feat: enable ipv6 RA

hosts/common/core/net.nix

@@ -57,9 +57,9 @@ in {
           from = "all";
           to = ["local"];
           extraLines = [
-            "ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
+            "ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
-            "ip protocol icmp icmp type { echo-request, router-advertisement } accept"
+            "ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
-            #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept"
+            #"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
           ];
         };
 
@@ -74,10 +74,7 @@ in {
     };
   };
 
-  systemd.network = {
+  systemd.network.enable = true;
-    enable = true;
-    wait-online.anyInterface = true;
-  };
 
   # Rename known network interfaces
   extra.networking.renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (nodeSecrets.networking.interfaces or {});

hosts/common/laptop.nix

@@ -1,4 +1,6 @@
 {pkgs, ...}: {
+  systemd.network.wait-online.anyInterface = true;
+
   services = {
     tlp.enable = true;
     physlock.enable = true;

hosts/nom/net.nix

@@ -17,14 +17,14 @@
     "10-lan1" = {
       DHCP = "yes";
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
-      networkConfig.IPv6PrivacyExtensions = "kernel";
+      networkConfig.IPv6PrivacyExtensions = "yes";
       dhcpV4Config.RouteMetric = 10;
       dhcpV6Config.RouteMetric = 10;
     };
     "10-wlan1" = {
       DHCP = "yes";
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
-      networkConfig.IPv6PrivacyExtensions = "kernel";
+      networkConfig.IPv6PrivacyExtensions = "yes";
       dhcpV4Config.RouteMetric = 40;
       dhcpV6Config.RouteMetric = 40;
     };

hosts/ward/net.nix

@@ -7,7 +7,7 @@
   inherit (config.lib.net) cidr;
 
   net.lan.ipv4cidr = "192.168.100.1/24";
-  net.lan.ipv6cidr = "fd01::1/64";
+  net.lan.ipv6cidr = "fd00::1/64";
 in {
   networking.hostId = nodeSecrets.networking.hostId;
 
@@ -16,6 +16,8 @@ in {
     networks = {inherit (config.systemd.network.networks) "10-wan";};
   };
 
+  # Create a MACVTAP for ourselves too, so that we can communicate with
+  # other taps on the same interface.
   systemd.network.netdevs."10-lan-self" = {
     netdevConfig = {
       Name = "lan-self";
@@ -30,6 +32,11 @@ in {
   systemd.network.networks = {
     "10-lan" = {
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan.mac;
+      # This interface should only be used from attached macvtaps.
+      # So don't acquire a link local address and only wait for
+      # this interface to gain a carrier.
+      networkConfig.LinkLocalAddressing = "no";
+      linkConfig.RequiredForOnline = "carrier";
       extraConfig = ''
         [Network]
         MACVTAP=lan-self
@@ -39,35 +46,61 @@ in {
       DHCP = "yes";
       #address = [
       #  "192.168.178.2/24"
-      #  "fd00::1/64"
+      #  "fdee::1/64"
       #];
       #gateway = [
       #];
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.wan.mac;
-      networkConfig.IPv6PrivacyExtensions = "kernel";
+      networkConfig.IPv6PrivacyExtensions = "yes";
-      dhcpV4Config.RouteMetric = 20;
+      linkConfig.RequiredForOnline = "routable";
-      dhcpV6Config.RouteMetric = 20;
     };
-    "11-lan-self" = {
+    "20-lan-self" = {
       address = [net.lan.ipv4cidr net.lan.ipv6cidr];
       matchConfig.Name = "lan-self";
       networkConfig = {
         IPForward = "yes";
-        IPv6PrivacyExtensions = "kernel";
+        IPv6PrivacyExtensions = "yes";
-        ConfigureWithoutCarrier = true;
+        IPv6SendRA = true;
       };
-      dhcpV4Config.RouteMetric = 10;
+      # Announce a static prefix
-      dhcpV6Config.RouteMetric = 10;
+      ipv6Prefixes = [
+        {ipv6PrefixConfig.Prefix = cidr.canonicalize net.lan.ipv6cidr;}
+      ];
+      # Delegate prefix from wan
+      #dhcpPrefixDelegationConfig = {
+      #  UplinkInterface = "wan";
+      #  Announce = true;
+      #  SubnetId = "auto";
+      #};
+      # Provide a DNS resolver
+      ipv6SendRAConfig = {
+        EmitDNS = true;
+        # TODO change to self later
+        #DNS = cidr.ip net.lan.ipv6cidr;
+        DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"];
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+    # Remaining macvtap interfaces should not be touched.
+    "90-macvtap-no-ll" = {
+      matchConfig.Kind = "macvtap";
+      networkConfig.LinkLocalAddressing = "no";
+      linkConfig.ActivationPolicy = "manual";
     };
   };
 
   networking.nftables.firewall = {
     zones = lib.mkForce {
-      lan.interfaces = ["lan"];
+      lan.interfaces = ["lan-self"];
       wan.interfaces = ["wan"];
     };
 
     rules = lib.mkForce {
+      icmp = {
+        # accept ipv6 router solicit and multicast listener discovery query
+        extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
+      };
+
       masquerade-wan = {
         from = ["lan"];
         to = ["wan"];
@@ -99,6 +132,7 @@ in {
     };
   };
 
+  # TODO to microvm!
   services.kea = {
     dhcp4 = {
       enable = true;
@@ -112,19 +146,22 @@ in {
         renew-timer = 1000;
         rebind-timer = 2000;
         interfaces-config = {
-          interfaces = ["lan"];
+          interfaces = ["lan-self"];
           service-sockets-max-retries = -1;
         };
         option-data = [
           {
             name = "domain-name-servers";
+            # TODO pihole self
             data = "1.1.1.1, 8.8.8.8";
           }
         ];
         subnet4 = [
           {
-            interface = "lan";
+            interface = "lan-self";
             subnet = cidr.canonicalize net.lan.ipv4cidr;
+            # TODO calculate this automatically, start at 40 or so
+            # to have enough for reservations
             pools = [
               {pool = "192.168.100.20 - 192.168.100.250";}
             ];
@@ -134,6 +171,7 @@ in {
                 data = cidr.ip net.lan.ipv4cidr;
               }
             ];
+            # TODO reserve addresses for each VM
             #reservations = [
             #  {
             #    duid = "aa:bb:cc:dd:ee:ff";
@@ -144,13 +182,9 @@ in {
         ];
       };
     };
-    #dhcp6 = {
-    #  enable = true;
-    #};
   };
-  systemd.services.kea-dhcp4-server.after = [
+
-    "sys-subsystem-net-devices-lan.device"
+  systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"];
-  ];
 
   #extra.wireguard.vms = {
   #  server = {

hosts/zackbiene/net.nix

@@ -20,13 +20,13 @@ in {
     "10-lan1" = {
       DHCP = "yes";
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
-      networkConfig.IPv6PrivacyExtensions = "kernel";
+      networkConfig.IPv6PrivacyExtensions = "yes";
-      dhcpV4Config.RouteMetric = 10;
+      linkConfig.RequiredForOnline = "routable";
-      dhcpV6Config.RouteMetric = 10;
     };
     "10-wlan1" = {
       address = [net.iot.ipv4cidr net.iot.ipv6cidr];
       matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+      linkConfig.RequiredForOnline = "no";
     };
   };
 

modules/microvms.nix

@@ -79,11 +79,10 @@
           matchConfig.Name = vmCfg.linkName;
           DHCP = "yes";
           networkConfig = {
-            IPv6PrivacyExtensions = "kernel";
+            IPv6PrivacyExtensions = "yes";
-            ConfigureWithoutCarrier = true;
+            IPv6AcceptRA = true;
           };
-          dhcpV4Config.RouteMetric = 20;
+          linkConfig.RequiredForOnline = "routable";
-          dhcpV6Config.RouteMetric = 20;
         };
       };