From 24472aec496d024659701cc3243a4e2d78d94962 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 20 Oct 2024 16:42:27 +0200 Subject: [PATCH 1/4] hosts/monitoring-3: Enable Synapse Monitoring for matrix.fachschaften.org --- hosts/monitoring-3/prometheus.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/monitoring-3/prometheus.nix b/hosts/monitoring-3/prometheus.nix index e26ac41..9e9fa52 100644 --- a/hosts/monitoring-3/prometheus.nix +++ b/hosts/monitoring-3/prometheus.nix @@ -190,6 +190,7 @@ in { "www.fem.tu-ilmenau.de" "www.heise.de" "dyon.net.entr0py.de" + "matrix.fachschaften.org" ]; } ]; @@ -241,6 +242,7 @@ in { "matrix.bau-ha.us" "dyon.net.entr0py.de" "matrix.entr0py.de" + "matrix.fachschaften.org" ]; } ]; @@ -275,6 +277,7 @@ in { { targets = [ "matrix.entr0py.de" + "matrix.fachschaften.org" ]; } ]; From 09f54a05eeb2118429863af0841240e2c4016c60 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 20 Oct 2024 17:06:36 +0200 Subject: [PATCH 2/4] hosts/carbon: Do not fall back IPv6 traffic via VPN, if no native IPv6 is available --- hosts/carbon/wg-clerie.nix | 1 + modules/wg-clerie/default.nix | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/hosts/carbon/wg-clerie.nix b/hosts/carbon/wg-clerie.nix index 14bf443..36965c6 100644 --- a/hosts/carbon/wg-clerie.nix +++ b/hosts/carbon/wg-clerie.nix @@ -5,5 +5,6 @@ enable = true; ipv6s = [ "2a01:4f8:c0c:15f1::8111/128" ]; ipv4s = [ "10.20.30.111/32" ]; + defaultViaVPN = false; }; } diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix index 234bddc..a8a845a 100644 --- a/modules/wg-clerie/default.nix +++ b/modules/wg-clerie/default.nix @@ -25,6 +25,11 @@ in default = []; description = "IPv4 interface addresses"; }; + defaultViaVPN = mkOption { + type = types.bool; + default = true; + description = "Use VPN default route for a protocol, if that protocol is unavailable in the underlay"; + }; }; }; 
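Review bot: The `defaultViaVPN` description added in modules/wg-clerie/default.nix does not say what happens when the option is false. Judging from the rule lists changed later in this patch, disabling it drops the `lookup wg-clerie` rule at prio 21001, so traffic with no route in `main` falls through to the `unreachable` rule at prio 22000. The same flag gates what appear to be both the IPv6 and the IPv4 rule list, although the commit subject only mentions IPv6. I would spell that out, e.g. `description = "Fall back to the VPN routing table when the main table has no route; if false, such traffic is rejected as unreachable (applies to IPv4 and IPv6)";`. The enclosing options block starts outside the hunk.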
@@ -45,7 +50,9 @@ in { rule = "to 2a01:4f8:c0c:15f1::1/128 ipproto udp dport 51820 unreachable"; prio = 20001; } # Try direct routing first, fallback to VPN { rule = "lookup main"; prio = 21000; } + ] ++ (if cfg.defaultViaVPN then [ { rule = "lookup wg-clerie"; prio = 21001; } + ] else []) ++ [ { rule = "unreachable"; prio = 22000; } ]; rules4 = (concatMap (ip: [ @@ -57,7 +64,9 @@ in { rule = "to 78.47.183.82/32 ipproto udp dport 51820 unreachable"; prio = 20001; } # Try direct routing first, fallback to VPN { rule = "lookup main"; prio = 21000; } + ] ++ (if cfg.defaultViaVPN then [ { rule = "lookup wg-clerie"; prio = 21001; } + ] else []) ++ [ { rule = "unreachable"; prio = 22000; } ]; }; From 5d45d3aac1955bca607d29347cf8fb89af611d61 Mon Sep 17 00:00:00 2001 From: clerie Date: Tue, 22 Oct 2024 18:01:37 +0200 Subject: [PATCH 3/4] configuration/gpg-ssh: Custom gnupg without builtin ccid driver in scdaemon --- configuration/gpg-ssh/default.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix index fdabd61..497c280 100644 --- a/configuration/gpg-ssh/default.nix +++ b/configuration/gpg-ssh/default.nix @@ -1,7 +1,17 @@ { pkgs, lib, ... }: -{ +let + custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: { + configureFlags = prev.configureFlags ++ [ + # Make sure scdaemon never ever again tries to use its own ccid driver + "--disable-ccid-driver" + ]; + }); + +in { + + programs.gnupg.package = custom_gnupg; programs.gnupg.agent = { enable = true; enableSSHSupport = true; @@ -9,7 +19,7 @@ }; environment.systemPackages = with pkgs; [ - gnupg + custom_gnupg yubikey-personalization openpgp-card-tools From 6dab743d794a46ea0473244e01b06c9713315428 Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Wed, 23 Oct 2024 03:04:07 +0200 Subject: [PATCH 4/4] Update nixpkgs 2024-10-23-01-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
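Review bot: The context comment `# Try direct routing first, fallback to VPN` is now stale, because the fallback rule below it only exists when `cfg.defaultViaVPN` is true; this applies to the IPv6 hunk (`@@ -45,7 +50,9 @@`) and to the IPv4 hunk (`@@ -57,7 +64,9 @@`). Someone auditing the policy routing will read the comment as unconditional, so I would reword it in both places, e.g. `# Try direct routing first; fall back to VPN only if defaultViaVPN is set, otherwise unreachable`. As a point of style, `++ lib.optional cfg.defaultViaVPN { rule = "lookup wg-clerie"; prio = 21001; }` states the conditional element more directly than `if … then [ … ] else []`, assuming the lib helpers are in scope as the unqualified `concatMap` suggests. Both lists start outside the hunks.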
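Review bot: With the driver removed by `--disable-ccid-driver`, scdaemon in `custom_gnupg` can only reach a token through PC/SC, and nothing visible in this hunk enables or asserts `services.pcscd.enable`; if that is not set in the unchanged part of the file or elsewhere, card-backed SSH authentication stops working after the switch. I would make the dependency explicit next to the override, e.g. `services.pcscd.enable = true;`, or at least extend the comment to `# scdaemon must go through pcscd, never its own ccid driver`. The override is bound only to `programs.gnupg.package` and `environment.systemPackages`, so any package that depends on `pkgs.gnupg` directly would presumably still ship the stock scdaemon with the built-in driver. `final` is unused in `overrideAttrs (final: prev: { … })`; `overrideAttrs (prev: { … })` is enough. The attribute set continues outside the hunk.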
diff --git a/flake.lock b/flake.lock index 810f475..7abc6b6 100644 --- a/flake.lock +++ b/flake.lock @@ -288,11 +288,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1725983898, - "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=", + "lastModified": 1729413321, + "narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43", + "rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26", "type": "github" }, "original": {