author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-07-09 14:24:14 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-07-09 14:24:14 +0200 |
commit | 68f7b6dcf0d388ea14b0782fb62f6cb7b7ea941c (patch) | |
tree | 5835a31122b7f516f2c0f2064fb035d00c12076d | |
parent | e4e7651887bca1179348c4303a319f2f3e339942 (diff) | |
dsl -> gpon
-rw-r--r-- | flake.lock | 3 | ||||
-rw-r--r-- | flake.nix | 1 | ||||
-rw-r--r-- | hosts/vidhar/dns/zones/yggdrasil.soa | 3 | ||||
-rw-r--r-- | hosts/vidhar/network/default.nix | 2 | ||||
-rw-r--r-- | hosts/vidhar/network/gpon.nix (renamed from hosts/vidhar/network/dsl.nix) | 8 | ||||
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 72 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/default.nix | 54 | ||||
-rw-r--r-- | hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil | 26 |
8 files changed, 48 insertions, 121 deletions
@@ -778,6 +778,9 @@ | |||
778 | "nix-index-database": "nix-index-database", | 778 | "nix-index-database": "nix-index-database", |
779 | "nixpkgs": "nixpkgs_2", | 779 | "nixpkgs": "nixpkgs_2", |
780 | "nixpkgs-eostre": "nixpkgs-eostre", | 780 | "nixpkgs-eostre": "nixpkgs-eostre", |
781 | "nixpkgs-installer": [ | ||
782 | "nixpkgs-stable" | ||
783 | ], | ||
781 | "nixpkgs-pgbackrest": "nixpkgs-pgbackrest", | 784 | "nixpkgs-pgbackrest": "nixpkgs-pgbackrest", |
782 | "nixpkgs-stable": "nixpkgs-stable_2", | 785 | "nixpkgs-stable": "nixpkgs-stable_2", |
783 | "nvfetcher": "nvfetcher", | 786 | "nvfetcher": "nvfetcher", |
@@ -37,6 +37,7 @@ | |||
37 | repo = "nixpkgs"; | 37 | repo = "nixpkgs"; |
38 | ref = "23.11"; | 38 | ref = "23.11"; |
39 | }; | 39 | }; |
40 | nixpkgs-installer.follows = "nixpkgs-stable"; | ||
40 | home-manager = { | 41 | home-manager = { |
41 | type = "github"; | 42 | type = "github"; |
42 | # owner = "nix-community"; | 43 | # owner = "nix-community"; |
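--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li (
-2023030501 ; serial
+2024070901 ; serial
 300 ; refresh
 300 ; retry
 300 ; expire
@@ -27,4 +27,5 @@ vidhar.lan IN A 10.141.0.1
 vidhar.mgmt IN A 10.141.1.1
 switch01.mgmt IN A 10.141.1.2
 dsl01.mgmt IN A 10.141.1.3
+gpon01.mgmt IN A 10.10.1.1
 ap01.mgmt IN A 10.141.1.4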
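Review bot: The new `gpon01.mgmt` record on line 30 resolves to 10.10.1.1, outside the 10.141.1.0/24 range every other `.mgmt` name in this block uses, and `dsl01.mgmt` on line 29 is kept although the rest of the commit removes the DSL modem's exporter and secret. If 10.10.1.1 is the ONT's fixed management address reached over a separate path, a zone comment would spare the next reader the guess, e.g. `; gpon01: ONT management address, not on the mgmt VLAN -- confirm how it is routed`; otherwise the record may simply be unreachable from the mgmt network. The stale `dsl01.mgmt` entry looks like a candidate for removal in the same sweep. The serial bump to 2024070901 matches the commit date.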
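--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -3,7 +3,7 @@
 with lib;
 
 {
-imports = [ ./dsl.nix ./bifrost ./dhcp ];
+imports = [ ./gpon.nix ./bifrost ./dhcp ];
 
 config = {
 networking = {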
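--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/gpon.nix
@@ -8,7 +8,7 @@ in {
 options = {
 networking.pppInterface = mkOption {
 type = types.str;
-default = "dsl";
+default = "gpon";
 };
 };
 
@@ -34,7 +34,7 @@ in {
 plugin pppoe.so
 name telekom
 user 002576900250551137425220#0001@t-online.de
-telekom
+nic-telekom
 debug
 +ipv6
 '';
@@ -70,8 +70,8 @@ in {
 
 tc qdisc add dev "${pppInterface}" handle ffff: ingress
 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
-tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 64Mb pppoe-ptm diffserv4 bandwidth 93mbit
-tc qdisc replace dev "${pppInterface}" root cake memlimit 64Mb pppoe-ptm nat diffserv4 wash bandwidth 35mbit
+tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb pppoe-ptm diffserv4 bandwidth 238mbit
+tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb pppoe-ptm nat diffserv4 wash bandwidth 48mbit
 '';
 };
 in "${app}/bin/${app.meta.mainProgram}";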
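Review bot: The cake qdiscs on lines 73–74 keep the `pppoe-ptm` overhead preset while only the bandwidth and memlimit are re-tuned for the new link; as far as I recall from tc-cake(8), that preset also enables VDSL2's 64/65 PTM framing compensation, which a GPON handoff does not use, so the shaper would run slightly below the configured rates. A preset without the ptm flag (`ethernet`, an explicit `overhead` value, or `conservative` until measured) is the usual starting point for FTTH, and a comment recording the choice would help either way, e.g. `# overhead: PPPoE over Ethernet on a GPON ONT, no PTM encoding -- TODO confirm against the ONT`. The `nic-telekom` change on line 37 reads as the pppoe plugin's explicit `nic-` device prefix, which is clearer than the bare name. The `app` definition enclosing the third hunk appears to start before line 70, and the module continues past line 77.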
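--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -4,15 +4,15 @@ table arp filter {
 limit lim_arp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_arp_dsl {
-rate over 1400 kbytes/second burst 1400 kbytes
+limit lim_arp_gpon {
+rate over 1750 kbytes/second burst 1750 kbytes
 }
 
 counter arp-rx {}
 counter arp-tx {}
 
-counter arp-ratelimit-dsl-rx {}
-counter arp-ratelimit-dsl-tx {}
+counter arp-ratelimit-gpon-rx {}
+counter arp-ratelimit-gpon-tx {}
 
 counter arp-ratelimit-local-rx {}
 counter arp-ratelimit-local-tx {}
@@ -21,8 +21,8 @@ table arp filter {
 type filter hook input priority filter
 policy accept
 
-iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop
-iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop
+iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
 
 counter name arp-rx
 }
@@ -31,8 +31,8 @@ table arp filter {
 type filter hook output priority filter
 policy accept
 
-oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop
-oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop
+oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
 
 counter name arp-tx
 }
@@ -46,11 +46,11 @@ table inet filter {
 limit lim_icmp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_icmp_dsl {
-rate over 1400 kbytes/second burst 1400 kbytes
+limit lim_icmp_gpon {
+rate over 1750 kbytes/second burst 1750 kbytes
 }
 
-counter icmp-ratelimit-dsl-fw {}
+counter icmp-ratelimit-gpon-fw {}
 counter icmp-ratelimit-local-fw {}
 
 counter icmp-fw {}
@@ -58,7 +58,7 @@ table inet filter {
 counter invalid-fw {}
 counter fw-lo {}
 counter fw-lan {}
-counter fw-dsl {}
+counter fw-gpon {}
 
 counter fw-cups {}
 
@@ -73,7 +73,7 @@ table inet filter {
 counter invalid-local4-rx {}
 counter invalid-local6-rx {}
 
-counter icmp-ratelimit-dsl-rx {}
+counter icmp-ratelimit-gpon-rx {}
 counter icmp-ratelimit-local-rx {}
 counter icmp-rx {}
 
@@ -101,7 +101,7 @@ table inet filter {
 
 counter tx-lo {}
 
-counter icmp-ratelimit-dsl-tx {}
+counter icmp-ratelimit-gpon-tx {}
 counter icmp-ratelimit-local-tx {}
 counter icmp-tx {}
 
@@ -123,10 +123,10 @@ table inet filter {
 
 
 chain forward_icmp_accept {
-oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -139,10 +139,10 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-iifname lan oifname { dsl, bifrost } counter name fw-lan accept
+oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+iifname lan oifname { gpon, bifrost } counter name fw-lan accept
 
-iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
+iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
 
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -163,22 +163,22 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
-iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
+iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
-iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
-iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
-iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
-iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
+iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
 iifname mgmt udp dport 123 counter name ntp-rx accept
 
@@ -209,8 +209,8 @@ table inet filter {
 
 oifname lo counter name tx-lo accept
 
-oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
-oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
+oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
 
 
@@ -246,7 +246,7 @@ table inet filter {
 }
 
 table inet nat {
-counter dsl-nat {}
+counter gpon-nat {}
 # counter container-nat {}
 
 chain postrouting {
@@ -254,20 +254,20 @@ table inet nat {
 policy accept
 
 
-meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade
-# iifname ve-* oifname dsl counter name container-nat masquerade
+meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
+# iifname ve-* oifname gpon counter name container-nat masquerade
 }
 }
 
 table inet mss_clamp {
-counter dsl-mss-clamp {}
+counter gpon-mss-clamp {}
 
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 
-oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
+oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
 }
 }
 
@@ -402,7 +402,7 @@ table inet dscpclassify {
 chain postrouting {
 type filter hook postrouting priority filter + 1; policy accept
 
-oifname != dsl return
+oifname != gpon return
 
 ip dscp cs0 goto ct_set_cs0
 ip dscp lephb goto ct_set_lephb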
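Review bot: The WAN interface is spelled out as the literal `gpon` in roughly two dozen rules across these hunks (lines 24–25, 34–35, 126–129, 142–145, 166–181, 212–213, 257, 270 and 405), while gpon.nix now exposes that same name as `networking.pppInterface` with `gpon` only as its default; if this file is loaded as-is rather than templated, overriding the option would leave every one of these rules matching no interface, so the ARP/ICMP limits, the `fw-gpon` established/related accept, the masquerade and the MSS clamp would silently stop applying to the real uplink. A header comment at the top of the file, `# "gpon" below must equal networking.pppInterface (hosts/vidhar/network/gpon.nix); this ruleset is not templated`, makes the coupling visible until the name can be substituted at build time. The rate bump from 1400 to 1750 kbytes/second on lines 8 and 50 also raises the ceiling for `bifrost`, which shares `lim_icmp_gpon` on lines 126–127, 166 and 212 — presumably intended, but worth a word in the commit message. The tables these hunks touch start before line 4 and continue past line 408.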
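--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -63,7 +63,7 @@ in {
 systemd = {
 enable = true;
 extraFlags = [
-"--systemd.collector.unit-include=(dhcpcd-dsl|pppd-telekom|corerad|ndppd)\.service"
+"--systemd.collector.unit-include=(dhcpcd-.*|pppd-telekom|corerad|ndppd)\.service"
 "--systemd.collector.enable-restart-count"
 "--systemd.collector.enable-ip-accounting"
 ];
@@ -144,17 +144,6 @@ in {
 ];
 scrape_interval = "15s";
 }
-{ job_name = "zte";
-static_configs = [
-{ targets = ["localhost:9900"]; }
-];
-relabel_configs = [
-{ replacement = "dsl01";
-target_label = "instance";
-}
-];
-scrape_interval = "15s";
-}
 { job_name = "unbound";
 static_configs = [
 { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
@@ -315,47 +304,6 @@ in {
 };
 };
 
-systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = {
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" ];
-serviceConfig = {
-Restart = "always";
-PrivateTmp = true;
-WorkingDirectory = "/tmp";
-DynamicUser = true;
-CapabilityBoundingSet = [""];
-DeviceAllow = [""];
-LockPersonality = true;
-MemoryDenyWriteExecute = true;
-NoNewPrivileges = true;
-PrivateDevices = true;
-ProtectClock = true;
-ProtectControlGroups = true;
-ProtectHome = true;
-ProtectHostname = true;
-ProtectKernelLogs = true;
-ProtectKernelModules = true;
-ProtectKernelTunables = true;
-ProtectSystem = "strict";
-RemoveIPC = true;
-RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-RestrictNamespaces = true;
-RestrictRealtime = true;
-RestrictSUIDSGID = true;
-SystemCallArchitectures = "native";
-UMask = "0077";
-
-Type = "simple";
-ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
-Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
-EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path;
-};
-};
-sops.secrets."zte_dsl01.mgmt.yggdrasil" = {
-format = "binary";
-sopsFile = ./zte_dsl01.mgmt.yggdrasil;
-};
-
 systemd.services."prometheus-nftables-exporter" = {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];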
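Review bot: `dhcpcd-.*` on line 66 widens the systemd collector from the single WAN dhcpcd unit to every `dhcpcd-*` instance on the host; if the intent was only to follow the dsl→gpon rename, `dhcpcd-${config.networking.pppInterface}` — the option this commit renames in gpon.nix, with `config` already in scope at line 149 — keeps the include list scoped and survives the next interface rename without a hand edit. Separately, `\.` inside a Nix double-quoted string is, as far as I recall, unescaped to a bare `.`, so the trailing `.service` has always matched any character before `service`; harmless here, but `\\.` is what the regex means if the literal dot is intended. The zte scrape job, the `prometheus-zte-exporter@dsl01.mgmt.yggdrasil` unit and its sops secret are removed together, so this file is left with no dangling reference. The deleted `zte_dsl01.mgmt.yggdrasil` material remains in git history, which is fine for a sops-encrypted file, but if the credential it held (presumably the modem login) was reused on the replacement ONT it is worth rotating there.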
diff --git a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil deleted file mode 100644 index 1c9c1fe0..00000000 --- a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil +++ /dev/null | |||
@@ -1,26 +0,0 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": [ | ||
9 | { | ||
10 | "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", | ||
11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaEE3bUFBY0xKSDUrVnc2\nbFpjSkNOSm56amJTNjdXcTljdDNRREhITm1NCjZrOUEwNFpxN2FmTVV5T2xCbENk\nMEFmVzlPZ29CTlJ4dVNCRUsyRFFseXcKLS0tIEhscVZ4VUVsaG9OUnBIRFE4WXA2\ncGFnbWpNMlNIQzFLc1Ryc1Z3NUl1bVUKi9zYBlF2vslGKu4GP368ApbvuxjZnQpF\nuOujXSNoEps21wY6xUENm+CbYbgaJjSgmb5c1IjAmnubVI4JVY9OyQ==\n-----END AGE ENCRYPTED FILE-----\n" | ||
12 | } | ||
13 | ], | ||
14 | "lastmodified": "2021-12-31T15:00:33Z", | ||
15 | "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]", | ||
16 | "pgp": [ | ||
17 | { | ||
18 | "created_at": "2023-01-30T10:58:49Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAcwl1Blp3J5wgpRJKbYI1G1yEZrRYeYuoDtYUh3ToMAQw\nd92/bIJJR5Ml91eDym9uBN0fFRRy72r6FOx4qZT7S4DhmuA84qCbASjF8bKSclc0\n0l4BBXvDS5Dz1Q7iYc+LxZjHASV1v73A+MaeCFvG/pjmHzF0z0EzBiAJD4ZWGcP0\nX2dDbjl+n9VFrvmeLRxQNh4XZW43iTXdRjwHDgm16zhd9X6VOVhr5UkC4Nyjq2Ar\n=4ZEa\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.1" | ||
25 | } | ||
26 | } \ No newline at end of file | ||