From 1483ca86378f3cb2cbbb6075e5151468f178755e Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Fri, 3 Jan 2025 19:50:15 -0600
Subject: sys: allocate global IPv6 addresses for DMZ services
---
 sys/nspawn/dmz.nix | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index 3fe0335..c3544d6 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -74,8 +74,8 @@ in
 nspawn.dmz = {
 dmzAddr = dmzNet.hosts.dmz.v4.address;
- hostAddr = dmzNet.hosts.host.v4.address;
- hostAddr6 = dmzNet.hosts.host.v6.address;
+ hostAddr = dmzNet.hosts.gateway.v4.address;
+ hostAddr6 = dmzNet.hosts.gateway.v6.address;
 system = let
@@ -121,6 +121,22 @@ in
 '';
 };
 };
+
+ systemd.network.networks."40-host0" = {
+ name = "host0";
+
+ networkConfig = {
+ IPv6AcceptRA = "yes";
+ LinkLocalAddressing = "ipv6";
+ };
+
+ ipv6AcceptRAConfig.Token = [
+ "static:${dmzNet.hosts.dmz.v6.address}"
+ "eui64"
+ "static:${dmzNet.hosts.mta.v6.address}"
+ "static:${dmzNet.hosts.web.v6.address}"
+ ];
+ };
 };
 };
 in
@@ -155,14 +171,6 @@ in
 "/nix/store:/nix/store:idmap"
 "${cfg.system.config.system.build.toplevel}/init:/sbin/init"
 ];
-
- networkConfig.Port = [
- "tcp:25"
- "tcp:80"
- "tcp:443"
- "tcp:465"
- "tcp:587"
- ];
 };
 network.networks."40-ve-dmz" = {
@@ -172,10 +180,10 @@ in
 };
 networkConfig = {
- Address = [ dmzNet.hosts.host.v4.cidr dmzNet.hosts.host.v6.cidr ];
+ Address = [ dmzNet.hosts.gateway.v4.cidr dmzNet.hosts.gateway.v6.cidr ];
 LinkLocalAddressing = "yes";
 DHCPServer = "yes";
- IPMasquerade = "ipv4";
+ IPMasquerade = "no";
 LLDP = "yes";
 EmitLLDP = "customer-bridge";
 IPv6SendRA = "yes";
--
cgit v1.2.3
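Review bot: The `eui64` entry in the `Token` list for `40-host0` yields a global address that does not appear in `dmzNet.hosts`, so anything derived from that map (address-based allow rules, DNS records) will not cover it; if it is only meant as the container's own outbound source address, a comment should say so, e.g. `# eui64: MAC-derived address for the container itself, not published; services bind the static: ones`. The `static:` tokens for mta and web also deserve a line stating that one global address per exposed service is intended, since a reader of the container config cannot see from here which service binds which address. `IPv6AcceptRA = "yes"` accepts RAs from any sender on host0; that link appears to be only the veth to the host, so this looks acceptable, but it is inferred rather than shown in the hunk.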
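Review bot: With `IPMasquerade = "no"` here and `networkConfig.Port` removed in the hunk at -155, nothing left in this file restricts inbound traffic to the container's global IPv6 addresses to the five ports that were forwarded before (25, 80, 443, 465, 587); if that filtering now lives in the host firewall elsewhere in the repo, a comment next to `IPMasquerade` pointing at it would help, e.g. `# container is routed, not NATed; inbound to the DMZ is filtered in <firewall module>`. Going from `"ipv4"` to `"no"` also drops IPv4 NAT for the container's private v4 address, so IPv4 egress from the DMZ stops working unless it is routed some other way — worth confirming that is intended rather than a side effect. The `network.networks."40-ve-dmz"` block continues past the end of the hunk.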