summaryrefslogtreecommitdiffstats
path: root/makefu/1systems/omo/config.nix
diff options
context:
space:
mode:
Diffstat (limited to 'makefu/1systems/omo/config.nix')
-rw-r--r--makefu/1systems/omo/config.nix204
1 files changed, 204 insertions, 0 deletions
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
new file mode 100644
index 000000000..0f1b8e0da
--- /dev/null
+++ b/makefu/1systems/omo/config.nix
@@ -0,0 +1,204 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+let
+ toMapper = id: "/media/crypt${builtins.toString id}";
+ byid = dev: "/dev/disk/by-id/" + dev;
+ keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
+ rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
+ rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
+ primaryInterface = "enp1s0";
+ # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
+ # cryptsetup luksAddKey $dev tmpkey
+ # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
+ # mkfs.xfs /dev/mapper/crypt0 -L crypt0
+
+ # omo Chassis:
+ # __FRONT_
+ # |* d0 |
+ # | |
+ # |* d3 |
+ # | |
+ # |* d3 |
+ # | |
+ # |* |
+ # |* d2 |
+ # | * r0 |
+ # |_______|
+ cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
+ cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
+ cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
+ # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
+ # all physical disks
+
+ # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
+ dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ];
+ allDisks = [ rootDisk ] ++ dataDisks;
+in {
+ imports =
+ [
+ ../.
+ # TODO: unlock home partition via ssh
+ ../2configs/fs/sda-crypto-root.nix
+ ../2configs/zsh-user.nix
+ ../2configs/backup.nix
+ ../2configs/exim-retiolum.nix
+ ../2configs/smart-monitor.nix
+ ../2configs/mail-client.nix
+ # ../2configs/disable_v6.nix
+ #../2configs/graphite-standalone.nix
+ #../2configs/share-user-sftp.nix
+ ../2configs/share/omo.nix
+ ../2configs/tinc/retiolum.nix
+
+ # Logging
+ ../2configs/stats/server.nix #influx + grafana
+ ../2configs/stats/client.nix
+ ../2configs/stats/external/aralast.nix # logs to influx
+
+ # services
+ ../2configs/syncthing.nix
+ ../2configs/mqtt.nix
+ # ../2configs/logging/central-logging-client.nix
+
+ # ../2configs/torrent.nix
+
+ # ../2configs/elchos/search.nix
+ # ../2configs/elchos/log.nix
+ # ../2configs/elchos/irc-token.nix
+
+ ## as long as pyload is not in nixpkgs:
+ # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
+ ];
+ makefu.full-populate = true;
+ makefu.server.primary-itf = primaryInterface;
+ krebs.rtorrent = {
+ downloadDir = lib.mkForce "/media/crypt0/torrent";
+ extraConfig = ''
+ upload_rate = 200
+ '';
+ };
+ users.groups.share = {
+ gid = (import <stockholm/lib>).genid "share";
+ members = [ "makefu" "misa" ];
+ };
+ networking.firewall.trustedInterfaces = [ primaryInterface ];
+ # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
+ # tcp:80 - nginx for sharing files
+ # tcp:655 udp:655 - tinc
+ # tcp:8111 - graphite
+ # tcp:8112 - pyload
+ # tcp:9090 - sabnzbd
+ # tcp:9200 - elasticsearch
+ # tcp:5601 - kibana
+ networking.firewall.allowedUDPPorts = [ 655 ];
+ networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
+
+ # services.openssh.allowSFTP = false;
+
+ # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
+ services.sabnzbd.enable = true;
+ systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+
+ virtualisation.docker.enable = true;
+ makefu.ps3netsrv = {
+ enable = true;
+ servedir = "/media/cryptX/emu/ps3";
+ };
+ # HDD Array stuff
+ services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
+
+ makefu.snapraid = {
+ enable = true;
+ disks = map toMapper [ 0 1 ];
+ parity = toMapper 2;
+ };
+
+ # TODO create folders in /media
+ system.activationScripts.createCryptFolders = ''
+ ${lib.concatMapStringsSep "\n"
+ (d: "install -m 755 -d " + (toMapper d) )
+ [ 0 1 2 "X" ]}
+ '';
+ environment.systemPackages = with pkgs;[
+ mergerfs # hard requirement for mount
+ wol # wake up filepimp
+ f3
+ ];
+ fileSystems = let
+ cryptMount = name:
+ { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+ in cryptMount "crypt0"
+ // cryptMount "crypt1"
+ // cryptMount "crypt2"
+ // { "/media/cryptX" = {
+ device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
+ fsType = "mergerfs";
+ noCheck = true;
+ options = [ "defaults" "allow_other" "nofail" "nonempty" ];
+ };
+ };
+
+ powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
+ ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
+ ${pkgs.hdparm}/sbin/hdparm -y ${disk}
+ '') allDisks);
+
+ # crypto unlocking
+ boot = {
+ initrd.luks = {
+ devices = let
+ usbkey = name: device: {
+ inherit name device keyFile;
+ keyFileSize = 4096;
+ allowDiscards = true;
+ };
+ in [
+ (usbkey "luksroot" rootPartition)
+ (usbkey "crypt0" cryptDisk0)
+ (usbkey "crypt1" cryptDisk1)
+ (usbkey "crypt2" cryptDisk2)
+ ];
+ };
+ loader.grub.device = lib.mkForce rootDisk;
+
+ initrd.availableKernelModules = [
+ "ahci"
+ "ohci_pci"
+ "ehci_pci"
+ "pata_atiixp"
+ "firewire_ohci"
+ "usb_storage"
+ "usbhid"
+ ];
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+ users.users.misa = {
+ uid = 9002;
+ name = "misa";
+ };
+ # hardware.enableAllFirmware = true;
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.intel.updateMicrocode = true;
+
+ zramSwap.enable = true;
+
+ krebs.Reaktor.reaktor = {
+ nickname = "Reaktor|bot";
+ channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
+ plugins = with pkgs.ReaktorPlugins;[
+ titlebot
+ # stockholm-issue
+ nixos-version
+ shack-correct
+ sed-plugin
+ random-emoji ];
+ };
+
+ krebs.build.host = config.krebs.hosts.omo;
+}