209 lines
4.7 KiB
Nix
209 lines
4.7 KiB
Nix
{ pkgs, ... }:
|
|
|
|
{
|
|
disabledModules = [ "system/boot/loader/raspberrypi/raspberrypi.nix" ];
|
|
imports = [
|
|
./modules/system/boot/loader/raspberrypi/raspberrypi.nix
|
|
./fileserver.nix
|
|
];
|
|
|
|
boot = {
|
|
kernelPackages = pkgs.linuxPackages_rpi4;
|
|
supportedFilesystems = ["zfs"];
|
|
zfs.enableUnstable = true;
|
|
loader = {
|
|
grub.enable = false;
|
|
raspberryPi = {
|
|
enable = true;
|
|
version = 4;
|
|
configurationLimit = 1;
|
|
};
|
|
};
|
|
};
|
|
|
|
# MAKE SURE THESE ARE RIGHT OR THE PI WILL NOT BOOT
|
|
fileSystems = {
|
|
"/" = {
|
|
fsType = "ext4";
|
|
device = "/dev/disk/by-label/NIXOS_SD";
|
|
};
|
|
"/boot" = {
|
|
fsType = "vfat";
|
|
device = "/dev/disk/by-label/NIXOS_BOOT";
|
|
};
|
|
};
|
|
|
|
hardware.enableRedistributableFirmware = true;
|
|
|
|
swapDevices = [ { device = "/swap"; size = 1024; } ];
|
|
|
|
console.keyMap = "us";
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
environment.systemPackages = with pkgs;
|
|
let
|
|
py3-packages = python-packages: with python-packages; [
|
|
flask
|
|
];
|
|
py3-with-packages = python3.withPackages py3-packages;
|
|
in [
|
|
wget vim curl git htop bash tmux psmisc manpages pv lsof
|
|
zip unzip
|
|
nginx
|
|
py3-with-packages
|
|
usbutils
|
|
hdparm sdparm smartmontools gptfdisk gnufdisk
|
|
dosfstools
|
|
mkpasswd samba
|
|
tinc_pre
|
|
#file-rename
|
|
rsync
|
|
rclone gnupg
|
|
];
|
|
|
|
networking = {
|
|
hostName = "catacomb";
|
|
hostId = "beeeeee5";
|
|
firewall = {
|
|
enable = true;
|
|
allowPing = true;
|
|
allowedTCPPorts = [ 22 139 445 ];
|
|
allowedUDPPorts = [ 137 138 ];
|
|
};
|
|
};
|
|
|
|
security = {
|
|
hideProcessInformation = true;
|
|
};
|
|
|
|
services.cron = {
|
|
enable = true;
|
|
systemCronJobs = [
|
|
"0 20 * * 1 root /root/reassert-nas-permissions.sh"
|
|
"0 0 * * 1 tvb . /etc/profile; /home/tvb/gitea-backup"
|
|
];
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
passwordAuthentication = true;
|
|
};
|
|
|
|
services.ntp = {
|
|
enable = true;
|
|
servers = ["time.nist.gov"];
|
|
};
|
|
|
|
services.rsyncd.enable = true;
|
|
|
|
services.samba =
|
|
let
|
|
sambaShare = path: validUsers: {
|
|
path = path;
|
|
comment = "Samba share for ${path}";
|
|
browseable = "yes";
|
|
"read only" = "no";
|
|
"guest okay" = "no";
|
|
"create mask" = "0640";
|
|
"force create mode" = "0640";
|
|
"directory mask" = "0750";
|
|
"force directory mode" = "0750";
|
|
"valid users" = validUsers;
|
|
"force group" = ''nas'';
|
|
};
|
|
sambaShareRO = path: validUsers: {
|
|
path = path;
|
|
comment = "Read-only Samba share for ${path}";
|
|
browseable = "yes";
|
|
"read only" = "yes";
|
|
"guest okay" = "no";
|
|
"valid users" = validUsers;
|
|
"force group" = ''nas'';
|
|
};
|
|
in
|
|
{
|
|
enable = true;
|
|
securityType = "user";
|
|
extraConfig = ''
|
|
workgroup = beatific
|
|
server string = Catacomb Nix SMB
|
|
netbios name = catacomb
|
|
deadtime = 300
|
|
|
|
local master = yes
|
|
domain master = yes
|
|
preferred master = yes
|
|
|
|
guest account = nobody
|
|
map to guest = bad user
|
|
|
|
case sensitive = yes
|
|
veto files = /^.DS_Store$/^.Trash-1000$/
|
|
|
|
load printers = no
|
|
printcap name = /dev/null
|
|
printing = bsd
|
|
|
|
log file = /var/log/samba/client-%m.log
|
|
log level = 2
|
|
max log size = 64
|
|
|
|
hide dot files = no
|
|
hosts allow = 10.7.3.
|
|
map archive = no
|
|
unix extensions = yes
|
|
|
|
ntlm auth = yes
|
|
'';
|
|
shares = {
|
|
audioRO = sambaShareRO "/nas/audio" ''@nas'';
|
|
docRO = sambaShareRO "/nas/doc/" ''@nas'';
|
|
gameRO = sambaShareRO "/nas/game/" ''@nas'';
|
|
imageRO = sambaShareRO "/nas/image" ''@nas'';
|
|
videoRO = sambaShareRO "/nas/video" ''@nas'';
|
|
audio = sambaShare "/nas/audio" ''@nas'';
|
|
doc = sambaShare "/nas/doc/" ''@nas'';
|
|
game = sambaShare "/nas/game/" ''@nas'';
|
|
image = sambaShare "/nas/image" ''@nas'';
|
|
video = sambaShare "/nas/video" ''@nas'';
|
|
};
|
|
};
|
|
|
|
services.tinc.networks = {
|
|
beatific = {
|
|
name = "catacomb";
|
|
listenAddress = "0.0.0.0";
|
|
chroot = false;
|
|
};
|
|
};
|
|
|
|
services.zfs = {
|
|
autoScrub = {
|
|
enable = true;
|
|
pools = ["catapool"];
|
|
interval = "monthly";
|
|
};
|
|
};
|
|
|
|
users.groups = {
|
|
nas = { gid = 1600; };
|
|
};
|
|
|
|
users.users.tvb = {
|
|
isNormalUser = true;
|
|
uid = 1001;
|
|
password = "badpassword";
|
|
extraGroups = ["wheel" "nas"];
|
|
shell = pkgs.bash;
|
|
openssh.authorizedKeys.keyFiles = [
|
|
./keys/tvb.palamas.pub
|
|
./keys/tvb.stagirite.pub
|
|
./keys/monitor.isidore.pub
|
|
./keys/inquisitor.conduit.pub
|
|
];
|
|
};
|
|
#./keys/tvb.empyrean.pub
|
|
|
|
nix.buildCores = 4;
|
|
}
|