From 825b68fc93231213e561b6fdba9c56aaa9100fa5 Mon Sep 17 00:00:00 2001 From: Jaculabilis Date: Wed, 27 Jan 2021 04:18:30 +0000 Subject: [PATCH] Initial commit --- configuration.nix | 257 +++++++++++++++++++++++++++++++++++++++ keys/monitor.isidore.pub | 1 + keys/tvb.empyrean.pub | 1 + keys/tvb.palamas.pub | 1 + keys/tvb.stagirite.pub | 1 + 5 files changed, 261 insertions(+) create mode 100644 configuration.nix create mode 100644 keys/monitor.isidore.pub create mode 100644 keys/tvb.empyrean.pub create mode 100644 keys/tvb.palamas.pub create mode 100644 keys/tvb.stagirite.pub
diff --git a/configuration.nix b/configuration.nix new file mode 100644
index 0000000..40ba371
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,257 @@
+{ pkgs, ... }:
+
+{
+ disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
+ imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ];
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_rpi4;
+ supportedFilesystems = ["zfs"];
+ zfs.enableUnstable = true;
+ loader = {
+ grub.enable = false;
+ raspberryPi = {
+ enable = true;
+ version = 4;
+ configurationLimit = 1;
+ };
+ };
+ };
+
+ # MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
+ fileSystems = {
+ "/" = {
+ fsType = "ext4";
+ device = "/dev/disk/by-label/NIXOS_SD";
+ };
+ "/boot" = {
+ fsType = "vfat";
+ device = "/dev/disk/by-label/NIXOS_BOOT";
+ };
+ };
+
+ hardware.enableRedistributableFirmware = true;
+
+ swapDevices = [ { device = "/swap"; size = 1024; } ];
+
+ console.keyMap = "us";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ environment.systemPackages = with pkgs;
+ let
+ py3-packages = python-packages: with python-packages; [
+ flask
+ ];
+ py3-with-packages = python3.withPackages py3-packages;
+ in [
+ wget vim curl git htop bash tmux psmisc manpages pv lsof
+ zip unzip
+ nginx
+ py3-with-packages
+ usbutils
+ hdparm sdparm smartmontools gptfdisk gnufdisk
+ dosfstools
+ mkpasswd samba
+ tinc_pre
+ #file-rename
+ rsync
+ ];
+
+ networking = {
+ hostName = "catacomb";
+ hostId = "beeeeee5";
+ firewall = {
+ enable = true;
+ allowPing = true;
+ allowedTCPPorts = [ 22 80 139 445 7473 ];
+ allowedUDPPorts = [ 137 138 ];
+ };
+ };
+
+ security = {
+ hideProcessInformation = true;
+ };
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "* 20 * * 1 root /root/reassert-nas-permissions.sh"
+ ];
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = true;
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."catacomb-server" = {
+ listen = [ { addr = "10.7.3.16"; } ];
+ root = "/nas";
+ locations."/".tryFiles = "\$uri @indexer";
+ locations."@indexer".extraConfig = "
+ proxy_buffering off;
+ proxy_pass 
http://127.0.0.1:5000;
+ ";
+ };
+
+ virtualHosts."guest-server" = {
+ listen = [ { addr = "10.7.3.16"; port = 7473; } ];
+ extraConfig = "
+ access_log /var/log/nginx/access.guest-server.log;
+ ";
+ locations."/".extraConfig = "
+ proxy_buffering off;
+ proxy_pass http://127.0.0.1:7473/;
+ ";
+ };
+ };
+
+ services.ntp = {
+ enable = true;
+ servers = ["time.nist.gov"];
+ };
+
+ services.rsyncd.enable = true;
+
+ services.samba =
+ let
+ sambaShare = path: validUsers: {
+ path = path;
+ comment = "Samba share for ${path}";
+ browseable = "yes";
+ "read only" = "no";
+ "guest okay" = "no";
+ "create mask" = "0640";
+ "force create mode" = "0640";
+ "directory mask" = "0750";
+ "force directory mode" = "0750";
+ "valid users" = validUsers;
+ "force group" = ''nas'';
+ };
+ sambaShareRO = path: validUsers: {
+ path = path;
+ comment = "Read-only Samba share for ${path}";
+ browseable = "yes";
+ "read only" = "yes";
+ "guest okay" = "no";
+ "valid users" = validUsers;
+ "force group" = ''nas'';
+ };
+ in
+ {
+ enable = true;
+ securityType = "user";
+ extraConfig = ''
+ workgroup = beatific
+ server string = Catacomb Nix SMB
+ netbios name = catacomb
+ deadtime = 300
+
+ local master = yes
+ domain master = yes
+ preferred master = yes
+
+ guest account = nobody
+ map to guest = bad user
+
+ case sensitive = yes
+ veto files = /^.DS_Store$/^.Trash-1000$/
+
+ load printers = no
+ printcap name = /dev/null
+ printing = bsd
+
+ log file = /var/log/samba/client-%m.log
+ log level = 2
+ max log size = 64
+
+ hide dot files = no
+ hosts allow = 10.7.3.
+ map archive = no
+ unix extensions = yes
+
+ ntlm auth = yes
+ '';
+ shares = {
+ audioRO = sambaShareRO "/nas/audio" ''@nas'';
+ docRO = sambaShareRO "/nas/doc/" ''@nas'';
+ gameRO = sambaShareRO "/nas/game/" ''@nas'';
+ imageRO = sambaShareRO "/nas/image" ''@nas'';
+ videoRO = sambaShareRO "/nas/video" ''@nas'';
+ audio = sambaShare "/nas/audio" ''@nas'';
+ doc = sambaShare "/nas/doc/" ''@nas'';
+ game = sambaShare "/nas/game/" ''@nas'';
+ image = sambaShare "/nas/image" ''@nas'';
+ video = sambaShare "/nas/video" ''@nas'';
+ };
+ };
+
+ services.tinc.networks = {
+ beatific = {
+ name = "catacomb";
+ listenAddress = "0.0.0.0";
+ chroot = false;
+ };
+ };
+
+ services.zfs = {
+ autoScrub = {
+ enable = true;
+ pools = ["catapool"];
+ interval = "monthly";
+ };
+ };
+
+ systemd.services.host-server = {
+ enable = true;
+ description = "catapool host index server";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "/nas-indexer/host-server/run.sh";
+ Restart = "on-failure";
+ User = "tvb";
+ WorkingDirectory = "/nas-indexer/host-server";
+ };
+ requires = [ "zfs.target" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ systemd.services.guest-server = {
+ enable = true;
+ description = "catapool guest index server";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "/nas-indexer/guest-server/run.sh";
+ Restart = "on-failure";
+ User = "tvb";
+ WorkingDirectory = "/nas-indexer/guest-server";
+ };
+ requires = [ "zfs.target" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ users.groups = {
+ nas = { gid = 1600; };
+ };
+
+ users.users.tvb = {
+ isNormalUser = true;
+ uid = 1001;
+ password = "badpassword";
+ extraGroups = ["wheel" "nas"];
+ shell = pkgs.bash;
+ openssh.authorizedKeys.keyFiles = [
+ ./keys/tvb.palamas.pub
+ ./keys/tvb.stagirite.pub
+ ./keys/monitor.isidore.pub
+ ];
+ };
+ #./keys/tvb.empyrean.pub
+
+ users.users.nginx.extraGroups = ["nas"];
+
+ nix.buildCores = 4;
+}
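Review bot: The tvb account carries `password = "badpassword"` in plaintext, which NixOS copies into the world-readable store, while the same file enables `services.openssh.passwordAuthentication = true` and opens TCP 22 in the firewall, so this wheel user is reachable over SSH with that literal password. Since `openssh.authorizedKeys.keyFiles` already provisions keys for tvb, I would set `passwordAuthentication = false;` under `services.openssh` and replace the `password` attribute with `hashedPassword = "<mkpasswd output placeholder>";` (or `initialHashedPassword` if the intent is a one-time first login). The cron entry `"* 20 * * 1 root /root/reassert-nas-permissions.sh"` runs every minute from 20:00 to 20:59 on Mondays rather than once; if a single weekly run is intended the minute field should be `0 20 * * 1`. The samba `extraConfig` also sets `ntlm auth = yes`, which permits NTLMv1 for every share; unless a legacy client needs it, dropping that line keeps Samba's NTLMv2-only default.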
diff --git a/keys/monitor.isidore.pub b/keys/monitor.isidore.pub new file mode 100644
index 0000000..5dcf0be
--- /dev/null
+++ b/keys/monitor.isidore.pub
@@ -0,0 +1 @@
+ssh-rsa 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 monitor@isidore
diff --git a/keys/tvb.empyrean.pub b/keys/tvb.empyrean.pub new file mode 100644
index 0000000..f6e2080
--- /dev/null
+++ b/keys/tvb.empyrean.pub
@@ -0,0 +1 @@
+ssh-rsa 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 tvb@empyrean
diff --git a/keys/tvb.palamas.pub b/keys/tvb.palamas.pub new file mode 100644
index 0000000..b1e1559
--- /dev/null
+++ b/keys/tvb.palamas.pub
@@ -0,0 +1 @@
+ssh-rsa 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 tvb@palamas
diff --git a/keys/tvb.stagirite.pub b/keys/tvb.stagirite.pub new file mode 100644
index 0000000..0efd8c3
--- /dev/null
+++ b/keys/tvb.stagirite.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAbmOSvKJoW+akurv/tMD/jfaDuDg0S/FvIMAOS9WauBI9JyMaQh5NfV+fhOSbjqmvrdm+dGttthqi56MZ090Qps1340TGjY6mVap36pa+fZWSajnUjCW+Tk5T0CqbWJkeDvKwSxY73lhBG4QG+SUFkDvhR6XZXfVksJZ++3aaoSmw6E0LCVL4+CAjTf7lm6Zs9Tq62Skf/5tKhk9ASk+QwBTKpPj/0ZKtBDLJfzrwvT+6K2jFohWPKMXkgZiVFVhbIMatdyZo+Mi+To4YDicyf4KW8OuE0zYb06naWeCgEKH8nSB6xEnosdzrhNwkyJi1TEJHmsn1+PjJ/KWWBOTDFVgueWF0ql2ERAtY/hbe36lNBf0lLRzxIugbxMdix8Oqjy0E9wI3E9/X7j0JGHkDzbzX6xeaTwIRFEFtKqK4zcqOMbUWVujUEnOvIKS9dP4uP08gH9HaIE/0bTb+6RRLmnDA9T6dVXc+dCGMAeqxhZYwuO9XJNxXp4byPFRC29OdEShNp9Yqt9sgLMepAzzFiIXgzIcjg5AOnn2qv4SId2rslX0hkMN05a+Cxn2qAj1ign3BuYRzMnaHyA+R+oHN9314/hTYF7wlYws6Fu3P229arfE2d4UqvnMRmY8vWAjfJr40FyRCxS/6qdVPgJWVevkPx69MMJ+BKAomc/s7fw== tvb@stagirite