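# NixOS module for the dn42 router role of this machine.
#
# When `zpha.configure.dn42Router.enable` is set it:
#   * publishes the machine's public IPv6 address as router-a.dn42.zaphyra.eu,
#   * hands the sops-managed WireGuard private key to systemd-networkd,
#   * opens the firewall for the main dn42 tunnel and trusts the tunnel interfaces,
#   * enables IPv6 forwarding,
#   * declares the BGP/WireGuard peerings consumed by the shared
#     `common.configure.dn42Router` module (defined elsewhere in this repo),
#   * runs a kresd resolver on the router's dn42 address for dn42 names.
{ machineConfig, config, lib, ... }:
{
  options.zpha.configure.dn42Router.enable =
    lib.mkEnableOption "the dn42 router role (WireGuard peerings, BGP and a dn42-aware kresd resolver)";

  config = lib.mkIf config.zpha.configure.dn42Router.enable {
    # Public AAAA record so peers can resolve this router's tunnel endpoint.
    dns.zones."zaphyra.eu".subdomains."router-a.dn42".AAAA = [ machineConfig.networking.ip6Address ];

    # The WireGuard private key is decrypted by sops at activation time and
    # made readable only by systemd-networkd, which owns the wg netdevs.
    sops.secrets."dn42/wgPrivateKey" = {
      owner = "systemd-network";
      group = "systemd-network";
    };

    networking.firewall = {
      # Reverse-path filtering is relaxed to "loose"; presumably because dn42
      # routing is asymmetric across the tunnels (packets may return on a
      # different interface than they left) — confirm before tightening.
      checkReversePath = "loose";
      # Only the main dn42 tunnel's listen port is opened here. The per-peering
      # listenPorts declared below are presumably opened by the shared
      # common.configure.dn42Router module — TODO confirm.
      allowedUDPPorts = [ config.systemd.network.netdevs."20-dn42".wireguardConfig.ListenPort ];
      # NOTE(review): trusted interfaces bypass the firewall entirely, so every
      # service bound to a reachable address (including the plaintext kresd
      # listener below) is exposed to whatever routes over these tunnels.
      # Keep this list to the dn42-facing interfaces only.
      trustedInterfaces = [ "dn42" "wg-cautus" ];
    };

    # A router must forward; this is networkd's global IPv6 forwarding switch.
    systemd.network = {
      config.networkConfig = { IPv6Forwarding = true; };
    };

    # Inputs for the shared dn42 router module: our identity, our prefix and
    # one WireGuard+BGP peering per entry. Entries without an `endpoint` are
    # presumably passive (the remote side initiates) — confirm in the module.
    common.configure.dn42Router = {
      enable = true;
      routerId = 42171801;
      asn = 4242421718;
      address = "fd6b:6174:6a61::1";
      range = "fd6b:6174:6a61::/48";
      peerings = {
        kioubit = {
          asn = 4242423914;
          remoteLinkLocalAddress = "fe80::ade0";
          endpoint = "de2.g-load.eu:21718";
          publicKey = "B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=";
          listenPort = 51823;
        };
        pleiades = {
          asn = 4242420069;
          remoteLinkLocalAddress = "fe80::706c:6569:6164:6573";
          endpoint = "central.net.nojus.org:21718";
          publicKey = "1YAga5Bhreysf/XmhOnDGh3FmbN3Mp2jZjMSAQb/TEM=";
          listenPort = 51824;
        };
        echonet = {
          asn = 4242420714;
          remoteLinkLocalAddress = "fe80::718";
          publicKey = "NxYj58YhWf0JXC+pQAHfh3saUkQSII0lBTDvYGe5kw4=";
          listenPort = 51825;
        };
        tbspace = {
          asn = 76190;
          remoteLinkLocalAddress = "fe80::1299:e";
          endpoint = "dn42.tbspace.de:49158";
          publicKey = "NW8IeEmAXmwYMuMlvrb9Zpkcko6bzotDlYtGePtgzQE=";
          listenPort = 51826;
        };
        antibldg = {
          asn = 4242421403;
          remoteLinkLocalAddress = "fe80::1234:9320";
          endpoint = "zaphyra.dn42.antibuild.ing:15569";
          publicKey = "vambITMGGpA7kxCRGFlY1X36bevxXYELT/ORNgZ72ms=";
          listenPort = 51827;
        };
        dahlabandon = {
          asn = 4242420814;
          remoteLinkLocalAddress = "fe80::1718";
          endpoint = "helios-fallen.iron-bear.de:1718";
          publicKey = "+tg4bDDwfyQZSw0x8x9Ye2tDWPZ/VAf+KTAE1QLaKEI=";
          listenPort = 51828;
        };
        pentane = {
          asn = 4242423253;
          remoteLinkLocalAddress = "fe80::43:59:43";
          endpoint = "imp.aidoskyneen.eu:49507";
          publicKey = "W+h0FMrxsAP7RppqFFMrfDHuu5CMW5aTW9E1MZXFf1w=";
          listenPort = 51829;
        };
        # Placeholder peering, not yet active (no address/endpoint/key agreed).
        # e1mo = {
        #   asn = 4242420565;
        #   remoteLinkLocalAddress = "";
        #   endpoint = "";
        #   publicKey = "";
        #   listenPort = 51830;
        # };
        clerie = {
          asn = 4242422574;
          remoteLinkLocalAddress = "fe80::2574";
          endpoint = "dn42-il-gw1.net.clerie.de:51718";
          publicKey = "yJmr6lQzibmZV6/6VItXsXbcq4UKMyWFwJJt4lAkvCs=";
          listenPort = 51831;
        };
        etwas = {
          asn = 4242422264;
          remoteLinkLocalAddress = "fe80::acab";
          endpoint = "ncvps.dn42.etwas.me:22266";
          publicKey = "7ZLtBmXN+zOYJ52jtUdZO0HiEZZrxnIO/LLejFcFnnk=";
          listenPort = 51832;
        };
        pilz = {
          asn = 4242420663;
          # Same remote link-local as `etwas`. Link-local addresses are scoped
          # per interface, so this is only unambiguous if each peering gets its
          # own point-to-point tunnel interface — presumably the case, confirm.
          remoteLinkLocalAddress = "fe80::acab";
          publicKey = "NxHkdwZPVL+3HdrHTFOslUpUckTf0dzEG9qpZ0FTBnA=";
          listenPort = 51833;
        };
        # Placeholder peering, not yet active. Note `asn` is quoted here while
        # every live entry uses an integer; fix that before enabling it.
        # c4tg1rl5 = {
        #   asn = "4242421411";
        #   remoteLinkLocalAddress = "";
        #   hasPresharedKey = true;
        #   publicKey = "";
        #   listenPort = 51834;
        # };
        lgcl = {
          asn = 4242421825;
          remoteLinkLocalAddress = "fe80::4d:6172:6379";
          publicKey = "7AoJ23hNMLzVM4jjusBlrGDEdwAkSdsEl3Vw/diVlns=";
          listenPort = 51835;
        };
        mira = {
          asn = 4242420161;
          endpoint = "dn42-router-1.svc.nesaia.net:21718";
          remoteLinkLocalAddress = "fe80::161";
          publicKey = "AAcJ/NA68NtxKd27+HlbEZXFo+u0NKt+ksUGYJBc/AQ=";
          listenPort = 51836;
        };
        lfm = {
          asn = 4242420632;
          endpoint = "gw-de1.dn42.infra.linfan.moe:41718";
          remoteLinkLocalAddress = "fe80::632";
          publicKey = "WfQGnN2WX5KTi3SGIde2kuVfhgDQ+ASaZfU+ORb9ukA=";
          listenPort = 51837;
        };
        ember = {
          asn = 4242420197;
          endpoint = "chaldene.dn42.n0emis.eu:21718";
          remoteLinkLocalAddress = "fe80::42:42:1";
          publicKey = "UgGpP9j881KeHOL5qElEZ/fXbucBUgTcihbv3yGlxHo=";
          listenPort = 51838;
        };
      };
    };

    # This machine's own dn42 identity: key pair (private key path comes from
    # the sops secret above, never the key material itself) and the addresses
    # assigned to the dn42 tunnel.
    zpha.profiles.dn42 = {
      enable = true;
      wgPublicKey = machineConfig.networking.dn42.wgPublicKey;
      wgPrivateKey = config.sops.secrets."dn42/wgPrivateKey".path;
      addresses = [
        "${machineConfig.networking.dn42.ip6Address}/${toString machineConfig.networking.dn42.ip6PrefixLength}"
        # One /128 per machine out of fd6b:6174:6a61:53::/64, keyed by machine id.
        "fd6b:6174:6a61:53::${toString machineConfig.id}/128"
      ];
    };

    # Recursive resolver on the router's dn42 address. This is plaintext DNS on
    # port 53 and is reachable from the dn42 side via the trusted interfaces.
    #
    # dn42 names cannot validate against the public DNSSEC root, so the dn42
    # suffixes are forwarded (STUB) to the two dn42 resolvers and explicitly
    # marked insecure: answers for those names are accepted unvalidated.
    # `nsid.name` concatenates os.getenv("SYSTEMD_INSTANCE"); that is only safe
    # because NixOS runs kresd as a templated instance where the variable is
    # set — a nil value would abort the Lua config.
    services.kresd = {
      enable = true;
      listenPlain = [ "[fd6b:6174:6a61::1]:53" ];
      extraConfig = ''
        modules = {
          'hints > iterate', -- Allow loading /etc/hosts or custom root hints
          'stats', -- Track internal statistics
          'predict', -- Prefetch expiring/frequent records
        }

        log_level('info')

        -- Cache size
        cache.size = 100 * MB

        dn42 = {
          'dn42.',
          '20.172.in-addr.arpa.',
          '21.172.in-addr.arpa.',
          '22.172.in-addr.arpa.',
          '23.172.in-addr.arpa.',
          '10.in-addr.arpa.',
          'd.f.in-addr.arpa.',
        }

        -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
        -- policy.suffix() matches against wire-format names, so the suffix list
        -- must go through policy.todnames() (previously the text names were
        -- passed directly and the NO_EDNS rule never matched).
        policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), policy.todnames(dn42)))
        policy.add(policy.suffix(policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1'}), policy.todnames(dn42)))

        -- policy.add(policy.FORWARD({'1.1.1.1'}))
        -- trust_anchors.remove('.')

        trust_anchors.set_insecure(dn42) -- Disable DNSSEC for these domains

        modules.load('nsid')
        nsid.name(hostname() .. ':' .. os.getenv("SYSTEMD_INSTANCE"))
      '';
    };
  };
}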