From 166b68492bf82a2ca62b4743fc1f2a37d5f68905 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 16 Jan 2024 10:02:37 -0800
Subject: [PATCH] chore(tewi): remove /mnt/shadow
---
 modules/nixos/mediatomb.nix | 64 +++++++++++++++
 nixos/deluge.nix | 24 +++++-
 nixos/mediatomb.nix | 12 +++
 systems/tewi/mediatomb.nix | 47 ----------
 systems/tewi/nixos.nix | 155 +----------------------------------
 systems/tewi/secrets.yaml | 8 +-
 6 files changed, 103 insertions(+), 207 deletions(-)
 create mode 100644 modules/nixos/mediatomb.nix
 create mode 100644 nixos/mediatomb.nix
 delete mode 100644 systems/tewi/mediatomb.nix
diff --git a/modules/nixos/mediatomb.nix b/modules/nixos/mediatomb.nix
new file mode 100644
index 00000000..ac0d38c9
--- /dev/null
+++ b/modules/nixos/mediatomb.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ utils,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+ inherit (lib.lists) singleton;
+ cfg = config.services.mediatomb;
+ mediaDirModule = { config, ... }: {
+ options = with lib.types; {
+ mountPoint = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ subdirectories = mkOption {
+ type = nullOr (listOf str);
+ default = null;
+ };
+ paths = mkOption {
+ type = listOf path;
+ };
+ };
+ config = {
+ paths = let
+ paths = map (path: "${config.path}/media/${path}") config.subdirectories;
+ path = singleton config.path;
+ in mkOptionDefault (if config.subdirectories != null then paths else path);
+ recursive = mkDefault true;
+ hidden-files = mkDefault false;
+ };
+ };
+in {
+ options.services.mediatomb = with lib.types; {
+ confine = mkEnableOption "containment" // {
+ default = true;
+ };
+ mediaDirectories = mkOption {
+ type = listOf (submodule mediaDirModule);
+ };
+ };
+
+ config.services.mediatomb = {
+ openFirewall = mkDefault true;
+ serverName = mkDefault config.networking.hostName;
+ };
+ config.systemd.services.mediatomb = mkIf cfg.enable {
+ confinement.enable = mkIf cfg.confine (mkDefault true);
+ bindsTo = map (dir: mkIf (dir.mountPoint != null)
+ "${utils.escapeSystemdPath dir.mountPoint}"
+ ) cfg.mediaDirectories;
+ unitConfig.RequiresMountsFor = mkMerge (
+ map (dir: dir.paths) cfg.mediaDirectories
+ );
+ serviceConfig = {
+ RestartSec = mkDefault 15;
+ StateDirectory = mkDefault cfg.package.pname;
+ BindReadOnlyPaths = mkIf cfg.config (mkMerge (
+ map (dir: dir.paths) cfg.mediaDirectories
+ ));
+ };
+ };
+}
diff --git a/nixos/deluge.nix b/nixos/deluge.nix
index d5f30319..589d136b 100644
--- a/nixos/deluge.nix
+++ b/nixos/deluge.nix
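Review bot: `bindsTo` in `config.systemd.services.mediatomb` drops the `.mount` suffix that the deleted `systems/tewi/mediatomb.nix` carried (`"${utils.escapeSystemdPath shadowDir}.mount"`), so for any entry with a `mountPoint` it produces a bare name such as `mnt-shadow`, which is not a unit reference; NixOS's unit-name type should reject it at evaluation, and if it did not, systemd would ignore the dependency and the service could start before the media mount is up. The element should read `"${utils.escapeSystemdPath dir.mountPoint}.mount"`. In `serviceConfig.BindReadOnlyPaths`, `mkIf cfg.config` looks like a typo for `mkIf cfg.confine`: `cfg` is `config.services.mediatomb`, no `config` option is declared in this hunk, and the read-only binds only matter when confinement is on, so as written the whole `config.systemd.services.mediatomb` block fails unless such an option exists elsewhere.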
@@ -3,7 +3,8 @@
 lib,
 ...
 }: let
- inherit (lib) mkDefault;
+ inherit (lib.modules) mkIf mkAfter mkDefault;
+ inherit (lib.strings) hasPrefix removePrefix;
 cfg = config.services.deluge;
 in {
 sops.secrets.deluge-auth = {
@@ -33,4 +34,25 @@ in {
 };
 authFile = config.sops.secrets.deluge-auth.path;
 };
+
+ services.mediatomb.mediaDirectories = let
+ parent = builtins.dirOf cfg.config.download_location;
+ hasCompletedSubdir = cfg.config.move_completed && hasPrefix parent cfg.config.move_completed_path;
+ completedSubdir = removePrefix parent cfg.config.move_completed_path;
+ downloadDir = if hasCompletedSubdir then {
+ path = parent;
+ subdirectories = [
+ (builtins.baseNameOf cfg.config.download_location)
+ completedSubdir
+ ];
+ } else {
+ path = cfg.config.download_location;
+ };
+ completedDir = {
+ path = cfg.config.move_completed_path;
+ };
+ in mkIf cfg.enable (mkAfter [
+ downloadDir
+ (mkIf (cfg.config.move_completed && !hasCompletedSubdir) completedDir)
+ ]);
 }
diff --git a/nixos/mediatomb.nix b/nixos/mediatomb.nix
new file mode 100644
index 00000000..a19f2765
--- /dev/null
+++ b/nixos/mediatomb.nix
@@ -0,0 +1,12 @@
+{
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkDefault;
+in {
+ config.services.mediatomb = {
+ enable = mkDefault true;
+ port = mkDefault 4152;
+ uuid = mkDefault "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
+ };
+}
diff --git a/systems/tewi/mediatomb.nix b/systems/tewi/mediatomb.nix
deleted file mode 100644
index fa8aeaa8..00000000
--- a/systems/tewi/mediatomb.nix
+++ /dev/null
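Review bot: The `subdirectories` list built for `services.mediatomb.mediaDirectories` does not line up with how `modules/nixos/mediatomb.nix` derives `paths` from it: that default interpolates `"${config.path}/media/${path}"`, so with `path = parent` the bind and mount paths become `<parent>/media/<download basename>` rather than the download directory itself, unless the deluge tree really lives under a `media` subdirectory. `removePrefix parent cfg.config.move_completed_path` also keeps the leading `/` (giving `/completed`, hence a double slash downstream), and `hasPrefix parent` is a plain string test, so a sibling such as `<parent>-done` would be treated as a subdirectory; using the slash-terminated prefix in both places, `hasCompletedSubdir = cfg.config.move_completed && hasPrefix "${parent}/" cfg.config.move_completed_path;` and `completedSubdir = removePrefix "${parent}/" cfg.config.move_completed_path;`, avoids both. Because these paths end up in `BindReadOnlyPaths` of a confined unit, a wrong entry either keeps the service from starting or exposes a directory that was not meant to be shared.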
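Review bot: `nixos/mediatomb.nix` hard-codes `uuid = mkDefault "082fd344-bf69-5b72-a68f-a5a4d88e76b2"` in what is now a shared profile rather than the per-host file it replaces; if a second host ever imports this profile, both servers advertise the same device identifier on the network. Together with `openFirewall = mkDefault true` in the module, importing the profile enables the server and opens port 4152 by default, which is worth stating next to the value, e.g. `# tewi's device UUID; override per host if this profile is reused`, or keeping `uuid` under `systems/tewi/`.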
@@ -1,47 +0,0 @@
-{ config, utils, lib, ... }: with lib; let
- cfg = config.services.mediatomb;
- shadowDir = "/mnt/shadow";
- inherit (config.services) deluge;
-in {
- services.mediatomb = {
- enable = true;
- openFirewall = true;
- port = 4152;
- serverName = config.networking.hostName;
- uuid = "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
- mediaDirectories = [
- {
- path = "${shadowDir}/media";
- recursive = true;
- hidden-files = false;
- }
- (mkIf deluge.enable {
- path = builtins.dirOf deluge.config.download_location;
- recursive = true;
- hidden-files = false;
- })
- ];
- };
- systemd.services.mediatomb = {
- confinement.enable = true;
- bindsTo = [
- "${utils.escapeSystemdPath shadowDir}.mount"
- ];
- unitConfig = {
- RequiresMountsFor = [
- shadowDir
- ];
- };
- serviceConfig = {
- RestartSec = 15;
- StateDirectory = cfg.package.pname;
- BindReadOnlyPaths = mkMerge [
- (map (path: "${shadowDir}/media/${path}") [
- "anime" "movies" "tv" "unsorted"
- "music" "music-to-import" "music-raw"
- ])
- (mkIf deluge.enable [ deluge.config.move_completed_path ])
- ];
- };
- };
-}
diff --git a/systems/tewi/nixos.nix b/systems/tewi/nixos.nix
index 54c403a4..9a07f704 100644
--- a/systems/tewi/nixos.nix
+++ b/systems/tewi/nixos.nix
@@ -2,54 +2,17 @@
 meta,
 config,
 lib,
- utils,
 pkgs,
 modulesPath,
 ...
-}: let
- inherit (lib) mkIf;
- hddopts = ["luks" "discard" "noauto" "nofail"];
- md = {
- shadow = rec {
- name = "shadowlegend";
- device = "/dev/md/${name}";
- unit = utils.escapeSystemdPath device + ".device";
- where = "/mnt/shadow";
- mount = utils.escapeSystemdPath where + ".mount";
- service = "md-shadow.service";
- disk = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf";
- cryptDisks =
- lib.flip lib.mapAttrs {
- seagate0 = {
- device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740";
- keyFile = "/root/ST4000DM000-1F21.key";
- options = hddopts;
- };
- hgst = {
- device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa";
- keyFile = "/root/HGST-HDN724040AL.key";
- options = hddopts;
- };
- } (disk: attrs:
- attrs
- // {
- service = "systemd-cryptsetup@${disk}.service";
- });
- };
- };
-in {
+}: {
 imports = with meta; [
 (modulesPath + "/installer/scan/not-detected.nix")
 nixos.sops
 nixos.tailscale
- nixos.nginx
- nixos.systemd2mqtt
- ./mediatomb.nix
 ];
- boot.supportedFilesystems = ["nfs"];
-
 services.udev.extraRules = ''
 SUBSYSTEM=="tty", GROUP="input", MODE="0660"
 '';
@@ -58,12 +21,6 @@ in {
 services.kanidm.serverSettings.db_fs_type = "zfs";
 services.tailscale.advertiseExitNode = true;
 services.postgresql.package = pkgs.postgresql_14;
- services.zigbee2mqtt.settings.mqtt.server = let
- inherit (meta.network.nodes) tei;
- in "mqtt://${tei.networking.access.hostnameForNetwork.local}:1883";
- services.systemd2mqtt.mqtt.url = let
- inherit (meta.network.nodes) tei;
- in "tcp://${tei.networking.access.hostnameForNetwork.local}:1883";
 sops.defaultSopsFile = ./secrets.yaml;
@@ -73,10 +30,6 @@ in {
 };
 services.resolved.enable = true;
- environment.systemPackages = [
- pkgs.cryptsetup
- ];
-
 boot = {
 loader = {
 systemd-boot = {
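Review bot: This hunk removes more than the `/mnt/shadow` array: the `nixos.nginx` and `nixos.systemd2mqtt` imports and `boot.supportedFilesystems = ["nfs"]` go as well, and the following hunk drops the `services.zigbee2mqtt.settings.mqtt.server` value, none of which the subject `chore(tewi): remove /mnt/shadow` mentions. If zigbee2mqtt or nginx remain enabled elsewhere for this host, they now run without the broker address or the imported configuration, which is easy to miss in review, so the message (or a follow-up commit) should say these removals are intentional. The removed `cryptDisks` block referenced LUKS key files `/root/ST4000DM000-1F21.key` and `/root/HGST-HDN724040AL.key`; a rebuild does not touch those files, so it would help to state whether they are to be deleted from the host.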
@@ -92,41 +45,6 @@ in {
 kernelModules = ["kvm-intel"];
 };
- services.openiscsi = {
- enable = true;
- enableAutoLoginOut = true;
- name = "";
- };
-
- services.systemd2mqtt.units = {
- ${md.shadow.mount} = {};
- "mediatomb.service" = mkIf config.services.mediatomb.enable {};
- };
-
- environment.etc = {
- "iscsi/initiatorname.iscsi" = lib.mkForce {
- source = config.sops.secrets.openiscsi-config.path;
- };
- crypttab.text = let
- inherit (lib) concatStringsSep mapAttrsToList;
- cryptOpts = lib.concatStringsSep ",";
- in
- concatStringsSep "\n" (mapAttrsToList (
- disk: {
- device,
- keyFile,
- options,
- ...
- }: "${disk} ${device} ${keyFile} ${cryptOpts options}"
- )
- md.shadow.cryptDisks);
- };
-
- sops.secrets = {
- openiscsi-config = {};
- openiscsi-env = mkIf config.services.openiscsi.enableAutoLoginOut { };
- };
-
 fileSystems = {
 "/" = {
 device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
@@ -136,77 +54,8 @@ in {
 device = "/dev/disk/by-uuid/85DC-72FA";
 fsType = "vfat";
 };
- ${md.shadow.where} = {
- device = md.shadow.disk;
- fsType = "xfs";
- options = [
- "x-systemd.automount"
- "noauto" "nofail"
- "x-systemd.requires=${md.shadow.service}"
- "x-systemd.after=${md.shadow.service}"
- "x-systemd.after=${md.shadow.unit}"
- ];
- };
 };
- systemd = let
- inherit (lib) getExe;
- serviceName = lib.removeSuffix ".service";
- toSystemdIni = pkgs.lib.generators.toINI {
- listsAsDuplicateKeys = true;
- };
- cryptServices = lib.mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks;
- in {
- services = {
- nfs-mountd = {
- wants = ["network-online.target"];
- };
- mdmonitor.enable = false;
- ${serviceName md.shadow.service} = rec {
- restartIfChanged = false;
- wants = cryptServices ++ [ "iscsi.service" ];
- bindsTo = cryptServices;
- after = wants;
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "true";
- ExecStartPre = [
- "-${getExe pkgs.mdadm} --assemble --scan"
- ];
- ExecStart = [
- "${getExe pkgs.mdadm} --detail ${md.shadow.device}"
- ];
- ExecStop = [
- "${getExe pkgs.mdadm} --stop ${md.shadow.device}"
- ];
- };
- };
- iscsid = rec {
- wantedBy = cryptServices;
- before = wantedBy;
- };
- iscsi = let
- cfg = config.services.openiscsi;
- in mkIf cfg.enableAutoLoginOut rec {
- wantedBy = cryptServices;
- before = wantedBy;
- serviceConfig = {
- EnvironmentFile = [ config.sops.secrets.openiscsi-env.path ];
- ExecStartPre = [
- "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover"
- ];
- };
- };
- };
- units = {
- ${md.shadow.mount} = {
- overrideStrategy = "asDropin";
- text = toSystemdIni {
- Unit.BindsTo = [
- md.shadow.service
- ];
- };
- };
- };
+ systemd = {
 network = {
 networks.eno1 = {
 inherit (config.systemd.network.links.eno1) matchConfig;
diff --git a/systems/tewi/secrets.yaml b/systems/tewi/secrets.yaml
index 453c0755..c2cddc3a 100644
--- a/systems/tewi/secrets.yaml
+++ b/systems/tewi/secrets.yaml
@@ -1,8 +1,4 @@
 tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
-openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
-openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
-systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
-postgresql-init: ENC[AES256_GCM,data:40s9cdfJMcKjfNBNQikpAY6FZ0cgVEGC52fnXwH3jC5d9qI56hIv84ZZhZ3/kVyxSwpQL+pY0DxNjAKMqLpXx/Ujsp4=,iv:Cj7RPBM7tzTb4jBONM8DYWuJ/STRj6vO2ZU2MTkBPCM=,tag:rq7ROGRyjVZulDDof8qKDg==,type:str]
 sops:
 shamir_threshold: 1
 kms: []
@@ -28,8 +24,8 @@ sops:
 VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-14T21:35:39Z"
- mac: ENC[AES256_GCM,data:kkH6Qc81/mmYA8paCGHlQt3K5BUntU7aQm9Rjtqf1rFHIjWFIbpguXPzl555BO4AxUGzNm+OMSIOejLq5GKJ1S749BeADxwExeeR/+zWqECeerQmBfaBQfb1kBr9KlMyhP03fOeUyX1GZmnFyFyAm/xCvW67hatHPKaRrMvSQIY=,iv:DtbabItptKBoibi4g69CLVviURhK5YgPnq3BBkmzhM0=,tag:LDUXWSOdvUGss2S5Oy5KQw==,type:str]
+ lastmodified: "2024-01-16T17:09:37Z"
+ mac: ENC[AES256_GCM,data:Y3PRQkpAh76TIGJZ3t5ehyx6mt3s3Tg3Kd5xR8nImjtFcMOF3MthW73ZTadL41MipOepcT8lm/mUBB5e91vKk8Q1LjccnN1IBorS/yfppvtwFhHn4MOX3TjHbpKXDgRYgi6PzS3/jTXsreghnZjurHE69qi6pFUA1jJceqnvqsU=,iv:bX3OeJfmGQVw7V1xyT0D1PQ6yZ8HlaDStYdm4OtDQxs=,tag:71YXH9/Wdf4SAjwMjHi1TQ==,type:str]
 pgp:
 - created_at: "2023-03-10T17:06:53Z"
 enc: |
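Review bot: Removing `openiscsi-config`, `openiscsi-env`, `systemd2mqtt-env` and `postgresql-init` from `secrets.yaml` only drops them from the current file; the ciphertexts remain in git history under the same age/pgp recipients, so whatever credentials those entries held should be rotated on the systems that accept them rather than treated as retired. `postgresql-init` is not connected to `/mnt/shadow`, and `services.postgresql.package` is still configured in `systems/tewi/nixos.nix`; if any module still declares `sops.secrets.postgresql-init`, sops-nix should fail at activation because the key is no longer present, so that reference (or its removal) needs checking. The second hunk is only the `lastmodified`/`mac` refresh.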