Diffstat (limited to 'nix/hosts')
-rw-r--r--nix/hosts/lampadas/README.md3
-rw-r--r--nix/hosts/lampadas/configuration.nix217
-rw-r--r--nix/hosts/lampadas/hardware-configuration.nix60
-rw-r--r--nix/hosts/lampadas/ssh.pub1
4 files changed, 281 insertions, 0 deletions
diff --git a/nix/hosts/lampadas/README.md b/nix/hosts/lampadas/README.md
new file mode 100644
index 0000000..4884732
--- /dev/null
+++ b/nix/hosts/lampadas/README.md
@@ -0,0 +1,3 @@
+# lampadas
+
+the NAS
diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix
new file mode 100644
index 0000000..6ef4f0f
--- /dev/null
+++ b/nix/hosts/lampadas/configuration.nix
@@ -0,0 +1,217 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ pkgs, ... }:
+
+let 
+  emile_keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk"
+  ];
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "r8169" ];
+      systemd.users.root.shell = "/bin/cryptsetup-askpass";
+      network = {
+        enable = true;
+        ssh = {
+          enable = true;
+          port = 22;
+          hostKeys = ["/initrd_ssh_host_key_ed25519"];
+          authorizedKeys = emile_keys;
+        };
+        postCommands = ''
+          echo 'cryptsetup-askpass' > /root/.profile
+        '';
+      };
+      luks.devices = {
+
+	# unsure why luksdata1 is recognized and added to the
+	# hardware-configuration.nix automatically, but luksdata2 isn't 
+        "luksdata2".device = "/dev/disk/by-uuid/e94d7f32-26ef-41e1-b3f3-9e63e4858001";
+      };
+    };
+  };
+
+  fileSystems = {
+    "/".options = ["compress=zstd"];
+    "/home".options = ["compress=zstd"];
+    "/nix".options = ["compress=zstd" "noatime"];
+  };
+
+  networking = {
+    hostName = "lampadas";
+    firewall.enable = true;
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  powerManagement = {
+    powertop.enable = true;
+    scsiLinkPolicy = "med_power_with_dipm";
+  };
+
+  users = {
+    mutableUsers = false;
+    users = {
+      root = {
+        hashedPassword = "";
+        openssh.authorizedKeys.keys = emile_keys;
+      };
+      emile = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = emile_keys;
+      };
+      samba-guest = {
+        isSystemUser = true;
+        description = "Samba guest user";
+        group = "samba-guest";
+        home = "/var/empty";
+        createHome = false;
+        shell = pkgs.shadow;
+      };
+    };
+  };
+  users.groups.samba-guest = {};
+
+  systemd.tmpfiles.rules = [
+    "d /data 0755 root root"
+    "d /data/private 0755 emile users"
+    "d /data/public 0755 samba-guest samba-guest"
+    "d /data/time_machine 0755 emile users"
+  ];
+
+  environment.systemPackages = with pkgs; [ vim tailscale ];
+
+  programs.mosh.enable = true;
+
+  services = {
+    # traffic metrics
+    vnstat.enable = true;
+
+    # ssh access
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+
+    # VPN
+    tailscale.enable = true;
+
+    # filesystem stuff
+    btrfs = {
+      autoScrub.enable = true;
+      autoScrub.interval = "weekly";
+    };
+
+    # metric exporters
+    prometheus.exporters = {
+      node.enable = true;
+      systemd.enable = true;
+      smartctl.enable = true;
+    };
+
+    # shares
+    samba = {
+      enable = true;
+      openFirewall = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+        server string = lampadas
+        netbios name = lampadas
+        security = user
+        hosts allow = 100.64.0.0/255.192.0.0, 127.0.0.1/255.0.0.0, ::1, 192.168.0., 192.168.1.
+        hosts deny = 0.0.0.0/0
+        guest account = samba-guest 
+        map to guest = bad user
+        load printers = no
+        server min protocol = SMB3
+        server smb encrypt = required 
+        read raw = Yes
+        write raw = Yes
+        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+        min receivefile size = 16384
+        use sendfile = true
+        aio read size = 16384
+        aio write size = 16384
+        server multi channel support = yes
+      '';
+      shares = {
+        public = {
+          path = "/data/public";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "comment" = "public data";
+        };
+        private = {
+          path = "/data/private";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "emile";
+          "comment" = "private data (no flags though)";
+        };
+        time_machine = {
+          path = "/data/time_machine";
+          "public" = "no";
+          "writeable" = "yes";
+          "valid users" = "emile";
+          "force user" = "emile"; 
+          "fruit:aapl" = "yes";
+          "fruit:time machine" = "yes";
+          "fruit:delete_empty_adfiles" = "yes";
+          "fruit:veto_appledouble" = "no";
+          "fruit:wipe_intentionally_left_blank_rfork" = "yes";
+          "fruit:posix_rename" = "yes";
+          "fruit:metadata" = "stream";
+
+          # otherwise, copying on the server happens Server -> Client ->
+          # Server (but only on macos)
+          "fruit:copyfile" = "yes";
+
+          "vfs objects" = "catia fruit streams_xattr";
+          "comment" = "time machine backups";
+        };
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "23.11";
+    autoUpgrade.enable = true;
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+    settings = {
+      auto-optimise-store = true;
+    };
+  };
+}
+
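Review bot: `root.hashedPassword = "";` in the users block sets an empty password hash rather than a locked one, so as I read the NixOS semantics this lets anyone with console (or other local) access log in as root without a password; SSH is protected only because PasswordAuthentication and KbdInteractiveAuthentication are switched off further down. Lock the account with `hashedPassword = "!";` (or drop the attribute entirely — with `mutableUsers = false` an unset password is locked) and keep root access on the authorized keys, which is unaffected; the initrd unlock path uses the initrd SSH authorized keys, not this password. Note that `emile` is in `wheel` but also has no password declared, so sudo for that user will presumably prompt for a password that cannot be supplied; either declare a `hashedPassword` for `emile` or set `security.sudo.wheelNeedsPassword = false;` explicitly rather than relying on an open root account. On style, several lines carry trailing whitespace (`let `, the luksdata comment, `guest account = samba-guest `, `server smb encrypt = required `, `"force user" = "emile"; `) and the luksdata comment is tab-indented in an otherwise space-indented file; `security = user` in extraConfig duplicates `securityType = "user"` and can be removed.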
diff --git a/nix/hosts/lampadas/hardware-configuration.nix b/nix/hosts/lampadas/hardware-configuration.nix
new file mode 100644
index 0000000..e07fadc
--- /dev/null
+++ b/nix/hosts/lampadas/hardware-configuration.nix
@@ -0,0 +1,60 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  boot.initrd.luks.devices."luksroot1".device = "/dev/disk/by-uuid/aacddcd3-c861-4a43-8a59-473b2a42e52e";
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/mapper/luksdata1";
+      fsType = "btrfs";
+    };
+
+  boot.initrd.luks.devices."luksdata1".device = "/dev/disk/by-uuid/0737dc4a-a320-4468-a0e1-0db9a1d16b4c";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/DE69-5562";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nix/hosts/lampadas/ssh.pub b/nix/hosts/lampadas/ssh.pub
new file mode 100644
index 0000000..f2192ec
--- /dev/null
+++ b/nix/hosts/lampadas/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbvlQjEsZO4hsfdUwhVQnxYkxyoRiVxkPGlJO2hzMOl root@lampadas