Diffstat (limited to 'modules/software/networking')
-rw-r--r--modules/software/networking/default.nix41
-rw-r--r--modules/software/networking/dhcpcd.nix12
-rw-r--r--modules/software/networking/firewall/default.nix11
-rw-r--r--modules/software/networking/firewall/fail2ban.nix20
-rw-r--r--modules/software/networking/i2p.nix48
-rw-r--r--modules/software/networking/ipv6.nix9
-rw-r--r--modules/software/networking/loopback.nix7
-rw-r--r--modules/software/networking/networkmanager.nix23
-rw-r--r--modules/software/networking/optimise.nix73
-rw-r--r--modules/software/networking/resolved.nix17
-rw-r--r--modules/software/networking/tor.nix27
-rw-r--r--modules/software/networking/vpn/default.nix6
-rw-r--r--modules/software/networking/vpn/pia.nix10
-rw-r--r--modules/software/networking/vpn/tailscale.nix15
14 files changed, 0 insertions, 319 deletions
diff --git a/modules/software/networking/default.nix b/modules/software/networking/default.nix
deleted file mode 100644
index 724693d..0000000
--- a/modules/software/networking/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ secrets, ... }:
-{
- imports = [
- ./firewall
- ./vpn
- ./dhcpcd.nix
- ./i2p.nix
- ./ipv6.nix
- ./loopback.nix
- ./networkmanager.nix
- ./optimise.nix
- ./resolved.nix
- ./tor.nix
- ];
-
- # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2
- systemd.network.wait-online.enable = false;
- boot.initrd.systemd.network.wait-online.enable = false;
-
- # https://discourse.nixos.org/t/how-to-disable-networkmanager-wait-online-service-in-the-configuration-file/19963/2
- systemd.services.NetworkManager-wait-online.enable = false;
-
- networking = {
- hostName = "kansai";
- nftables.enable = true;
-
- nameservers = [
- "45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io"
- "2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io"
- "45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io"
- "2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io"
- ];
-
- timeServers = [
- "0.nixos.pool.ntp.org"
- "1.nixos.pool.ntp.org"
- "2.nixos.pool.ntp.org"
- "3.nixos.pool.ntp.org"
- ];
- };
-}
diff --git a/modules/software/networking/dhcpcd.nix b/modules/software/networking/dhcpcd.nix
deleted file mode 100644
index f46b657..0000000
--- a/modules/software/networking/dhcpcd.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- networking.dhcpcd = {
- wait = "background";
-
- extraConfig = ''
- noarp
- nooption domain_name_servers, domain_name, domain_search, host_name
- nooption ntp_servers
- nohook resolv.conf, wpa_supplicant
- '';
- };
-}
diff --git a/modules/software/networking/firewall/default.nix b/modules/software/networking/firewall/default.nix
deleted file mode 100644
index 074f398..0000000
--- a/modules/software/networking/firewall/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- imports = [ ./fail2ban.nix ];
-
- networking.firewall = {
- enable = true;
- allowPing = false;
- logReversePathDrops = true;
- logRefusedConnections = false;
- checkReversePath = "loose";
- };
-}
diff --git a/modules/software/networking/firewall/fail2ban.nix b/modules/software/networking/firewall/fail2ban.nix
deleted file mode 100644
index 6311b14..0000000
--- a/modules/software/networking/firewall/fail2ban.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, lib, ... }:
-{
- services.fail2ban = {
- enable = false;
- banaction = "nftables-multiport";
- banaction-allports = lib.mkDefault "nftables-allport";
-
- extraPackages = with pkgs; [
- nftables
- ipset
- ];
-
- ignoreIP = [
- "10.0.0.0/8"
- "172.16.0.0/12"
- "100.64.0.0/16"
- "192.168.0.0/16"
- ];
- };
-}
diff --git a/modules/software/networking/i2p.nix b/modules/software/networking/i2p.nix
deleted file mode 100644
index d94b5e4..0000000
--- a/modules/software/networking/i2p.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- # https://voidcruiser.nl/rambles/i2p-on-nixos/
- containers.i2pd = {
- autoStart = true;
-
- config = {
- system.stateVersion = "24.05";
-
- networking.firewall.allowedTCPPorts = [
- 7656
- 7070
- 4447
- 4444
- ];
-
- services.i2pd = {
- enable = true;
- address = "0.0.0.0";
- upnp.enable = true;
- bandwidth = 256;
-
- proto = {
- http.enable = true;
- socksProxy.enable = true;
- sam.enable = true;
- i2cp.enable = true;
-
- httpProxy = {
- enable = true;
- # outproxy = "http://false.i2p";
- # outproxy = "http://purokishi.i2p:4444";
- # outproxy = "http://outproxy.acetone.i2p:3128";
- outproxy = "http://exit.stormycloud.i2p:4444";
- # outproxy = "http://outproxy.bandura.i2p:4444";
- };
- };
-
- addressbook.subscriptions = [
- "http://inr.i2p/export/alive-hosts.txt"
- "http://i2p-projekt.i2p/hosts.txt"
- "http://stats.i2p/cgi-bin/newhosts.txt"
- "http://reg.i2p/export/hosts.txt"
- "http://notbob.i2p/hosts.txt"
- ];
- };
- };
- };
-}
diff --git a/modules/software/networking/ipv6.nix b/modules/software/networking/ipv6.nix
deleted file mode 100644
index 274c1ae..0000000
--- a/modules/software/networking/ipv6.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- boot.kernel.sysctl = {
- "net.ipv6.conf.enp42s0.disable_ipv6" = true;
- "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
- "net.ipv6.conf.tun0.disable_ipv6" = true;
- };
-
- networking.enableIPv6 = false;
-}
diff --git a/modules/software/networking/loopback.nix b/modules/software/networking/loopback.nix
deleted file mode 100644
index 62e745e..0000000
--- a/modules/software/networking/loopback.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, ... }:
-{
- boot = {
- kernelModules = [ "v4l2loopback" ];
- extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
- };
-}
diff --git a/modules/software/networking/networkmanager.nix b/modules/software/networking/networkmanager.nix
deleted file mode 100644
index 8672759..0000000
--- a/modules/software/networking/networkmanager.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = [ pkgs.networkmanagerapplet ];
-
- networking.networkmanager = {
- enable = true;
- plugins = [ pkgs.networkmanager-openvpn ];
- # dns =
- dns = "none"; # "systemd-resolved"
- wifi.backend = "iwd";
-
- unmanaged = [
- "interface-name:tailscale*"
- "interface-name:br-*"
- "interface-name:rndis*"
- "interface-name:docker*"
- "interface-name:virbr*"
- "interface-name:vboxnet*"
- "interface-name:waydroid*"
- "type:bridge"
- ];
- };
-}
diff --git a/modules/software/networking/optimise.nix b/modules/software/networking/optimise.nix
deleted file mode 100644
index c6f2bec..0000000
--- a/modules/software/networking/optimise.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- boot = {
- kernelModules = [
- "tls"
- "tcp_bbr"
- ];
-
- kernel.sysctl = {
- # TCP hardening
- # Prevent bogus ICMP errors from filling up logs.
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
- # Reverse path filtering causes the kernel to do source validation of
- # packets received from all interfaces. This can mitigate IP spoofing.
- "net.ipv4.conf.default.rp_filter" = 1;
- "net.ipv4.conf.all.rp_filter" = 1;
- # Do not accept IP source route packets (we're not a router)
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- # Don't send ICMP redirects (again, we're on a router)
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- # Refuse ICMP redirects (MITM mitigations)
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- # Protects against SYN flood attacks
- "net.ipv4.tcp_syncookies" = 1;
- # Incomplete protection again TIME-WAIT assassination
- "net.ipv4.tcp_rfc1337" = 1;
- # And other stuff
- "net.ipv4.conf.all.log_martians" = true;
- "net.ipv4.conf.default.log_martians" = true;
- "net.ipv4.icmp_echo_ignore_broadcasts" = true;
- "net.ipv6.conf.default.accept_ra" = 0;
- "net.ipv6.conf.all.accept_ra" = 0;
- "net.ipv4.tcp_timestamps" = 0;
-
- # TCP optimization
- # TCP Fast Open is a TCP extension that reduces network latency by packing
- # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
- # both incoming and outgoing connections:
- "net.ipv4.tcp_fastopen" = 3;
- # Bufferbloat mitigations + slight improvement in throughput & latency
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
-
- # Other stuff that I am too lazy to document
- "net.core.optmem_max" = 65536;
- "net.core.rmem_default" = 1048576;
- "net.core.rmem_max" = 16777216;
- "net.core.somaxconn" = 8192;
- "net.core.wmem_default" = 1048576;
- "net.core.wmem_max" = 16777216;
- "net.ipv4.ip_local_port_range" = "16384 65535";
- "net.ipv4.tcp_max_syn_backlog" = 8192;
- "net.ipv4.tcp_max_tw_buckets" = 2000000;
- "net.ipv4.tcp_mtu_probing" = 1;
- "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.ipv4.tcp_tw_reuse" = 1;
- "net.ipv4.tcp_wmem" = "4096 65536 16777216";
- "net.ipv4.udp_rmem_min" = 8192;
- "net.ipv4.udp_wmem_min" = 8192;
- "net.netfilter.nf_conntrack_generic_timeout" = 60;
- "net.netfilter.nf_conntrack_max" = 1048576;
- "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
- "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
- };
- };
-}
diff --git a/modules/software/networking/resolved.nix b/modules/software/networking/resolved.nix
deleted file mode 100644
index 82effbe..0000000
--- a/modules/software/networking/resolved.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ secrets, ... }:
-{
- services.resolved = {
- enable = false;
- dnssec = "true";
- domains = [ "~." ];
- dnsovertls = "true";
- llmnr = "false";
-
- extraConfig = ''
- DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io
- DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io
- '';
- };
-}
diff --git a/modules/software/networking/tor.nix b/modules/software/networking/tor.nix
deleted file mode 100644
index dfbfb3a..0000000
--- a/modules/software/networking/tor.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-{
- services.tor = {
- enable = true;
- torsocks.enable = true;
-
- client = {
- enable = true;
- dns.enable = true;
- };
- };
-
- programs.proxychains = {
- enable = true;
- quietMode = false;
- proxyDNS = true;
- package = pkgs.proxychains-ng;
-
- proxies = {
- tor = {
- type = "socks5";
- host = "127.0.0.1";
- port = 9050;
- };
- };
- };
-}
diff --git a/modules/software/networking/vpn/default.nix b/modules/software/networking/vpn/default.nix
deleted file mode 100644
index 92a11b0..0000000
--- a/modules/software/networking/vpn/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./pia.nix
- ./tailscale.nix
- ];
-}
diff --git a/modules/software/networking/vpn/pia.nix b/modules/software/networking/vpn/pia.nix
deleted file mode 100644
index d52dbf8..0000000
--- a/modules/software/networking/vpn/pia.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ secrets, ... }:
-{
- services.pia = {
- enable = true;
-
- authUserPass = {
- inherit (secrets.pia) username password;
- };
- };
-}
diff --git a/modules/software/networking/vpn/tailscale.nix b/modules/software/networking/vpn/tailscale.nix
deleted file mode 100644
index 21f471a..0000000
--- a/modules/software/networking/vpn/tailscale.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, ... }:
-{
- networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
-
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- };
-
- # <https://tailscale.com/kb/1019/subnets/?tab=linux#step-1-install-the-tailscale-client>
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
-}