Configure DNS and Docker on Ingenico laptop

hosts/ingenico-laptop/configuration.nix

@@ -17,9 +17,31 @@
     };
   };
 
+  boot.kernel.sysctl = {
+    # Turn on execshield
+    "kernel.exec-shield" = 1;
+    "kkernel.randomize_va_space" = 1;
+    # Enable IP spoofing protection
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Disable IP source routing
+    "knet.ipv4.conf.all.accept_source_route" = 0;
+    # Ignoring broadcasts request
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+    "fnet.ipv4.icmp_ignore_bogus_error_messages" = 1;
+    # Make sure spoofed packets get logged
+    "net.ipv4.conf.all.log_martians" = 1;
+    #  SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+    # Control IP packet forwarding
+    "net.ipv4.ip_forward" = 1;
+  };
+
   networking = {
     hostName = "enix016";
-    networkmanager.enable = true;
+    networkmanager = {
+      enable = true;
+      dns = "dnsmasq";
+    };
   };
 
   networking.interfaces.wlp59s0.useDHCP = true;
@@ -35,18 +57,56 @@
 
   time.timeZone = "Europe/Amsterdam";
 
-  environment.etc."openfortivpn/config" = {
+  environment.etc = {
-    text = ''
+   "openfortivpn/config".text = ''
-      host = devsslvpn.global.ingenico.com
+        host = devsslvpn.global.ingenico.com
-      port = 443
+        port = 443
-      trusted-cert = e09de6da3902e58b9061f28e13d33088d929f3451367d21f1721a0ed6361a883
+        trusted-cert = e09de6da3902e58b9061f28e13d33088d929f3451367d21f1721a0ed6361a883
-      trusted-cert = 33069b6d904330b3fde5c002ca4964b7f413003665e78963d73098fe5f6f7c05
+        trusted-cert = 33069b6d904330b3fde5c002ca4964b7f413003665e78963d73098fe5f6f7c05
-      trusted-cert = 599dba9bee8a920836b68ca5603a11ceee5ec0450201c7a7651f5575d6bbcd3a
+        trusted-cert = 599dba9bee8a920836b68ca5603a11ceee5ec0450201c7a7651f5575d6bbcd3a
-      set-dns = 0
+        set-dns = 0
-      set-routes = 1
+        set-routes = 1
-      insecure-ssl = 0
+        insecure-ssl = 0
-      cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
+        cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
-    '';
+      '';
+    "NetworkManager/conf.d/ingenico.conf".text = ''
+        [main]
+        dns=dnsmasq
+      '';
+    "NetworkManager/dnsmasq.d/hosts.conf".text = ''
+        addn-hosts=/etc/hosts
+      '';
+    "NetworkManager/dnsmasq.d/ingenico.conf".text = ''
+        server=/.its/172.21.1.131
+        server=/.its/172.21.1.146
+        server=/.lab.ingenico.com/172.24.15.1
+        server=/.lab.ingenico.com/172.24.15.2
+        server=/.sandbox.global.ingenico.com/10.138.24.53
+        server=/sb.eu.ginfra.net/10.138.24.53
+      '';
+    "NetworkManager/dnsmasq.d/default.conf".text = ''
+        server=/~./1.1.1.1
+        server=1.1.1.1
+        server=/~./1.0.0.1
+        server=1.0.0.1
+        server=/~./8.8.8.8
+        server=8.8.8.8
+        server=/~./8.8.4.4
+        server=8.8.4.4
+      '';
+    "docker/daemon.json".text = ''
+        {
+          "dns": [
+            "172.17.0.1"
+          ],
+          "insecure-registries": [
+            "docker-registry.services.lab.ingenico.com"
+          ]
+        }
+      '';
+    "NetworkManager/dnsmasq.d/docker-bridge.conf".text = ''
+        listen-address=172.17.0.1
+      '';
   };
 
   hardware.bluetooth = {