nixos/boxes/colony/default.nix

@@ -60,8 +60,8 @@ in
           kernelPackages = (lib.my.c.kernel.lts pkgs).extend (self: super: {
             kernel = super.kernel.override {
               structuredExtraConfig = with lib.kernel; {
-                ACPI_APEI_PCIEAER = yes;
+                #SOME_OPT = yes;
-                PCIEAER = yes;
+                #A_MOD = module;
               };
             };
           });
@@ -150,12 +150,12 @@ in
             "serial-getty@ttyS1".enable = true;
             lvm-activate-main = {
               description = "Activate remaining LVs";
-              unitConfig.DefaultDependencies = false;
+              before = [ "local-fs-pre.target" ];
               serviceConfig = {
                 Type = "oneshot";
                 ExecStart = "${pkgs.lvm2.bin}/bin/vgchange -aay main";
               };
-              wantedBy = [ "local-fs-pre.target" ];
+              wantedBy = [ "sysinit.target" ];
             };
 
             rsync-lvm-meta = {

nixos/boxes/colony/vms/estuary/default.nix

@@ -9,7 +9,6 @@ in
     vpns = {
       l2 = {
         as211024 = {
-          udpEncapsulation = true;
           vni = 211024;
           security.enable = true;
           peers = {

nixos/default.nix

@@ -135,7 +135,6 @@ let
       ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
       baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
       l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
-      udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
       firewall = mkBoolOpt' true "Whether to generate firewall rules.";
       vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
       peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";

nixos/modules/l2mesh.nix

@@ -36,8 +36,8 @@ let
         espOverhead =
           if (!mesh.security.enable) then 0
           else
-            # UDP encap + SPI + seq + IV + pad / header + ICV
+            # SPI + seq + IV + pad / header + ICV
-            (if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
+            4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
         # UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
         overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
       in
@@ -62,11 +62,7 @@ let
       chain l2mesh-${name} {
         ${optionalString mesh.security.enable ''
           udp dport isakmp accept
-          ${if mesh.udpEncapsulation then ''
+          meta l4proto esp accept
-            udp dport ipsec-nat-t accept
-          '' else ''
-            meta l4proto esp accept
-          ''}
         ''}
         ${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
         return
@@ -98,7 +94,6 @@ let
           esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
           ikev2=yes
           modecfgpull=no
-          encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
         '';
       })
     otherPeers);