From 9995e157604fae18bc436ca36a0f951dc946f80f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Wed, 25 Oct 2023 13:23:13 +0200
Subject: [PATCH] Revert "fix: remove ipv6 local addresses from wireguard"
This reverts commit cff59a1b7aad928bcad2c9f3478fcae447a09971.
---
 hosts/biolimo/networking.nix | 5 ++++-
 hosts/chocolatebar/networking.nix | 5 ++++-
 hosts/droppie/networking.nix | 5 ++++-
 hosts/frikandel/wireguard.nix | 31 +++++++++++++++++++++++-----
 hosts/pie/ddclient.nix | 2 +-
 hosts/pie/networking.nix | 2 +-
 hosts/pie/unbound.nix | 8 +++++++
 modules/wireguard-client/default.nix | 10 +++++++--
 8 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/hosts/biolimo/networking.nix b/hosts/biolimo/networking.nix
index b5ebe40..ffef32f 100644
--- a/hosts/biolimo/networking.nix
+++ b/hosts/biolimo/networking.nix
@@ -8,7 +8,10 @@
 age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-biolimo.age";
 pub-solar.wireguard-client = {
- ownIPs = [ "10.0.1.6/32" ];
+ ownIPs = [
+ "10.0.1.6/32"
+ "fd00:acab:1312:acab:6::/128"
+ ];
 wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
 };
 };
diff --git a/hosts/chocolatebar/networking.nix b/hosts/chocolatebar/networking.nix
index fe3ad25..c5542dc 100644
--- a/hosts/chocolatebar/networking.nix
+++ b/hosts/chocolatebar/networking.nix
@@ -8,7 +8,10 @@
 age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-chocolatebar.age";
 pub-solar.wireguard-client = {
- ownIPs = [ "10.0.1.5/32" ];
+ ownIPs = [
+ "10.0.1.5/32"
+ "fd00:acab:1312:acab:5::/128"
+ ];
 wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
 };
 };
diff --git a/hosts/droppie/networking.nix b/hosts/droppie/networking.nix
index a083024..133af75 100644
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@@ -8,7 +8,10 @@
 age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
 pub-solar.wireguard-client = {
- ownIPs = [ "10.0.1.3/32" ];
+ ownIPs = [
+ "10.0.1.3/32"
+ "fd00:acab:1312:acab:3::/128"
+ ];
 wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
 };
 };
diff --git a/hosts/frikandel/wireguard.nix b/hosts/frikandel/wireguard.nix
index 74b8d79..975337c 100644
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@@ -8,6 +8,9 @@
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ "net.ipv6.conf.all.accept_ra" = 1;
+ "net.ipv6.conf.all.accept_ra_pinfo" = 1;
 };
 networking.nat = {
@@ -27,29 +30,47 @@
 wg0 = {
 listenPort = 51899;
- address = [ "10.0.1.7/32" ];
+ address = [
+ "10.0.1.7/32"
+ "fd00:b12f:acab:1312:acab:7::/32"
+ ];
 privateKeyFile = "/run/agenix/wg-private-key-server";
 peers = [
 {
 # pie
 publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
- allowedIPs = [ "10.0.1.2/32" ];
+ allowedIPs = [
+ "10.0.1.2/32"
+ "fd00:b12f:acab:1312:acab:2::/32"
+ ];
 persistentKeepalive = 25;
 }
 {
 # droppie
 publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
- allowedIPs = [ "10.0.1.3/32" ];
+ allowedIPs = [
+ "10.0.1.3/32"
+ "fd00:b12f:acab:1312:acab:3::/32"
+ ];
+ persistentKeepalive = 25;
 }
 {
 # chocolatebar
 publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
- allowedIPs = [ "10.0.1.5/32" ];
+ allowedIPs = [
+ "10.0.1.5/32"
+ "fd00:b12f:acab:1312:acab:5::/32"
+ ];
+ persistentKeepalive = 25;
 }
 {
 # biolimo
 publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
- allowedIPs = [ "10.0.1.6/32" ];
+ allowedIPs = [
+ "10.0.1.6/32"
+ "fd00:b12f:acab:1312:acab:6::/32"
+ ];
+ persistentKeepalive = 25;
 }
 ];
diff --git a/hosts/pie/ddclient.nix b/hosts/pie/ddclient.nix
index 9a9af07..100b572 100644
--- a/hosts/pie/ddclient.nix
+++ b/hosts/pie/ddclient.nix
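Review bot: The added `"net.ipv6.conf.all.accept_ra" = 1;` in the first frikandel hunk has no effect on this host, because the same attribute set sets `"net.ipv6.conf.all.forwarding" = 1;` and the kernel only honours accept_ra on a forwarding host when the value is 2. Either the line is dead configuration that should be dropped, or router advertisements are really needed on the uplink, in which case set it for that one interface only (`"net.ipv6.conf.<uplink-interface>.accept_ra" = 2;`, interface name to be filled in) rather than under `all`, so that wg0 and every other interface do not start accepting RAs as well. `accept_ra_pinfo` only matters once RAs are accepted, so it follows the same decision. A short comment above the three lines stating why a VPN server needs RA processing at all would help the next reader; the sysctl set is complete inside the hunk, but the surrounding module is not.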
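Review bot: In the wg0 hunk every peer receives the same IPv6 allowedIPs entry, because `fd00:b12f:acab:1312:acab:2::/32` through `...:6::/32` all denote the prefix `fd00:b12f::/32`; WireGuard's cryptokey routing assigns an allowed prefix to one peer only, so the last peer configured (biolimo) claims the whole /32, the other three can neither send nor receive IPv6 through the tunnel, and the per-peer source-address check that allowedIPs normally enforces is lost. The peer entries should be host routes such as `"fd00:b12f:acab:1312:acab:2::/128"` for pie, and the interface `address` should carry a sensible prefix length (/64 or /128) rather than /32. A second, cross-hunk problem is that this file and the `dns`/`allowedIPs` entries in modules/wireguard-client/default.nix use the `fd00:b12f:acab:1312:acab::` prefix, while the clients' `ownIPs` in hosts/biolimo, hosts/chocolatebar and hosts/droppie, pie's Caddy `default_bind`, and the unbound access-control and AAAA records use `fd00:acab:1312:acab::`; with two different prefixes the clients' source addresses fall outside the server's allowedIPs, the resolver address pushed to clients is one that nothing in this series assigns to pie, and the AAAA answers are not routed into the tunnel. Pick one ULA prefix, write it in canonical form (no host bits set in a /48 or /32), and use it in all of those places; the mismatch is plausibly what the reverted commit was working around, so the revert should come with that fix.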
@@ -13,7 +13,7 @@ with lib; let
 ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
 '';
 getIP6 = with pkgs; writeShellScriptBin "getIP" ''
- ${curl}/bin/curl -6 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
+ echo "2a02:908:5b1:e3c0:3077:2::"
 '';
 in {
 imports = [
diff --git a/hosts/pie/networking.nix b/hosts/pie/networking.nix
index f0e71c2..bdc5b9b 100644
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@@ -25,7 +25,7 @@
 # Caddy reverse proxy for local services like cups
 services.caddy = {
 globalConfig = ''
- default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2
+ default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:acab:1312:acab:2::
 auto_https off
 '';
 };
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index 850b4a0..ab51a52 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@@ -19,6 +19,7 @@
 # Allow from wireguard
 "10.0.1.0/24 allow"
+ "fd00:acab:1312:acab::/48 allow"
 ];
 local-zone = [
 "\"b12f.io\" static"
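Review bot: `getIP6` now prints the literal `2a02:908:5b1:e3c0:3077:2::` instead of determining the address, so ddclient will keep publishing that AAAA value unchanged if the upstream prefix ever moves, and nothing in this script will notice. The same literal also appears in the Caddy `default_bind` of hosts/pie/networking.nix and in the unbound local-data records in this series, so it belongs in one place (a `let` binding or a module option) that the three files reference, with a comment stating the assumption, e.g. `# IPv6 prefix is assumed static for this uplink; update here and the users of this address together`. The `let` block enclosing `getIP6` starts outside the hunk.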
@@ -32,16 +33,23 @@
 "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:3::\""
 "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
+ "\"droppie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
 "\"backup.b12f.io. 10800 IN A 10.0.1.3\""
+ "\"backup.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
 "\"pie.local. 10800 IN A 192.168.178.2\""
 "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
 "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"pie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"firefly.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"firefly-importer.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"paperless.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
+ "\"invoicing.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
 "\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
 "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
index ce9cb5b..3a21338 100644
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@@ -31,13 +31,19 @@ in {
 wg0 = {
 listenPort = 51899;
 address = cfg.ownIPs;
- dns = [ "10.0.1.2" ];
+ dns = [
+ "10.0.1.2"
+ "fd00:b12f:acab:1312:acab:2::"
+ ];
 privateKeyFile = cfg.wireguardPrivateKeyFile;
 peers = [
 {
 # frikandel
 publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
- allowedIPs = [ "10.0.1.0/24" ];
+ allowedIPs = [
+ "10.0.1.0/24"
+ "fd00:b12f:acab:1312:acab::/48"
+ ];
 endpoint = "[2a01:4f8:c2c:b60::]:51899";
 persistentKeepalive = 25;
 }