author Irene Knapp <ireneista@internetsafetylabs.org> 2025-10-20 20:30:57 -0700
committer Irene Knapp <ireneista@internetsafetylabs.org> 2025-10-20 20:32:14 -0700
commit cedd0fee03e9ea896a7420dc79dcd51701320551
tree 31e9e590218dd1574e734592f159fae0e1bdff4d /services/frontend/haproxy.nix
parent 7987c3d069ea6c2adb3c06d4bada0cef1121948b

haproxy needs to listen on IPv6
this came up during the server migration - the ACME cert failed because
it was only listening on IPv4, and the new machine also does IPv6

Force-Push: it's been a long ops day and I just want this fully squared away, sorry
Change-Id: Ic0a721c78059427dd38b99ff41d3e1c0566ac1cb
Diffstat (limited to 'services/frontend/haproxy.nix')
-rw-r--r-- services/frontend/haproxy.nix 5
1 files changed, 5 insertions, 0 deletions
diff --git a/services/frontend/haproxy.nix b/services/frontend/haproxy.nix
index c39fc04..8bef462 100644
--- a/services/frontend/haproxy.nix
+++ b/services/frontend/haproxy.nix
@@ -166,6 +166,11 @@ in
                  (map (name: "crt " + name + "/full.pem") [
                    config.smalltech.domain
                  ]))
+          ("bind ipv6@:443 ssl alpn h2,http/1.2 "
+           + builtins.concatStringsSep " "
+                 (map (name: "crt " + name + "/full.pem") [
+                   config.smalltech.domain
+                 ]))
 
           # Since this traffic is on the HTTPS port, we override the default
           # TCP mode.
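
Review bot: the ALPN list on the new `bind ipv6@:443` line reads `h2,http/1.2`, and `http/1.2` is not a registered ALPN protocol ID; HTTP/1.1 is advertised as `http/1.1`, so as written a client that does not offer h2 has no protocol in common with this listener. If the IPv4 bind above the hunk carries the same string, correct both. The `crt` list expression is also repeated verbatim from the context lines at the top of the hunk; binding it once in a `let` and reusing it in both bind strings would keep the certificate set for the two address families from drifting apart. Only the port 443 listener is touched in this file, so if the ACME challenge mentioned in the commit message is answered on another port, that listener needs the same IPv6 bind.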