| 16 Apr 2026 |
|  @rasmata:matrix.org left the room. | 12:22:16 |
|  antifuchs | 17:35:35 |
| antifuchs | so, hm, I have not rebooted this host in a while (47 days since last boot on nixos-unstable, using systemd.networkd.enable=true) but now that I have rebooted it, it is refusing to set up its hostbr0 bridge, networkctl reports that hostbr0 is in "no-carrier configuring" state, ip -br l shows that interface as DOWN in NO-CARRIER state; it's backed by an ethernet device that also shows no carrier (but ... has a lit link LED)? I'm really at a loss how to debug this, all signs say this should work but it doesn't come up. | 18:58:21 |
| antifuchs | (deleting the bridge and setting the ethernet interface up shows traffic if I tcpdump it, I should add) | 18:59:20 |
| antifuchs | oh, that's right, there should be VLAN netdevs that aren't created | 19:06:55 |
| antifuchs | yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*) when now I have to match the renamed name that a preceding .link file effects | 19:09:41 |
 magic_rb | How wonderful | 20:28:33 |
 oddlama | In reply to @antifuchs:asf.computer
yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*) when now I have to match the renamed name that a preceding .link file effects I always had the least amount of pain when I matched hardware interfaces by MACAddress | 20:44:22 |
|  TyIsI joined the room. | 23:14:12 |
| 17 Apr 2026 |
| antifuchs | In reply to @oddlama:matrix.org
I always had the least amount of pain when I matched hardware interfaces by MACAddress Well, I did that in addition but since there are bridges with inherited Mac’s in the mix, the config also has to match on device names | 02:59:52 |
| antifuchs | It’s supremely annoying and makes me want to redo the whole thing but also … not | 03:00:11 |
 hexa (clat on linux when) | that breaks with vlans though | 03:06:55 |
| hexa (clat on linux when) | Redacted or Malformed Event | 03:07:07 |
|  c4lliope set a profile picture. | 08:36:58 |
| c4lliope changed their profile picture. | 08:41:50 |
|  dish [Fox/It/She] changed their profile picture. | 16:58:37 |
| antifuchs | Kind= might be a bit less painful tbh, but ughhh testing this means a reboot each time | 17:47:45 |
| hexa (clat on linux when) | you can check networkctl for the correct kind | 18:08:16 |
| 22 Apr 2026 |
|  gamayagama joined the room. | 19:19:00 |
| 24 Apr 2026 |
|  @d:bugpara.de left the room. | 20:52:21 |
| 25 Apr 2026 |
 Luke | I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time | 00:11:34 |
| hexa (clat on linux when) | how so | 00:12:28 |
| Luke | Well, I made an attempt to go from this:
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
privateKeyFile = "/root/wireguard-keys/privatekey";
peers = [
{
publicKey = "key1";
presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
allowedIPs = [
# only route vpn related services
#"10.0.0.0/24"
#"fdc9:281f:04d7:9ee9::/64"
# send everything and do NAT
"0.0.0.0/0"
"::/0"
];
endpoint = "ip1:ip1";
persistentKeepalive = 25;
}
];
};
wg1 = {
address = [
"10.0.1.2/24"
"fdc9:281f:04d7:9eea::2/64"
];
dns = [
"10.0.1.1"
"fdc9:281f:04d7:9eea::1"
];
privateKeyFile = "/root/wireguard-keys/privatekey_wg1";
peers = [
{
publicKey = "key2";
allowedIPs = [
"10.0.1.0/24"
"fdc9:281f:04d7:9eea::/64"
];
endpoint = "ip2:port2";
persistentKeepalive = 25;
}
];
};
};
to this:
networking.useNetworkd = true;
systemd.network = {
networks."10-enp5s0" = {
matchConfig.Name = "enp5s0";
networkConfig.DHCP = "yes";
};
networks."50-wg0" = {
matchConfig.Name = "wg0";
address = [
"fdc9:281f:04d7:9ee9::2/64"
"10.0.0.2/24"
];
domains = [ "~." ];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
#networkConfig = {
# DNSDefaultRoute = true;
#};
routingPolicyRules = [
{
Family = "both";
InvertRule = true;
FirewallMark = 94;
Table = 1337;
Priority = 10;
}
{
To = "ip1/32"; # use /32 for IPv4
Priority = 5;
}
];
};
netdevs."50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard-keys/privatekey";
#RouteTable = "main";
FirewallMark = 94;
};
wireguardPeers = [
{
PublicKey = "key1";
PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key";
AllowedIPs = [
#"10.0.0.0/24"
#"fdc9:281f:04d7:9ee9::/64"
# send everything and do NAT
"0.0.0.0/0"
"::/0"
];
RouteTable = 1337;
Endpoint = "ip1:port1";
PersistentKeepalive = 25;
}
];
};
networks."50-wg1" = {
matchConfig.Name = "wg1";
address = [
"fdc9:281f:04d7:9eea::2/64"
"10.0.1.2/24"
];
domains = [ "~." ];
dns = [
"10.0.1.1"
"fdc9:281f:04d7:9eea::1"
];
};
netdevs."50-wg1" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg1";
};
wireguardConfig = {
PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1";
RouteTable = "main";
};
wireguardPeers = [
{
PublicKey = "key2";
AllowedIPs = [
"10.0.1.0/24"
"fdc9:281f:04d7:9eea::/64"
];
Endpoint = "ip2:port2";
PersistentKeepalive = 25;
}
];
};
};
and it kinda worked.
| 04:54:13 |
| Luke | But I have major gripes | 04:54:57 |
| Luke | First, systemd.network does not behave like you expect from a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up. | 04:55:50 |
| Luke | Second, for some reason this broke docker container to container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured | 04:56:45 |
| Luke | I ended up swapping back to wg-quick for now since it's been such a pain | 04:57:23 |
| Luke | I guess my routing table there was sending docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make | 04:59:28 |
| 26 Apr 2026 |
|  debugloop joined the room. | 03:44:06 |
| debugloop left the room. | 23:25:18 |
