builders get a special treatment for dns64

common/base-server.nix

@@ -4,6 +4,7 @@
   nix.package = lib.mkDefault pkgs.lix;
   services.openssh.enable = lib.mkForce true;
 
+  networking.nftables.enable = true;
   networking.firewall.enable = true;
   networking.firewall.logRefusedConnections = false;
   networking.firewall.logReversePathDrops = true;

services/baremetal-builder/default.nix

@@ -91,7 +91,20 @@ in
     deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
     deployment.tags = [ "builders" ];
 
-    networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64
+    # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
+    services.coredns = {
+      enable = true;
+      config = ''
+        . {
+          bind lo
+          forward . 2001:4860:4860::6464
+          template ANY A { rcode NOERROR }
+        }
+      '';
+    };
+    services.resolved.enable = false;
+    networking.resolvconf.useLocalResolver = true;
+
 
     bagel.sysadmin.enable = true;