From 0bf6345ff3c9d2a70bd3484f1581218d2506e0d6 Mon Sep 17 00:00:00 2001
From: Sonny Bakker
Date: Sat, 26 Apr 2025 16:23:44 +0200
Subject: [PATCH 1/3] Keep mpv open after finishing
---
 templates/personal/all/mpv/config.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/templates/personal/all/mpv/config.j2 b/templates/personal/all/mpv/config.j2
index fe1d4a6..c51a293 100644
--- a/templates/personal/all/mpv/config.j2
+++ b/templates/personal/all/mpv/config.j2
@@ -8,3 +8,6 @@ hwdec=vaapi
 audio-samplerate=128000
 audio-format=s64
+
+# Do not close the window on exit
+keep-open=yes
From 6f393b4c39f094243dd5e8c199d7217212f70c38 Mon Sep 17 00:00:00 2001
From: Sonny Bakker
Date: Sat, 26 Apr 2025 17:10:24 +0200
Subject: [PATCH 2/3] Add BindCarrier directive
To disable wireguard interfaces whenever applicable
---
 templates/personal/desktop/network/enp1s0.network.j2 | 2 --
 templates/personal/desktop/network/wg0.network.j2 | 1 +
 templates/personal/desktop/network/wg1.network.j2 | 1 +
 templates/personal/xps/network/wg0.network.j2 | 1 +
 templates/personal/xps/network/wg1.network.j2 | 1 +
 5 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/templates/personal/desktop/network/enp1s0.network.j2 b/templates/personal/desktop/network/enp1s0.network.j2
index 6f1d5e8..1bfb866 100644
--- a/templates/personal/desktop/network/enp1s0.network.j2
+++ b/templates/personal/desktop/network/enp1s0.network.j2
@@ -12,6 +12,4 @@ MulticastDNS=yes
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
-
-[Link]
 RequiredForOnline=routable
diff --git a/templates/personal/desktop/network/wg0.network.j2 b/templates/personal/desktop/network/wg0.network.j2
index 36beed3..4cb1039 100644
--- a/templates/personal/desktop/network/wg0.network.j2
+++ b/templates/personal/desktop/network/wg0.network.j2
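Review bot: Dropping the `[Link]` header in the enp1s0 hunk leaves the surviving context line `RequiredForOnline=routable` inside the `[Network]` section, and as far as I can tell from systemd.network(5) that key is a `[Link]`-section option only, so networkd would log an unknown-key warning and ignore it, silently changing what systemd-networkd-wait-online treats as "online" for this host. If the intent was only to remove the blank line, keep the section header, i.e. `[Link]` directly above `RequiredForOnline=routable`. The wlan0.network.j2 context shown later in this series places the same key under `[Network]`, so it is worth checking the journal for the warning on both hosts after deploying.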
@@ -7,3 +7,4 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+BindCarrier={{ lan_interface }}
diff --git a/templates/personal/desktop/network/wg1.network.j2 b/templates/personal/desktop/network/wg1.network.j2
index 5ea0ce9..129cac1 100644
--- a/templates/personal/desktop/network/wg1.network.j2
+++ b/templates/personal/desktop/network/wg1.network.j2
@@ -7,3 +7,4 @@ Name={{ vpn_media.interface }}
 Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
 DNS={{ vpn_media.dns }}
 Domains={{ vpn_media.domains | join(' ') }}
+BindCarrier={{ lan_interface }}
diff --git a/templates/personal/xps/network/wg0.network.j2 b/templates/personal/xps/network/wg0.network.j2
index 36beed3..3832085 100644
--- a/templates/personal/xps/network/wg0.network.j2
+++ b/templates/personal/xps/network/wg0.network.j2
@@ -7,3 +7,4 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}
diff --git a/templates/personal/xps/network/wg1.network.j2 b/templates/personal/xps/network/wg1.network.j2
index 5ea0ce9..ae3f641 100644
--- a/templates/personal/xps/network/wg1.network.j2
+++ b/templates/personal/xps/network/wg1.network.j2
@@ -7,3 +7,4 @@ Name={{ vpn_media.interface }}
 Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
 DNS={{ vpn_media.dns }}
 Domains={{ vpn_media.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}
From 82a02be85a9dc451f1f127d88e168d816f5aeaca Mon Sep 17 00:00:00 2001
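Review bot: The new `BindCarrier=` line in the desktop wg0 hunk carries no explanation in the template, and the reason given in the commit message (take the tunnel down whenever the underlying link is gone) is not recoverable from the value alone. Suggest a comment directly above it: `# Tunnel follows the carrier of the underlying link: no LAN link, no tunnel`. The same applies to the desktop wg1 hunk and to the two xps hunks, where the bound link is `wireless_interface` and the comment should say "Wi-Fi link" instead.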
From: Sonny Bakker
Date: Sat, 26 Apr 2025 17:11:03 +0200
Subject: [PATCH 3/3] Use DNS over TLS & enable DNSSEC
---
 host_vars/desktop/network.yml | 2 +-
 host_vars/xps/network.yml | 6 ++++--
 playbook.yml | 3 ++-
 templates/personal/desktop/network/enp1s0.network.j2 | 6 ++++--
 templates/personal/xps/network/wlan0-frans.network.j2 | 6 ++++--
 templates/personal/xps/network/wlan0-local.network.j2 | 6 ++++--
 templates/personal/xps/network/wlan0.network.j2 | 3 +++
 7 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/host_vars/desktop/network.yml b/host_vars/desktop/network.yml
index 8470e20..25eaf55 100644
--- a/host_vars/desktop/network.yml
+++ b/host_vars/desktop/network.yml
@@ -2,7 +2,7 @@ lan_interface: enp1s0
 lan_interface_mac: 00:d8:61:9f:52:65
 local_network_address: 192.168.2.15/24
-local_network_dns: 192.168.2.254
+local_network_dns: 9.9.9.9 149.112.112.112
 local_network_gateway: 192.168.2.254
 hostname: desktop
diff --git a/host_vars/xps/network.yml b/host_vars/xps/network.yml
index dbfa8ae..3fd2f25 100644
--- a/host_vars/xps/network.yml
+++ b/host_vars/xps/network.yml
@@ -3,12 +3,14 @@ wireless_interface_mac: 98:2c:bc:e3:ff:bc
 local_network_ssid: KPNAE51C6
 local_network_address: 192.168.2.9/24
-local_network_dns: 192.168.2.254
+local_network_dns: 9.9.9.9 149.112.112.112
 local_network_gateway: 192.168.2.254
 frans_network_ssid: KPNDD1056
 frans_network_address: 192.168.2.9/24
-frans_network_dns: 192.168.2.254
+frans_network_dns: 9.9.9.9 149.112.112.112
 frans_network_gateway: 192.168.2.254
+default_network_dns: 9.9.9.9 149.112.112.112
+
 hostname: xps
diff --git a/playbook.yml b/playbook.yml
index 60eba42..be8a56a 100644
--- a/playbook.yml
+++ b/playbook.yml
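Review bot: The new resolver list `9.9.9.9 149.112.112.112` in the desktop host_vars hunk is rendered into `DNS=` lines that this series also switches to `DNSOverTLS=yes`, but without a `#servername` suffix systemd-resolved has no name to send as SNI or to match the server certificate against, so strict mode is weaker than it looks (as I read resolved.conf(5), the suffix is what drives name validation). Append Quad9's published DoT name to each address, and quote the scalar so the `#` cannot be misread as a YAML comment by other tooling: `local_network_dns: '9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net'`. The same applies to `local_network_dns`, `frans_network_dns` and the new `default_network_dns` in the xps host_vars hunk.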
@@ -29,7 +29,8 @@
 - name: Personal provisiong
 when: "'personal' in group_names"
 block:
-# TODO: require (w)lan interfaces before configuring these
+# Note: set `network.dns.native_https_query` in about:config to prevent
+# DoH requests by default. See https://github.com/arkenfox/user.js/issues/1881
 - name: Wireguard provisioning
 ansible.builtin.import_tasks: 'tasks/personal/all/wireguard.yml'
 tags: wireguard
diff --git a/templates/personal/desktop/network/enp1s0.network.j2 b/templates/personal/desktop/network/enp1s0.network.j2
index 1bfb866..af57302 100644
--- a/templates/personal/desktop/network/enp1s0.network.j2
+++ b/templates/personal/desktop/network/enp1s0.network.j2
@@ -5,10 +5,12 @@ Name={{ lan_interface }}
 [Network]
 Address={{ local_network_address }}
-DNS={{ local_network_dns }}
 Gateway={{ local_network_gateway }}
-DHCP=no
+DNS={{ local_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
diff --git a/templates/personal/xps/network/wlan0-frans.network.j2 b/templates/personal/xps/network/wlan0-frans.network.j2
index fb19ae3..522ddc3 100644
--- a/templates/personal/xps/network/wlan0-frans.network.j2
+++ b/templates/personal/xps/network/wlan0-frans.network.j2
@@ -6,10 +6,12 @@ SSID={{ frans_network_ssid }}
 [Network]
 Address={{ frans_network_address }}
-DNS={{ frans_network_dns }}
 Gateway={{ frans_network_gateway }}
-DHCP=no
+DNS={{ frans_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
diff --git a/templates/personal/xps/network/wlan0-local.network.j2 b/templates/personal/xps/network/wlan0-local.network.j2
index c01faab..3d23390 100644
--- a/templates/personal/xps/network/wlan0-local.network.j2
+++ b/templates/personal/xps/network/wlan0-local.network.j2
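Review bot: The replacement comment in the playbook hunk names the Firefox pref `network.dns.native_https_query` but not the value it should be set to, so the instruction cannot be followed without opening the linked issue; presumably `false`, e.g. `# Note: set network.dns.native_https_query = false in about:config to stop Firefox` followed by the existing second line. It also sits directly above the Wireguard task although it concerns browser-side DoH rather than anything this play configures, so a reader will not find it when looking at the DNS-over-TLS templates it complements; consider moving it next to the network/DNS tasks or into the README. The enclosing `block:` of the "Personal provisiong" play continues past the hunk.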
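Review bot: `DNSOverTLS=yes` and `DNSSEC=yes` in the enp1s0 hunk are the strict variants: if 853/tcp is filtered, the server certificate does not validate, or a zone fails DNSSEC validation, resolution on this link fails rather than falling back to plaintext or unsigned answers, which is the right default for a fixed LAN profile but should be stated in the template so the next outage is not chased as a resolver bug. Suggest a comment above the two lines: `# Strict DoT + DNSSEC: lookups fail closed, no plaintext or unsigned fallback`. The same two lines are added in the wlan0-frans, wlan0-local and wlan0 hunks and deserve the same comment.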
@@ -6,10 +6,12 @@ SSID={{ local_network_ssid }}
 [Network]
 Address={{ local_network_address }}
-DNS={{ local_network_dns }}
 Gateway={{ local_network_gateway }}
-DHCP=no
+DNS={{ local_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
diff --git a/templates/personal/xps/network/wlan0.network.j2 b/templates/personal/xps/network/wlan0.network.j2
index a90c88e..ed8191f 100644
--- a/templates/personal/xps/network/wlan0.network.j2
+++ b/templates/personal/xps/network/wlan0.network.j2
@@ -2,6 +2,9 @@ MACAddress={{ wireless_interface_mac }}
 [Network]
+DNS={{ default_network_dns }}
+DNSOverTLS=yes
+DNSSEC=yes
 DHCP=yes
 RequiredForOnline=routable
 IgnoreCarrierLoss=3s
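Review bot: The wlan0 hunk keeps `DHCP=yes`, and with networkd's default `UseDNS=yes` the resolvers handed out by whatever network the laptop joins are still added to this link alongside the new `DNS={{ default_network_dns }}`, so the Quad9-only intent is not enforced and strict DoT/DNSSEC is also attempted against untrusted hotspot resolvers. Unless a `[DHCPv4]` section outside the hunk already does so, add `[DHCPv4]` with `UseDNS=no` (and the same under `[DHCPv6]`) so only the configured servers are used on this catch-all profile. Note that strict `DNSOverTLS=yes` on an arbitrary network will also prevent captive-portal sign-in until the portal is cleared, which may be acceptable here but is worth a comment next to the new lines.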