From 2a45b6837ea381c893d0ebde2f8cce2897331c35 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 24 May 2025 20:26:52 +0200 Subject: kimai --- hosts/vidhar/default.nix | 2 +- hosts/vidhar/kimai/default.nix | 89 +++++++++++++++++++++++ hosts/vidhar/kimai/ruleset.nft | 149 +++++++++++++++++++++++++++++++++++++++ hosts/vidhar/network/ruleset.nft | 12 +++- 4 files changed, 249 insertions(+), 3 deletions(-) create mode 100644 hosts/vidhar/kimai/default.nix create mode 100644 hosts/vidhar/kimai/ruleset.nft (limited to 'hosts/vidhar') diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index c9470ee9..7da17e6f 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf + ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger ./audiobookshelf ./kimai tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server diff --git a/hosts/vidhar/kimai/default.nix b/hosts/vidhar/kimai/default.nix new file mode 100644 index 00000000..0258697b --- /dev/null +++ b/hosts/vidhar/kimai/default.nix 
@@ -0,0 +1,89 @@
+{ flake, config, ... }:
+
+{
+ config = {
+ boot.enableContainers = true;
+ boot.kernel.sysctl = {
+ "net.netfilter.nf_log_all_netns" = true;
+ };
+
+ containers."kimai" = {
+ autoStart = true;
+ ephemeral = true;
+ bindMounts = {
+ "/var/lib/kimai" = {
+ hostPath = "/var/lib/kimai/state";
+ isReadOnly = false;
+ };
+ "/var/lib/mysql" = {
+ hostPath = "/var/lib/kimai/mysql";
+ isReadOnly = false;
+ };
+ };
+ privateNetwork = true;
+ # forwardPorts = [
+ # { containerPort = 80;
+ # hostPort = 28983;
+ # }
+ # ];
+ hostAddress = "192.168.52.113";
+ localAddress = "192.168.52.114";
+ hostAddress6 = "2a03:4000:52:ada:6::1";
+ localAddress6 = "2a03:4000:52:ada:6::2";
+ config = let hostConfig = config; in { config, pkgs, lib, ... }: {
+ system.stateVersion = lib.mkIf hostConfig.containers."kimai".ephemeral config.system.nixos.release;
+ system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+ nixpkgs.pkgs = hostConfig.nixpkgs.pkgs;
+
+ services.kimai.sites."kimai.yggdrasil.li" = {
+ database.socket = "/run/mysqld/mysqld.sock";
+ };
+
+ networking = {
+ useDHCP = false;
+ useNetworkd = true;
+ useHostResolvConf = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved.fallbackDns = [
+ "9.9.9.10#dns10.quad9.net"
+ "149.112.112.10#dns10.quad9.net"
+ "2620:fe::10#dns10.quad9.net"
+ "2620:fe::fe:10#dns10.quad9.net"
+ ];
+
+ systemd.network = {
+ networks.upstream = {
+ name = "eth0";
+ matchConfig = {
+ Name = "eth0";
+ };
+ linkConfig = {
+ RequiredForOnline = true;
+ };
+ networkConfig = {
+ Address = [ "192.168.52.114/32" "2a03:4000:52:ada:6::2/128" ];
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ routes = [
+ { Destination = "192.168.52.113/32"; }
+ { Destination = "2a03:4000:52:ada:6::1/128"; }
+ { Destination = "0.0.0.0/0";
+ Gateway = "192.168.52.113";
+ }
+ { Destination = "::/0";
+ Gateway = "2a03:4000:52:ada:6::1";
+ }
+ ];
+ };
+ };
+ };
+ };
+ };
+}
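Review bot: `"net.netfilter.nf_log_all_netns" = true` is a host-wide sysctl with no explanation; it is there so the container's nftables ruleset, which uses `log` statements on rejected and dropped packets, can actually reach the host kernel log, since by default only the initial network namespace may log (the kernel suppresses it precisely to stop containers from flooding the host log). Suggested comment above it: `# the kimai container's ruleset logs drops/rejects; by default only init_net may use nf_log, so allow it from every netns (host-wide setting)`. Separately, with `useHostResolvConf = false` and no `DNS=` on eth0, the container's name resolution appears to rely entirely on `services.resolved.fallbackDns`, i.e. plain-text DNS to Quad9 leaving through the host; if the host's own resolver (`./dns` in the host imports) is the intended upstream, add `DNS = [ "192.168.52.113" ]` to `networkConfig` and keep the Quad9 entries as the fallback. The commented-out `forwardPorts` block is dead code now that reachability comes from the host forward rules and should be removed or given a one-line note saying why it is kept.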
diff --git a/hosts/vidhar/kimai/ruleset.nft b/hosts/vidhar/kimai/ruleset.nft
new file mode 100644
index 00000000..ad4db6d5
--- /dev/null
+++ b/hosts/vidhar/kimai/ruleset.nft
@@ -0,0 +1,149 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter arp-rx {}
+ counter arp-tx {}
+
+ counter arp-ratelimit-rx {}
+ counter arp-ratelimit-tx {}
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-rx drop
+
+ counter name arp-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter name arp-ratelimit-tx drop
+
+ counter name arp-tx
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ counter invalid-fw {}
+ counter fw-lo {}
+
+ counter reject-ratelimit-fw {}
+ counter reject-fw {}
+ counter reject-tcp-fw {}
+ counter reject-icmp-fw {}
+
+ counter drop-fw {}
+
+ counter invalid-rx {}
+
+ counter rx-lo {}
+ counter invalid-local4-rx {}
+ counter invalid-local6-rx {}
+
+ counter icmp-ratelimit-rx {}
+ counter icmp-rx {}
+
+ counter kimai-rx {}
+
+ counter established-rx {}
+
+ counter reject-ratelimit-rx {}
+ counter reject-rx {}
+ counter reject-tcp-rx {}
+ counter reject-icmp-rx {}
+
+ counter drop-rx {}
+
+ counter tx-lo {}
+
+ counter icmp-ratelimit-tx {}
+ counter icmp-tx {}
+
+ counter kimai-tx {}
+
+ counter tx {}
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "kimai: drop invalid forward: " counter name invalid-fw drop
+
+
+ iifname lo counter name fw-lo accept
+
+
+ limit name lim_reject log level debug prefix "kimai: drop forward: " counter name reject-ratelimit-fw drop
+ log level debug prefix "kimai: reject forward: " counter name reject-fw
+ meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ ct state new counter name reject-icmp-fw reject
+
+
+ counter name drop-fw
+ }
+
+ chain input {
+ type 
filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "kimai: drop invalid input: " counter name invalid-rx drop
+
+
+ iifname lo counter name rx-lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+ iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+ meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+ tcp dport 80 counter name kimai-rx accept
+
+
+ ct state { established, related } counter name established-rx accept
+
+
+ limit name lim_reject log level debug prefix "kimai: drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "kimai: reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+
+ counter name drop-rx
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter name tx-lo accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+ meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+ tcp sport 80 counter name kimai-tx
+
+
+ counter name tx
+ }
+}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 6b0ac9fc..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-gpon {}
+ counter fw-kimai {}
 counter fw-cups {}
@@ -95,6 +96,7 @@ table inet filter {
 counter paperless-rx {}
 counter hledger-rx {}
 counter audiobookshelf-rx {}
+ counter kimai-rx {}
 counter established-rx {}
@@ -127,6 +129,7 @@ table inet filter {
 counter paperless-tx {}
 counter hledger-tx {}
 counter audiobookshelf-tx {}
+ counter kimai-tx {}
 counter tx {}
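Review bot: In the `input` chain, `tcp dport 80 counter name kimai-rx accept` takes HTTP from any source on any interface, so the container itself does not enforce that only surtr may reach Kimai; that restriction lives solely in the host's forward chain, and a mistake there (or a second interface added later) would expose the service. Defense in depth would be `iifname eth0 ip6 saddr <surtr> tcp dport 80 counter name kimai-rx accept` if surtr's address can be shared into the container, or at minimum `iifname eth0 tcp dport 80 …` with a comment stating that the host chain is the enforcement point. The `output` chain is `policy accept` and only counts, so a compromised Kimai process has unrestricted egress; turning it into a default-drop chain that admits established traffic, DNS to the configured resolvers and HTTP(S) (plus whatever else Kimai is configured to use, e.g. SMTP) would contain that, as sketched below. This `table inet filter` block begins on the previous physical line of the hunk.
```nftables
chain output {
    type filter hook output priority filter
    policy drop

    # … unchanged: lo and icmp rules …

    tcp sport 80 counter name kimai-tx
    ct state { established, related } counter name tx accept

    # what the container initiates itself: DNS to the resolvers, HTTP(S) for the app
    udp dport 53 counter accept
    tcp dport { 53, 80, 443 } counter accept

    # anything else is unexpected for a web app
    log level debug prefix "kimai: drop output: " counter drop
}
```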
@@ -150,8 +153,13 @@ table inet filter {
 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+ iifname ve-kimai oifname gpon counter name fw-kimai accept
 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+ iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+
+ iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+ iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -266,7 +274,7 @@ table inet filter {
 table inet nat {
 counter gpon-nat {}
- # counter container-nat {}
+ counter kimai-nat {}
 chain postrouting {
 type nat hook postrouting priority srcnat
@@ -274,7 +282,7 @@ table inet nat {
 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
- # iifname ve-* oifname gpon counter name container-nat masquerade
+ iifname ve-kimai oifname gpon counter name kimai-nat masquerade
 }
 }
-- cgit v1.2.3
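Review bot: `iifname ve-kimai oifname gpon counter name fw-kimai accept` lets the container initiate any protocol to any destination, which is far broader than a web app needs and, together with the container ruleset's accept-all output chain, turns a compromised Kimai into an unrestricted egress point; consider narrowing it to the resolvers and HTTP(S), e.g. `iifname ve-kimai oifname gpon udp dport 53 counter name fw-kimai accept` and `iifname ve-kimai oifname gpon tcp dport { 53, 80, 443 } counter name fw-kimai accept`, or add a comment saying unrestricted egress is intended. Both directions also share the single `fw-kimai` counter, unlike the neighbouring `fw-lan`/`fw-gpon` pair, so the counter cannot tell container-initiated traffic from returning packets; giving the `iifname gpon oifname ve-kimai` rule its own counter (declared alongside the others in the `-60` hunk) would keep the existing per-ingress-interface convention. The enclosing `forward` chain starts and ends outside the hunk.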
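Review bot: `iifname ve-kimai oifname gpon counter name kimai-nat masquerade` has no `meta nfproto ipv4` guard, unlike the `gpon-nat` rule directly above it, so in this `inet` table it also masquerades the container's IPv6 traffic (source `2a03:4000:52:ada:6::2`) whenever it leaves via gpon. If that is unintended, make it `meta nfproto ipv4 iifname ve-kimai oifname gpon counter name kimai-nat masquerade`; if IPv6 egress via gpon is deliberately NATed because the container's prefix is not routable on that link, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing `postrouting` chain starts before the hunk.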