Diffstat (limited to 'modules/system/networking')
| -rw-r--r-- | modules/system/networking/default.nix | 33 | ||||
| -rw-r--r-- | modules/system/networking/dhcpcd.nix | 6 | ||||
| -rw-r--r-- | modules/system/networking/fail2ban.nix | 18 | ||||
| -rw-r--r-- | modules/system/networking/firewall.nix | 12 | ||||
| -rw-r--r-- | modules/system/networking/ipv6.nix | 9 | ||||
| -rw-r--r-- | modules/system/networking/loopback.nix | 7 | ||||
| -rw-r--r-- | modules/system/networking/networkmanager.nix | 22 | ||||
| -rw-r--r-- | modules/system/networking/optimise.nix | 73 | ||||
| -rw-r--r-- | modules/system/networking/resolved.nix | 15 | ||||
| -rw-r--r-- | modules/system/networking/tor.nix | 6 | ||||
| -rw-r--r-- | modules/system/networking/vpn/default.nix | 6 | ||||
| -rw-r--r-- | modules/system/networking/vpn/pia.nix | 10 | ||||
| -rw-r--r-- | modules/system/networking/vpn/tailscale.nix | 4 |
13 files changed, 221 insertions, 0 deletions
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix
new file mode 100644
index 0000000..96f89d0
--- /dev/null
+++ b/modules/system/networking/default.nix
@@ -0,0 +1,33 @@
+{
+ imports = [
+ ./vpn
+ ./dhcpcd.nix
+ ./fail2ban.nix
+ ./firewall.nix
+ ./ipv6.nix
+ ./loopback.nix
+ ./networkmanager.nix
+ ./optimise.nix
+ ./resolved.nix
+ ./tor.nix
+ ];
+
+ networking = {
+ hostName = "kansai";
+ nftables.enable = true;
+
+ nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ ];
+
+ timeServers = [
+ "0.nixos.pool.ntp.org"
+ "1.nixos.pool.ntp.org"
+ "2.nixos.pool.ntp.org"
+ "3.nixos.pool.ntp.org"
+ ];
+ };
+}
diff --git a/modules/system/networking/dhcpcd.nix b/modules/system/networking/dhcpcd.nix
new file mode 100644
index 0000000..99ac0f3
--- /dev/null
+++ b/modules/system/networking/dhcpcd.nix
@@ -0,0 +1,6 @@
+{
+ networking.dhcpcd = {
+ wait = "background";
+ extraConfig = "noarp";
+ };
+}
diff --git a/modules/system/networking/fail2ban.nix b/modules/system/networking/fail2ban.nix
new file mode 100644
index 0000000..fa45565
--- /dev/null
+++ b/modules/system/networking/fail2ban.nix
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+{
+ services.fail2ban = {
+ enable = false;
+
+ ignoreIP = [
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ ];
+
+ jails.sshd.settings = {
+ enabled = true;
+ filter = "sshd[mode=aggressive]";
+ port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports);
+ };
+ };
+}
diff --git a/modules/system/networking/firewall.nix b/modules/system/networking/firewall.nix
new file mode 100644
index 0000000..569089c
--- /dev/null
+++ b/modules/system/networking/firewall.nix
@@ -0,0 +1,12 @@
+{
+ networking.firewall = {
+ enable = true;
+ allowedUDPPorts = [ 53 ];
+ allowPing = false;
+
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
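Review bot: `enable = false;` in fail2ban.nix makes the whole block inert: no fail2ban service is generated, so the `jails.sshd` settings below it, including the `config.services.openssh.ports` wiring, are never exercised. If it is meant to stay off for now, say so on the line, e.g. `enable = false; # TODO: enable once sshd is reachable; jail config below is ready`; otherwise flip it to `true`. Separately, `ignoreIP` exempts every RFC 1918 range, so repeated SSH failures from the LAN or from a tunnel that hands out private addresses are never banned — a one-line comment stating that this is intended would make the exemption reviewable.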
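Review bot: firewall.nix opens TCP 80/443 and UDP 53 on every interface, yet nothing in this commit runs a web server or a DNS listener (systemd-resolved's stub binds only the loopback), so these are standing openings with no owning service. Opening ports beside the service that needs them, or scoping them to one link with `networking.firewall.interfaces.<iface>.allowedTCPPorts`, keeps the rule from outliving the service that justified it. If inbound 53 is for a specific resolver, name it on the line, `allowedUDPPorts = [ 53 ]; # for: <service-placeholder>`, so the next reader does not have to guess.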
diff --git a/modules/system/networking/ipv6.nix b/modules/system/networking/ipv6.nix
new file mode 100644
index 0000000..274c1ae
--- /dev/null
+++ b/modules/system/networking/ipv6.nix
@@ -0,0 +1,9 @@
+{
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.enp42s0.disable_ipv6" = true;
+ "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
+ "net.ipv6.conf.tun0.disable_ipv6" = true;
+ };
+
+ networking.enableIPv6 = false;
+}
diff --git a/modules/system/networking/loopback.nix b/modules/system/networking/loopback.nix
new file mode 100644
index 0000000..62e745e
--- /dev/null
+++ b/modules/system/networking/loopback.nix
@@ -0,0 +1,7 @@
+{ config, ... }:
+{
+ boot = {
+ kernelModules = [ "v4l2loopback" ];
+ extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+ };
+}
diff --git a/modules/system/networking/networkmanager.nix b/modules/system/networking/networkmanager.nix
new file mode 100644
index 0000000..e5fdfc1
--- /dev/null
+++ b/modules/system/networking/networkmanager.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.networkmanagerapplet ];
+
+ networking.networkmanager = {
+ enable = true;
+ plugins = [ pkgs.networkmanager-openvpn ];
+ dns = "systemd-resolved";
+ wifi.backend = "iwd";
+
+ unmanaged = [
+ "interface-name:tailscale*"
+ "interface-name:br-*"
+ "interface-name:rndis*"
+ "interface-name:docker*"
+ "interface-name:virbr*"
+ "interface-name:vboxnet*"
+ "interface-name:waydroid*"
+ "type:bridge"
+ ];
+ };
+}
diff --git a/modules/system/networking/optimise.nix b/modules/system/networking/optimise.nix
new file mode 100644
index 0000000..c6f2bec
--- /dev/null
+++ b/modules/system/networking/optimise.nix
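Review bot: the per-interface `disable_ipv6` sysctls in ipv6.nix are pinned to interface names (`enp42s0`, `wlp4s0`, `tun0`) that may not exist when sysctl settings are applied at boot — `tun0` in particular only appears once the VPN is up — and a `net.ipv6.conf.<iface>` key for a missing interface makes that sysctl fail. `networking.enableIPv6 = false` should already set the `all`/`default` `disable_ipv6` knobs, which also cover interfaces created later (from memory of the NixOS networking module; confirm against `nixos/modules/tasks/network-interfaces.nix`), so the three explicit lines look redundant and can go. If they stay, prefer `= 1` over `= true` to match the integer values used for the sysctls in optimise.nix.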
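Review bot: loopback.nix has nothing to do with networking — `v4l2loopback` is a virtual video device module — and the file name reads as if it configured the `lo` interface. It belongs with the hardware/video modules under a name that says what it does (e.g. `v4l2loopback.nix`), and since it loads an out-of-tree module from `config.boot.kernelPackages`, a comment naming the consumer (`# virtual webcam for <app-placeholder>`) would record why the extra kernel surface is wanted.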
@@ -0,0 +1,73 @@
+{
+ boot = {
+ kernelModules = [
+ "tls"
+ "tcp_bbr"
+ ];
+
+ kernel.sysctl = {
+ # TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets (we're not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're on a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+ # And other stuff
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.default.log_martians" = true;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv4.tcp_timestamps" = 0;
+
+ # TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+
+ # Other stuff that I am too lazy to document
+ "net.core.optmem_max" = 65536;
+ "net.core.rmem_default" = 1048576;
+ "net.core.rmem_max" = 16777216;
+ "net.core.somaxconn" = 8192;
+ "net.core.wmem_default" = 1048576;
+ "net.core.wmem_max" = 16777216;
+ "net.ipv4.ip_local_port_range" = "16384 65535";
+ "net.ipv4.tcp_max_syn_backlog" = 8192;
+ "net.ipv4.tcp_max_tw_buckets" = 2000000;
+ "net.ipv4.tcp_mtu_probing" = 1;
+ "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+ "net.ipv4.tcp_slow_start_after_idle" = 0;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+ "net.ipv4.udp_rmem_min" = 8192;
+ "net.ipv4.udp_wmem_min" = 8192;
+ "net.netfilter.nf_conntrack_generic_timeout" = 60;
+ "net.netfilter.nf_conntrack_max" = 1048576;
+ "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+ "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+ };
+ };
+}
diff --git a/modules/system/networking/resolved.nix b/modules/system/networking/resolved.nix
new file mode 100644
index 0000000..632ca7a
--- /dev/null
+++ b/modules/system/networking/resolved.nix
@@ -0,0 +1,15 @@
+{
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ dnsovertls = "true";
+
+ fallbackDns = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ ];
+ };
+}
diff --git a/modules/system/networking/tor.nix b/modules/system/networking/tor.nix
new file mode 100644
index 0000000..3e3831f
--- /dev/null
+++ b/modules/system/networking/tor.nix
@@ -0,0 +1,6 @@
+{
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+}
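Review bot: `"net.ipv4.tcp_timestamps" = 0;` in optimise.nix conflicts with `"net.ipv4.tcp_tw_reuse" = 1;` further down the same block: the kernel only reuses TIME-WAIT sockets when both peers carry timestamps, so with timestamps off the reuse setting is a no-op, and turning timestamps off also discards PAWS sequence-wrap protection, which undercuts the hardening intent of the `tcp_rfc1337` line beside it. Either keep timestamps on (`"net.ipv4.tcp_timestamps" = 1;`) or drop `tcp_tw_reuse` and say why in the comment. `"net.ipv4.tcp_fastopen" = 3;` also switches on the server side of TFO, which only matters once a listener exists; `1` (client only) is the smaller surface until then. Two comment fixes while here: `# Don't send ICMP redirects (again, we're on a router)` should read `we're not a router`, and `# Incomplete protection again TIME-WAIT assassination` should read `against`.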
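Review bot: the four `fallbackDns` entries in resolved.nix are the same servers set as `networking.nameservers` in default.nix, so the list is maintained twice and a fallback identical to the primary set falls back to nothing new; either reference the one list (`fallbackDns = config.networking.nameservers;`, adding `config` to the module arguments) or drop `fallbackDns` and let resolved's built-in fallbacks apply. With `dnssec = "true"` and `dnsovertls = "true"` both strict and `domains = [ "~." ]` routing every lookup through the global servers, captive-portal networks will not resolve until authenticated; a comment such as `# strict DoT+DNSSEC: captive portals need a manual override` records that the trade-off is deliberate.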
diff --git a/modules/system/networking/vpn/default.nix b/modules/system/networking/vpn/default.nix
new file mode 100644
index 0000000..92a11b0
--- /dev/null
+++ b/modules/system/networking/vpn/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./pia.nix
+ ./tailscale.nix
+ ];
+}
diff --git a/modules/system/networking/vpn/pia.nix b/modules/system/networking/vpn/pia.nix
new file mode 100644
index 0000000..d52dbf8
--- /dev/null
+++ b/modules/system/networking/vpn/pia.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ services.pia = {
+ enable = true;
+
+ authUserPass = {
+ inherit (secrets.pia) username password;
+ };
+ };
+}
diff --git a/modules/system/networking/vpn/tailscale.nix b/modules/system/networking/vpn/tailscale.nix
new file mode 100644
index 0000000..5d51594
--- /dev/null
+++ b/modules/system/networking/vpn/tailscale.nix
@@ -0,0 +1,4 @@
+{
+ services.tailscale.enable = true;
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+}
|
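Review bot: `inherit (secrets.pia) username password;` in pia.nix hands the PIA credentials to the module as plain Nix strings, so unless `services.pia` writes `authUserPass` only to a runtime-private path, they end up in a world-readable `/nix/store` derivation and in every host the closure is copied to. `services.pia` is not an upstream NixOS option, so this is a hedge on what that custom module does with the value; if it offers a file-based variant, prefer it (shape: `<file-option-placeholder> = <path-to-secret-file>;` pointing at an agenix/sops-managed file), and if only the inline form exists, say at the block why that is acceptable for this machine.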
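Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ];` in tailscale.nix disables the firewall entirely for that interface, so every listener bound to all addresses becomes reachable from any device on the tailnet, not just the ports opened in firewall.nix. If only a few services are meant to be shared, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ <ports-placeholder> ];` scopes the exposure to those, and a comment on what the trusted interface is for keeps the decision reviewable.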