about summary refs log tree commit diff
path: root/nix/hosts/lampadas/configuration.nix
diff options
context:
space:
mode:
authorEmile <git@emile.space>2024-05-30 10:19:17 +0200
committerEmile <git@emile.space>2024-05-30 10:19:17 +0200
commitd7b2f8a9fe6c450ddfa843b67dea638d88424345 (patch)
tree19fd02d29072a156f6868167174f354af2b59676 /nix/hosts/lampadas/configuration.nix
parent26f702fa2afe7e9ba433fbf264bde7f49a5f3d92 (diff)
added the lampadas nas config
Diffstat (limited to 'nix/hosts/lampadas/configuration.nix')
-rw-r--r--nix/hosts/lampadas/configuration.nix217
1 files changed, 217 insertions, 0 deletions
diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix
new file mode 100644
index 0000000..6ef4f0f
--- /dev/null
+++ b/nix/hosts/lampadas/configuration.nix
@@ -0,0 +1,217 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ pkgs, ... }:
+
+let 
+  emile_keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk"
+  ];
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "r8169" ];
+      systemd.users.root.shell = "/bin/cryptsetup-askpass";
+      network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          port = 22;
+          hostKeys = ["/initrd_ssh_host_key_ed25519"];
+          authorizedKeys = emile_keys;
+        };
+        postCommands = ''
+          echo 'cryptsetup-askpass' > /root/.profile
+        '';
+      };
+      luks.devices = {
+
+	# unsure why luksdata1 is recognized and added to the
+	# hardware-configuration.nix automatically, but luksdata2 isn't 
+        "luksdata2".device = "/dev/disk/by-uuid/e94d7f32-26ef-41e1-b3f3-9e63e4858001";
+      };
+    };
+  };
+
+  fileSystems = {
+    "/".options = ["compress=zstd"];
+    "/home".options = ["compress=zstd"];
+    "/nix".options = ["compress=zstd" "noatime"];
+  };
+
+  networking = {
+    hostName = "lampadas";
+    firewall.enable = true;
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  powerManagement = {
+    powertop.enable = true;
+    scsiLinkPolicy = "med_power_with_dipm";
+  };
+
+  users = {
+    mutableUsers = false;
+    users = {
+      root = {
+        hashedPassword = "";
+        openssh.authorizedKeys.keys = emile_keys;
+      };
+      emile = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = emile_keys;
+      };
+      samba-guest = {
+        isSystemUser = true;
+        description = "Samba guest user";
+        group = "samba-guest";
+        home = "/var/empty";
+        createHome = false;
+        shell = pkgs.shadow;
+      };
+    };
+  };
+  users.groups.samba-guest = {};
+
+  systemd.tmpfiles.rules = [
+    "d /data 0755 root root"
+    "d /data/private 0755 emile users"
+    "d /data/public 0755 samba-guest samba-guest"
+    "d /data/time_machine 0755 emile users"
+  ];
+
+  environment.systemPackages = with pkgs; [ vim tailscale ];
+
+  programs.mosh.enable = true;
+
+  services = {
+    # traffic metrics
+    vnstat.enable = true;
+
+    # ssh access
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+
+    # VPN
+    tailscale.enable = true;
+
+    # filesystem stuff
+    btrfs = {
+      autoScrub.enable = true;
+      autoScrub.interval = "weekly";
+    };
+
+    # metric exporters
+    prometheus.exporters = {
+      node.enable = true;
+      systemd.enable = true;
+      smartctl.enable = true;
+    };
+
+    # shares
+    samba = {
+      enable = true;
+      openFirewall = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+        server string = lampadas
+        netbios name = lampadas
+        security = user
+        hosts allow = 100.64.0.0/255.192.0.0, 127.0.0.1/255.0.0.0, ::1, 192.168.0., 192.168.1.
+        hosts deny = 0.0.0.0/0
+        guest account = samba-guest 
+        map to guest = bad user
+        load printers = no
+        server min protocol = SMB3
+        server smb encrypt = required 
+        read raw = Yes
+        write raw = Yes
+        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+        min receivefile size = 16384
+        use sendfile = true
+        aio read size = 16384
+        aio write size = 16384
+        server multi channel support = yes
+      '';
+      shares = {
+        public = {
+          path = "/data/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "comment" = "public data";
+        };
+        private = {
+          path = "/data/private";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "emile";
+          "comment" = "private data (no flags though)";
+        };
+        time_machine = {
+          path = "/data/time_machine";
+          "public" = "no";
+          "writeable" = "yes";
+          "valid users" = "emile";
+          "force user" = "emile"; 
+          "fruit:aapl" = "yes";
+          "fruit:time machine" = "yes";
+          "fruit:delete_empty_adfiles" = "yes";
+          "fruit:veto_appledouble" = "no";
+          "fruit:wipe_intentionally_left_blank_rfork" = "yes";
+          "fruit:posix_rename" = "yes";
+          "fruit:metadata" = "stream";
+
+          # otherwise, copying on the server happens Server -> Client ->
+          # Server (but only on macos)
+          "fruit:copyfile" = "yes";
+
+          "vfs objects" = "catia fruit streams_xattr";
+          "comment" = "time machine backups";
+        };
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "23.11";
+    autoUpgrade.enable = true;
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+    settings = {
+      auto-optimise-store = true;
+    };
+  };
+}
+