{ pkgs, lib, ... }: let beatific = import ../../modules/beatific-config.nix; in { imports = [ ./hardware-configuration.nix ./fileserver.nix ]; beatific.hostName = "catacomb"; beatific.defaults = { i18n = false; programs = false; ssh = false; nebula = false; tvb = false; }; boot = { loader = { # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) grub.enable = false; # Enables the generation of /boot/extlinux/extlinux.conf generic-extlinux-compatible.enable = true; }; supportedFilesystems = ["zfs"]; zfs.enableUnstable = true; }; system.stateVersion = "22.11"; # Read the usual warning swapDevices = [ { device = "/swap"; size = 1024; } ]; console.keyMap = "us"; i18n.defaultLocale = "en_US.UTF-8"; environment.systemPackages = with pkgs; let py3-packages = python-packages: with python-packages; [ flask ]; py3-with-packages = python3.withPackages py3-packages; in [ wget vim curl git htop bash tmux psmisc man-pages pv lsof zip unzip py3-with-packages usbutils hdparm sdparm smartmontools gptfdisk gnufdisk dosfstools mkpasswd samba #file-rename rsync rclone gnupg ]; networking = { hostId = "beeeeee5"; firewall = { enable = true; allowPing = true; allowedTCPPorts = [ 22 139 445 ]; allowedUDPPorts = [ 137 138 ]; }; }; services.cron = { enable = true; systemCronJobs = let reassertPerms = pkgs.writeShellScript "reassert-nas-permissions.sh" '' ${pkgs.coreutils}/bin/chown -v -R tvb:nas /nas ${pkgs.findutils}/bin/find /nas -type d -exec ${pkgs.coreutils}/bin/chmod -v 750 {} \; ${pkgs.findutils}/bin/find /nas -type f -exec ${pkgs.coreutils}/bin/chmod -v 640 {} \; ''; in [ "0 20 * * 1 root ${reassertPerms}" "0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup" ]; }; services.openssh = { enable = true; passwordAuthentication = true; }; services.rsyncd.enable = true; services.samba = let sambaShare = path: validUsers: { path = path; comment = "Samba share for ${path}"; browseable = "yes"; "read only" = "no"; "guest okay" = "no"; "create mask" = "0640"; "force create mode" = "0640"; "directory mask" = "0750"; "force directory mode" = "0750"; "valid users" = validUsers; "force group" = ''nas''; }; sambaShareRO = path: validUsers: { path = path; comment = "Read-only Samba share for ${path}"; browseable = "yes"; "read only" = "yes"; "guest okay" = "no"; "valid users" = validUsers; "force group" = ''nas''; }; in { enable = true; securityType = "user"; extraConfig = '' workgroup = beatific server string = Catacomb Nix SMB netbios name = catacomb deadtime = 300 local master = yes domain master = yes preferred master = yes guest account = nobody map to guest = bad user case sensitive = yes veto files = /^.DS_Store$/^.Trash-1000$/ load printers = no printcap name = /dev/null printing = bsd log file = /var/log/samba/client-%m.log log level = 2 max log size = 64 hide dot files = no hosts allow = 10.22.20., 192.168.1. map archive = no unix extensions = yes ntlm auth = yes ''; shares = let homeShare = user: { path = "/home/${user}"; comment = "${user}'s home folder"; browseable = "yes"; "read only" = "no"; "guest okay" = "no"; "create mask" = "0640"; "force create mode" = "0640"; "directory mask" = "0750"; "force directory mode" = "0750"; "valid users" = "${user}"; }; in { tvb = homeShare "tvb"; katydid = homeShare "katydid"; }; }; services.nebula.networks.beatific = lib.recursiveUpdate beatific.nebula-defaults { enable = true; # Network certificate and host credentials ca = "/etc/nebula/beatific/beatific.crt"; cert = "/etc/nebula/beatific/catacomb.crt"; key = "/etc/nebula/beatific/catacomb.key"; # Connect to the lighthouse at empyrean # Note that this is a VPN address, not a public address lighthouses = [ beatific.empyrean-vpn-ip ]; # Map the lighthouse address to its public address staticHostMap = beatific.empyrean-host-map; }; services.zfs = { autoScrub = { enable = true; pools = ["catapool"]; interval = "monthly"; }; }; users.groups = { nas = { gid = 1600; }; }; users.users.tvb = { isNormalUser = true; uid = 1001; password = "badpassword"; extraGroups = ["wheel" "nas"]; openssh.authorizedKeys.keyFiles = [ ../../keys/tvb.palamas.pub ../../keys/tvb.stagirite.pub ../../keys/tvb.vagrant.pub ../../keys/tvb.empyrean.pub ]; }; users.users.katydid = { isNormalUser = true; uid = 1002; }; nix.settings.cores = 4; }