From 96eebb817d0278f8e212184010e140dca8a78a97 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Mon, 11 Nov 2024 00:36:40 +0000
Subject: [PATCH] bvm-forgejo: changes to better support IPv6 mailing

---
 ops/nixos/bvm-forgejo/default.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ops/nixos/bvm-forgejo/default.nix b/ops/nixos/bvm-forgejo/default.nix
index 55d3b4adf8..0b4a721262 100644
--- a/ops/nixos/bvm-forgejo/default.nix
+++ b/ops/nixos/bvm-forgejo/default.nix
@@ -43,6 +43,11 @@ in {
   };
   my.ip.tailscale = "100.103.26.78";
   my.ip.tailscale6 = "fd7a:115c:a1e0::8d01:1a4e";
+  boot.kernel.sysctl = {
+    # We have statically-configured v6.
+    "net.ipv6.conf.all.accept_ra" = 0;
+    "net.ipv6.conf.default.accept_ra" = 0;
+  };
 
   services.openssh.ports = [ 20022 ];
   my.deploy.args = "-p 20022";
@@ -60,13 +65,13 @@ in {
       smtpd_milters = ${config.services.opendkim.socket}
       non_smtpd_milters = ${config.services.opendkim.socket}
     '';
-    networks = [ "172.17.0.0/16" ];
   };
   services.opendkim = {
     enable = true;
     domains = "csl:git.lukegb.com";
     selector = "bvm-forgejo";
   };
+  systemd.services.opendkim.serviceConfig.UMask = lib.mkForce "0007";
 
   services.pomerium = {
     settings = {