stockholm/makefu/1systems/omo.nix
2016-01-27 22:00:50 +01:00

151 lines
4.0 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
let
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WCAZA5548487";
# all physical disks
allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
in {
imports =
[
# TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/nginx/omo-share.nix
../3modules
];
# services.openssh.allowSFTP = false;
krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
# samba share /media/crypt1/share
users.extraUsers.smbguest = {
name = "smbguest";
uid = config.ids.uids.smbguest;
description = "smb guest user";
home = "/var/empty";
};
services.samba = {
enable = true;
shares = {
winshare = {
path = "/media/crypt1/share";
"read only" = "no";
browseable = "yes";
"guest ok" = "yes";
};
};
extraConfig = ''
guest account = smbguest
map to guest = bad user
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
'';
};
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
makefu.snapraid = let
toMapper = id: "/media/crypt${builtins.toString id}";
in {
enable = true;
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in {
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2";
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
boot = {
initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
};
in [
(usbkey "home" homePartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
];
};
loader.grub.device = rootDisk;
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
networking.firewall.allowedUDPPorts = [
# tinc
655
# samba
137 138
];
networking.firewall.allowedTCPPorts = [
# nginx
80
# tinc
655
# samba
445 139
# sabnzbd
8080
];
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
krebs.build.host = config.krebs.hosts.omo;
}