Diffstat (limited to 'modules/router.nix')
-rw-r--r--modules/router.nix15
1 files changed, 8 insertions, 7 deletions
diff --git a/modules/router.nix b/modules/router.nix
index fa5b19c..3bc7dab 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -147,6 +147,9 @@ let
wantedBy = [ "multi-user.target" ];
path = [ pkgs.iproute ];
script = ''
+ ip -6 rule add from 2001:470:1f06:1194::2 table main priority 19000 suppress_prefixlength 0 || true
+ ip -6 rule add from 2001:470:1f06:1194::2 table he priority 20000 || true
+
ip -6 rule add fwmark ${toString heMark} table main priority 19000 suppress_prefixlength 0 || true
ip -6 rule add fwmark ${toString heMark} table he priority 20000 || true
ip -6 route replace default dev he0 table he
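Review bot: The two added `ip -6 rule` lines hard-code the literal address `2001:470:1f06:1194::2`, and the same prefix appears again as a literal in the nftables prerouting rule later in this commit, while the mark value next to it is already a `let` binding (`${toString heMark}`). Lifting the address into the same `let` block (for example `heTunnelAddr = "2001:470:1f06:1194::2";` and `from ${heTunnelAddr}` here) keeps the policy-routing rule and the marking rule from drifting apart when the tunnel endpoint changes. Since the new lines inherit the `|| true` suffix, a mistyped address would fail silently at service start, so a comment naming what the address is (the HE tunnel's local endpoint, presumably) would help the next reader verify it. The script block and its enclosing service definition continue outside the hunk.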
@@ -201,8 +204,8 @@ let
dhcp-option=tag:servers-vport,option:dns-server,172.20.20.1
dhcp-range=tag:servers-vport,::,static,constructor:servers-vport,5m
dhcp-host=id:*,tag:servers-vport,172.20.20.2
- dhcp-host=id:00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d]
- # dhcp-host=id:dragon,::d
+ dhcp-host=id:00:01:00:01:2e:a3:07:37:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d]
+ #dhcp-host=tag:servers-vport,id:dragon,::d
dhcp-range=tag:lan-vport,172.20.100.10,172.20.100.254,5m
dhcp-option=tag:lan-vport,option:router,172.20.100.1
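Review bot: The replaced `dhcp-host=id:00:01:00:01:...` reservation gives no indication of which machine the DUID belongs to, and the only hint is the adjacent commented-out line mentioning `dragon`. The new value keeps the link-layer part `d0:bf:9c:45:a6:ec` and changes only the time field, which looks like a DUID-LLT regenerated on the same NIC rather than a new host — if so, a short comment above the line such as `# dragon (DUID-LLT regenerated; link-layer address unchanged)` would record that and make the next such edit reviewable. The dnsmasq configuration string continues outside the hunk.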
@@ -267,7 +270,6 @@ let
ip6 nexthdr ipv6-icmp counter accept comment "accept all ICMP types"
iifname wan-vport counter drop
- meta nftrace set 1
counter drop
}
@@ -310,7 +312,8 @@ let
chain prerouting {
type filter hook prerouting priority -150
# ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
- ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
+ ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter
+ ip6 saddr 2001:470:1f06:1194::/64 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter
meta nfproto ipv4 iifname vpnlan-vport ip daddr != 172.20.0.0/16 meta mark set ${toString mullvadMark}
meta nfproto ipv6 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/60 iifname vpnlan-vport meta mark set ${toString mullvadMark}
}
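Review bot: The second added rule repeats the full match expression of the line above it, differing only in `ip6 saddr`; nftables can express both sources in one rule with an anonymous set, `ip6 saddr { 2001:470:8e2e::/48, 2001:470:1f06:1194::/64 } ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter`, which keeps the two `daddr` exclusions from diverging. The new match is a whole /64 while the policy-routing rule added earlier in this commit covers only `2001:470:1f06:1194::2`, and neither added rule is qualified by `iifname`, so the mark is applied to any packet carrying a source in that prefix on any interface; if that is intended, a comment naming what the /64 is (the tunnel's point-to-point prefix, presumably) would make the asymmetry deliberate rather than accidental. The existing `mullvadMark` rule in the context lines excludes `fe80::/60` where the new rules use `fe80::/64`, which may be worth reconciling in a follow-up.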
@@ -394,14 +397,12 @@ in {
additionalCapabilities = ["CAP_NET_ADMIN"];
};
- age.secrets.dragon-wireguard-key.file = ./.
- + "/../secrets/dragon-wireguard-key.age";
networking.wireguard.interfaces.wg-vpn = {
# fwMark = "${toString vpnMark}";
socketNamespace = "router";
interfaceNamespace = "router";
ips = [ "${vpnPrefix}::1/128" ];
- privateKeyFile = config.age.secrets.dragon-wireguard-key.path;
+ privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv";
listenPort = vpnPort;
peers = let mkPeer = host: ip: {
name = host;
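Review bot: The added `privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv";` points at a plain path that nothing in this module declares, whereas the removed `age.secrets.dragon-wireguard-key` entry had agenix decrypt and install the key with managed ownership and mode; who provisions the new file, and with what permissions, is now outside the configuration. If moving off agenix is intended, a comment beside the line should say why and what creates the file, e.g. `# provisioned out-of-band (not managed by agenix); keep root-owned and not world-readable`. Because the interface runs with `socketNamespace`/`interfaceNamespace = "router"` (context lines), the path must also be readable from wherever the interface setup runs, which is worth stating in the same comment. The `peers = let mkPeer ...` expression continues past the hunk.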