machine_setup/nix/configuration/roles/network/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:

# Alternative DNS servers:
# "1.0.0.1#cloudflare-dns.com"
# "1.1.1.1#cloudflare-dns.com"
# "2606:4700:4700::1001#cloudflare-dns.com"
# "2606:4700:4700::1111#cloudflare-dns.com"
# "8.8.4.4#dns.google"
# "8.8.8.8#dns.google"
# "2001:4860:4860::8844#dns.google"
# "2001:4860:4860::8888#dns.google"

{
  imports = [ ];

  options.me = {
    network.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install network.";
    };
  };

  config = lib.mkIf config.me.network.enable {
    networking.dhcpcd.enable = lib.mkDefault false;
    networking.useDHCP = lib.mkDefault false;
    networking.nameservers = [
      "194.242.2.2#doh.mullvad.net"
      "2a07:e340::2#doh.mullvad.net"
    ];
    services.resolved = {
      enable = true;
      # dnssec = "true";
      domains = [ "~." ];
      fallbackDns = [ ];
      dnsovertls = "true";
    };

    # Without this, systemd-resolved will send DNS requests for <X>.home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection hanging and timing out. This causes firefox startup to take an extra 10+ seconds.
    #
    # Test with: drill @127.0.0.53 odo.home.arpa
    # TODO: The 127.0.0.1 address should probably be moved to a host-specific file.
    networking.extraHosts = ''
      127.0.0.1 ${config.networking.hostName}.home.arpa
      10.216.1.1		homeserver
      10.216.1.6		media
      10.216.1.12		odo
      10.216.1.14		neelix
      10.216.1.15		quark
      10.217.1.1		drmario
      10.217.2.1		mrmanager
    '';

    networking.wireless.iwd = {
      enable = true;

      settings = {
        General = {
          EnableNetworkConfiguration = true;
          AddressRandomization = "network";
        };
        # Rank = {
        #   BandModifier2_4GHz = 1.0;
        #   BandModifier5GHz = 1.0;
        #   BandModifier6GHz = 1.0;
        # };
        DriverQuirks = {
          PowerSaveDisable = "*";
          # ath12k_pci
        };
        # Scan = {
        #   DisablePeriodicScan = true;
        #   DisableRoamingScan = true;
        # };
      };
    };
    environment.systemPackages = with pkgs; [
      iw
      iwd
      ldns # for drill
      arp-scan # To find devices on the network
      wavemon
      dhcpcd # For Android USB tethering.
    ];

    boot.extraModprobeConfig = ''
      # Set wifi to US
      options cfg80211 ieee80211_regdom=US
    '';

    boot.kernel.sysctl = {
      # Enable TCP packetization-layer PMTUD when an ICMP black hole is detected.
      "net.ipv4.tcp_mtu_probing" = 1;
      # Switch to bbr tcp congestion control which should be better on lossy connections like bad wifi.
      # We set this in the kernel config, but include this here for unoptimized builds.
      "net.ipv4.tcp_congestion_control" = "bbr";
      # Don't do a slow start after a connection has been idle for a single RTO.
      "net.ipv4.tcp_slow_start_after_idle" = 0;
      # 3x time to accumulate filesystem changes before flushing to disk.
      "vm.dirty_writeback_centisecs" = 1500;
      # Adjust ttl
      "net.ipv4.ip_default_ttl" = 65;
      "net.ipv6.conf.all.hop_limit" = 65;
      "net.ipv6.conf.default.hop_limit" = 65;
      # Enable IPv6 Privacy Extensions
      "net.ipv6.conf.all.use_tempaddr" = 2;
      # Enable IPv6 Privacy Extensions
      # This is enabled by default in nixos.
      # "net.ipv6.conf.default.use_tempaddr" = 2;
    };

    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
      hideMounts = true;
      directories = [
        "/var/lib/iwd" # Wifi settings
      ];
    };
  };
}