diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix index c9e02c13..208e712e 100644 --- a/nix/configurations/vanadium.nix +++ b/nix/configurations/vanadium.nix @@ -92,6 +92,7 @@ in ./vanadium/nixos/audio.nix ./vanadium/nixos/connectivity.nix + ./vanadium/nixos/secure_dns.nix ./vanadium/nixos/input.nix ./vanadium/nixos/misc.nix diff --git a/nix/configurations/vanadium/home/firefox.nix b/nix/configurations/vanadium/home/firefox.nix index d65bde65..c91b2222 100644 --- a/nix/configurations/vanadium/home/firefox.nix +++ b/nix/configurations/vanadium/home/firefox.nix @@ -125,9 +125,6 @@ in { in [ addons.sponsorblock addons.return-youtube-dislikes - - addons.shinigami-eyes - addons.consent-o-matic ]; }; diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 3564f3f1..5a0891fc 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix @@ -41,9 +41,6 @@ # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. escapePwdKey = lib.replaceStrings ["="] ["_"]; - privatePriority = 10; - limitedPriority = -10; - fromList = ns: let go = networkArgs @ { ssid, @@ -73,163 +70,11 @@ in lib.mkMerge (map go ns); in - fromList [ - { - ssid = "~"; - priority = privatePriority; - hasPassword = true; - } - { - ssid = "Pei’s Wifi"; - priority = privatePriority; - hasPassword = true; - } - { - ssid = "girlypop-net"; - priority = privatePriority; - hasPassword = true; - } - - { - ssid = "annapurna"; - priority = privatePriority; - hasPassword = true; - scanOnLowSignal = true; - } - { - ssid = "5526-1"; # TODO: set bssid preference ? - priority = privatePriority; - hasPassword = true; - scanOnLowSignal = true; - } - - { - ssid = "eduroam"; - priority = privatePriority; - scanOnLowSignal = true; - - authProtocols = ["WPA-EAP"]; - auth = '' - pairwise=CCMP - group=CCMP TKIP - eap=PEAP - ca_cert="${./certs/universite_de_rennes.pem}" - identity="ychiang@etudiant.univ-rennes.fr" - altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr" - phase2="auth=MSCHAPV2" - password=ext:EDUROAM - anonymous_identity="anonymous@univ-rennes.fr" - ''; - } - - { - ssid = "A-WAY"; - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "CAT.jpgcafe"; - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "LOUISA"; # 區公所 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "LouisaCoffee"; # 七張 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - { - ssid = "MetroTaipei x Louisa"; # 大安 - priority = privatePriority; - hasPassword = true; - randomizeMac = true; - } - - {ssid = "_SNCF_WIFI_INOUI";} - {ssid = "_WIFI_LYRIA";} - {ssid = "EurostarTrainsWiFi";} - {ssid = "SBB-FREE";} - {ssid = "AOT Airport Free Wi-Fi by NT";} - {ssid = "NewTaipei";} - {ssid = "Fami-WiFi";} - - { - ssid = "iPhone de Léana 江"; - priority = limitedPriority; - hasPassword = true; - } - ]; + fromList (import ./connectivity/networks.nix); }; }; services.mullvad-vpn.enable = true; hardware.bluetooth.enable = true; - - # - # Secure DNS - # - # https://nixos.wiki/wiki/Encrypted_DNS - networking = { - nameservers = ["127.0.0.1" "::1"]; - dhcpcd.extraConfig = "nohook resolv.conf"; - # networkmanager.dns = "none"; - }; - - services.resolved.enable = false; - - services.dnscrypt-proxy2 = { - enable = true; - # Settings reference: - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml - settings = { - listen_addresses = ["127.0.0.1:53"]; - ipv4_servers = true; - - require_dnssec = true; - require_nolog = true; - require_nofilter = true; - - lb_strategy = "p2"; - lb_estimator = true; - - # Prevent building up reliance on chatbots - # Gotta preserve that thinking ability of my smoof bwain - blocked_names = { - blocked_names_file = let - sources = import ../../../../npins; - ai-blocklist = sources.ai-blocklist + "/noai_hosts.txt"; - - # Blocklists are made of one pattern per line. - # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 - blocked_names = lib.pipe (builtins.readFile ai-blocklist) [ - (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case - (lib.splitString "\n") - (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) - (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 - ]; - in - pkgs.writeText "no-ai-blocklist" (builtins.concatStringsSep "\n" blocked_names); - }; - - # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests - # query_log.file = "/var/log/dnscrypt-proxy/query.log"; - sources.public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - }; } diff --git a/nix/configurations/vanadium/nixos/connectivity/networks.nix b/nix/configurations/vanadium/nixos/connectivity/networks.nix new file mode 100644 index 00000000..e603f0e2 --- /dev/null +++ b/nix/configurations/vanadium/nixos/connectivity/networks.nix @@ -0,0 +1,97 @@ +let + privatePriority = 10; + limitedPriority = -10; +in [ + { + ssid = "~"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "Pei’s Wifi"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "girlypop-net"; + priority = privatePriority; + hasPassword = true; + } + + { + ssid = "annapurna"; + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + { + ssid = "5526-1"; # TODO: set bssid preference ? + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + + { + ssid = "eduroam"; + priority = privatePriority; + scanOnLowSignal = true; + + authProtocols = ["WPA-EAP"]; + auth = '' + pairwise=CCMP + group=CCMP TKIP + eap=PEAP + ca_cert="${./universite_de_rennes.pem}" + identity="ychiang@etudiant.univ-rennes.fr" + altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr" + phase2="auth=MSCHAPV2" + password=ext:EDUROAM + anonymous_identity="anonymous@univ-rennes.fr" + ''; + } + + { + ssid = "A-WAY"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "CAT.jpgcafe"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LOUISA"; # 區公所 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LouisaCoffee"; # 七張 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "MetroTaipei x Louisa"; # 大安 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + + {ssid = "_SNCF_WIFI_INOUI";} + {ssid = "_WIFI_LYRIA";} + {ssid = "EurostarTrainsWiFi";} + {ssid = "SBB-FREE";} + {ssid = "AOT Airport Free Wi-Fi by NT";} + {ssid = "NewTaipei";} + {ssid = "Fami-WiFi";} + + { + ssid = "iPhone de Léana 江"; + priority = limitedPriority; + hasPassword = true; + } +] diff --git a/nix/configurations/vanadium/nixos/certs/universite_de_rennes.pem b/nix/configurations/vanadium/nixos/connectivity/universite_de_rennes.pem similarity index 100% rename from nix/configurations/vanadium/nixos/certs/universite_de_rennes.pem rename to nix/configurations/vanadium/nixos/connectivity/universite_de_rennes.pem diff --git a/nix/configurations/vanadium/nixos/secure_dns.nix b/nix/configurations/vanadium/nixos/secure_dns.nix new file mode 100644 index 00000000..eebd747a --- /dev/null +++ b/nix/configurations/vanadium/nixos/secure_dns.nix @@ -0,0 +1,80 @@ +# https://nixos.wiki/wiki/Encrypted_DNS +{ + lib, + pkgs, + ... +}: { + networking = { + nameservers = ["127.0.0.1" "::1"]; + dhcpcd.extraConfig = "nohook resolv.conf"; + # networkmanager.dns = "none"; + }; + + services.resolved.enable = false; + + services.dnscrypt-proxy2 = { + enable = true; + # Settings reference: + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml + settings = { + listen_addresses = ["127.0.0.1:53"]; + ipv4_servers = true; + + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + + lb_strategy = "p2"; + lb_estimator = true; + + # Blocklists are made of one pattern per line. + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 + blocked_names.blocked_names_file = let + # Prevent building up reliance on chatbots + # Gotta preserve that thinking ability of my smoof bwain + ai_list = let + src = pkgs.fetchFromGitHub { + owner = "laylavish"; + repo = "uBlockOrigin-HUGE-AI-Blocklist"; + rev = "9bb188e2701138e03f73bacebd6b19b181ca0012"; + hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA="; + }; + in + lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [ + (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case + (lib.splitString "\n") + (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) + (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 + ]; + + hategroup_list = let + src = pkgs.fetchFromGitHub { + owner = "chigh"; + repo = "hategroup-dnsbl"; + rev = "cc19c050997d5f54014bb20c764b131e003dfb17"; + hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ="; + }; + in + lib.pipe (builtins.readFile "${src}/blocklist.txt") [ + (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case + (lib.splitString "\n") + (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) + ]; + + combined_lists = ai_list ++ hategroup_list; + in + pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists); + + # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests + # query_log.file = "/var/log/dnscrypt-proxy/query.log"; + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + }; +} diff --git a/npins/sources.json b/npins/sources.json index c81b44a7..07131616 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -16,20 +16,6 @@ "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0", "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la" }, - "ai-blocklist": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "laylavish", - "repo": "uBlockOrigin-HUGE-AI-Blocklist" - }, - "branch": "main", - "submodules": false, - "revision": "9bb188e2701138e03f73bacebd6b19b181ca0012", - "url": "https://github.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/archive/9bb188e2701138e03f73bacebd6b19b181ca0012.tar.gz", - "hash": "0h318ckx8l89bff1fv4xg6mmhkvpfhyhvzbr0iyaa7q3dx3iyz57", - "frozen": true - }, "disko": { "type": "GitRelease", "repository": { @@ -105,6 +91,20 @@ "hash": "0g4izwn5k7qpavlk3w41a92rhnp4plr928vmrhc75041vzm3vb1l", "frozen": true }, + "hategroup-dnsbl": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "chigh", + "repo": "hategroup-dnsbl" + }, + "branch": "master", + "submodules": false, + "revision": "cc19c050997d5f54014bb20c764b131e003dfb17", + "url": "https://github.com/chigh/hategroup-dnsbl/archive/cc19c050997d5f54014bb20c764b131e003dfb17.tar.gz", + "hash": "1x1nhy0717bav35z6aid0224izmcsrg3knys64xszhslh266p429", + "frozen": true + }, "home-manager": { "type": "Git", "repository": {