nixos/colony: Fix LVM activatio dependency cycle

nixos/colony: Enable PCIe AER
nixos/l2mesh: Add option to enable UDP encapsulation
2024-03-23 13:25:32 +00:00 · 2024-03-23 12:45:59 +00:00 · 2024-03-23 12:14:26 +00:00
4 changed files with 14 additions and 7 deletions
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -60,8 +60,8 @@ in
          kernelPackages = (lib.my.c.kernel.lts pkgs).extend (self: super: {
            kernel = super.kernel.override {
              structuredExtraConfig = with lib.kernel; {
-                #SOME_OPT = yes;
-                #A_MOD = module;
+                ACPI_APEI_PCIEAER = yes;
+                PCIEAER = yes;
              };
            };
          });
@@ -150,12 +150,12 @@ in
            "serial-getty@ttyS1".enable = true;
            lvm-activate-main = {
              description = "Activate remaining LVs";
-              before = [ "local-fs-pre.target" ];
+              unitConfig.DefaultDependencies = false;
              serviceConfig = {
                Type = "oneshot";
                ExecStart = "${pkgs.lvm2.bin}/bin/vgchange -aay main";
              };
-              wantedBy = [ "sysinit.target" ];
+              wantedBy = [ "local-fs-pre.target" ];
            };

            rsync-lvm-meta = {
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -9,6 +9,7 @@ in
    vpns = {
      l2 = {
        as211024 = {
+          udpEncapsulation = true;
          vni = 211024;
          security.enable = true;
          peers = {
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -135,6 +135,7 @@ let
      ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
      baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
      l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
+      udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
      firewall = mkBoolOpt' true "Whether to generate firewall rules.";
      vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
      peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";
--- a/nixos/modules/l2mesh.nix
+++ b/nixos/modules/l2mesh.nix
@@ -36,8 +36,8 @@ let
        espOverhead =
          if (!mesh.security.enable) then 0
          else
-            # SPI + seq + IV + pad / header + ICV
-            4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
+            # UDP encap + SPI + seq + IV + pad / header + ICV
+            (if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
        # UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
        overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
      in
@@ -62,7 +62,11 @@ let
      chain l2mesh-${name} {
        ${optionalString mesh.security.enable ''
          udp dport isakmp accept
-          meta l4proto esp accept
+          ${if mesh.udpEncapsulation then ''
+            udp dport ipsec-nat-t accept
+          '' else ''
+            meta l4proto esp accept
+          ''}
        ''}
        ${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
        return
@@ -94,6 +98,7 @@ let
          esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
          ikev2=yes
          modecfgpull=no
+          encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
        '';
      })
    otherPeers);
Author	SHA1	Message	Date
Jack O'Sullivan	5ccf19cab8	nixos/colony: Fix LVM activatio dependency cycle All checks were successful CI / Check, build and cache Nix flake (push) Successful in 35m28s Details	2024-03-23 13:25:32 +00:00
Jack O'Sullivan	7b61dd7f03	nixos/colony: Enable PCIe AER	2024-03-23 12:45:59 +00:00
Jack O'Sullivan	682865a0e1	nixos/l2mesh: Add option to enable UDP encapsulation	2024-03-23 12:14:26 +00:00