Commit 4548324a authored by Luke Granger-Brown's avatar Luke Granger-Brown Committed by Florian Klink

nixos/tayga: add option to allow toggling WKPF strict compliance

RFC 6052 (Section 3.1) requires that the well-known prefix 64:ff9b::/96 not be
used to translate non-global IPv4 addresses, but there are some deployments
where it's convenient to permit this.

To make this work in tests, disable wkpf-strictness via the config
option introduced in bc18503e2ff1ee48ac472a67ba982dae76a5c2d3.

Tayga added 100.64.0.0 to the set of WKPF in
4dff17ef61821f5bc1996ce687a3dc317fd4fa50.
parent b45ba94a
+8 −0
@@ -27,6 +27,8 @@ let
    ${optionalString ((builtins.length cfg.log) > 0) ''
      log ${concatStringsSep " " cfg.log}
    ''}

    wkpf-strict ${if cfg.wkpfStrict then "yes" else "no"}
  '';

  addrOpts =
@@ -145,6 +147,12 @@ in
          [ "drop" "reject" "icmp" "self" ]
        '';
      };

      wkpfStrict = mkOption {
        type = types.bool;
        default = true;
        description = "Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix. Must be enabled for RFC 6052 compatibility.";
      };
    };
  };
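Review bot: The option text at the `description =` line states the RFC requirement but not the consequence of turning the option off, which is the security-relevant part: with `wkpfStrict = false` TAYGA will translate well-known-prefix traffic to RFC 1918 and other non-global IPv4 ranges, so internal IPv4 hosts become addressable through 64:ff9b::/96 by any IPv6 client that can send traffic to this gateway. Suggest appending a sentence such as `Disabling this makes non-global (e.g. RFC 1918) IPv4 hosts reachable through the well-known prefix from any IPv6 source that can reach this gateway; leave it enabled unless the gateway is only reachable from trusted networks.` The `wkpf-strict` directive is now written unconditionally into the generated config, which presumably requires a TAYGA build that understands it (the commit message cites the upstream commit introducing it), so a short comment on that line naming the minimum TAYGA version would help anyone pinning an older package. The generated-config string and the option set both begin outside these hunks.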

+6 −5
@@ -31,11 +31,10 @@
  };

  nodes = {
    # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
    # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
    # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
    # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
    # RFC 6589 (Carrier Grade NAT) is used here.
    # The server is configured with static IPv4 addresses. We have to disable the
    # well-known prefix restrictions (as required by RFC 6052 Section 3.1) because
    # we're using private space (TAYGA also considers documentation space non-global,
    # unfortunately).
    # To reach the IPv4 address pool of the NAT64 gateway, there is a static
    # route configured. In normal cases, where the router would also source NAT
    # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -145,6 +144,7 @@
          "icmp"
          "self"
        ];
        wkpfStrict = false;
      };
      environment.systemPackages = [ pkgs.tcpdump ];
    };
@@ -217,6 +217,7 @@
          "icmp"
          "self"
        ];
        wkpfStrict = false;
      };
      environment.systemPackages = [ pkgs.tcpdump ];
    };
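Review bot: With `wkpfStrict = false;` set on both nodes, the test no longer exercises the default strict mode, so a regression in the RFC 6052 Section 3.1 filtering (the property the default exists to provide) would pass unnoticed; consider adding a test step asserting that a non-global IPv4 address is not translated under the default, or at least a comment next to each `wkpfStrict = false;` stating that strictness is disabled only because the test's IPv4 pool is non-global. The rewritten comment says "we're using private space", while the replaced text (and presumably the unchanged addresses elsewhere in this file) used 100.64.0.0/10, which is RFC 6598 shared address space rather than RFC 1918 private space; naming the actual range would be more precise, e.g. `# we're using non-global space (100.64.0.0/10, RFC 6598), which TAYGA now also rejects under wkpf-strict`. The node definitions begin and end outside these hunks.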