From 2a45b6837ea381c893d0ebde2f8cce2897331c35 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 24 May 2025 20:26:52 +0200
Subject: kimai
---
 _sources/generated.json | 6 +-
 _sources/generated.nix | 6 +-
 hosts/surtr/bifrost/default.nix | 4 +-
 hosts/surtr/default.nix | 2 +-
 hosts/surtr/dns/default.nix | 2 +-
 hosts/surtr/dns/keys/kimai.yggdrasil.li_acme | 19 ++++
 hosts/surtr/dns/zones/li.yggdrasil.soa | 10 +-
 hosts/surtr/kimai.nix | 66 ++++++++++++
 hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li | 19 ++++
 hosts/vidhar/default.nix | 2 +-
 hosts/vidhar/kimai/default.nix | 89 ++++++++++++++++
 hosts/vidhar/kimai/ruleset.nft | 149 +++++++++++++++++++++++++++
 hosts/vidhar/network/ruleset.nft | 12 ++-
 13 files changed, 373 insertions(+), 13 deletions(-)
 create mode 100644 hosts/surtr/dns/keys/kimai.yggdrasil.li_acme
 create mode 100644 hosts/surtr/kimai.nix
 create mode 100644 hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li
 create mode 100644 hosts/vidhar/kimai/default.nix
 create mode 100644 hosts/vidhar/kimai/ruleset.nft
diff --git a/_sources/generated.json b/_sources/generated.json
index be1e12e9..d98f141f 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -486,10 +486,10 @@ "pinned": false, "src": { "name": null, - "sha256": "sha256-0BNn0MOulONcseLsy3p8cOGBxMpEj07iN08mSJ0mNgM=", + "sha256": "sha256-6nOFTF2rwSTymjWo+um8XUIu8yMb6+6ivfqCrBkanCk=", "type": "url", - "url": "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.4.30.tar.gz" + "url": "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.5.22.tar.gz" }, - "version": "2025.4.30" + "version": "2025.5.22" } }
\ No newline at end of file
diff --git a/_sources/generated.nix b/_sources/generated.nix
index ff85bc0d..3bf73fed 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -294,10 +294,10 @@ }; yt-dlp = { pname = "yt-dlp"; - version = "2025.4.30"; + version = "2025.5.22"; src = fetchurl { - url = "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.4.30.tar.gz"; - sha256 = "sha256-0BNn0MOulONcseLsy3p8cOGBxMpEj07iN08mSJ0mNgM="; + url = "https://pypi.org/packages/source/y/yt_dlp/yt_dlp-2025.5.22.tar.gz"; + sha256 = "sha256-6nOFTF2rwSTymjWo+um8XUIu8yMb6+6ivfqCrBkanCk="; }; }; }
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index fbfde757..52ab43f5 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -18,7 +18,7 @@ in {
 ListenPort = 51822;
 };
 wireguardPeers = [
- { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+ { AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" "2a03:4000:52:ada:6::/80" ];
 PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
 }
 ];
@@ -34,6 +34,8 @@ in {
 routes = [
 { Destination = "2a03:4000:52:ada:4::/80";
 }
+ { Destination = "2a03:4000:52:ada:6::/80";
+ }
 ];
 linkConfig = {
 RequiredForOnline = false;
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index d420040a..9d3101c0 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -7,7 +7,7 @@ with lib; tmpfs-root qemu-guest openssh rebuild-machines zfs ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql ./prometheus ./email ./vpn ./borg.nix ./etebase ./immich.nix
- ./paperless.nix ./hledger.nix ./audiobookshelf.nix
+ ./paperless.nix ./hledger.nix ./audiobookshelf.nix ./kimai.nix
 ]; config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 7aa3fb00..8aca2b97 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
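Review bot: The new `"2a03:4000:52:ada:6::/80"` AllowedIPs entry (and the matching route in the second hunk) carries no hint of what the prefix is; nothing in this file says it is the container network on vidhar, whose only occupants so far are `2a03:4000:52:ada:6::1` and `2a03:4000:52:ada:6::2` in hosts/vidhar/kimai/default.nix. A comment on the AllowedIPs line, `# 2a03:4000:52:ada:6::/80: vidhar container network (kimai)`, keeps the WireGuard cryptokey routing readable when the next container lands in the same /80. Both hunks' enclosing attribute sets start and end outside the hunk.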
@@ -157,7 +157,7 @@ in {
 ${concatMapStringsSep "\n" mkZone [
 { domain = "yggdrasil.li";
 addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
- acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li"];
+ acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li" "etesync.yggdrasil.li" "immich.yggdrasil.li" "app.etesync.yggdrasil.li" "paperless.yggdrasil.li" "hledger.yggdrasil.li" "audiobookshelf.yggdrasil.li" "kimai.yggdrasil.li"];
 }
 { domain = "nights.email";
 addACLs = { "nights.email" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme b/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme
new file mode 100644
index 00000000..bdfb135a
--- /dev/null
+++ b/hosts/surtr/dns/keys/kimai.yggdrasil.li_acme
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:sKFt4pH0Xn7Qm6JFMg/2N7Ht7jtMJukfN+U3dQaoYXPbhRJ+heEtDpXV/WP4AlfbfpIOgTPW3mcmQCwKFNhS00vEsQA4728FfXZzDDmZCa3hwg51wDbL7XUOr0OePgzi86lt0Q193K6CkGqEAa1vFIb//ElEfBYIwdATbmcoAsM3mHhz58X7c1qf8LNuB93o/1N2xXXZI3NWOhOjlviTc2DAhffXDwlMJSYUhldnwtDKmLM1mooJzLgm2p9w7gRD7WPqEqZFq9uFDK69P9uX5T9hFHg=,iv:rAE4sYxxLou4tyD4RWTp3LjQP0cya95coy1MvwfEK/U=,tag:u4SSk8SZFlj0ks7d6tDocw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2KzdNUWhEcDB6QmtUTnVh\nNS9Nc2I4UjAzekxhRXo1UmY3SklPejV1TURJCm9NY2lVOERoMDFKTU56Mmh1NHEr\naGV4M1RoVldHV0xyc3Z0MnVqakpjMFUKLS0tIEYxSk9OUm9kMkdtcG5POWRGQVkx\nY1FEaXYwMGo0L0Z0aTVTZDA5aUFDWEUKJ+e/7lR/rNPNVnIy+wkiKiAYMxWp4L7q\nwnSTx451vSnxv9j3JWB43Y7XQC08cisWDj06ULw8FnEbKYOvTYj9mQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwOTU3dUEzaXM5T1VkbDRO\nMm14OG1mUkk2bDRhdnBsMHBkc3kvUzlyNlQwCktFSHJhMnhoQ2J6bC9vUHNLWTRC\nRFpYeHo3N2xjWUhjQnRwQ2Nrc1pRUmsKLS0tIDdPeFBVdkxDd1JWSmcxQ0tLMTBD\ncHU3VExZOUhYUlJvbGNoK3FMK2VIbGMKFk94P9aBY04CPIi983f3Aalgh4fnU+/K\n2mxawSMf9jz8704N5XJfmr2hwNy8hqLIn8bjsEMAPTfE1YBGga4w0g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-24T09:42:23Z", + "mac": "ENC[AES256_GCM,data:diCeJGvBmM0Ng722eKoFwDe7pqZrdLPSLn5j9LfdaFI64BAbSbA5bAq4NFXqdJ1vttarD2A5rEafYoXUxP8228x2GhNyWUGW5AWgBjVPUc59gjs4wYKR5HlkVMIadhTwNheEyoEjrxX40GNBgCG7X3ocOtOYKbKECp433gdAPDg=,iv:d+yJMWj2RyFnveo2ZNrpNeV+amXM+H7vdC0A2F7mwjA=,tag:yjibG2iusdprp0ORghYWhw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 7273827b..ebb298b4 100644 
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2025050900 ; serial
+ 2025052400 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -101,6 +101,14 @@ _acme-challenge.audiobookshelf IN NS ns.yggdrasil.li. audiobookshelf IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+kimai IN A 202.61.241.61
+kimai IN AAAA 2a03:4000:52:ada::
+kimai IN MX 0 surtr.yggdrasil.li
+kimai IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
+_acme-challenge.kimai IN NS ns.yggdrasil.li.
+
+kimai IN HTTPS 1 . alpn="h2,h3" ipv4hint="202.61.241.61" ipv6hint="2a03:4000:52:ada::"
+
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/kimai.nix b/hosts/surtr/kimai.nix
new file mode 100644
index 00000000..a3712bb2
--- /dev/null
+++ b/hosts/surtr/kimai.nix
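Review bot: `kimai IN MX 0 surtr.yggdrasil.li` has no trailing dot, and under the file's `$ORIGIN yggdrasil.li.` a standard master-file parser treats an unqualified MX target as relative to the origin, which would yield `surtr.yggdrasil.li.yggdrasil.li.`. The existing `vidhar IN MX 0 ymir.yggdrasil.li` context line has the same shape, so the zone may be post-processed by mkZone in hosts/surtr/dns/default.nix before it is served; that is worth confirming on the live answer for `kimai.yggdrasil.li` rather than assumed, and if it is not handled there, `kimai IN MX 0 surtr.yggdrasil.li.` is the fix. The `redirect=surtr.yggdrasil.li` inside the TXT record is a quoted string and is not subject to origin expansion.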
@@ -0,0 +1,66 @@
+{ config, ... }:
+
+{
+ config = {
+ security.acme.rfc2136Domains = {
+ "kimai.yggdrasil.li" = {
+ restartUnits = ["nginx.service"];
+ };
+ };
+
+ services.nginx = {
+ upstreams."kimai" = {
+ servers = {
+ "[2a03:4000:52:ada:6::2]:80" = {};
+ };
+ extraConfig = ''
+ keepalive 8;
+ '';
+ };
+ virtualHosts = {
+ "kimai.yggdrasil.li" = {
+ kTLS = true;
+ http3 = true;
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/kimai.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/kimai.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/kimai.yggdrasil.li.chain.pem";
+ extraConfig = ''
+ charset utf-8;
+ '';
+
+ locations = {
+ "/".extraConfig = ''
+ proxy_pass http://kimai;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ client_max_body_size 0;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ LoadCredential = [
+ "kimai.yggdrasil.li.key.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/key.pem"
+ "kimai.yggdrasil.li.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/fullchain.pem"
+ "kimai.yggdrasil.li.chain.pem:${config.security.acme.certs."kimai.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li b/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li
new file mode 100644
index 00000000..b9199975
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/kimai.yggdrasil.li
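Review bot: `proxy_set_header Connection "upgrade";` is sent on every request, which defeats the `keepalive 8;` declared in the upstream block (nginx reuses upstream connections only when the Connection header is cleared) and hands Kimai a bare `Connection: upgrade` on ordinary requests that carry no Upgrade header. Nothing on this page shows Kimai needing WebSocket upgrades; if it does not, replace the two Upgrade/Connection lines with `proxy_set_header Connection "";`, and if it does, feed the header from a `map $http_upgrade $connection_upgrade` so plain requests get `""` and upgrades get `upgrade`. Separately, `client_max_body_size 0;` together with `proxy_request_buffering off;` removes nginx's request-size limit entirely on an internet-facing vhost, leaving whatever Kimai enforces as the only cap; a finite value sized to the largest expected upload keeps that check at the edge.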
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:ATcU3Ix7o5d/49rD5H8je1ozTjoghrloMh5DIZ5WE3oYauUAknpGfr9xq92V,iv:vy9YK5Ot7CCjMtgAGVeAUQuaSw4F5kmmZ0GJYV9kCdQ=,tag:F/MXTUM2AI1fGXa9Ewn8yQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMEF0cUdydERYVzJCa3pW\nTlo0NUFON0d5RGJFVnVTNVg3cjNEUERQMEdFClEvQW5odlNEd2F1VTFmMWQrL2RB\ncllFZVpIVVJrNTJsSGF4UEdZMnVmQzAKLS0tIFUrQkkzRVZiOFNiTnFCT1pEYVRM\nQm8wV1JkQ3RrR1dkL0FsNkhsY2kxa1kKGnAo/6oibgXexUU31THdLu6X+pRtrkjD\nZnXGPZ2xaESDVUVEYQPVpNrjt9brZGJBI1BasrkEwHAXMbJC236yYQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MGs1Z2ZqK2pqWHdVYTJH\naTlncHdPa3Zld0JhQW5Ccmc1SStWSnlDR0JrCmpML2d4TGdldUdoZCtaWVpPZVl0\nVm4waWVBS1orRS90ZS96N0Y2M29LY0UKLS0tIEI1Z2VVbVVxRUpOZEN4NnBRRklC\nQXloelZCb04xbmduTlVuL005TlRGMHMKfLB6zA3sj3HgDBC7VGfGVB6I1zJpt0PV\nkCV2yADgvAA2pT9HPg9IWAEpTPysOBiuE2jPNtFvylZYwTDHoumFnQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-24T09:42:23Z", + "mac": "ENC[AES256_GCM,data:0pk1LpWPmX9td/TwJFxwWp5pTDyW78UtHXMDah+V9Tmgi8hH7ONdysgjwpDwS/c4zGnMA3qtobEL286U3//CTXt2qVsiUGLsnngzs2E6yBg8oGMYlGrch4M355Fl5ZxYsc8QLA6qWcuZ4H3QW8PnoqdJixcHoYLoxG01dzh4Bc0=,iv:zchk4enI1D80BkJLji5RLm7OTk3GeF8nYHuwqBxCXIM=,tag:bgkknPMqkSidi6bDFfv6UQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index c9470ee9..7da17e6f 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix 
@@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf
+ ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai
 tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server
diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix
new file mode 100644
index 00000000..0258697b
--- /dev/null
+++ b/hosts/vidhar/kimai/default.nix
@@ -0,0 +1,89 @@
+{ flake, config, ... }:
+
+{
+ config = {
+ boot.enableContainers = true;
+ boot.kernel.sysctl = {
+ "net.netfilter.nf_log_all_netns" = true;
+ };
+
+ containers."kimai" = {
+ autoStart = true;
+ ephemeral = true;
+ bindMounts = {
+ "/var/lib/kimai" = {
+ hostPath = "/var/lib/kimai/state";
+ isReadOnly = false;
+ };
+ "/var/lib/mysql" = {
+ hostPath = "/var/lib/kimai/mysql";
+ isReadOnly = false;
+ };
+ };
+ privateNetwork = true;
+ # forwardPorts = [
+ # { containerPort = 80;
+ # hostPort = 28983;
+ # }
+ # ];
+ hostAddress = "192.168.52.113";
+ localAddress = "192.168.52.114";
+ hostAddress6 = "2a03:4000:52:ada:6::1";
+ localAddress6 = "2a03:4000:52:ada:6::2";
+ config = let hostConfig = config; in { config, pkgs, lib, ... }: {
+ system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
+ system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+ nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+
+ services.kimai.sites."kimai.yggdrasil.li" = {
+ database.socket = "/run/mysqld/mysqld.sock";
+ };
+
+ networking = {
+ useDHCP = false;
+ useNetworkd = true;
+ useHostResolvConf = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved.fallbackDns = [
+ "9.9.9.10#dns10.quad9.net"
+ "149.112.112.10#dns10.quad9.net"
+ "2620:fe::10#dns10.quad9.net"
+ "2620:fe::fe:10#dns10.quad9.net"
+ ];
+
+ systemd.network = {
+ networks.upstream = {
+ name = "eth0";
+ matchConfig = {
+ Name = "eth0";
+ };
+ linkConfig = {
+ RequiredForOnline = true;
+ };
+ networkConfig = {
+ Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ routes = [
+ { Destination = "192.168.52.113/32"; }
+ { Destination = "2a03:4000:52:ada:6::1/128"; }
+ { Destination = "0.0.0.0/0";
+ Gateway = "192.168.52.113";
+ }
+ { Destination = "::/0";
+ Gateway = "2a03:4000:52:ada:6::1";
+ }
+ ];
+ };
+ };
+ };
+ };
+ };
+}
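Review bot: The bind mounts point at `/var/lib/kimai/state` and `/var/lib/kimai/mysql` on the host, but nothing in this hunk creates those directories, and with `ephemeral = true` they are the only place Kimai's data and the database files under `/var/lib/mysql` survive a restart; unless they are created elsewhere, a `systemd.tmpfiles.rules = [ "d /var/lib/kimai/state - - - -" "d /var/lib/kimai/mysql - - - -" ];` entry next to the container definition makes that dependency declarative. The commented-out `forwardPorts` block is dead configuration now that the container is reached through bifrost → ve-kimai in hosts/vidhar/network/ruleset.nft; either drop it or replace it with a one-line comment saying why port 80 is not forwarded on the host. `services.kimai.sites."kimai.yggdrasil.li"` sets only the database socket; whether Kimai is told that surtr's nginx is a trusted proxy for X-Forwarded-For/Proto is not visible here, and without that the application may see the proxy address as the client and build http:// URLs, so it is worth checking against the module's options. The networkd unit sets no DNS, so `services.resolved.fallbackDns` is effectively the container's only resolver; declaring the servers under `networkConfig.DNS` would state that intent explicitly.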
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft
new file mode 100644
index 00000000..ad4db6d5
--- /dev/null
+++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter arp-rx {}
+ counter arp-tx {}
+
+ counter arp-ratelimit-rx {}
+ counter arp-ratelimit-tx {}
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-rx drop
+
+ counter name arp-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-tx drop
+
+ counter name arp-tx
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter invalid-fw {}
+ counter fw-lo {}
+
+ counter reject-ratelimit-fw {}
+ counter reject-fw {}
+ counter reject-tcp-fw {}
+ counter reject-icmp-fw {}
+
+ counter drop-fw {}
+
+ counter invalid-rx {}
+
+ counter rx-lo {}
+ counter invalid-local4-rx {}
+ counter invalid-local6-rx {}
+
+ counter icmp-ratelimit-rx {}
+ counter icmp-rx {}
+
+ counter kimai-rx {}
+
+ counter established-rx {}
+
+ counter reject-ratelimit-rx {}
+ counter reject-rx {}
+ counter reject-tcp-rx {}
+ counter reject-icmp-rx {}
+
+ counter drop-rx {}
+
+ counter tx-lo {}
+
+ counter icmp-ratelimit-tx {}
+ counter icmp-tx {}
+
+ counter kimai-tx {}
+
+ counter tx {}
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
+
+
+ iifname lo counter name fw-lo accept
+
+
+ limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
+ log level debug prefix "kimai: reject forward: " counter name reject-fw
+ meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ ct state new counter name reject-icmp-fw reject
+
+
+ counter name drop-fw
+ }
+
+ chain input {
+ type 
filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
+
+
+ iifname lo counter name rx-lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+ iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+ meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+ tcp dport 80 counter name kimai-rx accept
+
+
+ ct state { established, related } counter name established-rx accept
+
+
+ limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "kimai: reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+
+ counter name drop-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter name tx-lo accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+ meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+ tcp sport 80 counter name kimai-tx
+
+
+ counter name tx
+ }
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 6b0ac9fc..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-gpon {}
+ counter fw-kimai {}
 counter fw-cups {}
@@ -95,6 +96,7 @@ table inet filter {
 counter paperless-rx {}
 counter hledger-rx {}
 counter audiobookshelf-rx {}
+ counter kimai-rx {}
 counter established-rx {}
@@ -127,6 +129,7 @@ table inet filter {
 counter paperless-tx {}
 counter hledger-tx {}
 counter audiobookshelf-tx {}
+ counter kimai-tx {}
 counter tx {}
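Review bot: In the input chain, `tcp dport 80 counter name kimai-rx accept` takes connections from any source, so the restriction to surtr's bifrost address exists only in the host ruleset (hosts/vidhar/network/ruleset.nft); a comment on that line, `# port 80 is reachable only through the host's bifrost -> ve-kimai rule (surtr only)`, records that this chain relies on the host for the source check. The output chain is `policy accept` and `tcp sport 80 counter name kimai-tx` carries no verdict, so everything the container originates is allowed out and then NATed by the host; if Kimai only needs DNS and outbound HTTPS, narrowing the output chain (or the host's `fw-kimai` forward rule) limits what a compromised web process can reach. `iifname lo counter name fw-lo accept` in the forward chain can never match, since loopback traffic is not forwarded; it looks copied from the host ruleset and is harmless but misleading.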
@@ -150,8 +153,13 @@ table inet filter {
 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+ iifname ve-kimai oifname gpon counter name fw-kimai accept
 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+ iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+
+ iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+ iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -266,7 +274,7 @@ table inet filter {
 table inet nat {
 counter gpon-nat {}
- # counter container-nat {}
+ counter kimai-nat {}
 chain postrouting {
 type nat hook postrouting priority srcnat
@@ -274,7 +282,7 @@ table inet nat {
 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
- # iifname ve-* oifname gpon counter name container-nat masquerade
+ iifname ve-kimai oifname gpon counter name kimai-nat masquerade
 }
 }
--
cgit v1.2.3
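Review bot: The return-path rule `iifname ve-kimai oifname bifrost tcp sport 80 ... counter name kimai-tx accept` matches on source port alone, so any packet the container sends toward surtr from port 80 is forwarded whether or not it belongs to a connection surtr opened; adding `ct state { established, related }` to it, as the `fw-gpon` line in the same hunk does for the gpon return path, makes the pair symmetric with the conntrack-gated direction. `iifname ve-kimai oifname gpon counter name fw-kimai accept` gives the container unrestricted egress to the internet; if that is intended it deserves a comment, otherwise a protocol or port qualifier belongs on that line. The same `fw-kimai` counter is reused for the inbound gpon → ve-kimai rule, so it cannot tell the two directions apart, whereas the lan/gpon pair above uses one counter per direction.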
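Review bot: `iifname ve-kimai oifname gpon counter name kimai-nat masquerade` sits after `meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade`, and masquerade is a terminal verdict, so IPv4 from the container never reaches the new rule; what it actually does is NAT66 the container's `2a03:4000:52:ada:6::2` to the gpon address. If NAT66 for the container's egress is the intent (its global prefix is only routed via bifrost/surtr according to the other hunks, so that is plausible), writing it as `meta nfproto ipv6 iifname ve-kimai oifname gpon counter name kimai-nat masquerade` with a comment says so and keeps the `kimai-nat` counter honest about what it counts; if it is not the intent, the rule can go.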