From 9bc15fd531da793bc2f15a486c40351974bd3f85 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Sat, 18 Jan 2025 13:36:50 -0600 Subject: sys: remove IPv4 on dmz, gate; enable DNS64 for dmz --- sys/nspawn/dmz.nix | 57 +++++++++++++++++++++--------------------------------- 1 file changed, 22 insertions(+), 35 deletions(-) (limited to 'sys/nspawn') diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix index 905e491..52b588c 100644 --- a/sys/nspawn/dmz.nix +++ b/sys/nspawn/dmz.nix @@ -12,13 +12,12 @@ in options.local.nspawn.dmz = { enable = mkEnableOption "DMZ services in a container"; - netName = mkOption { + dns64 = mkOption { type = types.str; }; - net = mkOption { + netName = mkOption { type = types.str; - readOnly = true; }; net6 = mkOption { @@ -26,16 +25,6 @@ in readOnly = true; }; - dmzAddr = mkOption { - type = types.str; - readOnly = true; - }; - - hostAddr = mkOption { - type = types.str; - readOnly = true; - }; - hostAddr6 = mkOption { type = types.str; readOnly = true; @@ -66,11 +55,9 @@ in config = mkIf cfg.enable { local = { - mailHost.mdaListen = cfg.hostAddr; + mailHost.mdaListen = cfg.hostAddr6; nspawn.dmz = { - dmzAddr = dmzNet.hosts.dmz.v4.address; - hostAddr = dmzNet.hosts.gateway.v4.address; hostAddr6 = dmzNet.hosts.gateway.v6.address; system = @@ -85,14 +72,14 @@ in }; mta = { - mdaAddr = mailHost.mdaListen; + mdaAddr = "[${mailHost.mdaListen}]"; inherit (mailHost) saslPort lmtpPort; }; web.sites = { home = { enable = hassEnable; - proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"; + proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}"; }; }; }; 
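Review bot: The new `dns64` option in `options.local.nspawn.dmz` has no `description`, `example` or validation beyond `types.str`, although it becomes the container's only resolver once RA-supplied DNS is switched off elsewhere in this commit, so a typo in the address fails silently at evaluation time and only shows up as a dead resolver. A description along the lines of `description = "Address of the DNS64-capable resolver pushed to the DMZ container via networkd DNS=; RA-advertised resolvers are ignored, so this is the container's only resolver.";` would make the contract explicit, and an `example` would document the expected form (bare IPv6 literal, presumably). The `options.local.nspawn.dmz` attribute set continues past the end of this hunk.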
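Review bot: The IPv6 bracketing is now done at each consumer (`mdaAddr = "[${mailHost.mdaListen}]"` here and `proxyUrl = "http://[${cfg.hostAddr6}]:..."`), which silently assumes `mailHost.mdaListen` is always a bare IPv6 literal; a hostname or an already-bracketed value assigned later would produce a malformed address. A comment on the assignment, e.g. `# bare IPv6 literal: consumers (mta mdaAddr, web proxyUrl) add the brackets`, would pin that assumption. Separately, `hostAddr6` is the gateway's address from the advertised prefix, so the MDA now listens on a globally-scoped IPv6 address rather than a link-local one; whether that is reachable beyond the DMZ bridge depends on host firewall rules not visible in this diff and is worth confirming. The enclosing `config` block starts and ends outside this hunk.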
@@ -117,17 +104,23 @@ in name = "host0"; networkConfig = { - DHCP = "ipv4"; + DNS = [ cfg.dns64 ]; + + DHCP = "no"; IPv6AcceptRA = "yes"; LinkLocalAddressing = "ipv6"; }; - ipv6AcceptRAConfig.Token = [ - "static:${dmzNet.hosts.dmz.v6.address}" - "eui64" - "static:${dmzNet.hosts.mta.v6.address}" - "static:${dmzNet.hosts.web.v6.address}" - ]; + ipv6AcceptRAConfig = { + Token = [ + "static:::${dmzNet.hosts.dmz.v6.suffix}" + "eui64" + "static:::${dmzNet.hosts.mta.v6.suffix}" + "static:::${dmzNet.hosts.web.v6.suffix}" + ]; + + UseDNS = false; + }; }; }; }; @@ -147,8 +140,8 @@ in services = { home-assistant.config.http = mkIf hassEnable { - server_host = [ cfg.hostAddr ]; - trusted_proxies = [ cfg.dmzAddr ]; + server_host = [ cfg.hostAddr6 ]; + trusted_proxies = [ dmzNet.hosts.web.v6.address ]; use_x_forwarded_for = true; }; }; @@ -172,21 +165,15 @@ in }; networkConfig = { - Address = [ dmzNet.hosts.gateway.v4.cidr dmzNet.hosts.gateway.v6.cidr ]; + Address = [ dmzNet.hosts.gateway.v6.cidr ]; LinkLocalAddressing = "yes"; - DHCPServer = "yes"; + DHCPServer = "no"; IPMasquerade = "no"; LLDP = "yes"; EmitLLDP = "customer-bridge"; IPv6SendRA = "yes"; }; - # IP de contenedor fijada en hostAddr + 1 - dhcpServerConfig = { - PoolOffset = 2; - PoolSize = 1; - }; - ipv6Prefixes = [ { Assign = "yes"; -- cgit v1.2.3
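Review bot: `UseDNS = false` in `ipv6AcceptRAConfig` only ignores RDNSS options in the RA; if I read the networkd defaults right, the RA client still starts a DHCPv6 client on its own when an RA carries the M or O flag (`DHCPv6Client=` defaults to yes and is independent of the `DHCP = "no"` set above), and a DHCPv6-supplied resolver would be installed alongside `cfg.dns64`. Adding `DHCPv6Client = false;` next to `UseDNS = false;` closes that path and matches the intent that the DNS64 resolver is the only one. One more caveat worth a comment: a DNS64 resolver synthesizes AAAA records, which cannot validate under DNSSEC, so if the container's stub resolver enforces validation, those answers will be rejected — confirm the container's resolver settings, which are not in this diff. The surrounding container network definition starts before this hunk.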
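Review bot: `trusted_proxies = [ dmzNet.hosts.web.v6.address ]` trusts exactly one of the four addresses the container gets from its RA tokens (`dmz`, eui64, `mta`, `web`), but nothing in this diff binds the reverse proxy's upstream connection to the `web` address, so the kernel's source-address selection decides which one Home Assistant sees. If it picks another address the `X-Forwarded-For` header is dropped and the request rejected — which fails closed, so this is a breakage risk rather than a trust widening, but it should be confirmed by binding the proxy's outbound source address (nginx `proxy_bind` or equivalent) rather than by adding more addresses to the trust list. A comment such as `# must match the source address the DMZ reverse proxy uses towards hostAddr6` would record why only this address is listed. The enclosing `services` block starts and ends outside the hunk.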
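Review bot: With the IPv4 `Address` and `DHCPServer` gone from the gateway side, `LinkLocalAddressing = "yes"` is now the only thing that can still put an IPv4 address (169.254/16, depending on networkd's IPv4LL rules for `yes`) on this bridge, while the container side in the same commit uses `LinkLocalAddressing = "ipv6"`; changing the host side to `LinkLocalAddressing = "ipv6";` keeps both ends IPv6-only and avoids an unplanned IPv4 path between host and DMZ. Since the container now ignores RA-advertised resolvers, it would also be consistent to stop advertising them from here, e.g. `ipv6SendRAConfig.EmitDNS = false;` (and `EmitDomains`), so the host's resolver addresses are not leaked into the DMZ segment at all — hedged, as the `[IPv6SendRA]` section is not in view. The `networkConfig` attribute set and its parent start before this hunk.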