1
1
Fork 0
nixos-configs/configuration.nix

209 lines
4.7 KiB
Nix

{ pkgs, ... }:
{
disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
imports = [
./modules/system/boot/loader/raspberrypi/raspberrypi.nix
./fileserver.nix
];
boot = {
kernelPackages = pkgs.linuxPackages_rpi4;
supportedFilesystems = ["zfs"];
zfs.enableUnstable = true;
loader = {
grub.enable = false;
raspberryPi = {
enable = true;
version = 4;
configurationLimit = 1;
};
};
};
# MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
fileSystems = {
"/" = {
fsType = "ext4";
device = "/dev/disk/by-label/NIXOS_SD";
};
"/boot" = {
fsType = "vfat";
device = "/dev/disk/by-label/NIXOS_BOOT";
};
};
hardware.enableRedistributableFirmware = true;
swapDevices = [ { device = "/swap"; size = 1024; } ];
console.keyMap = "us";
i18n.defaultLocale = "en_US.UTF-8";
environment.systemPackages = with pkgs;
let
py3-packages = python-packages: with python-packages; [
flask
];
py3-with-packages = python3.withPackages py3-packages;
in [
wget vim curl git htop bash tmux psmisc manpages pv lsof
zip unzip
nginx
py3-with-packages
usbutils
hdparm sdparm smartmontools gptfdisk gnufdisk
dosfstools
mkpasswd samba
tinc_pre
#file-rename
rsync
rclone gnupg
];
networking = {
hostName = "catacomb";
hostId = "beeeeee5";
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 22 139 445 ];
allowedUDPPorts = [ 137 138 ];
};
};
security = {
hideProcessInformation = true;
};
services.cron = {
enable = true;
systemCronJobs = [
"0 20 * * 1 root /root/reassert-nas-permissions.sh"
"0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
];
};
services.openssh = {
enable = true;
passwordAuthentication = true;
};
services.ntp = {
enable = true;
servers = ["time.nist.gov"];
};
services.rsyncd.enable = true;
services.samba =
let
sambaShare = path: validUsers: {
path = path;
comment = "Samba share for ${path}";
browseable = "yes";
"read only" = "no";
"guest okay" = "no";
"create mask" = "0640";
"force create mode" = "0640";
"directory mask" = "0750";
"force directory mode" = "0750";
"valid users" = validUsers;
"force group" = ''nas'';
};
sambaShareRO = path: validUsers: {
path = path;
comment = "Read-only Samba share for ${path}";
browseable = "yes";
"read only" = "yes";
"guest okay" = "no";
"valid users" = validUsers;
"force group" = ''nas'';
};
in
{
enable = true;
securityType = "user";
extraConfig = ''
workgroup = beatific
server string = Catacomb Nix SMB
netbios name = catacomb
deadtime = 300
local master = yes
domain master = yes
preferred master = yes
guest account = nobody
map to guest = bad user
case sensitive = yes
veto files = /^.DS_Store$/^.Trash-1000$/
load printers = no
printcap name = /dev/null
printing = bsd
log file = /var/log/samba/client-%m.log
log level = 2
max log size = 64
hide dot files = no
hosts allow = 10.7.3.
map archive = no
unix extensions = yes
ntlm auth = yes
'';
shares = {
audioRO = sambaShareRO "/nas/audio" ''@nas'';
docRO = sambaShareRO "/nas/doc/" ''@nas'';
gameRO = sambaShareRO "/nas/game/" ''@nas'';
imageRO = sambaShareRO "/nas/image" ''@nas'';
videoRO = sambaShareRO "/nas/video" ''@nas'';
audio = sambaShare "/nas/audio" ''@nas'';
doc = sambaShare "/nas/doc/" ''@nas'';
game = sambaShare "/nas/game/" ''@nas'';
image = sambaShare "/nas/image" ''@nas'';
video = sambaShare "/nas/video" ''@nas'';
};
};
services.tinc.networks = {
beatific = {
name = "catacomb";
listenAddress = "0.0.0.0";
chroot = false;
};
};
services.zfs = {
autoScrub = {
enable = true;
pools = ["catapool"];
interval = "monthly";
};
};
users.groups = {
nas = { gid = 1600; };
};
users.users.tvb = {
isNormalUser = true;
uid = 1001;
password = "badpassword";
extraGroups = ["wheel" "nas"];
shell = pkgs.bash;
openssh.authorizedKeys.keyFiles = [
./keys/tvb.palamas.pub
./keys/tvb.stagirite.pub
./keys/monitor.isidore.pub
./keys/inquisitor.conduit.pub
];
};
#./keys/tvb.empyrean.pub
nix.buildCores = 4;
}