2026-05-15

skydick/networking: tidy bond40g comments + reference cisco Po5
ldx committed 29 days ago

skydick/networking: drop bond0, rename references to bond40g

bond0 (ConnectX-4 LX 25G, active-backup) was carrying 10.0.1.1/16
until the 2026-05-15 cutover onto bond40g (2× 40G ConnectX-3 LACP
layer3+4, MTU 9200). With cutover done and verified — Aggregator ID
1 on both slaves, jumbo end-to-end to gateway, traffic flowing —
the old bond is dead weight.
* Remove the `bonds.bond0` and `interfaces.bond0` blocks.
* Rename the remaining active `bond0` references to `bond40g`:
- `systemd.network.networks."40-bond0"` → `."40-bond40g"`
- `"net.ipv6.conf.bond0.accept_ra"` sysctl
- `skyworks.monitoring.netInterfaces = [ "bond0" ]`
- wait-online and RA-leak comments
* The freed enp4s0f0np0/enp4s0f1np1 are now standalone DOWN,
available for future use.
The live kernel `bond0` device persisted past nixos-rebuild
because networkd doesn't destroy unmanaged ifaces; cleaned up
manually with `ip link set <slave> nomaster; ip link del bond0`.
ldx authored 29 days ago; ldx committed 29 days ago

Revert "skydick/samba: enable SMB-Direct"

The previous commit (407a0b3) was based on a wrong premise. Userspace
Samba's smbd does NOT implement an SMB-Direct (RDMA) transport even
with --with-smb-direct passed to waf — the flag is silently accepted
but the resulting binary contains no ibverbs code (verified post-
deploy: ldd /bin/smbd shows no libibverbs linkage, smbd doesn't
listen on port 5445, and testparm rejects "smb direct" as an unknown
parameter).
SMB Direct in Linux is implemented in the kernel server `ksmbd`
(net/smb/server/ in the kernel tree), which is a separate
implementation from Samba. ksmbd would lose us:
- passdb backend = ldapsam (LDAP-backed posix users)
- Spotlight + tinysparql tracker integration
- vfs_fruit (metadata stream / macOS attrs / Time Machine sparsebundle
support — central to ldx-timemachine share)
Not a worthwhile trade for the SMB workload, which is interactive
Finder browsing not bulk throughput. NFS-over-RDMA on the same
RoCE fabric (mlx4_ib via bond40g) covers the bulk-throughput case
already.
Replaced the misleading "SMB Direct" comment block with an explicit
"why this is NOT enabled" note so this doesn't get re-tried.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
ldx committed 29 days ago

skydick/samba: enable SMB-Direct (SMB3 over RDMA, port 5445)

Two coordinated changes:
1. sambaFull overlay extended to build with SMB-Direct support:
- rdma-core added to buildInputs (provides libibverbs + librdmacm)
- --with-smb-direct passed via configureFlags so waf wires up the
transport layer at compile time
2. settings.global gains `smb direct = yes` + 8 MiB read/write knobs
matching the NFS rsize/wsize on the same fabric. smbd now advertises
capability 0x40 on protocol negotiate; clients that speak SMB-Direct
(Win Server / Win Pro for Workstations / macOS Sequoia 15.4+) can
upgrade SMB3 sessions onto the bond40g RoCE fabric. Clients without
SMB-Direct silently fall back to plain TCP on 445.
The 2×40 GbE bond40g (ConnectX-3, post-cutover 2026-05-15) is the same
RDMA fabric NFS uses; SMB-Direct shares it without contention since
the queue-pair fanout is per-session. The "10 GbE NIC" comment in the
settings block is stale — replaced with the current 80 Gbps reality.
Build cost: sambaFull overlay forces a local rebuild on deploy
(~10-15 min, one CPU bound on smbd compilation).
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
ldx committed 29 days ago

skydick/nfs: enable NFS-over-RDMA listener on port 20049

Additive to the existing TCP listener — clients choose one transport
per mount, so adding RDMA doesn't disrupt anything. The hardware path
exists: mlx5_bond_0 (the LACP bond's RDMA representation) is ACTIVE
with link_layer=Ethernet (RoCEv2). Bonded RoCE on ConnectX-5 surfaces
both 25 GbE slaves as a single RDMA device, so RDMA traffic uses the
full 50 Gbps aggregate via the firmware's own LAG handling.
Clients (door-pek) use proto=rdma,port=20049 in nfs.nix to opt in.
RDMA transports have intrinsic parallelism (queue pairs), so nconnect
becomes a no-op — drop it from the mount options when switching.
Idempotent listener registration: nfsd's portlist accepts duplicate
adds with EINVAL, so the oneshot pre-checks before writing.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
ldx committed on 15 May
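The idempotent listener registration and the client-side option change described in this commit, written out as an added example (this is not the repository's oneshot or nfs.nix). The portlist path is a parameter so the same functions can be exercised against an ordinary file; the sample portlist is constructed, and the ibv_devinfo output format and the rpcrdma module name are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the repo's oneshot: register nfsd's RDMA listener only
# when it is missing, since writing an existing "proto port" pair to
# /proc/fs/nfsd/portlist fails with EINVAL. The portlist path is a parameter
# so the same functions run here against an ordinary file; ibv_devinfo's
# output format and the rpcrdma module name are assumptions of this example.

PORTLIST_DEFAULT=/proc/fs/nfsd/portlist

# has_listener PROTO PORT [PORTLIST]: 0 when "PROTO PORT" is already registered
has_listener() {
  grep -qx "$1 $2" "${3:-$PORTLIST_DEFAULT}"
}

# ensure_listener PROTO PORT [PORTLIST]: prints "present" or "added"
ensure_listener() {
  proto=$1; port=$2; portlist=${3:-$PORTLIST_DEFAULT}
  if has_listener "$proto" "$port" "$portlist"; then
    echo present
    return 0
  fi
  # nfsd parses each write as a command, so the open mode does not matter on
  # procfs; >> keeps the behaviour identical on the regular file used below.
  printf '%s %s\n' "$proto" "$port" >> "$portlist"
  echo added
}

# rdma_ready: a RoCE port is ACTIVE and the server-side RDMA transport is loaded
rdma_ready() {
  modprobe rpcrdma 2>/dev/null || true   # svcrdma lives in rpcrdma on current kernels (assumed)
  ibv_devinfo 2>/dev/null | grep -q 'PORT_ACTIVE'
}

# rdma_mount_opts OPTS -> client-side option string for the same export:
# drop nconnect (queue pairs already give per-session parallelism over RDMA)
# and add the transport/port selection.
rdma_mount_opts() {
  printf '%s' "$1" | tr ',' '\n' | grep -v '^nconnect=' | paste -sd, - \
    | sed 's/$/,proto=rdma,port=20049/'
}

# What the ExecStart of the oneshot would do on the server:
enable_nfs_rdma() {
  rdma_ready || { echo "no active RDMA device; leaving TCP-only" >&2; return 1; }
  ensure_listener rdma 20049
}

# Offline demo on a constructed portlist that mirrors a TCP-only nfsd:
demo=$(mktemp)
printf 'tcp 2049\nudp 2049\n' > "$demo"
ensure_listener rdma 20049 "$demo"        # added
ensure_listener rdma 20049 "$demo"        # present
cat "$demo"
rdma_mount_opts 'rw,nconnect=8,vers=4.2'  # rw,vers=4.2,proto=rdma,port=20049
rm -f "$demo"
```

On the real host the pre-check reads the live /proc/fs/nfsd/portlist, so a re-run of the oneshot after a restart does nothing instead of failing the unit on EINVAL; the rdma_ready guard keeps the write from being attempted when the bond's RDMA device is absent.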

2026-05-14

skydick/networking: skyw VLAN MTU 9000 → 9200 jumbo frames

Match the skyw storage VLAN end-to-end:
cisco Po4 (switch port-channel): 9216
skydick (bond0 + skyw VLAN): 9200 ← this commit
door-pek (bond0 + skyw VLAN): 9200
The 9000 → 9200 bump leaves 16 bytes of headroom under cisco Po4 9216
for VLAN tag + L2 overhead.
Pairs with nix-infra commit 0xxxxxxx (door-pek/networking: skyw VLAN
MTU 9200 jumbo frames).
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
ldx committed on 14 May

skydick/nfs: crossmnt on per-user exports so child datasets are reachable

Per-user namespace is structured as:
dick/users/ldx — parent (quota boundary, no content of its own)
dick/users/ldx/files — SMB-exposed personal files (\\SKYDICK\ldx)
dick/users/ldx/bt-state — *arr / qBT runtime state
dick/users/ldx/timemachine — macOS sparsebundle target (\\SKYDICK\ldx-timemachine)
dick/users/ldx/vm — VM disk roots
Without crossmnt on the parent export, NFS clients mounting
/srv/users/ldx only see the parent dataset and hit empty placeholders
where the children mount. 2026-05-14 incident: door-pek's baidunetdisk
container bound /mnt/users/ldx/baidu (top-level placeholder location)
because /mnt/users/ldx/files showed empty over NFSv3 — downloads landed
outside the SMB-visible namespace until the dataset boundary was
diagnosed.
Adding crossmnt makes the children visible from the existing parent
export with no separate export entries; equivalent to `nohide` on each
child. Options (all_squash, anonuid=1000) inherit naturally — exactly
the behaviour the parent already provides.
Also applied to /srv/users/ye-lw21 for parity (same dataset shape).
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
ldx committed on 14 May
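An exports fragment for the per-user layout above, together with a lint that would have flagged the 2026-05-14 placeholder problem before a client hit it. This is an added example, not the repository's nfs.nix or exports: dataset names follow the commit, while the client range, the uid/gid values, the ye-lw21 line being left unfixed and the `zfs list` output are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the repo's nfs.nix: an exports fragment for the per-user
# dataset layout, and a lint that reports child datasets an NFS client would
# see as empty placeholders (parent export without crossmnt, child not
# exported with nohide). Dataset names follow the commit; the client range,
# uid/gid values and the unfixed ye-lw21 line are constructed for the demo.

EXPORTS='/srv/users/ldx     10.0.0.0/16(rw,sync,all_squash,anonuid=1000,anongid=1000,crossmnt)
/srv/users/ye-lw21 10.0.0.0/16(rw,sync,all_squash,anonuid=1001,anongid=1001)
/srv/media         10.0.0.0/16(rw,async,all_squash,anonuid=1000,anongid=1000)
'

# Constructed `zfs list -H -o name,mountpoint` output (space-separated here).
ZFS_LIST='dick/users/ldx             /srv/users/ldx
dick/users/ldx/files       /srv/users/ldx/files
dick/users/ldx/timemachine /srv/users/ldx/timemachine
dick/users/ye-lw21         /srv/users/ye-lw21
dick/users/ye-lw21/files   /srv/users/ye-lw21/files
dick/media                 /srv/media
'

# lint_crossmnt EXPORTS_FILE MOUNTS_FILE: one line per mountpoint that is not
# traversable from its nearest exported ancestor.
lint_crossmnt() {
  awk '
    FNR == NR {                                  # first file: exports
      if (NF == 0 || $0 ~ /^ *#/) next
      opts = $2; sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
      exported[$1] = 1
      if (("," opts ",") ~ /,crossmnt,/) cross[$1] = 1
      if (("," opts ",") ~ /,nohide,/)   nohide[$1] = 1
      next
    }
    NF == 2 { mp[++n] = $2 }                     # second file: mountpoints
    END {
      for (i = 1; i <= n; i++) {
        m = mp[i]; best = ""
        for (p in exported)                      # longest exported proper ancestor
          if (index(m, p "/") == 1 && length(p) > length(best)) best = p
        if (best == "") continue                 # nothing exported above it
        if (best in cross) continue              # parent crosses into children
        if ((m in exported) && (m in nohide)) continue
        printf "%s: hidden under %s (add crossmnt to %s, or export it with nohide)\n", m, best, best
      }
    }' "$1" "$2"
}

# add_crossmnt EXPORTS_FILE PATH -> exports text with crossmnt added to PATH
add_crossmnt() {
  awk -v p="$2" '$1 == p && $2 !~ /crossmnt/ { sub(/\)$/, ",crossmnt)", $2) } { print }' "$1"
}

# Offline demo:
ef=$(mktemp); mf=$(mktemp)
printf '%s' "$EXPORTS" > "$ef"; printf '%s' "$ZFS_LIST" > "$mf"
echo "== before =="; lint_crossmnt "$ef" "$mf"
add_crossmnt "$ef" /srv/users/ye-lw21 > "$ef.fixed"
echo "== after =="; lint_crossmnt "$ef.fixed" "$mf"     # prints nothing
rm -f "$ef" "$ef.fixed" "$mf"
```

Run the lint against `exportfs -v` output and `zfs list -H -o name,mountpoint` whenever a new child dataset is created under an exported parent; the placeholder directory a client sees is indistinguishable from an empty share, which is exactly how the baidu download ended up outside the SMB-visible tree.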

2026-05-09

monitoring: smart_sas_info{vendor,product,revision,serial} for alert enrichment
ldx committed on 9 May

monitoring: SAS SMART + ZFS pool textfile collectors for skydick

Closes the parity gap with door1 telegraf. node-exporter does not parse
SAS-specific smartctl output (predictive failure: grown defects, non-medium
errors, pending defects, ECC totals) — only SATA/NVMe attribute tables.
And the zfs collector exposes ARC + pool I/O but not pool health enum.
Adds skyw-textfile-collectors.service + .timer (5min cadence) that emits:
smart_sas_power_on_hours{device}
smart_sas_grown_defects{device}
smart_sas_non_medium_errors{device}
smart_sas_pending_defects{device}
smart_sas_read_uncorrected{device}
smart_sas_write_uncorrected{device}
zpool_health{pool,state} 0=ONLINE 1=DEGRADED 2=FAULTED ...
Files chmod 0644 so node-exporter user can read them via the textfile
collector.
(Findings: sdd and sde on skydick already at 445 grown defects each.)
ldx committed on 9 May

2026-05-08

gitignore: add .DS_Store
ldx committed on 8 May

monitoring: add nodeExporter option, enable on skydick

Replaces telegraf-as-only-monitoring with a declarative node-exporter that
the skyw-gw Prometheus scrapes directly. Telegraf->InfluxDB(door1) keeps
running until door1 retirement so the legacy skydick.json grafana
dashboard does not go dark mid-migration.
ldx committed on 8 May

2026-05-06

xlab-gw: fix MSS clamp — match SYN-ACK too, use rt mtu

Old rule `tcp flags & (syn|ack) == syn` only matched plain SYN.
SYN-ACK from the server has SYN+ACK both set, so masking with
syn|ack and comparing == syn FAILED for SYN-ACK. Result: server
responses came back unclamped, full-MTU TCP segments overflowed
the WG path's effective MTU (1420 inner), large pages silently
stalled — YouTube didn't load, Microsoft pages partial-loaded,
Google was slow. Browsers retried indefinitely, looked like
"the network is broken" from a user perspective.
Replaced with `& (syn|rst) == syn` which matches both plain SYN
and SYN-ACK (only excludes RST, which carries no data). Combined
with `set rt mtu` instead of the hard 1280 — lets the kernel
pick the right MSS per egress interface (wg-to-wgnet → 1380 v4 /
1360 v6) instead of pessimistically clamping everything.
User's commented-out line had the right idea (rt mtu) but wrong
flag mask; fixed both at once.
ldx committed on 6 May
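The flag-mask point in this commit, as an added example that is not xlab-gw's actual ruleset: the old and new clamp rules side by side in an nftables fragment, plus a pure-shell evaluator of nftables' `tcp flags & MASK == syn` test so the behaviour of both masks on SYN, SYN-ACK, ACK and RST-ACK can be checked without root or nft. Only the two rule expressions come from the commit; the table and chain names are assumptions.

```sh
#!/bin/sh
# Added example, not xlab-gw's ruleset: the MSS clamp rule before and after
# the fix, plus a pure-shell evaluator for nftables' `tcp flags & MASK == syn`
# test so the two masks can be compared without root or nft. The table and
# chain names are assumptions; only the rule expressions come from the commit.

MSS_CLAMP_RULES='
table inet fw {
  chain forward {
    type filter hook forward priority mangle; policy accept;
    # before: (syn|ack) & (syn|ack) is syn|ack, never syn, so SYN-ACK was not clamped
    #   tcp flags & (syn|ack) == syn tcp option maxseg size set 1280
    # after: anything with SYN set and RST clear, MSS derived from the egress route MTU
    tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
  }
}
'

# TCP flag bits as they sit in the header (RFC 9293 bit order).
FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32

# rule_matches MASK FLAGS: exit 0 when `tcp flags & MASK == syn` holds for FLAGS
rule_matches() {
  [ $(( $2 & $1 )) -eq "$SYN" ]
}

# clamp_decision MASK FLAGS -> "clamp" or "pass"
clamp_decision() {
  if rule_matches "$1" "$2"; then echo clamp; else echo pass; fi
}

# show_table: the four segment kinds that matter, under both masks
show_table() {
  old=$(( SYN | ACK )); new=$(( SYN | RST ))
  printf '%-8s %-14s %-14s\n' flags '& (syn|ack)' '& (syn|rst)'
  for row in "SYN:$SYN" "SYN-ACK:$(( SYN | ACK ))" "ACK:$ACK" "RST-ACK:$(( RST | ACK ))"; do
    name=${row%%:*}; flags=${row#*:}
    printf '%-8s %-14s %-14s\n' "$name" "$(clamp_decision "$old" "$flags")" "$(clamp_decision "$new" "$flags")"
  done
}

# check_ruleset: parse-only validation; run it on a host that has nft installed
check_ruleset() {
  printf '%s\n' "$MSS_CLAMP_RULES" | nft -c -f -
}

show_table
```

The table shows the failure mode directly: under `& (syn|ack)` only the bare SYN row says clamp, so the server's SYN-ACK crosses the tunnel advertising a full-MTU MSS; under `& (syn|rst)` both SYN and SYN-ACK are clamped and RST-bearing segments, which carry no data, are the only ones excluded. `rt mtu` then lets the kernel size the MSS from the egress route instead of a fixed 1280.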

add README — host roles + deploy + DNS gotchas
ldx committed on 6 May

skydick: also disable RA in systemd-networkd userspace

Sysctl accept_ra=0 only stops the kernel — systemd-networkd does
its own RA processing in userspace and was caching the link-DNS
even after the kernel sysctl was applied. Override the auto-
generated 40-bond0.network with networkConfig.IPv6AcceptRA=false.
ldx committed on 6 May

skydick: suppress IPv6 RA processing on bond0

`networking.enableIPv6 = false` only disables IPv6 forwarding/use;
the kernel still accepts router advertisements unless told otherwise.
The gateway's radvd was seeding fd99:23eb:1682::1 as a per-link DNS
on bond0, which then took precedence in systemd-resolved for AAAA
queries — making blocked names error as 'Connection refused' instead
of returning a clean NXDOMAIN through 10.0.0.1's mosdns.
Set accept_ra=0 globally + on bond0 explicitly. Existing 'enableIPv6
= false' continues to handle the higher-level disable.
ldx committed on 6 May

skydick: route DNS via 10.0.0.1 only, AliDNS as fallback

Was: nameservers = [ "10.0.0.1" "223.5.5.5" ] — both treated as
primary by systemd-resolved, which then load-balanced to AliDNS
and bypassed mosdns's analytics blocking (resolvectl confirmed
hm.baidu.com / google-analytics.com leaking through).
Now: 10.0.0.1 only as primary, AliDNS demoted to fallbackDns so
it activates only when 10.0.0.1 is unreachable.
ldx committed on 6 May

xlab-gateway: route DNS via local mosdns at 10.0.0.1

Adds services.resolved with primary DNS 10.0.0.1 (network-local mosdns)
and Cloudflare as fallback. Removes the hardcoded DNS=166.111.8.28/29
on the wan99.0 link — those Tsinghua resolvers are subject to GFW
poisoning, and per-link DNS overrode the global resolved policy.
When 10.0.0.1 is reachable, this host inherits CN-aware split routing
and the network analytics-blocking policy. When 10.0.0.1 is down,
resolved transparently falls back to Cloudflare so internet keeps
working; queries return to 10.0.0.1 once it responds again.
ldx authored on 6 May; Dixiao-L committed on 6 May

2026-04-07

sas-smart: reduce exec interval from 30m to 5m

With round_interval=true and 30m, the next gather happens at the next
30m wall-clock boundary, which can mean up to 30 min of gaps after a
restart. 5m gives near-real-time visibility into defect counts —
relevant during resilver operations where new defects might appear.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

sas-smart: use /run/wrappers/bin/sudo instead of Nix store sudo

The Nix store sudo binary lacks the setuid bit (Nix store is not
setuid-capable), so calling it as the telegraf user fails silently
with "must be owned by uid 0 and have the setuid bit set". This
caused the sas-smart exec to emit nothing and smart_sas data never
refreshed after the initial manual write.
Switch to the NixOS security wrapper at /run/wrappers/bin/sudo
which is the proper setuid wrapper.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

smart plugin: nocheck=never so spun-down drives still report

Telegraf's inputs.smart uses smartctl -n standby by default, which
returns exit(2) for drives in low-power mode and Telegraf records no
data for them. On skydick this caused sdd/sde (drive1, ZKL05VPS...FMAC)
to be silently missing from smart_device metrics — the exact drive
that accumulated 63 grown defects and had sg_format failures during
initial setup.
Setting nocheck=never forces smartctl to wake spun-down drives. In a
ZFS pool with active mirrors, drives shouldn't be spinning down
anyway, so the 30-min wakeup overhead is negligible.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Fix SAS SMART parsing for pending defects and alt power-on format

- pending_defects: was matching word "Pending" instead of the number
in "Pending defect count:0 Pending Defects" — use sed to extract
digits between colon and space
- power_on_hours: some SAS drives report "number of hours powered up"
instead of "Accumulated power on time" — try both formats
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Add SAS SMART collector for skydick predictive failure metrics

Telegraf's inputs.smart parses the SATA/NVMe attribute table but ignores
the SAS-specific sections of `smartctl -a` output. The 18 SAS HDDs on
skydick were therefore reporting only health/temp, with no visibility
into power-on hours, grown defects, non-medium errors, pending defects,
or read/write uncorrected errors.
New sasSmartScript walks /dev/sd?, filters to SAS drives by transport
protocol, and emits a smart_sas line per device with the predictive
failure fields. Wired into telegraf via inputs.exec at 30m interval.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
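One collector serving both SAS SMART commits on this page, the telegraf sasSmartScript described here (including the pending-defect and alternate power-on parsing fixes) and the node-exporter textfile version from the 2026-05-09 entry. This is an added example, not the repository's script or skyw-textfile-collectors unit: the metric names follow the 2026-05-09 commit, while the smartctl excerpt and the zpool listing are constructed, the state codes past FAULTED are this example's own choice, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the repo's sasSmartScript or skyw-textfile-collectors
# unit: parse the SAS sections of `smartctl -a`, map `zpool list` health to
# the enum from the 2026-05-09 commit, and publish both as node-exporter
# textfile metrics. Metric names follow the commit; the sample output, the
# state codes past FAULTED and the function names are this example's own.

# Constructed `smartctl -a /dev/sdd` excerpt for one SAS drive (not real data).
SAMPLE_SMART='Vendor:               SEAGATE
Product:              ST4000NM0023
Transport protocol:   SAS (SPL-4)
Accumulated power on time, hours:minutes 56432:17
Elements in grown defect list: 445
Non-medium error count:        12
Pending defect count:0 Pending Defects
Error counter log:
read:          0        0         0         0          0     123456.789           0
write:         0        0         0         0          0      12345.678           2
'

# sas_metrics DEVICE < smartctl-output  -> one smart_sas_* line per field.
# Fields that were not found are skipped rather than emitted empty, because a
# single malformed line makes node-exporter reject the whole .prom file.
sas_metrics() {
  awk -v dev="$1" '
    function emit(name, val) { if (val != "") printf "%s{device=\"%s\"} %s\n", name, dev, val }
    # "Accumulated power on time, hours:minutes 56432:17"
    /^Accumulated power on time/ { split($NF, hm, ":"); poh = hm[1] }
    # alternate wording on some drives: "number of hours powered up = 56432.28"
    /number of hours powered up/ { if (poh == "") poh = int($NF) }
    /^Elements in grown defect list:/ { grown = $NF }
    /^Non-medium error count:/       { nonmed = $NF }
    # "Pending defect count:0 Pending Defects": the number is glued to the colon,
    # so take what sits between the colon and the next space, not the word.
    /^Pending defect count:/ { sub(/.*count:/, ""); sub(/ .*/, ""); pending = $0 }
    # error counter log: the last column is total uncorrected errors
    /^read:/  { runc = $NF }
    /^write:/ { wunc = $NF }
    END {
      emit("smart_sas_power_on_hours",    poh)
      emit("smart_sas_grown_defects",     grown)
      emit("smart_sas_non_medium_errors", nonmed)
      emit("smart_sas_pending_defects",   pending)
      emit("smart_sas_read_uncorrected",  runc)
      emit("smart_sas_write_uncorrected", wunc)
    }'
}

# zpool_metrics < "zpool list -H -o name,health"  -> zpool_health lines.
zpool_metrics() {
  awk '
    BEGIN { code["ONLINE"] = 0; code["DEGRADED"] = 1; code["FAULTED"] = 2
            code["OFFLINE"] = 3; code["UNAVAIL"] = 4; code["REMOVED"] = 5 }  # 3..5 assumed here
    NF == 2 { printf "zpool_health{pool=\"%s\",state=\"%s\"} %d\n", $1, $2, ($2 in code) ? code[$2] : 99 }'
}

# publish TARGET < metrics: write next to the target and rename, so the
# textfile collector never scrapes a half-written file; 0644 so the
# unprivileged node-exporter user can read it.
publish() {
  tmp=$(mktemp "$(dirname "$1")/.$(basename "$1").XXXXXX")
  cat > "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$1"
}

# collect_all [DIR]: the real run for the timer (needs root for smartctl).
collect_all() {
  dir=${1:-/var/lib/node_exporter/textfile}
  for d in /dev/sd?; do
    [ -e "$d" ] || continue
    # -n never: report spun-down drives too; skip SATA, which has no SAS sections
    smartctl -n never -a "$d" 2>/dev/null | grep -q '^Transport protocol:.*SAS' || continue
    smartctl -n never -a "$d" 2>/dev/null | sas_metrics "$(basename "$d")"
  done | publish "$dir/smart_sas.prom"
  zpool list -H -o name,health | zpool_metrics | publish "$dir/zpool.prom"
}

# Offline demo on the constructed samples:
printf '%s' "$SAMPLE_SMART" | sas_metrics sdd
printf 'dick ONLINE\nscratch DEGRADED\n' | zpool_metrics
```

The write-then-rename in publish is the detail that matters for a 5-minute timer: node-exporter reads the textfile directory at scrape time, and a file caught mid-write is rejected as a whole, which shows up as a gap in every smart_sas_* series rather than just one drive.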

2026-04-01

skydick: use async NFS export for media dataset

Media data is re-downloadable torrents — sync write guarantees are
unnecessary. Switching to async bypasses SLOG round-trips and improves
write throughput from 358 to 490 MB/s. All other exports remain sync.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

skydick: add mirrored NVMe special vdev + mirrored SLOG

Replaced single-drive SLOG + L2ARC with dual-Optane mirrored setup:
- 690G mirrored special vdev for metadata + files ≤128K
- 8G mirrored SLOG for sync writes
- special_small_blocks=128K set in ZFS properties service
- nvme1 formatted to 4Kn to match nvme0
The special vdev is the biggest performance win for an HDD pool: all
metadata lookups, directory listings, and small files now hit NVMe.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

2026-03-30

Update skydick README with InfluxDB and monitoring docs

Documents the fleet monitoring architecture: InfluxDB on ZFS,
Telegraf data sources, Grafana datasource layout, and ZFS
dataset management.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

2026-03-29

Fix influxdb-token encryption (was empty)

Re-encrypted with rage directly instead of agenix EDITOR flow
which silently produced an empty ciphertext.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Update influxdb-token for skydick InfluxDB instance

Token now authenticates against the local InfluxDB on skydick
instead of the old door1 instance.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Add InfluxDB v2 on skydick for fleet monitoring

- New modules/influxdb.nix: declarative InfluxDB v2 with ZFS-backed
storage (dick/system/influxdb, bind-mounted to /var/lib/influxdb2)
- monitoring.nix: make influxUrl configurable (default: skydick)
- skydick/default.nix: enable influxdb, point telegraf to localhost
- datapool.nix: document influxdb dataset in hierarchy + creation cmds
Consolidates all monitoring data (door1 + skydick + IoT sensors) into
a single InfluxDB on the ZFS storage server for infinite retention.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

2026-03-25

seems only mtu 1280 works for rdp