feat(web-arm): inbound IPv6 pilot — AAAA for web-arm.cloonar.com #82

New issue

Open

opened 2026-06-03 15:34:10 +02:00 by dominik.polakovics · 0 comments

dominik.polakovics commented 2026-06-03 15:34:10 +02:00

Owner

Copy link

What to build

Publish a single AAAA record web-arm.cloonar.com -> 2a01:4f8:c012:43b::1 (in the Hetzner-hosted cloonar.com zone), then confirm a real IPv6 client reaches web-arm end-to-end over v6 with a valid TLS cert. This proves the inbound path on a zero-user-impact name before any production site is dual-stacked.

DNS for this fleet lives in the provider consoles (Hetzner DNS / Cloudflare), not in this repo (updns only manages 2 dynamic names). So this is a manual DNS change plus live verification, not a code change.

Acceptance criteria

• AAAA web-arm.cloonar.com -> 2a01:4f8:c012:43b::1 exists and resolves
• An IPv6 client reaches the host (curl -6 https://web-arm.cloonar.com) and gets the expected response
• TLS cert validates over the v6 path (lego/Let's Encrypt unaffected)
• No regression for IPv4 clients

Blocked by

• #81 — static IPv6 foundation must be deployed and 2a01:4f8:c012:43b::1 reachable over v6 first

## What to build Publish a single AAAA record `web-arm.cloonar.com -> 2a01:4f8:c012:43b::1` (in the Hetzner-hosted `cloonar.com` zone), then confirm a real IPv6 client reaches web-arm end-to-end over v6 with a valid TLS cert. This proves the inbound path on a zero-user-impact name before any production site is dual-stacked. DNS for this fleet lives in the provider consoles (Hetzner DNS / Cloudflare), not in this repo (`updns` only manages 2 dynamic names). So this is a manual DNS change plus live verification, not a code change. ## Acceptance criteria - [ ] AAAA `web-arm.cloonar.com -> 2a01:4f8:c012:43b::1` exists and resolves - [ ] An IPv6 client reaches the host (`curl -6 https://web-arm.cloonar.com`) and gets the expected response - [ ] TLS cert validates over the v6 path (lego/Let's Encrypt unaffected) - [ ] No regression for IPv4 clients ## Blocked by - #81 — static IPv6 foundation must be deployed and `2a01:4f8:c012:43b::1` reachable over v6 first

dominik.polakovics added the

needs-triage

label 2026-06-03 15:34:10 +02:00

dominik.polakovics referenced this issue 2026-06-03 15:34:24 +02:00

feat(web-arm): inbound IPv6 bulk rollout — sibling AAAA for all web-arm domains #83

dominik.polakovics referenced this issue 2026-06-03 16:16:50 +02:00

feat(web-arm): static IPv6 address, route, and Postfix v4-pin #81

dominik.polakovics referenced this issue 2026-06-03 16:23:23 +02:00

feat(web-arm): static outbound IPv6 with Postfix pinned to IPv4 #84

dominik.polakovics referenced this issue 2026-06-05 11:22:56 +02:00

fix(mail): claim inbound IPv6 (2a01:4f8:c012:9d85::2) so IMAP/MX over v6 work; pin Postfix outbound to v4 #97

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/epicenter-vm-disk-128g

fix/lab-pin-opus-4-8

feat/diag-on-internal-vms

feat/dev-lab

feat/fw-cpu-priorities-and-nix-shell

No results found.

Labels

Clear labels   

bug

  

enhancement

  

in-progress

  

needs-info

  

needs-triage

  

p0

  

ready-for-agent

  

ready-for-human

  

wontfix

No labels

bug

enhancement

in-progress

needs-info

needs-triage

p0

ready-for-agent

ready-for-human

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Cloonar/nixos#82

No description provided.