Networking Leaf

cells/core/networking.nix attaches network policy to the security branch.

Up: core leaves

Down: security branch | Nftables

What this leaf does

It enables systemd-resolved, points NetworkManager at it for DNS, turns on logging of refused firewall connections, switches the firewall backend to nftables, and adds VPN client support. The firewall exposes no TCP ports by default.

networking = {
  networkmanager = {
    enable = lib.mkDefault true;
    dns = "systemd-resolved";
  };
 
  firewall = {
    enable = true;
    logRefusedConnections = true;
    allowedTCPPorts = [ ];
  };
 
  nftables.enable = true;
};

Why it belongs to security

Network defaults are part of the hardening posture. The firewall, DNS behavior, and exposed ports should be reviewed as security policy, not incidental desktop setup.

Hardened mode

When my.profile.security.level is hardened, the leaf additionally disables ping replies (ICMP echo) by merging allowPing = false into the base firewall attribute set.

firewall = baseFirewall // lib.optionalAttrs isHardened {
  allowPing = false;
};
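Putting the two fragments above together, here is a complete NixOS module in the shape this page describes. This is an added illustration, not the project's actual cells/core/networking.nix. It assumes that the option my.profile.security.level is declared elsewhere in the configuration and takes the string "hardened", and the VPN plugin list (networkmanager-openvpn) is a placeholder choice for "VPN client support"; the page does not say which plugin the leaf uses.

```nix
# Added example module (not the project's own file). Assumptions:
#   - config.my.profile.security.level is declared elsewhere and may equal "hardened"
#   - the VPN plugin is an illustrative choice; substitute the one the leaf actually ships
{ config, lib, pkgs, ... }:

let
  # Hardened mode is driven by the profile option, never by a hard-coded flag.
  isHardened = config.my.profile.security.level == "hardened";

  # Baseline firewall policy: log what is refused, expose nothing by default.
  baseFirewall = {
    enable = true;
    logRefusedConnections = true;
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
  };
in
{
  # systemd-resolved is the system stub resolver; NetworkManager hands DNS to it.
  services.resolved.enable = true;

  networking = {
    networkmanager = {
      enable = lib.mkDefault true;
      dns = "systemd-resolved";
      # VPN client support (assumed plugin choice for illustration).
      plugins = [ pkgs.networkmanager-openvpn ];
    };

    # Hardened profile additionally drops ICMP echo requests.
    firewall = baseFirewall // lib.optionalAttrs isHardened {
      allowPing = false;
    };

    # Use the nftables backend for the NixOS firewall rather than iptables.
    nftables.enable = true;
  };
}
```

After a rebuild, the effective policy can be reviewed with `nft list ruleset` (confirm the input chain drops by default and, in hardened mode, that no rule accepts icmp echo-request) and `resolvectl status` (confirm NetworkManager-managed links are using the resolved stub). Refused connections appear in the journal via the firewall's log rule, which is the signal to watch when auditing what is knocking on the host.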