From cedd0fee03e9ea896a7420dc79dcd51701320551 Mon Sep 17 00:00:00 2001
From: Irene Knapp <ireneista@internetsafetylabs.org>
Date: Mon, 20 Oct 2025 20:30:57 -0700
Subject: haproxy needs to listen on IPv6

this came up during the server migration - the ACME cert failed because
it was only listening on IPv4, and the new machine also does IPv6

Force-Push: it's been a long ops day and I just want this fully squared away, sorry
Change-Id: Ic0a721c78059427dd38b99ff41d3e1c0566ac1cb
---
 services/frontend/haproxy.nix | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'services/frontend')

diff --git a/services/frontend/haproxy.nix b/services/frontend/haproxy.nix
index c39fc04..8bef462 100644
--- a/services/frontend/haproxy.nix
+++ b/services/frontend/haproxy.nix
@@ -166,6 +166,11 @@ in
                  (map (name: "crt " + name + "/full.pem") [
                    config.smalltech.domain
                  ]))
+          ("bind ipv6@:443 ssl alpn h2,http/1.2 "
+           + builtins.concatStringsSep " "
+                 (map (name: "crt " + name + "/full.pem") [
+                   config.smalltech.domain
+                 ]))
 
           # Since this traffic is on the HTTPS port, we override the default
           # TCP mode.
-- 
cgit 1.4.1