diff --git a/docs/gentoo-desktop-setup/installation.md b/docs/gentoo-desktop-setup/installation.md index 8e07149..ed9dc87 100644 --- a/docs/gentoo-desktop-setup/installation.md +++ b/docs/gentoo-desktop-setup/installation.md 
@@ -183,16 +183,51 @@ root@chroot:~# echo "" > /etc/hostname ### Internet -NetworkManager is an easy to use network manager. It has compatibility with most VPN protocols, works with Eduroam etc. and also has multiple graphical interfaces. Before emerging it, consider adding some USE flags to your liking: +NetworkManager is an easy to use network manager. It has compatibility with most VPN protocols, works with Eduroam etc. and also has multiple graphical interfaces. On top of this `dnsmasq` can be used for managing DNS queries. Before emerging them, consider adding some USE flags to your liking: -``` title="/etc/portage/package.use/networkmanager" +``` title="/etc/portage/package.use/network" net-misc/networkmanager dhcpcd -wext -modemmanager -ppp +net-dns/dnsmasq dnssec ``` Also make sure the `networkmanager` USE flag is enabled in your `make.conf`. Then emerge `networkmananger`: ``` shell-session -root@chroot:~# emerge -av net-misc/networkmanager +root@chroot:~# emerge -av net-misc/networkmanager net-dns/dnsmasq +``` + +Now configure NetworkManager and Dnsmasq. This is a generally secure recommended setup: + +``` title="/etc/NetworkManager/NetworkManager.conf" +[main] +hostname-mode=none +plugins=ifupdown,keyfile +dns=dnsmasq + +[ifupdown] +managed=true + +[device] +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +ethernet.cloned-mac-address=random +wifi.cloned-mac-address=random +``` + +``` title="/etc/dnsmasq.conf.resolv" +nameserver 9.9.9.9 +``` + +``` title="/etc/NetworkManager/dnsmasq.d/resolv" +resolv-file=/etc/dnsmasq.conf.resolv +``` + +``` title="/etc/NetworkManager/dnsmasq.d/dnssec" +dnssec +trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D +trust-anchor=.,38696,8,2,683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 +dnssec-check-unsigned ``` Then disable any other network services before enabling the `NetworkManager`service:
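Review bot: The two `trust-anchor=` lines added in `/etc/NetworkManager/dnsmasq.d/dnssec` hard-code root key digests with no stated source and no maintenance note. A reader cannot verify them, and because `dns=dnsmasq` routes the system's lookups through this validator, stale values would make validation start failing once the root key changes. Please state where the digests were taken from and that this file has to track the published root trust anchors, or point to a trust-anchor file maintained by the package instead of pasting the values. In the same block, "This is a generally secure recommended setup" gives no reason for any of the settings. A sentence each on `hostname-mode=none`, the `cloned-mac-address=random` keys and `dnssec-check-unsigned` would let readers judge what to keep. Two smaller points: the unchanged line "Then emerge `networkmananger`:" now precedes a command that installs two packages and still misspells the package name, and `/etc/dnsmasq.conf.resolv` lists a single upstream (`nameserver 9.9.9.9`) with no fallback, which is worth either a second entry or a note that this is intentional.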