Merge commit 'bc90ef66' into flakes

6 files changed, 56 insertions, 121 deletions

diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index f679b741..dede06ac 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li (
-  2023030501 ; serial
+  2024070901 ; serial
   300        ; refresh
   300        ; retry
   300        ; expire
@@ -27,4 +27,5 @@ vidhar.lan	IN	A	10.141.0.1
 vidhar.mgmt     IN      A       10.141.1.1
 switch01.mgmt   IN      A       10.141.1.2
 dsl01.mgmt      IN      A       10.141.1.3
+gpon01.mgmt     IN      A       10.10.1.1
 ap01.mgmt       IN      A       10.141.1.4
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 4a792851..0643f0bb 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -3,7 +3,7 @@
 with lib;
 
 {
-  imports = [ ./dsl.nix ./bifrost ./dhcp ];
+  imports = [ ./gpon.nix ./bifrost ./dhcp ];
 
   config = {
     networking = {
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/gpon.nix
index 1e8e9c73..1628159c 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/gpon.nix
@@ -8,7 +8,7 @@ in {
   options = {
     networking.pppInterface = mkOption {
       type = types.str;
-      default = "dsl";
+      default = "gpon";
     };
   };
 
@@ -34,7 +34,7 @@ in {
         plugin pppoe.so
         name telekom
         user 002576900250551137425220#0001@t-online.de
-        telekom
+        nic-telekom
         debug
         +ipv6
       '';
@@ -45,6 +45,12 @@ in {
       serviceConfig = {
         PIDFile = "/run/pppd/${pppInterface}.pid";
       };
+      restartTriggers = with config; [
+        environment.etc."ppp/ip-pre-up".source
+        environment.etc."ppp/ip-up".source
+        environment.etc."ppp/ip-down".source
+        # sops.secrets."pap-secrets".sopsFile
+      ];
     };
     sops.secrets."pap-secrets" = {
       format = "binary";
@@ -70,8 +76,8 @@ in {
 
             tc qdisc add dev "${pppInterface}" handle ffff: ingress
             tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
-            tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 64Mb pppoe-ptm diffserv4 bandwidth 93mbit
-            tc qdisc replace dev "${pppInterface}" root cake memlimit 64Mb pppoe-ptm nat diffserv4 wash bandwidth 35mbit
+            tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
+            tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
           '';
         };
       in "${app}/bin/${app.meta.mainProgram}";
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 6eb97f85..9f519302 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -4,15 +4,15 @@ table arp filter {
   limit lim_arp_local {
     rate over 50 mbytes/second burst 50 mbytes
   }
-  limit lim_arp_dsl {
-    rate over 1400 kbytes/second burst 1400 kbytes
+  limit lim_arp_gpon {
+    rate over 7500 kbytes/second burst 7500 kbytes
   }
 
   counter arp-rx {}
   counter arp-tx {}
 
-  counter arp-ratelimit-dsl-rx {}
-  counter arp-ratelimit-dsl-tx {}
+  counter arp-ratelimit-gpon-rx {}
+  counter arp-ratelimit-gpon-tx {}
 
   counter arp-ratelimit-local-rx {}
   counter arp-ratelimit-local-tx {}
@@ -21,8 +21,8 @@ table arp filter {
     type filter hook input priority filter
     policy accept
 
-    iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop
-    iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop
+    iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+    iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
 
     counter name arp-rx
   }
@@ -31,8 +31,8 @@ table arp filter {
     type filter hook output priority filter
     policy accept
 
-    oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop
-    oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop
+    oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+    oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
 
     counter name arp-tx
   }
@@ -46,11 +46,11 @@ table inet filter {
   limit lim_icmp_local {
     rate over 50 mbytes/second burst 50 mbytes
   }
-  limit lim_icmp_dsl {
-    rate over 1400 kbytes/second burst 1400 kbytes
+  limit lim_icmp_gpon {
+    rate over 7500 kbytes/second burst 7500 kbytes
   }
 
-  counter icmp-ratelimit-dsl-fw {}
+  counter icmp-ratelimit-gpon-fw {}
   counter icmp-ratelimit-local-fw {}
 
   counter icmp-fw {}
@@ -58,7 +58,7 @@ table inet filter {
   counter invalid-fw {}
   counter fw-lo {}
   counter fw-lan {}
-  counter fw-dsl {}
+  counter fw-gpon {}
 
   counter fw-cups {}
 
@@ -73,7 +73,7 @@ table inet filter {
   counter invalid-local4-rx {}
   counter invalid-local6-rx {}
 
-  counter icmp-ratelimit-dsl-rx {}
+  counter icmp-ratelimit-gpon-rx {}
   counter icmp-ratelimit-local-rx {}
   counter icmp-rx {}
 
@@ -101,7 +101,7 @@ table inet filter {
 
   counter tx-lo {}
 
-  counter icmp-ratelimit-dsl-tx {}
+  counter icmp-ratelimit-gpon-tx {}
   counter icmp-ratelimit-local-tx {}
   counter icmp-tx {}
 
@@ -123,10 +123,10 @@ table inet filter {
 
 
   chain forward_icmp_accept {
-    oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-    iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-    oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-    iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+    iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+    oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
     counter name icmp-fw accept
   }
   chain forward {
@@ -139,10 +139,10 @@ table inet filter {
 
     iifname lo counter name fw-lo accept
 
-    oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-    iifname lan oifname { dsl, bifrost } counter name fw-lan accept
+    oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+    iifname lan oifname { gpon, bifrost } counter name fw-lan accept
 
-    iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
+    iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -163,22 +163,22 @@ table inet filter {
     iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
     iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-    iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
-    iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+    iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
+    iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
     meta l4proto $icmp_protos counter name icmp-rx accept
 
-    iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
-    iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+    iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+    iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
     iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
     iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
-    iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
-    iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+    iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
+    iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-    iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+    iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
     iifname mgmt udp dport 123 counter name ntp-rx accept
 
@@ -209,8 +209,8 @@ table inet filter {
 
     oifname lo counter name tx-lo accept
 
-    oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
-    oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+    oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
+    oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
     meta l4proto $icmp_protos counter name icmp-tx accept
 
 
@@ -246,7 +246,7 @@ table inet filter {
 }
 
 table inet nat {
-  counter dsl-nat {}
+  counter gpon-nat {}
   # counter container-nat {}
 
   chain postrouting {
@@ -254,20 +254,20 @@ table inet nat {
     policy accept
 
 
-    meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade
-    # iifname ve-* oifname dsl counter name container-nat masquerade
+    meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
+    # iifname ve-* oifname gpon counter name container-nat masquerade
   }
 }
 
 table inet mss_clamp {
-  counter dsl-mss-clamp {}
+  counter gpon-mss-clamp {}
 
   chain postrouting {
     type filter hook postrouting priority mangle
     policy accept
 
 
-    oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
+    oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
   }
 }
 
@@ -402,7 +402,7 @@ table inet dscpclassify {
     chain postrouting {
         type filter hook postrouting priority filter + 1; policy accept
 
-        oifname != dsl return
+        oifname != gpon return
 
         ip dscp cs0 goto ct_set_cs0
         ip dscp lephb goto ct_set_lephb
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 1e649824..3e938933 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -63,7 +63,7 @@ in {
         systemd = {
           enable = true;
           extraFlags = [
-            "--systemd.collector.unit-include=(dhcpcd-dsl|pppd-telekom|corerad|ndppd)\.service"
+            "--systemd.collector.unit-include=(dhcpcd-.*|pppd-telekom|corerad|ndppd)\.service"
             "--systemd.collector.enable-restart-count"
             "--systemd.collector.enable-ip-accounting"
           ];
@@ -144,17 +144,6 @@ in {
           ];
           scrape_interval = "15s";
         }
-        { job_name = "zte";
-          static_configs = [
-            { targets = ["localhost:9900"]; }
-          ];
-          relabel_configs = [
-            { replacement = "dsl01";
-              target_label = "instance";
-            }
-          ];
-          scrape_interval = "15s";
-        }
         { job_name = "unbound";
           static_configs = [
             { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
@@ -274,6 +263,9 @@ in {
                 { record = "systemd_unit_runtime_seconds:resets_per_week";
                   expr = "resets(systemd_unit_runtime_seconds[1w])";
                 }
+                { record = "systemd_unit_runtime_seconds:avg_resets_per_day";
+                  expr = "avg_over_time(systemd_unit_runtime_seconds:resets_per_day[1w])";
+                }
               ];
             }
             { name = "apcupsd-transfers";
@@ -290,6 +282,9 @@ in {
                 { record = "apcupsd_last_transfer_on_battery_counter_seconds:resets_per_week";
                   expr = "resets(apcupsd_last_transfer_on_battery_counter_seconds[1w])";
                 }
+                { record = "apcupsd_last_transfer_on_battery_counter_seconds:avg_resets_per_day";
+                  expr = "avg_over_time(apcupsd_last_transfer_on_battery_counter_seconds:resets_per_day[1w])";
+                }
               ];
             }
           ];
@@ -315,47 +310,6 @@ in {
       };
     };
 
-    systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      serviceConfig = {
-        Restart = "always";
-        PrivateTmp = true;
-        WorkingDirectory = "/tmp";
-        DynamicUser = true;
-        CapabilityBoundingSet = [""];
-        DeviceAllow = [""];
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectSystem = "strict";
-        RemoveIPC = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        UMask = "0077";
-
-        Type = "simple";
-        ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
-        Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
-        EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path;
-      };
-    };
-    sops.secrets."zte_dsl01.mgmt.yggdrasil" = {
-      format = "binary";
-      sopsFile = ./zte_dsl01.mgmt.yggdrasil;
-    };
-
     systemd.services."prometheus-nftables-exporter" = {
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
diff --git a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
deleted file mode 100644
index 1c9c1fe0..00000000
--- a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-        "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]",
-        "sops": {
-                "kms": null,
-                "gcp_kms": null,
-                "azure_kv": null,
-                "hc_vault": null,
-                "age": [
-                        {
-                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaEE3bUFBY0xKSDUrVnc2\nbFpjSkNOSm56amJTNjdXcTljdDNRREhITm1NCjZrOUEwNFpxN2FmTVV5T2xCbENk\nMEFmVzlPZ29CTlJ4dVNCRUsyRFFseXcKLS0tIEhscVZ4VUVsaG9OUnBIRFE4WXA2\ncGFnbWpNMlNIQzFLc1Ryc1Z3NUl1bVUKi9zYBlF2vslGKu4GP368ApbvuxjZnQpF\nuOujXSNoEps21wY6xUENm+CbYbgaJjSgmb5c1IjAmnubVI4JVY9OyQ==\n-----END AGE ENCRYPTED FILE-----\n"
-                        }
-                ],
-                "lastmodified": "2021-12-31T15:00:33Z",
-                "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]",
-                "pgp": [
-                        {
-                                "created_at": "2023-01-30T10:58:49Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAcwl1Blp3J5wgpRJKbYI1G1yEZrRYeYuoDtYUh3ToMAQw\nd92/bIJJR5Ml91eDym9uBN0fFRRy72r6FOx4qZT7S4DhmuA84qCbASjF8bKSclc0\n0l4BBXvDS5Dz1Q7iYc+LxZjHASV1v73A+MaeCFvG/pjmHzF0z0EzBiAJD4ZWGcP0\nX2dDbjl+n9VFrvmeLRxQNh4XZW43iTXdRjwHDgm16zhd9X6VOVhr5UkC4Nyjq2Ar\n=4ZEa\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
-                "unencrypted_suffix": "_unencrypted",
-                "version": "3.7.1"
-        }
-}
\ No newline at end of file