From 7a2d8347420311d147a1bc91b3cb2756731037df Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 29 Mar 2024 13:59:28 -0700
Subject: [PATCH] feat(access): optional slaac on int
---
modules/system/network/networks.nix | 15 ++++++++++-----
modules/system/proxmox/network.nix | 29 +++++++++++++++++++++++------
nixos/int.nix | 29 +++++++++++++++++++++++++++++
nixos/reisen-ct/proxmox.nix | 2 +-
systems/ct/nixos.nix | 21 +++++++++++++++++++++
systems/freeipa/int.nmconnection | 2 ++
systems/utsuho/nixos.nix | 1 +
7 files changed, 87 insertions(+), 12 deletions(-)
create mode 100644 nixos/int.nix
diff --git a/modules/system/network/networks.nix b/modules/system/network/networks.nix
index 7fcc6edd..4878633b 100644
--- a/modules/system/network/networks.nix
+++ b/modules/system/network/networks.nix
@@ -4,9 +4,12 @@
 inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.trivial) mapNullable; networkModule = { config, name, system, ... }: let
- slaacPrefix = {
- local = "fd0a:";
- #int = "fd0c:";
+ knownNetworks = {
+ local.slaac = {
+ enable = true;
+ prefix = "fd0a:";
+ };
+ int.slaac.prefix = "fd0c:";
 }; in { options = with lib.types; {
@@ -47,8 +50,10 @@
 }; config = { slaac = {
- enable = mkOptionDefault (slaacPrefix ? ${config.name});
- prefix = mkIf (slaacPrefix ? ${config.name}) (mkOptionDefault slaacPrefix.${config.name});
+ enable = mkOptionDefault (knownNetworks.${config.name}.slaac.enable or false);
+ prefix = mkIf (knownNetworks.${config.name}.slaac.prefix or null != null) (
+ mkOptionDefault knownNetworks.${config.name}.slaac.prefix
+ );
 postfix = mkIf (config.macAddress != null) (mkOptionDefault (eui64 config.macAddress)); }; domain = mkOptionDefault "${config.name}.${system.access.domain}";
diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix
index 41bc80ce..b3e7580e 100644
--- a/modules/system/proxmox/network.nix
+++ b/modules/system/proxmox/network.nix
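Review bot: The `int.slaac.prefix = "fd0c:"` entry added to `knownNetworks` in the first hunk (`@@ -4,9 +4,12 @@`) carries a prefix but no `enable`, while the `local` entry spells out `enable = true`; together with the `or false` fallback introduced in the next hunk this is what makes SLAAC on `int` opt-in, but read on its own the entry looks like a forgotten `enable`. A one-line comment on the entry would make the asymmetry deliberate, e.g. `# prefix only: SLAAC on int stays opt-in, enabled per system`. The enclosing `networkModule` function starts and ends outside the hunk.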
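Review bot: In the second hunk (`@@ -47,8 +50,10 @@`) `prefix = mkIf (knownNetworks.${config.name}.slaac.prefix or null != null)` depends on Nix's `or` binding tighter than `!=`; that is correct, but it reads as `prefix or (null != null)` at a glance, and writing it as `mkIf ((knownNetworks.${config.name}.slaac.prefix or null) != null)` costs nothing and removes the double-take. The `enable` default on the line above now falls back to `false` for any network whose table entry lacks `slaac.enable`, which is a behaviour change from the old "prefix known implies enabled" rule; a short comment such as `# enable and prefix are independent: a known prefix no longer implies SLAAC` would keep that from being re-coupled later. The `config` attrset being edited continues outside the hunk.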
@@ -1,7 +1,7 @@
 {config, lib, inputs, ...}: let inherit (inputs.self.lib.lib) unmerged eui64 toHexStringLower mkAlmostOptionDefault mapAlmostOptionDefaults; inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
 inherit (lib.attrsets) attrValues; inherit (lib.lists) elem findSingle findFirst; inherit (lib.strings) hasPrefix removePrefix replaceStrings removeSuffix;
@@ -78,6 +78,11 @@
 enable = mkEnableOption "systemd.network" // { default = true; };
+ name = mkOption {
+ type = str;
+ default = config.name;
+ description = "network unit name";
+ };
 networkSettings = mkOption { type = unmerged.types.attrs; };
@@ -105,7 +110,7 @@
 ]; networkd.networkSettings = { name = mkAlmostOptionDefault config.name;
- ipv6AcceptRAConfig = mkIf (config.address6 == "auto" && config.local.enable) {
+ ipv6AcceptRAConfig = mkIf config.local.enable {
 UseDNS = mkOptionDefault false; DHCPv6Client = mkOptionDefault false; };
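Review bot: In the `@@ -78,6 +78,11 @@` hunk the new `networkd.name` option's description, `"network unit name"`, does not say what it is the name of or that it is now allowed to differ from `config.name`, its default; since the only consumer visible in this commit is the `networks.${interface.networkd.name}` key in nixos/reisen-ct/proxmox.nix, the description should say so, e.g. `description = "key under systemd.network.networks for this interface's unit; defaults to the interface name";`. Whether `config` here is the interface's own module config or a nested submodule's is not visible in the hunk, so the default `config.name` is worth a second look if `networkd` is declared as a submodule. The options attrset continues outside the hunk.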
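Review bot: In the `@@ -105,7 +110,7 @@` hunk the `ipv6AcceptRAConfig` guard drops `config.address6 == "auto"`, so `UseDNS = false` and `DHCPv6Client = false` are now emitted for every interface with `local.enable`, including ones carrying a static `address6`; nothing in the hunk sets `networkConfig.IPv6AcceptRA`, so whether those links process RAs at all is left to networkd's default, which is presumably what the static-plus-SLAAC `int` configuration elsewhere in this commit counts on. A why-comment would keep the next reader from restoring the old condition, e.g. `# applied regardless of address6: a static address can coexist with a SLAAC one from the RA prefix`. The `networkd.networkSettings` attrset continues outside the hunk.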
@@ -140,15 +145,27 @@
 ); }; };
- confInternal = {
+ confInternal = let
+ index = system.proxmox.vm.id - internalOffset;
+ in {
 name = mkIf system.proxmox.container.enable (mkAlmostOptionDefault "eth9"); bridge = mkAlmostOptionDefault "vmbr9";
- address4 = mkAlmostOptionDefault "10.9.1.${toString (system.proxmox.vm.id - internalOffset)}/24";
- address6 = mkAlmostOptionDefault "fd0c::${toHexStringLower (system.proxmox.vm.id - internalOffset)}/64";
+ address4 = mkAlmostOptionDefault "10.9.1.${toString index}/24";
+ address6 = mkAlmostOptionDefault "fd0c::${toHexStringLower index}/64";
 macAddress = mkIf (system.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" system.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault ( replaceStrings [ "BC:24:11:" ] [ "BC:24:19:" ] system.proxmox.network.interfaces.net0.macAddress ));
- networkd.networkSettings.linkConfig.RequiredForOnline = false;
+ networkd.networkSettings = {
+ domains = mkDefault [ ]; # int.${domain}?
+ linkConfig.RequiredForOnline = false;
+ ipv6AcceptRAConfig = {
+ Token = mkOptionDefault "static:::${toHexStringLower index}";
+ DHCPv6Client = mkOptionDefault false;
+ };
+ networkConfig = {
+ IPv6PrivacyExtensions = mkOptionDefault "no";
+ };
+ };
 }; in mkMerge [ conf
diff --git a/nixos/int.nix b/nixos/int.nix
new file mode 100644
index 00000000..558beb7c
--- /dev/null
+++ b/nixos/int.nix
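Review bot: `domains = mkDefault [ ]; # int.${domain}?` commits an open question as a default in `confInternal`; either settle it or turn the comment into a statement of the current decision, e.g. `# deliberately empty for now: no search domain is published on int`. The `Token = "static:::${toHexStringLower index}"` line reproduces the interface identifier of the static `address6` (`fd0c::<index>/64`) so that an address derived from an advertised `fd0c::/64` coincides with the static one, and `IPv6PrivacyExtensions = "no"` keeps RFC 4941 temporary addresses from being generated next to it; both are non-obvious and deserve a comment at the top of the new `networkd.networkSettings` block, e.g. `# keep the SLAAC address identical to address6 and stable, so the int address of this guest is predictable`. The token only matters once an RA for that prefix arrives, which on the container side is what nixos/int.nix in this commit provides; saying so here would tie the two halves together. The `mkMerge` list that consumes `confInternal` continues outside the hunk.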
@@ -0,0 +1,29 @@
+{config, lib, access, ...}: let
+ inherit (lib.modules) mkDefault;
+in {
+ config = {
+ systemd.network.networks.eth9 = {config, ...}: {
+ networkConfig = {
+ IPv6SendRA = mkDefault true;
+ };
+ ipv6SendRAConfig = {
+ Managed = mkDefault false;
+ EmitDNS = mkDefault true;
+ DNS = [ (access.getAddress6For "utsuho" "int") ];
+ # Domains = [ "int.${networking.domain}" ];
+ EmitDomains = mkDefault false;
+ RouterPreference = mkDefault "low";
+ RouterLifetimeSec = 0;
+ };
+ ipv6Prefixes = [
+ {
+ ipv6PrefixConfig = {
+ Prefix = "fd0c::/64";
+ Assign = true;
+ Token = config.ipv6AcceptRAConfig.Token;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/reisen-ct/proxmox.nix b/nixos/reisen-ct/proxmox.nix
index bfe8c7dc..73f9ae3b 100644
--- a/nixos/reisen-ct/proxmox.nix
+++ b/nixos/reisen-ct/proxmox.nix
@@ -25,7 +25,7 @@ in { proxmoxLXC.privileged = mkIf (proxmox.container.enable && proxmox.container.privileged) true; systemd.network = mkIf proxmox.enabled (mkMerge (mapAttrsToList (_: interface: mkIf (interface.enable && interface.networkd.enable) {
- networks.${interface.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
+ networks.${interface.networkd.name} = unmerged.mergeAttrs interface.networkd.networkSettings;
 }) proxmox.network.interfaces)); networking.firewall.interfaces.int = let
diff --git a/systems/ct/nixos.nix b/systems/ct/nixos.nix
index aaf83f84..c42432d2 100644
--- a/systems/ct/nixos.nix
+++ b/systems/ct/nixos.nix
@@ -8,4 +8,25 @@ services.avahi.hostName = ""; system.stateVersion = "23.11";
+ environment.etc."systemd/network/eth9.network.d/int.conf".text = ''
+ [Match]
+ Name=eth9
+ Type=ether
+
+ [Link]
+ RequiredForOnline=false
+
+ [Network]
+ IPv6AcceptRA=true
+ IPv6SendRA=false
+ DHCP=no
+
+ [IPv6Prefix]
+ AddressAutoconfiguration=false
+ Prefix=fd0c::/64
+ Assign=true
+
+ [IPv6AcceptRA]
+ DHCPv6Client=false
+ '';
 }
diff --git a/systems/freeipa/int.nmconnection b/systems/freeipa/int.nmconnection
index c3573197..99ee4716 100644
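Review bot: `systemd.network.networks.eth9` in the new nixos/int.nix hardcodes the unit key, while this same commit makes that key configurable through `interface.networkd.name` (default `config.name`, which `confInternal` sets to `eth9` only when `system.proxmox.container.enable` holds); on a host where the int interface keeps another name this module would presumably add a separate `eth9` unit with no `[Match]` of its own instead of extending the int one. Either state the assumption at the top of the file, `# int router advertisements; assumes a Proxmox container where the int interface is eth9 (see confInternal in modules/system/proxmox/network.nix)`, or key the entry by the networkd name. `Prefix = "fd0c::/64"` is another literal copy of the prefix this commit already encodes in `confInternal`'s `address6` and in `knownNetworks.int.slaac.prefix`, so deriving it from one place would prevent drift. `RouterLifetimeSec = 0` together with `RouterPreference = "low"` advertises the prefix without offering this host as a default router, which looks intentional but is exactly the setting that needs a why-comment, e.g. `# advertise the prefix only; this host is not the int default gateway`.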
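Review bot: The systems/ct/nixos.nix drop-in for `eth9.network` sets `IPv6SendRA=false` yet also carries an `[IPv6Prefix]` section (`Prefix=fd0c::/64`, `Assign=true`, `AddressAutoconfiguration=false`); in systemd-networkd that section describes prefixes for RAs this host would send, so with sending off it is presumably inert unless `Assign=` is being relied on to add the local address, and the hunk does not say which. A `#` comment inside the heredoc stating the intent, `# [IPv6Prefix] only to Assign= the fd0c:: address locally; this host sends no RAs`, or dropping the section if it is not needed, would make that checkable. Because it is a drop-in it only applies where an `eth9.network` unit already exists, a dependency on the container networking generated elsewhere that is worth a comment as well. This is the third literal `fd0c::/64` in the commit (nixos/int.nix and `confInternal` in modules/system/proxmox/network.nix hold the others).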
--- a/systems/freeipa/int.nmconnection
+++ b/systems/freeipa/int.nmconnection
@@ -11,3 +11,5 @@ method=manual address1=fd0c::aa/64 may-fail=true method=manual
+addr-gen-mode=eui64
+token=::aa
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index da104994..504a1ed3 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -7,6 +7,7 @@ in { nixos.sops nixos.base nixos.reisen-ct
+ nixos.int
 nixos.ipa nixos.cloudflared nixos.nginx
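Review bot: `addr-gen-mode=eui64` and `token=::aa` are appended to a section whose visible context is `method=manual` with `address1=fd0c::aa/64`; NetworkManager derives a token-based SLAAC address only when it processes router advertisements, which I believe a `manual` IPv6 method does not, so these two keys may have no effect as written — worth confirming against the NetworkManager keyfile documentation before merging. If the intent is for the RA-derived address to coincide with the static one (both end in `::aa`), a `#` comment saying so, e.g. `# token matches address1 so an RA-derived address is the same fd0c::aa`, would also explain the apparent redundancy. The section header is not visible in the hunk, so whether this is the `[ipv6]` group is inferred from the keys.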