author | Jasper Ras <jras@hostnet.nl> | 2024-11-16 17:39:20 +0100 |
---|---|---|
committer | Jasper Ras <jras@hostnet.nl> | 2024-11-16 17:39:20 +0100 |
commit | 8e35c1a52d69fc6919e1e437bb540948a19d0468 (patch) | |
tree | 0153884c8c82e1d459045c708ef116942ba94d17 /hosts/work.nix | |
parent | 963a6fc9d4cd39b63848a7988fd0f229757cd623 (diff) |
use systemd-resolved and set up ghostnet dns
Diffstat (limited to 'hosts/work.nix')
-rw-r--r-- | hosts/work.nix | 149 |
1 files changed, 84 insertions, 65 deletions
diff --git a/hosts/work.nix b/hosts/work.nix
index ede4ffb..9f2f08d 100644
--- a/hosts/work.nix
+++ b/hosts/work.nix
@@ -19,8 +19,11 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- networking.hostName = "work"; # Define your hostname.
+ networking.hostName = "work";
 networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+ networking.firewall.allowedTCPPorts = [];
 time.timeZone = "Europe/Amsterdam";
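Review bot: `networking.firewall.allowedTCPPorts = [];` does not close port 22, because `services.openssh.enable = true` in the next hunk opens the firewall on its own through NixOS's `services.openssh.openFirewall` default, and an empty list is already this option's default, so the added line changes nothing. On a NetworkManager laptop that roams between networks an sshd reachable on every interface deserves an explicit decision: either `services.openssh.openFirewall = false;` or a comment beside this line, e.g. `# intentionally empty; sshd opens 22 itself via openFirewall`, so nobody reads the empty list as "nothing listens". The `#one.one.one.one` suffix on the nameservers is what the strict `dnsovertls = "true"` in the next hunk validates the certificate against; a comment `# the #hostname suffix is required for certificate validation under strict DNS-over-TLS` would keep a later edit from dropping it.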
@@ -37,83 +40,99 @@
 LC_TIME = "nl_NL.UTF-8";
 };
- programs = {
- update-systemd-resolved.servers.ghostnet.includeAutomatically = true;
+ services.openssh.enable = true;
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
 };
- services = {
- openssh.enable = true;
- openvpn.servers = {
- ghostnet = {
- config = ''
- client
- remote 185.57.9.6 1194
- cert ${config.age.secrets.ghostnet-cert.path}
- key ${config.age.secrets.ghostnet-key.path}
- ca ${config.age.secrets.ghostnet-ca.path}
- auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
- reneg-sec 0
- cipher AES-256-CBC
- comp-lzo adaptive
- dev tun
- proto udp
- remote-cert-tls server
- tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
- nobind
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- user nm-openvpn
- group nm-openvpn
- '';
- updateResolvConf = false;
- };
- systems = {
- config = ''
- client
- remote 'vpn-v2.one.com'
- cert '${config.age.secrets.systems-cert.path}'
- key '${config.age.secrets.systems-key.path}'
- ca '${config.age.secrets.systems-ca.path}'
- cipher AES-128-CBC
- comp-lzo adaptive
- dev tun
- proto udp
- port 1200
- remote-cert-tls server
- tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
- nobind
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- user nm-openvpn
- group nm-openvpn
- '';
- updateResolvConf = false;
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
 };
 };
+ };
- xserver.xkb = {
- layout = "us";
- variant = "";
- };
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+ dnsovertls = "true";
+ llmnr = "true";
+ };
+
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
 };
 users.users.jras = {
 isNormalUser = true;
 description = "Jasper Ras";
- extraGroups = [ "networkmanager" "wheel" ];
+ extraGroups = [ "networkmanager" "wheel" "docker" ];
 packages = with pkgs; [ git helix ];
 };
- home-manager = {
- useGlobalPkgs = true;
- useUserPackages = true;
- users.jras = import ../home-manager/entrypoints/work.nix;
- extraSpecialArgs = { inherit inputs; monitor-names = ["eDP-1" "HDMI-A-1"]; };
- };
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.jras = import ../home-manager/entrypoints/work.nix;
+ home-manager.extraSpecialArgs = { inherit inputs; monitor-names = ["eDP-1" "HDMI-A-1"]; };
 system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix
 } |
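Review bot: `llmnr = "true";` in the new `services.resolved` block makes resolved both an LLMNR resolver and an LLMNR responder on every link, and LLMNR is an unauthenticated, multicast name-resolution protocol that is a standard spoofing and credential-capture target on untrusted LANs; for a roaming work laptop `llmnr = "false";` (or at most `"resolve"`) is the safer default, and it sits oddly next to the VPN-link settings a few lines up, which already turn off `multicastDNS`. Adding `"docker"` to `extraGroups` gives jras root-equivalent access through the Docker socket; if that is intended, say so where it is granted, e.g. `# docker group is root-equivalent; drop it if the daemon runs rootless`. The global `dnssec = "true"` is strict validation, so resolution fails rather than degrades on networks whose resolvers strip DNSSEC records (captive portals, some corporate DNS), which is presumably why the ghostnet link sets `dnssec = "no"`; a one-line comment recording that reasoning would stop a later reader from "fixing" either side. Both OpenVPN profiles keep `comp-lzo adaptive` as they are moved here; compression on a tunnel carrying web traffic is the VORACLE attack surface and `comp-lzo` is deprecated upstream, so it is worth a follow-up even though this commit only relocates those lines.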