Update from updated-inputs-2025-05-09-01-03

configuration/dn42/default.nix

@@ -1,22 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    wireguard-tools
-  ];
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  networking.firewall.checkReversePath = false;
-
-  # Open Firewall for BGP
-  networking.firewall.allowedTCPPorts = [ 179 ];
-  # Open Fireall for OSPF
-  networking.firewall.extraCommands = ''
-  ip6tables -A INPUT -p ospfigp -j ACCEPT
-  iptables -A INPUT -p ospfigp -j ACCEPT
-  '';
-}

configuration/hydra-build-machine/default.nix

@@ -1,16 +0,0 @@
-{ ... }:
-
-{
-
-  # Allow Hydra to fetch remote URLs in restricted mode
-  nix.settings.allowed-uris = "http: https: git+https: github:";
-
-  services.openssh.settings= {
-   PermitRootLogin = "yes";
-  };
-
-  users.extraUsers.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
-  ];
-
-}

configuration/router/default.nix

@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    wireguard-tools
-    tcpdump
-  ];
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = true;
-    "net.ipv6.conf.all.forwarding" = true;
-  };
-
-  networking.firewall.checkReversePath = false;
-
-  networking.firewall.allowedTCPPorts = [
-    # Open Firewall for BGP
-    179
-  ];
-
-  networking.firewall.extraCommands = ''
-    # Open fireall for OSPF
-    ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
-    # Open firewall for GRE
-    ip46tables -A nixos-fw -p gre -j nixos-fw-accept
-  '';
-}

flake.lock

@@ -440,11 +440,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683625533,
-        "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=",
+        "lastModified": 1746733297,
+        "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
         "ref": "refs/heads/main",
-        "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0",
-        "revCount": 19,
+        "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
+        "revCount": 22,
         "type": "git",
         "url": "https://git.clerie.de/clerie/nixos-exporter.git"
       },
@@ -551,11 +551,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1746461020,
-        "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=",
+        "lastModified": 1746663147,
+        "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae",
+        "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
         "type": "github"
       },
       "original": {

hosts/carbon/configuration.nix

@@ -4,7 +4,6 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/router
 
       ./dns.nix
       ./mdns.nix
@@ -23,6 +22,7 @@
     ];
 
   profiles.clerie.common-networking.enable = false;
+  profiles.clerie.router.enable = true;
 
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
 

hosts/gatekeeper/configuration.nix

@@ -4,10 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/router
     ];
 
   profiles.clerie.hetzner-cloud.enable = true;
+  profiles.clerie.router.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";

hosts/hydra-1/configuration.nix

@@ -4,7 +4,6 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/hydra-build-machine
 
       ./build-machines.nix
       ./hydra.nix
@@ -12,6 +11,7 @@
     ];
 
   profiles.clerie.mercury-vm.enable = true;
+  profiles.clerie.hydra-build-machine.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";

hosts/hydra-2/configuration.nix

@@ -4,10 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/hydra-build-machine
     ];
 
   profiles.clerie.cybercluster-vm.enable = true;
+  profiles.clerie.hydra-build-machine.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";

hosts/monitoring-3/prometheus.nix

@@ -200,7 +200,7 @@ in {
           relabelAddressToInstance
           {
             target_label = "__address__";
-            replacement = "[::1]:9153";
+            replacement = "monitoring-3.mon.clerie.de:9153";
           }
         ];
       }

hosts/nonat/configuration.nix

@@ -4,10 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/router
     ];
 
   profiles.clerie.mercury-vm.enable = true;
+  profiles.clerie.router.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/vda";

hosts/porter/configuration.nix

@@ -4,10 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
-      ../../configuration/router
     ];
 
   profiles.clerie.netcup.enable = true;
+  profiles.clerie.router.enable = true;
 
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";

modules/monitoring/default.nix

@@ -61,9 +61,6 @@ in
 
     services.prometheus.exporters.node = {
       enable = true;
-      #listenAddress = "${monitoring-network-base}${cfg.id}";
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
       enabledCollectors = [
        "systemd"
       ];
@@ -80,14 +77,10 @@ in
 
     services.prometheus.exporters.bird = mkIf cfg.bird {
       enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
     };
 
     services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
       enable = true;
-      openFirewall = true;
-      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
       configFile = pkgs.writeText "blackbox.yml" ''
         modules:
           icmp6:
@@ -109,8 +102,13 @@ in
       listen = "[::]:9152";
     };
 
-    networking.firewall.extraCommands = ''
-      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
-    '';
+    networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
+      9100 # node-exporter
+      9152 # nixos-exporter
+    ] ++ (if cfg.bird then [
+      9324 # bird-exporter
+    ] else []) ++ (if cfg.blackbox then [
+      9115 # blackbox-exporter
+    ] else []);
   };
 }

profiles/default.nix

@@ -11,9 +11,11 @@
     ./fem-net
     ./firefox
     ./hetzner-cloud
+    ./hydra-build-machine
     ./mercury-vm
     ./netcup
     ./network-fallback-dhcp
+    ./router
     ./ruby-vm
     ./serial-console
     ./wg-clerie

profiles/hydra-build-machine/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.hydra-build-machine = {
+    enable = mkEnableOption "Set defaults for hydra build machines";
+  };
+
+  config = mkIf config.profiles.clerie.hydra-build-machine.enable {
+
+    # Allow Hydra to fetch remote URLs in restricted mode
+    nix.settings.allowed-uris = "http: https: git+https: github:";
+
+    services.openssh.settings= {
+     PermitRootLogin = "yes";
+    };
+
+    users.extraUsers.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
+    ];
+
+  };
+
+}

profiles/router/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  options.profiles.clerie.router = {
+    enable = mkEnableOption "Basic router setup";
+  };
+
+  config = mkIf config.profiles.clerie.router.enable {
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+      tcpdump
+    ];
+  
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+    };
+  
+    networking.firewall.checkReversePath = false;
+
+  };
+}

profiles/wg-clerie/default.nix

@@ -180,45 +180,16 @@ in
     };
 
     systemd.services."wg-clerie-endpoint-refresh" = {
+      wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        Type = "oneshot";
+        Type = "simple";
+        Restart = "always";
+        RestartSec = 5;
       };
 
       path = [ pkgs.wireguard-tools pkgs.iproute2 ];
 
-      script = ''
-        set -euo pipefail
-
-        # Don't do anything as long as interface is not configured
-        if ! wg show wg-clerie endpoints > /dev/null; then
-          exit 0
-        fi
-
-        endpoint=""
-
-        if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
-          endpoint="[2a01:4f8:c0c:15f1::1]:51820"
-        else
-          endpoint="78.47.183.82:51820"
-        fi
-
-        wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "''${endpoint}"
-      '';
-
-      requires = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-    };
-
-    systemd.timers."wg-clerie-endpoint-refresh" = {
-      wantedBy = [ "timers.target" ];
-
-      timerConfig = {
-        OnCalendar = "*-*-* *:*:0/5";
-        RandomizedDelaySec = "5s";
-      };
-
-      requires = [ "network-online.target" ];
-      after = [ "network-online.target" ];
+      script = builtins.readFile ./wg-clerie-endpoint-refresh.sh;
     };
 
     environment.systemPackages = [ pkgs.wireguard-tools ];

profiles/wg-clerie/wg-clerie-endpoint-refresh.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+prev_endpoint=""
+
+while true; do
+	if ! wg show wg-clerie endpoints &>/dev/null; then
+		if [[ "${prev_endpoint}" != "" ]]; then
+			echo "Interface wg-clerie unavailable, doing nothing"
+			prev_endpoint=""
+		fi
+
+		sleep 5
+		continue
+	fi
+
+	if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
+		new_endpoint="[2a01:4f8:c0c:15f1::1]:51820"
+	else
+		new_endpoint="78.47.183.82:51820"
+	fi
+
+	if [[ "${new_endpoint}" != "${prev_endpoint}" ]]; then
+		echo "Switching endpoint for wg-clerie to ${new_endpoint}"
+		wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "${new_endpoint}"
+		prev_endpoint="${new_endpoint}"
+	fi
+
+	sleep 5
+done