1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
{ pkgs, ... }:
{
imports = [
./systemd-networkd.nix
./ppp.nix
];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking = {
useNetworkd = true;
useDHCP = false;
firewall.enable = false;
nftables.enable = true;
nftables.rulesetFile = ./ruleset.nft;
jool.enable = true;
jool.nat64.default = { };
};
services = {
resolved.enable = false;
avahi.enable = true;
avahi.reflector = true;
avahi.allowInterfaces = [ "brlan" ];
kresd.enable = true;
kresd.listenPlain = [ "53" ];
kresd.extraConfig = ''
require 'math'
math.randomseed(os.time())
modules.load('dns64')
modules.load('view')
dns64.config('64:ff9b::')
-- disable dns64 for all IPv4 source addresses
view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
dns_providers = {
{ -- Quad9
'9.9.9.9', '149.112.112.112'
},
{ -- Cloudflare
'1.1.1.1', '1.0.0.1'
},
{ -- Google
'8.8.8.8', '8.8.4.4'
}
}
policy.add(function (request, query)
return policy.FORWARD(dns_providers[math.random(1, #dns_providers)])
end)
'';
};
}