coder
diff --git a/‎.github/workflows/dogfood.yaml
+25-12 b/‎.github/workflows/dogfood.yaml
+25-12
diff --git a/‎CLAUDE.md
+27 b/‎CLAUDE.md
+27
diff --git a/‎dogfood/coder/nix.hash
+2-2 b/‎dogfood/coder/nix.hash
+2-2
diff --git a/‎flake.lock
+20-3 b/‎flake.lock
+20-3
diff --git a/‎flake.nix
+16-3 b/‎flake.nix
+16-3
diff --git a/‎tailnet/configmaps.go
+6 b/‎tailnet/configmaps.go
+6
@@ -35,7 +35,26 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Nix
-        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
+        uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30
+
+      - uses: nix-community/cache-nix-action@aee88ae5efbbeb38ac5d9862ecbebdb404a19e69 # v6.1.1
+        with:
+          # restore and save a cache using this key
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: nix-${{ runner.os }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          # 1G = 1073741824
+          gc-max-store-size-linux: 2G
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: nix-${{ runner.os }}-
+          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
 
       - name: Get branch name
         id: branch-name
@@ -113,18 +132,12 @@ jobs:
 
       - name: Terraform init and validate
         run: |
-          pushd dogfood/
-          terraform init
-          terraform validate
-          popd
-          pushd dogfood/coder
-          terraform init
+          cd dogfood
+          terraform init -upgrade
           terraform validate
-          popd
-          pushd dogfood/coder-envbuilder
-          terraform init
+          cd contents
+          terraform init -upgrade
           terraform validate
-          popd
 
       - name: Get short commit SHA
         if: github.ref == 'refs/heads/main'
@@ -148,6 +161,6 @@ jobs:
           # Template source & details
           TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
           TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
-          TF_VAR_CODER_TEMPLATE_DIR: ./coder
+          TF_VAR_CODER_TEMPLATE_DIR: ./contents
           TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }}
           TF_LOG: info
@@ -0,0 +1,27 @@
+# Coder Development Guide
+
+## Build & Test Commands
+
+- Build all: `make build-fat` or `make build`
+- Build slim version: `make build-slim`
+- Run all tests: `make test`
+- Run single test: `go test ./path/to/package -run=TestName`
+- Run tests with race detection: `make test-race`
+- Format code: `make fmt`
+- Lint code: `make lint`
+- Generate code: `make gen`
+
+## Code Style Guidelines
+
+- **Imports**: Standard lib first, third-party second, local imports last; alphabetized within groups
+- **Formatting**: Use `make fmt/go` for Go, `make fmt/ts` for TypeScript
+- **Naming**: CamelCase for exported, camelCase for unexported names; no "I" prefix for interfaces
+- **Error Handling**: Return errors with context using appropriate wrapping
+- **Testing**: Place tests in `*_test.go` files; use `t.Parallel()` when appropriate; use helper functions from `testutil`
+- **Comments**: Document exported functions, types, and constants
+
+## Common Development Tasks
+
+- Make changes to database: Update migrations and run `make gen/db`
+- End-to-end testing: `make test-e2e`
+- Clean build artifacts: `make clean`
@@ -1,2 +1,2 @@
-f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
-32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
+f09cd2cbbcdf00f5e855c6ddecab6008d11d871dc4ca5e1bc90aa14d4e3a2cfd  flake.nix
+0d2489a26d149dade9c57ba33acfdb309b38100ac253ed0c67a2eca04a187e37  flake.lock
@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-pinned.url = "github:nixos/nixpkgs/5deee6281831847857720668867729617629ef1f";
     flake-utils.url = "github:numtide/flake-utils";
     pnpm2nix = {
@@ -22,6 +23,7 @@
       self,
       nixpkgs,
       nixpkgs-pinned,
+      nixpkgs-unstable,
       flake-utils,
       drpc,
       pnpm2nix,
@@ -31,7 +33,7 @@
       let
         pkgs = import nixpkgs {
           inherit system;
-          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          # Workaround for: google-chrome has an unfree license (‘unfree’), refusing to evaluate.
           config.allowUnfree = true;
         };
 
@@ -41,6 +43,17 @@
           inherit system;
         };
 
+        unstablePkgs = import nixpkgs-unstable {
+          inherit system;
+
+          # Workaround for: terraform has an unfree license (‘bsl11’), refusing to evaluate.
+          config.allowUnfreePredicate =
+            pkg:
+            builtins.elem (pkgs.lib.getName pkg) [
+              "terraform"
+            ];
+        };
+
         formatter = pkgs.nixfmt-rfc-style;
 
         nodejs = pkgs.nodejs_20;
@@ -148,7 +161,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
-            terraform
+            unstablePkgs.terraform
             typos
             which
             # Needed for many LD system libs!
@@ -185,7 +198,7 @@
             name = "coder-${osArch}";
             # Updated with ./scripts/update-flake.sh`.
             # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
+            vendorHash = "sha256-6sdvX0Wglj0CZiig2VD45JzuTcxwg7yrGoPPQUYvuqU=";
             proxyVendor = true;
             src = ./.;
             nativeBuildInputs = with pkgs; [
 
@@ -77,6 +77,9 @@ type configMaps struct {
 	derpMap        *tailcfg.DERPMap
 	logger         slog.Logger
 	blockEndpoints bool
+	// endpointFilterFn is a callback that filters endpoints based on network conditions
+	// This approach avoids a cyclic dependency between configMaps and Conn
+	endpointFilterFn func(endpoints []string) []string
 
 	// for testing
 	clock quartz.Clock
@@ -241,6 +244,9 @@ func (c *configMaps) peerConfigLocked() []*tailcfg.Node {
 		n := p.node.Clone()
 		if c.blockEndpoints {
 			n.Endpoints = nil
+		} else if c.endpointFilterFn != nil && len(n.Endpoints) > 0 {
+			// Filter endpoints based on MTU to avoid connection issues with low-MTU interfaces
+			n.Endpoints = c.endpointFilterFn(n.Endpoints)
 		}
 		out = append(out, n)
 	}