# sixnix

My ISP gives me a single `/64`, and it is dynamically assigned, so I cannot have multiple networks with functional autoconfiguration. One solution is to use one of the 4to6 [tunnel brokers](https://tunnelbroker.services/), like the one offered by [Hurricane Electric](https://tunnelbroker.net/). Since my ISP uses CGNAT, this setup is tricky if not impossible.

Fortunately, Linode provides a free `/56` to customers, and the cheapest VPS costs just $5/month. A `/56` gives you 256 `/64` subnets. The following table provides an example where you can have 15 delegations of `/60` and use the 16th `/60` for the WireGuard peer addressing.

| Client subnet      | WireGuard subnet    |    |
|--------------------|---------------------|----|
| 2001:0db8::/60     | 2001:0db8:0:f0::/64 | 1  |
| 2001:db8:0:10::/60 | 2001:db8:0:f1::/64  | 2  |
| 2001:db8:0:20::/60 | 2001:db8:0:f2::/64  | 3  |
| 2001:db8:0:30::/60 | 2001:db8:0:f3::/64  | 4  |
| 2001:db8:0:40::/60 | 2001:db8:0:f4::/64  | 5  |
| 2001:db8:0:50::/60 | 2001:db8:0:f5::/64  | 6  |
| 2001:db8:0:60::/60 | 2001:db8:0:f6::/64  | 7  |
| 2001:db8:0:70::/60 | 2001:db8:0:f7::/64  | 8  |
| 2001:db8:0:80::/60 | 2001:db8:0:f8::/64  | 9  |
| 2001:db8:0:90::/60 | 2001:db8:0:f9::/64  | 10 |
| 2001:db8:0:a0::/60 | 2001:db8:0:fa::/64  | 11 |
| 2001:db8:0:b0::/60 | 2001:db8:0:fb::/64  | 12 |
| 2001:db8:0:c0::/60 | 2001:db8:0:fc::/64  | 13 |
| 2001:db8:0:d0::/60 | 2001:db8:0:fd::/64  | 14 |
| 2001:db8:0:e0::/60 | 2001:db8:0:fe::/64  | 15 |

| Host                  | Subnet              |
|-----------------------|---------------------|
| wireguard.example.com | 2001:0db8:0:ff::/64 |
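
The plan in the tables above can be derived and checked mechanically. The following Python sketch is an added example, not code from this repo: it rebuilds the plan from a `/56` and flags WireGuard `AllowedIPs` entries that fall outside a peer's own row, which matters because `AllowedIPs` is also the source filter for packets arriving from that peer. The names `plan`, `audit` and `SAMPLE` are assumptions for illustration, using the documentation prefix from the table.

```python
import ipaddress


def plan(prefix):
    """Split a /56 as in the tables: 15 client /60s, tunnel /64s from the 16th /60."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 56:
        raise ValueError("expected an IPv6 /56")
    sixties = list(net.subnets(new_prefix=60))          # 16 x /60
    tunnels = list(sixties[15].subnets(new_prefix=64))  # 16 x /64 from the last /60
    # peer id -> (delegated /60, tunnel /64); the last tunnel /64 is the host's
    peers = {i + 1: (sixties[i], tunnels[i]) for i in range(15)}
    return peers, tunnels[15]


def audit(prefix, declared):
    """Return (peer_id, entry) for every AllowedIPs entry outside that peer's row.

    `declared` maps a peer id to the AllowedIPs strings configured for it on
    the server. An unknown peer id has no row, so all of its entries are flagged.
    """
    peers, _host = plan(prefix)
    findings = []
    for peer_id, entries in sorted(declared.items()):
        own = peers.get(peer_id, ())
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            inside = net.version == 6 and any(net.subnet_of(o) for o in own)
            if not inside:
                findings.append((peer_id, entry))
    return findings


# Constructed sample, not taken from the repo's configuration.
SAMPLE = {
    1: ["2001:db8::/60", "2001:db8:0:f0::/64"],       # matches row 1
    2: ["2001:db8::/56"],                              # whole allocation: too wide
    3: ["2001:db8:0:20::/60", "2001:db8:0:f4::/64"],  # second entry is row 5's tunnel
}

if __name__ == "__main__":
    for peer_id, entry in audit("2001:db8::/56", SAMPLE):
        print(f"peer {peer_id}: {entry} is outside its assigned subnets")
```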

You can follow Linode's [NixOS installation guide](https://www.linode.com/docs/guides/install-nixos-on-linode/) and/or use this repo as a reference to set up your WireGuard tunnels.

- set up sops and add secrets in `secrets/secrets.yaml`
- ssh and user account settings in `modules/access.nix`
- egress and WireGuard configs in `modules/network.nix`