook.subscriptions = [
+ "http://inr.i2p/export/alive-hosts.txt"
+ "http://i2p-projekt.i2p/hosts.txt"
+ "http://stats.i2p/cgi-bin/newhosts.txt"
+ "http://reg.i2p/export/hosts.txt"
+ "http://notbob.i2p/hosts.txt"
+ ];
+ };
+ };
+ };
+}
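Review bot: `address = "0.0.0.0"` binds the i2pd web console (7070), SAM bridge (7656), HTTP proxy (4444) and SOCKS proxy (4447) on every interface, and the container declares no `privateNetwork`, so as far as I can tell it shares the host's network namespace — these unauthenticated services then become reachable from the LAN and from every tailnet peer, since tailscale.nix in this series marks the Tailscale interface as trusted. Unless remote access is intended, bind to loopback with `address = "127.0.0.1";` and drop the `allowedTCPPorts` list, or give the container `privateNetwork = true` with a `hostAddress`/`localAddress` pair and keep `0.0.0.0` only inside it. A comment naming which of these ports is meant to be reachable from where would make the intent reviewable.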
diff --git a/modules/software/networking/ipv6.nix b/modules/software/networking/ipv6.nix
new file mode 100644
index 0000000..274c1ae
--- /dev/null
+++ b/modules/software/networking/ipv6.nix
@@ -0,0 +1,9 @@
+{
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.enp42s0.disable_ipv6" = true;
+ "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
+ "net.ipv6.conf.tun0.disable_ipv6" = true;
+ };
+
+ networking.enableIPv6 = false;
+}
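Review bot: The three per-interface `disable_ipv6` keys are redundant with `networking.enableIPv6 = false`, which already sets `net.ipv6.conf.all.disable_ipv6` and `net.ipv6.conf.default.disable_ipv6`, and the `tun0` entry is fragile: systemd-sysctl applies keys at boot, so a key for an interface that does not exist yet (a VPN tun device) logs an error and has no effect once the device appears. I would drop the `boot.kernel.sysctl` block and keep the single option, or at least add a comment saying these interface names are specific to this host. If IPv6 is intentionally off while Tailscale is used, note that Tailscale's IPv6 addressing presumably becomes unavailable (v4 still works).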
diff --git a/modules/software/networking/loopback.nix b/modules/software/networking/loopback.nix
new file mode 100644
index 0000000..62e745e
--- /dev/null
+++ b/modules/software/networking/loopback.nix
@@ -0,0 +1,7 @@
+{ config, ... }:
+{
+ boot = {
+ kernelModules = [ "v4l2loopback" ];
+ extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+ };
+}
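Review bot: This file loads `v4l2loopback`, an out-of-tree virtual-camera kernel module, not a network loopback interface; living under `modules/software/networking/` with the name `loopback.nix` it will be mistaken for `lo` configuration. Move it to the media/video module tree or at least open it with `# v4l2loopback: virtual V4L2 video device; unrelated to the lo network interface`. A one-line note that it is an out-of-tree module rebuilt per kernel via `config.boot.kernelPackages` would also explain the `extraModulePackages` reference.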
diff --git a/modules/software/networking/networkmanager.nix b/modules/software/networking/networkmanager.nix
new file mode 100644
index 0000000..8672759
--- /dev/null
+++ b/modules/software/networking/networkmanager.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.networkmanagerapplet ];
+
+ networking.networkmanager = {
+ enable = true;
+ plugins = [ pkgs.networkmanager-openvpn ];
+ # dns =
+ dns = "none"; # "systemd-resolved"
+ wifi.backend = "iwd";
+
+ unmanaged = [
+ "interface-name:tailscale*"
+ "interface-name:br-*"
+ "interface-name:rndis*"
+ "interface-name:docker*"
+ "interface-name:virbr*"
+ "interface-name:vboxnet*"
+ "interface-name:waydroid*"
+ "type:bridge"
+ ];
+ };
+}
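Review bot: `dns = "none"` tells NetworkManager to leave resolv.conf alone, which means resolvers pushed by DHCP and by the OpenVPN plugin (PIA) are discarded in favour of the static NextDNS list in default.nix; that is a sound choice against resolver injection, but the leftover `# dns =` line above it and the trailing `# "systemd-resolved"` read as an unfinished experiment. Replace them with a comment stating the policy, e.g. `# none: never let DHCP- or VPN-pushed resolvers replace the pinned NextDNS servers`, and note that switching to `"systemd-resolved"` only makes sense once resolved.nix is actually enabled.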
diff --git a/modules/software/networking/optimise.nix b/modules/software/networking/optimise.nix
new file mode 100644
index 0000000..c6f2bec
--- /dev/null
+++ b/modules/software/networking/optimise.nix
@@ -0,0 +1,73 @@
+{
+ boot = {
+ kernelModules = [
+ "tls"
+ "tcp_bbr"
+ ];
+
+ kernel.sysctl = {
+ # TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets (we're not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're on a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+ # And other stuff
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.default.log_martians" = true;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv4.tcp_timestamps" = 0;
+
+ # TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+
+ # Other stuff that I am too lazy to document
+ "net.core.optmem_max" = 65536;
+ "net.core.rmem_default" = 1048576;
+ "net.core.rmem_max" = 16777216;
+ "net.core.somaxconn" = 8192;
+ "net.core.wmem_default" = 1048576;
+ "net.core.wmem_max" = 16777216;
+ "net.ipv4.ip_local_port_range" = "16384 65535";
+ "net.ipv4.tcp_max_syn_backlog" = 8192;
+ "net.ipv4.tcp_max_tw_buckets" = 2000000;
+ "net.ipv4.tcp_mtu_probing" = 1;
+ "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+ "net.ipv4.tcp_slow_start_after_idle" = 0;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+ "net.ipv4.udp_rmem_min" = 8192;
+ "net.ipv4.udp_wmem_min" = 8192;
+ "net.netfilter.nf_conntrack_generic_timeout" = 60;
+ "net.netfilter.nf_conntrack_max" = 1048576;
+ "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+ "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+ };
+ };
+}
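Review bot: `net.ipv4.tcp_tw_reuse = 1` is a no-op while `net.ipv4.tcp_timestamps = 0`: the kernel only reuses a TIME-WAIT socket when timestamps let it verify the new connection is newer, so one of these two lines contradicts the other. Disabling timestamps also switches off PAWS (protection against wrapped sequence numbers), which is a security mechanism rather than a fingerprinting nicety, and weakens the RTT estimation used for retransmission timers; unless hiding uptime is a hard requirement, set `"net.ipv4.tcp_timestamps" = 1;` and keep `tcp_tw_reuse`. Two comments in the hunk are also wrong: `again TIME-WAIT assassination` should read `against`, and `again, we're on a router` should read `we're not a router`. `tcp_fastopen = 3` enables the server side of TFO as well, which is unnecessary on a host that only makes outbound connections; `1` (client only) is the conservative value.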
diff --git a/modules/software/networking/resolved.nix b/modules/software/networking/resolved.nix
new file mode 100644
index 0000000..82effbe
--- /dev/null
+++ b/modules/software/networking/resolved.nix
@@ -0,0 +1,17 @@
+{ secrets, ... }:
+{
+ services.resolved = {
+ enable = false;
+ dnssec = "true";
+ domains = [ "~." ];
+ dnsovertls = "true";
+ llmnr = "false";
+
+ extraConfig = ''
+ DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io
+ '';
+ };
+}
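Review bot: Everything in this file is inert because of `enable = false`, yet it is the only place in the series where DNS-over-TLS, DNSSEC and the LLMNR opt-out are actually enforced; with resolved off, the `#hostname` DoT suffixes in default.nix have no consumer either. Add a comment on `enable = false` explaining why resolved is off and what currently does the resolving, or enable it and set NetworkManager to `dns = "systemd-resolved"`. If it is enabled, `dnssec = "true"` is strict and fails resolution on any non-validating path, so `"allow-downgrade"` is the more common choice for a roaming host; the `DNS=` lines in `extraConfig` also duplicate `networking.nameservers` and could be dropped, which keeps `secrets.nextdns_id` in one place.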
diff --git a/modules/software/networking/tor.nix b/modules/software/networking/tor.nix
new file mode 100644
index 0000000..dfbfb3a
--- /dev/null
+++ b/modules/software/networking/tor.nix
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+ services.tor = {
+ enable = true;
+ torsocks.enable = true;
+
+ client = {
+ enable = true;
+ dns.enable = true;
+ };
+ };
+
+ programs.proxychains = {
+ enable = true;
+ quietMode = false;
+ proxyDNS = true;
+ package = pkgs.proxychains-ng;
+
+ proxies = {
+ tor = {
+ type = "socks5";
+ host = "127.0.0.1";
+ port = 9050;
+ };
+ };
+ };
+}
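Review bot: `client.dns.enable = true` opens Tor's DNSPort (presumably on loopback per the NixOS default), but nothing in this series points the system resolver or NetworkManager at it, so it is only used by applications configured for it explicitly; a comment naming the intended consumer would prevent the assumption that system DNS is torified. Likewise `torsocks` and `proxychains-ng` work via LD_PRELOAD, so statically linked binaries, setuid programs and anything doing raw UDP or ICMP bypass them — worth a line next to `proxyDNS = true` so it is not read as a leak-proof guarantee. With `quietMode = false` proxychains prints every hop to the terminal, which can interleave with the wrapped program's output; fine if deliberate, but say so.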
diff --git a/modules/software/networking/vpn/default.nix b/modules/software/networking/vpn/default.nix
new file mode 100644
index 0000000..92a11b0
--- /dev/null
+++ b/modules/software/networking/vpn/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./pia.nix
+ ./tailscale.nix
+ ];
+}
diff --git a/modules/software/networking/vpn/pia.nix b/modules/software/networking/vpn/pia.nix
new file mode 100644
index 0000000..d52dbf8
--- /dev/null
+++ b/modules/software/networking/vpn/pia.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ services.pia = {
+ enable = true;
+
+ authUserPass = {
+ inherit (secrets.pia) username password;
+ };
+ };
+}
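Review bot: `authUserPass` is populated from `secrets.pia` by value, so whatever auth file the `services.pia` module renders presumably ends up in the world-readable Nix store (every local user can read `/nix/store`), which is the usual failure mode for OpenVPN `auth-user-pass` settings written from Nix expressions. If the module offers a path-based option (a runtime file provisioned by sops-nix/agenix with mode 0400), prefer it; otherwise add a comment acknowledging that the PIA password is exposed on-host. `services.pia` is not an upstream NixOS option as far as I can tell, so the module's secret handling should be checked rather than assumed.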
diff --git a/modules/software/networking/vpn/tailscale.nix b/modules/software/networking/vpn/tailscale.nix
new file mode 100644
index 0000000..21f471a
--- /dev/null
+++ b/modules/software/networking/vpn/tailscale.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+ networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ # <https://tailscale.com/kb/1019/subnets/?tab=linux#step-1-install-the-tailscale-client>
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+}
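Review bot: Listing the Tailscale interface in `networking.firewall.trustedInterfaces` disables the host firewall for every tailnet peer, including shared or less-trusted nodes, which exposes all listening services — notably the i2pd ports bound to `0.0.0.0` elsewhere in this series; unless tailnet ACLs are relied on entirely, prefer `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ … ];` with the specific ports. As far as I recall, `useRoutingFeatures = "both"` already has the NixOS module enable IP forwarding and a loose reverse-path check, so the explicit `boot.kernel.sysctl` forwarding keys look redundant, and turning on forwarding widens a workstation's role as a router even before any routes are advertised; if they stay, a comment should say why. The `"${config.services.tailscale.interfaceName}"` interpolation can simply be `config.services.tailscale.interfaceName`.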