authorazahi <azat@bahawi.net>2024-10-22 01:50:45 +0300
committerazahi <azat@bahawi.net>2024-10-22 01:50:45 +0300
commit800b426b71e64556be79c1915540f24dab72209e (patch)
treedd91d07a0428238db47da6eb9799d8731c733200
parent2024-10-21 (diff)
2024-10-22
-rw-r--r--lib/dns.nix92
-rw-r--r--modules/common/networking.nix3
-rw-r--r--modules/unbound.nix15
-rw-r--r--modules/wireguard.nix27
4 files changed, 81 insertions, 56 deletions
diff --git a/lib/dns.nix b/lib/dns.nix
index da1f1f2..c0e4641 100644
--- a/lib/dns.nix
+++ b/lib/dns.nix
@@ -1,46 +1,66 @@
 { lib, inputs, ... }:
 with lib;
 recursiveUpdate inputs.dns.lib {
+  mkDoT = { ips, tls }: map (ip: "${ip}#${tls}") ips;
+
   const = {
     quad9 = {
-      default = [
-        "9.9.9.9"
-        "149.112.112.112"
-        "2620:fe::fe"
-        "2620:fe::9"
-      ];
-      unsecured = [
-        "9.9.9.10"
-        "149.112.112.10"
-        "2620:fe::10"
-        "2620:fe::fe:10"
-      ];
-      ecs = [
-        "9.9.9.11"
-        "149.112.112.11"
-        "2620:fe::11"
-        "2620:fe::fe:11"
-      ];
+      default = {
+        ips = [
+          "9.9.9.9"
+          "149.112.112.112"
+          "2620:fe::fe"
+          "2620:fe::9"
+        ];
+        tls = "dns.quad9.net";
+      };
+      unsecured = {
+        ips = [
+          "9.9.9.10"
+          "149.112.112.10"
+          "2620:fe::10"
+          "2620:fe::fe:10"
+        ];
+        tls = "dns10.quad9.net";
+      };
+      ecs = {
+        ips = [
+          "9.9.9.11"
+          "149.112.112.11"
+          "2620:fe::11"
+          "2620:fe::fe:11"
+        ];
+        tls = "dns11.quad9.net";
+      };
     };
     cloudflare = {
-      default = [
-        "1.1.1.1"
-        "1.0.0.1"
-        "2606:4700:4700::1111"
-        "2606:4700:4700::1001"
-      ];
-      blocking = [
-        "1.1.1.2"
-        "1.0.0.2"
-        "2606:4700:4700::1112"
-        "2606:4700:4700::1002"
-      ];
-      blockingPlus = [
-        "1.1.1.3"
-        "1.0.0.3"
-        "2606:4700:4700::1113"
-        "2606:4700:4700::1003"
-      ];
+      default = {
+        ips = [
+          "1.1.1.1"
+          "1.0.0.1"
+          "2606:4700:4700::1111"
+          "2606:4700:4700::1001"
+        ];
+        tls = "cloudflare-dns.com";
+      };
+      security = {
+        ips = [
+          "1.1.1.2"
+          "1.0.0.2"
+          "2606:4700:4700::1112"
+          "2606:4700:4700::1002"
+        ];
+        tls = "security.cloudflare-dns.com";
+      };
+      family = {
+        ips = [
+          "1.1.1.3"
+          "1.0.0.3"
+          "2606:4700:4700::1113"
+          "2606:4700:4700::1003"
+        ];
+        tls = "family.cloudflare-dns.com";
+      };
     };
   };
 }
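Review bot: `mkDoT` at the top of the hunk renders `ip#name`, which is the systemd-resolved form, but the unbound `forward-addr` in the third hunk of this commit previously emitted `ip@853#name` and now loses the `@853`; as far as I recall unbound's forward-addr defaults to port 53, so with `forward-tls-upstream = true` it would attempt TLS on the plain-DNS port and upstream resolution is likely to fail. Give the helper an optional port and pass it from unbound: `mkDoT = { ips, tls, port ? null }:` / `map (ip: "${ip}${optionalString (port != null) "@${toString port}"}#${tls}") ips;` and in modules/unbound.nix `forward-addr = dns.mkDoT (dns.const.quad9.ecs // { port = 853; });` (`optionalString` is in scope through the file's `with lib;`). A one-line comment on the helper, `# yields ip#name (resolved); pass port = 853 to get unbound's ip@port#name form`, would stop the next caller from repeating the omission.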
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 1f0f97a..b0dd282 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -111,8 +111,7 @@ in
     services.resolved = {
       llmnr = "false";
       dnsovertls = "opportunistic";
-      fallbackDns = dns.const.quad9.default;
-      domains = [ my.domain.shire ];
+      fallbackDns = dns.mkDoT dns.const.quad9.ecs;
     };
 
     environment = {
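Review bot: The new `fallbackDns` entry carries a `#dns11.quad9.net` server name, but the surrounding `dnsovertls = "opportunistic"` (context line just above it) means resolved still falls back to plaintext if the TLS handshake is refused, so the name provides SNI but not a guaranteed authenticated path; if validated DoT is the goal, `dnsovertls = "true";` is the setting that makes it mandatory. The move from `quad9.default` to `quad9.ecs` also appears, judging by the attribute name, to select the EDNS Client Subnet variant, which forwards part of the client's network prefix to authoritative servers — worth a comment confirming this is intended, e.g. `# ecs variant: upstream receives client-subnet hints`. Removing `domains = [ my.domain.shire ]` is a separate behavioural change that deserves its own sentence in the commit description.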
diff --git a/modules/unbound.nix b/modules/unbound.nix
index dae47f8..e837f89 100644
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -135,20 +135,7 @@ in
             {
               name = ".";
               forward-tls-upstream = true;
-              forward-addr =
-                let
-                  mkDnsOverTls =
-                    ips: auth:
-                    map (
-                      ip:
-                      concatStrings [
-                        ip
-                        "@"
-                        auth
-                      ]
-                    ) ips;
-                in
-                mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net";
+              forward-addr = dns.mkDoT dns.const.quad9.ecs;
             }
           ];
 
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index fe01a86..f32e5ba 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -148,9 +148,15 @@ in
               "${ipv6.address}/16"
             ];
             extraInterfaceConfig = mkIf this.isHeadful ''
-              Jc = 4
-              Jmin = 40
-              Jmax = 70
+              jc = 228
+              jmin = 42
+              jmax = 420
+              s1 = 69
+              s2 = 96
+              h1 = 1134610890
+              h2 = 2137373420
+              h3 = 625719520
+              h4 = 2106927320
             '';
           })
           (with cfg.server; {
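Review bot: The nine AmneziaWG parameters are written out twice — as `key = value` lines in `extraInterfaceConfig` here and again as `awg set` arguments in the `postSetup` hunk below — so any later edit has to be made in two formats, and a mismatch silently produces a tunnel that cannot handshake. Factor them into one attrset and render both forms from it; the enclosing module continues outside both hunks, and the sketch below assumes the file's existing `let` block (visible only through the `in` in the hunk header) and that `mapAttrsToList`/`concatStringsSep` are in scope the same way `mkIf` already is. These values are obfuscation parameters rather than key material, but if this repository is public they identify the tunnel's obfuscation profile, which is worth stating in a comment so nobody mistakes them for a secret either way.
```nix
# … unchanged: existing let bindings …
# AmneziaWG obfuscation parameters; both peers must use identical values.
awgParams = {
  jc = 228; jmin = 42; jmax = 420;
  s1 = 69; s2 = 96;
  h1 = 1134610890; h2 = 2137373420; h3 = 625719520; h4 = 2106927320;
};
awgLines = sep: mapAttrsToList (k: v: "${k}${sep}${toString v}") awgParams;
# … unchanged: interface definition …
extraInterfaceConfig = mkIf this.isHeadful (concatStringsSep "\n" (awgLines " = ") + "\n");
# … unchanged: server block …
postSetup = DNSSetup + ''
  awg set ${cfg.interface} ${concatStringsSep " " (awgLines " ")}
'';
```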
@@ -218,7 +224,20 @@ in
               ];
               listenPort = port;
               inherit peers;
-              postSetup = DNSSetup;
+              postSetup =
+                DNSSetup
+                + ''
+                  awg set ${cfg.interface} \
+                    jc 228 \
+                    jmin 42 \
+                    jmax 420 \
+                    s1 69 \
+                    s2 96 \
+                    h1 1134610890 \
+                    h2 2137373420 \
+                    h3 625719520 \
+                    h4 2106927320
+                '';
               allowedIPsAsRoutes = false;
             };
           };
