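# NixOS module for the dn42 router "router-a".
#
# What this file sets, as far as the visible code shows:
#   * an AAAA record for router-a.dn42 under zaphyra.eu,
#   * the sops-managed WireGuard private key,
#   * the dn42 peerings handed to the project-local `modules.networking.dn42` module,
#   * a Knot Resolver (kresd) instance that resolves the dn42 zones,
#   * firewall rules and the systemd-networkd WireGuard device "dn42" for own devices.
#
# The file had been collapsed onto a few physical lines. `#` (Nix) and `--` (Lua)
# comments run to end of line, so the line structure is restored here.
{
  config,
  hostConfig,
  ...
}:
{
  dns.zones."zaphyra.eu".subdomains."router-a.dn42".AAAA = [
    hostConfig.networking.ip6Address
  ];

  # The private key is decrypted by sops at activation time and handed to
  # systemd-networkd only; it is never written to the Nix store.
  sops.secrets."dn42/wgPrivateKey" = {
    owner = "systemd-network";
    group = "systemd-network";
  };

  # Options of a project-local module; how it turns `peerings` into interfaces,
  # BGP sessions and firewall openings is not visible from this file.
  modules.networking.dn42 = {
    enable = true;
    routerId = 42171801;
    asn = 4242421718;
    address = "fd6b:6174:6a61::1";
    range = "fd6b:6174:6a61::/48";

    # One entry per BGP peer. `publicKey` values are WireGuard public keys and
    # are not secret. Peers without `endpoint` (echonet, pilz, lgcl) presumably
    # connect inbound to `listenPort` - confirm against the module.
    # NOTE(review): whether each `listenPort` is opened in the firewall by the
    # module cannot be told from here; only ListenPort 1718 is opened below.
    peerings = {
      # void = {
      #   asn = 4242420575;
      #   linkLocalAddress = "fe80::497a";
      #   endpoint = "gw.srv.eukaryote.eu:49508";
      #   hasPresharedKey = true;
      #   publicKey = "";
      #   listenPort = 51821;
      # };
      kioubit = {
        asn = 4242423914;
        remoteLinkLocalAddress = "fe80::ade0";
        endpoint = "de2.g-load.eu:21718";
        publicKey = "B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=";
        listenPort = 51823;
      };
      pleiades = {
        asn = 4242420069;
        remoteLinkLocalAddress = "fe80::706c:6569:6164:6573";
        endpoint = "central.net.nojus.org:21718";
        publicKey = "1YAga5Bhreysf/XmhOnDGh3FmbN3Mp2jZjMSAQb/TEM=";
        listenPort = 51824;
      };
      echonet = {
        asn = 4242420714;
        remoteLinkLocalAddress = "fe80::718";
        publicKey = "NxYj58YhWf0JXC+pQAHfh3saUkQSII0lBTDvYGe5kw4=";
        listenPort = 51825;
      };
      tbspace = {
        # NOTE(review): this ASN does not follow the 42424xxxxx pattern of the
        # other peers; confirm it against the peer's registry entry.
        asn = 76190;
        remoteLinkLocalAddress = "fe80::1299:e";
        endpoint = "dn42.tbspace.de:49158";
        publicKey = "NW8IeEmAXmwYMuMlvrb9Zpkcko6bzotDlYtGePtgzQE=";
        listenPort = 51826;
      };
      antibldg = {
        asn = 4242421403;
        remoteLinkLocalAddress = "fe80::1234:9320";
        endpoint = "zaphyra.dn42.antibuild.ing:15569";
        publicKey = "vambITMGGpA7kxCRGFlY1X36bevxXYELT/ORNgZ72ms=";
        listenPort = 51827;
      };
      dahlabandon = {
        asn = 4242420814;
        remoteLinkLocalAddress = "fe80::1718";
        endpoint = "cargobridge25.iron-bear.de:1718";
        publicKey = "+tg4bDDwfyQZSw0x8x9Ye2tDWPZ/VAf+KTAE1QLaKEI=";
        listenPort = 51828;
      };
      pentane = {
        asn = 4242423253;
        remoteLinkLocalAddress = "fe80::43:59:43";
        endpoint = "imp.aidoskyneen.eu:49507";
        publicKey = "W+h0FMrxsAP7RppqFFMrfDHuu5CMW5aTW9E1MZXFf1w=";
        listenPort = 51829;
      };
      # e1mo = {
      #   asn = 4242420565;
      #   remoteLinkLocalAddress = "";
      #   endpoint = "";
      #   publicKey = "";
      #   listenPort = 51830;
      # };
      clerie = {
        asn = 4242422574;
        remoteLinkLocalAddress = "fe80::2574";
        endpoint = "dn42-il-gw1.net.clerie.de:51718";
        publicKey = "yJmr6lQzibmZV6/6VItXsXbcq4UKMyWFwJJt4lAkvCs=";
        listenPort = 51831;
      };
      etwas = {
        asn = 4242422264;
        remoteLinkLocalAddress = "fe80::acab";
        endpoint = "ncvps.dn42.etwas.me:22266";
        publicKey = "7ZLtBmXN+zOYJ52jtUdZO0HiEZZrxnIO/LLejFcFnnk=";
        listenPort = 51832;
      };
      pilz = {
        asn = 4242420663;
        remoteLinkLocalAddress = "fe80::acab";
        publicKey = "NxHkdwZPVL+3HdrHTFOslUpUckTf0dzEG9qpZ0FTBnA=";
        listenPort = 51833;
      };
      # c4tg1rl5 = {
      #   asn = "4242421411";
      #   remoteLinkLocalAddress = "";
      #   hasPresharedKey = true;
      #   publicKey = "";
      #   listenPort = 51834;
      # };
      lgcl = {
        asn = 4242421825;
        remoteLinkLocalAddress = "fe80::4d:6172:6379";
        publicKey = "7AoJ23hNMLzVM4jjusBlrGDEdwAkSdsEl3Vw/diVlns=";
        listenPort = 51835;
      };
    };
  };

  # Recursive resolver bound to the router's dn42 address, plain DNS on port 53.
  #
  # Security-relevant behaviour of the Lua config below:
  #   * Queries under the `dn42` suffix list are sent to the two fd42:d42:d42:…
  #     stub resolvers, and DNSSEC validation is switched off for those suffixes
  #     (`trust_anchors.set_insecure`). Answers for these zones are therefore
  #     unauthenticated; their integrity rests on the path to the stub resolvers.
  #   * The IPv6 reverse zone was written 'd.f.in-addr.arpa.', which is not a
  #     valid reverse zone (in-addr.arpa is IPv4-only). It is corrected to
  #     'd.f.ip6.arpa.' so reverse lookups for fd00::/8 follow the dn42 policy.
  #   * NOTE(review): the NO_EDNS rule passes the plain string table to
  #     policy.suffix while the STUB rule wraps it in policy.todnames; check
  #     whether the NO_EDNS rule matches anything as written.
  #   * NOTE(review): nsid.name concatenates os.getenv("SYSTEMD_INSTANCE"); this
  #     assumes the unit always sets that variable - confirm.
  services.kresd = {
    enable = true;
    listenPlain = [ "[fd6b:6174:6a61::1]:53" ];
    extraConfig = ''
      modules = {
        'hints > iterate', -- Allow loading /etc/hosts or custom root hints
        'stats', -- Track internal statistics
        'predict', -- Prefetch expiring/frequent records
      }

      log_level('info')

      -- Cache size
      cache.size = 100 * MB

      dn42 = {
        'dn42.',
        '20.172.in-addr.arpa.',
        '21.172.in-addr.arpa.',
        '22.172.in-addr.arpa.',
        '23.172.in-addr.arpa.',
        '10.in-addr.arpa.',
        'd.f.ip6.arpa.',
      }

      -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
      policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), dn42))
      policy.add(policy.suffix(policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1'}), policy.todnames(dn42)))
      -- policy.add(policy.FORWARD({'1.1.1.1'}))

      -- trust_anchors.remove('.')
      trust_anchors.set_insecure(dn42) -- Disable DNSSEC for these domains

      modules.load('nsid')
      nsid.name(hostname() .. ':' .. os.getenv("SYSTEMD_INSTANCE"))
    '';
  };

  networking.firewall = {
    # Loose reverse-path filtering accepts a packet when any route to its source
    # exists, not only one via the arrival interface. This gives weaker
    # anti-spoofing than "strict"; presumably chosen for asymmetric dn42 routes.
    checkReversePath = "loose";
    # Opens only the listen port of the "dn42" device defined below.
    allowedUDPPorts = [
      config.systemd.network.netdevs."20-dn42".wireguardConfig.ListenPort
    ];
    # Everything arriving on "dn42" bypasses the host firewall. Only the four
    # wireguardPeers below can send on it, each limited to its AllowedIPs, so
    # every one of those keys has unfiltered access to all local services.
    trustedInterfaces = [ "dn42" ];
  };

  systemd.network = {
    config.networkConfig = {
      # The host routes between its WireGuard links.
      IPv6Forwarding = true;
    };

    netdevs."20-dn42" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "dn42";
        MTUBytes = 1280;
      };
      wireguardConfig = {
        # Path into the sops secret declared above.
        PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
        ListenPort = 1718;
        FirewallMark = 1718;
      };
      # Own devices. AllowedIPs is both the routing table for the tunnel and the
      # source-address filter for the peer, so keep each entry as narrow as the
      # device needs. No peer sets an Endpoint, so this router never dials out;
      # PersistentKeepalive only applies once a peer has connected.
      wireguardPeers = [
        {
          # morio
          PublicKey = "BUAac0PtF+4QmsFMVoQOLWRtSRYjy1y2nKvTA9BcXC0=";
          AllowedIPs = [
            "fd6b:6174:6a61::2/128"
            "fd6b:6174:6a61:53::2/128"
          ];
          PersistentKeepalive = 10;
        }
        {
          # zaphyraThinkPad
          PublicKey = "7drlp9TmHgSgqSR1PynfAzf8BIH4LWVuFDtPqGs88EY=";
          AllowedIPs = [ "fd6b:6174:6a61::3/128" ];
          PersistentKeepalive = 10;
        }
        {
          # zaphyraPhone
          PublicKey = "3rp8iD+Nk9DsyM/JCvrV7bBnEzioG30SDqOQhNWwsVs=";
          AllowedIPs = [ "fd6b:6174:6a61::4/128" ];
          PersistentKeepalive = 10;
        }
        {
          # zaphyraHomeRouter: the only peer that is also delegated a prefix (/56).
          PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY=";
          AllowedIPs = [
            "fd6b:6174:6a61::5/128"
            "fd6b:6174:6a61:100::/56"
          ];
          PersistentKeepalive = 10;
        }
      ];
    };

    networks."20-dn42" = {
      matchConfig.Name = "dn42";
      # Boot must not wait for this link to come up.
      linkConfig.RequiredForOnline = false;
      address = [
        "fd6b:6174:6a61::1/48"
        "fd6b:6174:6a61:53::1/128"
      ];
    };
  };
}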