diff options
author | makefu <github@syntax-fehler.de> | 2016-06-12 19:43:50 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2016-06-12 19:44:08 +0200 |
commit | 3eee2d3c860629404bf25dc55098f31b9d8bf318 (patch) | |
tree | ce0add328682b49045a955ed63ea4f0b2c41c202 /makefu | |
parent | 2f940d77f1d5f3350adbbd946f0474260d36e0b4 (diff) |
ma 1 omo: finish hw merge for omo
Diffstat (limited to 'makefu')
-rw-r--r-- | makefu/1systems/omo.nix | 47 | ||||
-rw-r--r-- | makefu/2configs/fs/sda-crypto-root.nix | 6 |
2 files changed, 29 insertions, 24 deletions
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index fbd06a9c7..e71055f54 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -5,9 +5,10 @@ { config, pkgs, lib, ... }: let byid = dev: "/dev/disk/by-id/" + dev; - keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; - rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; - homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3"; + keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; + rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; + rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2"; + primaryInterface = "enp1s0"; # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512 # cryptsetup luksAddKey $dev tmpkey # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096 @@ -15,14 +16,14 @@ let # omo Chassis: # __FRONT_ - # |* d2 | + # |* d0 | # | | # |* d3 | # | | - # |* d0 | + # |* d3 | # | | - # |* d1 | # |* | + # |* d2 | # | * r0 | # |_______| cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6"; @@ -38,27 +39,31 @@ in { [ ../. # TODO: unlock home partition via ssh - ../2configs/fs/single-partition-ext4.nix + ../2configs/fs/sda-crypto-root.nix ../2configs/zsh-user.nix ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix - ../2configs/share-user-sftp.nix - ../2configs/graphite-standalone.nix + #../2configs/graphite-standalone.nix + #../2configs/share-user-sftp.nix ../2configs/omo-share.nix + + ## as long as pyload is not in nixpkgs: + # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; krebs.retiolum.enable = true; - networking.firewall.trustedInterfaces = [ "enp3s0" ]; + networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files # tcp:655 udp:655 - tinc # tcp:8111 - graphite + # tcp:8112 - pyload # tcp:9090 - sabnzbd # tcp:9200 - elasticsearch # tcp:5601 - kibana networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ]; + networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ]; # services.openssh.allowSFTP = false; @@ -66,6 +71,9 @@ in { services.sabnzbd.enable = true; systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + virtualisation.docker.enable = true; + + # HDD Array stuff services.smartd.devices = builtins.map (x: { device = x; }) allDisks; @@ -76,15 +84,11 @@ in { disks = map toMapper [ 0 1 ]; parity = toMapper 2; }; + fileSystems = let cryptMount = name: { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; - in { - "/home" = { - device = "/dev/mapper/home"; - fsType = "ext4"; - }; - } // cryptMount "crypt0" + in cryptMount "crypt0" // cryptMount "crypt1" // cryptMount "crypt2"; @@ -101,15 +105,16 @@ in { usbkey = name: device: { inherit name device keyFile; keyFileSize = 4096; + allowDiscards = true; }; in [ - (usbkey "home" homePartition) + (usbkey "luksroot" rootPartition) (usbkey "crypt0" cryptDisk0) (usbkey "crypt1" cryptDisk1) (usbkey "crypt2" cryptDisk2) ]; }; - loader.grub.device = rootDisk; + loader.grub.device = lib.mkForce rootDisk; initrd.availableKernelModules = [ "ahci" @@ -121,12 +126,12 @@ in { "usbhid" ]; - kernelModules = [ "kvm-amd" ]; + kernelModules = [ "kvm-intel" ]; extraModulePackages = [ ]; }; hardware.enableAllFirmware = true; - hardware.cpu.amd.updateMicrocode = true; + hardware.cpu.intel.updateMicrocode = true; zramSwap.enable = true; diff --git a/makefu/2configs/fs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix index b82c0e44e..5c7cdf716 100644 --- a/makefu/2configs/fs/sda-crypto-root.nix +++ b/makefu/2configs/fs/sda-crypto-root.nix @@ -1,16 +1,16 @@ { config, lib, pkgs, ... }: # sda: bootloader grub2 -# sda1: boot ext4 (label nixboot) +# sda1: boot ext4 (label nixboot) - must be unlocked on boot if required: + # boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; # sda2: cryptoluks -> ext4 with config.krebs.lib; { boot = { loader.grub.enable = true; loader.grub.version = 2; - loader.grub.device = "/dev/sda"; + loader.grub.device = lib.mkDefault "/dev/sda"; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; initrd.luks.cryptoModules = ["aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = ["xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; |