diff options
| author | Alejandro Soto <alejandro@34project.org> | 2025-01-03 19:50:15 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-01-03 20:03:47 -0600 |
| commit | 1483ca86378f3cb2cbbb6075e5151468f178755e (patch) | |
| tree | feb1959872b847c86c5df7cd31a32957c3472963 /sys/nspawn/dmz.nix | |
| parent | 1563cec3ce350727e3573211b0b3dc3b415e9d32 (diff) | |
sys: allocate global IPv6 addresses for DMZ services
Diffstat (limited to 'sys/nspawn/dmz.nix')
| -rw-r--r-- | sys/nspawn/dmz.nix | 32 |
1 files changed, 20 insertions, 12 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix index 3fe0335..c3544d6 100644 --- a/sys/nspawn/dmz.nix +++ b/sys/nspawn/dmz.nix @@ -74,8 +74,8 @@ in nspawn.dmz = { dmzAddr = dmzNet.hosts.dmz.v4.address; - hostAddr = dmzNet.hosts.host.v4.address; - hostAddr6 = dmzNet.hosts.host.v6.address; + hostAddr = dmzNet.hosts.gateway.v4.address; + hostAddr6 = dmzNet.hosts.gateway.v6.address; system = let @@ -121,6 +121,22 @@ in ''; }; }; + + systemd.network.networks."40-host0" = { + name = "host0"; + + networkConfig = { + IPv6AcceptRA = "yes"; + LinkLocalAddressing = "ipv6"; + }; + + ipv6AcceptRAConfig.Token = [ + "static:${dmzNet.hosts.dmz.v6.address}" + "eui64" + "static:${dmzNet.hosts.mta.v6.address}" + "static:${dmzNet.hosts.web.v6.address}" + ]; + }; }; }; in @@ -155,14 +171,6 @@ in "/nix/store:/nix/store:idmap" "${cfg.system.config.system.build.toplevel}/init:/sbin/init" ]; - - networkConfig.Port = [ - "tcp:25" - "tcp:80" - "tcp:443" - "tcp:465" - "tcp:587" - ]; }; network.networks."40-ve-dmz" = { @@ -172,10 +180,10 @@ in }; networkConfig = { - Address = [ dmzNet.hosts.host.v4.cidr dmzNet.hosts.host.v6.cidr ]; + Address = [ dmzNet.hosts.gateway.v4.cidr dmzNet.hosts.gateway.v6.cidr ]; LinkLocalAddressing = "yes"; DHCPServer = "yes"; - IPMasquerade = "ipv4"; + IPMasquerade = "no"; LLDP = "yes"; EmitLLDP = "customer-bridge"; IPv6SendRA = "yes"; |