Commit Graph

67 Commits

Author SHA1 Message Date
df0ade9319 docs: dns/BIND: show how to invoke the service manually 2025-01-13 21:23:14 +00:00
fc8a6a2144 BIND: disable IPv6
this makes it work (more reliably, at least) inside sane-vpn
2024-12-30 08:17:07 +00:00
acd20e23d9 common: net: switch DNS resolver from unbound to BIND 2024-12-30 07:29:01 +00:00
424f61f782 WIP: enable BIND DNS recursive resolver 2024-12-30 03:15:42 +00:00
bd54291925 networkmanager patch: update the GH patch 2024-12-19 22:57:08 +00:00
f46b0ec73e common/net: unbound: configure to serve expired records
anecdotally, this seems to aid with the networking blips i see, where hosts are marked down in the infra-cache?
2024-12-05 06:32:21 +00:00
253a9ecc7e common/net/dns/unbound: enable DNS prefetch 2024-12-04 09:24:25 +00:00
716aa4be33 doc: common/net/dns/unbound: cleanup the explanations for why i set what i do 2024-12-04 09:24:07 +00:00
3fcf3bca8a unbound: fix up to better handle network blips
the notes here are not all up-to-date. but the new config is better than the old, which could have failed DNS for 900s post-boot
2024-12-04 04:32:26 +00:00
192771c99f hosts/common: dns: cleanup hickory-dns file 2024-12-03 23:28:47 +00:00
6af6768160 unbound: fix NTP/DNS circular dependency by disabling DNSSEC for pool.ntp.org. 2024-12-03 23:28:16 +00:00
4de9fcc09a refactor: hosts/common/dns: split into separate files 2024-12-03 21:13:50 +00:00
5c69765759 unbound-dns: tweak options to avoid connectivity issues
seems lots of unbound config options combine to create bad effects: best to leave as much as possible defaulted
2024-12-03 21:07:41 +00:00
c950d286d4 net: unbound: remove negative caching for better stability
else sometimes addresses are unresolvable at early boot, and never become reachable again
2024-12-03 17:42:48 +00:00
c30929e1a6 servo: switch to unbound for local DNS provider 2024-11-10 05:53:17 +00:00
0888c9e994 networkmanager: fix dbus UID check so that nmcli/etc can connect when the service is running as dedicated user 2024-10-18 01:20:43 +00:00
0c85d73466 networkmanager: improve sandboxing 2024-10-17 07:02:55 +00:00
8e9800c4e4 networkmanager: disable /etc/resolv.conf management when unbound is enabled 2024-10-17 05:40:21 +00:00
7795a3f6aa dns: disable DNSSEC to avoid circular dependency with NTP 2024-10-06 13:00:12 +00:00
6647223523 dns: replace local recursive resolver with unbound
this affects lappy, moby AND desko, but not servo (yet)
2024-10-04 17:44:30 +00:00
9d83f4cbf7 NetworkManager: reduce hardening options which broke IPv6 link-local addressing
'ip -6 addr' should show an address even on networks which aren't
routable. /proc or /sys sandboxing was preventing this (with error messages logged to syslog).
2024-09-01 23:13:30 +00:00
0419e50cc3 upnp: fix rpfilter to support IPv6, too 2024-09-01 21:21:57 +00:00
942ca82445 assorted: hosts/common: remove unused module parameters 2024-09-01 15:49:15 +00:00
d4290588bf rename: trust-dns -> hickory-dns 2024-08-12 01:23:39 +00:00
d39459d8b5 NetworkManager: tighten the systemd sandboxing 2024-08-11 22:54:47 +00:00
4d5e60756b modemmanager: make its capabilities more obvious 2024-08-11 22:54:41 +00:00
2197951e12 NetworkManager-dispatcher: cleanup an ordering cycle between it and trust-dns-localhost 2024-08-02 00:36:54 +00:00
3d91fa2475 systemd.networkd: disable the wait-online service
it blocks boot like an idiot
2024-07-26 14:01:31 +00:00
0460a419c5 sane-vpn: use DHCP DNS servers when user specifies none -- instead of 1.1.1.1 2024-07-24 03:05:37 +00:00
e355a4b2eb assorted: remove no-longer-needed sanebox PATH fixes 2024-07-16 07:24:56 +00:00
924a6c812c all/net: disable "predictable" interface names 2024-07-13 08:29:48 +00:00
3969fd484b networkmanager: 1.48.0 -> 1.48.2 (unpin) 2024-07-13 05:00:43 +00:00
b7c86d5867 mmcli: sandbox 2024-07-06 18:49:18 +00:00
8b7ed2cdd4 avahi: fix NSS integrations
now moby can access its own gps-share instance at moby.local, from geoclue.service. lappy can access that too.
2024-06-27 23:57:36 +00:00
f54f1c57bc avahi: integrate with nss
now i can resolve .local hosts, via glibc, e.g. 'getent hosts <host>.local'
2024-06-27 06:18:48 +00:00
394259fe21 modemmanager: harden systemd service 2024-06-03 16:41:51 +00:00
8c256c629b networkmanager: harden further with NoNewPrivileges and PrivateTmp 2024-06-03 16:23:22 +00:00
0e2d86ac96 NetworkManager-dispatcher: note why we can't use DynamicUser 2024-06-03 15:57:41 +00:00
e2a1e6730d NetworkManager-dispatcher: harden systemd service 2024-06-03 15:44:22 +00:00
a1e923f999 networkmanager: tighten ProtectSystem to "strict" 2024-06-03 15:10:14 +00:00
09333c992c wpa_supplicant: harden systemd service 2024-06-03 15:09:32 +00:00
80eb385c64 networkmanager: restrict service (using systemd options) 2024-06-03 14:27:00 +00:00
f6725f60b9 networkmanager: re-introduce my polkit patches 2024-06-03 13:04:48 +00:00
42fed64b75 NetworkManager: split specific config options out of my main net/default.nix file 2024-06-03 11:24:38 +00:00
682143d47f NetworkManager: 1.46.0 -> 1.48.0
mostly so i can review the PR and get this update mainlined sooner :)
2024-06-03 11:23:33 +00:00
9d109644b7 nixpkgs: 2024-06-01 -> 2024-06-03; sops-nix -> 2024-06-02
```
• Updated input 'nixpkgs-next-unpatched':
    'github:nixos/nixpkgs/f7de25c01e4c073c06e0525226a0c2311d530cee' (2024-06-01)
  → 'github:nixos/nixpkgs/c987c730bbf2121264ebd68921b443db5bb28543' (2024-06-03)
• Updated input 'nixpkgs-unpatched':
    'github:nixos/nixpkgs/61c1d282153dbfcb5fe413c228d172d0fe7c2a7e' (2024-06-01)
  → 'github:nixos/nixpkgs/77a51024c0f953d503eb3ed364aa4bff378649f8' (2024-06-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/962797a8d7f15ed7033031731d0bb77244839960' (2024-05-26)
  → 'github:Mic92/sops-nix/ab2a43b0d21d1d37d4d5726a892f714eaeb4b075' (2024-06-02)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/59a450646ec8ee0397f5fa54a08573e8240eb91f' (2024-05-25)
  → 'github:NixOS/nixpkgs/3b1b4895b2c5f9f5544d02132896aeb9ceea77bc' (2024-06-01)
```
2024-06-03 05:31:28 +00:00
e4bcbab224 hosts: networking: switch to using nixos NetworkManager/ModemManager/etc, just patched for hardening 2024-06-02 11:22:03 +00:00
452543e6f3 fix rescue host build 2024-05-31 10:37:03 +00:00
b1c7061b21 vpn: fix typos from previous 2 commits 2024-05-26 14:26:47 +00:00
002639cc76 ovpn: use a single key per-device
this should fix the traffic collisions i'm seeing with the existing setup
2024-05-26 14:04:52 +00:00