chore(tewi): remove /mnt/shadow

This commit is contained in:
arcnmx 2024-01-16 10:02:37 -08:00
parent a191777943
commit 166b68492b
6 changed files with 103 additions and 207 deletions

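--- a/mediatomb.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, utils, lib, ... }: with lib; let
-cfg = config.services.mediatomb;
-shadowDir = "/mnt/shadow";
-inherit (config.services) deluge;
-in {
-services.mediatomb = {
-enable = true;
-openFirewall = true;
-port = 4152;
-serverName = config.networking.hostName;
-uuid = "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
-mediaDirectories = [
-{
-path = "${shadowDir}/media";
-recursive = true;
-hidden-files = false;
-}
-(mkIf deluge.enable {
-path = builtins.dirOf deluge.config.download_location;
-recursive = true;
-hidden-files = false;
-})
-];
-};
-systemd.services.mediatomb = {
-confinement.enable = true;
-bindsTo = [
-"${utils.escapeSystemdPath shadowDir}.mount"
-];
-unitConfig = {
-RequiresMountsFor = [
-shadowDir
-];
-};
-serviceConfig = {
-RestartSec = 15;
-StateDirectory = cfg.package.pname;
-BindReadOnlyPaths = mkMerge [
-(map (path: "${shadowDir}/media/${path}") [
-"anime" "movies" "tv" "unsorted"
-"music" "music-to-import" "music-raw"
-])
-(mkIf deluge.enable [ deluge.config.move_completed_path ])
-];
-};
-};
-}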


@ -2,54 +2,17 @@
meta,
config,
lib,
utils,
pkgs,
modulesPath,
...
}: let
inherit (lib) mkIf;
hddopts = ["luks" "discard" "noauto" "nofail"];
md = {
shadow = rec {
name = "shadowlegend";
device = "/dev/md/${name}";
unit = utils.escapeSystemdPath device + ".device";
where = "/mnt/shadow";
mount = utils.escapeSystemdPath where + ".mount";
service = "md-shadow.service";
disk = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf";
cryptDisks =
lib.flip lib.mapAttrs {
seagate0 = {
device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740";
keyFile = "/root/ST4000DM000-1F21.key";
options = hddopts;
};
hgst = {
device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa";
keyFile = "/root/HGST-HDN724040AL.key";
options = hddopts;
};
} (disk: attrs:
attrs
// {
service = "systemd-cryptsetup@${disk}.service";
});
};
};
in {
}: {
imports = with meta;
[
(modulesPath + "/installer/scan/not-detected.nix")
nixos.sops
nixos.tailscale
nixos.nginx
nixos.systemd2mqtt
./mediatomb.nix
];
boot.supportedFilesystems = ["nfs"];
services.udev.extraRules = ''
SUBSYSTEM=="tty", GROUP="input", MODE="0660"
'';
@ -58,12 +21,6 @@ in {
services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
services.postgresql.package = pkgs.postgresql_14;
services.zigbee2mqtt.settings.mqtt.server = let
inherit (meta.network.nodes) tei;
in "mqtt://${tei.networking.access.hostnameForNetwork.local}:1883";
services.systemd2mqtt.mqtt.url = let
inherit (meta.network.nodes) tei;
in "tcp://${tei.networking.access.hostnameForNetwork.local}:1883";
sops.defaultSopsFile = ./secrets.yaml;
@ -73,10 +30,6 @@ in {
};
services.resolved.enable = true;
environment.systemPackages = [
pkgs.cryptsetup
];
boot = {
loader = {
systemd-boot = {
@ -92,41 +45,6 @@ in {
kernelModules = ["kvm-intel"];
};
services.openiscsi = {
enable = true;
enableAutoLoginOut = true;
name = "";
};
services.systemd2mqtt.units = {
${md.shadow.mount} = {};
"mediatomb.service" = mkIf config.services.mediatomb.enable {};
};
environment.etc = {
"iscsi/initiatorname.iscsi" = lib.mkForce {
source = config.sops.secrets.openiscsi-config.path;
};
crypttab.text = let
inherit (lib) concatStringsSep mapAttrsToList;
cryptOpts = lib.concatStringsSep ",";
in
concatStringsSep "\n" (mapAttrsToList (
disk: {
device,
keyFile,
options,
...
}: "${disk} ${device} ${keyFile} ${cryptOpts options}"
)
md.shadow.cryptDisks);
};
sops.secrets = {
openiscsi-config = {};
openiscsi-env = mkIf config.services.openiscsi.enableAutoLoginOut { };
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
@ -136,77 +54,8 @@ in {
device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat";
};
${md.shadow.where} = {
device = md.shadow.disk;
fsType = "xfs";
options = [
"x-systemd.automount"
"noauto" "nofail"
"x-systemd.requires=${md.shadow.service}"
"x-systemd.after=${md.shadow.service}"
"x-systemd.after=${md.shadow.unit}"
];
};
};
systemd = let
inherit (lib) getExe;
serviceName = lib.removeSuffix ".service";
toSystemdIni = pkgs.lib.generators.toINI {
listsAsDuplicateKeys = true;
};
cryptServices = lib.mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks;
in {
services = {
nfs-mountd = {
wants = ["network-online.target"];
};
mdmonitor.enable = false;
${serviceName md.shadow.service} = rec {
restartIfChanged = false;
wants = cryptServices ++ [ "iscsi.service" ];
bindsTo = cryptServices;
after = wants;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "true";
ExecStartPre = [
"-${getExe pkgs.mdadm} --assemble --scan"
];
ExecStart = [
"${getExe pkgs.mdadm} --detail ${md.shadow.device}"
];
ExecStop = [
"${getExe pkgs.mdadm} --stop ${md.shadow.device}"
];
};
};
iscsid = rec {
wantedBy = cryptServices;
before = wantedBy;
};
iscsi = let
cfg = config.services.openiscsi;
in mkIf cfg.enableAutoLoginOut rec {
wantedBy = cryptServices;
before = wantedBy;
serviceConfig = {
EnvironmentFile = [ config.sops.secrets.openiscsi-env.path ];
ExecStartPre = [
"${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover"
];
};
};
};
units = {
${md.shadow.mount} = {
overrideStrategy = "asDropin";
text = toSystemdIni {
Unit.BindsTo = [
md.shadow.service
];
};
};
};
systemd = {
network = {
networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig;
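Review bot: Replacing the whole `systemd = let … in { … }` block with `systemd = {` in the last hunk also drops `services.mdmonitor.enable = false` and `services.nfs-mountd.wants = ["network-online.target"]`, which have nothing to do with the md/iSCSI teardown; unless they are re-added outside this hunk, mdmonitor comes back on and nfs-mountd loses its network ordering while `boot.supportedFilesystems = ["nfs"]` is still set. Keeping them is two lines next to the new `systemd.network` attrset: `systemd.services.mdmonitor.enable = false;` and `systemd.services.nfs-mountd.wants = ["network-online.target"];`. Deleting the crypttab entries and the `sops.secrets.openiscsi-config`/`openiscsi-env` declarations only changes the Nix side: the LUKS keyfiles the old crypttab pointed at (`/root/ST4000DM000-1F21.key`, `/root/HGST-HDN724040AL.key`) presumably still sit on the host, and the sops ciphertext for the iSCSI initiator config and env stays decryptable from git history by every recipient key, so if the disks or the iSCSI target are being decommissioned, shred the keyfiles and rotate whatever those secrets held (only `$DISCOVER_PORTAL` is visible here) rather than relying on the removal.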


@ -1,8 +1,4 @@
tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
postgresql-init: ENC[AES256_GCM,data:40s9cdfJMcKjfNBNQikpAY6FZ0cgVEGC52fnXwH3jC5d9qI56hIv84ZZhZ3/kVyxSwpQL+pY0DxNjAKMqLpXx/Ujsp4=,iv:Cj7RPBM7tzTb4jBONM8DYWuJ/STRj6vO2ZU2MTkBPCM=,tag:rq7ROGRyjVZulDDof8qKDg==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -28,8 +24,8 @@ sops:
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-14T21:35:39Z"
mac: ENC[AES256_GCM,data:kkH6Qc81/mmYA8paCGHlQt3K5BUntU7aQm9Rjtqf1rFHIjWFIbpguXPzl555BO4AxUGzNm+OMSIOejLq5GKJ1S749BeADxwExeeR/+zWqECeerQmBfaBQfb1kBr9KlMyhP03fOeUyX1GZmnFyFyAm/xCvW67hatHPKaRrMvSQIY=,iv:DtbabItptKBoibi4g69CLVviURhK5YgPnq3BBkmzhM0=,tag:LDUXWSOdvUGss2S5Oy5KQw==,type:str]
lastmodified: "2024-01-16T17:09:37Z"
mac: ENC[AES256_GCM,data:Y3PRQkpAh76TIGJZ3t5ehyx6mt3s3Tg3Kd5xR8nImjtFcMOF3MthW73ZTadL41MipOepcT8lm/mUBB5e91vKk8Q1LjccnN1IBorS/yfppvtwFhHn4MOX3TjHbpKXDgRYgi6PzS3/jTXsreghnZjurHE69qi6pFUA1jJceqnvqsU=,iv:bX3OeJfmGQVw7V1xyT0D1PQ6yZ8HlaDStYdm4OtDQxs=,tag:71YXH9/Wdf4SAjwMjHi1TQ==,type:str]
pgp:
- created_at: "2023-03-10T17:06:53Z"
enc: |