From d7b2f8a9fe6c450ddfa843b67dea638d88424345 Mon Sep 17 00:00:00 2001
From: Emile
Date: Thu, 30 May 2024 10:19:17 +0200
Subject: added the lampadas nas config
---
 nix/hosts/lampadas/README.md | 3 +
 nix/hosts/lampadas/configuration.nix | 217 ++++++++++++++++++++++++++
 nix/hosts/lampadas/hardware-configuration.nix | 60 +++++++
 nix/hosts/lampadas/ssh.pub | 1 +
 4 files changed, 281 insertions(+)
 create mode 100644 nix/hosts/lampadas/README.md
 create mode 100644 nix/hosts/lampadas/configuration.nix
 create mode 100644 nix/hosts/lampadas/hardware-configuration.nix
 create mode 100644 nix/hosts/lampadas/ssh.pub
(limited to 'nix')
diff --git a/nix/hosts/lampadas/README.md b/nix/hosts/lampadas/README.md
new file mode 100644
index 0000000..4884732
--- /dev/null
+++ b/nix/hosts/lampadas/README.md
@@ -0,0 +1,3 @@
+# lampadas
+
+the NAS
diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix
new file mode 100644
index 0000000..6ef4f0f
--- /dev/null
+++ b/nix/hosts/lampadas/configuration.nix
@@ -0,0 +1,217 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ pkgs, ... }:
+
+let
+ emile_keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk"
+ ];
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ availableKernelModules = [ "r8169" ];
+ systemd.users.root.shell = "/bin/cryptsetup-askpass";
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ hostKeys = ["/initrd_ssh_host_key_ed25519"];
+ authorizedKeys = emile_keys;
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' > /root/.profile
+ '';
+ };
+ luks.devices = {
+
+ # unsure why luksdata1 is recognized and added to the
+ # hardware-configuration.nix automatically, but luksdata2 isn't
+ "luksdata2".device = "/dev/disk/by-uuid/e94d7f32-26ef-41e1-b3f3-9e63e4858001";
+ };
+ };
+ };
+
+ fileSystems = {
+ "/".options = ["compress=zstd"];
+ "/home".options = ["compress=zstd"];
+ "/nix".options = ["compress=zstd" "noatime"];
+ };
+
+ networking = {
+ hostName = "lampadas";
+ firewall.enable = true;
+ };
+
+ time.timeZone = "Europe/Berlin";
+
+ powerManagement = {
+ powertop.enable = true;
+ scsiLinkPolicy = "med_power_with_dipm";
+ };
+
+ users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ hashedPassword = "";
+ openssh.authorizedKeys.keys = emile_keys;
+ };
+ emile = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = emile_keys;
+ };
+ samba-guest = {
+ isSystemUser = true;
+ description = "Samba guest user";
+ group = "samba-guest";
+ home = "/var/empty";
+ createHome = false;
+ shell = pkgs.shadow;
+ };
+ };
+ };
+ users.groups.samba-guest = {};
+
+ systemd.tmpfiles.rules = [
+ "d /data 0755 root root"
+ "d /data/private 0755 emile users"
+ "d /data/public 0755 samba-guest samba-guest"
+ "d /data/time_machine 0755 emile users"
+ ];
+
+ environment.systemPackages = with pkgs; [ vim tailscale ];
+
+ programs.mosh.enable = true;
+
+ services = {
+ # traffic metrics
+ vnstat.enable = true;
+
+ # ssh access
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+
+ # VPN
+ tailscale.enable = true;
+
+ # filesystem stuff
+ btrfs = {
+ autoScrub.enable = true;
+ autoScrub.interval = "weekly";
+ };
+
+ # metric exporters
+ prometheus.exporters = {
+ node.enable = true;
+ systemd.enable = true;
+ smartctl.enable = true;
+ };
+
+ # shares
+ samba = {
+ enable = true;
+ openFirewall = true;
+ securityType = "user";
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = lampadas
+ netbios name = lampadas
+ security = user
+ hosts allow = 100.64.0.0/255.192.0.0, 127.0.0.1/255.0.0.0, ::1, 192.168.0., 192.168.1.
+ hosts deny = 0.0.0.0/0
+ guest account = samba-guest
+ map to guest = bad user
+ load printers = no
+ server min protocol = SMB3
+ server smb encrypt = required
+ read raw = Yes
+ write raw = Yes
+ socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+ min receivefile size = 16384
+ use sendfile = true
+ aio read size = 16384
+ aio write size = 16384
+ server multi channel support = yes
+ '';
+ shares = {
+ public = {
+ path = "/data/public";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "yes";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "comment" = "public data";
+ };
+ private = {
+ path = "/data/private";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "emile";
+ "comment" = "private data (no flags though)";
+ };
+ time_machine = {
+ path = "/data/time_machine";
+ "public" = "no";
+ "writeable" = "yes";
+ "valid users" = "emile";
+ "force user" = "emile";
+ "fruit:aapl" = "yes";
+ "fruit:time machine" = "yes";
+ "fruit:delete_empty_adfiles" = "yes";
+ "fruit:veto_appledouble" = "no";
+ "fruit:wipe_intentionally_left_blank_rfork" = "yes";
+ "fruit:posix_rename" = "yes";
+ "fruit:metadata" = "stream";
+
+ # otherwise, copying on the server happens Server -> Client ->
+ # Server (but only on macos)
+ "fruit:copyfile" = "yes";
+
+ "vfs objects" = "catia fruit streams_xattr";
+ "comment" = "time machine backups";
+ };
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "23.11";
+ autoUpgrade.enable = true;
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 14d";
+ };
+ settings = {
+ auto-optimise-store = true;
+ };
+ };
+}
+
diff --git a/nix/hosts/lampadas/hardware-configuration.nix b/nix/hosts/lampadas/hardware-configuration.nix
new file mode 100644
index 0000000..e07fadc
--- /dev/null
+++ b/nix/hosts/lampadas/hardware-configuration.nix
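Review bot: `hashedPassword = "";` in the `users.users.root` block does not lock root; under `mutableUsers = false` NixOS writes that empty string into the shadow password field, and the option's own documentation says an empty string lets the user log in without a password, so a login at the local console as root succeeds with no credential at all — the SSH hardening (`PasswordAuthentication = false`) does not cover that path. Lock the account explicitly with `hashedPassword = "!";` (or leave the attribute unset, which with `mutableUsers = false` should leave the password locked) and keep key-only root access through `openssh.authorizedKeys.keys`. Note that `emile` has no password either, so `sudo` from the `wheel` group will prompt for a password that cannot be supplied; either give emile a hash (e.g. `hashedPassword = "<output of mkpasswd -m sha-512>";`) or set `security.sudo.wheelNeedsPassword = false;` as a deliberate choice. Separately, `boot.initrd.network.ssh.port = 22` and the real sshd (enabled later in the hunk, default port 22) answer on the same address with different host keys (`/initrd_ssh_host_key_ed25519` vs the system key), so every boot produces a host-key-changed warning that trains the operator to ignore the one warning that matters; move the initrd listener elsewhere, e.g. `port = 2222;`.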
@@ -0,0 +1,60 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ boot.initrd.luks.devices."luksroot1".device = "/dev/disk/by-uuid/aacddcd3-c861-4a43-8a59-473b2a42e52e";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/data" =
+ { device = "/dev/mapper/luksdata1";
+ fsType = "btrfs";
+ };
+
+ boot.initrd.luks.devices."luksdata1".device = "/dev/disk/by-uuid/0737dc4a-a320-4468-a0e1-0db9a1d16b4c";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/DE69-5562";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nix/hosts/lampadas/ssh.pub b/nix/hosts/lampadas/ssh.pub
new file mode 100644
index 0000000..f2192ec
--- /dev/null
+++ b/nix/hosts/lampadas/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbvlQjEsZO4hsfdUwhVQnxYkxyoRiVxkPGlJO2hzMOl root@lampadas
-- cgit 1.4.1