{ config, pkgs, lib, hostName, ... }:
-let
- wg-intra-peers = import wireguard/wg-intra/peers.nix;
-in
+with lib;
{
-networking = {
- hostName = hostName;
- domain = lib.mkDefault "localdomain";
- #search = [ "sourcephile.fr" ];
- firewall = {
- enable = lib.mkDefault true;
- allowPing = lib.mkDefault true;
+ imports = [
+ networking/nftables.nix
+ ];
+
+ boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
};
- networkmanager = {
- enable = lib.mkDefault config.services.xserver.enable;
- #dhcp = "dhcpcd";
- logLevel = lib.mkDefault "INFO";
- wifi = {
- #backend = "iwd";
- #backend = "wpa_supplicant";
- powersave = lib.mkDefault false;
+
+ networking = {
+ inherit hostName;
+ domain = mkDefault "wg";
+ #search = [ "sourcephile.fr" ];
+ firewall = {
+ enable = mkDefault true;
+ allowPing = mkDefault true;
};
+ networkmanager = {
+ enable = mkDefault config.services.xserver.enable;
+ #dhcp = "dhcpcd";
+ logLevel = mkDefault "INFO";
+ wifi = {
+ #backend = "iwd";
+ #backend = "wpa_supplicant";
+ powersave = mkDefault false;
+ };
+ };
+ usePredictableInterfaceNames = true;
};
- usePredictableInterfaceNames = true;
-};
-programs.mtr.enable = true;
-programs.usbtop.enable = true;
+ programs.mtr.enable = true;
+ programs.traceroute.enable = mkDefault true;
+ programs.usbtop.enable = true;
-services.avahi = {
- enable = lib.mkDefault true;
- nssmdns = lib.mkDefault true;
- openFirewall = lib.mkDefault false;
- publish.enable = lib.mkDefault false;
-};
-networking.nftables.ruleset = lib.mkIf config.services.avahi.enable (''
- add rule inet filter fw2lan skuid root udp sport 5353 udp dport 5353
-'' + lib.optionalString config.services.avahi.openFirewall ''
- add rule inet filter lan2fw udp dport 5353 comment "Avahi"
-'');
+ services.avahi = {
+ nssmdns = mkDefault true;
+ openFirewall = mkDefault false;
+ publish.enable = mkDefault false;
+ };
+ networking.nftables.ruleset = mkIf config.services.avahi.enable (''
+ table inet filter {
+ chain output-lan {
+ skuid root udp sport mdns udp dport mdns comment "avahi: multicast DNS"
+ }
+ }
+ '' + optionalString config.services.avahi.openFirewall ''
+ table inet filter {
+ chain input-lan {
+ udp dport mdns comment "avahi: multicast DNS"
+ }
+ }
+ '');
-services.openssh = {
- enable = lib.mkDefault true;
- forwardX11 = lib.mkDefault true;
- openFirewall = lib.mkDefault false;
- listenAddresses = [
- { addr = wg-intra-peers.${hostName}.ipv4; port = 22; }
- ];
-};
-networking.firewall.extraCommands = lib.mkIf config.services.openssh.enable ''
- ip46tables -A nixos-fw -i wg-intra -p tcp -m tcp --dport 22 -j ACCEPT
-'';
-systemd.services.sshd.after = ["wireguard-wg-intra.service"];
+ services.openssh = {
+ enable = mkDefault true;
+ settings.X11Forwarding = mkDefault true;
+ openFirewall = mkDefault false;
+ };
+
+ # Fix https://github.com/NixOS/nixpkgs/issues/180175 by removing -s (aka. --wait-for-startup)
+ systemd.services.NetworkManager-wait-online = {
+ unitConfig.StartLimitIntervalSec = 0;
+ serviceConfig = {
+ ExecStart = [ "" "${pkgs.networkmanager}/bin/nm-online -q" ];
+ Restart = "on-failure";
+ RestartSec = 1;
+ };
+ };
+ environment.etc."NetworkManager/dispatcher.d/congctl" = {
+ mode = "700";
+ source = pkgs.writeShellScript "congctl" ''
+ case $NM_DISPATCHER_ACTION in
+ up)
+ case $DEVICE_IP_IFACE in
+ # WLAN or WWAN
+ # https://en.wikipedia.org/wiki/TCP_congestion_control#TCP_Westwood+
+ wl*|ww*)
+ ip route show dev $DEVICE_IP_IFACE |
+ while read -r route; do
+ ip route change $route dev $DEVICE_IP_IFACE congctl westwood
+ done
+ ;;
+ esac
+ ;;
+ esac
+ '';
+ };
}
sourcephile / git / julm / julm-nix.git / blobdiff