verbena: configure IPv6 from tofu outputs

2025-11-21 21:15:35 +01:00
parent 3834f215f0
commit abaf429a38
4 changed files with 58 additions and 0 deletions
--- a/infra/README.md
+++ b/infra/README.md
@@ -19,3 +19,8 @@ tofu import hcloud_firewall.hcloud_firewall YYY
 ```

 For Hetzner Cloud, the resource IDs can be found in the URL of the admin console.
+
+## Outputs
+
+The nix configuration reads some values from the `outputs.json` file.
+When modifying these, the file should be regenerated with `tofu output -json > outputs.json`.
--- a/infra/outputs.json
+++ b/infra/outputs.json
@@ -0,0 +1,17 @@
+{
+  "verbena_gateway6": {
+    "sensitive": false,
+    "type": "string",
+    "value": "2001:41d0:305:2100::1"
+  },
+  "verbena_ipv4": {
+    "sensitive": false,
+    "type": "string",
+    "value": "51.68.122.153"
+  },
+  "verbena_ipv6": {
+    "sensitive": false,
+    "type": "string",
+    "value": "2001:41d0:305:2100::271e"
+  }
+}
--- a/infra/verbena.tf
+++ b/infra/verbena.tf
@@ -0,0 +1,20 @@
+output "verbena_ipv4" {
+  value = local.verbena_ipv4_addresses[0]
+}
+
+output "verbena_ipv6" {
+  value = local.verbena_ipv6_addresses[0]
+}
+
+output "verbena_gateway6" {
+  value = local.gateway6
+}
+
+locals {
+  hextets      = 4
+  parts        = split(":", local.verbena_ipv6_addresses[0])
+  prefix_parts = slice(local.parts, 0, local.hextets)
+  prefix_str   = join(":", local.prefix_parts)
+  gateway6     = "${local.prefix_str}::1"
+}
+
--- a/machines/verbena/configuration.nix
+++ b/machines/verbena/configuration.nix
@@ -1,4 +1,7 @@
 { self, lib, ... }:
+let
+  tf_outputs = builtins.fromJSON (builtins.readFile ../../infra/outputs.json);
+in
 {
  imports = [
    self.nixosModules.nix-defaults
@@ -16,6 +19,19 @@

  networking.useDHCP = lib.mkDefault true;

+  networking.defaultGateway6 = {
+    address = tf_outputs.verbena_gateway6.value;
+    interface = "ens3";
+  };
+  networking.interfaces."ens3" = {
+    ipv6.addresses = [
+      {
+        address = tf_outputs.verbena_ipv6.value;
+        prefixLength = 64;
+      }
+    ];
+  };
+
  clan.core.settings.state-version.enable = true;

  services.nginx = {