Diffstat (limited to 'nixos/machine/spt-omnia.nix')
-rw-r--r--nixos/machine/spt-omnia.nix83
1 files changed, 74 insertions, 9 deletions
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index ac4ebdf..f2ea4f0 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -14,26 +14,89 @@ in {
lanIP = hosts.omnia;
staticLeases = {
"a8:a1:59:10:32:c4" = hosts.errol;
+ "7c:b0:c2:bb:9c:ca" = hosts.albert;
"4c:d5:77:0d:85:d9" = hosts.binky;
+ "b8:27:eb:57:a2:31" = hosts.mpd;
+ "74:bf:c0:42:82:19" = hosts.printer;
};
};
wifiAP.spt = {
enable = true;
ar9287 = {
- interface = "wlp3s0";
- bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
- channel = 13;
+ interface = "wlp1s0";
+ bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+ channel = 11;
};
qca988x = {
- interface = "wlp2s0";
- bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"];
+ interface = "wlp3s0";
+ bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"];
channel = 36;
};
};
- #openvpn.oldpersonal = true;
+ openvpn.oldpersonal = true;
monitoring.speedtest = true;
};
+ environment = {
+ etc.crypttab.text = ''
+ nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks
+ nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks
+ '';
+ systemPackages = with pkgs; [
+ cryptsetup
+ ];
+ };
+ fileSystems = {
+ "/data" = {
+ device = "/dev/mapper/nas";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@data" "nofail"];
+ };
+ "/srv" = {
+ device = "/dev/mapper/nas";
+ fsType = "btrfs";
+ options = ["compress=lzo" "subvol=@srv" "nofail"];
+ depends = ["/data"];
+ };
+ };
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = ["/" "/data"];
+ };
+ services.udev.packages = [
+ (pkgs.writeTextFile rec {
+ name = "queue_depth_sata.rules";
+ destination = "/etc/udev/rules.d/50-${name}";
+ text = ''
+ ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{queue_depth}="1"
+ '';
+ })
+ ];
+
+ users = {
+ groups.nas = {};
+ users = {
+ nas = {
+ group = "nas";
+ openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")];
+ isNormalUser = true;
+ home = "/data/nas";
+ homeMode = "770";
+ };
+ cynerd.extraGroups = ["nas"];
+ };
+ };
+ services.openssh = {
+ settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access
+ extraConfig = ''
+ Match User nas
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ ForceCommand internal-sftp -d /data/nas
+ '';
+ };
+
networking.useDHCP = false;
systemd.network = {
netdevs = {
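Review bot: `settings.Macs = ["hmac-sha2-256"]` replaces the server-wide MAC list instead of adding to it, so despite the "Allow" comment every SSH client, not only the Nextcloud one, is limited to the non-ETM `hmac-sha2-256` (assuming the NixOS module default is the encrypt-then-MAC list; please confirm). Listing the ETM variants first and appending the extra one keeps the stronger choice for clients that support it: `settings.Macs = ["hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-256"];`. In the `Match User nas` block, `internal-sftp -d /data/nas` only sets the starting directory, so without a `ChrootDirectory` the account can still browse whatever it can read elsewhere on the filesystem. sshd requires the chroot path to be root-owned and not writable by group or others, so the 770 home itself cannot be the chroot; a root-owned parent would be needed. The enclosing attribute set begins before this hunk.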
@@ -102,18 +165,20 @@ in {
'';
};
systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"];
+ # TODO limit NSS clamping to just pppoe-wan
networking.firewall.extraForwardRules = ''
- tcp flags syn tcp option maxseg size set rt mtu
+ tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"
+ iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept
'';
services.syncthing = {
- enable = true;
+ enable = false;
openDefaultPorts = true;
overrideDevices = false;
overrideFolders = false;
- dataDir = "/data";
+ dataDir = "/data"; # TODO this can't be the location
};
};
}
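Review bot: The added `iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept` rule forwards all traffic in both directions between the LAN and the VPN with no protocol, port or connection-state restriction. The first hunk of this commit also turns `openvpn.oldpersonal` on, so every VPN peer would be able to reach every LAN host, including the newly leased printer and the NAS mounts. If that is intended, the rule deserves the same inline rationale the clamping rule received, e.g. `iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept comment "Route between home LAN and personal VPN"`. If only one side needs to initiate, restricting new connections to that direction and accepting only established/related traffic the other way would be tighter. The block containing these rules starts outside the hunk.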