nixos/routing-common: Fix keepalived link-local addresses

nixos/routing-common: Fix Cloudflare
nixos: Add tcpdump on all machines
2026-03-16 15:12:46 +00:00 · 2026-03-16 13:37:16 +00:00 · 2026-03-16 13:33:08 +00:00 · 2026-03-10 21:27:14 +00:00 · 2026-03-08 14:36:07 +00:00 · 2026-03-07 17:09:50 +00:00
10 changed files with 71 additions and 48 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -90,11 +90,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1763938834,
+        "lastModified": 1772560058,
-        "narHash": "sha256-j8iB0Yr4zAvQLueCZ5abxfk6fnG/SJ5JnGUziETjwfg=",
+        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "d9e753122e51cee64eb8d2dddfe11148f339f5a2",
+        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
        "type": "github"
      },
      "original": {
@@ -264,11 +264,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1763759067,
+        "lastModified": 1772408722,
-        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
        "type": "github"
      },
      "original": {
@@ -474,16 +474,15 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1765032623,
+        "lastModified": 1772679279,
-        "narHash": "sha256-BbtN5NFN2RU3KP2TLA6zOoiv5MZXWqN1mXxIkKY8Kx4=",
+        "narHash": "sha256-ockL9qWhamkGgBYnJHTvt1oHdRvGfbS36kW9WpOhzec=",
-        "owner": "devplayer0",
+        "owner": "nix-community",
        "repo": "harmonia",
-        "rev": "310e2b2c6583710c52531785f1245d9621284310",
+        "rev": "4e9e03e04467b50575f6b05c8abee12407418106",
        "type": "github"
      },
      "original": {
-        "owner": "devplayer0",
+        "owner": "nix-community",
        "ref": "cache-config-daemon-store",
        "repo": "harmonia",
        "type": "github"
      }
@@ -589,11 +588,11 @@
    "nix": {
      "flake": false,
      "locked": {
-        "lastModified": 1764532838,
+        "lastModified": 1772224943,
-        "narHash": "sha256-hw4J7wfqXWBCvsMVXPS4nvkcSeTXAtR5h9Ylv7a7dBA=",
+        "narHash": "sha256-jJIlRLPPVYu860MVFx4gsRx3sskmLDSRWXXue5tYncw=",
        "owner": "nixos",
        "repo": "nix",
-        "rev": "8be9507a88f466dd44e6e56cd00167fa10e995b8",
+        "rev": "0acd0566e85e4597269482824711bcde7b518600",
        "type": "github"
      },
      "original": {
@@ -641,11 +640,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1770847929,
+        "lastModified": 1773177937,
-        "narHash": "sha256-cxvC73HcT9OP67g4KNMYbJyGwAuZLvG4vNBMqFjEdxw=",
+        "narHash": "sha256-HY4jRsp70w4cCID7ScA79wB+y45n2scr3Qz/N+0352I=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "3a9b7ab539186d4e9bb3c664cb4617ebd423f0bc",
+        "rev": "7d4f41507e7519949f6847e050cc0df87ce776d3",
        "type": "github"
      },
      "original": {
@@ -1053,11 +1052,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761311587,
+        "lastModified": 1772660329,
-        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -35,8 +35,8 @@
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    # harmonia.url = "github:nix-community/harmonia";
+    harmonia.url = "github:nix-community/harmonia";
-    harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
+    # harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
    harmonia.inputs.nixpkgs.follows = "nixpkgs-unstable";
    # Packages not in nixpkgs
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -262,7 +262,7 @@ in
                signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
                settings = {
                  priority = 30;
-                  daemon_store = "/nix/store";
+                  virtual_nix_store = "/nix/store";
                  real_nix_store = "/var/lib/harmonia/nix/store";
                };
              };
--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -118,6 +118,7 @@ in
            };
          };
          blueman.enable = true;
          avahi.enable = true;
        };
        programs = {
@@ -161,6 +162,7 @@ in
          network = {
            netdevs = mkMerge [
              (mkVLAN "lan-hi" vlans.hi)
              (mkVLAN "lan-lo" vlans.lo)
            ];
            links = {
              "10-et2.5g" = {
@@ -182,7 +184,7 @@ in
            networks = {
              "30-et100g" = {
                matchConfig.Name = "et100g";
-                vlan = [ "lan-hi" ];
+                vlan = [ "lan-hi" "lan-lo" ];
                networkConfig.IPv6AcceptRA = false;
              };
              "40-lan-hi" = mkMerge [
@@ -190,6 +192,22 @@ in
                # So we don't drop the IP we use to connect to NVMe-oF!
                { networkConfig.KeepConfiguration = "static"; }
              ];
              "45-lan-lo" = {
                matchConfig.Name = "lan-lo";
                networkConfig = {
                  DHCP = "ipv4";
                  IPv6AcceptRA = true;
                  UseDomains = false;
                };
                dhcpV4Config = {
                  UseDNS = false;
                  UseGateway = false;
                };
                ipv6AcceptRAConfig = {
                  UseDNS = false;
                  UseGateway = false;
                };
              };
            };
          };
        };
--- a/nixos/boxes/home/routing-common/dns_update.py
+++ b/nixos/boxes/home/routing-common/dns_update.py
@@ -33,7 +33,7 @@ def main():
    print(f'Updating {args.record} -> {address}')
    cf.dns.records.edit(
-        zone_id=zone.id, dns_record_id=record.id,
+        zone_id=zone.id, dns_record_id=record.id, name=args.record,
        type='A', content=address)
 if __name__ == '__main__':
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -165,6 +165,28 @@ in
                }
              ];
            }
            {
              id = 3;
              subnet = prefixes.untrusted.v4;
              interface = "lan-untrusted";
              option-data = [
                {
                  name = "routers";
                  data = vips.untrusted.v4;
                }
                {
                  name = "domain-name-servers";
                  data = "1.1.1.1, 1.0.0.1";
                }
              ];
              pools = [
                {
                  pool = if index == 0
                    then "192.168.80.10 - 192.168.80.127"
                    else "192.168.80.128 - 192.168.80.250";
                }
              ];
            }
          ];
          ddns-send-updates = true;
          ddns-replace-client-name = "when-not-present";
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -20,10 +20,7 @@ let
  };
  vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
-  vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
+  vrrpIPs = family: concatMap (vlan: [
      addr = "fe80::1/64";
      dev = vlanIface vlan;
    }) ++ [
    {
      addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
      dev = vlanIface vlan;
@@ -64,6 +61,9 @@ in
        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            virtual_ipaddress_excluded {
              ${concatMapStringsSep "\n" (vlan: "fe80::1/64 dev ${vlanIface vlan}") (attrNames vips)}
            }
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
            notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
          '';
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -139,6 +139,7 @@ in
          bash-completion
          git
          unzip
          tcpdump
        ]
        (mkIf config.services.netdata.enable [ netdata ])
      ];
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -5,23 +5,10 @@ let
  cfg = config.my.netboot;
  # Newer releases don't boot on desktop?
  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
    version = "1.21.1-unstable-2024-06-27";
    src = pkgs.fetchFromGitHub {
      owner = "ipxe";
      repo = "ipxe";
      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
    # This upstream patch (in newer versions) is needed for newer GCC
    patches = (if (o ? patches) then o.patches else []) ++ [ ./fix-uninitialised-var.patch ];
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
-      path = "${ipxe}/ipxe.efi";
+      path = "${pkgs.ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
--- a/nixos/modules/server.nix
+++ b/nixos/modules/server.nix
@@ -36,10 +36,6 @@ in
    };
    documentation.nixos.enable = mkDefault' false;
    environment.systemPackages = with pkgs; [
      tcpdump
    ];
  };
  meta.buildDocsInSandbox = false;
Author	SHA1	Message	Date
Jack O'Sullivan	2bf18319c9	nixos/routing-common: Fix keepalived link-local addresses All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h17m1s Details	2026-03-16 15:12:46 +00:00
Jack O'Sullivan	a394b9124a	nixos/routing-common: Fix Cloudflare	2026-03-16 13:37:16 +00:00
Jack O'Sullivan	5bc48d33a3	nixos: Add tcpdump on all machines	2026-03-16 13:33:08 +00:00
Jack O'Sullivan	365ef5d49d	Update nixpkgs for terraria-server All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m49s Details	2026-03-10 21:27:14 +00:00
Jack O'Sullivan	0206d52fa2	nixos/netboot: Remove pinned iPXE All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h15m47s Details	2026-03-08 14:36:07 +00:00
Jack O'Sullivan	5526e07e65	Update harmonia Some checks failed CI / Check, build and cache nixfiles (push) Failing after 2h25m26s Details	2026-03-07 17:09:50 +00:00
Jack O'Sullivan	dde682390f	nixos/castle: Add lan-lo Some checks failed CI / Check, build and cache nixfiles (push) Failing after 6m27s Details	2026-03-04 21:30:53 +00:00
Jack O'Sullivan	4ec59a64ce	nixos/home/routing-common: Add DHCP pool for untrusted LAN	2026-03-03 20:15:45 +00:00