nixos/routing-common: Fix keepalived link-local addresses

nixos/routing-common: Fix Cloudflare
nixos: Add tcpdump on all machines
2026-03-16 15:12:46 +00:00 · 2026-03-16 13:37:16 +00:00 · 2026-03-16 13:33:08 +00:00 · 2026-03-10 21:27:14 +00:00 · 2026-03-08 14:36:07 +00:00 · 2026-03-07 17:09:50 +00:00
16 changed files with 146 additions and 52 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -90,11 +90,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1763938834,
-        "narHash": "sha256-j8iB0Yr4zAvQLueCZ5abxfk6fnG/SJ5JnGUziETjwfg=",
+        "lastModified": 1772560058,
+        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "d9e753122e51cee64eb8d2dddfe11148f339f5a2",
+        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
        "type": "github"
      },
      "original": {
@@ -264,11 +264,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1763759067,
-        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
+        "lastModified": 1772408722,
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
        "type": "github"
      },
      "original": {
@@ -474,16 +474,15 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1765032623,
-        "narHash": "sha256-BbtN5NFN2RU3KP2TLA6zOoiv5MZXWqN1mXxIkKY8Kx4=",
-        "owner": "devplayer0",
+        "lastModified": 1772679279,
+        "narHash": "sha256-ockL9qWhamkGgBYnJHTvt1oHdRvGfbS36kW9WpOhzec=",
+        "owner": "nix-community",
        "repo": "harmonia",
-        "rev": "310e2b2c6583710c52531785f1245d9621284310",
+        "rev": "4e9e03e04467b50575f6b05c8abee12407418106",
        "type": "github"
      },
      "original": {
-        "owner": "devplayer0",
-        "ref": "cache-config-daemon-store",
+        "owner": "nix-community",
        "repo": "harmonia",
        "type": "github"
      }
@@ -589,11 +588,11 @@
    "nix": {
      "flake": false,
      "locked": {
-        "lastModified": 1764532838,
-        "narHash": "sha256-hw4J7wfqXWBCvsMVXPS4nvkcSeTXAtR5h9Ylv7a7dBA=",
+        "lastModified": 1772224943,
+        "narHash": "sha256-jJIlRLPPVYu860MVFx4gsRx3sskmLDSRWXXue5tYncw=",
        "owner": "nixos",
        "repo": "nix",
-        "rev": "8be9507a88f466dd44e6e56cd00167fa10e995b8",
+        "rev": "0acd0566e85e4597269482824711bcde7b518600",
        "type": "github"
      },
      "original": {
@@ -641,11 +640,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1770847929,
-        "narHash": "sha256-cxvC73HcT9OP67g4KNMYbJyGwAuZLvG4vNBMqFjEdxw=",
+        "lastModified": 1773177937,
+        "narHash": "sha256-HY4jRsp70w4cCID7ScA79wB+y45n2scr3Qz/N+0352I=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "3a9b7ab539186d4e9bb3c664cb4617ebd423f0bc",
+        "rev": "7d4f41507e7519949f6847e050cc0df87ce776d3",
        "type": "github"
      },
      "original": {
@@ -1053,11 +1052,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761311587,
-        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+        "lastModified": 1772660329,
+        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -35,8 +35,8 @@
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    # harmonia.url = "github:nix-community/harmonia";
-    harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
+    harmonia.url = "github:nix-community/harmonia";
+    # harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
    harmonia.inputs.nixpkgs.follows = "nixpkgs-unstable";

    # Packages not in nixpkgs
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -148,6 +148,9 @@ rec {
      hillcrest = {
        v4 = subnet 6 0 p2pTunnels.v4;
      };
+      john-valorant = {
+        v4 = subnet 6 1 p2pTunnels.v4;
+      };

      cust = {
        v4 = subnet 8 100 all.v4; # single ip for routing only
@@ -446,6 +449,10 @@ rec {
    vpn.port = 51822;
  };

+  john-valorant = {
+    vpn.port = 51823;
+  };
+
  sshKeyFiles = {
    me = ../.keys/me.pub;
    deploy = ../.keys/deploy.pub;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -188,6 +188,25 @@ in
                    ];
                  };
                }
+                {
+                  "30-john-valorant" = {
+                    netdevConfig = {
+                      Name = "john-valorant";
+                      Kind = "wireguard";
+                    };
+                    wireguardConfig = {
+                      PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
+                      ListenPort = lib.my.c.john-valorant.vpn.port;
+                    };
+                    wireguardPeers = [
+                      {
+                        PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
+                        AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
+                        PersistentKeepalive = 25;
+                      }
+                    ];
+                  };
+                }
              ];

              links = {
@@ -365,7 +384,7 @@ in
                };
                "95-hillcrest" = {
                  matchConfig.Name = "hillcrest";
-                  address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
+                  address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
                  routes = [
                    {
                      Destination = net.cidr.host 2 prefixes.hillcrest.v4;
@@ -373,6 +392,16 @@ in
                    }
                  ];
                };
+                "95-john-valorant" = {
+                  matchConfig.Name = "john-valorant";
+                  address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
+                  routes = [
+                    {
+                      Destination = net.cidr.host 2 prefixes.john-valorant.v4;
+                      Scope = "link";
+                    }
+                  ];
+                };
              } ];
            };

@@ -386,6 +415,9 @@ in
                  "estuary/hillcrest-wg.key" = {
                    owner = "systemd-network";
                  };
+                  "estuary/john-valorant-wg.key" = {
+                    owner = "systemd-network";
+                  };
                  "l2mesh/as211024.key" = {};
                };
              };
@@ -397,7 +429,13 @@ in
                };
              };
              firewall = {
-                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
+                udp.allowed = [
+                  5353
+
+                  lib.my.c.kelder.vpn.port
+                  lib.my.c.hillcrest.vpn.port
+                  lib.my.c.john-valorant.vpn.port
+                ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
                  enable = true;
@@ -466,7 +504,7 @@ in
                      iifname { wan, as211024, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
                      iifname base oifname { base, wan, $ixps } accept
-                      oifname { as211024, kelder, hillcrest } accept
+                      oifname { as211024, kelder, hillcrest, john-valorant } accept
                    }
                    chain output {
                      oifname ifog ether type != vlan reject
@@ -479,6 +517,7 @@ in
                    }
                    chain postrouting {
                      oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
+                      oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
                      ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
                    }
                  }
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -185,6 +185,9 @@ in
            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}

+            hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
+            john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
+
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@

--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -437,6 +437,14 @@ in
        };
        useACMEHost = pubDomain;
      };
+      "hass-john.${pubDomain}" = {
+        locations."/" = {
+          proxyPass = "http://john-valorant-tun.${domain}:8123";
+          proxyWebsockets = true;
+          extraConfig = proxyHeaders;
+        };
+        useACMEHost = pubDomain;
+      };
    };

    minio =
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -262,7 +262,7 @@ in
                signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
                settings = {
                  priority = 30;
-                  daemon_store = "/nix/store";
+                  virtual_nix_store = "/nix/store";
                  real_nix_store = "/var/lib/harmonia/nix/store";
                };
              };
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -206,10 +206,12 @@ in
            op
            "fffa146c-0bc8-421c-9e3a-3635c0aca2ea" # Scarlehh
            "1ea05f48-76cc-4034-bcd3-2fa1fc5a7375" # Dario
+            "4bf837b1-01db-4491-a0e0-700d98542833" # JoeSpencer
+            "d07a9554-1b05-4b0b-b558-27e4a86e1f53" # AmyClover
          ];
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = op;
-          DIFFICULTY = "normal";
+          DIFFICULTY = "hard";
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";

--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -118,6 +118,7 @@ in
            };
          };
          blueman.enable = true;
+          avahi.enable = true;
        };

        programs = {
@@ -161,6 +162,7 @@ in
          network = {
            netdevs = mkMerge [
              (mkVLAN "lan-hi" vlans.hi)
+              (mkVLAN "lan-lo" vlans.lo)
            ];
            links = {
              "10-et2.5g" = {
@@ -182,7 +184,7 @@ in
            networks = {
              "30-et100g" = {
                matchConfig.Name = "et100g";
-                vlan = [ "lan-hi" ];
+                vlan = [ "lan-hi" "lan-lo" ];
                networkConfig.IPv6AcceptRA = false;
              };
              "40-lan-hi" = mkMerge [
@@ -190,6 +192,22 @@ in
                # So we don't drop the IP we use to connect to NVMe-oF!
                { networkConfig.KeepConfiguration = "static"; }
              ];
+              "45-lan-lo" = {
+                matchConfig.Name = "lan-lo";
+                networkConfig = {
+                  DHCP = "ipv4";
+                  IPv6AcceptRA = true;
+                  UseDomains = false;
+                };
+                dhcpV4Config = {
+                  UseDNS = false;
+                  UseGateway = false;
+                };
+                ipv6AcceptRAConfig = {
+                  UseDNS = false;
+                  UseGateway = false;
+                };
+              };
            };
          };
        };
--- a/nixos/boxes/home/routing-common/dns_update.py
+++ b/nixos/boxes/home/routing-common/dns_update.py
@@ -33,7 +33,7 @@ def main():

    print(f'Updating {args.record} -> {address}')
    cf.dns.records.edit(
-        zone_id=zone.id, dns_record_id=record.id,
+        zone_id=zone.id, dns_record_id=record.id, name=args.record,
        type='A', content=address)

 if __name__ == '__main__':
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -165,6 +165,28 @@ in
                }
              ];
            }
+            {
+              id = 3;
+              subnet = prefixes.untrusted.v4;
+              interface = "lan-untrusted";
+              option-data = [
+                {
+                  name = "routers";
+                  data = vips.untrusted.v4;
+                }
+                {
+                  name = "domain-name-servers";
+                  data = "1.1.1.1, 1.0.0.1";
+                }
+              ];
+              pools = [
+                {
+                  pool = if index == 0
+                    then "192.168.80.10 - 192.168.80.127"
+                    else "192.168.80.128 - 192.168.80.250";
+                }
+              ];
+            }
          ];
          ddns-send-updates = true;
          ddns-replace-client-name = "when-not-present";
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -20,10 +20,7 @@ let
  };

  vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
-  vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
-      addr = "fe80::1/64";
-      dev = vlanIface vlan;
-    }) ++ [
+  vrrpIPs = family: concatMap (vlan: [
    {
      addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
      dev = vlanIface vlan;
@@ -64,6 +61,9 @@ in
        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
+            virtual_ipaddress_excluded {
+              ${concatMapStringsSep "\n" (vlan: "fe80::1/64 dev ${vlanIface vlan}") (attrNames vips)}
+            }
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
            notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
          '';
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -139,6 +139,7 @@ in
          bash-completion
          git
          unzip
+          tcpdump
        ]
        (mkIf config.services.netdata.enable [ netdata ])
      ];
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -5,23 +5,10 @@ let

  cfg = config.my.netboot;

-  # Newer releases don't boot on desktop?
-  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
-    version = "1.21.1-unstable-2024-06-27";
-    src = pkgs.fetchFromGitHub {
-      owner = "ipxe";
-      repo = "ipxe";
-      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
-      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
-    };
-
-    # This upstream patch (in newer versions) is needed for newer GCC
-    patches = (if (o ? patches) then o.patches else []) ++ [ ./fix-uninitialised-var.patch ];
-  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
-      path = "${ipxe}/ipxe.efi";
+      path = "${pkgs.ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
--- a/nixos/modules/server.nix
+++ b/nixos/modules/server.nix
@@ -36,10 +36,6 @@ in
    };

    documentation.nixos.enable = mkDefault' false;
-
-    environment.systemPackages = with pkgs; [
-      tcpdump
-    ];
  };

  meta.buildDocsInSandbox = false;
--- a/secrets/estuary/john-valorant-wg.key.age
+++ b/secrets/estuary/john-valorant-wg.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBvMndF
+M21hR3p2VmEzUm16eDEya2NtSW54SElScnQzRVhTYnhRNC9oS3dVCnFsS3ZyLyt2
+aVlsVEgySFpvKzA4cTd0ZnkwbGRHakJSL2JESU54KzFDNEkKLT4gWDI1NTE5IFQw
+cTN5bjJJVUoyckpjWnllM3piV3llM1VRSlN3Tlk4cG0yRzlTU1ZnMzQKQ2s2d0xs
+VjBjUlRkbUpHZDV0c2kwUGhUczhuVEV3ZE1WK2NxWndDQk9PWQotPiA+Oi1QYD47
+LWdyZWFzZSBFTEJWRHkzIE0oOVJTJQp2THpheXJqYmdPRlpTRXhQTkYzeGsyZ0dG
+aElRblgwWW1sT1NjZVNPUFNINXBPV1BxUldkCi0tLSBNOGhuUkNCV2NCZi9PdGxP
+WitZYTNwcDZXdGNjbDUzQkVZUEtUK2JsZTN3CrxYEwDQAvqeCckfsLUKB1ixsTF1
+rQNRYxioye5T7AZEnOrZg62qkOELmCwAD5UJt5tkNRrmHkm0JwiqNsThHX6qGnHl
+iDgytz/Hymij
+-----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	2bf18319c9	nixos/routing-common: Fix keepalived link-local addresses All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h17m1s Details	2026-03-16 15:12:46 +00:00
Jack O'Sullivan	a394b9124a	nixos/routing-common: Fix Cloudflare	2026-03-16 13:37:16 +00:00
Jack O'Sullivan	5bc48d33a3	nixos: Add tcpdump on all machines	2026-03-16 13:33:08 +00:00
Jack O'Sullivan	365ef5d49d	Update nixpkgs for terraria-server All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h3m49s Details	2026-03-10 21:27:14 +00:00
Jack O'Sullivan	0206d52fa2	nixos/netboot: Remove pinned iPXE All checks were successful CI / Check, build and cache nixfiles (push) Successful in 1h15m47s Details	2026-03-08 14:36:07 +00:00
Jack O'Sullivan	5526e07e65	Update harmonia Some checks failed CI / Check, build and cache nixfiles (push) Failing after 2h25m26s Details	2026-03-07 17:09:50 +00:00
Jack O'Sullivan	dde682390f	nixos/castle: Add lan-lo Some checks failed CI / Check, build and cache nixfiles (push) Failing after 6m27s Details	2026-03-04 21:30:53 +00:00
Jack O'Sullivan	4ec59a64ce	nixos/home/routing-common: Add DHCP pool for untrusted LAN	2026-03-03 20:15:45 +00:00
Jack O'Sullivan	c9c788e261	nixos/estuary: Add john-valorant Some checks failed CI / Check, build and cache nixfiles (push) Failing after 6m15s Details	2026-03-01 22:57:03 +00:00
Jack O'Sullivan	21c24216b4	nixos/whale2: Update Graeme difficulty Some checks failed CI / Check, build and cache nixfiles (push) Failing after 6m28s Details	2026-02-17 22:47:25 +00:00
Jack O'Sullivan	2ecd350fcc	nixos/whale2: Update graeme whitelist	2026-02-17 21:54:02 +00:00