Ipv6 support for https://nixos.org

[Mic92]

Issue description

According to this document https://aws.amazon.com/blogs/aws/aws-ipv6-update-global-support-spanning-15-regions-multiple-aws-services/ there is ipv6 support for eu-west-1, where the website is apparently hosted. When we also have ipv6 support for the homepage, ipv6 support is complete.

Steps to reproduce

$ dig AAAA nixos.org

; <<>> DiG 9.10.4-P6 <<>> AAAA nixos.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27168
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nixos.org.                     IN      AAAA

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 25 10:03:41 CEST 2017
;; MSG SIZE  rcvd: 38

Things to solve this issue:

• [ ] Add ipv6 support for AWS in nixops
• [ ] Allocate an ipv6 subnet in nixos-homepage

[Mic92]

Does nixops support ipv6 allocations? If yes, I could give it a try.

[MrSorcus]

Up. Can't install/upgrade NixOS without IPv4. It's so sad.

[Mic92]

Nixops cannot handle ipv6 completely for aws, some remaining parts have to be upgraded to boto3 for that.

[Mic92]

https://github.com/NixOS/nixops/search?utf8=%E2%9C%93&q=boto&type=

[vcunat]

Up. Can't install/upgrade NixOS without IPv4. It's so sad.

cache.nixos.org has IPv6, and I think it's been so for a long time.

[Mic92]

it does not help because you still need nixos.org for channels: https://nixos.org/channels/

[lschuermann]

I'm not a big fan of Cloudflare in general, but I think they are offering a hotfix that might work in this situation. I don't know how their DDoS protection and captcha nonsense will behave with all the Nix clients however.

Regardless, IPv6 on the main website shouldn't be something that needs to be discussed in 2018. This is completely breaking my v6-only setup and makes me pretty sad. :( As https://nixos.org/channels only serves redirects to the cloudfront.net sites and therefore shouldn't cause too much load, I've now setup a proxy on a small shared hoster, effectively MITM'ing myself. Seems to be the most elegant solution in the meantime.

[vcunat]

Tangential thought: for v6-only machines I would expect it's usually practical to have some more general fallback solution anyway, e.g. NAT64 + DNS64. EDIT: though I can see that nixos channels might be the only problem for some use cases.

[bchallenor]

I would like to see this too. I have some hosts that I am trying to make IPv6-only, but cannot because of nixos.org/channels.

[rkeene]

This is holding back my use of Nix on my IPv6-only hosts (which vastly outnumber my IPv4-capable hosts at this point) as well.

[Mic92]

Please use the reaction actions in github instead of posting me too posts.

[bennofs]

This is not only important for nixos.org/channels but also for nixos.org/releases which makes it hard to setup a nix remote builder on ipv6-only hosts (which are often cheaper).

[vcunat]

On a brief look I'd expect this is all solved now. I see AAAA for nixos.org, channels.nixos.org and releases.nixos.org (all CloudFront).

[davidak]

IPv6 work for https://nixos.org but this check shows that the DNS server don't support it.

https://ipv6-test.com/validate.php

[vcunat]

Oh, right. In the worst case, people can work around that e.g. by utilizing some public resolver, but it's not ideal.

[zimbatm]

It's because we are still using the domain registrar DNS. These could be switched to using Netflify as a DNS provider.

[vcunat]

The current provider is NS1 (looking at the DNS records), and they say they plan to add IPv6 everywhere (regardless of our case). Still, I suspect you planned to switch DNS for other reasons anyway (tighter integration?).

[zimbatm]

Eelco is the only one who has access to the name registrar.

[Mic92]

Alternatively one could also cloudflare (they also support to be used for DNS hosting without the proxy stuff) or Hetzner (https://www.hetzner.de/dns-console) with no extra cost.

[vcunat]

IPv6 work for https://nixos.org but this check shows that the DNS server don't support it.

This shows green now 📈 No other problem remains, I expect?

[davidak]

I see no issues. We can close it.

When anyone has any issues, they can open a new one.

[davidak]

I see no issues. We can close it.

When anyone has any issues, they can open a new one.