Configure static public IPv6 on control, ns1, ns2

clan.nix

@@ -29,6 +29,16 @@
       roles.server.tags.nixos = { };
     };
 
+    # Direct SSH to public IPs — clan's priority-1 connection path, with the
+    # ZeroTier mesh and Tor kept as automatic fallbacks. Raw IPs (not the
+    # ns1/ns2 DNS names) so reaching these hosts never depends on their own
+    # DNS being up.
+    internet = {
+      roles.default.machines.control.settings.host = "77.42.68.181";
+      roles.default.machines.ns1.settings.host = "46.224.170.206";
+      roles.default.machines.ns2.settings.host = "157.180.70.82";
+    };
+
     # Recovery root password for console access when a machine fails to boot.
     emergency-access = {
       roles.default.tags.nixos = { };

machines/control/configuration.nix

@@ -1,10 +1,17 @@
 {
   imports = [
     ../../modules/hetzner-firewall.nix
+    ../../modules/static-ipv6.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];
 
+  # Public IPv6; SLAAC doesn't bring it up here.
+  cnx.staticIPv6 = {
+    enable = true;
+    address = "2a01:4f9:c013:e6d0::1";
+  };
+
   time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
   services.timesyncd.enable = true;
 

machines/ns1/configuration.nix

@@ -5,10 +5,17 @@ in
 {
   imports = [
     ../../modules/dns/authoritative.nix
+    ../../modules/static-ipv6.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];
 
+  # Public IPv6 (matches the ns1 AAAA glue); SLAAC doesn't bring it up here.
+  cnx.staticIPv6 = {
+    enable = true;
+    address = "2a01:4f8:c014:b5c5::1";
+  };
+
   time.timeZone = "Etc/GMT-1"; # UTC+1 (fixed offset, no DST)
   services.timesyncd.enable = true;
 

machines/ns2/configuration.nix

@@ -5,10 +5,17 @@ in
 {
   imports = [
     ../../modules/dns/authoritative.nix
+    ../../modules/static-ipv6.nix
   ];
 
   clan.core.sops.defaultGroups = [ "admins" ];
 
+  # Public IPv6 (matches the ns2 AAAA glue); SLAAC doesn't bring it up here.
+  cnx.staticIPv6 = {
+    enable = true;
+    address = "2a01:4f9:c014:6d87::1";
+  };
+
   time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
   services.timesyncd.enable = true;
 

modules/static-ipv6.nix

@@ -0,0 +1,48 @@
+# Static public IPv6 for hosts where SLAAC/RA doesn't bring up a global
+# address (e.g. Hetzner, which allocates a /64 but expects you to pick one
+# address yourself and route via the link-local gateway fe80::1).
+{ lib, config, ... }:
+let
+  cfg = config.cnx.staticIPv6;
+in
+{
+  options.cnx.staticIPv6 = {
+    enable = lib.mkEnableOption "static public IPv6 on the primary interface";
+
+    address = lib.mkOption {
+      type = lib.types.str;
+      example = "2a01:4f8:c014:b5c5::1";
+      description = "Public IPv6 address (no prefix length).";
+    };
+
+    prefixLength = lib.mkOption {
+      type = lib.types.int;
+      default = 64;
+      description = "Prefix length of the allocated block.";
+    };
+
+    interface = lib.mkOption {
+      type = lib.types.str;
+      default = "enp1s0";
+      description = "Interface to assign the address to.";
+    };
+
+    gateway = lib.mkOption {
+      type = lib.types.str;
+      default = "fe80::1";
+      description = "IPv6 default gateway (Hetzner uses the link-local fe80::1).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.interfaces.${cfg.interface}.ipv6.addresses = [
+      {
+        inherit (cfg) address prefixLength;
+      }
+    ];
+    networking.defaultGateway6 = {
+      address = cfg.gateway;
+      interface = cfg.interface;
+    };
+  };
+}