3 files changed, 187 insertions, 0 deletions
diff --git a/hosts/vidhar/network/pppoe/default.nix b/hosts/vidhar/network/pppoe/default.nix
new file mode 100644
index 00000000..36bf4f49
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/default.nix
@@ -0,0 +1,156 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  inherit (config.networking) pppInterface;
+in {
+  options = {
+    networking.pppInterface = mkOption {
+      type = types.str;
+      default = "ppp";
+    };
+  };
+  config = {
+    networking.vlans = {
+      telekom = {
+        id = 7;
+        interface = "eno2";
+      };
+    };
+    services.pppd = {
+      enable = true;
+      package = pkgs.ppp.overrideAttrs (oldAttrs: {
+        patches = (oldAttrs.patches or []) ++ [
+          ./no-double-timeout.patch
+        ];
+      });
+      peers = {
+        o2.config = ''
+          user DSL0004874856014@s93.bbi-o2.de
+        '';
+      };
+    };
+    systemd.services."pppd-o2" = {
+      stopIfChanged = true;
+      restartTriggers = with config; [
+        environment.etc."ppp/pap-secrets".source
+        environment.etc."ppp/options".source
+        environment.etc."ppp/ip-pre-up".source
+        environment.etc."ppp/ip-up".source
+        environment.etc."ppp/ip-down".source
+      ];
+      serviceConfig.LoadCredential = [
+        "password:${config.sops.secrets."o2-password".path}"
+      ];
+      bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
+      after = [ "sys-subsystem-net-devices-telekom.device" ];
+    };
+    sops.secrets."o2-password" = {
+      format = "binary";
+      sopsFile = ./o2-password;
+    };
+    environment.etc = {
+      "ppp/options".text = ''
+        nodefaultroute
+        ifname ${pppInterface}
+        lcp-echo-adaptive
+        lcp-echo-failure 10
+        lcp-echo-interval 1
+        maxfail 0
+        mtu 1492
+        mru 1492
+        plugin pppoe.so
+        pppoe-padi-timeout 1
+        pppoe-padi-attempts 10
+        nic-telekom
+        debug
+        +ipv6
+      '';
+      "ppp/pap-secrets".text = ''
+        congstar * congstar *
+        DSL0004874856014@s93.bbi-o2.de * @/run/credentials/pppd-o2.service/password *
+      '';
+      "ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 pkgs.ethtool ];
+        execer = [
+          "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
+          "cannot:${lib.getExe' pkgs.iproute2 "tc"}"
+        ];
+      } ''
+        ethtool -K telekom tso off gso off gro off
+        ip link del "ifb4$1" || true
+        ip link add name "ifb4$1" type ifb
+        ip link set "ifb4$1" up
+        tc qdisc del dev "ifb4$1" root || true
+        tc qdisc del dev "$1" ingress || true
+        tc qdisc del dev "$1" root || true
+        tc qdisc add dev "$1" handle ffff: ingress
+        tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
+        tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
+        tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
+      '';
+      "ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 ];
+        execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
+      } ''
+        ip addr add "$4" peer "$5"/32 dev "$1"
+        ip route add default dev "$1" metric 512
+      '';
+      "ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 ];
+        execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
+      } ''
+        ip link del "ifb4$1"
+      '';
+    };
+    systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
+      patches = (oldAttrs.patches or []) ++ [
+        (pkgs.fetchpatch {
+          url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
+          hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
+        })
+      ];
+    });
+    systemd.network.networks = {
+      "40-${pppInterface}" = {
+        matchConfig.Name = pppInterface;
+        dns = [ "::1" "127.0.0.1" ];
+        domains = [ "~." ];
+        networkConfig = {
+          DHCP = true;
+          DNSSEC = true;
+        };
+        dhcpV6Config = {
+          PrefixDelegationHint = "::/64";
+          WithoutRA = "solicit";
+        };
+      };
+    };
+    boot.kernelModules = [ "ifb" ];
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv6.conf.default.forwarding" = true;
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+      "net.core.rmem_max" = 4194304;
+      "net.core.wmem_max" = 4194304;
+    };
+  };
+}
diff --git a/hosts/vidhar/network/pppoe/no-double-timeout.patch b/hosts/vidhar/network/pppoe/no-double-timeout.patch
new file mode 100644
index 00000000..53f41ae1
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/no-double-timeout.patch
@@ -0,0 +1,13 @@
+diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
+index 86bda61..8060558 100644
+--- i/pppd/plugins/pppoe/discovery.c
+++ w/pppd/plugins/pppoe/discovery.c
+@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
+        conn->discoveryState = STATE_SENT_PADI;
+        waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
+ 
+-       timeout *= 2;
+       // timeout *= 2;
+     } while (conn->discoveryState == STATE_SENT_PADI);
+ }
+ 
diff --git a/hosts/vidhar/network/pppoe/o2-password b/hosts/vidhar/network/pppoe/o2-password
new file mode 100644
index 00000000..cd3aed78
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/o2-password
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:mxHA3rrs5Sc50jAP,iv:iW1ua7wjZR8rPwXw21TdFK+fbfosc1CmnrTG34OJ2zM=,tag:pZ/FAHupnKy0wHtF6RN7yA==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUzAvSlJkSFhhRTFLY0VO\nU1VYbFhpMEpxaFhlb2NyS0xDNU5oMm9EZzJnCm5vbTM4c3lFMU5EajhwTGd6MTVx\nZTFmNVlyaVZuRy9hL2VnWFR0TTNEemsKLS0tIDdTemNMTTllQ1pmb0JNTlVGcTlU\nWjQ2MW4yVmtvRng3TlRDbmpHdmRkbUEKtIVAq4aZD6rhtX7+67EE5eOKAtGsVpBg\nPkfjkyV8ifBEx/lwDaJSHpLPfkbI9oArTL8BloodJEEGql5PXZxtvg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUk1oZGdjL25YbGRzdFFh\nRllkcU1IM0x6a2M2S0JicDBFYnBxMWluaEFzCjJ3WHozNkw0RThCMG5BNE5uUkZa\nTnV1OHpaSkMrTk9XM1NRWmxlTmRuUFkKLS0tIE9qdXVWOG9CL0MyS1JXbzhmbVdC\nZlRBWm1SSTZWYzBDc1U4ci94a0hMcHcKLgbJSAMUJ9VaXVmYQe+Uj13KrWFe4QvJ\nRcibCyOJH/VO3rmxU8RAkx0jaH448h9klWhs583Od5yNg7GleC+/qg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2026-04-14T15:24:19Z",
+                "mac": "ENC[AES256_GCM,data:/dr0bXAf0v5K9LdKw7RzTTL8Qw/WqiHqLk0EbahDnFg3cVplV0s+ImCnxmhutv3hxdtMZ2dmLBfb8CYb/ZLc4HtNT/K2iKGQM7pF4+XxIjS35Q1JUcXxLrsGZcpARuCZ0AJnKo8yFgtM64dYcbxHlRwGG4u4Ds9fEHHLUMigNM0=,iv:jfFlfscUB7S1JjL/uBeW3uD4bugCT9Cj/vigGvGXrlA=,tag:suol02QD4jRH/QulWoV21A==,type:str]",
+                "version": "3.12.2"
+        }
+}

diff --git a/hosts/vidhar/network/pppoe/default.nix b/hosts/vidhar/network/pppoe/default.nix new file mode 100644 index 00000000..36bf4f49 --- /dev/null +++ b/hosts/vidhar/network/pppoe/default.nix
@@ -0,0 +1,156 @@
	1	{ config, lib, pkgs, ... }:
	2
	3	with lib;
	4
	5	let
	6	inherit (config.networking) pppInterface;
	7	in {
	8	options = {
	9	networking.pppInterface = mkOption {
	10	type = types.str;
	11	default = "ppp";
	12	};
	13	};
	14
	15	config = {
	16	networking.vlans = {
	17	telekom = {
	18	id = 7;
	19	interface = "eno2";
	20	};
	21	};
	22
	23	services.pppd = {
	24	enable = true;
	25	package = pkgs.ppp.overrideAttrs (oldAttrs: {
	26	patches = (oldAttrs.patches or []) ++ [
	27	./no-double-timeout.patch
	28	];
	29	});
	30	peers = {
	31	o2.config = ''
	32	user DSL0004874856014@s93.bbi-o2.de
	33	'';
	34	};
	35	};
	36	systemd.services."pppd-o2" = {
	37	stopIfChanged = true;
	38
	39	restartTriggers = with config; [
	40	environment.etc."ppp/pap-secrets".source
	41	environment.etc."ppp/options".source
	42	environment.etc."ppp/ip-pre-up".source
	43	environment.etc."ppp/ip-up".source
	44	environment.etc."ppp/ip-down".source
	45	];
	46
	47	serviceConfig.LoadCredential = [
	48	"password:${config.sops.secrets."o2-password".path}"
	49	];
	50
	51	bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
	52	after = [ "sys-subsystem-net-devices-telekom.device" ];
	53	};
	54	sops.secrets."o2-password" = {
	55	format = "binary";
	56	sopsFile = ./o2-password;
	57	};
	58
	59	environment.etc = {
	60	"ppp/options".text = ''
	61	nodefaultroute
	62	ifname ${pppInterface}
	63	lcp-echo-adaptive
	64	lcp-echo-failure 10
	65	lcp-echo-interval 1
	66	maxfail 0
	67	mtu 1492
	68	mru 1492
	69	plugin pppoe.so
	70	pppoe-padi-timeout 1
	71	pppoe-padi-attempts 10
	72	nic-telekom
	73	debug
	74	+ipv6
	75	'';
	76	"ppp/pap-secrets".text = ''
	77	congstar * congstar *
	78	DSL0004874856014@s93.bbi-o2.de * @/run/credentials/pppd-o2.service/password *
	79	'';
	80	"ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
	81	interpreter = pkgs.runtimeShell;
	82	inputs = [ pkgs.iproute2 pkgs.ethtool ];
	83	execer = [
	84	"cannot:${lib.getExe' pkgs.iproute2 "ip"}"
	85	"cannot:${lib.getExe' pkgs.iproute2 "tc"}"
	86	];
	87	} ''
	88	ethtool -K telekom tso off gso off gro off
	89
	90	ip link del "ifb4$1" \|\| true
	91	ip link add name "ifb4$1" type ifb
	92	ip link set "ifb4$1" up
	93
	94	tc qdisc del dev "ifb4$1" root \|\| true
	95	tc qdisc del dev "$1" ingress \|\| true
	96	tc qdisc del dev "$1" root \|\| true
	97
	98	tc qdisc add dev "$1" handle ffff: ingress
	99	tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
	100	tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
	101	tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
	102	'';
	103	"ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
	104	interpreter = pkgs.runtimeShell;
	105	inputs = [ pkgs.iproute2 ];
	106	execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
	107	} ''
	108	ip addr add "$4" peer "$5"/32 dev "$1"
	109	ip route add default dev "$1" metric 512
	110	'';
	111	"ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
	112	interpreter = pkgs.runtimeShell;
	113	inputs = [ pkgs.iproute2 ];
	114	execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
	115	} ''
	116	ip link del "ifb4$1"
	117	'';
	118	};
	119
	120	systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
	121	patches = (oldAttrs.patches or []) ++ [
	122	(pkgs.fetchpatch {
	123	url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
	124	hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
	125	})
	126	];
	127	});
	128
	129	systemd.network.networks = {
	130	"40-${pppInterface}" = {
	131	matchConfig.Name = pppInterface;
	132	dns = [ "::1" "127.0.0.1" ];
	133	domains = [ "~." ];
	134	networkConfig = {
	135	DHCP = true;
	136	DNSSEC = true;
	137	};
	138	dhcpV6Config = {
	139	PrefixDelegationHint = "::/64";
	140	WithoutRA = "solicit";
	141	};
	142	};
	143	};
	144
	145	boot.kernelModules = [ "ifb" ];
	146	boot.kernel.sysctl = {
	147	"net.ipv6.conf.all.forwarding" = true;
	148	"net.ipv6.conf.default.forwarding" = true;
	149	"net.ipv4.conf.all.forwarding" = true;
	150	"net.ipv4.conf.default.forwarding" = true;
	151
	152	"net.core.rmem_max" = 4194304;
	153	"net.core.wmem_max" = 4194304;
	154	};
	155	};
	156	}


diff --git a/hosts/vidhar/network/pppoe/no-double-timeout.patch b/hosts/vidhar/network/pppoe/no-double-timeout.patch new file mode 100644 index 00000000..53f41ae1 --- /dev/null +++ b/hosts/vidhar/network/pppoe/no-double-timeout.patch
@@ -0,0 +1,13 @@
	1	diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
	2	index 86bda61..8060558 100644
	3	--- i/pppd/plugins/pppoe/discovery.c
	4	+++ w/pppd/plugins/pppoe/discovery.c
	5	@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
	6	conn->discoveryState = STATE_SENT_PADI;
	7	waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
	8
	9	- timeout *= 2;
	10	+ // timeout *= 2;
	11	} while (conn->discoveryState == STATE_SENT_PADI);
	12	}
	13


diff --git a/hosts/vidhar/network/pppoe/o2-password b/hosts/vidhar/network/pppoe/o2-password new file mode 100644 index 00000000..cd3aed78 --- /dev/null +++ b/hosts/vidhar/network/pppoe/o2-password
@@ -0,0 +1,18 @@
	1	{
	2	"data": "ENC[AES256_GCM,data:mxHA3rrs5Sc50jAP,iv:iW1ua7wjZR8rPwXw21TdFK+fbfosc1CmnrTG34OJ2zM=,tag:pZ/FAHupnKy0wHtF6RN7yA==,type:str]",
	3	"sops": {
	4	"age": [
	5	{
	6	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
	7	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUzAvSlJkSFhhRTFLY0VO\nU1VYbFhpMEpxaFhlb2NyS0xDNU5oMm9EZzJnCm5vbTM4c3lFMU5EajhwTGd6MTVx\nZTFmNVlyaVZuRy9hL2VnWFR0TTNEemsKLS0tIDdTemNMTTllQ1pmb0JNTlVGcTlU\nWjQ2MW4yVmtvRng3TlRDbmpHdmRkbUEKtIVAq4aZD6rhtX7+67EE5eOKAtGsVpBg\nPkfjkyV8ifBEx/lwDaJSHpLPfkbI9oArTL8BloodJEEGql5PXZxtvg==\n-----END AGE ENCRYPTED FILE-----\n"
	8	},
	9	{
	10	"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
	11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUk1oZGdjL25YbGRzdFFh\nRllkcU1IM0x6a2M2S0JicDBFYnBxMWluaEFzCjJ3WHozNkw0RThCMG5BNE5uUkZa\nTnV1OHpaSkMrTk9XM1NRWmxlTmRuUFkKLS0tIE9qdXVWOG9CL0MyS1JXbzhmbVdC\nZlRBWm1SSTZWYzBDc1U4ci94a0hMcHcKLgbJSAMUJ9VaXVmYQe+Uj13KrWFe4QvJ\nRcibCyOJH/VO3rmxU8RAkx0jaH448h9klWhs583Od5yNg7GleC+/qg==\n-----END AGE ENCRYPTED FILE-----\n"
	12	}
	13	],
	14	"lastmodified": "2026-04-14T15:24:19Z",
	15	"mac": "ENC[AES256_GCM,data:/dr0bXAf0v5K9LdKw7RzTTL8Qw/WqiHqLk0EbahDnFg3cVplV0s+ImCnxmhutv3hxdtMZ2dmLBfb8CYb/ZLc4HtNT/K2iKGQM7pF4+XxIjS35Q1JUcXxLrsGZcpARuCZ0AJnKo8yFgtM64dYcbxHlRwGG4u4Ds9fEHHLUMigNM0=,iv:jfFlfscUB7S1JjL/uBeW3uD4bugCT9Cj/vigGvGXrlA=,tag:suol02QD4jRH/QulWoV21A==,type:str]",
	16	"version": "3.12.2"
	17	}
	18	}