| 2026-05-08 |
monitoring: add nodeExporter option, enable on skydick
Replaces telegraf-as-only-monitoring with a declarative node-exporter that
the skyw-gw Prometheus scrapes directly. Telegraf->InfluxDB(door1) keeps
running until door1 retirement so the legacy skydick.json grafana
dashboard does not go dark mid-migration.
ldx committed 3 hours ago
|
| 2026-05-06 |
skydick: also disable RA in systemd-networkd userspace
Sysctl accept_ra=0 only stops the kernel — systemd-networkd does
its own RA processing in userspace and was caching the link-DNS
even after the kernel sysctl was applied. Override the
auto-generated 40-bond0.network with networkConfig.IPv6AcceptRA=false.
ldx committed 2 days ago
|
skydick: suppress IPv6 RA processing on bond0
`networking.enableIPv6 = false` only disables IPv6 forwarding/use;
the kernel still accepts router advertisements unless told otherwise.
The gateway's radvd was seeding fd99:23eb:1682::1 as a per-link DNS
on bond0, which then took precedence in systemd-resolved for AAAA
queries — making blocked names error as 'Connection refused' instead
of returning a clean NXDOMAIN through 10.0.0.1's mosdns.
Set accept_ra=0 globally + on bond0 explicitly. Existing 'enableIPv6
= false' continues to handle the higher-level disable.
ldx committed 2 days ago
|
skydick: route DNS via 10.0.0.1 only, AliDNS as fallback
Was: nameservers = [ "10.0.0.1" "223.5.5.5" ] — both treated as
primary by systemd-resolved, which then load-balanced to AliDNS
and bypassed mosdns's analytics blocking (resolvectl confirmed
hm.baidu.com / google-analytics.com leaking through).
Now: 10.0.0.1 only as primary, AliDNS demoted to fallbackDns so
it activates only when 10.0.0.1 is unreachable.
ldx committed 2 days ago
|
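The three skydick commits above (DNS primary/fallback split, kernel accept_ra, networkd RA override) are pieces of one fix: keep every resolver path on 10.0.0.1 so mosdns filtering cannot be bypassed. As an added illustration, not code from the skyworks repository, this is how those settings fit together in one NixOS host module; it assumes the host runs systemd-networkd with a bond named bond0, whose auto-generated unit is 40-bond0 as the second commit states.

```nix
# Added example, not the skyworks repo's own module. Assumes
# networking.useNetworkd = true and a bond0 whose generated networkd
# unit is named 40-bond0 (per the commit message above).
{ ... }:

{
  # Higher-level IPv6 disable (already present on the host per the commits).
  # On its own this does NOT stop the kernel from accepting RAs.
  networking.enableIPv6 = false;

  # Kernel side: refuse router advertisements globally and on bond0, so the
  # gateway's radvd cannot seed a per-link DNS server that systemd-resolved
  # would then prefer for AAAA lookups. systemd-udevd re-applies the
  # per-interface key when bond0 appears.
  boot.kernel.sysctl = {
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
    "net.ipv6.conf.bond0.accept_ra" = 0;
  };

  # Userspace side: systemd-networkd parses RAs itself and keeps caching
  # the advertised link DNS regardless of the sysctl, so turn it off in the
  # generated unit as well.
  systemd.network.networks."40-bond0".networkConfig.IPv6AcceptRA = false;

  # Resolver: exactly one primary, so systemd-resolved has nothing to
  # load-balance to. AliDNS is demoted to a fallback that resolved only
  # uses when no link-scoped server is reachable.
  networking.nameservers = [ "10.0.0.1" ];
  services.resolved = {
    enable = true;
    fallbackDns = [ "223.5.5.5" ];
  };
}
```

After switching to this configuration, `resolvectl status bond0` should list only 10.0.0.1 as a DNS server and no link-local or ULA address pushed by RA.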
| 2026-03-29 |
Add InfluxDB v2 on skydick for fleet monitoring
- New modules/influxdb.nix: declarative InfluxDB v2 with ZFS-backed
storage (dick/system/influxdb, bind-mounted to /var/lib/influxdb2)
- monitoring.nix: make influxUrl configurable (default: skydick)
- skydick/default.nix: enable influxdb, point telegraf to localhost
- datapool.nix: document influxdb dataset in hierarchy + creation cmds
Consolidates all monitoring data (door1 + skydick + IoT sensors) into
a single InfluxDB on the ZFS storage server for infinite retention.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-16 |
skydick: fix localsearch, I/O schedulers, wait-online, NIC tuning
- Replace broken localsearch oneshot with proper miner daemon running as
ldx on ldx's session bus (lingering enabled) so Samba Spotlight queries
from macOS clients actually work
- Fix systemd-networkd-wait-online 2-min boot timeout (anyInterface=true)
- Add storage-tuning service to enforce mq-deadline on SAS HDDs and
increase Mellanox ring buffers (1024→4096) at boot
- Simplify udev I/O scheduler rules to match by rotational attribute
instead of hardcoded kernel device names
- Update TM dataset recordsize comments to reflect 1M (applied on pool)
- Fix deprecated linuxPackages_6_6.perf → perf
ZFS properties applied separately on skydick:
com.sun:auto-snapshot=true on dick (was unset — no snapshots taken)
com.sun:auto-snapshot=false on dick/users/ldx/timemachine
recordsize=1M on dick/users/ldx/timemachine
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: upgrade to nixos-25.11, add Spotlight + recycle bin
- Upgrade nixpkgs from nixos-24.11 to nixos-25.11 (Samba 4.20→4.22)
- Build sambaFull with Spotlight/tracker support via overlay:
- Patch waf to detect tracker-sparql-3.0 (upstream only checks ≤2.0)
- Patch rpcd_mdssvc for tinysparql 3.x bus API rename
(get_async/get_finish → bus_new_async/bus_new_finish)
- Disable tevent_glib_tracker test (uses removed tracker 2.x API, test-only)
- Add icu for Unicode normalisation required by Spotlight
- Add Spotlight search with tracker backend for Finder search over SMB
- Add localsearch indexer service for public, media, and ldx files
- Add recycle bin (vfs recycle) for public/homes shares
- Add global fruit VFS for Apple compatibility
- Move fruit:model=TimeCapsule to ldx-timemachine share only
- Disable Spotlight on timemachine share
- Fix package renames for 25.11: targetcli→targetcli-fb, dstat→dool
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: tune ZFS async read and prefetch for NFS throughput
Benchmarking showed 320 MB/s read over NFS against a 4-mirror-vdev pool
capable of much more. The default async_read_max_active=8 starves the
I/O scheduler across 4 vdevs of spinning Mach2 drives, and the prefetch
data miss rate was 93%.
- zfs_vdev_async_read_max_active: 8 → 32
- zfs_vdev_async_read_min_active: 1 → 4
- zfetch_max_streams: 8 → 16
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-15 |
skydick: switch Samba to ldapsam, rename ylw→ye-lw21, drop legacy datasets
- Samba passdb backend changed from tdbsam to ldapsam:ldap://10.0.0.1
- Added samba-ldap-admin-password oneshot to seed LDAP admin cred before smbd
- Pinned storage group to GID 997 to match LDAP posixGroup
- Renamed ylw to ye-lw21 across all hosts (users.nix, skydick, xlab-gateway)
- Removed legacy tmpfiles and NFS exports (share/backup/torrent/vm destroyed)
- Added bootstrap LDIF for sambaDomain, storage group, machines OU
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: enable LDAP-backed NSS for POSIX identity resolution
Add users.ldap with nslcd pointed at ldap://10.0.0.1/ for passwd/group
lookups. This is identity-only: loginPam=false keeps SSH/console auth
local, and Samba stays on tdbsam until sambaSamAccount objects exist
in LDAP.
- Add agenix secret for LDAP bind credential (cn=query_user)
- nss_initgroups_ignoreusers ALLLOCAL avoids boot-time NSS deadlock
- Add openldap package for admin ldapsearch/ldapmodify
- Update DATAPOOL.md to reflect LDAP identity model, numeric UID/GID
in tmpfiles for LDAP-only users, and current auth boundaries
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-14 |
monitoring: auto-discover SMART devices instead of hardcoding
Remove smartDevices option and per-host device lists. Telegraf will
now scan all block devices automatically, so disks can be added or
removed without config changes.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
common: add TUNA mirror as primary Nix substituter, add btop
cache.nixos.org has ~1.1s latency from CN. TUNA mirror responds
in ~29ms (38x faster). Set connect-timeout=5 and
stalled-download-timeout=15 to fail fast on unreachable mirrors.
Also add btop to skydick monitoring packages.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: add Telegraf monitoring with SMART, ZFS, and system metrics
Sends metrics to door1 InfluxDB (bucket: skydick) via Telegraf.
Monitors all 5 Mach2 SAS drives, NVMe P4500, and boot SSD via SMART.
InfluxDB token encrypted with agenix.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-13 |
skydick: extract datapool.nix for Mach2 ZFS storage config
Move all storage-serving config (NFS, Samba, iSCSI, tmpfiles, firewall
ports, storage group) from default.nix into datapool.nix. Add Mach2
dual-actuator mirror layout documentation, new datasets (torrent, vm),
and clean permission model (setgid storage group for user data).
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-11 |
users: unify ylw as common admin, keep host-specific passwords and groups
Move ylw base identity (isNormalUser, wheel, SSH key) to modules/users.nix
alongside ldx. Host configs retain only extra groups and hashedPassword.
Also renames ye-lw21 to ylw on skydick.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-09 |
skydick: disable IPv6 to avoid wg-outbound ULA masquerade timeout
IPv6 traffic from skydick goes through freedom routing on 10.0.0.1,
which masquerades with ULA fd99:23eb:1682:fe::2 (not globally routable).
This causes nix/cargo downloads to timeout on AAAA records. Skydick has
no IPv6 use cases as a LAN storage server.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-07 |
Initial skyworks infrastructure flake
Unified NixOS configuration for skydick (storage server) and
xlab-gateway (lab router). Flat module structure with shared
common/users/ssh modules, agenix secrets, disko, and deploy-rs.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|