# NixOS host configuration for "catacomb": a Raspberry Pi 4 NAS booting from
# SD card, serving a ZFS pool over Samba/rsync, joined to a tinc network.
{ pkgs, ... }:

{
  # The nixpkgs Raspberry Pi loader module is swapped for a local copy; the
  # file-server role lives in its own module.
  disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
  imports = [
    ./modules/system/boot/loader/raspberrypi/raspberrypi.nix
    ./fileserver.nix
  ];

  boot = {
    kernelPackages = pkgs.linuxPackages_rpi4;
    supportedFilesystems = [ "zfs" ];
    # Newer ZFS release; presumably required for this kernel — confirm.
    zfs.enableUnstable = true;
    loader = {
      grub.enable = false;
      raspberryPi = {
        enable = true;
        version = 4;
        configurationLimit = 1;
      };
    };
  };

  # MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
  fileSystems = {
    "/" = {
      fsType = "ext4";
      device = "/dev/disk/by-label/NIXOS_SD";
    };
    "/boot" = {
      fsType = "vfat";
      device = "/dev/disk/by-label/NIXOS_BOOT";
    };
  };

  hardware.enableRedistributableFirmware = true;

  swapDevices = [
    { device = "/swap"; size = 1024; }
  ];

  console.keyMap = "us";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages =
    let
      # Interpreter with the Python libraries the host's scripts need.
      pythonEnv = pkgs.python3.withPackages (ps: with ps; [ flask ]);
    in
    with pkgs; [
      wget vim curl git htop bash tmux psmisc manpages pv lsof zip unzip
      nginx pythonEnv usbutils hdparm sdparm smartmontools gptfdisk gnufdisk
      dosfstools mkpasswd samba tinc_pre
      #file-rename
      rsync rclone gnupg
    ];

  networking = {
    hostName = "catacomb";
    # ZFS ties pool ownership to the host id; changing this strands the pool.
    hostId = "beeeeee5";
    firewall = {
      enable = true;
      allowPing = true;
      # 22: ssh. TCP 139/445 and UDP 137/138: SMB and NetBIOS name service.
      # NOTE(review): these are opened on every interface; the Samba
      # "hosts allow" setting below narrows SMB clients, sshd has no such
      # restriction here.
      allowedTCPPorts = [ 22 139 445 ];
      allowedUDPPorts = [ 137 138 ];
    };
  };

  security = {
    # Mount /proc with hidepid so unprivileged users only see their own
    # processes.
    hideProcessInformation = true;
  };

  services.cron = {
    enable = true;
    systemCronJobs = [
      # Weekly (Monday 20:00) ownership/mode repair on the NAS tree.
      "0 20 * * 1 root /root/reassert-nas-permissions.sh"
      # Weekly (Monday 00:00) Gitea backup, run with the user's login env.
      "0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
    ];
  };

  services.openssh = {
    enable = true;
    # NOTE(review): password logins stay enabled while the only user below is
    # configured with a fixed cleartext password and port 22 is open; that is
    # a credential-guessing exposure. Authorized keys are already provisioned,
    # so key-only authentication would close it.
    passwordAuthentication = true;
  };

  services.ntp = {
    enable = true;
    servers = [ "time.nist.gov" ];
  };

  services.rsyncd.enable = true;

  services.samba =
    let
      # Settings every share has in common: authenticated users only, no
      # guests, files owned by the shared "nas" group.
      baseShare = path: validUsers: {
        inherit path;
        browseable = "yes";
        "guest okay" = "no";
        "valid users" = validUsers;
        "force group" = ''nas'';
      };
      # Writable share: group-readable files, group-traversable directories.
      sambaShare = path: validUsers: baseShare path validUsers // {
        comment = "Samba share for ${path}";
        "read only" = "no";
        "create mask" = "0640";
        "force create mode" = "0640";
        "directory mask" = "0750";
        "force directory mode" = "0750";
      };
      # Read-only variant of the same share.
      sambaShareRO = path: validUsers: baseShare path validUsers // {
        comment = "Read-only Samba share for ${path}";
        "read only" = "yes";
      };
    in
    {
      enable = true;
      securityType = "user";
      # Global smb.conf. "hosts allow = 10.7.3." limits SMB clients to that
      # network prefix. "map to guest = bad user" sends unknown users to the
      # guest account, which every share then rejects via "guest okay = no".
      # NOTE(review): "ntlm auth = yes" re-enables NTLMv1, which is weak;
      # drop it unless a legacy client actually needs it.
      extraConfig = ''
        workgroup = beatific
        server string = Catacomb Nix SMB
        netbios name = catacomb
        deadtime = 300
        local master = yes
        domain master = yes
        preferred master = yes
        guest account = nobody
        map to guest = bad user
        case sensitive = yes
        veto files = /^.DS_Store$/^.Trash-1000$/
        load printers = no
        printcap name = /dev/null
        printing = bsd
        log file = /var/log/samba/client-%m.log
        log level = 2
        max log size = 64
        hide dot files = no
        hosts allow = 10.7.3.
        map archive = no
        unix extensions = yes
        ntlm auth = yes
      '';
      shares = {
        audioRO = sambaShareRO "/nas/audio" ''@nas'';
        docRO = sambaShareRO "/nas/doc/" ''@nas'';
        gameRO = sambaShareRO "/nas/game/" ''@nas'';
        imageRO = sambaShareRO "/nas/image" ''@nas'';
        videoRO = sambaShareRO "/nas/video" ''@nas'';
        #audio = sambaShare "/nas/audio" ''@nas'';
        #doc = sambaShare "/nas/doc/" ''@nas'';
        #game = sambaShare "/nas/game/" ''@nas'';
        #image = sambaShare "/nas/image" ''@nas'';
        #video = sambaShare "/nas/video" ''@nas'';
      };
    };

  services.tinc.networks = {
    beatific = {
      name = "catacomb";
      listenAddress = "0.0.0.0";
      # NOTE(review): with chroot off a compromised tincd keeps the full
      # filesystem view; re-enable it unless something here depends on this.
      chroot = false;
    };
  };

  services.zfs.autoScrub = {
    enable = true;
    pools = [ "catapool" ];
    interval = "monthly";
  };

  users.groups.nas.gid = 1600;

  users.users.tvb = {
    isNormalUser = true;
    uid = 1001;
    # NOTE(review): a cleartext `password` ends up in the world-readable Nix
    # store and in this repository. Prefer hashedPassword, or omit it and rely
    # on the SSH keys below.
    password = "badpassword";
    extraGroups = [ "wheel" "nas" ];
    shell = pkgs.bash;
    openssh.authorizedKeys.keyFiles = [
      ./keys/tvb.palamas.pub
      ./keys/tvb.stagirite.pub
      ./keys/tvb.vagrant.pub
      ./keys/monitor.isidore.pub
      ./keys/inquisitor.conduit.pub
      #./keys/tvb.empyrean.pub
    ];
  };

  # The Pi 4 has four cores.
  nix.buildCores = 4;
}