395 lines
9 KiB
Nix
395 lines
9 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
{
|
|
imports =
|
|
[
|
|
./hardware-configuration.nix
|
|
../common/configuration.nix
|
|
];
|
|
|
|
hardware = {
|
|
cpu.intel.updateMicrocode = true;
|
|
enableAllFirmware = true;
|
|
|
|
opengl = {
|
|
enable = true;
|
|
driSupport = true;
|
|
extraPackages = with pkgs; [
|
|
intel-media-driver
|
|
vaapiIntel
|
|
vaapiVdpau
|
|
libvdpau-va-gl
|
|
intel-compute-runtime
|
|
];
|
|
};
|
|
};
|
|
|
|
boot = {
|
|
kernelModules = [ "coretemp" "nct6775" ];
|
|
|
|
extraModprobeConfig = ''
|
|
options qla2xxx qlini_mode="disabled"
|
|
options zfs l2arc_rebuild_enabled=1
|
|
'';
|
|
|
|
loader = {
|
|
systemd-boot.enable = true;
|
|
efi.canTouchEfiVariables = true;
|
|
};
|
|
|
|
kernel.sysctl = {
|
|
"fs.inotify.max_user_watches" = 204800;
|
|
};
|
|
|
|
supportedFilesystems = [ "zfs" ];
|
|
zfs.extraPools = [ "docs_12t_z1" ];
|
|
};
|
|
|
|
networking = {
|
|
useDHCP = false;
|
|
interfaces.eno1.useDHCP = true;
|
|
|
|
interfaces.enp1s0.useDHCP = false;
|
|
interfaces.enp1s0.ipv4.addresses = [{
|
|
address = "10.2.0.2";
|
|
prefixLength = 24;
|
|
}];
|
|
|
|
hostName = "nas";
|
|
hostId = "c9e40f42";
|
|
|
|
nat = {
|
|
enable = true;
|
|
externalInterface = "enp1s0";
|
|
internalInterfaces = [ "wg0" ];
|
|
};
|
|
|
|
firewall = {
|
|
enable = true;
|
|
|
|
allowedTCPPorts = [
|
|
22 # ssh
|
|
80 # http
|
|
139 # smb
|
|
443 # https
|
|
445 # smb
|
|
8096 # jellyfin
|
|
9091 # transmission webui
|
|
19999 # netdata
|
|
22000 # syncthing sync
|
|
51415 # transmission
|
|
51820 # wireguard
|
|
];
|
|
|
|
allowedUDPPorts = [
|
|
21027 # syncthing discovery
|
|
22000 # syncthing sync
|
|
51415 # transmission
|
|
51820 # wireguard
|
|
];
|
|
};
|
|
|
|
wireguard.interfaces.wg0 = {
|
|
ips = [ "10.100.0.1/32" ];
|
|
listenPort = 51820;
|
|
privateKeyFile = "/home/sijmen/wireguard-keys/private";
|
|
|
|
postSetup = ''
|
|
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
'';
|
|
|
|
postShutdown = ''
|
|
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
|
'';
|
|
|
|
peers = [
|
|
{
|
|
# thinkpad
|
|
publicKey = "Y2X8mT+LCXkjLjzRBcdglIKLYu68kvf5K0nKTEOWdGE=";
|
|
allowedIPs = [ "10.100.0.2/32" ];
|
|
}
|
|
|
|
{
|
|
# framework
|
|
publicKey = "csvOi6DK6b9zh0JCGIe8z25ePmayY7Hihm5Ur2/aIyo=";
|
|
allowedIPs = [ "10.100.0.4/32" ];
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
users.users.sijmen = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" "nextcloud" ];
|
|
};
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
programs.msmtp = {
|
|
enable = true;
|
|
setSendmail = true;
|
|
accounts = {
|
|
default = {
|
|
auth = true;
|
|
tls = true;
|
|
port = 587;
|
|
host = "smtp.soverin.net";
|
|
user = "me@sijmenschoon.nl";
|
|
passwordeval = "pass show email/personal-nas";
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "me@sijmenschoon.nl";
|
|
};
|
|
|
|
services.jellyfin.enable = true;
|
|
services.thermald.enable = true;
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
# Use recommended settings
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
# Only allow PFS-enabled ciphers with AES256
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
|
|
clientMaxBodySize = "1000G";
|
|
|
|
# Setup Nextcloud virtual host to listen on ports
|
|
virtualHosts = {
|
|
"cloud.sijmenschoon.nl" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
extraConfig = ''
|
|
proxy_read_timeout 600;
|
|
proxy_connect_timeout 60;
|
|
proxy_send_timeout 600;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
services.redis.servers."".enable = true;
|
|
|
|
services.nextcloud = {
|
|
enable = true;
|
|
hostName = "cloud.sijmenschoon.nl";
|
|
https = true;
|
|
autoUpdateApps.enable = true;
|
|
autoUpdateApps.startAt = "05:00:00";
|
|
maxUploadSize = "1000G";
|
|
package = pkgs.nextcloud24;
|
|
|
|
caching = {
|
|
redis = true;
|
|
};
|
|
|
|
config = {
|
|
overwriteProtocol = "https";
|
|
|
|
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
|
|
dbtype = "pgsql";
|
|
dbuser = "nextcloud";
|
|
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
|
dbname = "nextcloud";
|
|
dbpassFile = "/var/nextcloud-db-pass";
|
|
|
|
adminpassFile = "/var/nextcloud-admin-pass";
|
|
adminuser = "admin";
|
|
|
|
extraTrustedDomains = [
|
|
"cloud.sijman.nl"
|
|
"192.168.1.123"
|
|
];
|
|
defaultPhoneRegion = "NL";
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [ "nextcloud" ];
|
|
ensureUsers = [
|
|
{
|
|
name = "nextcloud";
|
|
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
|
}
|
|
{
|
|
name = "netdata";
|
|
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
|
}
|
|
];
|
|
|
|
settings = {
|
|
shared_buffers = "8192MB";
|
|
};
|
|
};
|
|
|
|
services.fwupd.enable = true;
|
|
|
|
services.netdata = {
|
|
enable = true;
|
|
python.extraPackages = ps: [
|
|
ps.psycopg2
|
|
];
|
|
};
|
|
|
|
services.smartd = {
|
|
enable = true;
|
|
extraOptions = [
|
|
"-A /var/log/smartd/"
|
|
"-i 600"
|
|
];
|
|
notifications.mail = {
|
|
enable = true;
|
|
sender = "nas@sijman.nl";
|
|
recipient = "nas@sijman.nl";
|
|
mailer = "/run/current-system/sw/bin/msmtp --read-envelope-from -t";
|
|
};
|
|
};
|
|
|
|
services.nfs.server = {
|
|
enable = true;
|
|
exports = ''
|
|
/mnt/docs 192.168.0.0/24(rw,sync)
|
|
/mnt/backup 192.168.0.0/24(rw,sync)
|
|
'';
|
|
};
|
|
|
|
services.samba = {
|
|
enable = true;
|
|
securityType = "user";
|
|
extraConfig = ''
|
|
workgroup = WORKGROUP
|
|
server string = nas
|
|
netbios name = nas
|
|
security = user
|
|
hosts allow = 192.168.1.0/24, 10.2.0.0/24, 10.100.0.0/24
|
|
guest account = nobody
|
|
|
|
client min protocol = SMB3
|
|
client max protocol = SMB3
|
|
restrict anonymous = 2
|
|
encrypt passwords = true
|
|
'';
|
|
|
|
shares = {
|
|
docs = {
|
|
path = "/mnt/docs";
|
|
"valid users" = "@nextcloud";
|
|
"force user" = "nextcloud";
|
|
"force group" = "+nextcloud";
|
|
|
|
public = "no";
|
|
browseable = "yes";
|
|
writable = "yes";
|
|
|
|
"read only" = "no";
|
|
|
|
"create mask" = "0664";
|
|
"directory mask" = "2775";
|
|
"force create mode" = "0664";
|
|
"force directory mode" = "2775";
|
|
};
|
|
|
|
backup = {
|
|
path = "/mnt/backup";
|
|
"valid users" = "sijmen";
|
|
"force user" = "nextcloud";
|
|
"force group" = "+nextcloud";
|
|
|
|
public = "no";
|
|
browseable = "yes";
|
|
writable = "yes";
|
|
|
|
"read only" = "no";
|
|
|
|
"create mask" = "0644";
|
|
"directory mask" = "2755";
|
|
"force create mode" = "0644";
|
|
"force directory mode" = "2755";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.borgmatic = {
|
|
enable = true;
|
|
settings = {
|
|
location.repositories = [ "/mnt/backup/borg" ];
|
|
location.source_directories = [ "/mnt/docs" ];
|
|
location.patterns = [ "- /mnt/docs/fileio.bin" ];
|
|
retention.keep_daily = 7;
|
|
retention.keep_weekly = 4;
|
|
retention.keep_monthly = 3;
|
|
};
|
|
};
|
|
|
|
services.syncthing = {
|
|
dataDir = "/mnt/docs/users/sijmen";
|
|
configDir = "/home/sijmen/.config/syncthing";
|
|
guiAddress = "0.0.0.0:8384";
|
|
};
|
|
|
|
services.transmission = {
|
|
enable = true;
|
|
|
|
user = "nextcloud"; # TODO make this its own user maybe
|
|
group = "nextcloud";
|
|
|
|
settings = {
|
|
peer-port = 51415;
|
|
download-dir = "/mnt/docs/media/Downloads";
|
|
rpc-bind-address = "0.0.0.0";
|
|
rpc-whitelist-enabled = false;
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
|
|
|
|
services."nextcloud-setup" = {
|
|
requires = ["postgresql.service"];
|
|
after = ["postgresql.service"];
|
|
};
|
|
|
|
services."set-smr-timeout" = {
|
|
description = "Set command timeout for SMR drives to 180 seconds";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "mnt-backup.mount" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "${pkgs.stdenv.shell} -c 'echo 180 > /sys/block/$(basename $(readlink -f /dev/disk/by-id/ata-ST2000DM008-2FR102_WFL3W3SZ))/device/timeout'";
|
|
};
|
|
};
|
|
|
|
timers.backup = {
|
|
wantedBy = [ "timers.target" ];
|
|
partOf = [ "backup.service" ];
|
|
timerConfig.OnCalendar = "daily";
|
|
};
|
|
|
|
services.backup = {
|
|
serviceConfig.Type = "oneshot";
|
|
path = [ pkgs.mount pkgs.umount pkgs.borgmatic pkgs.hdparm ];
|
|
script = ''
|
|
mount /mnt/backup
|
|
borgmatic --verbosity 1 --files
|
|
umount /mnt/backup
|
|
sync
|
|
hdparm -y /dev/disk/by-id/{ata-WDC_WD10EARS-00MVWB0_WD-WCAZA0318253,ata-WDC_WD10EARS-00MVWB0_WD-WCAZA0338594,ata-ST2000VN004-2E4164_Z522Z7XT,ata-ST2000DM008-2FR102_WFL3W3SZ,ata-WDC_WD10EZEX-22RKKA0_WD-WCC1S3934917,ata-SAMSUNG_HD103SJ_S246J9BZC23280}
|
|
'';
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "21.05";
|
|
}
|
|
|