Allow for IPv6 with RA disabled by manually providing gateway

6 files changed, 59 insertions, 38 deletions

diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix
index e6c1653..d5211f1 100644
--- a/cluster/staging/node/carcajou.nix
+++ b/cluster/staging/node/carcajou.nix
@@ -20,7 +20,7 @@
   boot.loader.efi.canTouchEfiVariables = true;
 
   deuxfleurs.hostName = "carcajou";
-  deuxfleurs.ipv6Address = "2001:910:1204:1::22";
+  deuxfleurs.staticIPv6.address = "2001:910:1204:1::22";
 
   system.stateVersion = "21.05";
 }
diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix
index ad5a65d..80293e9 100644
--- a/cluster/staging/node/caribou.nix
+++ b/cluster/staging/node/caribou.nix
@@ -9,7 +9,7 @@
   boot.loader.efi.canTouchEfiVariables = true;
 
   deuxfleurs.hostName = "caribou";
-  deuxfleurs.ipv6Address = "2001:910:1204:1::23";
+  deuxfleurs.staticIPv6.address = "2001:910:1204:1::23";
   deuxfleurs.isRaftServer = true;
 
   system.stateVersion = "21.05";
diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix
index 0e5be15..e1a132c 100644
--- a/cluster/staging/node/df-pw5.nix
+++ b/cluster/staging/node/df-pw5.nix
@@ -11,7 +11,7 @@
 
   deuxfleurs.hostName = "df-pw5";
   deuxfleurs.staticIPv4.address = "192.168.5.130/24";
-  deuxfleurs.ipv6Address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7";
+  deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7";
 
   system.stateVersion = "22.11";
 }
diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix
index d900fd6..6906f4d 100644
--- a/cluster/staging/node/origan.nix
+++ b/cluster/staging/node/origan.nix
@@ -10,7 +10,7 @@
 
   deuxfleurs.hostName = "origan";
   deuxfleurs.staticIPv4.address = "192.168.1.33/24";
-  deuxfleurs.ipv6Address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec";
+  deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec";
   deuxfleurs.isRaftServer = true;
 
   system.stateVersion = "22.11";
diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix
index 2b9907d..bc1aa03 100644
--- a/cluster/staging/node/piranha.nix
+++ b/cluster/staging/node/piranha.nix
@@ -10,7 +10,7 @@
 
   deuxfleurs.hostName = "piranha";
   deuxfleurs.staticIPv4.address = "192.168.1.25/24";
-  deuxfleurs.ipv6Address = "2a01:cb05:9142:7400:223:24ff:feb0:ea82";
+  deuxfleurs.staticIPv6.address = "2a01:cb05:9142:7400:223:24ff:feb0:ea82";
   deuxfleurs.isRaftServer = true;
 
   system.stateVersion = "22.11";
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 7632486..8b9a5ef 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -12,16 +12,15 @@ in
       description = "Node name";
       type = str;
     };
-    ipv6Address = mkOption {
-      description = "Static public IPv6 address of this node";
-      type = str;
-    };
     staticIPv4.address = mkOption {
       description = "IP address (with prefix length) of this node on the local network interface";
       type = nullOr str;
       default = null;
     };
-
+    staticIPv6.address = mkOption {
+      description = "Static public IPv6 address of this node";
+      type = str;
+    };
     isRaftServer = mkOption {
       description = "Make this node a RAFT server for the Nomad and Consul deployments";
       type = bool;
@@ -38,6 +37,19 @@ in
       type = nullOr str;
       default = null;
     };
+    staticIPv6.defaultGateway = mkOption {
+      description = ''
+        IPv6 address of the default route on the local network interface.
+        IPv6 Router Advertisements (RA) will be totally disabled.
+      '';
+      type = nullOr str;
+      default = null;
+    };
+    staticIPv6.prefixLength = mkOption {
+      description = "IPv6 prefix length";
+      type = int;
+      default = 64;
+    };
 
     publicIPv4 = mkOption {
       description = "Public IPv4 through which this node is accessible (possibly after port opening using DiploNAT), for domain names that are updated by D53";
@@ -112,7 +124,7 @@ in
       clusterAddress = clusterNodeCfg.address;
       node_meta = {
         "site" = cfg.siteName;
-        "public_ipv6" = cfg.ipv6Address;
+        "public_ipv6" = cfg.staticIPv6.address;
       } //
       (if cfg.publicIPv4 != null
         then { "public_ipv4" = cfg.publicIPv4; }
@@ -134,37 +146,46 @@ in
     # Configure network interfaces
     networking.useDHCP = false;
     networking.useNetworkd = true;
-    systemd.network.networks = {
-      "10-uplink" = {
-        matchConfig = {
-          Name = "en* eth*";
-        };
-        ipv6AcceptRAConfig = {
-          Token = "static:${cfg.ipv6Address}";
-          UseDNS = false;
-        };
-      } // (if cfg.staticIPv4.address == null || cfg.staticIPv4.defaultGateway == null then {
-        networkConfig = {
-          DHCP = "ipv4";
-        };
-        dhcpV4Config = {
-          UseDNS = false;
-        };
-      } else {
-        address = [
-          "${cfg.staticIPv4.address}"
-        ];
-        routes = [
-          {
+    systemd.network.networks."10-uplink" =
+      let
+        dyn_v4 = cfg.staticIPv4.address == null || cfg.staticIPv4.defaultGateway == null;
+        dyn_v6 = cfg.staticIPv6.defaultGateway == null;
+      in
+      {
+        matchConfig.Name = "en* eth*";
+
+        address =
+          optional (!dyn_v4) "${cfg.staticIPv4.address}"
+          ++ optional (!dyn_v6) "${cfg.staticIPv6.address}/${toString cfg.staticIPv6.prefixLength}";
+
+        routes =
+          optional (!dyn_v4) {
             routeConfig = {
               Gateway = cfg.staticIPv4.defaultGateway;
               # GatewayOnLink - Takes a boolean. If set to true, the kernel does not have to check if the gateway is reachable directly by the current machine (i.e., attached to the local network), so that we can insert the route in the kernel table without it being complained about. Defaults to "no".
               GatewayOnLink = true;
             };
-          }
-        ];
-      });
-    };
+          } ++ optional (!dyn_v6) {
+            routeConfig = {
+              Gateway = cfg.staticIPv6.defaultGateway;
+              GatewayOnLink = true;
+            };
+          };
+
+        # Dynamic IPv4: enable DHCP but not for DNS servers
+        networkConfig.DHCP = mkIf dyn_v4 "ipv4";
+        dhcpV4Config.UseDNS = mkIf dyn_v4 false;
+
+        # Dynamic IPv6: only fetch default route, use static
+        # address and no DNS servers
+        ipv6AcceptRAConfig.Token = mkIf dyn_v6 "static:${cfg.staticIPv6.address}";
+        ipv6AcceptRAConfig.UseDNS = mkIf dyn_v6 false;
+
+        # Static IPv6: disable all router advertisements and
+        # link-local addresses
+        networkConfig.IPv6AcceptRA = mkIf (!dyn_v6) false;
+        networkConfig.LinkLocalAddressing = mkIf (!dyn_v6) "no";
+      };
 
     # Configure Unbound as a central DNS server for everything
     # - is its own recursor (applies DNSSec) for everything,
@@ -211,7 +232,7 @@ in
       gossipPort = 1666;
       gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
       persistFile = "/var/lib/wgautomesh/state";
-      upnpForwardPublicPort = 
+      upnpForwardPublicPort =
         if clusterNodeCfg.endpoint != null then
           strings.toInt (lists.last (split ":" clusterNodeCfg.endpoint))
         else null;