1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
{
inputs,
pov,
pkgs,
lib,
config,
hostConfig,
...
}:
let
inherit (lib) types;
cfg = lib.getAttrFromPath pov config;
in
{
option = {
type = types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.wireguard-tools ];
boot.initrd.kernelModules = [ "jool" ];
hardware.firmware = [
(pkgs.runCommandNoCC "rtl8168h-firmware" { } ''
mkdir -p $out/lib/firmware/rtl_nic
cp ${pkgs.linux-firmware}/lib/firmware/rtl_nic/rtl8168h-2.fw $out/lib/firmware/rtl_nic/rtl8168h-2.fw
'')
];
modules.presets.zaphyra.router = {
systemd-networkd = true;
pppd = true;
};
networking = {
useNetworkd = true;
useDHCP = false;
firewall.enable = false;
nftables.enable = true;
nftables.rulesetFile = inputs.self.resources.zaphyra.routerRuleset;
jool.enable = true;
jool.nat64.default = { };
};
services = {
resolved.enable = false;
avahi.enable = true;
avahi.reflector = true;
avahi.allowInterfaces = [ "brlan" ];
kresd.enable = true;
kresd.listenPlain = [ "53" ];
kresd.extraConfig = ''
require 'math'
math.randomseed(os.time())
modules.load('dns64')
modules.load('view')
dns64.config('64:ff9b::')
-- disable dns64 for all IPv4 source addresses
view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
dns_providers = {
{ -- Quad9
'9.9.9.9', '149.112.112.112'
},
{ -- Cloudflare
'1.1.1.1', '1.0.0.1'
},
{ -- Google
'8.8.8.8', '8.8.4.4'
}
}
policy.add(function (request, query)
return policy.FORWARD(dns_providers[math.random(1, #dns_providers)])
end)
'';
};
};
}