6 files changed, 254 insertions, 7 deletions
diff --git a/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
index a5319e38..42920069 100644
--- a/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
+++ b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
@@ -1,5 +1,5 @@
 {
-        "data": "ENC[AES256_GCM,data:60OmHwuLC7RJVNNn8lsCFjIFrtDlmmT3yAm3DYn/K2b8OJB/lzKBhMUCyPpoI2lfMm6y47/DMwXI3ExH3QwfgGRf4i/Tcv7p6FCkjFgDc0RhAM7cXNSnh1gKTff8QYtPoNIzmycFCThNr7iZsPsf2/1npVaVHTnt9nTc+cmDLc+lELlvjSE00JOXch/if7KPwFww9K83XlrFmoRvwybfXR0unJqxK2XLvj+dQuKD4Bhyb88iSgu4dX1yw2uBSZBD16S4Io0DaZ+as5Yw4Kon7WMj3Jd5kz8ZxK+0NCy1CVJHOfJIwgYl0SVPp4DpbAPtJO4R/ciXyDQ/XGpoLtHjxnKXaJlJoSiA7FhuSEk+jB/peLHrYV1obdIRE5Dstly01S5cydKlfQ+A0TSjxFSWBYMEiD89sD09Br3iSJX5FejOoS8d2IQJ5faVzgQl4T5aBKsxCNNwmYrEe8m9HN7o2eer8nTKMln5IxZi3ZWhnjgJfrJ4QTXFndxCb78jo8HroN3+7VhoM136UZkqH1OMrIgAH/XSlW08G8m9MRamKsAWklq9aVflcEsPWTHmYW7rjAapQYf+jyK6BbfHcYmyKM82TFZ5iNB60Pth6EJgb2V8PZiChGvDzQvFYYOO3p9a/J8bVqsnPZBXXYcIBt42ZuRPvyyUTfM+75V1eYE9ZGFML+QlofwNCAg+/Rnl+RRy4z+8xQxd8Dn06geDpHsr4yND72FRUTKLbjxF5xfbzBRcZEXjGkyFdEAF7rB78I8xIqii+n6Yt8uEURmd4geI9KWXRQnwofTz9pklaAnRbER8zy/BJIiIYy8zecUHJn9v/DPnsnksfL6RRmG4tHaRBDbpAag0kVkCrpO/flK6dZOl/wvoVVVqT2O69a9/RpHLSV2f//ZS6L9s6vaYe4pXL0M6QymgA22sNHaws6XggJlTxVOFGRejMGYrKqVWtC+2UNbnel+/J0N1qj4luWfQaf9+1j+fq7vyLSzXYFCiyOLAznpqOhzKu6VWy2IbR0UnCoL5ZbhIba9e2MXM7Czy9Yee4xc=,iv:M0GbtFFl1XUeq+y9H+MiD+9z/ASB9hsd06KhpPzSwEo=,tag:vTLIIf+CeZN6DU25CSP8tw==,type:str]",
+        "data": "ENC[AES256_GCM,data:7STcG1J3zLHzlHi2LZgSa+pmKlYU6X1eLvjXcx7gvCuHFkXwa/ldrHdzaBXAMrQ+C+DWM4+cyhdal3ypxXueBuBEvH3P7/KofPP2A519sdZo1vDkXCzYRD3Ow74M+hX5ej6hL1mv21HayrRMPnYfH8HUWk1kd/y69EjpjvDHyCpQuw1WG5M4FDUaTd4Vh51QRCSG/Is29dEkvQowhIvNqnAR4KW9PpfjlbUPHauZ6PQLnlJmI9QCcAGJ8hHtp5T+xctTym82GAlXugTJpHnkqcxnGteu9H7UuiDMQ3aKKGYzZCpWkNHrbD1IRhzPzSjVlN2nIX3Ydp8ENNf61EGOrp5hzmV0MhwRHKfz5rE1FRVuyHcwhwBdJzfhzrL9zXZYzn9Zuf9KWwsF+1+58i9u9hPym63r4c1+RbMjNKzHc1/yhhsRDCrTwvMd/Hc6KfUi3H1wW/r02Va2bOCkYrOkWIQpBdx4ThMgkTaHr94DBMqT8n3Fzhc7+uaUsl6I9gMwTn8QCV3g4U7Mp3+/gnQLOdsCTgKr69x1iPfp7jzzbC29MWhIk+2aig+iWRMVT0n4AWIxooc3cYnfOJNtCdJwKuPUl4xNlZ22NK3XQfxBURSw0pi5KyDO1wgTVRoRJMnXZyin3bZ10OU8QKBqLp22FXpG/+mHrm3Y6yLkqfIP5ry+b86Rb7nWJlxDTwTGSoGi8sJzwNb+H9ioG7LjaSmvr7V+2aSq0+72WopAkIFSBq/yIWX3J/rNZuia6jKMY/8bSLDJz3V/YuzeUJ5feUkOS4KW1J1UkaYd6XxZ9Y8szCS/B7Ocz0YiV8fHmOzZKRn8BTmmXUIoyxO07MmwQ1shYfiVCwXjdjq2f3/CZbXNVOPvhGBYOcutUztftu3H9DRDTKrVae1TnztCVSkBSk1o52uSj0r8t6f4l1r7UG1TviOnVLVh1/6iiJVQey0m8G6ugw22zxfhI0Uea/rB70i+2UuoxrmsOfg+TgnvKBuakEBifp4rx0S5wyz05RYXkBLJTIwi2fVGmulqjZuCQNQnI3cfPI+oGcykob9IQqdo/Dwd118hNPVAwdDHyaiGXGh8eu8N2OCLQxlGZDtkVUveaEasJaZ0WWWaK97FUeoNJfUnB7Y3lNjv5u2rzviZyk4=,iv:jT21FNnHod6btDlBa3UflK3au5VmcsABs5OTMXF6oFA=,tag:Oh8cOL+edT5Wp0I1L5+vwg==,type:str]",
        "sops": {
                "age": [
                        {
@@ -11,8 +11,8 @@
                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRWFqSHNlY1IvMkkwaEto\ncHZHa2p1Y25SakFkS2JYMlRFcFhnZGY1dVRFCkxSWmxvcHZMampQKzdKRHI0ZVMx\nUTFtR0pHbzFaQ0xQUFA2ZERDSWpwS0UKLS0tIFBaSGczY3VWdy9TKzRDZWZ2SElY\nbVQ4dDNhQllmVmViWGs5c3V4TmNscjQKeugevQJFAN/8JrzeAm4hm2JsQGb26BCb\n3dKYnN1kJU7oVHr1aVfXwMpELNYt9poX6WTY2h9lsdHuRlqoFXAA5Q==\n-----END AGE ENCRYPTED FILE-----\n"
                        }
                ],
-                "lastmodified": "2025-05-10T10:25:15Z",
+                "lastmodified": "2025-08-11T07:08:36Z",
-                "mac": "ENC[AES256_GCM,data:dhj7e+vF3uiR6I22PR5tdNdM8EyrWmGGTIqjj8H7IdNIsZBHzjeHlBDFOwN7z/JMO0BVwIi4DmhApg2BSPGsQZGDQZ28UTCC8TDtd1zmfGtSP8R8AFHADYdLK/desMtHg6BZTnLv5tpba34WWdflMNOQpwgWPZsIk/DkLaoXdvk=,iv:qkoAZngTz2sfWdxDs+h8Mb2IrkF8gqnQoR5iRoeKjbY=,tag:zXrkBJmPM4ItJxMnX8IDxQ==,type:str]",
+                "mac": "ENC[AES256_GCM,data:ZL/dOz+NC8sr8vPBsux+gFOWxUhQqMSmG1az7udhB0ckmOXtnrPBzMM1gs+5pwXLvfLux0m4xzT87+o87axIECnCq35FSuMjtEBK24OUJXsLG/q/tDv5dfRBy/976dM5W7YkBVX/uc03p8CLKf5w4XYNeRKnSwjLvWGd9runDOU=,iv:9ZIeJ5aDVVPHi3/oHqWkWtEfeivV/nFFyQ1lJWJwMu8=,tag:TfkHaopMa+Z0zk38A6/NTA==,type:str]",
                "unencrypted_suffix": "_unencrypted",
                "version": "3.10.2"
        }
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index c9470ee9..547572c6 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
@@ -136,7 +136,7 @@ with lib;
      wantedBy = ["basic.target"];
      serviceConfig = {
        ExecStart = pkgs.writeShellScript "limit-pstate-start" ''
-          echo 50 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
+          echo 40 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
        '';
        RemainAfterExit = true;
        ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''
diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix
new file mode 100644
index 00000000..0258697b
--- /dev/null
+++ b/hosts/vidhar/kimai/default.nix
@@ -0,0 +1,89 @@
+{ flake, config, ... }:
+{
+  config = {
+    boot.enableContainers = true;
+    boot.kernel.sysctl = {
+      "net.netfilter.nf_log_all_netns" = true;
+    };
+    containers."kimai" = {
+      autoStart = true;
+      ephemeral = true;
+      bindMounts = {
+        "/var/lib/kimai" = {
+          hostPath = "/var/lib/kimai/state";
+          isReadOnly = false;
+        };
+        "/var/lib/mysql" = {
+          hostPath = "/var/lib/kimai/mysql";
+          isReadOnly = false;
+        };
+      };
+      privateNetwork = true;
+      # forwardPorts = [
+      #   { containerPort = 80;
+      #     hostPort = 28983;
+      #   }
+      # ];
+      hostAddress = "192.168.52.113";
+      localAddress = "192.168.52.114";
+      hostAddress6 = "2a03:4000:52:ada:6::1";
+      localAddress6 = "2a03:4000:52:ada:6::2";
+      config = let hostConfig = config; in { config, pkgs, lib, ... }: {
+        system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
+        system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+        nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+        services.kimai.sites."kimai.yggdrasil.li" = {
+          database.socket = "/run/mysqld/mysqld.sock";
+        };
+        networking = {
+          useDHCP = false;
+          useNetworkd = true;
+          useHostResolvConf = false;
+          firewall.enable = false;
+          nftables = {
+            enable = true;
+            rulesetFile = ./ruleset.nft;
+          };
+        };
+        services.resolved.fallbackDns = [
+          "9.9.9.10#dns10.quad9.net"
+          "149.112.112.10#dns10.quad9.net"
+          "2620:fe::10#dns10.quad9.net"
+          "2620:fe::fe:10#dns10.quad9.net"
+        ];
+        systemd.network = {
+          networks.upstream = {
+            name = "eth0";
+            matchConfig = {
+              Name = "eth0";
+            };
+            linkConfig = {
+              RequiredForOnline = true;
+            };
+            networkConfig = {
+              Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
+              LLMNR = false;
+              MulticastDNS = false;
+            };
+            routes = [
+              { Destination = "192.168.52.113/32"; }
+              { Destination = "2a03:4000:52:ada:6::1/128"; }
+              { Destination = "0.0.0.0/0";
+                Gateway = "192.168.52.113";
+              }
+              { Destination = "::/0";
+                Gateway = "2a03:4000:52:ada:6::1";
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft
new file mode 100644
index 00000000..ad4db6d5
--- /dev/null
+++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter arp-rx {}
+  counter arp-tx {}
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+  chain input {
+    type filter hook input priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-rx drop
+    counter name arp-rx
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    limit name lim_arp counter name arp-ratelimit-tx drop
+    counter name arp-tx
+  }
+}
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  counter invalid-fw {}
+  counter fw-lo {}
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+  counter drop-fw {}
+  counter invalid-rx {}
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+  counter kimai-rx {}
+  counter established-rx {}
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+  counter drop-rx {}
+  counter tx-lo {}
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+  counter kimai-tx {}
+  counter tx {}
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
+    iifname lo counter name fw-lo accept
+    limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "kimai: reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+    counter name drop-fw
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+    tcp dport 80 counter name kimai-rx accept
+    ct state { established, related } counter name established-rx accept
+    limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "kimai: reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+    counter name drop-rx
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    oifname lo counter name tx-lo accept
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+    tcp sport 80 counter name kimai-tx
+    counter name tx
+  }
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 6b0ac9fc..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
  counter fw-lo {}
  counter fw-lan {}
  counter fw-gpon {}
+  counter fw-kimai {}
  counter fw-cups {}
@@ -95,6 +96,7 @@ table inet filter {
  counter paperless-rx {}
  counter hledger-rx {}
  counter audiobookshelf-rx {}
+  counter kimai-rx {}
  counter established-rx {}
@@ -127,6 +129,7 @@ table inet filter {
  counter paperless-tx {}
  counter hledger-tx {}
  counter audiobookshelf-tx {}
+  counter kimai-tx {}
  counter tx {}
@@ -150,8 +153,13 @@ table inet filter {
    oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
    iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname gpon counter name fw-kimai accept
    iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -266,7 +274,7 @@ table inet filter {
 table inet nat {
  counter gpon-nat {}
-  # counter container-nat {}
+  counter kimai-nat {}
  chain postrouting {
    type nat hook postrouting priority srcnat
@@ -274,7 +282,7 @@ table inet nat {
    meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    # iifname ve-* oifname gpon counter name container-nat masquerade
+    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
  }
 }
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index b1d90d47..094f9f7a 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -27,6 +27,7 @@ in {
      extraFlags = [
        "--web.enable-remote-write-receiver"
+        "--storage.tsdb.retention.size=35GB"
      ];
      exporters = {

diff --git a/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml index a5319e38..42920069 100644 --- a/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml +++ b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
@@ -1,5 +1,5 @@
1	{	1	{
2	"data": "ENC[AES256_GCM,data:60OmHwuLC7RJVNNn8lsCFjIFrtDlmmT3yAm3DYn/K2b8OJB/lzKBhMUCyPpoI2lfMm6y47/DMwXI3ExH3QwfgGRf4i/Tcv7p6FCkjFgDc0RhAM7cXNSnh1gKTff8QYtPoNIzmycFCThNr7iZsPsf2/1npVaVHTnt9nTc+cmDLc+lELlvjSE00JOXch/if7KPwFww9K83XlrFmoRvwybfXR0unJqxK2XLvj+dQuKD4Bhyb88iSgu4dX1yw2uBSZBD16S4Io0DaZ+as5Yw4Kon7WMj3Jd5kz8ZxK+0NCy1CVJHOfJIwgYl0SVPp4DpbAPtJO4R/ciXyDQ/XGpoLtHjxnKXaJlJoSiA7FhuSEk+jB/peLHrYV1obdIRE5Dstly01S5cydKlfQ+A0TSjxFSWBYMEiD89sD09Br3iSJX5FejOoS8d2IQJ5faVzgQl4T5aBKsxCNNwmYrEe8m9HN7o2eer8nTKMln5IxZi3ZWhnjgJfrJ4QTXFndxCb78jo8HroN3+7VhoM136UZkqH1OMrIgAH/XSlW08G8m9MRamKsAWklq9aVflcEsPWTHmYW7rjAapQYf+jyK6BbfHcYmyKM82TFZ5iNB60Pth6EJgb2V8PZiChGvDzQvFYYOO3p9a/J8bVqsnPZBXXYcIBt42ZuRPvyyUTfM+75V1eYE9ZGFML+QlofwNCAg+/Rnl+RRy4z+8xQxd8Dn06geDpHsr4yND72FRUTKLbjxF5xfbzBRcZEXjGkyFdEAF7rB78I8xIqii+n6Yt8uEURmd4geI9KWXRQnwofTz9pklaAnRbER8zy/BJIiIYy8zecUHJn9v/DPnsnksfL6RRmG4tHaRBDbpAag0kVkCrpO/flK6dZOl/wvoVVVqT2O69a9/RpHLSV2f//ZS6L9s6vaYe4pXL0M6QymgA22sNHaws6XggJlTxVOFGRejMGYrKqVWtC+2UNbnel+/J0N1qj4luWfQaf9+1j+fq7vyLSzXYFCiyOLAznpqOhzKu6VWy2IbR0UnCoL5ZbhIba9e2MXM7Czy9Yee4xc=,iv:M0GbtFFl1XUeq+y9H+MiD+9z/ASB9hsd06KhpPzSwEo=,tag:vTLIIf+CeZN6DU25CSP8tw==,type:str]",	2	"data": "ENC[AES256_GCM,data:7STcG1J3zLHzlHi2LZgSa+pmKlYU6X1eLvjXcx7gvCuHFkXwa/ldrHdzaBXAMrQ+C+DWM4+cyhdal3ypxXueBuBEvH3P7/KofPP2A519sdZo1vDkXCzYRD3Ow74M+hX5ej6hL1mv21HayrRMPnYfH8HUWk1kd/y69EjpjvDHyCpQuw1WG5M4FDUaTd4Vh51QRCSG/Is29dEkvQowhIvNqnAR4KW9PpfjlbUPHauZ6PQLnlJmI9QCcAGJ8hHtp5T+xctTym82GAlXugTJpHnkqcxnGteu9H7UuiDMQ3aKKGYzZCpWkNHrbD1IRhzPzSjVlN2nIX3Ydp8ENNf61EGOrp5hzmV0MhwRHKfz5rE1FRVuyHcwhwBdJzfhzrL9zXZYzn9Zuf9KWwsF+1+58i9u9hPym63r4c1+RbMjNKzHc1/yhhsRDCrTwvMd/Hc6KfUi3H1wW/r02Va2bOCkYrOkWIQpBdx4ThMgkTaHr94DBMqT8n3Fzhc7+uaUsl6I9gMwTn8QCV3g4U7Mp3+/gnQLOdsCTgKr69x1iPfp7jzzbC29MWhIk+2aig+iWRMVT0n4AWIxooc3cYnfOJNtCdJwKuPUl4xNlZ22NK3XQfxBURSw0pi5KyDO1wgTVRoRJMnXZyin3bZ10OU8QKBqLp22FXpG/+mHrm3Y6yLkqfIP5ry+b86Rb7nWJlxDTwTGSoGi8sJzwNb+H9ioG7LjaSmvr7V+2aSq0+72WopAkIFSBq/yIWX3J/rNZuia6jKMY/8bSLDJz3V/YuzeUJ5feUkOS4KW1J1UkaYd6XxZ9Y8szCS/B7Ocz0YiV8fHmOzZKRn8BTmmXUIoyxO07MmwQ1shYfiVCwXjdjq2f3/CZbXNVOPvhGBYOcutUztftu3H9DRDTKrVae1TnztCVSkBSk1o52uSj0r8t6f4l1r7UG1TviOnVLVh1/6iiJVQey0m8G6ugw22zxfhI0Uea/rB70i+2UuoxrmsOfg+TgnvKBuakEBifp4rx0S5wyz05RYXkBLJTIwi2fVGmulqjZuCQNQnI3cfPI+oGcykob9IQqdo/Dwd118hNPVAwdDHyaiGXGh8eu8N2OCLQxlGZDtkVUveaEasJaZ0WWWaK97FUeoNJfUnB7Y3lNjv5u2rzviZyk4=,iv:jT21FNnHod6btDlBa3UflK3au5VmcsABs5OTMXF6oFA=,tag:Oh8cOL+edT5Wp0I1L5+vwg==,type:str]",
3	"sops": {	3	"sops": {
4	"age": [	4	"age": [
5	{	5	{
@@ -11,8 +11,8 @@
11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRWFqSHNlY1IvMkkwaEto\ncHZHa2p1Y25SakFkS2JYMlRFcFhnZGY1dVRFCkxSWmxvcHZMampQKzdKRHI0ZVMx\nUTFtR0pHbzFaQ0xQUFA2ZERDSWpwS0UKLS0tIFBaSGczY3VWdy9TKzRDZWZ2SElY\nbVQ4dDNhQllmVmViWGs5c3V4TmNscjQKeugevQJFAN/8JrzeAm4hm2JsQGb26BCb\n3dKYnN1kJU7oVHr1aVfXwMpELNYt9poX6WTY2h9lsdHuRlqoFXAA5Q==\n-----END AGE ENCRYPTED FILE-----\n"	11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRWFqSHNlY1IvMkkwaEto\ncHZHa2p1Y25SakFkS2JYMlRFcFhnZGY1dVRFCkxSWmxvcHZMampQKzdKRHI0ZVMx\nUTFtR0pHbzFaQ0xQUFA2ZERDSWpwS0UKLS0tIFBaSGczY3VWdy9TKzRDZWZ2SElY\nbVQ4dDNhQllmVmViWGs5c3V4TmNscjQKeugevQJFAN/8JrzeAm4hm2JsQGb26BCb\n3dKYnN1kJU7oVHr1aVfXwMpELNYt9poX6WTY2h9lsdHuRlqoFXAA5Q==\n-----END AGE ENCRYPTED FILE-----\n"
12	}	12	}
13	],	13	],
14	"lastmodified": "2025-05-10T10:25:15Z",	14	"lastmodified": "2025-08-11T07:08:36Z",
15	"mac": "ENC[AES256_GCM,data:dhj7e+vF3uiR6I22PR5tdNdM8EyrWmGGTIqjj8H7IdNIsZBHzjeHlBDFOwN7z/JMO0BVwIi4DmhApg2BSPGsQZGDQZ28UTCC8TDtd1zmfGtSP8R8AFHADYdLK/desMtHg6BZTnLv5tpba34WWdflMNOQpwgWPZsIk/DkLaoXdvk=,iv:qkoAZngTz2sfWdxDs+h8Mb2IrkF8gqnQoR5iRoeKjbY=,tag:zXrkBJmPM4ItJxMnX8IDxQ==,type:str]",	15	"mac": "ENC[AES256_GCM,data:ZL/dOz+NC8sr8vPBsux+gFOWxUhQqMSmG1az7udhB0ckmOXtnrPBzMM1gs+5pwXLvfLux0m4xzT87+o87axIECnCq35FSuMjtEBK24OUJXsLG/q/tDv5dfRBy/976dM5W7YkBVX/uc03p8CLKf5w4XYNeRKnSwjLvWGd9runDOU=,iv:9ZIeJ5aDVVPHi3/oHqWkWtEfeivV/nFFyQ1lJWJwMu8=,tag:TfkHaopMa+Z0zk38A6/NTA==,type:str]",
16	"unencrypted_suffix": "_unencrypted",	16	"unencrypted_suffix": "_unencrypted",
17	"version": "3.10.2"	17	"version": "3.10.2"
18	}	18	}


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index c9470ee9..547572c6 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4		4
5	{	5	{
6	imports = with flake.nixosModules.systemProfiles; [	6	imports = with flake.nixosModules.systemProfiles; [
7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf	7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
8	tmpfs-root zfs	8	tmpfs-root zfs
9	initrd-all-crypto-modules default-locale openssh rebuild-machines	9	initrd-all-crypto-modules default-locale openssh rebuild-machines
10	build-server	10	build-server
@@ -136,7 +136,7 @@ with lib;
136	wantedBy = ["basic.target"];	136	wantedBy = ["basic.target"];
137	serviceConfig = {	137	serviceConfig = {
138	ExecStart = pkgs.writeShellScript "limit-pstate-start" ''	138	ExecStart = pkgs.writeShellScript "limit-pstate-start" ''
139	echo 50 > /sys/devices/system/cpu/intel_pstate/max_perf_pct	139	echo 40 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
140	'';	140	'';
141	RemainAfterExit = true;	141	RemainAfterExit = true;
142	ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''	142	ExecStop = pkgs.writeShellScript "limit-pstate-stop" ''


diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix new file mode 100644 index 00000000..0258697b --- /dev/null +++ b/hosts/vidhar/kimai/default.nix
@@ -0,0 +1,89 @@
		1	{ flake, config, ... }:
		2
		3	{
		4	config = {
		5	boot.enableContainers = true;
		6	boot.kernel.sysctl = {
		7	"net.netfilter.nf_log_all_netns" = true;
		8	};
		9
		10	containers."kimai" = {
		11	autoStart = true;
		12	ephemeral = true;
		13	bindMounts = {
		14	"/var/lib/kimai" = {
		15	hostPath = "/var/lib/kimai/state";
		16	isReadOnly = false;
		17	};
		18	"/var/lib/mysql" = {
		19	hostPath = "/var/lib/kimai/mysql";
		20	isReadOnly = false;
		21	};
		22	};
		23	privateNetwork = true;
		24	# forwardPorts = [
		25	# { containerPort = 80;
		26	# hostPort = 28983;
		27	# }
		28	# ];
		29	hostAddress = "192.168.52.113";
		30	localAddress = "192.168.52.114";
		31	hostAddress6 = "2a03:4000:52:ada:6::1";
		32	localAddress6 = "2a03:4000:52:ada:6::2";
		33	config = let hostConfig = config; in { config, pkgs, lib, ... }: {
		34	system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
		35	system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
		36	nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
		37
		38	services.kimai.sites."kimai.yggdrasil.li" = {
		39	database.socket = "/run/mysqld/mysqld.sock";
		40	};
		41
		42	networking = {
		43	useDHCP = false;
		44	useNetworkd = true;
		45	useHostResolvConf = false;
		46	firewall.enable = false;
		47	nftables = {
		48	enable = true;
		49	rulesetFile = ./ruleset.nft;
		50	};
		51	};
		52
		53	services.resolved.fallbackDns = [
		54	"9.9.9.10#dns10.quad9.net"
		55	"149.112.112.10#dns10.quad9.net"
		56	"2620:fe::10#dns10.quad9.net"
		57	"2620:fe::fe:10#dns10.quad9.net"
		58	];
		59
		60	systemd.network = {
		61	networks.upstream = {
		62	name = "eth0";
		63	matchConfig = {
		64	Name = "eth0";
		65	};
		66	linkConfig = {
		67	RequiredForOnline = true;
		68	};
		69	networkConfig = {
		70	Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
		71	LLMNR = false;
		72	MulticastDNS = false;
		73	};
		74	routes = [
		75	{ Destination = "192.168.52.113/32"; }
		76	{ Destination = "2a03:4000:52:ada:6::1/128"; }
		77	{ Destination = "0.0.0.0/0";
		78	Gateway = "192.168.52.113";
		79	}
		80	{ Destination = "::/0";
		81	Gateway = "2a03:4000:52:ada:6::1";
		82	}
		83	];
		84	};
		85	};
		86	};
		87	};
		88	};
		89	}


diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft new file mode 100644 index 00000000..ad4db6d5 --- /dev/null +++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
		1	define icmp_protos = {ipv6-icmp, icmp, igmp}
		2
		3	table arp filter {
		4	limit lim_arp {
		5	rate over 50 mbytes/second burst 50 mbytes
		6	}
		7
		8	counter arp-rx {}
		9	counter arp-tx {}
		10
		11	counter arp-ratelimit-rx {}
		12	counter arp-ratelimit-tx {}
		13
		14	chain input {
		15	type filter hook input priority filter
		16	policy accept
		17
		18	limit name lim_arp counter name arp-ratelimit-rx drop
		19
		20	counter name arp-rx
		21	}
		22
		23	chain output {
		24	type filter hook output priority filter
		25	policy accept
		26
		27	limit name lim_arp counter name arp-ratelimit-tx drop
		28
		29	counter name arp-tx
		30	}
		31	}
		32
		33	table inet filter {
		34	limit lim_reject {
		35	rate over 1000/second burst 1000 packets
		36	}
		37
		38	limit lim_icmp {
		39	rate over 50 mbytes/second burst 50 mbytes
		40	}
		41
		42	counter invalid-fw {}
		43	counter fw-lo {}
		44
		45	counter reject-ratelimit-fw {}
		46	counter reject-fw {}
		47	counter reject-tcp-fw {}
		48	counter reject-icmp-fw {}
		49
		50	counter drop-fw {}
		51
		52	counter invalid-rx {}
		53
		54	counter rx-lo {}
		55	counter invalid-local4-rx {}
		56	counter invalid-local6-rx {}
		57
		58	counter icmp-ratelimit-rx {}
		59	counter icmp-rx {}
		60
		61	counter kimai-rx {}
		62
		63	counter established-rx {}
		64
		65	counter reject-ratelimit-rx {}
		66	counter reject-rx {}
		67	counter reject-tcp-rx {}
		68	counter reject-icmp-rx {}
		69
		70	counter drop-rx {}
		71
		72	counter tx-lo {}
		73
		74	counter icmp-ratelimit-tx {}
		75	counter icmp-tx {}
		76
		77	counter kimai-tx {}
		78
		79	counter tx {}
		80
		81	chain forward {
		82	type filter hook forward priority filter
		83	policy drop
		84
		85
		86	ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
		87
		88
		89	iifname lo counter name fw-lo accept
		90
		91
		92	limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
		93	log level debug prefix "kimai: reject forward: " counter name reject-fw
		94	meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
		95	ct state new counter name reject-icmp-fw reject
		96
		97
		98	counter name drop-fw
		99	}
		100
		101	chain input {
		102	type filter hook input priority filter
		103	policy drop
		104
		105
		106	ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
		107
		108
		109	iifname lo counter name rx-lo accept
		110	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
		111	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
		112
		113
		114	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
		115	meta l4proto $icmp_protos counter name icmp-rx accept
		116
		117
		118	tcp dport 80 counter name kimai-rx accept
		119
		120
		121	ct state { established, related } counter name established-rx accept
		122
		123
		124	limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
		125	log level debug prefix "kimai: reject input: " counter name reject-rx
		126	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
		127	ct state new counter name reject-icmp-rx reject
		128
		129
		130	counter name drop-rx
		131	}
		132
		133	chain output {
		134	type filter hook output priority filter
		135	policy accept
		136
		137
		138	oifname lo counter name tx-lo accept
		139
		140	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
		141	meta l4proto $icmp_protos counter name icmp-tx accept
		142
		143
		144	tcp sport 80 counter name kimai-tx
		145
		146
		147	counter name tx
		148	}
		149	}


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 6b0ac9fc..7897fb3d 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
60	counter fw-lo {}	60	counter fw-lo {}
61	counter fw-lan {}	61	counter fw-lan {}
62	counter fw-gpon {}	62	counter fw-gpon {}
		63	counter fw-kimai {}
63		64
64	counter fw-cups {}	65	counter fw-cups {}
65		66
@@ -95,6 +96,7 @@ table inet filter {
95	counter paperless-rx {}	96	counter paperless-rx {}
96	counter hledger-rx {}	97	counter hledger-rx {}
97	counter audiobookshelf-rx {}	98	counter audiobookshelf-rx {}
		99	counter kimai-rx {}
98		100
99	counter established-rx {}	101	counter established-rx {}
100		102
@@ -127,6 +129,7 @@ table inet filter {
127	counter paperless-tx {}	129	counter paperless-tx {}
128	counter hledger-tx {}	130	counter hledger-tx {}
129	counter audiobookshelf-tx {}	131	counter audiobookshelf-tx {}
		132	counter kimai-tx {}
130		133
131	counter tx {}	134	counter tx {}
132		135
@@ -150,8 +153,13 @@ table inet filter {
150		153
151	oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept	154	oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
152	iifname lan oifname { gpon, bifrost } counter name fw-lan accept	155	iifname lan oifname { gpon, bifrost } counter name fw-lan accept
		156	iifname ve-kimai oifname gpon counter name fw-kimai accept
153		157
154	iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept	158	iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
		159	iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
		160
		161	iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
		162	iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
155		163
156		164
157	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop	165	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -266,7 +274,7 @@ table inet filter {
266		274
267	table inet nat {	275	table inet nat {
268	counter gpon-nat {}	276	counter gpon-nat {}
269	# counter container-nat {}	277	counter kimai-nat {}
270		278
271	chain postrouting {	279	chain postrouting {
272	type nat hook postrouting priority srcnat	280	type nat hook postrouting priority srcnat
@@ -274,7 +282,7 @@ table inet nat {
274		282
275		283
276	meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade	284	meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
277	# iifname ve-* oifname gpon counter name container-nat masquerade	285	iifname ve-kimai oifname gpon counter name kimai-nat masquerade
278	}	286	}
279	}	287	}
280		288


diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index b1d90d47..094f9f7a 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -27,6 +27,7 @@ in {
27		27
28	extraFlags = [	28	extraFlags = [
29	"--web.enable-remote-write-receiver"	29	"--web.enable-remote-write-receiver"
		30	"--storage.tsdb.retention.size=35GB"
30	];	31	];
31		32
32	exporters = {	33	exporters = {