From cccd4338c96ac35c0f5eb37a82c8131f0268e083 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Tue, 20 Feb 2024 21:09:58 +0100
Subject: nixos/spt-omnia: update and fix
---
nixos/machine/spt-omnia.nix | 83 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 74 insertions(+), 9 deletions(-)
(limited to 'nixos/machine')
diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix
index ac4ebdf..f2ea4f0 100644
--- a/nixos/machine/spt-omnia.nix
+++ b/nixos/machine/spt-omnia.nix
@@ -14,26 +14,89 @@ in { lanIP = hosts.omnia; staticLeases = { "a8:a1:59:10:32:c4" = hosts.errol; + "7c:b0:c2:bb:9c:ca" = hosts.albert; "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:57:a2:31" = hosts.mpd; + "74:bf:c0:42:82:19" = hosts.printer; }; }; wifiAP.spt = { enable = true; ar9287 = { - interface = "wlp3s0"; - bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; - channel = 13; + interface = "wlp1s0"; + bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + channel = 11; }; qca988x = { - interface = "wlp2s0"; - bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + interface = "wlp3s0"; + bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; channel = 36; }; }; - #openvpn.oldpersonal = true; + openvpn.oldpersonal = true; monitoring.speedtest = true; }; + environment = { + etc.crypttab.text = '' + nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks + nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks + ''; + systemPackages = with pkgs; [ + cryptsetup + ]; + }; + fileSystems = { + "/data" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@data" "nofail"]; + }; + "/srv" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@srv" "nofail"]; + depends = ["/data"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/data"]; + }; + services.udev.packages = [ + (pkgs.writeTextFile rec { + name = "queue_depth_sata.rules"; + destination = "/etc/udev/rules.d/50-${name}"; + text = '' + ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{queue_depth}="1" + ''; + }) + ]; + + users = { + groups.nas = {}; + users = { + nas = { + group = "nas"; + openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")]; + isNormalUser = true; + home = "/data/nas"; + homeMode = "770"; + }; + cynerd.extraGroups = ["nas"]; + }; + }; + services.openssh = { + settings.Macs = ["hmac-sha2-256"]; # Allow 
sha2-256 for Nexcloud access + extraConfig = '' + Match User nas + X11Forwarding no + AllowTcpForwarding no + AllowAgentForwarding no + ForceCommand internal-sftp -d /data/nas + ''; + }; + networking.useDHCP = false; systemd.network = { netdevs = { @@ -102,18 +165,20 @@ in { ''; }; systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + # TODO limit NSS clamping to just pppoe-wan networking.firewall.extraForwardRules = '' - tcp flags syn tcp option maxseg size set rt mtu + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept ''; services.syncthing = { - enable = true; + enable = false; openDefaultPorts = true; overrideDevices = false; overrideFolders = false; - dataDir = "/data"; + dataDir = "/data"; # TODO this can't be the location }; }; } -- cgit v1.2.3
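Review bot: `ForceCommand internal-sftp -d /data/nas` in the new `Match User nas` block only chooses the starting directory, so whoever holds the nas key can still browse the rest of the filesystem over SFTP with the nas user's permissions. If that key is meant to be confined to the share, add `ChrootDirectory /data` to the Match block and make the command `ForceCommand internal-sftp -d /nas`; sshd insists that the chroot root be owned by root and not group- or world-writable, which the btrfs mount point presumably satisfies while the 770 home directory does not, so the chroot has to be `/data` rather than `/data/nas`. Separately, `settings.Macs = ["hmac-sha2-256"]` replaces the NixOS default MAC list for every client rather than adding to it, and `Macs` cannot be scoped inside a Match block, so the host-wide effect deserves a comment; appending `"hmac-sha2-256"` to the default ETM list instead of replacing it keeps the stronger MACs available to other clients. The enclosing module attrset starts outside the hunk.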
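Review bot: The MSS clamp on the first new forward rule still applies to every forwarded SYN, as the new TODO admits, and the TODO comment says `NSS` where MSS is meant. If the PPPoE interface is named pppoe-wan as the TODO suggests, the rule can be scoped now: `oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4"` (and the mirror with `iifname` if inbound connections are forwarded), with the comment corrected to `# TODO limit MSS clamping to just pppoe-wan` or dropped once scoped. The accept rule below it also matches home→home and personalvpn→personalvpn forwarding; if only cross-zone traffic is intended, `iifname "home" oifname "personalvpn" accept` and `iifname "personalvpn" oifname "home" accept` make that explicit. The enclosing module attrset starts outside the hunk.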