From 800b426b71e64556be79c1915540f24dab72209e Mon Sep 17 00:00:00 2001
From: azahi
Date: Tue, 22 Oct 2024 01:50:45 +0300
Subject: 2024-10-22
---
lib/dns.nix | 92 ++++++++++++++++++++++++++-----------------
modules/common/networking.nix | 3 +-
modules/unbound.nix | 15 +------
modules/wireguard.nix | 27 +++++++++++--
4 files changed, 81 insertions(+), 56 deletions(-)
diff --git a/lib/dns.nix b/lib/dns.nix
index da1f1f2..c0e4641 100644
--- a/lib/dns.nix
+++ b/lib/dns.nix
@@ -1,46 +1,66 @@
 { lib, inputs, ... }:
 with lib;
 recursiveUpdate inputs.dns.lib {
+ mkDoT = { ips, tls }: map (ip: "${ip}#${tls}") ips;
+
 const = {
 quad9 = {
- default = [
- "9.9.9.9"
- "149.112.112.112"
- "2620:fe::fe"
- "2620:fe::9"
- ];
- unsecured = [
- "9.9.9.10"
- "149.112.112.10"
- "2620:fe::10"
- "2620:fe::fe:10"
- ];
- ecs = [
- "9.9.9.11"
- "149.112.112.11"
- "2620:fe::11"
- "2620:fe::fe:11"
- ];
+ default = {
+ ips = [
+ "9.9.9.9"
+ "149.112.112.112"
+ "2620:fe::fe"
+ "2620:fe::9"
+ ];
+ tls = "dns.quad9.net";
+ };
+ unsecured = {
+ ips = [
+ "9.9.9.10"
+ "149.112.112.10"
+ "2620:fe::10"
+ "2620:fe::fe:10"
+ ];
+ tls = "dns10.quad9.net";
+ };
+ ecs = {
+ ips = [
+ "9.9.9.11"
+ "149.112.112.11"
+ "2620:fe::11"
+ "2620:fe::fe:11"
+ ];
+ tls = "dns11.quad9.net";
+ };
 };
 cloudflare = {
- default = [
- "1.1.1.1"
- "1.0.0.1"
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
- ];
- blocking = [
- "1.1.1.2"
- "1.0.0.2"
- "2606:4700:4700::1112"
- "2606:4700:4700::1002"
- ];
- blockingPlus = [
- "1.1.1.3"
- "1.0.0.3"
- "2606:4700:4700::1113"
- "2606:4700:4700::1003"
- ];
+ default = {
+ ips = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
+ tls = "cloudflare-dns.com";
+ };
+ security = {
+ ips = [
+ "1.1.1.2"
+ "1.0.0.2"
+ "2606:4700:4700::1112"
+ "2606:4700:4700::1002"
+ ];
+ tls = "security.cloudflare-dns.com";
+ };
+ family = {
+ ips = [
+ "1.1.1.3"
+ "1.0.0.3"
+ "2606:4700:4700::1113"
+ "2606:4700:4700::1003"
+ ];
+ tls = "family.cloudflare-dns.com";
+ };
 };
 };
 }
diff --git a/modules/common/networking.nix b/modules/common/networking.nix
index 1f0f97a..b0dd282 100644
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@@ -111,8 +111,7 @@ in
 services.resolved = {
 llmnr = "false";
 dnsovertls = "opportunistic";
- fallbackDns = dns.const.quad9.default;
- domains = [ my.domain.shire ];
+ fallbackDns = dns.mkDoT dns.const.quad9.ecs;
 };
 
 environment = {
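Review bot: `mkDoT` carries no comment saying which address syntax it emits, and the `ip#servername` form it builds is systemd-resolved's `DNS=`/`FallbackDNS=` notation (server name for certificate validation, port implied as 853 on that side), not a universal DoT address that every consumer accepts. A one-line comment would keep later callers from feeding it to a resolver that wants a different separator or an explicit port, e.g. `# "ip#servername" as systemd-resolved's DNS= syntax expects; other resolvers may need the port spelled out.` The Cloudflare keys are also renamed here (`blocking` → `security`, `blockingPlus` → `family`) while only Quad9 callers are touched in this patch; if anything outside the four files still references the old names, evaluation will fail, so a quick grep before merging is worthwhile. The field name `tls` is slightly misleading for what is a certificate hostname; `tlsName` or `sni` would read more clearly.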
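Review bot: Moving `fallbackDns` to the Quad9 ECS endpoints (`dns.const.quad9.ecs`) means EDNS Client Subnet data is sent upstream, a privacy trade against the previous `quad9.default` that the commit message (a bare date) does not explain; a short comment stating why ECS is wanted would help. With `dnsovertls = "opportunistic"` kept in the surrounding context, the `#dns11.quad9.net` name appended by `mkDoT` buys little, since opportunistic mode allows a downgrade to plaintext and, as far as I understand resolved's behaviour, does not fail on a certificate mismatch; if authenticated DoT is the intent this should be `dnsovertls = "true";`. The deletion of `domains = [ my.domain.shire ];` also changes which queries are routed to these servers and is not mentioned anywhere, so confirm it is intentional rather than a stray removal.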
diff --git a/modules/unbound.nix b/modules/unbound.nix
index dae47f8..e837f89 100644
--- a/modules/unbound.nix
+++ b/modules/unbound.nix
@@ -135,20 +135,7 @@ in
 {
 name = ".";
 forward-tls-upstream = true;
- forward-addr =
- let
- mkDnsOverTls =
- ips: auth:
- map (
- ip:
- concatStrings [
- ip
- "@"
- auth
- ]
- ) ips;
- in
- mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net";
+ forward-addr = dns.mkDoT dns.const.quad9.ecs;
 }
 ];
 
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index fe01a86..f32e5ba 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -148,9 +148,15 @@ in
 "${ipv6.address}/16"
 ];
 extraInterfaceConfig = mkIf this.isHeadful ''
- Jc = 4
- Jmin = 40
- Jmax = 70
+ jc = 228
+ jmin = 42
+ jmax = 420
+ s1 = 69
+ s2 = 96
+ h1 = 1134610890
+ h2 = 2137373420
+ h3 = 625719520
+ h4 = 2106927320
 '';
 })
 (with cfg.server; {
@@ -218,7 +224,20 @@ in
 ];
 listenPort = port;
 inherit peers;
- postSetup = DNSSetup;
+ postSetup =
+ DNSSetup
+ + ''
+ awg set ${cfg.interface} \
+ jc 228 \
+ jmin 42 \
+ jmax 420 \
+ s1 69 \
+ s2 96 \
+ h1 1134610890 \
+ h2 2137373420 \
+ h3 625719520 \
+ h4 2106927320
+ '';
 allowedIPsAsRoutes = false;
 };
 };
-- 
cgit 1.4.1
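Review bot: The new `forward-addr = dns.mkDoT dns.const.quad9.ecs;` drops the `@853` that the removed `mkDnsOverTls` used to append, so unbound now gets `9.9.9.11#dns11.quad9.net` with no port; `forward-addr` defaults to port 53 regardless of `forward-tls-upstream`, so unbound will attempt a TLS handshake against 53 and this forward zone stops resolving. Keep the port explicit on the unbound side instead of teaching `mkDoT` about a second separator: `forward-addr = map (ip: "${ip}@853#${dns.const.quad9.ecs.tls}") dns.const.quad9.ecs.ips;`. The forward-zones list this entry belongs to starts and ends outside the hunk.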
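Review bot: The nine AmneziaWG obfuscation values (`jc` through `h4`) are written as literals here and repeated verbatim in the `awg set` block of the `postSetup` hunk further down; both peers only interoperate while every value matches, so a later edit to one copy silently breaks the tunnel with nothing to show but dropped handshakes. Define them once in the module's `let` (outside the hunk) and render both the client INI and the server `awg set` arguments from that set, as sketched below. Also, `jc = 228` lies above the 1–128 range that AmneziaWG's documentation gives for Jc, if I remember it correctly, so it is worth checking that the tooling accepts rather than clamps or rejects it. The enclosing interface definition starts outside the hunk.
```nix
# Single source of truth for the AmneziaWG obfuscation parameters; both peers
# must agree on every value, so the client INI and the server `awg set` call
# are rendered from this set instead of being written out twice.
awgParams = {
  jc = 228;
  jmin = 42;
  jmax = 420;
  s1 = 69;
  s2 = 96;
  h1 = 1134610890;
  h2 = 2137373420;
  h3 = 625719520;
  h4 = 2106927320;
};
awgIni = concatStringsSep "\n" (mapAttrsToList (k: v: "${k} = ${toString v}") awgParams);
awgSetArgs = concatStringsSep " " (mapAttrsToList (k: v: "${k} ${toString v}") awgParams);
# … unchanged: interface address list …
extraInterfaceConfig = mkIf this.isHeadful awgIni;
# … unchanged in the server block: listenPort, peers …
postSetup = DNSSetup + "awg set ${cfg.interface} ${awgSetArgs}\n";
```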
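Review bot: `postSetup` shells out to a bare `awg`, and nothing in this hunk shows where that binary comes from; if the setup script runs with the PATH that NixOS's wireguard module normally provides (wireguard-tools and iproute2), the call fails and takes the whole post-setup script, including `DNSSetup`, down with it. Referencing the binary by store path, `${pkgs.amneziawg-tools}/bin/awg set ${cfg.interface} \`, or adding the package to the service path removes that dependency on the environment — I cannot see from here which one the module already does. Because the parameters are applied only after the interface is up, the server briefly runs with default settings and rejects handshakes from clients configured with these values; a comment noting that this is accepted, or why the server side cannot set them in its interface config as the headful clients do, would save the next reader the same question. The server attribute set continues outside the hunk.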