# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { pkgs, lib, ... }: let emile_keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz" ]; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; kernelParams = [ "ip=dhcp" ]; initrd = { availableKernelModules = [ "r8169" ]; systemd.users.root.shell = "/bin/cryptsetup-askpass"; network = { enable = true; ssh = { enable = true; port = 22; hostKeys = [ "/initrd_ssh_host_key_ed25519" ]; authorizedKeys = emile_keys; }; postCommands = '' echo 'cryptsetup-askpass' > /root/.profile ''; }; luks.devices = { # unsure why luksdata1 is recognized and added to the # hardware-configuration.nix automatically, but luksdata2 isn't "luksdata2".device = "/dev/disk/by-uuid/e94d7f32-26ef-41e1-b3f3-9e63e4858001"; }; }; }; fileSystems = { "/".options = [ "compress=zstd" ]; "/home".options = [ "compress=zstd" ]; "/nix".options = [ "compress=zstd" "noatime" ]; }; networking = { hostName = "lampadas"; firewall.enable = true; firewall.allowedTCPPorts = [ 5201 # iperf 8080 # filebrowser web ]; firewall.allowedUDPPorts = [ 5201 # iperf ]; nameservers = [ "8.8.8.8" "8.8.4.4" "1.1.1.1" ]; }; time.timeZone = "Europe/Berlin"; powerManagement = { powertop.enable = true; scsiLinkPolicy = "med_power_with_dipm"; }; users = { mutableUsers = false; users = { root = { hashedPassword = ""; openssh.authorizedKeys.keys = emile_keys; }; emile = { isNormalUser = true; extraGroups = [ "wheel" "samba-guest" ]; openssh.authorizedKeys.keys = emile_keys; }; samba-guest = { isSystemUser = true; description = "Samba guest user"; group = "samba-guest"; home = "/var/empty"; createHome = false; shell = pkgs.shadow; }; }; }; users.groups.samba-guest = { }; systemd.tmpfiles.rules = [ "d /data 0755 root root" "d /data/private 0755 emile users" "d /data/public 0755 samba-guest samba-guest" "d /data/time_machine 0755 emile users" ]; environment.systemPackages = with pkgs; [ vim tailscale nmap ffuf git unzip ]; programs.mosh.enable = true; services = { emile = { filebrowser = { enable = true; # address = "192.168.1.196"; address = "100.87.209.97"; port = 8080; root = "/data"; }; }; # traffic metrics vnstat.enable = true; # ssh access openssh = { enable = true; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; }; }; # VPN tailscale.enable = true; # filesystem stuff btrfs.autoScrub = { enable = true; interval = "weekly"; }; # metric exporters prometheus.exporters = { node.enable = true; # port 9100 systemd.enable = true; # port 9558 smartctl.enable = true; # port 9633 }; # shares # Disable delayed TCP ACK # ; sysctl -w net.inet.tcp.delayed_ack=0 # Don't write .DS_Store to network shares # ; defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool TRUE samba = { enable = true; openFirewall = true; settings = { global = { ## Browsing/Identification ### "workgroup" = "Pacific"; "server string" = "lampadas"; "disable netbios" = "yes"; #### Debugging/Accounting #### "log level" = "0"; "max log size" = "1000"; "logging" = "file"; "log file" = "/dev/null"; ####### Authentication ####### "server role" = "standalone server"; "obey pam restrictions" = "yes"; "unix password sync" = "yes"; "passwd program" = "/usr/bin/env passwd %u"; "passwd chat" = "*Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* ."; "pam password change" = "yes"; "map to guest" = "bad user"; "ea support" = "yes"; "client ipc signing" = "disabled"; "aio max threads" = "200"; "aio read size" = "1"; "aio write size" = "1"; # optimization adapted from https://docs.openmediavault.org/en/latest/administration/services/samba.html "load printers" = "no"; "disable spoolss" = "yes"; "printing" = "bsd"; "printcap name" = "/dev/null"; "time server" = "no"; "wins support" = "no"; # random other settings that seem to make sense "server min protocol" = "SMB3"; "security" = "user"; "invalid users" = ["root"]; "netbios name" = "lampadas"; "hosts allow" = [ "100.64.0.0/255.192.0.0" "127.0.0.1/255.0.0.0" "::1" "192.168.0." "192.168.1." ]; "hosts deny" = "0.0.0.0/0"; "guest account" = "samba-guest"; "server smb encrypt" = "required"; "min receivefile size" = "65536"; "use sendfile" = "yes"; "server multi channel support" = "yes"; "socket options" = [ "TCP_NODELAY" "IPTOS_LOWDELAY" "SO_RCVBUF=67108864" "SO_SNDBUF=67108864" ]; "read raw" = "yes"; "write raw" = "yes"; "large readwrite" = "yes"; "getwd cache" = "yes"; "deadtime" = "30"; "store dos attributes" = "yes"; "dns proxy" = "no"; "map hidden" = "no"; "map system" = "no"; "map archive" = "no"; "nt acl support" = "yes"; "inherit acls" = "yes"; "map acl inherit" = "yes"; "encrypt passwords" = "yes"; "client plaintext auth" = "no"; # make SMB work faster when being accessed from macos "file_ids_off" = "yes"; "signing_required" = "no"; }; private = { "path" = "/data/private"; "comment" = "private data (no flags though)"; "browseable" = "yes"; "create mask" = "0644"; "directory mask" = "0755"; "force user" = "emile"; "guest ok" = "no"; "read only" = "no"; # "fruit:aapl" = "yes"; # "fruit:copyfile" = "yes"; # "fruit:delete_empty_adfiles" = "yes"; # "fruit:metadata" = "stream"; # "fruit:posix_rename" = "yes"; # "fruit:time machine" = "yes"; # "fruit:veto_appledouble" = "no"; # "fruit:wipe_intentionally_left_blank_rfork" = "yes"; # "fruit:nfs_aces" = "no"; # "fruit:zero_file_id" = "yes"; # "fruit:encoding" = "native"; }; public = { "path" = "/data/public"; "comment" = "public data"; "available" = "yes"; "browseable" = "yes"; "create mask" = "2775"; "directory mask" = "2775"; "force user" = "samba-guest"; "guest ok" = "yes"; "guest only" = "yes"; "read only" = "no"; "writable" = "yes"; }; time_machine = { "path" = "/data/time_machine"; "comment" = "time machine backups"; # macOS / iOS config, adaption from https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X "fruit:metadata" = "stream"; "fruit:model" = "MacSamba"; "fruit:posix_rename" = "yes"; "fruit:veto_appledouble" = "no"; "fruit:nfs_aces" = "no"; "fruit:wipe_intentionally_left_blank_rfork" = "yes"; "fruit:delete_empty_adfiles" = "yes"; "fruit:encoding" = "private"; "fruit:locking" = "none"; "fruit:resource" = "file"; "force user" = "emile"; "fruit:aapl" = "yes"; "fruit:copyfile" = "yes"; "fruit:time machine" = "yes"; # "fruit:zero_file_id" = "yes"; "public" = "no"; "valid users" = "emile"; "vfs objects" = ["catia" "fruit" "streams_xattr"]; "writeable" = "yes"; }; }; }; }; system = { stateVersion = "23.11"; autoUpgrade.enable = true; }; nix = { settings.experimental-features = [ "nix-command" "flakes" ]; gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 14d"; }; settings = { auto-optimise-store = true; }; }; }