10 files changed, 433 insertions, 78 deletions

diff --git a/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
new file mode 100644
index 00000000..a5319e38
--- /dev/null
+++ b/hosts/vidhar/audiobookshelf/abs-podcast-autoplaylist-gkleen.toml
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:60OmHwuLC7RJVNNn8lsCFjIFrtDlmmT3yAm3DYn/K2b8OJB/lzKBhMUCyPpoI2lfMm6y47/DMwXI3ExH3QwfgGRf4i/Tcv7p6FCkjFgDc0RhAM7cXNSnh1gKTff8QYtPoNIzmycFCThNr7iZsPsf2/1npVaVHTnt9nTc+cmDLc+lELlvjSE00JOXch/if7KPwFww9K83XlrFmoRvwybfXR0unJqxK2XLvj+dQuKD4Bhyb88iSgu4dX1yw2uBSZBD16S4Io0DaZ+as5Yw4Kon7WMj3Jd5kz8ZxK+0NCy1CVJHOfJIwgYl0SVPp4DpbAPtJO4R/ciXyDQ/XGpoLtHjxnKXaJlJoSiA7FhuSEk+jB/peLHrYV1obdIRE5Dstly01S5cydKlfQ+A0TSjxFSWBYMEiD89sD09Br3iSJX5FejOoS8d2IQJ5faVzgQl4T5aBKsxCNNwmYrEe8m9HN7o2eer8nTKMln5IxZi3ZWhnjgJfrJ4QTXFndxCb78jo8HroN3+7VhoM136UZkqH1OMrIgAH/XSlW08G8m9MRamKsAWklq9aVflcEsPWTHmYW7rjAapQYf+jyK6BbfHcYmyKM82TFZ5iNB60Pth6EJgb2V8PZiChGvDzQvFYYOO3p9a/J8bVqsnPZBXXYcIBt42ZuRPvyyUTfM+75V1eYE9ZGFML+QlofwNCAg+/Rnl+RRy4z+8xQxd8Dn06geDpHsr4yND72FRUTKLbjxF5xfbzBRcZEXjGkyFdEAF7rB78I8xIqii+n6Yt8uEURmd4geI9KWXRQnwofTz9pklaAnRbER8zy/BJIiIYy8zecUHJn9v/DPnsnksfL6RRmG4tHaRBDbpAag0kVkCrpO/flK6dZOl/wvoVVVqT2O69a9/RpHLSV2f//ZS6L9s6vaYe4pXL0M6QymgA22sNHaws6XggJlTxVOFGRejMGYrKqVWtC+2UNbnel+/J0N1qj4luWfQaf9+1j+fq7vyLSzXYFCiyOLAznpqOhzKu6VWy2IbR0UnCoL5ZbhIba9e2MXM7Czy9Yee4xc=,iv:M0GbtFFl1XUeq+y9H+MiD+9z/ASB9hsd06KhpPzSwEo=,tag:vTLIIf+CeZN6DU25CSP8tw==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aE1XNUNCM1Q5V0d3R2JG\nbjJZTmdvQ21JbmtyR0ZmODFMdVBGejRoam1vCjMzMGdTb3BReDVCa2JJU0JrSHFP\ndTdicU5TRjIrTWpteDMzeGtDT0xaelkKLS0tIFhaSlFrbzFDUjRZV0lGR0cydVdZ\nY2xma0VSVXlTM1JucFJUSys4dlRvdEUK9gQNQEdKDDf1ikWzd6uTlE50WsfO/EB0\nGH2Ono6oNWbKWTyl/wRO8NzXx0nudwqq66s0oBLIdTMQOpIBBNI0XQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRWFqSHNlY1IvMkkwaEto\ncHZHa2p1Y25SakFkS2JYMlRFcFhnZGY1dVRFCkxSWmxvcHZMampQKzdKRHI0ZVMx\nUTFtR0pHbzFaQ0xQUFA2ZERDSWpwS0UKLS0tIFBaSGczY3VWdy9TKzRDZWZ2SElY\nbVQ4dDNhQllmVmViWGs5c3V4TmNscjQKeugevQJFAN/8JrzeAm4hm2JsQGb26BCb\n3dKYnN1kJU7oVHr1aVfXwMpELNYt9poX6WTY2h9lsdHuRlqoFXAA5Q==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-05-10T10:25:15Z",
+                "mac": "ENC[AES256_GCM,data:dhj7e+vF3uiR6I22PR5tdNdM8EyrWmGGTIqjj8H7IdNIsZBHzjeHlBDFOwN7z/JMO0BVwIi4DmhApg2BSPGsQZGDQZ28UTCC8TDtd1zmfGtSP8R8AFHADYdLK/desMtHg6BZTnLv5tpba34WWdflMNOQpwgWPZsIk/DkLaoXdvk=,iv:qkoAZngTz2sfWdxDs+h8Mb2IrkF8gqnQoR5iRoeKjbY=,tag:zXrkBJmPM4ItJxMnX8IDxQ==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/vidhar/audiobookshelf/default.nix b/hosts/vidhar/audiobookshelf/default.nix
new file mode 100644
index 00000000..136bcaff
--- /dev/null
+++ b/hosts/vidhar/audiobookshelf/default.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config = {
+    services.audiobookshelf = {
+      enable = true;
+      host = "2a03:4000:52:ada:4:1::";
+      port = 28982;
+    };
+
+    users.groups.audiobookshelf.members = [ "gkleen" ];
+
+    services.abs-podcast-autoplaylist = {
+      gkleen = {};
+    };
+    sops.secrets.${config.services.abs-podcast-autoplaylist.gkleen.configSecret} = {
+      format = "binary";
+      sopsFile = ./abs-podcast-autoplaylist-gkleen.toml;
+    };
+  };
+}
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 1af9c5e0..7da17e6f 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 
 {
   imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
     tmpfs-root zfs
     initrd-all-crypto-modules default-locale openssh rebuild-machines
     build-server
@@ -387,7 +387,7 @@ with lib;
       algorithm = "zstd";
     };
 
-    environment.systemPackages = with pkgs; [iotop vmtouch inetutils];
+    environment.systemPackages = with pkgs; [iotop vmtouch];
 
     systemd.sysusers.enable = false;
     system.stateVersion = "21.05";
diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix
new file mode 100644
index 00000000..0258697b
--- /dev/null
+++ b/hosts/vidhar/kimai/default.nix
@@ -0,0 +1,89 @@
+{ flake, config, ... }:
+
+{
+  config = {
+    boot.enableContainers = true;
+    boot.kernel.sysctl = {
+      "net.netfilter.nf_log_all_netns" = true;
+    };
+
+    containers."kimai" = {
+      autoStart = true;
+      ephemeral = true;
+      bindMounts = {
+        "/var/lib/kimai" = {
+          hostPath = "/var/lib/kimai/state";
+          isReadOnly = false;
+        };
+        "/var/lib/mysql" = {
+          hostPath = "/var/lib/kimai/mysql";
+          isReadOnly = false;
+        };
+      };
+      privateNetwork = true;
+      # forwardPorts = [
+      #   { containerPort = 80;
+      #     hostPort = 28983;
+      #   }
+      # ];
+      hostAddress = "192.168.52.113";
+      localAddress = "192.168.52.114";
+      hostAddress6 = "2a03:4000:52:ada:6::1";
+      localAddress6 = "2a03:4000:52:ada:6::2";
+      config = let hostConfig = config; in { config, pkgs, lib, ... }: {
+        system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
+        system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+        nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+
+        services.kimai.sites."kimai.yggdrasil.li" = {
+          database.socket = "/run/mysqld/mysqld.sock";
+        };
+
+        networking = {
+          useDHCP = false;
+          useNetworkd = true;
+          useHostResolvConf = false;
+          firewall.enable = false;
+          nftables = {
+            enable = true;
+            rulesetFile = ./ruleset.nft;
+          };
+        };
+
+        services.resolved.fallbackDns = [
+          "9.9.9.10#dns10.quad9.net"
+          "149.112.112.10#dns10.quad9.net"
+          "2620:fe::10#dns10.quad9.net"
+          "2620:fe::fe:10#dns10.quad9.net"
+        ];
+
+        systemd.network = {
+          networks.upstream = {
+            name = "eth0";
+            matchConfig = {
+              Name = "eth0";
+            };
+            linkConfig = {
+              RequiredForOnline = true;
+            };
+            networkConfig = {
+              Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
+              LLMNR = false;
+              MulticastDNS = false;
+            };
+            routes = [
+              { Destination = "192.168.52.113/32"; }
+              { Destination = "2a03:4000:52:ada:6::1/128"; }
+              { Destination = "0.0.0.0/0";
+                Gateway = "192.168.52.113";
+              }
+              { Destination = "::/0";
+                Gateway = "2a03:4000:52:ada:6::1";
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft
new file mode 100644
index 00000000..ad4db6d5
--- /dev/null
+++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter arp-rx {}
+  counter arp-tx {}
+
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-rx drop
+
+    counter name arp-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-tx drop
+
+    counter name arp-tx
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter invalid-fw {}
+  counter fw-lo {}
+
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+
+  counter drop-fw {}
+
+  counter invalid-rx {}
+
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+
+  counter kimai-rx {}
+
+  counter established-rx {}
+
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+
+  counter drop-rx {}
+
+  counter tx-lo {}
+
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+
+  counter kimai-tx {}
+
+  counter tx {}
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
+
+
+    iifname lo counter name fw-lo accept
+
+
+    limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "kimai: reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+
+
+    counter name drop-fw
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
+
+
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+    tcp dport 80 counter name kimai-rx accept
+
+
+    ct state { established, related } counter name established-rx accept
+
+
+    limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "kimai: reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+
+
+    counter name drop-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter name tx-lo accept
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+    tcp sport 80 counter name kimai-tx
+
+
+    counter name tx
+  }
+}
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 0643f0bb..92d755f3 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -103,7 +103,14 @@ with lib;
           /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
         '';
       };
-      settings.nfsd.vers3 = false;
+      settings.nfsd = {
+        rdma = true;
+        vers3 = false;
+        vers4 = true;
+        "vers4.0" = false;
+        "vers4.1" = false;
+        "vers4.2" = true;
+      };
     };
 
     fileSystems = {
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index 4151111d..11460393 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -1,9 +1,32 @@
-{ flake, config, pkgs, lib, ... }:
+{ flake, config, pkgs, lib, sources, ... }:
 
 with lib;
 
 let
   nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
+  tftpIp = "10.141.0.1";
+  nfsIp = tftpIp;
+  ipxe = pkgs.ipxe.override {
+    additionalTargets = {
+      "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
+    };
+    additionalOptions = [
+      "NSLOOKUP_CMD"
+      "PING_CMD"
+      "CONSOLE_CMD"
+    ];
+    embedScript = pkgs.writeText "yggdrasil.ipxe" ''
+      #!ipxe
+
+      cpair --background 9 1
+      cpair --background 9 3
+      cpair --background 9 6
+
+      set user-class iPXE-yggdrasil
+
+      autoboot
+    '';
+  };
 in {
   config = {
     services.kea = {
@@ -25,41 +48,67 @@ in {
           };
 
           client-classes = [
-            { name = "eostre-ipxe";
-              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
-              next-server = "10.141.0.1";
+            { name = "ipxe-eostre";
+              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'";
+              next-server = tftpIp;
               boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";
               only-if-required = true;
             }
-            { name = "ipxe";
-              test = "option[77].hex == 'iPXE'";
-              next-server = "10.141.0.1";
+            { name = "ipxe-yggdrasil";
+              test = "option[77].hex == 'iPXE-yggdrasil'";
+              next-server = tftpIp;
               boot-file-name = "${nfsrootBaseUrl}/installer-x86_64-linux.menu.ipxe";
               only-if-required = true;
             }
+
+            { name = "uefi-http";
+              test = "option[client-system].hex == 0x0010";
+              option-data = [
+                { name = "vendor-class-identifier"; data = "HTTPClient"; }
+              ];
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
+              only-if-required = true;
+            }
+
+            { name = "ipxe-uefi-64";
+              test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009')";
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.efi";
+              only-if-required = true;
+            }
+            { name = "ipxe-uefi-32";
+              test = "option[77].hex == 'iPXE' and (substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006')";
+              boot-file-name = "${nfsrootBaseUrl}/i386-ipxe.efi";
+              only-if-required = true;
+            }
+            { name = "ipxe-legacy";
+              test = "option[77].hex == 'iPXE' and substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
+              boot-file-name = "${nfsrootBaseUrl}/ipxe.lkrn";
+              only-if-required = true;
+            }
+
             { name = "uefi-64";
               test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
-              only-if-required = true;
               option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
               ];
               boot-file-name = "ipxe.efi";
+              only-if-required = true;
             }
             { name = "uefi-32";
               test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
-              only-if-required = true;
               option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
               ];
               boot-file-name = "i386-ipxe.efi";
+              only-if-required = true;
             }
             { name = "legacy";
               test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
-              only-if-required = true;
               option-data = [
-                { name = "tftp-server-name"; data = "10.141.0.1"; }
+                { name = "tftp-server-name"; data = tftpIp; }
               ];
-              boot-file-name = "undionly.kpxe";
+              boot-file-name = "ipxe.lkrn";
+              only-if-required = true;
             }
           ];
 
@@ -257,30 +306,31 @@ in {
               pkgs.symlinkJoin {
                 name = "installer-${system}";
                 paths = [
-                  (let
-                    installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+                  (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
+                    installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
                       modules = [
                         ({ ... }: {
-                          config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                          config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                           config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
+                          config.system.nixos.label = "installer-${system}";
                         })
                       ];
-                    }).config.system.build;
-                  in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+                    });
+                    installerBuild = installerBuild'.config.system.build;
+                  in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
                     mkdir -p $out/installer-${system}
                     install -m 0444 -t $out/installer-${system} \
                       ${installerBuild.initialRamdisk}/initrd \
                       ${installerBuild.kernel}/bzImage \
                       ${installerBuild.netbootIpxeScript}/netboot.ipxe \
                       ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
-                  ''))
-                  (pkgs.writeTextFile {
-                    name = "installer-${system}.menu.ipxe";
-                    destination = "/installer-${system}.menu.ipxe";
-                    text = ''
+                    install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
+                      #!ipxe
+
                       :start
                       menu iPXE boot menu for installer-${system}
-                      item installer Boot installer-${system}
+                      item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
+                      item memtest memtest86plus
                       item netboot netboot.xyz
                       item shell iPXE shell
                       choose --timeout 0 --default installer selected || goto shell
@@ -291,29 +341,40 @@ in {
                       goto start
 
                       :installer
-                      chain ${nfsrootBaseUrl}/installer-${system}/netboot.ipxe
+                      chain installer-${system}/netboot.ipxe
                       goto start
 
                       :netboot
-                      chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi
+                      iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
                       goto start
-                    '';
-                  })
+
+                      :memtest
+                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      goto start
+                    ''} $out/installer-${system}.menu.ipxe
+                  '')))
                 ];
               }) ["x86_64-linux"]
             ) ++ [
-              (pkgs.linkFarm "netbootxyz-efi" [
-                { name = "netboot.xyz.efi"; path = pkgs.netbootxyz-efi; }
-              ])
-              (let
-                 eostreBuild = (flake.nixosConfigurations.eostre.extendModules {
+              (pkgs.runCommandLocal "utils" {} ''
+                mkdir $out
+                install -m 0444 -t $out \
+                  ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
+                  ${pkgs.memtest86plus}/{memtest.efi,memtest.bin}
+                install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
+                install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
+              '')
+              (builtins.addErrorContext "while evaluating eostre" (let
+                 eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
                    modules = [
                      ({ ... }: {
-                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.storeDevice = "${nfsIp}:nix-store";
                        config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
+                       config.system.nixos.label = "eostre";
                      })
                    ];
-                 }).config.system.build;
+                 });
+                 eostreBuild = eostreBuild'.config.system.build;
                in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
                     mkdir -p $out/eostre
                     install -m 0444 -t $out/eostre \
@@ -321,35 +382,39 @@ in {
                       ${eostreBuild.kernel}/bzImage \
                       ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
                       ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
-                  ''))
-              (pkgs.writeTextFile {
-                name = "eostre.menu.ipxe";
-                destination = "/eostre.menu.ipxe";
-                text = ''
-                  set menu-timeout 5000
+                    install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
+                      #!ipxe
 
-                  :start
-                  menu iPXE boot menu for eostre
-                  item eostre Boot eostre
-                  item netboot netboot.xyz
-                  item shell iPXE shell
-                  choose --timeout ''${menu-timeout} --default eostre selected || goto shell
-                  goto ''${selected}
+                      set menu-timeout 5000
 
-                  :shell
-                  shell
-                  set menu-timeout 0
-                  goto start
+                      :start
+                      menu iPXE boot menu for eostre
+                      item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
+                      item memtest memtest86plus
+                      item netboot netboot.xyz
+                      item shell iPXE shell
+                      choose --timeout ''${menu-timeout} --default eostre selected || goto shell
+                      set menu-timeout 0
+                      goto ''${selected}
 
-                  :eostre
-                  chain ${nfsrootBaseUrl}/eostre/netboot.ipxe
-                  goto start
+                      :shell
+                      set menu-timeout 0
+                      shell
+                      goto start
+
+                      :eostre
+                      chain eostre/netboot.ipxe
+                      goto start
+
+                      :netboot
+                      iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
+                      goto start
 
-                  :netboot
-                  chain --autofree ${nfsrootBaseUrl}/netboot.xyz.efi
-                  goto start
-                '';
-              })
+                      :memtest
+                      iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin
+                      goto start
+                    ''} $out/eostre.menu.ipxe
+                  '')))
             ];
         };
       };
@@ -360,20 +425,12 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig.ExecStart = let
-        ipxe = pkgs.ipxe.override {
-          additionalTargets = {
-            "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
-          };
-          additionalOptions = [
-            "NSLOOKUP_CMD"
-          ];
-        };
         tftpRoot = pkgs.runCommandLocal "netboot" {} ''
           mkdir -p $out
           install -m 0444 -t $out \
-            ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
+            ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
         '';
-      in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
+      in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=${tftpIp} ${tftpRoot}";
     };
   };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 1edae167..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
   counter fw-lo {}
   counter fw-lan {}
   counter fw-gpon {}
+  counter fw-kimai {}
 
   counter fw-cups {}
 
@@ -94,6 +95,8 @@ table inet filter {
   counter immich-rx {}
   counter paperless-rx {}
   counter hledger-rx {}
+  counter audiobookshelf-rx {}
+  counter kimai-rx {}
 
   counter established-rx {}
 
@@ -125,6 +128,8 @@ table inet filter {
   counter immich-tx {}
   counter paperless-tx {}
   counter hledger-tx {}
+  counter audiobookshelf-tx {}
+  counter kimai-tx {}
 
   counter tx {}
 
@@ -148,8 +153,13 @@ table inet filter {
 
     oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
     iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname gpon counter name fw-kimai accept
 
     iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+
+    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -203,6 +213,7 @@ table inet filter {
     iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
     iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
     iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
+    iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
 
     ct state { established, related } counter name established-rx accept
 
@@ -254,6 +265,7 @@ table inet filter {
     iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
     iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
     iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
+    iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
 
 
     counter name tx
@@ -262,7 +274,7 @@ table inet filter {
 
 table inet nat {
   counter gpon-nat {}
-  # counter container-nat {}
+  counter kimai-nat {}
 
   chain postrouting {
     type nat hook postrouting priority srcnat
@@ -270,7 +282,7 @@ table inet nat {
 
 
     meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    # iifname ve-* oifname gpon counter name container-nat masquerade
+    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
   }
 }
 
diff --git a/hosts/vidhar/paperless/default.nix b/hosts/vidhar/paperless/default.nix
index 34cd18c4..dd02da38 100644
--- a/hosts/vidhar/paperless/default.nix
+++ b/hosts/vidhar/paperless/default.nix
@@ -4,7 +4,7 @@
   config = {
     services.paperless = {
       enable = true;
-      address = "[2a03:4000:52:ada:4:1::]";
+      address = "2a03:4000:52:ada:4:1::";
       passwordFile = config.sops.secrets."paperless-rootpw".path;
       settings = {
         PAPERLESS_OCR_LANGUAGE = "deu+eng";
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index d368ad52..094f9f7a 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -26,7 +26,8 @@ in {
       enable = true;
 
       extraFlags = [
-        "--enable-feature=remote-write-receiver"
+        "--web.enable-remote-write-receiver"
+        "--storage.tsdb.retention.size=35GB"
       ];
 
       exporters = {