boot: Enable resolved/DNS-over-TLS

kilgharrah: Install libdvdcss
flake.lock: Update
2025-06-25 01:14:54 +01:00 · 2025-06-25 01:14:11 +01:00 · 2025-06-24 22:11:48 +01:00 · 2025-06-24 22:09:34 +01:00
5 changed files with 101 additions and 140 deletions
--- a/common/boot.nix
+++ b/common/boot.nix
@ -10,4 +10,13 @@ in
    systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true;
    efi.canTouchEfiVariables = true;
  };
+
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ ];
+    dnsovertls = "true";
+    extraConfig = ''
+      DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
+    '';
+  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1747575206,
-        "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
+        "lastModified": 1750173260,
+        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
        "type": "github"
      },
      "original": {
@ -34,11 +34,11 @@
        "stable": []
      },
      "locked": {
-        "lastModified": 1749409980,
-        "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=",
+        "lastModified": 1749739748,
+        "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "58f1beb074881d7208def140af71b7864b6139e0",
+        "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b",
        "type": "github"
      },
      "original": {
@ -55,11 +55,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1749441800,
-        "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=",
+        "lastModified": 1750737804,
+        "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb",
+        "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095",
        "type": "gitlab"
      },
      "original": {
@ -143,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749154018,
-        "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=",
+        "lastModified": 1750792728,
+        "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111",
+        "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
        "type": "github"
      },
      "original": {
@ -164,11 +164,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1749483884,
-        "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=",
+        "lastModified": 1750798083,
+        "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "74d196c9943a67908d1883f61154e594d03863e5",
+        "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82",
        "type": "github"
      },
      "original": {
@ -180,15 +180,15 @@
    "lix": {
      "flake": false,
      "locked": {
-        "lastModified": 1746827285,
-        "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=",
-        "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a",
+        "lastModified": 1750762203,
+        "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=",
+        "rev": "38b358ce27203f972faa2973cf44ba80c758f46e",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz"
      }
    },
    "lix-module": {
@ -201,24 +201,24 @@
        ]
      },
      "locked": {
-        "lastModified": 1746838955,
-        "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=",
-        "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc",
+        "lastModified": 1750776670,
+        "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=",
+        "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3",
        "type": "tarball",
-        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc"
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3"
      },
      "original": {
        "type": "tarball",
-        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"
+        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1749237914,
-        "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=",
+        "lastModified": 1750622754,
+        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265",
+        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
        "type": "github"
      },
      "original": {
@ -245,11 +245,11 @@
    },
    "nixpkgs-small": {
      "locked": {
-        "lastModified": 1749330319,
-        "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=",
+        "lastModified": 1750784235,
+        "narHash": "sha256-IYCCkKerO3lMUcMaDRLfwnfyPopQbGWF8iHRd0XcCBc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2b41bf05854399433a852b438bb5392dc56cbaba",
+        "rev": "a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd",
        "type": "github"
      },
      "original": {
@ -261,11 +261,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1749285348,
-        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+        "lastModified": 1750506804,
+        "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+        "rev": "4206c4cb56751df534751b058295ea61357bbbaa",
        "type": "github"
      },
      "original": {
@ -277,11 +277,11 @@
    },
    "nixpkgs-unstable-small": {
      "locked": {
-        "lastModified": 1749411262,
-        "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=",
+        "lastModified": 1750776346,
+        "narHash": "sha256-sWw7gz2B02fHQkmPSutVcoawLuiPT0hpztL0ldCnIy0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29",
+        "rev": "4396a137499b6cc9f9fe9f3c266577bd52d455a4",
        "type": "github"
      },
      "original": {
@ -317,11 +317,11 @@
    "randomcat": {
      "flake": false,
      "locked": {
-        "lastModified": 1749435035,
-        "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=",
+        "lastModified": 1750730821,
+        "narHash": "sha256-U5uW9mRSuA2dRaOyswmz2I0fUVQbGRSZROXIe2WKS+8=",
        "owner": "randomnetcat",
        "repo": "nix-configs",
-        "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377",
+        "rev": "1a2a536f5550c3b323e19f46d166340ad01745fd",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -7,7 +7,7 @@

    lix-module = {
      # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39
-      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz";
+      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };

--- a/hosts/kilgharrah/hardware.nix
+++ b/hosts/kilgharrah/hardware.nix
@ -38,6 +38,7 @@
        withBDplus = true;
      });
    }).overrideAttrs (originalAttrs: {
+      buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ];
      # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk
      # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified
      nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ];
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
@ -1,115 +1,66 @@
 { config, lib, pkgs, ... }:

 {
-  networking.nat.enable = true;
-  networking.nat.enableIPv6 = true;
-  networking.nat.internalInterfaces = [ "ve-pennykettle" ];
-  networking.nat.externalInterface = "ens3";
-  networking.nat.forwardPorts = [
-    {
-      sourcePort = 51820;
-      destination = "10.231.136.2:51820";
-      proto = "udp";
-    }
-    {
-      sourcePort = 51820;
-      destination = "[fc00::2]:51820";
-      proto = "udp";
-    }
-  ];
  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ];

-  containers."pennykettle" = {
-    privateNetwork = true;
-    extraVeths."ve-pennykettle" = {
-      hostAddress = "10.231.136.1";
-      localAddress = "10.231.136.2";
-      hostAddress6 = "fc00::1";
-      localAddress6 = "fc00::2";
-    };
-    ephemeral = true;
-    autoStart = true;
-    bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path;
-
-    config = { config, pkgs, ... }: {
-      system.stateVersion = "24.05";
-      systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
-      environment.systemPackages = [ pkgs.wireguard-tools ];
-
-      networking.useDHCP = false;
-      networking.useHostResolvConf = false;
-      networking.firewall.allowedUDPPorts = [ 51820 ];
-      systemd.network = {
-        enable = true;
-
-        networks."10-ve-pennykettle" = {
-          matchConfig.Name = "ve-pennykettle";
-          networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
-          linkConfig.RequiredForOnline = "yes";
-          routes = [{
-            Gateway = [ "10.231.136.1" "fc00::1" ];
-            Destination = "217.138.216.162";
-          }];
-        };
-
-        networks."30-wg-protonvpn" = {
-          matchConfig.Name = "wg-protonvpn";
-          networkConfig = {
-            Address = [ "10.2.0.2/32" ];
-            DNS = "10.2.0.1";
-          };
-          linkConfig = {
-            RequiredForOnline = "yes";
-            ActivationPolicy = "always-up";
-          };
-          routes = [
-            { Gateway = [ "0.0.0.0" ]; }
-            { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons
-          ];
-        };
-
-        netdevs."30-wg-protonvpn" = {
-          netdevConfig = {
-            Name = "wg-protonvpn";
-            Kind = "wireguard";
-            Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
-          };
-          wireguardConfig = {
-            ListenPort = 51820;
-            PrivateKeyFile = "/run/secrets/wg-key";
-          };
-          wireguardPeers = [{
-            PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
-            AllowedIPs = [ "0.0.0.0/0" "::/0" ];
-            Endpoint = "217.138.216.162:51820";
-            PersistentKeepalive = 5;
-          }];
-        };
-      };
-
-      networking.nat.enable = true;
-      networking.nat.enableIPv6 = true;
-      networking.nat.internalInterfaces = [ "ve-pennykettle" ];
-      networking.nat.externalInterface = "wg-protonvpn";
-    };
+  environment.systemPackages = [ pkgs.wireguard-tools ];
+  networking.wireguard.interfaces."wg-protonvpn" = {
+    ips = [ "10.2.0.2/32" ];
+    peers = [{
+      allowedIPs = [ "0.0.0.0/0" "::/0" ];
+      endpoint = "217.138.216.162:51820";
+      publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+    }];
+    privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path;
+    listenPort = 51820;
+    table = "957851094"; # randomly generated
  };

-  age.secrets.protonvpn-pennykettle = {
+  networking.localCommands = ''
+    ip rule add from 10.2.0.2/32 table 957851094
+  '';
+  networking.firewall.checkReversePath = "loose";
+
+  age.secrets.protonvpn-pennykettle1 = {
    file = ../../../secrets/protonvpn-pennykettle1.age;
    owner = "root";
    group = "systemd-network";
    mode = "640";
  };

-  # TODO: password-protect the proxy instead of relying on only listening over Tailscale
-  services.microsocks = {
+  services.dante = {
    enable = true;
-    port = 1080;
-    ip = "::";
-    outgoingBindIp = "fc00::2";
-    # authUsername = "testusername123";
-    # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse";
-    # execWrapper = "${lib.getExe pkgs.strace}";
+    config = ''
+      debug: 2
+      internal: tailscale0
+      external: wg-protonvpn
+
+      # auth/tls handled by tailscale
+      clientmethod: none
+      socksmethod: none
+
+      # allow connections from tailscale
+      # "0/0" matches any v4 or v6 address
+      client pass {
+        from: 100.64.0.0/10 to: 0/0
+        log: error connect disconnect
+      }
+      client pass {
+        from: fd7a:115c:a1e0::/48 to: 0/0
+        log: error connect disconnect
+      }
+
+      socks pass {
+        from: 0/0 to: 0/0
+        protocol: tcp udp
+        log: error connect disconnect iooperation
+      }
+    '';
+  };
+
+  systemd.services.dante = {
+    wants = [ "tailscaled-autoconnect.service" ];
+    after = [ "tailscaled-autoconnect.service" ];
  };
-  networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ];
 }
Author	SHA1	Message	Date
Katherina Walshe-Grey	fa61c1523b	boot: Enable resolved/DNS-over-TLS	2025-06-25 01:14:54 +01:00
Katherina Walshe-Grey	094812e6f1	kilgharrah: Install libdvdcss	2025-06-25 01:14:11 +01:00
Katherina Walshe-Grey	43273d4689	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/4835b1dc898959d8547a871ef484930675cb47f1' (2025-05-18) → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf' (2025-06-17) • Updated input 'colmena': 'github:zhaofengli/colmena/58f1beb074881d7208def140af71b7864b6139e0' (2025-06-08) → 'github:zhaofengli/colmena/c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b' (2025-06-12) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/fe13e6abfe72b39ad8381595c3c404849330c3cb?dir=pkgs/firefox-addons' (2025-06-09) → 'gitlab:rycee/nur-expressions/aaaf4fec792bad465ea4a35c0be5bc2a54f33095?dir=pkgs/firefox-addons' (2025-06-24) • Updated input 'home-manager': 'github:nix-community/home-manager/7aae0ee71a17b19708b93b3ed448a1a0952bf111' (2025-06-05) → 'github:nix-community/home-manager/366f00797b1efb70f2882d3da485e3c10fd3d557' (2025-06-24) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/74d196c9943a67908d1883f61154e594d03863e5' (2025-06-09) → 'github:nix-community/home-manager/ff31a4677c1a8ae506aa7e003a3dba08cb203f82' (2025-06-24) • Updated input 'lix-module': 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?narHash=sha256-11R4K3iAx4tLXjUs%2BhQ5K90JwDABD/XHhsM9nkeS5N8%3D&rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc' (2025-05-10) → 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?narHash=sha256-EfA5K5EZAnspmraJrXQlziffVpaT%2BQDBiE6yKmuaNNQ%3D&rev=c3c78a32273e89d28367d8605a4c880f0b6607e3' (2025-06-24) • Updated input 'lix-module/lix': 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?narHash=sha256-hsFe4Tsqqg4l%2BFfQWphDtjC79WzNCZbEFhHI8j2KJzw%3D&rev=47aad376c87e2e65967f17099277428e4b3f8e5a' (2025-05-09) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?narHash=sha256-LmQhjQ7c%2BAOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw%3D&rev=38b358ce27203f972faa2973cf44ba80c758f46e' (2025-06-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265' (2025-06-06) → 'github:NixOS/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/2b41bf05854399433a852b438bb5392dc56cbaba' (2025-06-07) → 'github:NixOS/nixpkgs/a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd' (2025-06-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f' (2025-06-07) → 'github:NixOS/nixpkgs/4206c4cb56751df534751b058295ea61357bbbaa' (2025-06-21) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/0fc422d6c394191338c9d6a05786c63fc52a0f29' (2025-06-08) → 'github:NixOS/nixpkgs/4396a137499b6cc9f9fe9f3c266577bd52d455a4' (2025-06-24) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/3cc561e5c7c463785f0e79a518572afaa74c8377' (2025-06-09) → 'github:randomnetcat/nix-configs/1a2a536f5550c3b323e19f46d166340ad01745fd' (2025-06-24)	2025-06-24 22:11:48 +01:00
Katherina Walshe-Grey	3c058d9b9a	yevaud/pennykettle: Rewrite from scratch without networkd or microsocks	2025-06-24 22:09:34 +01:00