author | Kenny Ballou <kb@devnulllabs.io> | 2021-07-23 11:36:49 -0600 |
---|---|---|
committer | Kenny Ballou <kb@devnulllabs.io> | 2021-07-23 11:39:30 -0600 |
commit | 5a26ebf03cb3a3a2f16b2dc182c65424554870ba (patch) | |
tree | 7380a712fa7ebe339916ad7029e3b64e6c16e97e | |
parent | 1f00d242d279e650edc5309bf0d3874b3534570b (diff) | |
Stop NetworkManager from writing `/etc/resolv.conf` and use the
configured DNS servers with DNS over TLS.
Prune the list of nameservers, as Level3 and OpenDNS do not currently
support DoT.
Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
-rw-r--r-- | daeva/configuration.nix | 5 | ||||
-rw-r--r-- | daeva/nftables-rules.nft | 2 | ||||
-rw-r--r-- | eligos/nftables-rules.nft | 2 | ||||
-rw-r--r-- | services/networkmanager.nix | 10 | ||||
-rw-r--r-- | services/resolved.nix | 21 | ||||
-rw-r--r-- | system/networking.nix | 15 |
6 files changed, 43 insertions, 12 deletions
diff --git a/daeva/configuration.nix b/daeva/configuration.nix
index fa0a9b1..f3a8481 100644
--- a/daeva/configuration.nix
+++ b/daeva/configuration.nix
@@ -14,11 +14,12 @@
 ../secrets.nix
 ../services/clamav.nix
 ../services/dbus.nix
- ../services/dnsmasq.nix
+ ../services/resolved.nix
 ../services/firewall.nix
 ../services/kde.nix
 ../services/haveged.nix
 ../services/logind.nix
+ ../services/networkmanager.nix
 ../services/podman.nix
 ../services/printing.nix
 ../services/sound.nix
@@ -42,7 +43,7 @@
 ../system/wireshark.nix
 ../system/yubikey-gpg.nix
 ../unfree.nix
- ];
+ ];
 # Use the GRUB 2 boot loader.
 boot.loader.systemd-boot = {
diff --git a/daeva/nftables-rules.nft b/daeva/nftables-rules.nft
index 43234cd..0bc9d54 100644
--- a/daeva/nftables-rules.nft
+++ b/daeva/nftables-rules.nft
@@ -30,6 +30,8 @@ table inet filter {
 icmp type echo-request counter accept
 icmp type echo-reply counter accept
 udp dport domain counter accept
+ tcp dport domain-s counter accept
+ udp dport domain-s counter accept
 tcp dport http counter accept
 tcp dport https counter accept
 udp dport https counter accept
diff --git a/eligos/nftables-rules.nft b/eligos/nftables-rules.nft
index c26071e..d051a6d 100644
--- a/eligos/nftables-rules.nft
+++ b/eligos/nftables-rules.nft
@@ -39,6 +39,8 @@ table inet filter {
 iif lo oif lo counter accept
 ip saddr 127.0.0.1 ip daddr 127.0.0.1/8 counter accept
 udp dport domain counter accept
+ tcp dport domain-s counter accept
+ udp dport domain-s counter accept
 tcp dport http counter accept
 tcp dport https counter accept
 tcp dport ssh counter accept
diff --git a/services/networkmanager.nix b/services/networkmanager.nix
index a12d271..b7e526d 100644
--- a/services/networkmanager.nix
+++ b/services/networkmanager.nix
@@ -2,14 +2,6 @@
 {
 networking.networkmanager = {
 enable = true;
- # dnsmasq will handle this...
- dns = "none";
- appendNameservers = [
- "1.1.1.1"
- "1.0.0.1"
- "9.9.9.9"
- "208.67.222.222"
- "208.67.220.220"
- ];
+ dns = "systemd-resolved";
 };
 }
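Review bot: The added `udp dport domain-s counter accept` rule opens UDP/853, which DNS over TLS never uses — DoT is TCP-only, and UDP/853 is DNS over QUIC, which the `DNSOverTLS=yes` setting introduced in services/resolved.nix does not enable — so the rule is broader than this change needs; keeping only `tcp dport domain-s counter accept` is enough, here and in eligos/nftables-rules.nft, which adds the same pair. The plaintext `udp dport domain counter accept` rule above it is left in place; once resolved runs in strict DoT mode the host should no longer need port 53 for its own lookups, so it is worth checking whether anything else (e.g. the dnsmasq import this commit removes from daeva/configuration.nix) still relies on it before narrowing. The chain these rules belong to starts outside the hunk, so whether this is an input or an output policy cannot be told from the visible lines.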
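Review bot: The removed `dns = "none";` carried a comment explaining why NetworkManager was kept out of DNS; the replacement `dns = "systemd-resolved";` has none, and it does something different from what the commit message describes — with this backend NetworkManager presumably still hands DHCP-learned nameservers to resolved as per-link DNS, rather than the host using only the configured list. Under strict `DNSOverTLS=yes` any such server that does not speak DoT would fail rather than be used in plaintext, which is the safe failure mode but may surface as resolution problems on that link; confirm which servers resolved actually received with `resolvectl status`. A comment on the new line should state the intent, e.g. `# hand per-link resolvers to systemd-resolved; /etc/resolv.conf is managed by resolved, not NetworkManager`.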
diff --git a/services/resolved.nix b/services/resolved.nix
new file mode 100644
index 0000000..49021c4
--- /dev/null
+++ b/services/resolved.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ services.resolved = {
+ enable = true;
+ domains = [];
+ fallbackDns = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ "2620:fe::fe#quad9.net"
+ "2620:fe::9#quad9.net"
+ ];
+ extraConfig = ''
+ DNSOverTLS=yes
+ '';
+ };
+}
diff --git a/system/networking.nix b/system/networking.nix
index 0d7afbe..cb37897 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,4 +1,17 @@
 { config, ... }:
 {
- networking.networkmanager.enable = true;
+ networking = {
+ nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ "2606:4700:4700::1111#one.one.one.one"
+ "2606:4700:4700::1001#one.one.one.one"
+ "2620:fe::fe#quad9.net"
+ "2620:fe::9#quad9.net"
+ ];
+ networkmanager.enable = true;
+ };
 }
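Review bot: `fallbackDns` repeats, entry for entry, the list this same commit puts into `networking.nameservers` in system/networking.nix, so the two will drift the next time one is edited, and a fallback identical to the primary list adds no resilience; `config` is already in this file's argument set, so `fallbackDns = config.networking.nameservers;` keeps them in lock-step, or the option can be dropped since resolved only consults it when no other DNS server is configured at all. The Quad9 entries are also inconsistent across address families in both lists: IPv4 uses `#dns.quad9.net` while IPv6 uses `#quad9.net`, and with `DNSOverTLS=yes` the name after `#` is what resolved validates the server certificate against, so the IPv6 entries should use the same name unless the certificate is known to cover the shorter one. `DNSOverTLS=yes` deserves a one-line comment stating that this is strict mode (no fallback to plaintext), e.g. `# strict DoT: resolved refuses to query any server it cannot reach over TLS`, because that property is what the rest of the change (DoT-capable servers only, port 853 in the firewall) depends on.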
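Review bot: The `#hostname` suffix on each `networking.nameservers` entry is systemd-resolved's server-name syntax (the TLS name checked in strict DoT mode), which a plain resolv.conf consumer would presumably not understand, so this list only works while resolved is the DNS backend selected in services/networkmanager.nix; a comment should record that coupling, e.g. `# "addr#name": name is the DoT certificate name checked by systemd-resolved; list only DoT-capable servers`. `networkmanager.enable = true` is now set both here and in services/networkmanager.nix; the module system merges the identical values, but one copy is enough and the duplicate hides where the setting really lives.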