Update from updated-inputs-2025-11-13-02-03

configuration/common/programs.nix

@@ -6,6 +6,7 @@
     # My system is fucked
     gptfdisk
     parted
+    grow-last-partition-and-filesystem
 
     # Normal usage
     htop

flake.lock

@@ -269,11 +269,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1751801455,
+        "lastModified": 1759516991,
-        "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
+        "narHash": "sha256-esoe/uYPyy4a6hAwZq1QgkSe7dnZ5c0zHHXDq/JG9Yk=",
         "ref": "lix-2.93",
-        "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
+        "rev": "b1328322a49e8e153635ea8b3b602db363de727f",
-        "revCount": 4261,
+        "revCount": 4284,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/hydra.git"
       },
@@ -301,11 +301,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1751235704,
+        "lastModified": 1757791921,
-        "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
+        "narHash": "sha256-83qbJckLOLrAsKO88UI9N4QRatNEc3gUFtLMiAPwK0g=",
         "ref": "release-2.93",
-        "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
+        "rev": "b7c2f17e9133e8b85d41c58b52f9d4e3254f41da",
-        "revCount": 17874,
+        "revCount": 17892,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix"
       },
@@ -327,11 +327,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753282722,
+        "lastModified": 1756125859,
-        "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
+        "narHash": "sha256-6a+PWILmqHCs9B5eIBLg6HSZ8jYweZpgOWO8FlyVwYI=",
         "ref": "release-2.93",
-        "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
+        "rev": "d3292125035b04df00d01549a26e948631fabe1e",
-        "revCount": 149,
+        "revCount": 156,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
@@ -353,11 +353,11 @@
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
       "locked": {
-        "lastModified": 1753306924,
+        "lastModified": 1759940703,
-        "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
+        "narHash": "sha256-/dXDCzYnQbkqCsvUDIxgIH4BS/fyxIu73m2v4ftJLXQ=",
         "ref": "release-2.93",
-        "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
+        "rev": "75c03142049242a5687309e59e4f356fbc92789a",
-        "revCount": 17884,
+        "revCount": 17894,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix.git"
       },
@@ -404,6 +404,26 @@
         "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
       }
     },
+    "mu5001tool": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1757627777,
+        "narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
+        "ref": "refs/heads/main",
+        "rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
+        "revCount": 9,
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mu5001tool.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.clerie.de/clerie/mu5001tool.git"
+      }
+    },
     "nix2container": {
       "flake": false,
       "locked": {
@@ -614,11 +634,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1751582995,
+        "lastModified": 1759281824,
-        "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
+        "narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
+        "rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
         "type": "github"
       },
       "original": {
@@ -646,11 +666,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1753549186,
+        "lastModified": 1762844143,
-        "narHash": "sha256-Znl7rzuxKg/Mdm6AhimcKynM7V3YeNDIcLjBuoBcmNs=",
+        "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "17f6bd177404d6d43017595c5264756764444ab8",
+        "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4",
         "type": "github"
       },
       "original": {
@@ -743,6 +763,7 @@
         "hydra": "hydra",
         "lix": "lix_2",
         "lix-module": "lix-module",
+        "mu5001tool": "mu5001tool",
         "nixos-exporter": "nixos-exporter",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_5",

flake.nix

@@ -40,6 +40,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
+    mu5001tool = {
+      url = "git+https://git.clerie.de/clerie/mu5001tool.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nixos-exporter = {
       url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
       inputs.nixpkgs.follows = "nixpkgs";

flake/inputs-overlay.nix

@@ -5,6 +5,7 @@
 , chaosevents
 , harmonia
 , hydra
+, mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
@@ -25,6 +26,8 @@ final: prev: {
     harmonia;
   inherit (hydra.packages.${final.system})
     hydra;
+  inherit (mu5001tool.packages.${final.system})
+    mu5001tool;
   inherit (nurausstieg.packages.${final.system})
     nurausstieg;
   inherit (rainbowrss.packages.${final.system})

hosts/astatine/configuration.nix

@@ -4,6 +4,10 @@
   imports =
     [
       ./hardware-configuration.nix
+
+      ./grafana.nix
+      ./mu5001tool.nix
+      ./prometheus.nix
     ];
 
   profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
     terminal_output serial
   ";
 
+  sops.secrets.monitoring-htpasswd = {
+    owner = "nginx";
+    group = "nginx";
+  };
+  services.nginx = {
+    enable = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
   profiles.clerie.wg-clerie = {
     enable = true;
     ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];

hosts/astatine/grafana.nix

@@ -0,0 +1,45 @@
+{ config, ... }:
+{
+  services.grafana = {
+    enable  = true;
+    settings = {
+      server = {
+        domain = "grafana.astatine.net.clerie.de";
+        root_url = "https://grafana.astatine.net.clerie.de";
+        http_port = 3001;
+        http_addr = "::1";
+      };
+      "auth.anonymous" = {
+        enabled = true;
+      };
+    };
+
+    provision = {
+      enable = true;
+      datasources.settings.datasources = [
+        {
+          type = "prometheus";
+          name = "Prometheus";
+          url = "http://[::1]:9090";
+          isDefault = true;
+        }
+      ];
+    };
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "grafana.astatine.net.clerie.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+        locations."/".proxyPass = "http://[::1]:3001/";
+        locations."= /api/live/ws" = {
+          proxyPass = "http://[::1]:3001";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+}

hosts/astatine/mu5001tool.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  systemd.services."mu5001tool" = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      DynamicUser = true;
+      LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
+      Restart = "on-failure";
+      RestartSec = "15s";
+    };
+    script = ''
+      ${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
+    '';
+  };
+
+}

hosts/astatine/prometheus.nix

@@ -0,0 +1,46 @@
+{ config, ... }:
+
+{
+  services.prometheus = {
+    enable = true;
+    enableReload = true;
+    listenAddress = "[::1]";
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "[::1]:9090"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "mu5001tool";
+        scrape_interval = "20s";
+        static_configs = [
+          {
+            targets = [
+              "[::1]:9242"
+            ];
+          }
+        ];
+      }
+    ];
+  };
+
+  services.nginx = {
+    virtualHosts = {
+      "prometheus.astatine.net.clerie.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+        locations."/".proxyPass = "http://[::1]:9090/";
+      };
+    };
+  };
+
+}

hosts/astatine/secrets.json

@@ -1,19 +1,17 @@
 {
 	"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
+	"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
+	"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-04-21T16:03:13Z",
+		"lastmodified": "2025-09-08T21:03:41Z",
-		"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]",
+		"mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-04-21T16:02:41Z",
@@ -24,4 +22,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

hosts/carbon/configuration.nix

@@ -6,6 +6,7 @@
       ./hardware-configuration.nix
 
       ./dns.nix
+      ./ds-lite-ncfttb.nix
       ./mdns.nix
       ./net-dsl.nix
       ./net-gastnetz.nix
@@ -16,7 +17,7 @@
       ./net-printer.nix
       ./net-voip.nix
       ./ntp.nix
-      ./ppp.nix
+      ./ppp-ncfttb.nix
       ./scan-to-gpg.nix
       ./wg-clerie.nix
     ];
@@ -39,7 +40,7 @@
   networking.nat = {
     enableIPv6 = true;
     enable = true;
-    externalInterface = "ppp-dtagdsl";
+    externalInterface = "ppp-ncfttb";
     internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
     internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
   };

hosts/carbon/ds-lite-ncfttb.nix

@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+
+  profiles.clerie.ds-lite = {
+    enable = true;
+    wanInterfaceName = "ppp-ncfttb";
+    tunnelInterfaceName = "ds-lite-ncfttb";
+    lanInterfaces = [
+      {
+        name = "net-heimnetz";
+        sla_id = 201;
+        prefix_len = 64;
+      }
+    ];
+  };
+
+}

hosts/carbon/net-dsl.nix

@@ -3,17 +3,17 @@
 {
 
   ## DSL-Uplink
-  networking.vlans."enp1s0.7" = {
+  networking.vlans."enp1s0.10" = {
-    id = 7;
+    id = 10;
     interface = "enp1s0";
   };
-  networking.vlans."enp3s0.7" = {
+  networking.vlans."enp3s0.10" = {
-    id = 7;
+    id = 10;
     interface = "enp3s0";
   };
   networking.bridges."net-dsl".interfaces = [
-    "enp1s0.7"
+    "enp1s0.10"
-    "enp3s0.7"
+    "enp3s0.10"
   ];
 
 }

hosts/carbon/net-gastnetz.nix

@@ -61,7 +61,7 @@
 
   # net-gastnetz can only access internet
   clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i net-gastnetz -o ppp-ncfttb -j ACCEPT
     ip46tables -A forward-filter -i net-gastnetz -j DROP
     ip46tables -A forward-filter -o net-gastnetz -j DROP
   '';

hosts/carbon/ppp-ncfttb.nix

@@ -4,11 +4,11 @@
 
   services.pppd = {
     enable = true;
-    peers.dtagdsl = {
+    peers.ncfttb = {
       config = ''
         plugin pppoe.so net-dsl
-        user "''${PPPD_DTAGDSL_USERNAME}"
+        user "''${PPPD_NETCOLOGNE_USERNAME}"
-        ifname ppp-dtagdsl
+        ifname ppp-ncfttb
         persist
         maxfail 0
         holdoff 5
@@ -24,9 +24,9 @@
     };
   };
 
-  environment.etc."ppp/peers/dtagdsl".enable = false;
+  environment.etc."ppp/peers/ncfttb".enable = false;
 
-  systemd.services."pppd-dtagdsl".serviceConfig = let
+  systemd.services."pppd-ncfttb".serviceConfig = let
     preStart = ''
       mkdir -p /etc/ppp/peers
 
@@ -34,22 +34,22 @@
       umask u=rw,g=,o=
 
       # Copy config and substitute username
-      rm -f /etc/ppp/peers/dtagdsl
+      rm -f /etc/ppp/peers/ncfttb
-      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
 
       # Copy login secrets
       rm -f /etc/ppp/pap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
       rm -f /etc/ppp/chap-secrets
-      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
     '';
 
     preStartFile = pkgs.writeShellApplication {
-      name = "pppd-dtagdsl-pre-start";
+      name = "pppd-ncfttb-pre-start";
       text = preStart;
     };
   in {
-    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
     ExecStartPre = [
       # "+" marks script to be executed without priviledge restrictions
       "+${lib.getExe preStartFile}"

hosts/carbon/secrets.json

@@ -1,21 +1,17 @@
 {
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
-	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+	"pppd-ncfttb-username": "ENC[AES256_GCM,data:vyOCNm23xsD3Kj+R7zqnBjH4jEIfYpx/YUUGPcVzqMs9pnFEembahtFTl2sNzOFXLfYCYg==,iv:gMfi/6jldkXCnfdvhu5X1VKj58sVsPR8IX8iEECPfgk=,tag:PJGyIASP6RPAdVULEnn+Gg==,type:str]",
-	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
+	"pppd-ncfttb-secrets": "ENC[AES256_GCM,data:IEAguET78vdzRo47UvxbDdz+kKgYWVxYakPPu5rNAZ4BCui7DUG3qm2X9bBdHSMA,iv:Q8D58HXkCoVbqwFoYk+dizXNcEP1J63uMaDSNEzfg2g=,tag:R/xG3owmbVDOLM79sfBQjA==,type:str]",
 	"wg-clerie": "ENC[AES256_GCM,data:OEZg8ZoLAdVhKkvB0ai13ID3gPnVUU/xkOjZ4KiJ9MnRbcFu5HBd7Nw6iNwh,iv:edPuaehya2ZvYKkiBqNUbXVDAxAT6yNgETnWtd6it94=,tag:cX12szdQfAcC6cij6zk6Dw==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age16mln27e2p58gu6dpxfclttmuzfnq39mv62kthjpps33g3nl3scfq449857",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-08-13T14:06:43Z",
+		"lastmodified": "2025-10-24T19:16:49Z",
-		"mac": "ENC[AES256_GCM,data:yGKY0fi3KQWGHBeyNtQ8EJ6561dKRZ5aAjO9zq3odDtX75i2RSjORIlNjBsVvegBzeo8AkwwnzxNPt2sHl6MKDZfEsysWAi8Wolh4UvHk087AnR/uKvtG6t4uUaNIWej2DEzxUtTQ8QP1afsdqGCf0vZVruNcJ4u2xiQbN2vJPc=,iv:CDXJ5/P+h0Enq/0EL1su1Mw55FVYLy4XPSoUCkRkt+U=,tag:AvRfEDYMBunyIQIVCPbXag==,type:str]",
+		"mac": "ENC[AES256_GCM,data:ADhCQ7JxrEq+5ssevuuQVf3uyHcrcNVSzdT8bkFfDFVEE1hKv8q9QsGxhIaKtv4N2gt079fy0YA+WFKH6H8zWb5ONepH4H/mAek2SYgAtmVsxwdWY13zswsJUPi2CfbaCWOqppb9IiDb8+RCbzY2u/8Qqwk8gx/0uw2hr3IJrhM=,iv:c1/TS+W4pQgh2oPT77LX+dUL929YppRYdZCmMl2yN+M=,tag:fTk1sxdeT9xFjDMhqiHZAg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",
@@ -24,6 +20,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.10.2"
 	}
-}
+}

hosts/clerie-backup/configuration.nix

@@ -45,13 +45,18 @@
         "/mnt/clerie-backup"
       ];
       doInit = true;
-      repo =  "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/" ;
+      repo = "u275370-sub2@u275370.your-storagebox.de:./clerie-backup/";
       encryption = {
         mode = "none";
       };
       environment = { BORG_RSH = "ssh -p 23 -i /var/src/secrets/ssh/borg-backup-replication-hetzner"; };
       compression = "auto,lzma";
       startAt = "*-*-* 04:07:00";
+
+      readWritePaths = [ "/var/lib/prometheus-node-exporter/textfiles" ];
+      postPrune = ''
+        echo "backup_replication_hetzner_last_successful_run_time $(date +%s)" > /var/lib/prometheus-node-exporter/textfiles/backup-replication-hetzner.prom
+      '';
     };
   };
 

hosts/dn42-il-gw1/configuration.nix

@@ -237,7 +237,7 @@
     ];
   };
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/dn42-il-gw5/configuration.nix

@@ -111,7 +111,7 @@
     '';
   };
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
     startAt = "*-*-* 06:22:00";
   };

hosts/dn42-il-gw6/configuration.nix

@@ -105,7 +105,7 @@
     '';
   };
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
     startAt = "*-*-* 07:22:00";
   };

hosts/dn42-ildix-clerie/configuration.nix

@@ -161,7 +161,7 @@
   }
   '';
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/dn42-ildix-service/configuration.nix

@@ -70,7 +70,7 @@
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/krypton/programs.nix

@@ -11,10 +11,12 @@
     signal-desktop
     dino
     fractal
+    tuba
+    flare-signal
 
     tio
     xournalpp
-    onlyoffice-bin
+    libreoffice
 
     krita
     inkscape
@@ -23,6 +25,7 @@
     wireshark
     tcpdump
     nmap
+    pkgs."http.server"
 
     kdePackages.okular
     chromium-incognito

hosts/monitoring-3/dashboards/home.json

@@ -0,0 +1,77 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 10,
+  "links": [],
+  "panels": [
+    {
+      "fieldConfig": {
+        "defaults": {},
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 11,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "includeVars": false,
+        "keepTime": false,
+        "maxItems": 10,
+        "query": "",
+        "showFolderNames": true,
+        "showHeadings": false,
+        "showRecentlyViewed": false,
+        "showSearch": true,
+        "showStarred": false,
+        "tags": []
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "title": "Dashboards",
+      "type": "dashlist"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {
+    "hidden": true
+  },
+  "timezone": "browser",
+  "title": "Home",
+  "uid": "OqTN9p2nz",
+  "version": 1
+}

hosts/monitoring-3/dashboards/nginx-exporter.json

@@ -0,0 +1,355 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 16,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Total requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: {{method}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Status codes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              }
+            ]
+          },
+          "unit": "reqps"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 10,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "disableTextWrap": false,
+          "editorMode": "builder",
+          "expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "legendFormat": "{{server_name}}: HTTP {{status}}",
+          "range": true,
+          "refId": "A",
+          "useBackend": false
+        }
+      ],
+      "title": "Response codes",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "30s",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": [
+            "$__all"
+          ]
+        },
+        "definition": "label_values(nginxlog_http_response_count_total,server_name)",
+        "includeAll": true,
+        "label": "vHost",
+        "multi": true,
+        "name": "server_name",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(nginxlog_http_response_count_total,server_name)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-3h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Nginx Exporter",
+  "uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
+  "version": 7
+}

hosts/monitoring-3/dashboards/nixos-status.json

@@ -0,0 +1,135 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 15,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "continuous-RdYlGr"
+          },
+          "custom": {
+            "axisPlacement": "auto",
+            "fillOpacity": 70,
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineWidth": 0,
+            "spanNulls": false
+          },
+          "mappings": [
+            {
+              "options": {
+                "0": {
+                  "index": 1,
+                  "text": "mismatch"
+                },
+                "1": {
+                  "index": 0,
+                  "text": "sync"
+                }
+              },
+              "type": "value"
+            }
+          ],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "red"
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 23,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "alignValue": "left",
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "mergeValues": true,
+        "rowHeight": 0.9,
+        "showValue": "auto",
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "builder",
+          "expr": "nixos_current_system_is_sync",
+          "legendFormat": "{{instance}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Config is Sync",
+      "type": "state-timeline"
+    }
+  ],
+  "preload": false,
+  "refresh": "5m",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-7d",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "NixOS Status",
+  "uid": "W4j3nz1Vz",
+  "version": 3
+}

hosts/monitoring-3/dashboards/smokeping.json

@@ -0,0 +1,211 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 11,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green"
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 22,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "12.0.2+security-01",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
+          "interval": "",
+          "legendFormat": "IPv6 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": true,
+          "expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
+          "hide": false,
+          "interval": "",
+          "legendFormat": "IPv4 {{target}} ({{instance}})",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Smokeping",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "All",
+          "value": "$__all"
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+        "includeAll": true,
+        "label": "Target:",
+        "multi": true,
+        "name": "target",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      },
+      {
+        "current": {
+          "text": [
+            "All"
+          ],
+          "value": [
+            "$__all"
+          ]
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "PBFA97CFB590B2093"
+        },
+        "definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+        "includeAll": true,
+        "label": "Instance:",
+        "multi": true,
+        "name": "instance",
+        "options": [],
+        "query": {
+          "query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "",
+  "title": "Smokeping",
+  "uid": "IytTVZL7z",
+  "version": 9
+}

hosts/monitoring-3/prometheus.nix

@@ -52,6 +52,12 @@ let
     attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
     monitoringHosts);
 
+  nginxlogMonitoringTargets = mapAttrsToList (name: host:
+    "${host.config.networking.hostName}.mon.clerie.de:9117")
+    (filterAttrs (name: host:
+    attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
+    monitoringHosts);
+
   eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
 
 in {
@@ -104,6 +110,21 @@ in {
           relabelAddressToInstance
         ];
       }
+      {
+        job_name = "alertmanager";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "monitoring-3.mon.clerie.de:9093"
+            ];
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
       {
         job_name = "node-exporter";
         scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
           }
         ];
       }
+      {
+        job_name = "nginxlog-exporter";
+        scrape_interval = "20s";
+        static_configs = [
+          {
+            targets = nginxlogMonitoringTargets;
+          }
+        ];
+        relabel_configs = [
+          relabelAddressToInstance
+        ];
+      }
     ];
     alertmanagers = [
       {
         static_configs = [ {
           targets = [
-            "[::1]:9093"
+            "monitoring-3.mon.clerie.de:9093"
           ];
         } ];
       }

hosts/monitoring-3/rules.yml

@@ -89,9 +89,24 @@ groups:
       description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
   - alert: NadjaTopIPv4ProxyBroken
     expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
-    for: 5m
+    for: 15m
     labels:
       severity: critical
     annotations:
       summary: "blog.nadja.top unreachable via IPv4"
       description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
+  - alert: AlertmanagerNotificationRequestsFailed
+    expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
+    labels:
+      severity: critical
+    annotations:
+      summary: "Too many notification requests failed"
+      description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
+  - alert: FemSocialDown
+    expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
+    for: 5m
+    labels:
+      severity: critical
+    annotations:
+      summary: "fem.social unavailable via HTTP"
+      description: "fem.social is not fully reachable via HTTP"

hosts/nonat/configuration.nix

@@ -41,7 +41,7 @@
 
   networking.firewall.allowedUDPPorts = [];
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/porter/configuration.nix

@@ -58,7 +58,7 @@
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [];
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/storage-2/configuration.nix

@@ -52,7 +52,7 @@
     };
   };
 
-  clerie.system-auto-upgrade = {
+  services.bijwerken = {
     autoUpgrade = true;
   };
 

hosts/storage-2/em.nix

@@ -11,7 +11,28 @@ with lib;
   };
   users.groups.data-em = {};
 
+  users.users.data-em-mp3 = {
+    group = "data-em-mp3";
+    home = "/data/em-mp3";
+    useDefaultShell = true;
+    isSystemUser = true;
+  };
+  users.groups.data-em-mp3 = {};
+
   systemd.tmpfiles.rules = [
     "d /data/em - data-em data-em - -"
+    "d /data/em-mp3 - data-em-mp3 data-em-mp3 - -"
   ];
+
+  systemd.services.convert-flac-dir-to-mp3 = {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${lib.getExe pkgs.convert-flac-dir-to-mp3} /data/em /data/em-mp3";
+      StateDirectory = "convert-flac-dir-to-mp3";
+      WorkingDirectory = "/var/lib/convert-flac-dir-to-mp3";
+      User = "data-em-mp3";
+      Group = "data-em-mp3";
+    };
+    startAt = "*-*-* 03:47:00";
+  };
 }

hosts/storage-2/mixcloud.nix

@@ -53,17 +53,23 @@ in {
     "mixcloud.clerie.de" = {
       enableACME = true;
       forceSSL = true;
+      basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
       locations."/" = {
         alias = "/data/mixcloud/";
-        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
         extraConfig = ''
           autoindex on;
           autoindex_exact_size off;
         '';
       };
+      locations."/api/" = {
+        alias = "/data/mixcloud/";
+        extraConfig = ''
+          autoindex on;
+          autoindex_format json;
+        '';
+      };
       locations."/media/" = {
         alias = "/data/media/";
-        basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
         extraConfig = ''
           autoindex on;
           autoindex_exact_size off;

hosts/web-2/blocked-prefixes.txt

@@ -1,862 +1,195 @@
 ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4100::/48 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4101::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4102::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2400:b200:4103::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1000::/37 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:1800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:2800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3000::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:3800::/37 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4000::/37 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 2404:2280:4800::/37 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/32 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4000:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4001:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4002:8000::/33 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4004:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4005:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/45 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/47 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1000::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1002::/47 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1008::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1010::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1010::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1018::/45 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1020::/45 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4006:1028::/45 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4007:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4009:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b::/33 -j nixos-fw-refuse
+ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400b:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/40 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:80::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:100::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:100::/40 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:180::/41 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:f00::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:f01::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400c:ffff::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400d:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400e:8000::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:400f:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4011:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4013:8000::/33 -j nixos-fw-refuse
 ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014::/33 -j nixos-fw-refuse
-ip6tables -I nixos-fw -s 240b:4014:8000::/33 -j nixos-fw-refuse
 iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.208.141.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.0.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.16.0/20 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.36.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.37.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.38.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.38.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.39.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.40.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.42.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.44.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.44.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.46.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.64.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.96.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.128.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.209.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.210.240.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.211.226.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.212.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.0.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.128.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.144.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.160.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.164.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.176.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.184.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.192.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.224.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.251.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.252.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.213.253.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.214.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.160.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.162.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.168.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.215.169.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.148.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.216.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.217.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.218.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.219.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.64.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.96.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.116.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.147.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.220.229.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.184.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.188.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.192.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.200.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.208.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.221.216.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.24.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.64.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.222.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 8.223.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 14.1.115.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.91.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.2.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.3.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.4.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.5.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.8.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.9.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.10.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.11.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.20.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.21.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.22.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.24.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.25.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.28.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.29.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.32.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.33.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.35.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.66.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.67.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.68.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.69.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.70.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.71.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.72.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.73.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.74.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.75.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.80.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.81.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.85.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.96.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.97.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.100.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.96.101.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.98.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.99.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.100.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.101.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.104.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.105.0.0/16 -j nixos-fw-refuse
 iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 43.108.64.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.0.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.52.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.56.0.0/16 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.57.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.74.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.75.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.76.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.0.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.4.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.12.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.16.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.20.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.24.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.26.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.64.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.80.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.104.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/21 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.128.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.136.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.144.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.77.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.78.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.8.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.16.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.24.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.52.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.54.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.56.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.58.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.60.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.62.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.64.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.80.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.128.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.144.0/20 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.192.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.79.224.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.80.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.81.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.8.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.14.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.82.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.32.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.40.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.48.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.56.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.83.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.144.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.84.168.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.112.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.112.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.114.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.85.128.0/17 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.0.0/17 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.86.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.128.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.160.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.192.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.194.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.196.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.196.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.198.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.200.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.200.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.202.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.204.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.204.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.206.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.208.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.208.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.210.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.212.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.212.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.214.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.216.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.216.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.218.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.220.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.220.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.222.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.224.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.226.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.228.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.228.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.230.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.232.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.87.234.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.41.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.42.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.43.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.109.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.135.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.88.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.0.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.32.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.72.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.74.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.76.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.76.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.78.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.80.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.82.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.88.0/22 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.90.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.92.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.94.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.96.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.97.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.98.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.99.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.100.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.101.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.102.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.103.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.108.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.123.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.124.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.125.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.128.0/19 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.221.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.89.224.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.90.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.48.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.64.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.80.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.112.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.91.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.0.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.1.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.2.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.4.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.5.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.6.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.7.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.8.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.9.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.10.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.11.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.12.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.13.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.16.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.18.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.18.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.19.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.20.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.21.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.22.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.23.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.24.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.24.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.26.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.28.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.28.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.30.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.235.31.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.236.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.32.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.237.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.238.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.238.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.239.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.240.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.241.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.242.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.242.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.243.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.73.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.244.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.0.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.32.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.245.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.66.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.67.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.68.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.69.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.72.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.76.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.82.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.84.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.86.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.88.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.90.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.92.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.93.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.96.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.100.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.104.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.108.0/22 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.122.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.123.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.124.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.125.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.128.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.130.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.132.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.132.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.134.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.136.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.136.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.140.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.144.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.145.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.146.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.146.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.147.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.150.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.151.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.152.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.153.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.154.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.155.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.156.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.156.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.158.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.160.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.168.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.176.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.176.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.184.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.192.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.194.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.196.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.196.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.246.198.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.99.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.250.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.251.224.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.67.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.252.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.253.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.113.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.128.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.160.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 47.254.224.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.0.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.2.0/23 -j nixos-fw-refuse
+iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.4.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.6.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.8.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.10.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.12.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.14.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.16.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 139.95.18.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/18 -j nixos-fw-refuse
+iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.155.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 147.139.192.0/18 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.0.0/21 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.8.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.64.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.96.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.192.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 149.129.224.0/19 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.0.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.126.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.127.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.128.0/17 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.128.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.129.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.138.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 161.117.143.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.30.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.31.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.32.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.33.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.34.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.35.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.64.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.65.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.68.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.69.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.72.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.73.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.74.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.75.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.76.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.77.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.78.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.79.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.80.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.81.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.82.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.83.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.84.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.85.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.92.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.93.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.104.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.105.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.106.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.107.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.136.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 170.33.137.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
 iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.137.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 198.11.184.0/21 -j nixos-fw-refuse
 iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.64.0/24 -j nixos-fw-refuse
+iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.65.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.66.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 203.107.67.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.102.0/23 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.111.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.117.0/24 -j nixos-fw-refuse
-iptables -I nixos-fw -s 205.204.125.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
 iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse

hosts/web-2/clerie.nix

@@ -53,9 +53,6 @@
         '';
         return = "200 ''";
       };
-      extraConfig = ''
-        access_log /var/log/nginx/clerie.de.log combined_anon;
-      '';
     };
   };
 }

hosts/web-2/gitea.nix

@@ -83,9 +83,6 @@
           proxyPass = "http://[::1]:3000";
         };
       };
-      extraConfig = ''
-        access_log /var/log/nginx/git.clerie.de.log combined_anon;
-      '';
     };
   };
 }

hosts/web-2/ip.nix

@@ -53,9 +53,6 @@
           types { } default_type "text/html; charset=utf-8";
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
     "ip4.clerie.de" = {
       enableACME = true;
@@ -67,9 +64,6 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
     "ip6.clerie.de" = {
       enableACME = true;
@@ -81,9 +75,6 @@
           add_header Access-Control-Allow-Origin *;
         '';
       };
-      extraConfig = ''
-        access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
-      '';
     };
   };
 }

hosts/web-2/legal.nix

@@ -7,8 +7,8 @@
       forceSSL = true;
       root = pkgs.fetchgit {
         url = "https://git.clerie.de/clerie/legal.clerie.de.git";
-        rev = "c6900226e3107a2e370a32759d83db472ab5450d";
+        rev = "b271b9729f4545c340ce9d16ecbca136031da409";
-        sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU=";
+        sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
       };
       locations."/impressum" = {
         return = ''301 https://legal.clerie.de/#impressum'';

modules/bijwerken/default.nix

@@ -3,13 +3,13 @@
 with lib;
 
 let
-  cfg = config.clerie.system-auto-upgrade;
+  cfg = config.services.bijwerken;
 in
 
 {
   options = {
-    clerie.system-auto-upgrade = {
+    services.bijwerken = {
-      enable = mkEnableOption "clerie system upgrade";
+      enable = mkEnableOption "Automatic system upgrades";
       autoUpgrade = mkOption {
         type = types.bool;
         default = false;
@@ -20,10 +20,15 @@ in
         default = null;
         description = "Systemd time string for starting the unit";
       };
+      nodeExporterTextfilePath = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to node exporter textfile for putting metrics";
+      };
     };
   };
   config = mkIf cfg.enable {
-    systemd.services.clerie-system-auto-upgrade = {
+    systemd.services.bijwerken-system-upgrade = {
       requires = [ "network-online.target" ];
       after = [ "network-online.target" ];
 
@@ -33,10 +38,10 @@ in
 
       serviceConfig = {
         Type = "oneshot";
-        ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}";
+        ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
       };
     };
-    systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade {
+    systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
       wantedBy = [ "timers.target" ];
       timerConfig = {
         OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -46,7 +51,7 @@ in
       after = [ "network-online.target" ];
     };
     environment.systemPackages = with pkgs; [
-      clerie-system-upgrade
+      bijwerken-system-upgrade
     ];
   };
 }

modules/default.nix

@@ -5,9 +5,9 @@
     ./policyrouting
     ./akne
     ./backup
+    ./bijwerken
     ./clerie-firewall
     ./clerie-gc-dir
-    ./clerie-system-upgrade
     ./dhcpcd-prefixdelegation
     ./minecraft-server
     ./monitoring

modules/monitoring/default.nix

@@ -75,6 +75,8 @@ in
 
     systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
 
+    services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
+
     services.prometheus.exporters.bird = mkIf cfg.bird {
       enable = true;
     };
@@ -102,6 +104,33 @@ in
       listen = "[::]:9152";
     };
 
+    services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
+      enable = true;
+      settings = {
+        namespaces = [
+          {
+            name = "nginxlog";
+            format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
+            source = {
+              files = [
+                "/var/log/nginx/access.log"
+              ];
+            };
+            relabel_configs = [
+              {
+                target_label = "server_name";
+                from = "server_name";
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
+      SupplementaryGroups = "nginx";
+    };
+
     networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
       9100 # node-exporter
       9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
       9324 # bird-exporter
     ] else []) ++ (if cfg.blackbox then [
       9115 # blackbox-exporter
+    ] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
+      config.services.prometheus.exporters.nginxlog.port
     ] else []);
   };
 }

monitoring/targets.json

@@ -48,5 +48,8 @@
   },
   "cleriewi.uber.space": {
     "clerie-uberspace": { "enable": true }
+  },
+  "reichart.uber.space": {
+    "clerie-uberspace": { "enable": true }
   }
 }

pkgs/bijwerken-poke/bijwerken-poke.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
+
+pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block

pkgs/bijwerken-poke/default.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "bijwerken-poke";
+  text = builtins.readFile ./bijwerken-poke.sh;
+  runtimeInputs = with pkgs; [
+    pssh
+  ];
+}
+

pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh

@@ -40,7 +40,7 @@ if [[ -z $NO_CONFIRM ]]; then
 fi
 
 echo "Download ${STORE_PATH}"
-nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}"
+nix copy --to daemon "${STORE_PATH}"
 
 echo "Add to system profile"
 nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -50,7 +50,7 @@ echo "Set as boot target"
 
 if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
 	echo "Write monitoring check data"
-	echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
+	echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
 fi
 
 BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"

pkgs/bijwerken-system-upgrade/default.nix

@@ -1,8 +1,8 @@
 { pkgs, ... }:
 
 pkgs.writeShellApplication {
-  name = "clerie-system-upgrade";
+  name = "bijwerken-system-upgrade";
-  text = builtins.readFile ./clerie-system-upgrade.sh;
+  text = builtins.readFile ./bijwerken-system-upgrade.sh;
   runtimeInputs = with pkgs; [
     curl
     jq

pkgs/build-support/writePythonScript.nix

@@ -1,6 +1,7 @@
 {
   python3,
-  writeTextFile,
+  makeWrapper,
+  runCommand,
   lib,
 }:
 
@@ -9,6 +10,7 @@
   text,
   runtimePackages ? ps: [],
   pythonPackage ? python3,
+  runtimeInputs ? [],
   meta ? {},
   passthru ? {},
   derivationArgs ? {},
@@ -18,13 +20,17 @@ let
 
   pythonWithPackages = pythonPackage.withPackages runtimePackages;
 
-in writeTextFile {
+in runCommand name ({
-  inherit
+  passAsFile = [ "text" ] ++ (derivationArgs.passAsFile or []);
-    name
+
-    meta
+  meta = {
-    passthru
+    mainProgram = name;
-    derivationArgs
+  } // meta // (derivationArgs.meta or {});
-    ;
+
+  passthru = passthru // (derivationArgs.passthru or {});
+
+  nativeBuildInputs = [ makeWrapper ] ++ (derivationArgs.nativeBuildInputs or []);
+
   executable = true;
   destination = "/bin/${name}";
   allowSubstitutes = true;
@@ -34,4 +40,17 @@ in writeTextFile {
 
     ${text}
   '';
-}
+} // (
+  builtins.removeAttrs derivationArgs [ "passAsFile" "meta" "passthru" "nativeBuildInputs" ]
+))
+''
+mkdir -p $out/bin
+
+target=$out/bin/${lib.escapeShellArg name}
+
+cp "$textPath" "$target"
+
+chmod +x "$target"
+
+wrapProgram "$target" --prefix PATH : "${lib.makeBinPath runtimeInputs}"
+''

pkgs/convert-flac-dir-to-mp3/convert-flac-dir-to-mp3.py

@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+
+import argparse
+from pathlib import Path
+from progress.bar import Bar
+import shutil
+import subprocess
+
+def files_and_dirs_for_directory(path):
+    filepaths = []
+    dirpaths = []
+
+    for dirpath, dirnames, filenames in path.walk():
+        dirpaths.append(dirpath)
+
+        for filename in filenames:
+            filepath = dirpath / filename
+            filepaths.append(filepath)
+
+    return set(filepaths), set(dirpaths)
+
+def make_paths_relative(paths, relative_to_path):
+    return set(path.relative_to(relative_to_path) for path in paths)
+
+def replace_suffix(path, suffix):
+    return path.with_name(path.stem + suffix)
+
+def convert_filepath(path):
+    if path.suffix == ".flac":
+        return replace_suffix(path, ".mp3")
+
+    return path
+
+def ffmpeg_flac_to_mp3(in_path, out_path):
+    print("")
+    subprocess.run(["ffmpeg", "-hide_banner", "-loglevel", "warning", "-stats", "-i", in_path, "-ab", "320k", "-map_metadata", "0", "-id3v2_version", "3", out_path], check=True)
+    print("")
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(prog="convert-flac-dir-to-mp3")
+    parser.add_argument("from_dir", type=Path)
+    parser.add_argument("to_dir", type=Path)
+
+    args = parser.parse_args()
+
+    from_path = args.from_dir.absolute()
+    to_path = args.to_dir.absolute()
+
+    if not from_path.exists():
+        raise Exception("from_path does not exist")
+
+    if not to_path.exists():
+        raise Exception("to_path does not exist")
+
+    if not from_path.is_dir():
+        raise Exception("from_path is not a directory")
+
+    if not to_path.is_dir():
+        raise Exception("to_path is not a directory")
+
+    print(f"Converting {from_path} to {to_path}…")
+
+    from_filepaths, from_dirpaths = files_and_dirs_for_directory(from_path)
+    to_filepaths, to_dirpaths = files_and_dirs_for_directory(to_path)
+
+
+    relative_from_filepaths = make_paths_relative(from_filepaths, from_path)
+    relative_to_filepaths = make_paths_relative(to_filepaths, to_path)
+
+    converted_from_filepaths = set(convert_filepath(filepath) for filepath in relative_from_filepaths)
+
+    filepaths_missing_in_to_path = converted_from_filepaths - relative_to_filepaths
+
+
+    relative_from_dirpaths = make_paths_relative(from_dirpaths, from_path)
+    relative_to_dirpaths = make_paths_relative(to_dirpaths, to_path)
+
+    dirpaths_missing_in_to_path = relative_from_dirpaths - relative_to_dirpaths
+
+    print(f"Missing {len(filepaths_missing_in_to_path)} files and {len(dirpaths_missing_in_to_path)} directories")
+
+    if len(dirpaths_missing_in_to_path) > 0:
+        for dirpath in Bar("Creating directories").iter(dirpaths_missing_in_to_path):
+            (to_path / dirpath).mkdir(parents=True, exist_ok=True)
+
+    if len(filepaths_missing_in_to_path) > 0:
+        for filepath in Bar("Creating files").iter(filepaths_missing_in_to_path):
+            if filepath in relative_from_filepaths:
+                # Just copy the file
+                shutil.copy(from_path / filepath, to_path / filepath)
+            elif filepath.suffix == ".mp3" and replace_suffix(filepath, ".flac") in relative_from_filepaths:
+                # Convert from flac
+                print("")
+                print(f"Converting {to_path / filepath}…")
+
+                # Tempfile for ffmpeg
+                tmpfilepath = filepath.with_name(".~" + filepath.name)
+                (to_path / tmpfilepath).unlink(missing_ok=True)
+
+                print(f"Using tempfile for ffmpeg {to_path / tmpfilepath}…")
+
+                # Convert
+                ffmpeg_flac_to_mp3(from_path / replace_suffix(filepath, ".flac"), to_path / tmpfilepath)
+
+                # Rename tempfile
+                (to_path / tmpfilepath).rename(to_path / filepath)
+            else:
+                raise Exception("Unable to figure out how to get {to_path / filepath} from {from_path}")

pkgs/convert-flac-dir-to-mp3/default.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+pkgs.clerie-build-support.writePythonScript {
+  name = "convert-flac-dir-to-mp3";
+  runtimePackages = ps: with ps; [ progress ];
+  runtimeInputs = [ pkgs.ffmpeg-headless ];
+  text = builtins.readFile ./convert-flac-dir-to-mp3.py;
+}

pkgs/curl-timings/curl-timings.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+curl -w "Request to %{url}
+
+time_namelookup: %{time_namelookup}s
+time_connect: %{time_connect}s
+time_appconnect: %{time_appconnect}s
+time_pretransfer: %{time_pretransfer}s
+time_starttransfer: %{time_starttransfer}s
+time_posttransfer: %{time_posttransfer}s
+time_queue: %{time_queue}s
+time_redirect: %{time_redirect}s
+time_starttransfer: %{time_starttransfer}s
+
+time_total: %{time_total}s
+" -o /dev/null -s "$@"

pkgs/curl-timings/default.nix

@@ -0,0 +1,12 @@
+{
+  curl,
+  writeShellApplication,
+}:
+
+writeShellApplication {
+  name = "curl-timings";
+  text = builtins.readFile ./curl-timings.sh;
+  runtimeInputs = [
+    curl
+  ];
+}

pkgs/ds-lite-dhcpcd-hook/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "ds-lite-dhcpcd-hook";
+  text = builtins.readFile ./ds-lite-dhcpcd-hook.sh;
+  runtimeInputs = with pkgs; [
+    iproute2
+    jq
+    dig
+    gawk
+  ];
+}

pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Setting up required environment variables
+# shellcheck disable=SC2154
+WAN_INTERFACE_NAME="${DS_LITE_WAN_INTERFACE_NAME}"
+# shellcheck disable=SC2154
+TUNNEL_INTERFACE_NAME="${DS_LITE_TUNNEL_INTERFACE_NAME}"
+
+log_dhcp () {
+	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME}: $1"
+}
+
+log_tunnel () {
+	echo "<ds-lite-dhcpcd-hook> ${WAN_INTERFACE_NAME} (${TUNNEL_INTERFACE_NAME}): $1"
+}
+
+# Check if the event calling this hook is for the wan interface
+# exit immediately if not
+# shellcheck disable=SC2154
+if [[ "$interface" != "$WAN_INTERFACE_NAME" ]]; then
+	exit
+fi
+
+# Make sure the event calling this hook carries the environment variable
+# in question. The environment variable is not provided with every call
+# and we just want to exit if it is not provided
+# shellcheck disable=SC2154
+if [[ ! -v new_dhcp6_aftr_name ]]; then
+	# Variable is not set
+	exit
+fi
+# shellcheck disable=SC2154
+if [[ -z "${new_dhcp6_aftr_name}" ]]; then
+	# Variable is empty, can't do anything
+	exit
+fi
+
+# shellcheck disable=SC2154
+AFTR_NAME="$new_dhcp6_aftr_name"
+
+log_dhcp "Received new AFTR_NAME ${AFTR_NAME}"
+
+# Make sure we have a nameserver to resolve aftr name against
+# shellcheck disable=SC2154
+if [[ ! -v new_dhcp6_name_servers ]]; then
+	# Variable is not set
+	exit
+fi
+# shellcheck disable=SC2154
+if [[ -z "${new_dhcp6_name_servers}" ]]; then
+	# Variable is empty, can't do anything
+	exit
+fi
+
+# shellcheck disable=SC2154
+NAME_SERVERS="$new_dhcp6_name_servers"
+
+log_dhcp "Received new NAME_SERVERS ${NAME_SERVERS}"
+
+# Select first nameserver
+NAME_SERVER="$(echo "${NAME_SERVERS}" | awk '{print $1;}')"
+
+log_dhcp "Selected NAME_SERVER ${NAME_SERVER}"
+
+# Figure out a usable IPv6 address on the wan interface, to origin our DNS requests and tunnel
+WAN_INTERFACE_ADDRESS="$(ip --json address show "${WAN_INTERFACE_NAME}" | jq -r '.[0].addr_info[] | select(.family == "inet6" and .scope == "global" and .mngtmpaddr == true) | .local')"
+
+log_dhcp "Using WAN_INTERFACE_ADDRESS ${WAN_INTERFACE_ADDRESS}"
+
+AFTR_ADDRESS="$(dig "@${NAME_SERVER}" -b "${WAN_INTERFACE_ADDRESS}" AAAA "${AFTR_NAME}" +short | head -1)"
+
+log_dhcp "Resolved AFTR_NAME ${AFTR_NAME} to ${AFTR_ADDRESS}"
+
+# Check if there is already a tunnel interface
+if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")"; then
+	TUNNEL_INTERFACE_OPERSTATE="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].operstate')"
+	TUNNEL_INTERFACE_ORIGIN_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].address')"
+	TUNNEL_INTERFACE_REMOTE_ADDRESS="$(echo "${TUNNEL_INTERFACE_CONFIG}" | jq -r '.[0].broadcast')"
+
+	# Reconfigure tunnel interface, if not already in state we want
+	if [[ "${TUNNEL_INTERFACE_ORIGIN_ADDRESS}" != "${WAN_INTERFACE_ADDRESS}" || "${TUNNEL_INTERFACE_REMOTE_ADDRESS}" != "${AFTR_ADDRESS}" || "${TUNNEL_INTERFACE_OPERSTATE}" != "UNKNOWN" ]]; then
+		log_tunnel "Bad configuration, fixing tunnel parameter"
+
+		ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+		ip link set "$TUNNEL_INTERFACE_NAME" up
+	else
+		log_tunnel "Tunnel already configured"
+	fi
+else
+	log_tunnel "Setting up DS-Lite tunnel"
+
+	ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+	ip link set "$TUNNEL_INTERFACE_NAME" up
+fi
+
+log_tunnel "Setting default route"
+
+ip route replace default dev "${TUNNEL_INTERFACE_NAME}"
+
+log_tunnel "Tunnel setup finished"

pkgs/generate-blocked-prefixes/generate-blocked-prefixes.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 
+import ipaddress
 import requests
 
 blocked_asns = [
@@ -8,16 +9,31 @@ blocked_asns = [
 
 r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
     "User-Agent": "https://git.clerie.de/clerie/nixfiles",
-    })
+})
+
+selected_ipv6_prefixes = []
+selected_ipv4_prefixes = []
+
+for line in r.iter_lines(decode_unicode=True):
+    prefix_string, asn_string = line.split()
+
+    if asn_string in blocked_asns:
+        prefix = ipaddress.ip_network(prefix_string)
+
+        if prefix.version == 6:
+            selected_ipv6_prefixes.append(prefix)
+        else:
+            selected_ipv4_prefixes.append(prefix)
+
+selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
+selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
+
+selected_ipv6_prefixes.sort()
+selected_ipv4_prefixes.sort()
 
 with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
-    for line in r.iter_lines(decode_unicode=True):
+    for ipv6_prefix in selected_ipv6_prefixes:
-        ip, asn = line.split()
+            blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
-
-        if asn in blocked_asns:
-            if ":" in ip:
-                blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
-            else:
-                blocked_ips_file.write(f"iptables -I nixos-fw -s {ip} -j nixos-fw-refuse\n")
-
 
+    for ipv4_prefix in selected_ipv4_prefixes:
+            blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")

pkgs/grow-last-partition-and-filesystem/default.nix

@@ -0,0 +1,19 @@
+{
+  e2fsprogs,
+  gptfdisk,
+  jq,
+  parted,
+  writeShellApplication,
+}:
+
+writeShellApplication {
+  name = "grow-last-partition-and-filesystem";
+  text = builtins.readFile ./grow-last-partition-and-filesystem.sh;
+  runtimeInputs = [
+    e2fsprogs
+    gptfdisk
+    jq
+    parted
+  ];
+}
+

pkgs/grow-last-partition-and-filesystem/grow-last-partition-and-filesystem.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -ne 1 ]]; then
+	echo "Pass device to grow as first argument:"
+	echo "grow-last-partition-and-filesystem DEVICE"
+
+	exit 1
+fi
+
+DEVICE="$1"
+
+echo "Move GTP backup header to end of disk"
+sgdisk "${DEVICE}" --move-second-header
+
+PARTITIONDATA="$(parted --script --json --fix "${DEVICE}" print)"
+PARTNUMBER="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .number')"
+PARTNAME="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .name')"
+
+echo "Growing partition ${DEVICE}${PARTNUMBER} (${PARTNAME})"
+echo
+
+parted "${DEVICE}" resizepart "${PARTNUMBER}" 100%
+
+echo
+echo "Resizing filesystem"
+echo
+
+resize2fs "${DEVICE}${PARTNUMBER}"
+
+echo "Done."

pkgs/http.server/default.nix

@@ -0,0 +1,14 @@
+{
+  python3,
+  writeShellApplication,
+}:
+
+writeShellApplication {
+  name = "http.server";
+  text = ''
+    python3 -m http.server "$@"
+  '';
+  runtimeInputs = [
+    python3
+  ];
+}

pkgs/overlay.nix

@@ -1,16 +1,20 @@
 final: prev: {
+  bijwerken-poke = final.callPackage ./bijwerken-poke {};
+  bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
   clerie-backup = final.callPackage ./clerie-backup {};
   clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
   clerie-keys = final.callPackage ./clerie-keys {};
   clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
   clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
-  clerie-system-upgrade = final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
   clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
   clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
   clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
   clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
   clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
   chromium-incognito = final.callPackage ./chromium-incognito {};
+  convert-flac-dir-to-mp3 = final.callPackage ./convert-flac-dir-to-mp3 {};
+  curl-timings = final.callPackage ./curl-timings {};
+  ds-lite-dhcpcd-hook = final.callPackage ./ds-lite-dhcpcd-hook {};
   factorio-launcher = final.callPackage ./factorio-launcher {};
   feeds-dir = final.callPackage ./feeds-dir {};
   generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
@@ -18,6 +22,8 @@ final: prev: {
   git-diff-word = final.callPackage ./git-diff-word {};
   git-pp = final.callPackage ./git-pp {};
   git-show-link = final.callPackage ./git-show-link {};
+  grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
+  "http.server" = final.callPackage ./http.server {};
   nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
   nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
   nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};

pkgs/overrides/ds-lite-dhcpcd.nix

@@ -0,0 +1,20 @@
+final: prev:
+prev.dhcpcd.overrideAttrs (finalAttrs: prevAttrs: {
+
+  configureFlags = [
+    "--sysconfdir=/etc/ds-lite-dhcpcd"
+    "--localstatedir=/var"
+    "--disable-fork"
+    "--disable-privsep"
+    "--dbdir=/var/lib/ds-lite-dhcpcd"
+    "--rundir=/var/run/ds-lite-dhcpcd"
+    "--with-default-hostname=ds-lite"
+    "--disable-ipv4"
+    "--disable-arp"
+    "--disable-arpping"
+    "--disable-ipv4ll"
+    "--disable-ntp"
+  ];
+
+})
+

pkgs/overrides/overlay.nix

@@ -1,4 +1,5 @@
 final: prev: {
   dino = import ./dino.nix final prev;
+  ds-lite-dhcpcd = import ./ds-lite-dhcpcd.nix final prev;
   xmppc = import ./xmppc.nix final prev;
 }

profiles/common-nix/default.nix

@@ -19,10 +19,10 @@ in {
 
     clerie.nixfiles.enable = true;
 
-    clerie.system-auto-upgrade.enable = true;
+    services.bijwerken.enable = true;
 
     nix.settings = {
-      trusted-users = [ "@wheel" "@guests" ];
+      trusted-users = [ "@wheel" ];
       auto-optimise-store = true;
       # Keep buildtime dependencies
       keep-outputs = true;

profiles/common-webserver/default.nix

@@ -40,7 +40,12 @@ in {
         log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                   '"$request" $status $body_bytes_sent '
                                   '"$http_referer" "$http_user_agent"';
-        access_log /var/log/nginx/access.log vcombined_anon;
+        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
+                                  '"$request" $status $body_bytes_sent '
+                                  '"$http_referer" "$http_user_agent" '
+                                  '"$server_name" '
+                                  'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
       '';
 
       virtualHosts = mkIf cfg.httpDefaultVirtualHost {

profiles/default.nix

@@ -11,6 +11,7 @@
     ./cybercluster-vm
     ./desktop
     ./dn42-router
+    ./ds-lite
     ./fem-net
     ./firefox
     ./gpg-ssh

profiles/ds-lite/default.nix

@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.ds-lite;
+
+
+  dsLiteDhcpcdConfig = ''
+    allowinterfaces ${cfg.wanInterfaceName} ${concatMapStringsSep " " (interface: interface.name) cfg.lanInterfaces}
+
+    option dhcp6_name_servers
+    option dhcp6_aftr_name
+
+    waitip 6
+
+    ipv6only
+    ipv6ra_noautoconf
+    noipv6rs
+
+    interface ${cfg.wanInterfaceName}
+      ipv6ra_autoconf
+      ipv6rs
+      ia_pd 1/::/48 ${concatMapStringsSep " " (interface: "${interface.name}/${toString interface.sla_id}/${toString interface.prefix_len}") cfg.lanInterfaces}
+
+    ${concatMapStrings (interface: ''
+    interface ${interface.name}
+      nolink
+    '') cfg.lanInterfaces}
+  '';
+
+  dsLiteDhcpcdConfigFile = pkgs.writeTextFile {
+    name = "dhcpcd.conf";
+    text = dsLiteDhcpcdConfig;
+  };
+
+  dsLiteDhcpcdHookWrapperFile = pkgs.writeShellScript "ds-lite-dhcpcd-hook-wrapper" ''
+    DS_LITE_WAN_INTERFACE_NAME=${lib.escapeShellArg cfg.wanInterfaceName};
+    export DS_LITE_WAN_INTERFACE_NAME
+    DS_LITE_TUNNEL_INTERFACE_NAME=${lib.escapeShellArg cfg.tunnelInterfaceName};
+    export DS_LITE_TUNNEL_INTERFACE_NAME
+
+    exec ${lib.getExe pkgs.ds-lite-dhcpcd-hook}
+  '';
+
+in {
+
+  options.profiles.clerie.ds-lite = {
+    enable = mkEnableOption "DS-Lite setup";
+    wanInterfaceName = mkOption {
+      type = types.str;
+      description = "Interface with IPv6 connectivity to provider";
+    };
+    tunnelInterfaceName = mkOption {
+      type = types.str;
+      description = "Interface with IPv4 connectivity to provider";
+    };
+    lanInterfaces = mkOption {
+      type = with types; listOf (submodule ({ ... }: {
+        options = {
+          name = mkOption {
+            type = types.str;
+          };
+          sla_id = mkOption {
+            type = types.ints.unsigned;
+          };
+          prefix_len = mkOption {
+            type = types.ints.between 48 128;
+          };
+        };
+      }));
+      default = [];
+      description = "Interfaces to provisn with an IPv6 prefix";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.ds-lite-dhcpcd = {
+      description = "DS-Lite dhcpcd";
+
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        User = "ds-lite";
+        Group = "ds-lite";
+        StateDirectory = "ds-lite-dhcpcd";
+        RuntimeDirectory = "ds-lite-dhcpcd";
+
+        ExecStart = "${pkgs.ds-lite-dhcpcd}/bin/dhcpcd --ipv6only --nobackground --config ${dsLiteDhcpcdConfigFile} --script ${dsLiteDhcpcdHookWrapperFile}";
+
+        Restart = "always";
+        AmbientCapabilities = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_RAW"
+          "CAP_NET_BIND_SERVICE"
+        ];
+        ReadWritePaths = [
+          "/proc/sys/net/ipv6"
+        ];
+        DeviceAllow = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = false;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = "tmpfs"; # allow exceptions to be added to ReadOnlyPaths, etc.
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_PACKET"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallFilter = [
+          "@system-service"
+          "~@keyring"
+          "~@memlock"
+          "~@mount"
+        ];
+        SystemCallArchitectures = "native";
+        UMask = "0027";
+      };
+    };
+
+    users.users.ds-lite = {
+      isSystemUser = true;
+      group = "ds-lite";
+    };
+    users.groups.ds-lite = { };
+  };
+
+}