commit 210a029e037305f6ddc5c8e9ade3551a0993c3f3
parent fcb244919e36097032539685c6e65131ed0d087c
Author: Leah (ctucx) <git@ctu.cx>
Date: Tue, 17 Jan 2023 15:58:42 +0100
parent fcb244919e36097032539685c6e65131ed0d087c
Author: Leah (ctucx) <git@ctu.cx>
Date: Tue, 17 Jan 2023 15:58:42 +0100
machines/lollo: disable RA acceptance
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix @@ -40,6 +40,12 @@ efi.canTouchEfiVariables = true; }; + kernel.sysctl = { + "net.ipv6.conf.eno1.forwarding" = 0; + "net.ipv6.conf.eno1.autoconf" = 0; + "net.ipv6.conf.eno1.accept_ra" = 0; + }; + initrd.network = { enable = true; ssh = { @@ -50,6 +56,9 @@ }; postCommands = '' + sysctl -w net.ipv6.conf.eno1.autoconf=0 + sysctl -w net.ipv6.conf.eno1.accept_ra=0 + ip link set dev eno1 up ip addr add 2a0f:4ac0:acab::42/128 dev eno1 ip route add default via fe80::1afd:74ff:fe3b:8a10 dev eno1 onlink @@ -57,19 +66,23 @@ ip addr add 195.39.246.42/28 dev eno1 ip addr add 10.0.0.42/8 dev eno1 ip route add default via 195.39.246.41 dev eno1 onlink + echo 'cryptsetup-askpass' >> /root/.profile ''; }; }; + systemd.network.networks = { + "40-eno1".networkConfig.IPv6AcceptRA = false; + }; + networking = { useDHCP = false; nameservers = [ "8.8.8.8" ]; defaultGateway = "195.39.246.41"; defaultGateway6 = { - interface = "eno1"; - address = "fe80::1afd:74ff:fe3b:8a10"; + address = "2a0f:4ac0:acab::1"; }; interfaces.eno1 = { @@ -91,6 +104,8 @@ }; firewall.enable = true; + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; }; environment.persistence."/nix/persist" = { @@ -138,9 +153,6 @@ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ]; - networking.firewall.allowedTCPPorts = [ 5201 ]; - networking.firewall.allowedUDPPorts = [ 5201 ]; - services.email-notify.enable = true; system.stateVersion = "22.05"; # Did you read the comment?
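Review bot: The new `kernel.sysctl` block in the first hunk hardens only `eno1`, so an interface that appears under any other name (a second NIC, or this one before it is renamed) keeps the kernel default and still accepts router advertisements. If the intent is that this host never autoconfigures from RAs, adding `"net.ipv6.conf.default.accept_ra" = 0;` and `"net.ipv6.conf.default.autoconf" = 0;` beside the per-interface keys would cover interfaces created later. A one-line comment such as `# static addressing only: ignore RAs so an on-link host cannot inject routes or addresses` would record why the keys exist. The enclosing attribute set opens outside the hunk.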
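Review bot: The two `sysctl -w` lines added to `postCommands` in the second hunk are unchecked, so a failed write would go unnoticed if `eno1` does not yet exist under that name when they run. Unless the surrounding script aborts on error, which is not visible here, `ip link set dev eno1 up` then proceeds with RA acceptance still on while the initrd SSH unlock is reachable. Making the failure visible would be enough, e.g. `sysctl -w net.ipv6.conf.eno1.accept_ra=0 || echo "eno1: accept_ra not disabled" >&2`. The `postCommands` string begins before this hunk and ends in the next one.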
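Review bot: In the third hunk `defaultGateway6` now points at the global address `2a0f:4ac0:acab::1` and drops `interface = "eno1";`, while the initrd in the same file configures `2a0f:4ac0:acab::42/128` and still routes via `fe80::1afd:74ff:fe3b:8a10 ... onlink`. If the stage-2 address on `eno1` is also a /128 (its definition is outside this hunk), the new gateway is not on-link and the default route may fail to install; with RAs now ignored, nothing would supply a fallback route. Keeping `interface = "eno1";` next to the new `address` line, and using the same gateway in the initrd route, would make the two boot stages consistent. Separately, `"40-eno1"` appears to rely on the unit name NixOS generates for `interfaces.eno1`, and a short comment saying so would help the next reader.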
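Review bot: The relocated `firewall.allowedTCPPorts` and `firewall.allowedUDPPorts` entries in the fourth hunk keep port 5201 open on a host with a public address, with no comment naming the service behind it. 5201 is the default iperf3 port, so this is presumably a throughput-test listener. If so, a comment such as `# iperf3 (ad-hoc throughput tests) — TODO confirm` would document it, and the rule could be dropped when no test is running. The `networking` set opens in the previous hunk and continues past this one.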