# NixOS module for "catacomb": a Raspberry Pi 4 NAS host running ZFS, Samba,
# nginx (front for two local index servers), rsyncd, tinc and sshd.
# Every value below is what was deployed on the page; comments only point
# out where a setting has security consequences worth confirming.
{ pkgs, ... }:

let
  # Group shared by the NAS user, nginx and Samba's "force group".
  nasGroup = "nas";

  # Samba share builders. `sharedBase` holds the attributes both variants
  # agree on; the RW variant adds the creation masks on top of it.
  sharedBase = path: validUsers: {
    path = path;
    browseable = "yes";
    # NOTE(review): smb.conf spells this parameter `guest ok`; confirm with
    # `testparm` that `guest okay` is accepted rather than silently ignored.
    "guest okay" = "no";
    "valid users" = validUsers;
    "force group" = ''${nasGroup}'';
  };

  sambaShare = path: validUsers:
    sharedBase path validUsers // {
      comment = "Samba share for ${path}";
      "read only" = "no";
      # New files/dirs are group-readable only; nothing is world-accessible.
      "create mask" = "0640";
      "force create mode" = "0640";
      "directory mask" = "0750";
      "force directory mode" = "0750";
    };

  sambaShareRO = path: validUsers:
    sharedBase path validUsers // {
      comment = "Read-only Samba share for ${path}";
      "read only" = "yes";
    };

  # Users allowed on every share: members of the nas group.
  nasMembers = ''@nas'';

  # Both index servers are identical apart from their directory and description.
  indexServer = role: desc: {
    enable = true;
    description = desc;
    serviceConfig = {
      Type = "simple";
      ExecStart = "/nas-indexer/${role}/run.sh";
      Restart = "on-failure";
      # Runs as the unprivileged NAS user, not root.
      User = "tvb";
      WorkingDirectory = "/nas-indexer/${role}";
    };
    requires = [ "zfs.target" ];
    wantedBy = [ "multi-user.target" ];
  };
in
{
  # Replace the upstream Raspberry Pi loader module with the local copy.
  disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
  imports = [ ./modules/system/boot/loader/raspberrypi/raspberrypi.nix ];

  boot.kernelPackages = pkgs.linuxPackages_rpi4;
  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.enableUnstable = true;
  boot.loader.grub.enable = false;
  boot.loader.raspberryPi = {
    enable = true;
    version = 4;
    # Only one generation is kept; there is no older generation to fall
    # back to from the boot menu if a rebuild misbehaves.
    configurationLimit = 1;
  };

  # MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
  fileSystems."/" = {
    fsType = "ext4";
    device = "/dev/disk/by-label/NIXOS_SD";
  };
  fileSystems."/boot" = {
    fsType = "vfat";
    device = "/dev/disk/by-label/NIXOS_BOOT";
  };

  hardware.enableRedistributableFirmware = true;

  swapDevices = [
    { device = "/swap"; size = 1024; }
  ];

  console.keyMap = "us";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs; [
    wget
    vim
    curl
    git
    htop
    bash
    tmux
    psmisc
    manpages
    pv
    lsof
    zip
    unzip
    nginx
    (python3.withPackages (ps: with ps; [ flask ]))
    usbutils
    hdparm
    sdparm
    smartmontools
    gptfdisk
    gnufdisk
    dosfstools
    mkpasswd
    samba
    tinc_pre
    #file-rename
    rsync
    rclone
    gnupg
  ];

  networking.hostName = "catacomb";
  networking.hostId = "beeeeee5";
  networking.firewall = {
    enable = true;
    allowPing = true;
    # 22 sshd; 80 the catacomb-server vhost; 139/445 (+137/138 UDP) Samba;
    # 7473 the guest-server vhost. The nginx vhosts bind to 10.7.3.16 only.
    allowedTCPPorts = [ 22 80 139 445 7473 ];
    allowedUDPPorts = [ 137 138 ];
  };

  # hidepid-style /proc: users only see their own processes.
  security.hideProcessInformation = true;

  services.cron = {
    enable = true;
    systemCronJobs = [
      # Weekly, as root: re-applies ownership/modes on the NAS tree.
      "0 20 * * 1 root /root/reassert-nas-permissions.sh"
      # Weekly, as tvb: sources the profile so the backup script finds its tools.
      "0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
    ];
  };

  services.openssh = {
    enable = true;
    # NOTE(review): key-based login is already configured for tvb below; with
    # port 22 open, password authentication could be turned off to leave only
    # key auth exposed.
    passwordAuthentication = true;
  };

  services.nginx = {
    enable = true;
    # Serves /nas directly; anything not found is handed to the host indexer.
    virtualHosts."catacomb-server" = {
      listen = [ { addr = "10.7.3.16"; } ];
      root = "/nas";
      locations."/".tryFiles = "\$uri @indexer";
      locations."@indexer".extraConfig = "
        proxy_buffering off;
        proxy_pass http://127.0.0.1:5000;
      ";
    };
    # Pure reverse proxy to the guest indexer, with its own access log.
    virtualHosts."guest-server" = {
      listen = [ { addr = "10.7.3.16"; port = 7473; } ];
      extraConfig = "
        access_log /var/log/nginx/access.guest-server.log;
      ";
      locations."/".extraConfig = "
        proxy_buffering off;
        proxy_pass http://127.0.0.1:7473/;
      ";
    };
  };

  services.ntp = {
    enable = true;
    servers = [ "time.nist.gov" ];
  };

  services.rsyncd.enable = true;

  services.samba = {
    enable = true;
    securityType = "user";
    extraConfig = ''
      workgroup = beatific
      server string = Catacomb Nix SMB
      netbios name = catacomb
      deadtime = 300
      local master = yes
      domain master = yes
      preferred master = yes
      guest account = nobody
      map to guest = bad user
      case sensitive = yes
      veto files = /^.DS_Store$/^.Trash-1000$/
      load printers = no
      printcap name = /dev/null
      printing = bsd
      log file = /var/log/samba/client-%m.log
      log level = 2
      max log size = 64
      hide dot files = no
      hosts allow = 10.7.3.
      map archive = no
      unix extensions = yes
      ntlm auth = yes
    '';
    # Note on the extraConfig above: `hosts allow = 10.7.3.` limits clients to
    # that prefix; `ntlm auth = yes` re-enables the legacy NTLMv1 exchange
    # (Samba's default is to refuse it) — confirm the clients still need it.
    shares = {
      audioRO = sambaShareRO "/nas/audio" nasMembers;
      docRO = sambaShareRO "/nas/doc/" nasMembers;
      gameRO = sambaShareRO "/nas/game/" nasMembers;
      imageRO = sambaShareRO "/nas/image" nasMembers;
      videoRO = sambaShareRO "/nas/video" nasMembers;
      audio = sambaShare "/nas/audio" nasMembers;
      doc = sambaShare "/nas/doc/" nasMembers;
      game = sambaShare "/nas/game/" nasMembers;
      image = sambaShare "/nas/image" nasMembers;
      video = sambaShare "/nas/video" nasMembers;
    };
  };

  services.tinc.networks.beatific = {
    name = "catacomb";
    listenAddress = "0.0.0.0";
    # NOTE(review): runs tincd without the module's chroot isolation; confirm
    # this is required (e.g. for scripts) rather than left over from debugging.
    chroot = false;
  };

  services.zfs.autoScrub = {
    enable = true;
    pools = [ "catapool" ];
    interval = "monthly";
  };

  systemd.services.host-server = indexServer "host-server" "catapool host index server";
  systemd.services.guest-server = indexServer "guest-server" "catapool guest index server";

  users.groups.${nasGroup}.gid = 1600;

  users.users.tvb = {
    isNormalUser = true;
    uid = 1001;
    # NOTE(review): `users.users.<name>.password` is stored in clear text in the
    # world-readable Nix store; `hashedPassword` or `passwordFile` keep the
    # secret out of it.
    password = "badpassword";
    extraGroups = [ "wheel" nasGroup ];
    shell = pkgs.bash;
    openssh.authorizedKeys.keyFiles = [
      ./keys/tvb.palamas.pub
      ./keys/tvb.stagirite.pub
      ./keys/monitor.isidore.pub
    ];
    #./keys/tvb.empyrean.pub
  };

  # nginx serves /nas directly, so it needs group read access to the tree.
  users.users.nginx.extraGroups = [ nasGroup ];

  nix.buildCores = 4;
}