# networking defaults shared by every host that imports this module:
# pulls in the per-feature network modules, switches to systemd-networkd,
# and sets the firewall logging and forwarding knobs in one place.
{ lib, ... }:
{
  imports = [
    ./dns.nix
    ./hostnames.nix
    ./modemmanager.nix
    ./networkmanager.nix
    ./upnp.nix
    ./vpn.nix
  ];

  systemd.network.enable = true;

  networking = {
    useNetworkd = true;

    firewall = {
      # refused/dropped packets land in the kernel log; read them with: `sudo journalctl -k`
      # logRefusedPackets = true;
      # logRefusedUnicastsOnly = false;
      logReversePathDrops = true;

      # rpfilter: linux drops an inbound packet when it decides the reply to that
      # packet would not leave via the interface the packet arrived on.
      # that heuristic fails for complicated VPN-style routing, especially with SNAT.
      # the same check is what rejects packets carrying a spoofed source address,
      # so `false` gives that up entirely; "loose" keeps part of it.
      # with logReversePathDrops set above, such drops can be confirmed in the
      # kernel log before relaxing anything.
      # checkReversePath = false;  # or "loose" to keep it partially.

      # debugging aid only: with this uncommented the host has no packet filter at all.
      # enable = false;  #< set false to debug
    };
  };

  boot.kernel.sysctl = {
    # needed to forward packets from the VPN to the host.
    # required separately by servo and by any `sane-vpn` users, but Nix wants
    # the value set centrally, in exactly one location (i.e. here).
    # NOTE(review): this sysctl is global for IPv4, not per-interface, so every
    # host importing this module has forwarding enabled; the rules that limit
    # which traffic is actually forwarded are not visible in this file; confirm
    # they exist in ./vpn.nix or wherever the VPN routing is defined.
    "net.ipv4.ip_forward" = 1;
  };
}