57 lines
1.4 KiB
Nix
57 lines
1.4 KiB
Nix
{ pkgs, ... }:
|
|
{
|
|
# Enable networking and bluetooth
|
|
networking = {
|
|
hostName = "surface";
|
|
networkmanager = {
|
|
enable = true;
|
|
wifi.macAddress = "random";
|
|
};
|
|
};
|
|
systemd.services.NetworkManager-wait-online.enable = false; #disable wait online since it is broken
|
|
hardware.bluetooth.enable = true;
|
|
|
|
# Enable encrypted DNS
|
|
services.dnscrypt-proxy2 = {
|
|
enable = true;
|
|
settings = {
|
|
ipv6_servers = true;
|
|
require_dnssec = true;
|
|
};
|
|
};
|
|
systemd.services.dnscrypt-proxy2.serviceConfig = {
|
|
StateDirectory = "dnscrypt-proxy";
|
|
};
|
|
|
|
# Enable mullvad vpn
|
|
services.mullvad-vpn.package = pkgs.mullvad-vpn;
|
|
services.mullvad-vpn.enable = true;
|
|
|
|
# Enable tailscale
|
|
services.tailscale.enable = true;
|
|
|
|
# exclude tailscale IPs from mullvad routing
|
|
networking.nftables = {
|
|
enable = true;
|
|
ruleset = ''
|
|
define TAILNET_DNS = {
|
|
100.100.100.100,
|
|
9.9.9.9
|
|
}
|
|
define TAILNET_IPV4 = {
|
|
100.64.0.0/10
|
|
}
|
|
define TAILNET_IPV6 = {
|
|
fd7a:115c:a1e0::/48
|
|
}
|
|
table inet excludeTraffic {
|
|
chain excludeDns {
|
|
type filter hook output priority -10; policy accept;
|
|
ip daddr $TAILNET_DNS udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
|
|
ip daddr $TAILNET_DNS tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
|
|
}
|
|
}
|
|
'';
|
|
};
|
|
}
|