8 files changed, 265 insertions, 349 deletions

diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 92d755f3..3b48a7fc 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,9 +1,9 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 
 with lib;
 
 {
-  imports = [ ./gpon.nix ./bifrost ./dhcp ];
+  imports = [ ./pppoe ./bifrost ./dhcp ];
 
   config = {
     networking = {
@@ -61,7 +61,9 @@ with lib;
       firewall.enable = false;
       nftables = {
         enable = true;
-        rulesetFile = ./ruleset.nft;
+        rulesetFile = pkgs.replaceVars ./ruleset.nft {
+          inherit (config.networking) pppInterface;
+        };
       };
 
       resolvconf = {
@@ -76,16 +78,29 @@ with lib;
 
     environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds";
 
-    systemd.network.networks = {
-      "eno1" = {
-        matchConfig.Name = "eno1";
-        linkConfig = {
-          ActivationPolicy = "down";
+    systemd.network = {
+      networks = {
+        "eno1" = {
+          matchConfig.Name = "eno1";
+          linkConfig = {
+            ActivationPolicy = "down";
+          };
+        };
+        "eno2" = {
+          matchConfig.Name = "eno2";
+          networkConfig.LinkLocalAddressing = "no";
+        };
+        "40-lan" = {
+          matchConfig.Name = "lan";
+          networkConfig = {
+            IPv6SendRA = true;
+            DHCPPrefixDelegation = true;
+          };
+          ipv6SendRAConfig = {
+            DNS = "_link_local";
+            Domains = ["lan.yggdrasil" "yggdrasil"];
+          };
         };
-      };
-      "eno2" = {
-        matchConfig.Name = "eno2";
-        networkConfig.LinkLocalAddressing = "no";
       };
     };
 
@@ -117,6 +132,7 @@ with lib;
       "/srv/nfs/nix-store" = {
         device = "/nix/store";
         options = [ "bind" ];
+        fsType = "none";
       };
     };
   };
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 11460393..eda27663 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -349,7 +349,7 @@ in {
                       goto start
 
                       :memtest
-                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      chain --autofree mt86plus.efi
                       goto start
                     ''} $out/installer-${system}.menu.ipxe
                   '')))
@@ -360,7 +360,7 @@ in {
                 mkdir $out
                 install -m 0444 -t $out \
                   ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
-                  ${pkgs.memtest86plus}/{memtest.efi,memtest.bin}
+                  ${pkgs.memtest86plus}/mt86plus.efi
                 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
                 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
               '')
@@ -411,7 +411,7 @@ in {
                       goto start
 
                       :memtest
-                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      chain --autofree mt86plus.efi
                       goto start
                     ''} $out/eostre.menu.ipxe
                   '')))
diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix
deleted file mode 100644
index 1628159c..00000000
--- a/hosts/vidhar/network/gpon.nix
+++ /dev/null
@@ -1,271 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  pppInterface = config.networking.pppInterface;
-in {
-  options = {
-    networking.pppInterface = mkOption {
-      type = types.str;
-      default = "gpon";
-    };
-  };
-
-  config = {
-    networking.vlans = {
-      telekom = {
-        id = 7;
-        interface = "eno2";
-      };
-    };
-
-    services.pppd = {
-      enable = true;
-      peers.telekom.config = ''
-        nodefaultroute
-        ifname ${pppInterface}
-        lcp-echo-adaptive
-        lcp-echo-failure 5
-        lcp-echo-interval 1
-        maxfail 0
-        mtu 1492
-        mru 1492
-        plugin pppoe.so
-        name telekom
-        user 002576900250551137425220#0001@t-online.de
-        nic-telekom
-        debug
-        +ipv6
-      '';
-    };
-    systemd.services."pppd-telekom" = {
-      stopIfChanged = true;
-
-      serviceConfig = {
-        PIDFile = "/run/pppd/${pppInterface}.pid";
-      };
-      restartTriggers = with config; [
-        environment.etc."ppp/ip-pre-up".source
-        environment.etc."ppp/ip-up".source
-        environment.etc."ppp/ip-down".source
-        # sops.secrets."pap-secrets".sopsFile
-      ];
-    };
-    sops.secrets."pap-secrets" = {
-      format = "binary";
-      sopsFile = ./pap-secrets;
-      path = "/etc/ppp/pap-secrets";
-    };
-
-    environment.etc = {
-      "ppp/ip-pre-up".source = let
-        app = pkgs.writeShellApplication {
-          name = "ip-pre-up";
-          runtimeInputs = with pkgs; [ iproute2 ethtool ];
-          text = ''
-            ethtool -K telekom tso off gso off gro off
-
-            ip link del "ifb4${pppInterface}" || true
-            ip link add name "ifb4${pppInterface}" type ifb
-            ip link set "ifb4${pppInterface}" up
-
-            tc qdisc del dev "ifb4${pppInterface}" root || true
-            tc qdisc del dev "${pppInterface}" ingress || true
-            tc qdisc del dev "${pppInterface}" root || true
-
-            tc qdisc add dev "${pppInterface}" handle ffff: ingress
-            tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
-            tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
-            tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
-          '';
-        };
-      in "${app}/bin/${app.meta.mainProgram}";
-      "ppp/ip-up".source = let
-        app = pkgs.writeShellApplication {
-          name = "ip-up";
-          runtimeInputs = with pkgs; [ iproute2 ];
-          text = ''
-            ip route add default via "$5" dev "${pppInterface}" metric 512
-          '';
-        };
-      in "${app}/bin/${app.meta.mainProgram}";
-      "ppp/ip-down".source = let
-        app = pkgs.writeShellApplication {
-          name = "ip-down";
-          runtimeInputs = with pkgs; [ iproute2 ];
-          text = ''
-            ip link del "ifb4${pppInterface}"
-          '';
-        };
-      in "${app}/bin/${app.meta.mainProgram}";
-    };
-
-    systemd.network.networks.${pppInterface} = {
-      matchConfig = {
-        Name = pppInterface;
-      };
-      dns = [ "::1" "127.0.0.1" ];
-      domains = [ "~." ];
-      networkConfig = {
-        LinkLocalAddressing = "no";
-        DNSSEC = true;
-      };
-    };
-
-    services.corerad = {
-      enable = true;
-      settings = {
-        interfaces = [
-          { name = pppInterface;
-            monitor = true;
-            verbose = true;
-          }
-          { name = "lan";
-            advertise = true;
-            verbose = true;
-            prefix = [{ prefix = "::/64"; }];
-            route = [{ prefix = "::/0"; }];
-            rdnss = [{ servers = ["::"]; }];
-            dnssl = [{ domain_names = ["yggdrasil"]; }];
-            # other_config = true;
-          }
-        ];
-
-        debug = {
-          address = "localhost:9430";
-          prometheus = true;
-        };
-      };
-    };
-    services.ndppd = {
-      enable = true;
-      proxies = {
-        ${pppInterface} = {
-          router = true;
-          rules = {
-            lan = {
-              method = "iface";
-              interface = "lan";
-              network = "::/0";
-            };
-          };
-        };
-      };
-    };
-    boot.kernelModules = [ "ifb" ];
-    boot.kernel.sysctl = {
-      "net.ipv6.conf.all.forwarding" = true;
-      "net.ipv6.conf.default.forwarding" = true;
-      "net.ipv4.conf.all.forwarding" = true;
-      "net.ipv4.conf.default.forwarding" = true;
-
-      "net.core.rmem_max" = 4194304;
-      "net.core.wmem_max" = 4194304;
-    };
-    systemd.services."pppd-telekom" = {
-      bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
-      after = [ "sys-subsystem-net-devices-telekom.device" ];
-    };
-    systemd.services."dhcpcd-${pppInterface}" = {
-      wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
-      bindsTo = [ "pppd-telekom.service" ];
-      after = [ "pppd-telekom.service" ];
-      wants = [ "network.target" ];
-      before = [ "network-online.target" ];
-
-      path = with pkgs; [ dhcpcd nettools openresolv ];
-      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
-
-      stopIfChanged = true;
-
-      preStart = ''
-        i=0
-
-        while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
-          ${pkgs.coreutils}/bin/sleep 0.1
-          i=$((i + 1))
-          if [[ "$i" -ge 10 ]]; then
-            exit 1
-          fi
-        done
-      '';
-
-      postStop = ''
-        for dev in lan; do
-          ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
-        done
-      '';
-
-      serviceConfig = let
-        dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
-          duid
-          vendorclassid
-          ipv6only
-
-          nooption domain_name_servers, domain_name, domain_search
-          option classless_static_routes
-          option interface_mtu
-
-          option host_name
-          option rapid_commit
-          require dhcp_server_identifier
-          slaac private
-
-          nohook resolv.conf
-          ipv6ra_autoconf
-          iaid 1195061668
-          ipv6rs                 # enable routing solicitation for WAN adapter
-          ia_pd 1 lan/0/64/0     # request a PD and assign it to the LAN
-
-          reboot 0
-
-          waitip 6
-        '';
-      in {
-        Type = "forking";
-        PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
-        RuntimeDirectory = "dhcpcd";
-        ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
-        ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
-        Restart = "always";
-        RestartSec = "5";
-      };
-    };
-    systemd.services.ndppd = {
-      wantedBy = [ "dhcpcd-${pppInterface}.service" ];
-      bindsTo = [ "dhcpcd-${pppInterface}.service" ];
-      after = [ "dhcpcd-${pppInterface}.service" ];
-
-      serviceConfig = {
-        Restart = "always";
-        RestartSec = "5";
-      };
-    };
-    systemd.services.corerad = {
-      wantedBy = [ "dhcpcd-${pppInterface}.service" ];
-      bindsTo = [ "dhcpcd-${pppInterface}.service" ];
-      after = [ "dhcpcd-${pppInterface}.service" ];
-
-      serviceConfig = {
-        Restart = lib.mkForce "always";
-        RestartSec = "5";
-      };
-    };
-    users.users.dhcpcd = {
-      isSystemUser = true;
-      group = "dhcpcd";
-    };
-    users.groups.dhcpcd = {};
-
-    systemd.services.unbound = {
-      wantedBy = [ "dhcpcd-${pppInterface}.service" ];
-      bindsTo = [ "dhcpcd-${pppInterface}.service" ];
-      after = [ "dhcpcd-${pppInterface}.service" ];
-
-      serviceConfig = {
-        Restart = lib.mkForce "always";
-      };
-    };
-  };
-}
diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets
deleted file mode 100644
index 3516de6c..00000000
--- a/hosts/vidhar/network/pap-secrets
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-        "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]",
-        "sops": {
-                "kms": null,
-                "gcp_kms": null,
-                "azure_kv": null,
-                "hc_vault": null,
-                "age": [
-                        {
-                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n"
-                        }
-                ],
-                "lastmodified": "2021-11-15T08:30:09Z",
-                "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]",
-                "pgp": [
-                        {
-                                "created_at": "2023-01-30T10:58:50Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
-                "unencrypted_suffix": "_unencrypted",
-                "version": "3.7.1"
-        }
-}
\ No newline at end of file
diff --git a/hosts/vidhar/network/pppoe/default.nix b/hosts/vidhar/network/pppoe/default.nix
new file mode 100644
index 00000000..f652c29d
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/default.nix
@@ -0,0 +1,155 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (config.networking) pppInterface;
+in {
+  options = {
+    networking.pppInterface = mkOption {
+      type = types.str;
+      default = "ppp";
+    };
+  };
+
+  config = {
+    networking.vlans = {
+      pppoe = {
+        id = 7;
+        interface = "eno2";
+      };
+    };
+
+    services.pppd = {
+      enable = true;
+      package = pkgs.ppp.overrideAttrs (oldAttrs: {
+        patches = [
+          ./no-double-timeout.patch
+        ] ++ (oldAttrs.patches or []);
+      });
+      peers = {
+        o2.config = ''
+          user DSL0004874856014@s93.bbi-o2.de
+        '';
+      };
+    };
+    systemd.services."pppd-o2" = {
+      stopIfChanged = true;
+
+      restartTriggers = with config; [
+        environment.etc."ppp/pap-secrets".source
+        environment.etc."ppp/options".source
+        environment.etc."ppp/ip-pre-up".source
+        environment.etc."ppp/ip-up".source
+        environment.etc."ppp/ip-down".source
+      ];
+
+      serviceConfig.LoadCredential = [
+        "password:${config.sops.secrets."o2-password".path}"
+      ];
+
+      bindsTo = [ "sys-subsystem-net-devices-pppoe.device" ];
+      after = [ "sys-subsystem-net-devices-pppoe.device" ];
+    };
+    sops.secrets."o2-password" = {
+      format = "binary";
+      sopsFile = ./o2-password;
+    };
+
+    environment.etc = {
+      "ppp/options".text = ''
+        nodefaultroute
+        ifname ${pppInterface}
+        lcp-echo-adaptive
+        lcp-echo-failure 10
+        lcp-echo-interval 1
+        maxfail 0
+        mtu 1492
+        mru 1492
+        plugin pppoe.so
+        pppoe-padi-timeout 1
+        pppoe-padi-attempts 10
+        nic-pppoe
+        debug
+        +ipv6
+      '';
+      "ppp/pap-secrets".text = ''
+        DSL0004874856014@s93.bbi-o2.de * @/run/credentials/pppd-o2.service/password *
+      '';
+      "ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 pkgs.ethtool ];
+        execer = [
+          "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
+          "cannot:${lib.getExe' pkgs.iproute2 "tc"}"
+        ];
+      } ''
+        ethtool -K pppoe tso off gso off gro off
+
+        ip link del "ifb4$1" || true
+        ip link add name "ifb4$1" type ifb
+        ip link set "ifb4$1" up
+
+        tc qdisc del dev "ifb4$1" root || true
+        tc qdisc del dev "$1" ingress || true
+        tc qdisc del dev "$1" root || true
+
+        tc qdisc add dev "$1" handle ffff: ingress
+        tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
+        tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 175mbit
+        tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 40mbit
+      '';
+      "ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 ];
+        execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
+      } ''
+        ip addr add "$4" peer "$5"/32 dev "$1"
+        ip route add default dev "$1" metric 512
+      '';
+      "ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
+        interpreter = pkgs.runtimeShell;
+        inputs = [ pkgs.iproute2 ];
+        execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
+      } ''
+        ip link del "ifb4$1"
+      '';
+    };
+
+    systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
+      patches = (oldAttrs.patches or []) ++ [
+        (pkgs.fetchpatch {
+          url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
+          hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
+        })
+      ];
+    });
+
+    systemd.network.networks = {
+      "40-${pppInterface}" = {
+        matchConfig.Name = pppInterface;
+        dns = [ "::1" "127.0.0.1" ];
+        domains = [ "~." ];
+        networkConfig = {
+          DHCP = true;
+          DNSSEC = true;
+        };
+        dhcpV6Config = {
+          PrefixDelegationHint = "::/64";
+          WithoutRA = "solicit";
+        };
+      };
+    };
+
+    boot.kernelModules = [ "ifb" ];
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv6.conf.default.forwarding" = true;
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+
+      "net.core.rmem_max" = 4194304;
+      "net.core.wmem_max" = 4194304;
+    };
+  };
+}
diff --git a/hosts/vidhar/network/pppoe/no-double-timeout.patch b/hosts/vidhar/network/pppoe/no-double-timeout.patch
new file mode 100644
index 00000000..53f41ae1
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/no-double-timeout.patch
@@ -0,0 +1,13 @@
+diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
+index 86bda61..8060558 100644
+--- i/pppd/plugins/pppoe/discovery.c
++++ w/pppd/plugins/pppoe/discovery.c
+@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
+        conn->discoveryState = STATE_SENT_PADI;
+        waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
+ 
+-       timeout *= 2;
++       // timeout *= 2;
+     } while (conn->discoveryState == STATE_SENT_PADI);
+ }
+ 
diff --git a/hosts/vidhar/network/pppoe/o2-password b/hosts/vidhar/network/pppoe/o2-password
new file mode 100644
index 00000000..cd3aed78
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/o2-password
@@ -0,0 +1,18 @@
+{
+        "data": "ENC[AES256_GCM,data:mxHA3rrs5Sc50jAP,iv:iW1ua7wjZR8rPwXw21TdFK+fbfosc1CmnrTG34OJ2zM=,tag:pZ/FAHupnKy0wHtF6RN7yA==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUzAvSlJkSFhhRTFLY0VO\nU1VYbFhpMEpxaFhlb2NyS0xDNU5oMm9EZzJnCm5vbTM4c3lFMU5EajhwTGd6MTVx\nZTFmNVlyaVZuRy9hL2VnWFR0TTNEemsKLS0tIDdTemNMTTllQ1pmb0JNTlVGcTlU\nWjQ2MW4yVmtvRng3TlRDbmpHdmRkbUEKtIVAq4aZD6rhtX7+67EE5eOKAtGsVpBg\nPkfjkyV8ifBEx/lwDaJSHpLPfkbI9oArTL8BloodJEEGql5PXZxtvg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUk1oZGdjL25YbGRzdFFh\nRllkcU1IM0x6a2M2S0JicDBFYnBxMWluaEFzCjJ3WHozNkw0RThCMG5BNE5uUkZa\nTnV1OHpaSkMrTk9XM1NRWmxlTmRuUFkKLS0tIE9qdXVWOG9CL0MyS1JXbzhmbVdC\nZlRBWm1SSTZWYzBDc1U4ci94a0hMcHcKLgbJSAMUJ9VaXVmYQe+Uj13KrWFe4QvJ\nRcibCyOJH/VO3rmxU8RAkx0jaH448h9klWhs583Od5yNg7GleC+/qg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2026-04-14T15:24:19Z",
+                "mac": "ENC[AES256_GCM,data:/dr0bXAf0v5K9LdKw7RzTTL8Qw/WqiHqLk0EbahDnFg3cVplV0s+ImCnxmhutv3hxdtMZ2dmLBfb8CYb/ZLc4HtNT/K2iKGQM7pF4+XxIjS35Q1JUcXxLrsGZcpARuCZ0AJnKo8yFgtM64dYcbxHlRwGG4u4Ds9fEHHLUMigNM0=,iv:jfFlfscUB7S1JjL/uBeW3uD4bugCT9Cj/vigGvGXrlA=,tag:suol02QD4jRH/QulWoV21A==,type:str]",
+                "version": "3.12.2"
+        }
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7897fb3d..5df73e2f 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
   limit lim_arp_local {
     rate over 50 mbytes/second burst 50 mbytes
   }
-  limit lim_arp_gpon {
+  limit lim_arp_ppp {
     rate over 7500 kbytes/second burst 7500 kbytes
   }
 
   counter arp-rx {}
   counter arp-tx {}
 
-  counter arp-ratelimit-gpon-rx {}
-  counter arp-ratelimit-gpon-tx {}
+  counter arp-ratelimit-ppp-rx {}
+  counter arp-ratelimit-ppp-tx {}
 
   counter arp-ratelimit-local-rx {}
   counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
     type filter hook input priority filter
     policy accept
 
-    iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
-    iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
+    iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+    iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
 
     counter name arp-rx
   }
@@ -32,8 +32,8 @@ table arp filter {
     type filter hook output priority filter
     policy accept
 
-    oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
-    oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
+    oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+    oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
 
     counter name arp-tx
   }
@@ -47,11 +47,11 @@ table inet filter {
   limit lim_icmp_local {
     rate over 50 mbytes/second burst 50 mbytes
   }
-  limit lim_icmp_gpon {
+  limit lim_icmp_ppp {
     rate over 7500 kbytes/second burst 7500 kbytes
   }
 
-  counter icmp-ratelimit-gpon-fw {}
+  counter icmp-ratelimit-ppp-fw {}
   counter icmp-ratelimit-local-fw {}
 
   counter icmp-fw {}
@@ -59,8 +59,9 @@ table inet filter {
   counter invalid-fw {}
   counter fw-lo {}
   counter fw-lan {}
-  counter fw-gpon {}
+  counter fw-ppp {}
   counter fw-kimai {}
+  counter fw-podman {}
 
   counter fw-cups {}
 
@@ -75,7 +76,7 @@ table inet filter {
   counter invalid-local4-rx {}
   counter invalid-local6-rx {}
 
-  counter icmp-ratelimit-gpon-rx {}
+  counter icmp-ratelimit-ppp-rx {}
   counter icmp-ratelimit-local-rx {}
   counter icmp-rx {}
 
@@ -97,6 +98,8 @@ table inet filter {
   counter hledger-rx {}
   counter audiobookshelf-rx {}
   counter kimai-rx {}
+  counter changedetection-rx {}
+  counter vikunja-rx {}
 
   counter established-rx {}
 
@@ -108,7 +111,7 @@ table inet filter {
 
   counter tx-lo {}
 
-  counter icmp-ratelimit-gpon-tx {}
+  counter icmp-ratelimit-ppp-tx {}
   counter icmp-ratelimit-local-tx {}
   counter icmp-tx {}
 
@@ -130,15 +133,17 @@ table inet filter {
   counter hledger-tx {}
   counter audiobookshelf-tx {}
   counter kimai-tx {}
+  counter changedetection-tx {}
+  counter vikunja-tx {}
 
   counter tx {}
 
 
   chain forward_icmp_accept {
-    oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
-    iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
-    oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-    iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+    iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+    oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
     counter name icmp-fw accept
   }
   chain forward {
@@ -151,12 +156,14 @@ table inet filter {
 
     iifname lo counter name fw-lo accept
 
-    oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-    iifname lan oifname { gpon, bifrost } counter name fw-lan accept
-    iifname ve-kimai oifname gpon counter name fw-kimai accept
+    oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+    iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
+    iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
 
-    iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
-    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+    iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
+    iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+    iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
 
     iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
     iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +187,22 @@ table inet filter {
     iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
     iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-    iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
-    iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+    iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
+    iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
     meta l4proto $icmp_protos counter name icmp-rx accept
 
-    iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
-    iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+    iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+    iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
-    iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
     iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
-    iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
-    iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+    iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
+    iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-    iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+    iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
     iifname mgmt udp dport 123 counter name ntp-rx accept
 
@@ -214,6 +221,8 @@ table inet filter {
     iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
     iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
     iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
+    iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
+    iifname bifrost tcp dport 3456 ip6 saddr $bifrost_surtr counter name vikunja-rx accept
 
     ct state { established, related } counter name established-rx accept
 
@@ -231,8 +240,8 @@ table inet filter {
 
     oifname lo counter name tx-lo accept
 
-    oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
-    oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+    oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
+    oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
     meta l4proto $icmp_protos counter name icmp-tx accept
 
 
@@ -266,6 +275,8 @@ table inet filter {
     iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
     iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
     iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
+    iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
+    iifname bifrost tcp sport 3456 ip6 daddr $bifrost_surtr counter name vikunja-tx accept
 
 
     counter name tx
@@ -273,7 +284,7 @@ table inet filter {
 }
 
 table inet nat {
-  counter gpon-nat {}
+  counter ppp-nat {}
   counter kimai-nat {}
 
   chain postrouting {
@@ -281,20 +292,20 @@ table inet nat {
     policy accept
 
 
-    meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
+    meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
+    iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
   }
 }
 
 table inet mss_clamp {
-  counter gpon-mss-clamp {}
+  counter ppp-mss-clamp {}
 
   chain postrouting {
     type filter hook postrouting priority mangle
     policy accept
 
 
-    oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
+    oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
   }
 }
 
@@ -429,7 +440,7 @@ table inet dscpclassify {
     chain postrouting {
         type filter hook postrouting priority filter + 1; policy accept
 
-        oifname != gpon return
+        oifname != @pppInterface@ return
 
         ip dscp cs0 goto ct_set_cs0
         ip dscp lephb goto ct_set_lephb