Initial commit

configuration.nix

@@ -0,0 +1,257 @@
+{ pkgs, ... }:
+
+{
+  disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
+  imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ];
+
+  boot = {
+    kernelPackages = pkgs.linuxPackages_rpi4;
+    supportedFilesystems = ["zfs"];
+    zfs.enableUnstable = true;
+    loader = {
+      grub.enable = false;
+      raspberryPi = {
+        enable = true;
+        version = 4;
+        configurationLimit = 1;
+      };
+    };
+  };
+  
+  # MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
+  fileSystems = {
+    "/" = {
+      fsType = "ext4";
+      device = "/dev/disk/by-label/NIXOS_SD";
+    };
+    "/boot" = {
+      fsType = "vfat";
+      device = "/dev/disk/by-label/NIXOS_BOOT";
+    };
+  };
+  
+  hardware.enableRedistributableFirmware = true;
+  
+  swapDevices = [ { device = "/swap"; size = 1024; } ];
+  
+  console.keyMap = "us";
+  i18n.defaultLocale = "en_US.UTF-8";
+  
+  environment.systemPackages = with pkgs;
+  let
+    py3-packages = python-packages: with python-packages; [
+      flask
+    ];
+    py3-with-packages = python3.withPackages py3-packages;
+  in [
+    wget vim curl git htop bash tmux psmisc manpages pv lsof
+    zip unzip
+    nginx
+    py3-with-packages
+    usbutils
+    hdparm sdparm smartmontools gptfdisk gnufdisk
+    dosfstools
+    mkpasswd samba
+    tinc_pre
+    #file-rename
+    rsync
+  ];
+  
+  networking = {
+    hostName = "catacomb";
+    hostId = "beeeeee5";
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedTCPPorts = [ 22 80 139 445 7473 ];
+      allowedUDPPorts = [ 137 138 ];
+    };
+  };
+  
+  security = {
+    hideProcessInformation = true;
+  };
+ 
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      "* 20 * * 1 root /root/reassert-nas-permissions.sh"
+    ];
+  };
+ 
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = true;
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."catacomb-server" = {
+      listen = [ { addr = "10.7.3.16"; } ];
+      root = "/nas";
+      locations."/".tryFiles = "\$uri @indexer";
+      locations."@indexer".extraConfig = "
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:5000;
+      ";
+    };
+
+    virtualHosts."guest-server" = {
+      listen = [ { addr = "10.7.3.16"; port = 7473; } ];
+      extraConfig  = "
+        access_log /var/log/nginx/access.guest-server.log;
+      ";
+      locations."/".extraConfig = "
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:7473/;
+      ";
+    };
+  };
+  
+  services.ntp = {
+    enable = true;
+    servers = ["time.nist.gov"];
+  };
+
+  services.rsyncd.enable = true;
+
+  services.samba =
+    let
+      sambaShare = path: validUsers: {
+        path = path;
+        comment = "Samba share for ${path}";
+        browseable = "yes";
+        "read only" = "no";
+        "guest okay" = "no";
+        "create mask" = "0640";
+        "force create mode" = "0640";
+        "directory mask" = "0750";
+        "force directory mode" = "0750";
+        "valid users" = validUsers;
+        "force group" = ''nas'';
+      };
+      sambaShareRO = path: validUsers: {
+        path = path;
+        comment = "Read-only Samba share for ${path}";
+        browseable = "yes";
+        "read only" = "yes";
+        "guest okay" = "no";
+        "valid users" = validUsers;
+        "force group" = ''nas'';
+      };
+    in
+    {
+      enable = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = beatific
+        server string = Catacomb Nix SMB
+        netbios name = catacomb
+        deadtime = 300
+
+        local master = yes
+        domain master = yes
+        preferred master = yes
+
+        guest account = nobody
+        map to guest = bad user
+
+        case sensitive = yes
+        veto files = /^.DS_Store$/^.Trash-1000$/
+
+        load printers = no
+        printcap name = /dev/null
+        printing = bsd
+
+        log file = /var/log/samba/client-%m.log
+        log level = 2
+        max log size = 64
+
+        hide dot files = no
+        hosts allow = 10.7.3.
+        map archive = no
+        unix extensions = yes
+
+	ntlm auth = yes
+      '';
+      shares = {
+        audioRO = sambaShareRO "/nas/audio" ''@nas'';
+        docRO = sambaShareRO "/nas/doc/" ''@nas'';
+        gameRO = sambaShareRO "/nas/game/" ''@nas'';
+        imageRO = sambaShareRO "/nas/image" ''@nas'';
+        videoRO = sambaShareRO "/nas/video" ''@nas'';
+        audio = sambaShare "/nas/audio" ''@nas'';
+        doc = sambaShare "/nas/doc/" ''@nas'';
+        game = sambaShare "/nas/game/" ''@nas'';
+        image = sambaShare "/nas/image" ''@nas'';
+        video = sambaShare "/nas/video" ''@nas'';
+      };
+    };
+ 
+  services.tinc.networks = {
+    beatific = {
+      name = "catacomb";
+      listenAddress = "0.0.0.0";
+      chroot = false;
+    };
+  };
+ 
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      pools = ["catapool"];
+      interval = "monthly";
+    };
+  };
+
+  systemd.services.host-server = {
+    enable = true;
+    description = "catapool host index server";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/nas-indexer/host-server/run.sh";
+      Restart = "on-failure";
+      User = "tvb";
+      WorkingDirectory = "/nas-indexer/host-server";
+    };
+    requires = [ "zfs.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  systemd.services.guest-server = {
+    enable = true;
+    description = "catapool guest index server";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/nas-indexer/guest-server/run.sh";
+      Restart = "on-failure";
+      User = "tvb";
+      WorkingDirectory = "/nas-indexer/guest-server";
+    };
+    requires = [ "zfs.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  users.groups = {
+    nas = { gid = 1600; };
+  };
+
+  users.users.tvb = {
+    isNormalUser = true;
+    uid = 1001;
+    password = "badpassword";
+    extraGroups = ["wheel" "nas"];
+    shell = pkgs.bash;
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/tvb.palamas.pub
+      ./keys/tvb.stagirite.pub
+      ./keys/monitor.isidore.pub
+    ];
+  };
+  #./keys/tvb.empyrean.pub
+
+  users.users.nginx.extraGroups = ["nas"];
+
+  nix.buildCores = 4;
+}

keys/monitor.isidore.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzx37PqIaJVWdQs5meVgI4Cg1GRGk6srrix0AUvQeaBS9MOVtJLi+HfnNkcW4GPk9qVlz1E7ciQ7YUw+ny7QbHxcbib2Tawwfk3cx9xiNcN6UI9EzF/rTbNB2Cex8A4sEr5UvoE0BjT5yPaXyrjn8vLksGWq4dlZBM3xeJqe3KP+OxPL0vik3SVGOr/6ZQ7H9cwX5+/p6rCWQuVtwZMcaE6QyXYg5J5FQUaIrFvKbOVklJIkQSbXGzIYQO/QlQC0xWGBapJtGQw/lsQ3YqnFSMkkw8qrKbde07rg8p1FSuqTu+a1ePK+/F4klNel174+39YSobY2/6biPP3Uj/Yhorf4Tw141tIT75e3ebtK5faatQmNOyXcA7LULXK7XemJkZy8PmbNNTeBIKyoI6XQdzk95gpb2C4LEJmV040YMgXhOIiKsHQVgss9FuC+oP5jXWU/JuNXBRHa1IpJjcJhIhg7jnh6ZNZHyK0EpeUs3Zp7usv7mz6CGwb04yvTsWOhZRc+6EoHaHyrNvFPfkPeGsZzxhIbprCyDMtKWsI9GCtztcRhQWBgornUVEs5CurLJBbClQTrZLVv2fn9UnXWPYZTLYL7aFwRIGyKr8ZOOMFxbLOGdeFlqc5TGCP416e8PZvhE+BuDmxiKtQJ/dsQFqVzvOZb2WQRsYRPYvvXbvUw== monitor@isidore

keys/tvb.empyrean.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1h/6CedtyFIjFTT7M5e0dEKJkhPbCQ1RLhtj/83H//AK6bzRbWfnKzSH0VXpsHjaU/Ipc1Jl2fQ23r8i/QyKHUKK7xPeGcY5J7oIHVggkEKW2n9R27Ml9BriKxx6ltButnwSOVYk7dyNhz93GYTTEF3ydh4X7HP2Cv7rh5fbca3s69GXRjOVGmIuuVbaJiaMmiWhBI4LYtqwpo1zGXMjfNlXcMFw7VA4EG2UpkJkcWeyN/AI3ZS/YybcTQNCAg+Xnk94CVys/b5wTuGWRplDrRlNR00MUWpr94+u/xk+sC4/6vT7je2W4GjA1jTq4XmewTEV4cxOu+l1jtHZBgvHho5X0fOogdN52MkjuaXzByZB/Br5xTkBRv0tDf5haX4HzuBC29yU9rt62SEQRzvZxObCCGDcIYR/1HTgjDZkRuwgO/1RoRh5SvwbptvPwpBMvx25S//ZJESLO++lqxjgRZSr/05YpZ5diffEIGd1J0Jz0NGv4XBPcMBnSMKFmdwOy+5jnBbW2OjPQaPslXHEKYTfOByzCA8LgppkxvmL08GIjxYfEljioHR5by+Z6SjG1VvifMFA6FN/+DN6ZH0LmeOMa5YM1Zl3bx5RaANpnSNvi6rmxkQa1oMaK0l482FvpVkg6o1h9si/AeNTEbiX9ozHdjekfuzBSk6Jfo6xw+Q== tvb@empyrean

keys/tvb.palamas.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCKsKkD9S2gRlRgdf3JD06dRTGUQkDgBMWn+2kqVEPA/K1W/f083+odyXLVeg4IWV/fOwVKBgi9YNTavM8hkKRDGElkVq6Y8slApgu1k51QiKvAqqj4yJKE28pMCeHGGfTBdXbaRAaAfsD7Oh7dHOoadBIxUcq4RjN84+srhR2/p7xN+5rlp/uljU85uPA6JhW4tFEjsAQPUBnlI2EMf6SjKScuYsf5kiyE740NxPPpFSaKIU09dR/oR/nXORqOTzJbWC5tRlpeRFrKDrTeoAZnsl+vjqtVjJRIVjJoON50u3W9qfFKcPcfgtqUbpi1D8Xk8cibGo/0I8ruIwuZrD4Q9v1zGUGbXnAVwoJ5Yn8uVcHnFCbqndN+bDA5M0Fe7zLk6/ui9Z3LJdTWD2aT7mTSmW+5puHlNsAnqD1du1Yh7QbJSBNPdJCq/hceb4JKxUpFH8AXZ6km8j4GTYw0BhPYk2OFrFOG/KUOo1Ez8KRGIkisRTqJU2kFhQ5oSKmD+JbtDA5L6X8ibAUNh67eBJUXRvG/AWUeDDoVdYmEj6yCEi5MrcNJY+b41ywa8mTjjEJlsg+oUdD+1RA9c3px+98ulauhyFw2WfUVQc0ihCDqqqXYkwl0jK3e9Uwlgn4Lkwj9jTsWRwalAoJTXwIPbaAiwDH+UhfiPoLl5yHuoFXdw== tvb@palamas

keys/tvb.stagirite.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAbmOSvKJoW+akurv/tMD/jfaDuDg0S/FvIMAOS9WauBI9JyMaQh5NfV+fhOSbjqmvrdm+dGttthqi56MZ090Qps1340TGjY6mVap36pa+fZWSajnUjCW+Tk5T0CqbWJkeDvKwSxY73lhBG4QG+SUFkDvhR6XZXfVksJZ++3aaoSmw6E0LCVL4+CAjTf7lm6Zs9Tq62Skf/5tKhk9ASk+QwBTKpPj/0ZKtBDLJfzrwvT+6K2jFohWPKMXkgZiVFVhbIMatdyZo+Mi+To4YDicyf4KW8OuE0zYb06naWeCgEKH8nSB6xEnosdzrhNwkyJi1TEJHmsn1+PjJ/KWWBOTDFVgueWF0ql2ERAtY/hbe36lNBf0lLRzxIugbxMdix8Oqjy0E9wI3E9/X7j0JGHkDzbzX6xeaTwIRFEFtKqK4zcqOMbUWVujUEnOvIKS9dP4uP08gH9HaIE/0bTb+6RRLmnDA9T6dVXc+dCGMAeqxhZYwuO9XJNxXp4byPFRC29OdEShNp9Yqt9sgLMepAzzFiIXgzIcjg5AOnn2qv4SId2rslX0hkMN05a+Cxn2qAj1ign3BuYRzMnaHyA+R+oHN9314/hTYF7wlYws6Fu3P229arfE2d4UqvnMRmY8vWAjfJr40FyRCxS/6qdVPgJWVevkPx69MMJ+BKAomc/s7fw== tvb@stagirite