{ config, pkgs, lib, hostName, ... }:
-let
- wg-intra-peers = import wireguard/wg-intra/peers.nix;
-in
+with lib;
{
-networking = {
- hostName = hostName;
- domain = lib.mkDefault "localdomain";
- search = [ "sourcephile.fr" ];
- firewall = {
- enable = lib.mkDefault true;
- allowPing = lib.mkDefault true;
+ imports = [
+ networking/nftables.nix
+ ];
+
+ boot.kernel.sysctl = {
+ # Improve MTU detection
+ # This can thaw TCP connections stalled by a host
+ # requiring a lower MTU along the path,
+ # though it would do so after a little delay
+ # so it's better to set a low MTU when possible.
+ "net/ipv4/tcp_mtu_probing" = 1;
};
-};
-programs.mtr.enable = true;
+ networking = {
+ inherit hostName;
+ domain = mkDefault "wg";
+ #search = [ "sourcephile.fr" ];
+ firewall = {
+ enable = mkDefault true;
+ allowPing = mkDefault true;
+ };
+ networkmanager = {
+ enable = mkDefault config.services.xserver.enable;
+ #dhcp = "dhcpcd";
+ logLevel = mkDefault "INFO";
+ wifi = {
+ #backend = "iwd";
+ #backend = "wpa_supplicant";
+ powersave = mkDefault false;
+ };
+ };
+ usePredictableInterfaceNames = true;
+ };
-services.avahi = {
- enable = lib.mkDefault true;
- nssmdns = lib.mkDefault true;
- openFirewall = lib.mkDefault false;
- publish.enable = lib.mkDefault false;
-};
+ programs.mtr.enable = true;
+ programs.traceroute.enable = mkDefault true;
+ programs.usbtop.enable = true;
-services.openssh = {
- forwardX11 = lib.mkDefault true;
- openFirewall = true;
- listenAddresses = [
- { addr = wg-intra-peers.${hostName}.ipv4; port = 22; }
- ];
-};
+ services.avahi = {
+ nssmdns = mkDefault true;
+ openFirewall = mkDefault false;
+ publish.enable = mkDefault false;
+ };
+ networking.nftables.ruleset = mkIf config.services.avahi.enable (''
+ table inet filter {
+ chain output-lan {
+ skuid root udp sport mdns udp dport mdns comment "avahi: multicast DNS"
+ }
+ }
+ '' + optionalString config.services.avahi.openFirewall ''
+ table inet filter {
+ chain input-lan {
+ udp dport mdns comment "avahi: multicast DNS"
+ }
+ }
+ '');
+
+ services.openssh = {
+ enable = mkDefault true;
+ forwardX11 = mkDefault true;
+ openFirewall = mkDefault false;
+ };
+
+ environment.etc."NetworkManager/dispatcher.d/congctl" = {
+ mode = "700";
+ source = pkgs.writeShellScript "congctl" ''
+ case $NM_DISPATCHER_ACTION in
+ up)
+ case $DEVICE_IP_IFACE in
+ # WLAN or WWAN
+ # https://en.wikipedia.org/wiki/TCP_congestion_control#TCP_Westwood+
+ wl*|ww*)
+ ip route show dev $DEVICE_IP_IFACE |
+ while read -r route; do
+ ip route change $route dev $DEVICE_IP_IFACE congctl westwood
+ done
+ ;;
+ esac
+ ;;
+ esac
+ '';
+ };
}