From c1f33ec5e193e6b780f098ad83b706c1dbb6797c Mon Sep 17 00:00:00 2001
From: Benno Lorenz
Date: Wed, 25 Mar 2026 09:34:49 +0100
Subject: [PATCH] support for captive portals

---
 modules/core/network.nix | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/modules/core/network.nix b/modules/core/network.nix
index 92436aa..fe1f3e4 100644
--- a/modules/core/network.nix
+++ b/modules/core/network.nix
@@ -16,21 +16,32 @@ in {
 networking = {
 hostName = "${host}";
 hostId = hostId;
- networkmanager.enable = true;
+ networkmanager = {
+ enable = true;
+ # Enable captive portal detection
+ wifi.scanRandMacAddress = true;
+ };
 timeServers = options.networking.timeServers.default ++ ["pool.ntp.org"];
- nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
 firewall = {
 enable = true;
 allowedTCPPorts = [ 22 80 443 8080 ];
 };
 };

+ # Captive portal detection via NetworkManager connectivity checks
+ networking.networkmanager.settings.connectivity = {
+ uri = "http://nmcheck.gnome.org/check_network_status.txt";
+ interval = 300;
+ };
+
 services.resolved = {
 enable = true;
- dnssec = "true";
+ # allow-downgrade: use DNSSEC when available, but don't fail on captive portals
+ dnssec = "allow-downgrade";
 domains = ["~."];
 fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
- dnsovertls = "true";
+ # opportunistic: prefer DNS-over-TLS but fall back to plain DNS for captive portals
+ dnsovertls = "opportunistic";
 };

 environment.systemPackages = with pkgs; [networkmanagerapplet];
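Review bot: The two `services.resolved` changes at the end of the hunk relax DNS protection on every network, not only while a portal is intercepting traffic: systemd-resolved documents both `dnssec = "allow-downgrade"` and `dnsovertls = "opportunistic"` as open to downgrade, so a network that blocks DNS-over-TLS or strips DNSSEC records gets plain, unvalidated DNS without any error. With `networking.nameservers` removed in the same hunk, lookups will presumably go to whatever resolver DHCP hands out, which is worth confirming on a test machine with `resolvectl status`. If the trade-off is intended, the comments should state it, e.g. `# opportunistic: falls back to plaintext DNS whenever the network blocks DoT, on all networks`. Separately, the comment above `wifi.scanRandMacAddress = true;` is misleading, since that option randomizes the MAC address used during Wi-Fi scans and the portal check itself is the `connectivity` block further down; `# Randomize the MAC address used while scanning for Wi-Fi networks` would match what the line does.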