From a078edd621120f092c5b75bee9c95fc68196c1be Mon Sep 17 00:00:00 2001
From: Zen Fu <zen@systemli.org>
Date: Wed, 26 Mar 2025 11:25:33 -0300
Subject: [PATCH] disable IPv6 in apt.lizard

Time-based APT snapshots of debian-security have been failing, the
probable cause being instability in the connection between our colo and
Fastly.

Unfortunately, official mirrors for debian-security seem to be all
behind Fastly, and Debian doesn't encourage the use of unofficial
debian-security mirrors:

    Q: Why are there no official mirrors for security.debian.org?

    A: Actually, there are. There are several official mirrors, implemented
    through DNS aliases. The purpose of security.debian.org is to make
    security updates available as quickly and easily as possible.

    Encouraging the use of unofficial mirrors would add extra complexity
    that is usually not needed and that can cause frustration if these
    mirrors are not kept up to date.

    https://www.debian.org/security/faq#mirror

Weirdly, and even though we don't use IPv6, looks like having it enabled
in the kernel could be a trigger for this issue, so we disable it using
sysctl.

refs tpo/tpa/tails-sysadmin#18197
---
 hieradata/node/apt.lizard.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hieradata/node/apt.lizard.yaml b/hieradata/node/apt.lizard.yaml
index 3564e45..09c6b6c 100644
--- a/hieradata/node/apt.lizard.yaml
+++ b/hieradata/node/apt.lizard.yaml
@@ -37,6 +37,8 @@ tails::profile::reprepro::custom::email_recipient: rm@tails.net
 tails::profile::reprepro::custom::git_remote: git://puppet-git.lizard/tails.git
 tails::profile::reprepro::custom::onion_v3_hostname: umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion
 tails::profile::reprepro::snapshots::time_based::email_recipient: rm@tails.net
+tails::profile::sysctl::values:
+  net.ipv6.conf.all.disable_ipv6: 1
 tails::profile::firewall::public_services:
   'SSH':
     proto: tcp
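Review bot: the new `net.ipv6.conf.all.disable_ipv6: 1` entry under `tails::profile::sysctl::values` carries no comment saying why IPv6 is turned off on this node. The commit message describes it as a workaround for a probable trigger of the failing debian-security snapshots, so a YAML comment above the key pointing to tpo/tpa/tails-sysadmin#18197 would tell a later reader of this file that the setting can be revisited once the connection issue is understood. It is also worth confirming that no other Hiera layer defines `tails::profile::sysctl::values` for this node, because whether the hashes are merged or this one replaces the others cannot be seen from this hunk.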
-- 
GitLab