{ config, pkgs, lib, ...}: with lib; let cfg = config.dadada.networking; in { options.dadada.networking = { useLocalResolver = mkEnableOption "Enable local caching name server"; wanInterfaces = mkOption { type = with types; listOf str; description = "WAN network interfaces"; default = []; }; vpnExtension = mkOption { type = with types; nullOr str; description = "Last part of VPN address"; default = null; }; enableBsShare = mkEnableOption "Enable network share at BS location"; }; config = { networking.resolvconf.useLocalResolver = mkIf cfg.useLocalResolver true; services.unbound = mkIf cfg.useLocalResolver { enable = true; allowedAccess = [ "127.0.0.1/8" "::1" ]; extraConfig = '' tls-upstream: yes tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt" forward-zone: name: . forward-tls-upstream: yes forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com forward-addr: 1.1.1.1@853#cloudflare-dns.com forward-addr: 1.0.0.1@853#cloudflare-dns.com ''; }; networking.useDHCP = false; networking.interfaces = listToAttrs (forEach cfg.wanInterfaces (i: nameValuePair i { useDHCP = true; })); networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) { bs = { ips = [ "fd42:dead:beef:1337::${cfg.vpnExtension}/64" ]; listenPort = 51234; privateKeyFile = "/var/lib/wireguard/privkey"; peers = [ { publicKey = "lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs="; allowedIPs = [ "fd42:dead:beef::/48" ]; endpoint = "bs.vpn.dadada.li:51234"; persistentKeepalive = 25; } ]; }; }; fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare { device = "media.dadada.li:/mnt/storage/share"; fsType = "nfs"; options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ]; }; networking.firewall = { enable = true; allowedUDPPorts = [ 51234 # Wireguard 5353 # mDNS ]; }; }; }