refactor(networking): split networking into modules

system/modules/networking.nix

@@ -1,21 +0,0 @@
-{ lib, config, ... }:
-
-let
-  cfg = config.systemModules.networking;
-in
-
-{
-  config = lib.mkIf cfg.enable {
-    networking.networkmanager = {
-      enable = true;
-      dns = "systemd-resolved";
-    };
-    networking.firewall.allowedTCPPorts = [57621]; # Spotify
-
-    services = {
-      resolved.enable = true;
-    };
-
-    systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
-  };
-}

system/modules/networking/default.nix

@@ -0,0 +1,30 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemModules.networking;
+  inherit (lib) mkIf mkEnableOption;
+in
+
+{
+  imports = [
+    ./firewall
+    ./tools
+    ./ssh
+    ./tcp
+    ./resolved
+  ];
+
+  options.systemModule.networking.enable = mkEnableOption "Enable networking system module";
+
+  config = mkIf cfg.enable {
+    networking.networkmanager = {
+      enable = true;
+      dns = "systemd-resolved";
+    };
+
+    systemd = {
+      network.wait-online.enable = false;
+      services.NetworkManager-wait-online.enable = false;
+    };
+  };
+}

system/modules/networking/firewall/default.nix

@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemModules.networking;
+  inherit (lib) mkIf mkEnableOption;
+in
+
+{
+  options.systemModules.networking.firewall = mkEnableOption "Enable networking firewall system modules";
+  config = mkIf cfg.firewall {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        443 # https
+        57621 # spotify
+      ];
+    };
+  };
+}

system/modules/networking/resolved/default.nix

@@ -0,0 +1,21 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemModules.networking;
+  inherit (lib) mkIf mkEnableOption;
+in
+
+{
+  options.systemModules.networking.resolved = mkEnableOption "Enable systemd resolved daemon";
+
+  config = mkIf cfg.resolved {
+    services.resolved = {
+      enable = true;
+      fallbackDns = ["9.9.9.9"];
+      # allow-downgrade is vulnerable to downgrade attacks
+      extraConfig = ''
+         DNSOverTLS=yes # or allow-downgrade
+      '';
+    };
+  };
+}

system/modules/networking/ssh/default.nix

@@ -1,18 +1,15 @@
 { lib, config, ... }:
 
 let
-  cfg = config.systemModules.openssh;
+  cfg = config.systemModules.networking;
   key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
+  inherit (lib) mkIf mkEnableOption;
 in
 
 {
-  options.systemModules = {
-    openssh = {
-      enable = lib.mkEnableOption "enable openssh system module";
-    };
-  };
+  options.systemModules.networking.ssh = mkEnableOption "Enable ssh networking module";
 
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.ssh {
     environment.sessionVariables.SSH_AUTH_SOCK = "~/.1password/agent.sock";
 
     users.users.ooks.openssh.authorizedKeys.keys = [ key ];
@@ -26,7 +23,5 @@ in
         StreamLocalBindUnlink = "yes";
       };
     };
-    
   };
-  
 }

system/modules/networking/tcp/default.nix

@@ -0,0 +1,80 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.systemModules.networking;
+  inherit (lib) mkIf mkEnableOption;
+in
+
+{
+  options.systemModules.networking.hardenTcp = mkEnableOption "Harden TCP";
+
+  config = mkIf cfg.hardenTcp {
+    boot = {
+      kernelModules = ["tls" "tcp_bbr"];
+      kernel.sysctl = {
+        # TCP hardening
+        # Prevent bogus ICMP errors from filling up logs.
+        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+        # Reverse path filtering causes the kernel to do source validation of
+        # packets received from all interfaces. This can mitigate IP spoofing.
+        "net.ipv4.conf.default.rp_filter" = 1;
+        "net.ipv4.conf.all.rp_filter" = 1;
+        # Do not accept IP source route packets (we're not a router)
+        "net.ipv4.conf.all.accept_source_route" = 0;
+        "net.ipv6.conf.all.accept_source_route" = 0;
+        # Don't send ICMP redirects (again, we're on a router)
+        "net.ipv4.conf.all.send_redirects" = 0;
+        "net.ipv4.conf.default.send_redirects" = 0;
+        # Refuse ICMP redirects (MITM mitigations)
+        "net.ipv4.conf.all.accept_redirects" = 0;
+        "net.ipv4.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.secure_redirects" = 0;
+        "net.ipv4.conf.default.secure_redirects" = 0;
+        "net.ipv6.conf.all.accept_redirects" = 0;
+        "net.ipv6.conf.default.accept_redirects" = 0;
+        # Protects against SYN flood attacks
+        "net.ipv4.tcp_syncookies" = 1;
+        # Incomplete protection again TIME-WAIT assassination
+        "net.ipv4.tcp_rfc1337" = 1;
+        # And other stuff
+        "net.ipv4.conf.all.log_martians" = true;
+        "net.ipv4.conf.default.log_martians" = true;
+        "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+        "net.ipv6.conf.default.accept_ra" = 0;
+        "net.ipv6.conf.all.accept_ra" = 0;
+        "net.ipv4.tcp_timestamps" = 0;
+
+        # TCP optimization
+        # TCP Fast Open is a TCP extension that reduces network latency by packing
+        # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+        # both incoming and outgoing connections:
+        "net.ipv4.tcp_fastopen" = 3;
+        # Bufferbloat mitigations + slight improvement in throughput & latency
+        "net.ipv4.tcp_congestion_control" = "bbr";
+        "net.core.default_qdisc" = "cake";
+
+        # Other stuff that I am too lazy to document
+        "net.core.optmem_max" = 65536;
+        "net.core.rmem_default" = 1048576;
+        "net.core.rmem_max" = 16777216;
+        "net.core.somaxconn" = 8192;
+        "net.core.wmem_default" = 1048576;
+        "net.core.wmem_max" = 16777216;
+        "net.ipv4.ip_local_port_range" = "16384 65535";
+        "net.ipv4.tcp_max_syn_backlog" = 8192;
+        "net.ipv4.tcp_max_tw_buckets" = 2000000;
+        "net.ipv4.tcp_mtu_probing" = 1;
+        "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+        "net.ipv4.tcp_slow_start_after_idle" = 0;
+        "net.ipv4.tcp_tw_reuse" = 1;
+        "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+        "net.ipv4.udp_rmem_min" = 8192;
+        "net.ipv4.udp_wmem_min" = 8192;
+        "net.netfilter.nf_conntrack_generic_timeout" = 60;
+        "net.netfilter.nf_conntrack_max" = 1048576;
+        "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+        "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+      };
+    };
+  };
+}

system/modules/networking/tools/default.nix

@@ -0,0 +1,18 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.systemModules.networking;
+  inherit (lib) mkIf mkEnableOption;
+in
+
+{
+  options.systemModules.networking.tools = mkEnableOption "Enable networking tools";
+
+  config = mkIf cfg.tools {
+    environment.systemPackages = with pkgs; [
+      traceroute
+      mtr
+      tcpdump
+    ];
+  };
+}

system/modules/security/default.nix

@@ -0,0 +1,55 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.systemModules.security;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+
+    environment.systemPackages = with pkgs; [
+      polkit_gnome
+    ];
+
+    programs = {
+      gnupg.agent = {
+        enable = true;
+        enableSSHSupport = true;
+      };
+      _1password = {
+        enable = true;
+      };
+      _1password-gui = {
+        enable = true;
+        polkitPolicyOwners = [ "ooks" ];
+      };
+    };
+    security = {
+      polkit = {
+        enable = true;
+      };
+      sudo = {
+        enable = true;
+        wheelNeedsPassword = false;
+      };
+      rtkit.enable = true;
+      pam.services.hyprlock = {};
+    };
+
+    systemd = {
+      user.services.polkit-gnome-authentication-agent-1 = {
+        description = "polkit-gnome-authentication-agent-1";
+        wantedBy = [ "graphical-session.target" ];
+        wants = [ "graphical-session.target" ];
+        after = [ "graphical-session.target" ];
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+          Restart = "on-failure";
+          RestartSec = 1;
+          TimeoutStopSec = 10;
+        };
+      };
+    };
+  };
+}