| 2026-05-06 |
skydick: also disable RA in systemd-networkd userspace
Sysctl accept_ra=0 only stops the kernel — systemd-networkd does
its own RA processing in userspace and was caching the link-DNS
even after the kernel sysctl was applied. Override the auto-generated
40-bond0.network with networkConfig.IPv6AcceptRA=false.
ldx committed 1 day ago
|
skydick: suppress IPv6 RA processing on bond0
`networking.enableIPv6 = false` only disables IPv6 forwarding/use;
the kernel still accepts router advertisements unless told otherwise.
The gateway's radvd was seeding fd99:23eb:1682::1 as a per-link DNS
on bond0, which then took precedence in systemd-resolved for AAAA
queries — making blocked names error as 'Connection refused' instead
of returning a clean NXDOMAIN through 10.0.0.1's mosdns.
Set accept_ra=0 globally + on bond0 explicitly. Existing 'enableIPv6
= false' continues to handle the higher-level disable.
ldx committed 1 day ago
|
skydick: route DNS via 10.0.0.1 only, AliDNS as fallback
Was: nameservers = [ "10.0.0.1" "223.5.5.5" ] — both treated as
primary by systemd-resolved, which then load-balanced to AliDNS
and bypassed mosdns's analytics blocking (resolvectl confirmed
hm.baidu.com / google-analytics.com leaking through).
Now: 10.0.0.1 only as primary, AliDNS demoted to fallbackDns so
it activates only when 10.0.0.1 is unreachable.
ldx committed 1 day ago
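The three skydick commits above (AliDNS demoted to fallback, kernel accept_ra=0, networkd IPv6AcceptRA=false) are one fix spread over three changes. As an added illustration that is not code from the repository, the NixOS module below combines the settings those messages describe. The interface bond0, the generated unit name 40-bond0.network, the resolver 10.0.0.1 and the AliDNS address 223.5.5.5 are taken from the commit messages; the file layout and the assumption that bond0 is managed by systemd-networkd are mine.

```nix
# Added example, not the repository's own module. Assumes bond0 is managed by
# systemd-networkd (so NixOS generates 40-bond0.network) and that mosdns on
# the gateway at 10.0.0.1 is the only resolver that should see queries.
{ config, lib, ... }:

{
  # Higher-level IPv6 disable, already present per the commit messages.
  # On its own this does NOT change accept_ra.
  networking.enableIPv6 = false;

  # Kernel side: stop accepting router advertisements globally and on bond0
  # explicitly, so radvd on the gateway cannot seed a per-link resolver.
  boot.kernel.sysctl = {
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.bond0.accept_ra" = 0;
  };

  # Userspace side: systemd-networkd parses RAs itself and would still cache
  # the advertised DNS server, so the generated unit is overridden too.
  # NixOS renders the boolean as IPv6AcceptRA=no in the [Network] section.
  systemd.network.networks."40-bond0".networkConfig.IPv6AcceptRA = false;

  # Only the primary resolver goes in `nameservers`; systemd-resolved treats
  # every entry there as a primary (the observation in the commit message).
  networking.nameservers = [ "10.0.0.1" ];

  services.resolved = {
    enable = true;
    # Consulted only when no configured DNS server is reachable.
    fallbackDns = [ "223.5.5.5" ];
  };
}
```

After `nixos-rebuild switch`, the checks are `sysctl net.ipv6.conf.bond0.accept_ra` (expect 0), `resolvectl status bond0` (no per-link DNS server should be listed, only the global 10.0.0.1 with 223.5.5.5 shown as fallback), and a `resolvectl query` of a name mosdns blocks, which should now come back as NXDOMAIN from 10.0.0.1 rather than an IPv6 connection error.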
|
| 2026-04-01 |
skydick: use async NFS export for media dataset
Media data is re-downloadable torrents — sync write guarantees are
unnecessary. Switching to async bypasses SLOG round-trips and improves
write throughput from 358 to 490 MB/s. All other exports remain sync.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
skydick: add mirrored NVMe special vdev + mirrored SLOG
Replaced single-drive SLOG + L2ARC with dual-Optane mirrored setup:
- 690G mirrored special vdev for metadata + files ≤128K
- 8G mirrored SLOG for sync writes
- special_small_blocks=128K set in ZFS properties service
- nvme1 formatted to 4Kn to match nvme0
The special vdev is the biggest performance win for an HDD pool: all
metadata lookups, directory listings, and small files now hit NVMe.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-30 |
Update skydick README with InfluxDB and monitoring docs
Documents the fleet monitoring architecture: InfluxDB on ZFS,
Telegraf data sources, Grafana datasource layout, and ZFS
dataset management.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-29 |
Add InfluxDB v2 on skydick for fleet monitoring
- New modules/influxdb.nix: declarative InfluxDB v2 with ZFS-backed
storage (dick/system/influxdb, bind-mounted to /var/lib/influxdb2)
- monitoring.nix: make influxUrl configurable (default: skydick)
- skydick/default.nix: enable influxdb, point telegraf to localhost
- datapool.nix: document influxdb dataset in hierarchy + creation cmds
Consolidates all monitoring data (door1 + skydick + IoT sensors) into
a single InfluxDB on the ZFS storage server for infinite retention.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-24 |
harden and fix: nftables input chain, sudo, agenix, ZFS, NAT priority
- Add inet input_filter table to xlab-gateway (policy drop on WAN)
- Restrict NOPASSWD sudo to ldx only; ylw uses password sudo via wheel
- Restructure secrets.nix with admins list, prepare for ylw ed25519 key
- Add ye-lw21 to trusted-users in common.nix
- Remove contradictory relatime=on when atime=off on rpool
- Fix NAT postrouting priority: filter → srcnat
- Remove duplicate nixpkgs.hostPlatform from xlab-gateway hardware-configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
skydick: document drive10 added as second hot spare
sg_format completed on drive10 (c9bcfa0f). Both LUNs added as spares,
bringing the pool to 8 mirrors + 2 hot spares (4 spare LUNs total).
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-23 |
skydick: document pool expansion to 8 mirrors (~50.9T)
Added 4 new SAS Mach2 drives (drive6-9) as 4 mirror vdevs. Updated
drive inventory, layout diagram, expansion commands, and runbook
with sg_format/wipefs steps. drive10 pending sg_format completion.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-16 |
skydick: fix localsearch, I/O schedulers, wait-online, NIC tuning
- Replace broken localsearch oneshot with proper miner daemon running as
ldx on ldx's session bus (lingering enabled) so Samba Spotlight queries
from macOS clients actually work
- Fix systemd-networkd-wait-online 2-min boot timeout (anyInterface=true)
- Add storage-tuning service to enforce mq-deadline on SAS HDDs and
increase Mellanox ring buffers (1024→4096) at boot
- Simplify udev I/O scheduler rules to match by rotational attribute
instead of hardcoded kernel device names
- Update TM dataset recordsize comments to reflect 1M (applied on pool)
- Fix deprecated linuxPackages_6_6.perf → perf
ZFS properties applied separately on skydick:
com.sun:auto-snapshot=true on dick (was unset — no snapshots taken)
com.sun:auto-snapshot=false on dick/users/ldx/timemachine
recordsize=1M on dick/users/ldx/timemachine
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: drop fruit:time machine max size (buggy bandsize parser)
Samba's fruit_get_bandsize() regex-based plist parser fails on valid
Info.plist files. Rely on ZFS refquota on dick/users/ldx instead.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: upgrade to nixos-25.11, add Spotlight + recycle bin
- Upgrade nixpkgs from nixos-24.11 to nixos-25.11 (Samba 4.20→4.22)
- Build sambaFull with Spotlight/tracker support via overlay:
  - Patch waf to detect tracker-sparql-3.0 (upstream only checks ≤2.0)
  - Patch rpcd_mdssvc for tinysparql 3.x bus API rename
    (get_async/get_finish → bus_new_async/bus_new_finish)
  - Disable tevent_glib_tracker test (uses removed tracker 2.x API, test-only)
- Add icu for Unicode normalisation required by Spotlight
- Add Spotlight search with tracker backend for Finder search over SMB
- Add localsearch indexer service for public, media, and ldx files
- Add recycle bin (vfs recycle) for public/homes shares
- Add global fruit VFS for Apple compatibility
- Move fruit:model=TimeCapsule to ldx-timemachine share only
- Disable Spotlight on timemachine share
- Fix package renames for 25.11: targetcli→targetcli-fb, dstat→dool
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: bump TM max size to 3T for three Macs
1T was too tight — 579G already used across 3 sparsebundles left only
~450G visible to macOS. 3T leaves headroom for growth while keeping 7T
of the 10T ldx quota available for other datasets.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: rename TM share to ldx-timemachine
Per-user naming makes ownership unambiguous. The share points to ldx's
dedicated timemachine ZFS dataset, not a shared location.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add Samba Time Machine share for macOS backups
Exposes dick/users/ldx/timemachine as an SMB share with Apple fruit VFS
extensions (fruit:time machine = yes) so Macs can back up directly to
skydick instead of door1. Capped at 1T via fruit:time machine max size.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add timemachine dataset for macOS backups
Dedicated ZFS dataset with recordsize=64K and zstd compression, better
matched for Time Machine sparsebundle band files than the media dataset
(1M recordsize, compression=off) where backups were previously dumped.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: tune ZFS async read and prefetch for NFS throughput
Benchmarking showed 320 MB/s read over NFS against a 4-mirror-vdev pool
capable of much more. The default async_read_max_active=8 starves the
I/O scheduler across 4 vdevs of spinning Mach2 drives, and the prefetch
data miss rate was 93%.
- zfs_vdev_async_read_max_active: 8 → 32
- zfs_vdev_async_read_min_active: 1 → 4
- zfetch_max_streams: 8 → 16
Co-Authored-By: Claude Opus 4.6 <[email protected]>
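The "fix localsearch, I/O schedulers, wait-online, NIC tuning" commit from 2026-03-16 and the ZFS async-read tuning commit directly above both describe host tuning that is normally expressed as a handful of NixOS options. As an added example that is not the repository's own module, the block below shows one way to write those pieces: scheduler selection keyed on the device's rotational attribute rather than on kernel names, the wait-online relaxation, a oneshot that raises NIC ring buffers, and the three ZFS module parameters. The Mellanox port names in `mlxIfaces` and the service name are assumptions; the scheduler, ring-buffer and ZFS values are the ones given in the commit messages.

```nix
# Added example, not the repository's own module. `mlxIfaces` and the
# service name are assumed; all tuning values come from the commit messages.
{ config, lib, pkgs, ... }:

let
  mlxIfaces = [ "enp65s0f0" "enp65s0f1" ]; # assumed Mellanox port names
in
{
  # Boot proceeds once any one configured link is up instead of waiting
  # (up to two minutes) for every interface.
  systemd.network.wait-online.anyInterface = true;

  # Choose the I/O scheduler from the device's own rotational attribute.
  # Partitions have no queue/ directory, so the ATTR match skips them, and
  # drives keep the right scheduler even when sdX names are re-enumerated.
  services.udev.extraRules = ''
    ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="sd*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="mq-deadline"
    ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="nvme*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="none"
  '';

  # Raise rx/tx ring buffers from the default 1024 to 4096 once the ports
  # exist; `|| true` keeps a missing port from failing the whole unit.
  systemd.services.storage-tuning = {
    description = "Mellanox ring buffer tuning";
    wantedBy = [ "multi-user.target" ];
    after = map (i: "sys-subsystem-net-devices-${i}.device") mlxIfaces;
    wants = map (i: "sys-subsystem-net-devices-${i}.device") mlxIfaces;
    serviceConfig.Type = "oneshot";
    script = lib.concatMapStringsSep "\n"
      (i: "${pkgs.ethtool}/bin/ethtool -G ${i} rx 4096 tx 4096 || true")
      mlxIfaces;
  };

  # ZFS vdev queue and prefetch limits from the async-read tuning commit.
  # Passed on the kernel command line so they apply even when the zfs
  # module is loaded from the initrd for rpool.
  boot.kernelParams = [
    "zfs.zfs_vdev_async_read_max_active=32"
    "zfs.zfs_vdev_async_read_min_active=4"
    "zfs.zfetch_max_streams=16"
  ];
}
```

To confirm the result on the running host: `cat /sys/block/sdX/queue/scheduler` shows the active scheduler in brackets, `ethtool -g <port>` prints the current ring sizes, and `cat /sys/module/zfs/parameters/zfs_vdev_async_read_max_active` shows whether the module picked up the new value.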
|
skydick: document Windows NFS client path differences
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-15 |
Merge branch 'main' of https://gitbucket.skyw.top/git/Skyworks/skyworks-Nix-infra
|
skydick: clean SMB tuning and enforce datapool atime
|
add wg-peers to SMB allowed ips
|
Add RSS support flag from server side
|
skydick: document datapool user and admin workflow
|
skydick: keep SMB passwords synced from LDAP
|
skydick: switch Samba to ldapsam, rename ylw→ye-lw21, drop legacy datasets
- Samba passdb backend changed from tdbsam to ldapsam:ldap://10.0.0.1
- Added samba-ldap-admin-password oneshot to seed LDAP admin cred before smbd
- Pinned storage group to GID 997 to match LDAP posixGroup
- Renamed ylw to ye-lw21 across all hosts (users.nix, skydick, xlab-gateway)
- Removed legacy tmpfiles and NFS exports (share/backup/torrent/vm destroyed)
- Added bootstrap LDIF for sambaDomain, storage group, machines OU
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: update DATAPOOL.md for ldapsam, ye-lw21 rename, and storage group model
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: enable LDAP-backed NSS for POSIX identity resolution
Add users.ldap with nslcd pointed at ldap://10.0.0.1/ for passwd/group
lookups. This is identity-only: loginPam=false keeps SSH/console auth
local, and Samba stays on tdbsam until sambaSamAccount objects exist
in LDAP.
- Add agenix secret for LDAP bind credential (cn=query_user)
- nss_initgroups_ignoreusers ALLLOCAL avoids boot-time NSS deadlock
- Add openldap package for admin ldapsearch/ldapmodify
- Update DATAPOOL.md to reflect LDAP identity model, numeric UID/GID
in tmpfiles for LDAP-only users, and current auth boundaries
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-14 |
skydick: redesign datapool with per-user datasets and service model
Replace flat purpose-first layout (share/media/torrent/backup/vm) with
user-first hierarchy:
- dick/public: shared collaborative files
- dick/media: shared media with data/ + library/ in one hardlink domain
- dick/users/<user>/{files,bt-state,vm}: per-user private trees with
  ZFS quotas, per-user NFS all_squash, and Samba [homes]
- dick/system/{backup,vm}: admin-only system datasets
- dick/templates/vm: read-only shared VM base images
NFS exports split media into rw writer (all_squash to qbittorrent) and
ro reader (/media/library). Per-user exports use explicit anonuid/gid.
Samba uses [public] for shared, [homes] for per-user, [media] ro for
library. Legacy exports preserved for active migration.
Add DATAPOOL.md with user/admin guide covering SMB/NFS connection,
new-user provisioning, quotas, and troubleshooting.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
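The datapool redesign commit above describes the NFS side of the user-first layout in one paragraph: a read-write media writer squashed to qbittorrent, a read-only library reader, and per-user exports with explicit anonuid/anongid. As an added example that is not the repository's own module, this NixOS fragment writes those exports out. The mountpoints under /media and /users, the LAN prefix and the numeric UIDs are assumptions (on this fleet nslcd resolves the real ones from LDAP); GID 997 is the storage group pinned in a later commit in this log, and the export roles follow the commit message.

```nix
# Added example, not the repository's own module. Mountpoints, LAN prefix
# and UIDs are assumed; the export roles are from the commit message.
{ lib, ... }:

let
  lan = "10.0.0.0/24";       # assumed LAN prefix allowed to mount
  qbittorrentUid = 900;      # assumed UID of the torrent daemon
  storageGid = 997;          # storage posixGroup pinned to GID 997
  users = { ldx = 1000; "ye-lw21" = 1001; }; # assumed UIDs
  common = "sync,no_subtree_check";

  # Each per-user tree is exported with all_squash to that user's own
  # UID, so whatever identity a client presents, writes land as the owner
  # and cannot spill into another user's dataset.
  userExport = name: uid:
    "/users/${name}/files ${lan}(rw,${common},all_squash,anonuid=${toString uid},anongid=${toString storageGid})";
in
{
  services.nfs.server = {
    enable = true;
    exports = ''
      # Writer: every client write lands as qbittorrent:storage, so the
      # daemon can always manage the files it is later asked to seed.
      /media/data     ${lan}(rw,${common},all_squash,anonuid=${toString qbittorrentUid},anongid=${toString storageGid})
      # Reader: library/ is hardlinks into data/, exported read-only.
      /media/library  ${lan}(ro,${common},all_squash,anongid=${toString storageGid})
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList userExport users)}
    '';
  };
}
```

After the switch, `exportfs -v` on skydick lists each export with its effective options (squash settings included), and `zfs get quota,refquota dick/users/ldx` shows the per-user limits that bound those trees.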
monitoring: auto-discover SMART devices instead of hardcoding
Remove smartDevices option and per-host device lists. Telegraf will
now scan all block devices automatically, so disks can be added or
removed without config changes.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|