From 2a65383ca689412cdc213ec3b079dcbbb763c839 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Mon, 14 Jul 2025 08:03:55 -0700
Subject: create common network configuration for nixos

---
 nix/machines/common/network.nix      | 41 ++++++++++++++++++++++++++++++++++++
 nix/machines/vm-synology/default.nix |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 nix/machines/common/network.nix

diff --git a/nix/machines/common/network.nix b/nix/machines/common/network.nix
new file mode 100644
index 0000000..fb31099
--- /dev/null
+++ b/nix/machines/common/network.nix
@@ -0,0 +1,41 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  networking.firewall.allowPing = true;
+
+  # Default to systemd-networkd usage.
+  networking.useNetworkd = lib.mkDefault true;
+  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+  # Use systemd-resolved for DoT support.
+  services.resolved = {
+    enable = true;
+    dnssec = "false";
+    extraConfig = ''
+      DNSOverTLS=yes
+    '';
+  };
+
+  # Used by systemd-resolved, not directly by resolv.conf.
+  networking.nameservers = [
+    "8.8.8.8#dns.google"
+    "1.0.0.1#cloudflare-dns.com"
+  ];
+
+  networking.firewall.logRefusedConnections = false;
+
+  boot.kernel.sysctl = {
+    "net.ipv4.tcp_fastopen" = 3;
+    "net.ipv4.tcp_tw_reuse" = 1;
+  };
+
+  environment.systemPackages = with pkgs; [
+    mtr
+    tcpdump
+    traceroute
+  ];
+}
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index 8f3b725..966d173 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -22,6 +22,7 @@
     ./git.nix
     ./hardware.nix
     ./ingress.nix
+    ../common/network.nix
   ];
 
   # Use the systemd-boot EFI boot loader.
-- 
cgit v1.2.3
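Review bot: `dnssec = "false";` in the `services.resolved` block of network.nix is undocumented, and it changes what the DoT setup actually guarantees: `DNSOverTLS=yes` with the `#hostname` suffixes on the nameservers authenticates and encrypts the path to the two upstream resolvers, but with validation off every answer they return is trusted as-is, so the comment "Use systemd-resolved for DoT support" oversells it. A line such as `# DNSSEC validation off: DoT protects transport only, upstream answers are trusted unvalidated` next to it would make the trade-off explicit, and if the NixOS release in use exposes a `services.resolved.dnsovertls` option that is preferable to the `extraConfig` string since it is typed and merges with other modules. `networking.firewall.logRefusedConnections = false;` silently removes the kernel log entries that are the only local evidence of dropped inbound connections on this host, so it deserves a one-line rationale too, e.g. `# Drop logging disabled to keep the journal quiet on VMs; re-enable when investigating`. The `../common/network.nix` import hunk in vm-synology/default.nix needs no change.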