From ea494e9d76a76363ac9b652dc758f3daf1d499b6 Mon Sep 17 00:00:00 2001 
From: Fuwn
Date: Sun, 22 Sep 2024 14:48:17 -0700
Subject: modules: move desktop networking to desktop
---
modules/core/networking/caddy.nix | 17 -----
modules/core/networking/default.nix | 12 +---
modules/core/networking/dhcpcd.nix | 12 ----
modules/core/networking/firewall/default.nix | 11 ---
modules/core/networking/firewall/fail2ban.nix | 20 ------
modules/core/networking/i2p.nix | 86 ------------------------
modules/core/networking/ipv6.nix | 9 ---
modules/core/networking/networkmanager.nix | 22 ------
modules/core/networking/optimise.nix | 73 --------------------
modules/core/networking/resolved.nix | 17 -----
modules/core/networking/tailscale.nix | 35 ++++++++++
modules/core/networking/tor.nix | 27 -------
modules/core/networking/upnp.nix | 12 ----
modules/core/networking/vpn/default.nix | 6 --
modules/core/networking/vpn/pia.nix | 10 ---
modules/core/networking/vpn/tailscale.nix | 35 ---------
modules/desktop/default.nix | 2 +
modules/desktop/networking/caddy.nix | 17 +++++
modules/desktop/networking/default.nix | 15 +++++
modules/desktop/networking/dhcpcd.nix | 12 ++++
modules/desktop/networking/firewall/default.nix | 11 +++
modules/desktop/networking/firewall/fail2ban.nix | 20 ++++++
modules/desktop/networking/i2p.nix | 86 ++++++++++++++++++++++++
modules/desktop/networking/ipv6.nix | 9 +++
modules/desktop/networking/networkmanager.nix | 22 ++++++
modules/desktop/networking/optimise.nix | 73 ++++++++++++++++++++
modules/desktop/networking/pia.nix | 10 +++
modules/desktop/networking/resolved.nix | 17 +++++
modules/desktop/networking/tor.nix | 27 ++++++++
modules/desktop/networking/upnp.nix | 12 ++++
modules/server/default.nix | 2 +-
31 files changed, 370 insertions(+), 369 deletions(-)
delete mode 100644 modules/core/networking/caddy.nix
delete mode 100644 modules/core/networking/dhcpcd.nix
delete mode 100644 modules/core/networking/firewall/default.nix
delete mode 100644 modules/core/networking/firewall/fail2ban.nix
delete mode 100644 modules/core/networking/i2p.nix
delete mode 100644 modules/core/networking/ipv6.nix
delete mode 100644 modules/core/networking/networkmanager.nix
delete mode 100644 modules/core/networking/optimise.nix
delete mode 100644 modules/core/networking/resolved.nix
create mode 100644 modules/core/networking/tailscale.nix
delete mode 100644 modules/core/networking/tor.nix
delete mode 100644 modules/core/networking/upnp.nix
delete mode 100644 modules/core/networking/vpn/default.nix
delete mode 100644 modules/core/networking/vpn/pia.nix
delete mode 100644 modules/core/networking/vpn/tailscale.nix
create mode 100644 modules/desktop/networking/caddy.nix
create mode 100644 modules/desktop/networking/default.nix
create mode 100644 modules/desktop/networking/dhcpcd.nix
create mode 100644 modules/desktop/networking/firewall/default.nix
create mode 100644 modules/desktop/networking/firewall/fail2ban.nix
create mode 100644 modules/desktop/networking/i2p.nix
create mode 100644 modules/desktop/networking/ipv6.nix
create mode 100644 modules/desktop/networking/networkmanager.nix
create mode 100644 modules/desktop/networking/optimise.nix
create mode 100644 modules/desktop/networking/pia.nix
create mode 100644 modules/desktop/networking/resolved.nix
create mode 100644 modules/desktop/networking/tor.nix
create mode 100644 modules/desktop/networking/upnp.nix
diff --git a/modules/core/networking/caddy.nix b/modules/core/networking/caddy.nix
deleted file mode 100644
index efba3f6..0000000
--- a/modules/core/networking/caddy.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- services.caddy = {
- enable = true;
-
- virtualHosts = {
- "i2pd.localhost".extraConfig = ''
- reverse_proxy localhost:7070
- tls internal
- '';
-
- "glance.localhost".extraConfig = ''
- reverse_proxy localhost:8080
- tls internal
- '';
- };
- };
-}
diff --git a/modules/core/networking/default.nix b/modules/core/networking/default.nix
index c26099c..2874fa3 100644
--- a/modules/core/networking/default.nix
+++ b/modules/core/networking/default.nix
@@ -1,18 +1,8 @@
 { secrets, ... }:
 {
 imports = [
- ./firewall
- ./vpn
- ./caddy.nix
- ./dhcpcd.nix
- ./i2p.nix
- ./ipv6.nix
 ./loopback.nix
- ./networkmanager.nix
- ./optimise.nix
- ./resolved.nix
- ./tor.nix
- ./upnp.nix
+ ./tailscale.nix
 ];
 
 # https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2
diff --git a/modules/core/networking/dhcpcd.nix b/modules/core/networking/dhcpcd.nix
deleted file mode 100644
index f46b657..0000000
--- a/modules/core/networking/dhcpcd.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- networking.dhcpcd = {
- wait = "background";
-
- extraConfig = ''
- noarp
- nooption domain_name_servers, domain_name, domain_search, host_name
- nooption ntp_servers
- nohook resolv.conf, wpa_supplicant
- '';
- };
-}
diff --git a/modules/core/networking/firewall/default.nix b/modules/core/networking/firewall/default.nix
deleted file mode 100644
index 074f398..0000000
--- a/modules/core/networking/firewall/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- imports = [ ./fail2ban.nix ];
-
- networking.firewall = {
- enable = true;
- allowPing = false;
- logReversePathDrops = true;
- logRefusedConnections = false;
- checkReversePath = "loose";
- };
-}
diff --git a/modules/core/networking/firewall/fail2ban.nix b/modules/core/networking/firewall/fail2ban.nix
deleted file mode 100644
index 6311b14..0000000
--- a/modules/core/networking/firewall/fail2ban.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, lib, ... }:
-{
- services.fail2ban = {
- enable = false;
- banaction = "nftables-multiport";
- banaction-allports = lib.mkDefault "nftables-allport";
-
- extraPackages = with pkgs; [
- nftables
- ipset
- ];
-
- ignoreIP = [
- "10.0.0.0/8"
- "172.16.0.0/12"
- "100.64.0.0/16"
- "192.168.0.0/16"
- ];
- };
-}
diff --git a/modules/core/networking/i2p.nix b/modules/core/networking/i2p.nix
deleted file mode 100644
index 8bca73e..0000000
--- a/modules/core/networking/i2p.nix
+++ /dev/null
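Review bot: The context line `# https://discourse.nixos.org/t/rebuild-error-failed-to-start-network-manager-wait-online/41977/2` that closes this hunk annotates a NetworkManager workaround, yet the same commit moves networkmanager.nix out of core into modules/desktop/networking, so the setting that comment documents (the line after it is outside the hunk; the enclosing file continues past it) now lives in a module every host imports while the service it works around is desktop-only. If that setting is the wait-online workaround the link describes, it probably belongs beside networkmanager.nix under modules/desktop/networking; if it is meant to stay in core, a short comment such as `# kept in core: also applies where NetworkManager is not enabled` would keep the next reader from moving it.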
@@ -1,86 +0,0 @@
-{
- # https://voidcruiser.nl/rambles/i2p-on-nixos/
- containers.i2pd = {
- autoStart = true;
-
- config = {
- system.stateVersion = "24.05";
-
- networking.firewall.allowedTCPPorts = [
- 7656
- 7070
- 4447
- 4444
- ];
-
- services.i2pd =
- let
- address = "0.0.0.0";
- in
- {
- inherit address;
-
- enable = true;
- upnp.enable = true;
- bandwidth = 512;
- websocket.address = address;
- yggdrasil.address = address;
- reseed.verify = true;
-
- proto = {
- bob.address = address;
-
- i2pControl = {
- inherit address;
-
- enable = true;
- };
-
- socksProxy = {
- inherit address;
-
- enable = true;
- };
-
- http = {
- inherit address;
-
- enable = true;
- strictHeaders = false;
- };
-
- i2cp = {
- inherit address;
-
- enable = true;
- };
-
- sam = {
- inherit address;
-
- enable = true;
- };
-
- httpProxy = {
- inherit address;
-
- enable = true;
- # outproxy = "http://false.i2p";
- # outproxy = "http://purokishi.i2p:4444";
- # outproxy = "http://outproxy.acetone.i2p:3128";
- outproxy = "http://exit.stormycloud.i2p:4444";
- # outproxy = "http://outproxy.bandura.i2p:4444";
- };
- };
-
- addressbook.subscriptions = [
- "http://inr.i2p/export/alive-hosts.txt"
- "http://i2p-projekt.i2p/hosts.txt"
- "http://stats.i2p/cgi-bin/newhosts.txt"
- "http://reg.i2p/export/hosts.txt"
- "http://notbob.i2p/hosts.txt"
- ];
- };
- };
- };
-}
diff --git a/modules/core/networking/ipv6.nix b/modules/core/networking/ipv6.nix
deleted file mode 100644
index 274c1ae..0000000
--- a/modules/core/networking/ipv6.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- boot.kernel.sysctl = {
- "net.ipv6.conf.enp42s0.disable_ipv6" = true;
- "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
- "net.ipv6.conf.tun0.disable_ipv6" = true;
- };
-
- networking.enableIPv6 = false;
-}
diff --git a/modules/core/networking/networkmanager.nix b/modules/core/networking/networkmanager.nix
deleted file mode 100644
index 7ef0e04..0000000
--- a/modules/core/networking/networkmanager.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = [ pkgs.networkmanagerapplet ];
-
- networking.networkmanager = {
- enable = true;
- plugins = [ pkgs.networkmanager-openvpn ];
- dns = "none"; # "systemd-resolved"
- wifi.backend = "iwd";
-
- unmanaged = [
- "interface-name:tailscale*"
- "interface-name:br-*"
- "interface-name:rndis*"
- "interface-name:docker*"
- "interface-name:virbr*"
- "interface-name:vboxnet*"
- "interface-name:waydroid*"
- "type:bridge"
- ];
- };
-}
diff --git a/modules/core/networking/optimise.nix b/modules/core/networking/optimise.nix
deleted file mode 100644
index c6f2bec..0000000
--- a/modules/core/networking/optimise.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- boot = {
- kernelModules = [
- "tls"
- "tcp_bbr"
- ];
-
- kernel.sysctl = {
- # TCP hardening
- # Prevent bogus ICMP errors from filling up logs.
- "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
- # Reverse path filtering causes the kernel to do source validation of
- # packets received from all interfaces. This can mitigate IP spoofing.
- "net.ipv4.conf.default.rp_filter" = 1;
- "net.ipv4.conf.all.rp_filter" = 1;
- # Do not accept IP source route packets (we're not a router)
- "net.ipv4.conf.all.accept_source_route" = 0;
- "net.ipv6.conf.all.accept_source_route" = 0;
- # Don't send ICMP redirects (again, we're on a router)
- "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
- # Refuse ICMP redirects (MITM mitigations)
- "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
- "net.ipv4.conf.all.secure_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- # Protects against SYN flood attacks
- "net.ipv4.tcp_syncookies" = 1;
- # Incomplete protection again TIME-WAIT assassination
- "net.ipv4.tcp_rfc1337" = 1;
- # And other stuff
- "net.ipv4.conf.all.log_martians" = true;
- "net.ipv4.conf.default.log_martians" = true;
- "net.ipv4.icmp_echo_ignore_broadcasts" = true;
- "net.ipv6.conf.default.accept_ra" = 0;
- "net.ipv6.conf.all.accept_ra" = 0;
- "net.ipv4.tcp_timestamps" = 0;
-
- # TCP optimization
- # TCP Fast Open is a TCP extension that reduces network latency by packing
- # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
- # both incoming and outgoing connections:
- "net.ipv4.tcp_fastopen" = 3;
- # Bufferbloat mitigations + slight improvement in throughput & latency
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.core.default_qdisc" = "cake";
-
- # Other stuff that I am too lazy to document
- "net.core.optmem_max" = 65536;
- "net.core.rmem_default" = 1048576;
- "net.core.rmem_max" = 16777216;
- "net.core.somaxconn" = 8192;
- "net.core.wmem_default" = 1048576;
- "net.core.wmem_max" = 16777216;
- "net.ipv4.ip_local_port_range" = "16384 65535";
- "net.ipv4.tcp_max_syn_backlog" = 8192;
- "net.ipv4.tcp_max_tw_buckets" = 2000000;
- "net.ipv4.tcp_mtu_probing" = 1;
- "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.ipv4.tcp_tw_reuse" = 1;
- "net.ipv4.tcp_wmem" = "4096 65536 16777216";
- "net.ipv4.udp_rmem_min" = 8192;
- "net.ipv4.udp_wmem_min" = 8192;
- "net.netfilter.nf_conntrack_generic_timeout" = 60;
- "net.netfilter.nf_conntrack_max" = 1048576;
- "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
- "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
- };
- };
-}
diff --git a/modules/core/networking/resolved.nix b/modules/core/networking/resolved.nix
deleted file mode 100644
index 82effbe..0000000
--- a/modules/core/networking/resolved.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ secrets, ... }:
-{
- services.resolved = {
- enable = false;
- dnssec = "true";
- domains = [ "~." ];
- dnsovertls = "true";
- llmnr = "false";
-
- extraConfig = ''
- DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io
- DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io
- DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io
- '';
- };
-}
diff --git a/modules/core/networking/tailscale.nix b/modules/core/networking/tailscale.nix
new file mode 100644
index 0000000..0228915
--- /dev/null
+++ b/modules/core/networking/tailscale.nix
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+
+ #
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ services = {
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ authKeyFile = config.sops.secrets.tailscale_authentication_key.path;
+ };
+
+ networkd-dispatcher = {
+ enable = true;
+
+ rules."50-tailscale" = {
+ onState = [ "routable" ];
+
+ script = ''
+ ${lib.getExe pkgs.ethtool} -K enp42s0 rx-udp-gro-forwarding on rx-gro-list off
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/core/networking/tor.nix b/modules/core/networking/tor.nix
deleted file mode 100644
index dfbfb3a..0000000
--- a/modules/core/networking/tor.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-{
- services.tor = {
- enable = true;
- torsocks.enable = true;
-
- client = {
- enable = true;
- dns.enable = true;
- };
- };
-
- programs.proxychains = {
- enable = true;
- quietMode = false;
- proxyDNS = true;
- package = pkgs.proxychains-ng;
-
- proxies = {
- tor = {
- type = "socks5";
- host = "127.0.0.1";
- port = 9050;
- };
- };
- };
-}
diff --git a/modules/core/networking/upnp.nix b/modules/core/networking/upnp.nix
deleted file mode 100644
index 998592a..0000000
--- a/modules/core/networking/upnp.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- services.miniupnpd = {
- enable = true;
- natpmp = true;
- externalInterface = "enp42s0";
-
- internalIPs = [
- "enp42s0"
- "wlan0"
- ];
- };
-}
diff --git a/modules/core/networking/vpn/default.nix b/modules/core/networking/vpn/default.nix
deleted file mode 100644
index 92a11b0..0000000
--- a/modules/core/networking/vpn/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./pia.nix
- ./tailscale.nix
- ];
-}
diff --git a/modules/core/networking/vpn/pia.nix b/modules/core/networking/vpn/pia.nix
deleted file mode 100644
index d52dbf8..0000000
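Review bot: The networkd-dispatcher script in this hunk hard-codes a desktop NIC name, `${lib.getExe pkgs.ethtool} -K enp42s0 rx-udp-gro-forwarding on rx-gro-list off`, but the file now sits in core and is imported by modules/server/default.nix, so every host gets a rule that presumes that interface exists and ethtool will fail on each `routable` transition wherever it does not. Consider a per-host option for the interface name instead of the literal, or keep the dispatcher rule with the desktop modules. The bare `#` above `boot.kernel.sysctl` should say what the block is for, e.g. `# forwarding is required for useRoutingFeatures = "both" (subnet router / exit node)`; I believe the NixOS tailscale module already sets forwarding sysctls for that value, so the comment should also say whether the explicit block is deliberate. Note too that `trustedInterfaces` exempts the whole tailnet from the host firewall, so any service bound to 0.0.0.0 on these hosts becomes reachable by every peer.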
--- a/modules/core/networking/vpn/pia.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ secrets, ... }:
-{
- services.pia = {
- enable = true;
-
- authUserPass = {
- inherit (secrets.pia) username password;
- };
- };
-}
diff --git a/modules/core/networking/vpn/tailscale.nix b/modules/core/networking/vpn/tailscale.nix
deleted file mode 100644
index 0228915..0000000
--- a/modules/core/networking/vpn/tailscale.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
-
- #
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
-
- services = {
- tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- authKeyFile = config.sops.secrets.tailscale_authentication_key.path;
- };
-
- networkd-dispatcher = {
- enable = true;
-
- rules."50-tailscale" = {
- onState = [ "routable" ];
-
- script = ''
- ${lib.getExe pkgs.ethtool} -K enp42s0 rx-udp-gro-forwarding on rx-gro-list off
- '';
- };
- };
- };
-}
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
index f50ffba..f20e009 100644
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@@ -1,4 +1,6 @@
 { config, ... }:
 {
+ imports = [ ./networking ];
+
 sops.defaultSopsFile = ../../secrets/${config.networking.hostName}.yaml;
 }
diff --git a/modules/desktop/networking/caddy.nix b/modules/desktop/networking/caddy.nix
new file mode 100644
index 0000000..efba3f6
--- /dev/null
+++ b/modules/desktop/networking/caddy.nix
@@ -0,0 +1,17 @@
+{
+ services.caddy = {
+ enable = true;
+
+ virtualHosts = {
+ "i2pd.localhost".extraConfig = ''
+ reverse_proxy localhost:7070
+ tls internal
+ '';
+
+ "glance.localhost".extraConfig = ''
+ reverse_proxy localhost:8080
+ tls internal
+ '';
+ };
+ };
+}
diff --git a/modules/desktop/networking/default.nix b/modules/desktop/networking/default.nix
new file mode 100644
index 0000000..3148acd
--- /dev/null
+++ b/modules/desktop/networking/default.nix
@@ -0,0 +1,15 @@
+{
+ imports = [
+ ./firewall
+ ./caddy.nix
+ ./dhcpcd.nix
+ ./i2p.nix
+ ./ipv6.nix
+ ./networkmanager.nix
+ ./optimise.nix
+ ./pia.nix
+ ./resolved.nix
+ ./tor.nix
+ ./upnp.nix
+ ];
+}
diff --git a/modules/desktop/networking/dhcpcd.nix b/modules/desktop/networking/dhcpcd.nix
new file mode 100644
index 0000000..f46b657
--- /dev/null
+++ b/modules/desktop/networking/dhcpcd.nix
@@ -0,0 +1,12 @@
+{
+ networking.dhcpcd = {
+ wait = "background";
+
+ extraConfig = ''
+ noarp
+ nooption domain_name_servers, domain_name, domain_search, host_name
+ nooption ntp_servers
+ nohook resolv.conf, wpa_supplicant
+ '';
+ };
+}
diff --git a/modules/desktop/networking/firewall/default.nix b/modules/desktop/networking/firewall/default.nix
new file mode 100644
index 0000000..074f398
--- /dev/null
+++ b/modules/desktop/networking/firewall/default.nix
@@ -0,0 +1,11 @@
+{
+ imports = [ ./fail2ban.nix ];
+
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+ checkReversePath = "loose";
+ };
+}
diff --git a/modules/desktop/networking/firewall/fail2ban.nix b/modules/desktop/networking/firewall/fail2ban.nix
new file mode 100644
index 0000000..6311b14
--- /dev/null
+++ b/modules/desktop/networking/firewall/fail2ban.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }:
+{
+ services.fail2ban = {
+ enable = false;
+ banaction = "nftables-multiport";
+ banaction-allports = lib.mkDefault "nftables-allport";
+
+ extraPackages = with pkgs; [
+ nftables
+ ipset
+ ];
+
+ ignoreIP = [
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "100.64.0.0/16"
+ "192.168.0.0/16"
+ ];
+ };
+}
diff --git a/modules/desktop/networking/i2p.nix b/modules/desktop/networking/i2p.nix
new file mode 100644
index 0000000..8bca73e
--- /dev/null
+++ b/modules/desktop/networking/i2p.nix
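Review bot: `"100.64.0.0/16"` in the fail2ban `ignoreIP` list looks like an attempt to exempt the Tailscale/CGNAT address space, but that space is 100.64.0.0/10; a /16 covers only 100.64.0.0 through 100.64.255.255, so most tailnet peers would still be bannable. The service is `enable = false` in this hunk, so nothing changes today, but whoever turns it on inherits the mismatch; if the tailnet is the intent, use `"100.64.0.0/10" # CGNAT range used by Tailscale`. If the /16 is deliberate, a comment saying so would stop the next reader from "fixing" it.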
@@ -0,0 +1,86 @@
+{
+ # https://voidcruiser.nl/rambles/i2p-on-nixos/
+ containers.i2pd = {
+ autoStart = true;
+
+ config = {
+ system.stateVersion = "24.05";
+
+ networking.firewall.allowedTCPPorts = [
+ 7656
+ 7070
+ 4447
+ 4444
+ ];
+
+ services.i2pd =
+ let
+ address = "0.0.0.0";
+ in
+ {
+ inherit address;
+
+ enable = true;
+ upnp.enable = true;
+ bandwidth = 512;
+ websocket.address = address;
+ yggdrasil.address = address;
+ reseed.verify = true;
+
+ proto = {
+ bob.address = address;
+
+ i2pControl = {
+ inherit address;
+
+ enable = true;
+ };
+
+ socksProxy = {
+ inherit address;
+
+ enable = true;
+ };
+
+ http = {
+ inherit address;
+
+ enable = true;
+ strictHeaders = false;
+ };
+
+ i2cp = {
+ inherit address;
+
+ enable = true;
+ };
+
+ sam = {
+ inherit address;
+
+ enable = true;
+ };
+
+ httpProxy = {
+ inherit address;
+
+ enable = true;
+ # outproxy = "http://false.i2p";
+ # outproxy = "http://purokishi.i2p:4444";
+ # outproxy = "http://outproxy.acetone.i2p:3128";
+ outproxy = "http://exit.stormycloud.i2p:4444";
+ # outproxy = "http://outproxy.bandura.i2p:4444";
+ };
+ };
+
+ addressbook.subscriptions = [
+ "http://inr.i2p/export/alive-hosts.txt"
+ "http://i2p-projekt.i2p/hosts.txt"
+ "http://stats.i2p/cgi-bin/newhosts.txt"
+ "http://reg.i2p/export/hosts.txt"
+ "http://notbob.i2p/hosts.txt"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/desktop/networking/ipv6.nix b/modules/desktop/networking/ipv6.nix
new file mode 100644
index 0000000..274c1ae
--- /dev/null
+++ b/modules/desktop/networking/ipv6.nix
@@ -0,0 +1,9 @@
+{
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.enp42s0.disable_ipv6" = true;
+ "net.ipv6.conf.wlp4s0.disable_ipv6" = true;
+ "net.ipv6.conf.tun0.disable_ipv6" = true;
+ };
+
+ networking.enableIPv6 = false;
+}
diff --git a/modules/desktop/networking/networkmanager.nix b/modules/desktop/networking/networkmanager.nix
new file mode 100644
index 0000000..7ef0e04
--- /dev/null
+++ b/modules/desktop/networking/networkmanager.nix
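Review bot: `address = "0.0.0.0"` is inherited by every i2pd listener in this hunk (SAM, I2CP, I2PControl, BOB, the SOCKS and HTTP proxies, websocket), and the container declares no `privateNetwork`, so unless that is set elsewhere it shares the host's network namespace and those control and proxy ports are bound on every host interface, including the Tailscale interface that modules/core/networking/tailscale.nix exempts from the firewall via `trustedInterfaces`. The only consumer visible in this commit is Caddy's `reverse_proxy localhost:7070`, which loopback already serves, so `address = "127.0.0.1";` would cover it; if wider binding is really needed, a comment naming which peers are expected to connect would justify it. `strictHeaders = false` on the HTTP interface deserves a one-line reason as well.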
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.networkmanagerapplet ];
+
+ networking.networkmanager = {
+ enable = true;
+ plugins = [ pkgs.networkmanager-openvpn ];
+ dns = "none"; # "systemd-resolved"
+ wifi.backend = "iwd";
+
+ unmanaged = [
+ "interface-name:tailscale*"
+ "interface-name:br-*"
+ "interface-name:rndis*"
+ "interface-name:docker*"
+ "interface-name:virbr*"
+ "interface-name:vboxnet*"
+ "interface-name:waydroid*"
+ "type:bridge"
+ ];
+ };
+}
diff --git a/modules/desktop/networking/optimise.nix b/modules/desktop/networking/optimise.nix
new file mode 100644
index 0000000..c6f2bec
--- /dev/null
+++ b/modules/desktop/networking/optimise.nix
@@ -0,0 +1,73 @@
+{
+ boot = {
+ kernelModules = [
+ "tls"
+ "tcp_bbr"
+ ];
+
+ kernel.sysctl = {
+ # TCP hardening
+ # Prevent bogus ICMP errors from filling up logs.
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # Reverse path filtering causes the kernel to do source validation of
+ # packets received from all interfaces. This can mitigate IP spoofing.
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Do not accept IP source route packets (we're not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're on a router)
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # Refuse ICMP redirects (MITM mitigations)
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # Protects against SYN flood attacks
+ "net.ipv4.tcp_syncookies" = 1;
+ # Incomplete protection again TIME-WAIT assassination
+ "net.ipv4.tcp_rfc1337" = 1;
+ # And other stuff
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.default.log_martians" = true;
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ "net.ipv6.conf.default.accept_ra" = 0;
+ "net.ipv6.conf.all.accept_ra" = 0;
+ "net.ipv4.tcp_timestamps" = 0;
+
+ # TCP optimization
+ # TCP Fast Open is a TCP extension that reduces network latency by packing
+ # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+ # both incoming and outgoing connections:
+ "net.ipv4.tcp_fastopen" = 3;
+ # Bufferbloat mitigations + slight improvement in throughput & latency
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.default_qdisc" = "cake";
+
+ # Other stuff that I am too lazy to document
+ "net.core.optmem_max" = 65536;
+ "net.core.rmem_default" = 1048576;
+ "net.core.rmem_max" = 16777216;
+ "net.core.somaxconn" = 8192;
+ "net.core.wmem_default" = 1048576;
+ "net.core.wmem_max" = 16777216;
+ "net.ipv4.ip_local_port_range" = "16384 65535";
+ "net.ipv4.tcp_max_syn_backlog" = 8192;
+ "net.ipv4.tcp_max_tw_buckets" = 2000000;
+ "net.ipv4.tcp_mtu_probing" = 1;
+ "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+ "net.ipv4.tcp_slow_start_after_idle" = 0;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+ "net.ipv4.udp_rmem_min" = 8192;
+ "net.ipv4.udp_wmem_min" = 8192;
+ "net.netfilter.nf_conntrack_generic_timeout" = 60;
+ "net.netfilter.nf_conntrack_max" = 1048576;
+ "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+ "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+ };
+ };
+}
diff --git a/modules/desktop/networking/pia.nix b/modules/desktop/networking/pia.nix
new file mode 100644
index 0000000..d52dbf8
--- /dev/null
+++ b/modules/desktop/networking/pia.nix
@@ -0,0 +1,10 @@
+{ secrets, ... }:
+{
+ services.pia = {
+ enable = true;
+
+ authUserPass = {
+ inherit (secrets.pia) username password;
+ };
+ };
+}
diff --git a/modules/desktop/networking/resolved.nix b/modules/desktop/networking/resolved.nix
new file mode 100644
index 0000000..82effbe
--- /dev/null
+++ b/modules/desktop/networking/resolved.nix
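Review bot: Two comments in the optimise.nix hunk contradict the settings they annotate: `# Don't send ICMP redirects (again, we're on a router)` should read `# Don't send ICMP redirects (again, we're not a router)`, matching the source-route comment just above it, and `# Incomplete protection again TIME-WAIT assassination` should say `against`. Also worth a line: `"net.ipv4.tcp_tw_reuse" = 1` relies on TCP timestamps, which `"net.ipv4.tcp_timestamps" = 0` earlier in the same block turns off, so as far as I can tell the reuse setting is inert as written; a comment stating which of the two is intended would help. The `# Other stuff that I am too lazy to document` section is exactly where a reader most needs at least the source the values were taken from.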
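Review bot: `inherit (secrets.pia) username password;` in the pia.nix hunk passes the VPN credentials into the evaluated configuration as plain Nix strings, and anything that reaches a generated config file ends up in the world-readable Nix store unless the `services.pia` module (not part of this commit) deliberately reads them at activation time, which I cannot tell from here. The tailscale module in this same commit uses the file-path pattern (`authKeyFile = config.sops.secrets.tailscale_authentication_key.path`); if `services.pia` offers a file-based credential option, prefer that, otherwise add a comment recording that the store exposure is accepted. The same question applies to `${secrets.nextdns_id}` in resolved.nix, though that service is disabled.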
@@ -0,0 +1,17 @@
+{ secrets, ... }:
+{
+ services.resolved = {
+ enable = false;
+ dnssec = "true";
+ domains = [ "~." ];
+ dnsovertls = "true";
+ llmnr = "false";
+
+ extraConfig = ''
+ DNS=45.90.28.0#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=2a07:a8c0::#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=45.90.30.0#${secrets.nextdns_id}.dns.nextdns.io
+ DNS=2a07:a8c1::#${secrets.nextdns_id}.dns.nextdns.io
+ '';
+ };
+}
diff --git a/modules/desktop/networking/tor.nix b/modules/desktop/networking/tor.nix
new file mode 100644
index 0000000..dfbfb3a
--- /dev/null
+++ b/modules/desktop/networking/tor.nix
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+ services.tor = {
+ enable = true;
+ torsocks.enable = true;
+
+ client = {
+ enable = true;
+ dns.enable = true;
+ };
+ };
+
+ programs.proxychains = {
+ enable = true;
+ quietMode = false;
+ proxyDNS = true;
+ package = pkgs.proxychains-ng;
+
+ proxies = {
+ tor = {
+ type = "socks5";
+ host = "127.0.0.1";
+ port = 9050;
+ };
+ };
+ };
+}
diff --git a/modules/desktop/networking/upnp.nix b/modules/desktop/networking/upnp.nix
new file mode 100644
index 0000000..998592a
--- /dev/null
+++ b/modules/desktop/networking/upnp.nix
@@ -0,0 +1,12 @@
+{
+ services.miniupnpd = {
+ enable = true;
+ natpmp = true;
+ externalInterface = "enp42s0";
+
+ internalIPs = [
+ "enp42s0"
+ "wlan0"
+ ];
+ };
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index f5ba744..c5df823 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
 imports = [
- ../core/networking/vpn/tailscale.nix
+ ../core/networking/tailscale.nix
 ../core/security/sops.nix
 ../core/nix
 ./networking
-- 
cgit v1.2.3