diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix index 208e712e..c9e02c13 100644 --- a/nix/configurations/vanadium.nix +++ b/nix/configurations/vanadium.nix @@ -92,7 +92,6 @@ in ./vanadium/nixos/audio.nix ./vanadium/nixos/connectivity.nix - ./vanadium/nixos/secure_dns.nix ./vanadium/nixos/input.nix ./vanadium/nixos/misc.nix diff --git a/nix/configurations/vanadium/home/firefox.nix b/nix/configurations/vanadium/home/firefox.nix index c91b2222..d65bde65 100644 --- a/nix/configurations/vanadium/home/firefox.nix +++ b/nix/configurations/vanadium/home/firefox.nix @@ -125,6 +125,9 @@ in { in [ addons.sponsorblock addons.return-youtube-dislikes + + addons.shinigami-eyes + addons.consent-o-matic ]; }; diff --git a/nix/configurations/vanadium/nixos/connectivity/universite_de_rennes.pem b/nix/configurations/vanadium/nixos/certs/universite_de_rennes.pem similarity index 100% rename from nix/configurations/vanadium/nixos/connectivity/universite_de_rennes.pem rename to nix/configurations/vanadium/nixos/certs/universite_de_rennes.pem diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 5a0891fc..3564f3f1 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix @@ -41,6 +41,9 @@ # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. escapePwdKey = lib.replaceStrings ["="] ["_"]; + privatePriority = 10; + limitedPriority = -10; + fromList = ns: let go = networkArgs @ { ssid, 
@@ -70,11 +73,163 @@ in lib.mkMerge (map go ns); in - fromList (import ./connectivity/networks.nix); + fromList [ + { + ssid = "~"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "Pei’s Wifi"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "girlypop-net"; + priority = privatePriority; + hasPassword = true; + } + + { + ssid = "annapurna"; + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + { + ssid = "5526-1"; # TODO: set bssid preference ? + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + + { + ssid = "eduroam"; + priority = privatePriority; + scanOnLowSignal = true; + + authProtocols = ["WPA-EAP"]; + auth = '' + pairwise=CCMP + group=CCMP TKIP + eap=PEAP + ca_cert="${./certs/universite_de_rennes.pem}" + identity="ychiang@etudiant.univ-rennes.fr" + altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr" + phase2="auth=MSCHAPV2" + password=ext:EDUROAM + anonymous_identity="anonymous@univ-rennes.fr" + ''; + } + + { + ssid = "A-WAY"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "CAT.jpgcafe"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LOUISA"; # 區公所 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LouisaCoffee"; # 七張 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "MetroTaipei x Louisa"; # 大安 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + + {ssid = "_SNCF_WIFI_INOUI";} + {ssid = "_WIFI_LYRIA";} + {ssid = "EurostarTrainsWiFi";} + {ssid = "SBB-FREE";} + {ssid = "AOT Airport Free Wi-Fi by NT";} + {ssid = "NewTaipei";} + {ssid = "Fami-WiFi";} + + { + ssid = "iPhone de Léana 江"; + priority = limitedPriority; + hasPassword = true; + } + ]; 
}; }; services.mullvad-vpn.enable = true; hardware.bluetooth.enable = true; + + # + # Secure DNS + # + # https://nixos.wiki/wiki/Encrypted_DNS + networking = { + nameservers = ["127.0.0.1" "::1"]; + dhcpcd.extraConfig = "nohook resolv.conf"; + # networkmanager.dns = "none"; + }; + + services.resolved.enable = false; + + services.dnscrypt-proxy2 = { + enable = true; + # Settings reference: + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml + settings = { + listen_addresses = ["127.0.0.1:53"]; + ipv4_servers = true; + + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + + lb_strategy = "p2"; + lb_estimator = true; + + # Prevent building up reliance on chatbots + # Gotta preserve that thinking ability of my smoof bwain + blocked_names = { + blocked_names_file = let + sources = import ../../../../npins; + ai-blocklist = sources.ai-blocklist + "/noai_hosts.txt"; + + # Blocklists are made of one pattern per line. + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 + blocked_names = lib.pipe (builtins.readFile ai-blocklist) [ + (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case + (lib.splitString "\n") + (builtins.filter (x: ! 
(x == "" || lib.hasPrefix "#" x))) + (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 + ]; + in + pkgs.writeText "no-ai-blocklist" (builtins.concatStringsSep "\n" blocked_names); + }; + + # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests + # query_log.file = "/var/log/dnscrypt-proxy/query.log"; + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + }; } diff --git a/nix/configurations/vanadium/nixos/connectivity/networks.nix b/nix/configurations/vanadium/nixos/connectivity/networks.nix deleted file mode 100644 index e603f0e2..00000000 --- a/nix/configurations/vanadium/nixos/connectivity/networks.nix +++ /dev/null 
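Review bot: `networking.nameservers` lists `::1`, but the `services.dnscrypt-proxy2.settings.listen_addresses` added in this hunk binds only `127.0.0.1:53`, so any lookup the stub resolver sends to the IPv6 entry cannot reach dnscrypt-proxy; either bind both, `listen_addresses = ["127.0.0.1:53" "[::1]:53"];`, or drop `::1` from `nameservers`. The blocklist pipeline is also fragile: `builtins.elemAt (lib.splitString " " x) 1` throws on a line with no space and picks the wrong token on tab-separated or multi-space lines, and if the pinned `noai_hosts.txt` carries the conventional `127.0.0.1 localhost` preamble those names would land in the blocklist too — worth confirming against the file. Filtering to the expected format first, `(builtins.filter (lib.hasPrefix "0.0.0.0 "))` placed before the map, would make both cases explicit. The module attrset that encloses this block starts outside the hunk.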
@@ -1,97 +0,0 @@ -let - privatePriority = 10; - limitedPriority = -10; -in [ - { - ssid = "~"; - priority = privatePriority; - hasPassword = true; - } - { - ssid = "Pei’s Wifi"; - priority = privatePriority; - hasPassword = true; - } - { - ssid = "girlypop-net"; - priority = privatePriority; - hasPassword = true; - } - - { - ssid = "annapurna"; - priority = privatePriority; - hasPassword = true; - scanOnLowSignal = true; - } - { - ssid = "5526-1"; # TODO: set bssid preference ? - priority = privatePriority; - hasPassword = true; - scanOnLowSignal = true; - } - - { - ssid = "eduroam"; - priority = privatePriority; - scanOnLowSignal = true; - - authProtocols = ["WPA-EAP"]; - auth = '' - pairwise=CCMP - group=CCMP TKIP - eap=PEAP - ca_cert="${./universite_de_rennes.pem}" - identity="ychiang@etudiant.univ-rennes.fr" - altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr" - phase2="auth=MSCHAPV2" - password=ext:EDUROAM - anonymous_identity="anonymous@univ-rennes.fr" - ''; - } - - { - ssid = "A-WAY"; - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "CAT.jpgcafe"; - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "LOUISA"; # 區公所 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "LouisaCoffee"; # 七張 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "MetroTaipei x Louisa"; # 大安 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - - {ssid = "_SNCF_WIFI_INOUI";} - {ssid = "_WIFI_LYRIA";} - {ssid = "EurostarTrainsWiFi";} - {ssid = "SBB-FREE";} - {ssid = "AOT Airport Free Wi-Fi by NT";} - {ssid = "NewTaipei";} - {ssid = "Fami-WiFi";} - - { - ssid = "iPhone de Léana 江"; - priority = limitedPriority; - hasPassword = true; - } -] 
diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix deleted file mode 100644 index eebd747a..00000000 --- a/nix/configurations/vanadium/nixos/secure_dns.nix +++ /dev/null 
@@ -1,80 +0,0 @@ -# https://nixos.wiki/wiki/Encrypted_DNS -{ - lib, - pkgs, - ... -}: { - networking = { - nameservers = ["127.0.0.1" "::1"]; - dhcpcd.extraConfig = "nohook resolv.conf"; - # networkmanager.dns = "none"; - }; - - services.resolved.enable = false; - - services.dnscrypt-proxy2 = { - enable = true; - # Settings reference: - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml - settings = { - listen_addresses = ["127.0.0.1:53"]; - ipv4_servers = true; - - require_dnssec = true; - require_nolog = true; - require_nofilter = true; - - lb_strategy = "p2"; - lb_estimator = true; - - # Blocklists are made of one pattern per line. - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 - blocked_names.blocked_names_file = let - # Prevent building up reliance on chatbots - # Gotta preserve that thinking ability of my smoof bwain - ai_list = let - src = pkgs.fetchFromGitHub { - owner = "laylavish"; - repo = "uBlockOrigin-HUGE-AI-Blocklist"; - rev = "9bb188e2701138e03f73bacebd6b19b181ca0012"; - hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA="; - }; - in - lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [ - (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case - (lib.splitString "\n") - (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) - (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 - ]; - - hategroup_list = let - src = pkgs.fetchFromGitHub { - owner = "chigh"; - repo = "hategroup-dnsbl"; - rev = "cc19c050997d5f54014bb20c764b131e003dfb17"; - hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ="; - }; - in - lib.pipe (builtins.readFile "${src}/blocklist.txt") [ - (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case - (lib.splitString "\n") - (builtins.filter (x: ! 
(x == "" || lib.hasPrefix "#" x))) - ]; - - combined_lists = ai_list ++ hategroup_list; - in - pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists); - - # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests - # query_log.file = "/var/log/dnscrypt-proxy/query.log"; - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - }; -} diff --git a/npins/sources.json b/npins/sources.json index 07131616..c81b44a7 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -16,6 +16,20 @@ "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0", "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la" }, + "ai-blocklist": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "laylavish", + "repo": "uBlockOrigin-HUGE-AI-Blocklist" + }, + "branch": "main", + "submodules": false, + "revision": "9bb188e2701138e03f73bacebd6b19b181ca0012", + "url": "https://github.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/archive/9bb188e2701138e03f73bacebd6b19b181ca0012.tar.gz", + "hash": "0h318ckx8l89bff1fv4xg6mmhkvpfhyhvzbr0iyaa7q3dx3iyz57", + "frozen": true + }, "disko": { "type": "GitRelease", "repository": { 
@@ -91,20 +105,6 @@
 "hash": "0g4izwn5k7qpavlk3w41a92rhnp4plr928vmrhc75041vzm3vb1l",
 "frozen": true
 },
- "hategroup-dnsbl": {
- "type": "Git",
- "repository": {
- "type": "GitHub",
- "owner": "chigh",
- "repo": "hategroup-dnsbl"
- },
- "branch": "master",
- "submodules": false,
- "revision": "cc19c050997d5f54014bb20c764b131e003dfb17",
- "url": "https://github.com/chigh/hategroup-dnsbl/archive/cc19c050997d5f54014bb20c764b131e003dfb17.tar.gz",
- "hash": "1x1nhy0717bav35z6aid0224izmcsrg3knys64xszhslh266p429",
- "frozen": true
- },
 "home-manager": {
 "type": "Git",
 "repository": {