nixos/whale2: Update graeme whitelist

2026-02-17 18:44:34 +00:00
16 changed files with 52 additions and 146 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -90,11 +90,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1772560058,
+        "lastModified": 1763938834,
-        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
+        "narHash": "sha256-j8iB0Yr4zAvQLueCZ5abxfk6fnG/SJ5JnGUziETjwfg=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
+        "rev": "d9e753122e51cee64eb8d2dddfe11148f339f5a2",
        "type": "github"
      },
      "original": {
@@ -264,11 +264,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772408722,
+        "lastModified": 1763759067,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",
        "type": "github"
      },
      "original": {
@@ -474,15 +474,16 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1772679279,
+        "lastModified": 1765032623,
-        "narHash": "sha256-ockL9qWhamkGgBYnJHTvt1oHdRvGfbS36kW9WpOhzec=",
+        "narHash": "sha256-BbtN5NFN2RU3KP2TLA6zOoiv5MZXWqN1mXxIkKY8Kx4=",
-        "owner": "nix-community",
+        "owner": "devplayer0",
        "repo": "harmonia",
-        "rev": "4e9e03e04467b50575f6b05c8abee12407418106",
+        "rev": "310e2b2c6583710c52531785f1245d9621284310",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "devplayer0",
        "ref": "cache-config-daemon-store",
        "repo": "harmonia",
        "type": "github"
      }
@@ -588,11 +589,11 @@
    "nix": {
      "flake": false,
      "locked": {
-        "lastModified": 1772224943,
+        "lastModified": 1764532838,
-        "narHash": "sha256-jJIlRLPPVYu860MVFx4gsRx3sskmLDSRWXXue5tYncw=",
+        "narHash": "sha256-hw4J7wfqXWBCvsMVXPS4nvkcSeTXAtR5h9Ylv7a7dBA=",
        "owner": "nixos",
        "repo": "nix",
-        "rev": "0acd0566e85e4597269482824711bcde7b518600",
+        "rev": "8be9507a88f466dd44e6e56cd00167fa10e995b8",
        "type": "github"
      },
      "original": {
@@ -640,11 +641,11 @@
    },
    "nixpkgs-mine": {
      "locked": {
-        "lastModified": 1773177937,
+        "lastModified": 1770847929,
-        "narHash": "sha256-HY4jRsp70w4cCID7ScA79wB+y45n2scr3Qz/N+0352I=",
+        "narHash": "sha256-cxvC73HcT9OP67g4KNMYbJyGwAuZLvG4vNBMqFjEdxw=",
        "owner": "devplayer0",
        "repo": "nixpkgs",
-        "rev": "7d4f41507e7519949f6847e050cc0df87ce776d3",
+        "rev": "3a9b7ab539186d4e9bb3c664cb4617ebd423f0bc",
        "type": "github"
      },
      "original": {
@@ -1052,11 +1053,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772660329,
+        "lastModified": 1761311587,
-        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -35,8 +35,8 @@
    boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
    nixGL.url = "github:nix-community/nixGL";
    nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
-    harmonia.url = "github:nix-community/harmonia";
+    # harmonia.url = "github:nix-community/harmonia";
-    # harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
+    harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
    harmonia.inputs.nixpkgs.follows = "nixpkgs-unstable";
    # Packages not in nixpkgs
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -148,9 +148,6 @@ rec {
      hillcrest = {
        v4 = subnet 6 0 p2pTunnels.v4;
      };
      john-valorant = {
        v4 = subnet 6 1 p2pTunnels.v4;
      };
      cust = {
        v4 = subnet 8 100 all.v4; # single ip for routing only
@@ -449,10 +446,6 @@ rec {
    vpn.port = 51822;
  };
  john-valorant = {
    vpn.port = 51823;
  };
  sshKeyFiles = {
    me = ../.keys/me.pub;
    deploy = ../.keys/deploy.pub;
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -188,25 +188,6 @@ in
                    ];
                  };
                }
                {
                  "30-john-valorant" = {
                    netdevConfig = {
                      Name = "john-valorant";
                      Kind = "wireguard";
                    };
                    wireguardConfig = {
                      PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
                      ListenPort = lib.my.c.john-valorant.vpn.port;
                    };
                    wireguardPeers = [
                      {
                        PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
                        AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
                        PersistentKeepalive = 25;
                      }
                    ];
                  };
                }
              ];
              links = {
@@ -384,7 +365,7 @@ in
                };
                "95-hillcrest" = {
                  matchConfig.Name = "hillcrest";
-                  address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
+                  address = [ (net.cidr.host 1 prefixes.hillcrest.v4) ];
                  routes = [
                    {
                      Destination = net.cidr.host 2 prefixes.hillcrest.v4;
@@ -392,16 +373,6 @@ in
                    }
                  ];
                };
                "95-john-valorant" = {
                  matchConfig.Name = "john-valorant";
                  address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
                  routes = [
                    {
                      Destination = net.cidr.host 2 prefixes.john-valorant.v4;
                      Scope = "link";
                    }
                  ];
                };
              } ];
            };
@@ -415,9 +386,6 @@ in
                  "estuary/hillcrest-wg.key" = {
                    owner = "systemd-network";
                  };
                  "estuary/john-valorant-wg.key" = {
                    owner = "systemd-network";
                  };
                  "l2mesh/as211024.key" = {};
                };
              };
@@ -429,13 +397,7 @@ in
                };
              };
              firewall = {
-                udp.allowed = [
+                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port lib.my.c.hillcrest.vpn.port ];
                  5353
                  lib.my.c.kelder.vpn.port
                  lib.my.c.hillcrest.vpn.port
                  lib.my.c.john-valorant.vpn.port
                ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
                  enable = true;
@@ -504,7 +466,7 @@ in
                      iifname { wan, as211024, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
                      iifname base oifname { base, wan, $ixps } accept
-                      oifname { as211024, kelder, hillcrest, john-valorant } accept
+                      oifname { as211024, kelder, hillcrest } accept
                    }
                    chain output {
                      oifname ifog ether type != vlan reject
@@ -517,7 +479,6 @@ in
                    }
                    chain postrouting {
                      oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
                      oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
                      ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
                    }
                  }
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -185,9 +185,6 @@ in
            jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
            jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
            hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
            john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
            $TTL 3
            _acme-challenge IN LUA TXT @@FILE@@
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -437,14 +437,6 @@ in
        };
        useACMEHost = pubDomain;
      };
      "hass-john.${pubDomain}" = {
        locations."/" = {
          proxyPass = "http://john-valorant-tun.${domain}:8123";
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
        useACMEHost = pubDomain;
      };
    };
    minio =
--- a/nixos/boxes/colony/vms/shill/containers/object.nix
+++ b/nixos/boxes/colony/vms/shill/containers/object.nix
@@ -262,7 +262,7 @@ in
                signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
                settings = {
                  priority = 30;
-                  virtual_nix_store = "/nix/store";
+                  daemon_store = "/nix/store";
                  real_nix_store = "/var/lib/harmonia/nix/store";
                };
              };
--- a/nixos/boxes/colony/vms/whale2/minecraft/default.nix
+++ b/nixos/boxes/colony/vms/whale2/minecraft/default.nix
@@ -206,12 +206,10 @@ in
            op
            "fffa146c-0bc8-421c-9e3a-3635c0aca2ea" # Scarlehh
            "1ea05f48-76cc-4034-bcd3-2fa1fc5a7375" # Dario
            "4bf837b1-01db-4491-a0e0-700d98542833" # JoeSpencer
            "d07a9554-1b05-4b0b-b558-27e4a86e1f53" # AmyClover
          ];
          EXISTING_OPS_FILE = "SYNCHRONIZE";
          OPS = op;
-          DIFFICULTY = "hard";
+          DIFFICULTY = "normal";
          SPAWN_PROTECTION = "0";
          VIEW_DISTANCE = "20";
--- a/nixos/boxes/home/castle/default.nix
+++ b/nixos/boxes/home/castle/default.nix
@@ -118,7 +118,6 @@ in
            };
          };
          blueman.enable = true;
          avahi.enable = true;
        };
        programs = {
@@ -162,7 +161,6 @@ in
          network = {
            netdevs = mkMerge [
              (mkVLAN "lan-hi" vlans.hi)
              (mkVLAN "lan-lo" vlans.lo)
            ];
            links = {
              "10-et2.5g" = {
@@ -184,7 +182,7 @@ in
            networks = {
              "30-et100g" = {
                matchConfig.Name = "et100g";
-                vlan = [ "lan-hi" "lan-lo" ];
+                vlan = [ "lan-hi" ];
                networkConfig.IPv6AcceptRA = false;
              };
              "40-lan-hi" = mkMerge [
@@ -192,22 +190,6 @@ in
                # So we don't drop the IP we use to connect to NVMe-oF!
                { networkConfig.KeepConfiguration = "static"; }
              ];
              "45-lan-lo" = {
                matchConfig.Name = "lan-lo";
                networkConfig = {
                  DHCP = "ipv4";
                  IPv6AcceptRA = true;
                  UseDomains = false;
                };
                dhcpV4Config = {
                  UseDNS = false;
                  UseGateway = false;
                };
                ipv6AcceptRAConfig = {
                  UseDNS = false;
                  UseGateway = false;
                };
              };
            };
          };
        };
--- a/nixos/boxes/home/routing-common/dns_update.py
+++ b/nixos/boxes/home/routing-common/dns_update.py
@@ -33,7 +33,7 @@ def main():
    print(f'Updating {args.record} -> {address}')
    cf.dns.records.edit(
-        zone_id=zone.id, dns_record_id=record.id, name=args.record,
+        zone_id=zone.id, dns_record_id=record.id,
        type='A', content=address)
 if __name__ == '__main__':
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -165,28 +165,6 @@ in
                }
              ];
            }
            {
              id = 3;
              subnet = prefixes.untrusted.v4;
              interface = "lan-untrusted";
              option-data = [
                {
                  name = "routers";
                  data = vips.untrusted.v4;
                }
                {
                  name = "domain-name-servers";
                  data = "1.1.1.1, 1.0.0.1";
                }
              ];
              pools = [
                {
                  pool = if index == 0
                    then "192.168.80.10 - 192.168.80.127"
                    else "192.168.80.128 - 192.168.80.250";
                }
              ];
            }
          ];
          ddns-send-updates = true;
          ddns-replace-client-name = "when-not-present";
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -20,7 +20,10 @@ let
  };
  vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
-  vrrpIPs = family: concatMap (vlan: [
+  vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
      addr = "fe80::1/64";
      dev = vlanIface vlan;
    }) ++ [
    {
      addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
      dev = vlanIface vlan;
@@ -61,9 +64,6 @@ in
        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            virtual_ipaddress_excluded {
              ${concatMapStringsSep "\n" (vlan: "fe80::1/64 dev ${vlanIface vlan}") (attrNames vips)}
            }
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
            notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
          '';
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -139,7 +139,6 @@ in
          bash-completion
          git
          unzip
          tcpdump
        ]
        (mkIf config.services.netdata.enable [ netdata ])
      ];
--- a/nixos/modules/netboot/default.nix
+++ b/nixos/modules/netboot/default.nix
@@ -5,10 +5,23 @@ let
  cfg = config.my.netboot;
  # Newer releases don't boot on desktop?
  ipxe = pkgs.ipxe.overrideAttrs (o: rec {
    version = "1.21.1-unstable-2024-06-27";
    src = pkgs.fetchFromGitHub {
      owner = "ipxe";
      repo = "ipxe";
      rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
      hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
    };
    # This upstream patch (in newer versions) is needed for newer GCC
    patches = (if (o ? patches) then o.patches else []) ++ [ ./fix-uninitialised-var.patch ];
  });
  tftpRoot = pkgs.linkFarm "tftp-root" [
    {
      name = "ipxe-x86_64.efi";
-      path = "${pkgs.ipxe}/ipxe.efi";
+      path = "${ipxe}/ipxe.efi";
    }
  ];
  menuFile = pkgs.runCommand "menu.ipxe" {
--- a/nixos/modules/server.nix
+++ b/nixos/modules/server.nix
@@ -36,6 +36,10 @@ in
    };
    documentation.nixos.enable = mkDefault' false;
    environment.systemPackages = with pkgs; [
      tcpdump
    ];
  };
  meta.buildDocsInSandbox = false;
--- a/secrets/estuary/john-valorant-wg.key.age
+++ b/secrets/estuary/john-valorant-wg.key.age
@@ -1,12 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IG44Q3BVdyBvMndF
 M21hR3p2VmEzUm16eDEya2NtSW54SElScnQzRVhTYnhRNC9oS3dVCnFsS3ZyLyt2
 aVlsVEgySFpvKzA4cTd0ZnkwbGRHakJSL2JESU54KzFDNEkKLT4gWDI1NTE5IFQw
 cTN5bjJJVUoyckpjWnllM3piV3llM1VRSlN3Tlk4cG0yRzlTU1ZnMzQKQ2s2d0xs
 VjBjUlRkbUpHZDV0c2kwUGhUczhuVEV3ZE1WK2NxWndDQk9PWQotPiA+Oi1QYD47
 LWdyZWFzZSBFTEJWRHkzIE0oOVJTJQp2THpheXJqYmdPRlpTRXhQTkYzeGsyZ0dG
 aElRblgwWW1sT1NjZVNPUFNINXBPV1BxUldkCi0tLSBNOGhuUkNCV2NCZi9PdGxP
 WitZYTNwcDZXdGNjbDUzQkVZUEtUK2JsZTN3CrxYEwDQAvqeCckfsLUKB1ixsTF1
 rQNRYxioye5T7AZEnOrZg62qkOELmCwAD5UJt5tkNRrmHkm0JwiqNsThHX6qGnHl
 iDgytz/Hymij
 -----END AGE ENCRYPTED FILE-----