Diffstat (limited to 'hosts/vidhar')
-rw-r--r--hosts/vidhar/dns/default.nix89
-rw-r--r--hosts/vidhar/kimai/default.nix6
-rw-r--r--hosts/vidhar/network/default.nix31
-rw-r--r--hosts/vidhar/network/pppoe.nix200
-rw-r--r--hosts/vidhar/prometheus/default.nix40
-rw-r--r--hosts/vidhar/zfs.nix5
6 files changed, 93 insertions, 278 deletions
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 11e6f55f..14d212e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -12,73 +12,36 @@ let
12 in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir)); 12 in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
13in { 13in {
14 config = { 14 config = {
15 services.unbound = { 15 services.knot-resolver = {
16 enable = true; 16 enable = true;
17 resolveLocalQueries = false;
18 stateDir = "/var/lib/unbound";
19 localControlSocketPath = "/run/unbound/unbound.ctl";
20 enableRootTrustAnchor = false;
21 settings = { 17 settings = {
22 server = { 18 network.listen = [
23 interface = ["lo" "lan"]; 19 { interface = "lo"; }
24 prefer-ip6 = true; 20 { interface = "lan"; freebind = true; }
25 access-control = ["0.0.0.0/0 allow" "::/0 allow"]; 21 ];
26 root-hints = "${pkgs.dns-root-data}/root.hints"; 22 forward = [
27 trust-anchor-file = "${pkgs.dns-root-data}/root.key"; 23 {
28 trust-anchor-signaling = false; 24 subtree = "yggdrasil.";
29 ip-dscp = 20; 25 servers = [ { address = "::1@5353"; } ];
30 26 options.dnssec = false;
31 num-threads = 12; 27 }
32 so-reuseport = true; 28 {
33 msg-cache-slabs = 16; 29 subtree = "141.10.in-addr.arpa.";
34 rrset-cache-slabs = 16; 30 servers = [ { address = "::1@5353"; } ];
35 infra-cache-slabs = 16; 31 options.dnssec = false;
36 key-cache-slabs = 16; 32 }
37 33 {
38 rrset-cache-size = "100m"; 34 subtree = "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.";
39 msg-cache-size = "50m"; 35 servers = [ { address = "::1@5353"; } ];
40 outgoing-range = 8192; 36 options.dnssec = false;
41 num-queries-per-thread = 4096; 37 }
42 38 ];
43 so-rcvbuf = "4m";
44 so-sndbuf = "4m";
45
46 # serve-expired = true;
47 # serve-expired-ttl = 86400;
48 # serve-expired-reply-ttl = 0;
49
50 prefetch = true;
51 prefetch-key = true;
52
53 minimal-responses = false;
54
55 extended-statistics = true;
56
57 rrset-roundrobin = true;
58 use-caps-for-id = true;
59
60 do-not-query-localhost = false;
61 local-zone = [
62 "141.10.in-addr.arpa. transparent"
63 "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. transparent"
64 "yggdrasil. transparent"
65 ];
66 domain-insecure = [
67 "141.10.in-addr.arpa."
68 "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
69 "yggdrasil."
70 ];
71 };
72
73 stub-zone = map (name: {
74 inherit name;
75 stub-addr = "127.0.0.1@5353";
76 stub-first = true;
77 stub-no-cache = true;
78 stub-prime = false;
79 }) ["yggdrasil." "arpa.in-addr.10.141." "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."];
80 }; 39 };
81 }; 40 };
41 fileSystems."/var/cache/knot-resolver" = {
42 fsType = "tmpfs";
43 options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
44 };
82 45
83 systemd.services.knot = { 46 systemd.services.knot = {
84 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; 47 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
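Review bot: The new `services.knot-resolver.settings` block has no `dnssec` section, whereas the removed unbound block pinned `trust-anchor-file = "${pkgs.dns-root-data}/root.key"`; validation on the new resolver therefore depends entirely on knot-resolver's defaults (validation on with a managed root key in current releases, as far as I can tell), which should be made explicit so a default change cannot silently turn validation off, e.g. a `dnssec.trust-anchors-files` entry pointing at a root key file from `pkgs.dns-root-data` marked read-only, or at minimum a comment `# DNSSEC validation relies on knot-resolver defaults (managed root trust anchor)`. The forwarding targets also moved from `127.0.0.1@5353` to `::1@5353`; the authoritative server's listen addresses are outside this diff, so confirm it binds `[::1]:5353`, otherwise the `yggdrasil.` and reverse subtrees will stop resolving. The `options.dnssec = false` on those three subtrees matches the removed `domain-insecure` list, so no regression there.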
diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix
index 0258697b..4d1057a9 100644
--- a/hosts/vidhar/kimai/default.nix
+++ b/hosts/vidhar/kimai/default.nix
@@ -6,6 +6,10 @@
6 boot.kernel.sysctl = { 6 boot.kernel.sysctl = {
7 "net.netfilter.nf_log_all_netns" = true; 7 "net.netfilter.nf_log_all_netns" = true;
8 }; 8 };
9 systemd.network = {
10 networks."80-container-ve".enable = false;
11 links."80-container-ve".enable = false;
12 };
9 13
10 containers."kimai" = { 14 containers."kimai" = {
11 autoStart = true; 15 autoStart = true;
@@ -50,7 +54,7 @@
50 }; 54 };
51 }; 55 };
52 56
53 services.resolved.fallbackDns = [ 57 services.resolved.settings.Resolve.FallbackDns = [
54 "9.9.9.10#dns10.quad9.net" 58 "9.9.9.10#dns10.quad9.net"
55 "149.112.112.10#dns10.quad9.net" 59 "149.112.112.10#dns10.quad9.net"
56 "2620:fe::10#dns10.quad9.net" 60 "2620:fe::10#dns10.quad9.net"
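Review bot: The `#dns10.quad9.net` suffix on these `FallbackDns` entries only authenticates the upstream when DNS-over-TLS is enabled in the same `Resolve` section, which this hunk does not show; with `DNSOverTLS` unset, resolved ignores the name and queries the fallback servers in cleartext. If DoT is configured elsewhere in the file this is fine, but co-locating `settings.Resolve.DNSOverTLS = "yes";` next to this list would make the dependency visible and keep it together through option renames like this one. The list continues past the end of the hunk.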
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 6fcef9d8..02a8d648 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -78,16 +78,29 @@ with lib;
78 78
79 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds"; 79 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds";
80 80
81 systemd.network.networks = { 81 systemd.network = {
82 "eno1" = { 82 networks = {
83 matchConfig.Name = "eno1"; 83 "eno1" = {
84 linkConfig = { 84 matchConfig.Name = "eno1";
85 ActivationPolicy = "down"; 85 linkConfig = {
86 ActivationPolicy = "down";
87 };
88 };
89 "eno2" = {
90 matchConfig.Name = "eno2";
91 networkConfig.LinkLocalAddressing = "no";
92 };
93 "40-lan" = {
94 matchConfig.Name = "lan";
95 networkConfig = {
96 IPv6SendRA = true;
97 DHCPPrefixDelegation = true;
98 };
99 ipv6SendRAConfig = {
100 DNS = "_link_local";
101 Domains = ["lan.yggdrasil" "yggdrasil"];
102 };
86 }; 103 };
87 };
88 "eno2" = {
89 matchConfig.Name = "eno2";
90 networkConfig.LinkLocalAddressing = "no";
91 }; 104 };
92 }; 105 };
93 106
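Review bot: The new `40-lan` network turns on `IPv6SendRA`, while `services.corerad` is also enabled for this host (see the prometheus/default.nix section of this commit) and the radvd unit removed in pppoe.nix used to advertise on `lan`; if corerad still advertises on `lan`, two RA senders will now announce the delegated prefix with possibly different lifetimes and RDNSS, which defeats prefix deprecation when the PD changes. Confirm corerad's interface list (outside this diff) excludes `lan`, or drop `IPv6SendRA`/`ipv6SendRAConfig` here and keep a single RA source. `DNS = "_link_local"` also means clients are pointed at this host's fe80:: address, so the resolver must listen on the link-local address of `lan`; a comment such as `# RDNSS advertises our link-local address; the resolver must listen on lan` would record that coupling.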
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
index 6b4942a6..7b342b69 100644
--- a/hosts/vidhar/network/pppoe.nix
+++ b/hosts/vidhar/network/pppoe.nix
@@ -102,33 +102,31 @@ in {
102 ''; 102 '';
103 }; 103 };
104 104
105 systemd.network.networks.${pppInterface} = { 105 systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
106 matchConfig = { 106 patches = (oldAttrs.patches or []) ++ [
107 Name = pppInterface; 107 (pkgs.fetchpatch {
108 }; 108 url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
109 dns = [ "::1" "127.0.0.1" ]; 109 hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
110 domains = [ "~." ]; 110 })
111 networkConfig = { 111 ];
112 LinkLocalAddressing = "no"; 112 });
113 DNSSEC = true; 113
114 }; 114 systemd.network.networks = {
115 }; 115 "40-${pppInterface}" = {
116 116 matchConfig.Name = pppInterface;
117 services.ndppd = { 117 dns = [ "::1" "127.0.0.1" ];
118 enable = true; 118 domains = [ "~." ];
119 proxies = { 119 networkConfig = {
120 ${pppInterface} = { 120 DHCP = true;
121 router = true; 121 DNSSEC = true;
122 rules = { 122 };
123 lan = { 123 dhcpV6Config = {
124 method = "iface"; 124 PrefixDelegationHint = "::/64";
125 interface = "lan"; 125 WithoutRA = "solicit";
126 network = "::/0";
127 };
128 };
129 }; 126 };
130 }; 127 };
131 }; 128 };
129
132 boot.kernelModules = [ "ifb" ]; 130 boot.kernelModules = [ "ifb" ];
133 boot.kernel.sysctl = { 131 boot.kernel.sysctl = {
134 "net.ipv6.conf.all.forwarding" = true; 132 "net.ipv6.conf.all.forwarding" = true;
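Review bot: The new `40-${pppInterface}` network sets `DHCP = true` but leaves `dhcpV6Config.UseDNS`/`UseNTP`/`UseDomains` at their defaults (yes), so resolvers and search domains handed out by the ISP's DHCPv6 server are added to this link alongside `::1`/`127.0.0.1`, and with `domains = [ "~." ]` resolved will route queries to the ISP servers as well, bypassing the local validating resolver; the removed dhcpcd config explicitly had `nooption domain_name_servers, domain_name, domain_search, ntp_servers` and `ipv6only`. I would add `UseDNS = false; UseNTP = false; UseDomains = false;` to `dhcpV6Config` and use `DHCP = "ipv6";` so no DHCPv4 client runs on the PPP link where IPv4 comes from IPCP. The patched `systemd.package` (fetched by commit from a fork, content-pinned by `hash`) deserves a one-line comment naming what the patch fixes and the upstream PR it tracks, since it rebuilds systemd for the whole host and should be dropped once merged.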
@@ -143,159 +141,5 @@ in {
143 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; 141 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
144 after = [ "sys-subsystem-net-devices-telekom.device" ]; 142 after = [ "sys-subsystem-net-devices-telekom.device" ];
145 }; 143 };
146
147 networking.interfaces.${pppInterface}.useDHCP = true;
148 networking.dhcpcd = {
149 enable = true;
150 persistent = false;
151 setHostname = false;
152 wait = "ipv6";
153 IPv6rs = false;
154
155 extraConfig = ''
156 duid
157 vendorclassid
158 ipv6only
159
160 require dhcp_server_identifier
161
162 reboot 0
163
164 interface ${pppInterface}
165 nooption domain_name_servers, domain_name, domain_search, ntp_servers
166 nohook hostname, resolv.conf
167 option rapid_commit
168
169 ipv6rs
170
171 ia_pd 1 lan/0/64/0
172 '';
173 };
174 systemd.services.dhcpcd = {
175 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
176 bindsTo = [ "pppd-telekom.service" ];
177 after = [ "pppd-telekom.service" ];
178 wants = [ "network.target" ];
179 before = [ "network-online.target" ];
180
181 serviceConfig = {
182 ExecStartPre = [
183 (pkgs.resholve.writeScript "wait-${pppInterface}-ip" {
184 interpreter = pkgs.runtimeShell;
185 inputs = with pkgs; [ iproute2 coreutils ];
186 execer = [
187 "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
188 ];
189 } ''
190 i=0
191
192 while [[ -z "$(ip -6 addr show dev ${pppInterface} scope link)" ]]; do
193 sleep 0.1
194 i=$((i + 1))
195 if [[ "$i" -ge 10 ]]; then
196 exit 1
197 fi
198 done
199 '')
200 ];
201
202 RestartSec = "5";
203 };
204 };
205 systemd.services.ndppd = {
206 wantedBy = [ "dhcpcd.service" ];
207 bindsTo = [ "dhcpcd.service" ];
208 after = [ "dhcpcd.service" ];
209
210 serviceConfig = {
211 Restart = "always";
212 RestartSec = "5";
213 };
214 };
215 systemd.services.radvd = {
216 wantedBy = [ "dhcpcd.service" "multi-user.target" ];
217 bindsTo = [ "dhcpcd.service" ];
218 after = [ "dhcpcd.service" "network.target" ];
219
220 serviceConfig = {
221 Restart = "always";
222 RestartSec = "5";
223 DynamicUser = true;
224 AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_RAW"];
225 CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];
226 RuntimeDirectory = "radvd";
227 PIDFile = "$RUNTIME_DIRECTORY/radvd.pid";
228 ExecStart = pkgs.writers.writePython3 "radvd-genconfig" {
229 libraries = with pkgs.python3Packages; [ jinja2 ];
230 doCheck = false;
231 } ''
232 import os
233 import sys
234 from tempfile import NamedTemporaryFile
235 import subprocess
236 import json
237 import jinja2
238 from pathlib import Path
239 from ipaddress import IPv6Network
240
241
242 def network_address(value, prefixlen):
243 return IPv6Network(value + "/" + str(prefixlen), strict=False).network_address
244
245
246 with subprocess.Popen(["${lib.getExe' pkgs.iproute2 "ip"}", "-j", "addr", "show", "dev", "lan"], stdout=subprocess.PIPE) as proc:
247 addresses = json.load(proc.stdout)
248
249 global_addresses = [ addr for addr in addresses[0]["addr_info"] if addr["family"] == "inet6" and addr["scope"] == "global" ]
250
251 if not global_addresses:
252 sys.exit(1)
253
254 with NamedTemporaryFile(mode='w', dir=os.environ["RUNTIME_DIRECTORY"], prefix="radvd.", suffix=".conf", delete=False) as fh:
255 config_file = fh.name
256 env = jinja2.Environment(
257 loader = jinja2.FileSystemLoader("${pkgs.writeTextDir "radvd.conf.jinja2" ''
258 interface lan {
259 IgnoreIfMissing off;
260 AdvSendAdvert on;
261 MaxRtrAdvInterval 240;
262 {% for addr in addrs %}
263 prefix {{addr["local"] | network_address(addr["prefixlen"])}}/{{addr["prefixlen"]}} {
264 AdvValidLifetime 86400;
265 AdvPreferredLifetime 300;
266 DeprecatePrefix on;
267 };
268 route {{addr["local"] | network_address(56)}}/56 {
269 AdvRouteLifetime 300;
270 RemoveRoute on;
271 };
272 RDNSS {{addr["local"]}} {
273 AdvRDNSSLifetime 300;
274 };
275 {%- endfor %}
276 DNSSL yggdrasil {};
277 };
278 ''}"),
279 autoescape = False,
280 )
281 env.filters["network_address"] = network_address
282 env.get_template("radvd.conf.jinja2").stream({
283 "addrs": global_addresses,
284 }).dump(fh)
285
286 os.execv("${lib.getExe' pkgs.radvd "radvd"}", ["radvd", "-n", "-p", str(Path(os.environ["RUNTIME_DIRECTORY"]) / "radvd.pid"), "-d", "1", "-C", config_file])
287 '';
288 };
289 };
290
291 systemd.services.unbound = {
292 wantedBy = [ "dhcpcd.service" ];
293 bindsTo = [ "dhcpcd.service" ];
294 after = [ "dhcpcd.service" ];
295
296 serviceConfig = {
297 Restart = lib.mkForce "always";
298 };
299 };
300 }; 144 };
301} 145}
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 4a5fa3c8..35942c53 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -39,11 +39,6 @@ in {
39 enable = true; 39 enable = true;
40 configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml"; 40 configurationPath = pkgs.copyPathToStore "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
41 }; 41 };
42 unbound = {
43 enable = true;
44 unbound.host = "unix:///run/unbound/unbound.ctl";
45 group = config.services.unbound.group;
46 };
47 wireguard = { 42 wireguard = {
48 enable = true; 43 enable = true;
49 wireguardConfig = 44 wireguardConfig =
@@ -164,10 +159,11 @@ in {
164 ]; 159 ];
165 scrape_interval = "10s"; 160 scrape_interval = "10s";
166 } 161 }
167 { job_name = "unbound"; 162 { job_name = "knot-resolver";
168 static_configs = [ 163 static_configs = [
169 { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; } 164 { targets = ["localhost:9167"]; }
170 ]; 165 ];
166 metrics_path = "/metrics/prometheus";
171 relabel_configs = relabelHosts; 167 relabel_configs = relabelHosts;
172 scrape_interval = "1s"; 168 scrape_interval = "1s";
173 } 169 }
@@ -241,7 +237,7 @@ in {
241 [ { source_labels = ["__param_target"]; 237 [ { source_labels = ["__param_target"];
242 target_label = "job"; 238 target_label = "job";
243 regex = "127\.0\.0\.1:53"; 239 regex = "127\.0\.0\.1:53";
244 replacement = "unbound.dns_soa"; 240 replacement = "knot-resolver.dns_soa";
245 } 241 }
246 { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}"; 242 { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
247 target_label = "__address__"; 243 target_label = "__address__";
@@ -332,20 +328,6 @@ in {
332 }; 328 };
333 }; 329 };
334 330
335 users.users.${config.services.prometheus.exporters.unbound.user} = {
336 description = "Prometheus unbound exporter service user";
337 isSystemUser = true;
338 group = config.services.unbound.group;
339 };
340 systemd.services."prometheus-unbound-exporter" = {
341 wantedBy = [ "unbound.service" ];
342 serviceConfig = {
343 DynamicUser = false;
344 Restart = lib.mkForce "always";
345 RestartSec = "5";
346 };
347 };
348
349 systemd.services."prometheus-nftables-exporter" = { 331 systemd.services."prometheus-nftables-exporter" = {
350 wantedBy = [ "multi-user.target" ]; 332 wantedBy = [ "multi-user.target" ];
351 after = [ "network.target" ]; 333 after = [ "network.target" ];
@@ -501,6 +483,20 @@ in {
501 sopsFile = ./zte_dsl01.mgmt.yggdrasil; 483 sopsFile = ./zte_dsl01.mgmt.yggdrasil;
502 }; 484 };
503 485
486 systemd.sockets."prometheus-knot-resolver-exporter" = {
487 unitConfig.WantedBy = [ "sockets.target" ];
488 socketConfig.ListenStream = "[::1]:9167";
489 };
490 systemd.services."prometheus-knot-resolver-exporter" = {
491 unitConfig = {
492 BindsTo = [ "knot-resolver.service" ];
493 };
494 serviceConfig = {
495 Type = "notify";
496 ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd /run/knot-resolver/kres-api.sock";
497 };
498 };
499
504 services.corerad = { 500 services.corerad = {
505 enable = true; 501 enable = true;
506 settings = { 502 settings = {
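Review bot: `systemd-socket-proxyd` on `[::1]:9167` re-exposes `/run/knot-resolver/kres-api.sock`, which by its path looks like the Knot Resolver manager's control API; that API is unauthenticated and, besides `/metrics/prometheus`, accepts configuration changes and reload/stop commands, so proxying it to a TCP port makes it reachable by every local user and process instead of only those with permissions on the socket file. If the goal is metrics only, consider restricting the port to the prometheus uid with an nftables `meta skuid` rule, or at least add a comment documenting that any local user can drive the resolver through this port. Separately, `unitConfig.WantedBy` places `WantedBy=` in the `[Unit]` section, where systemd rejects it as an unknown key, so the socket will not be pulled in at boot; use the NixOS install option `wantedBy = [ "sockets.target" ];` instead.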
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 9d667fd6..4b009c0d 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -44,11 +44,6 @@ with lib;
44 fsType = "zfs"; 44 fsType = "zfs";
45 }; 45 };
46 46
47 # "/var/lib/unbound" =
48 # { device = "ssd-raid1/local/var-lib-unbound";
49 # fsType = "zfs";
50 # };
51
52 # "/var/lib/dhcp" = 47 # "/var/lib/dhcp" =
53 # { device = "ssd-raid1/local/var-lib-dhcp"; 48 # { device = "ssd-raid1/local/var-lib-dhcp";
54 # fsType = "zfs"; 49 # fsType = "zfs";