From 8f611f02be62d3f915377c5de87cbfb9667d4d2a Mon Sep 17 00:00:00 2001 From: arcnmx Date: Sat, 11 Mar 2023 13:18:35 -0800 Subject: [PATCH] disks --- nixos/systems/tewi/nixos.nix | 108 +++++++++++++++++++++++++++++++++-- trusted/flake.lock | 8 +-- trusted/trusted | 2 +- 3 files changed, 107 insertions(+), 11 deletions(-) diff --git a/nixos/systems/tewi/nixos.nix b/nixos/systems/tewi/nixos.nix index b26f794b..6c0819d5 100644 --- a/nixos/systems/tewi/nixos.nix +++ b/nixos/systems/tewi/nixos.nix @@ -1,6 +1,28 @@ -{ meta, tf, config, lib, pkgs, modulesPath, ... }: - -{ +{ meta, tf, config, lib, utils, pkgs, modulesPath, ... }: let + hddopts = [ "luks" "discard" "noauto" "nofail" ]; + md = { + shadow = rec { + name = "shadowlegend"; + device = "/dev/md/${name}"; + unit = utils.escapeSystemdPath device; + service = "md-shadow.service"; + cryptDisks = lib.flip lib.mapAttrs { + seagate0 = { + device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740"; + keyFile = "/root/ST4000DM000-1F21.key"; + options = hddopts; + }; + hgst = { + device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa"; + keyFile = "/root/HGST-HDN724040AL.key"; + options = hddopts; + }; + } (disk: attrs: attrs // { + service = "systemd-cryptsetup@${disk}.service"; + }); + }; + }; +in { imports = with meta; [ (modulesPath + "/installer/scan/not-detected.nix") hardware.local @@ -38,6 +60,8 @@ }; }; + environment.systemPackages = [ pkgs.cryptsetup ]; + boot = { loader = { systemd-boot = { 
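Review bot: `unit = utils.escapeSystemdPath device;` yields `dev-md-shadowlegend` with no unit-type suffix, so the `x-systemd.after=${md.shadow.unit}` mount option in the later `/mnt/shadow` hunk does not name the device unit systemd actually uses; it should be `unit = "${utils.escapeSystemdPath device}.device";`. Separately, the LUKS key files under `/root/` are consumed straight from the root filesystem while the iSCSI initiator config in this same file goes through `sops.secrets`, so the module says nothing about how they are provisioned or protected; a comment on `cryptDisks` such as `# key files are provisioned out-of-band, must stay root-only (0400), and are only as protected as the root filesystem holding them` records the assumption. The `discard` entry in `hddopts` passes TRIM through dm-crypt, which exposes the used/free block layout on the raw disk; if that trade-off is intended, a short comment next to `hddopts` should say so.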
@@ -53,14 +77,32 @@ kernelModules = [ "kvm-intel" ]; }; + services.mediatomb = { + enable = true; + openFirewall = true; + serverName = config.networking.hostName; + mediaDirectories = lib.singleton { + path = "/mnt/shadow/media"; + recursive = true; + hidden-files = false; + }; + }; + services.openiscsi = { enable = true; name = ""; - discoverPortal = "shanghai.tail.cutie.moe"; }; - environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce { - source = config.sops.secrets.openscsi-config.path; + environment.etc = { + "iscsi/initiatorname.iscsi" = lib.mkForce { + source = config.sops.secrets.openscsi-config.path; + }; + crypttab.text = let + inherit (lib) concatStringsSep mapAttrsToList; + cryptOpts = lib.concatStringsSep ","; + in concatStringsSep "\n" (mapAttrsToList (disk: { device, keyFile, options, ... }: + "${disk} ${device} ${keyFile} ${cryptOpts options}" + ) md.shadow.cryptDisks); }; sops.secrets.openscsi-config = { }; 
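Review bot: `openFirewall = true` on `services.mediatomb` opens the DLNA/UPnP ports on every interface, and the `discoverPortal` line removed just below referenced a tailnet hostname, which suggests this host has interfaces beyond the LAN the media server is meant for. If only LAN clients should reach it, prefer `networking.firewall.interfaces.<LAN-IFACE>.allowedTCPPorts`/`allowedUDPPorts` for the server's ports over `openFirewall`, or add `# intentionally reachable on all interfaces` so the exposure is a recorded decision rather than a default. The generated `crypttab.text` contains only UUIDs, key-file paths and options, which is fine for a world-readable /etc entry, but it makes the key files under /root the sole secret; a one-line comment there pointing that out would help. The enclosing configuration attrset begins and ends outside this hunk.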
@@ -74,6 +116,60 @@ device = "/dev/disk/by-uuid/85DC-72FA"; fsType = "vfat"; }; + "/mnt/shadow" = { + device = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf"; + fsType = "xfs"; + options = [ + "x-systemd.automount" "noauto" + "x-systemd.requires=${md.shadow.service}" + "x-systemd.after=${md.shadow.service}" + "x-systemd.after=${md.shadow.unit}" + ]; + }; + }; + systemd = let + inherit (lib) getExe mapAttrsToList mapAttrs' nameValuePair; + serviceName = lib.removeSuffix ".service"; + cryptServices = mapAttrsToList (_: { service, ... }: service) md.shadow.cryptDisks; + in { + services = { + mdmonitor.enable = false; + ${serviceName md.shadow.service} = rec { + restartIfChanged = false; + wants = cryptServices; + after = wants; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "true"; + ExecStartPre = [ + "-${getExe pkgs.mdadm} --assemble --scan" + ]; + ExecStart = [ + "${getExe pkgs.mdadm} --detail ${md.shadow.device}" + ]; + ExecStop = [ + "${getExe pkgs.mdadm} --stop ${md.shadow.device}" + ]; + }; + }; + iscsid = rec { + wantedBy = cryptServices; + before = wantedBy; + }; + mediatomb = rec { + confinement.enable = true; + requires = [ + "mnt-shadow.mount" + ]; + after = requires; + serviceConfig = { + StateDirectory = config.services.mediatomb.package.pname; + BindReadOnlyPaths = map (path: "/mnt/shadow/media/${path}") [ + "anime" "movies" "tv" "unsorted" + ]; + }; + }; + }; }; swapDevices = lib.singleton ({ diff --git a/trusted/flake.lock b/trusted/flake.lock index c4942eec..d12c9345 100644 --- a/trusted/flake.lock +++ b/trusted/flake.lock 
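Review bot: `ExecStartPre` runs `mdadm --assemble --scan`, which assembles every array whose members are currently visible, not just the `${md.shadow.device}` this unit is named after and verifies in `ExecStart`; if the host's mdadm.conf carries no ARRAY lines, that includes any foreign md superblock that happens to be attached. Restricting it with `--uuid=<ARRAY-UUID>` (the md array UUID, distinct from the member-disk UUIDs in crypttab) confines the unit to the one array it manages. `mdmonitor.enable = false` also turns off degradation and member-failure reporting for that array; if it is deliberate (e.g. noise while the array is normally offline), a comment saying so would stop a future reader from re-enabling it blindly, and if not, it is the only thing that will flag a lost disk. The enclosing top-level attrset continues outside this hunk.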
@@ -7,11 +7,11 @@
 },
 "trusted": {
 "locked": {
- "lastModified": 1678478350,
- "narHash": "sha256-OxAth0uppnijCgsgq0B3VgYwFfZ7RrrDsRmulQhvPsM=",
+ "lastModified": 1678569470,
+ "narHash": "sha256-wMOp8sBd4Wgh1ITgMRPkUdGvf0B1G9LlKuhN+bcnbxg=",
 "ref": "shim",
- "rev": "d53a6c00dd57535dd9824493cbc6a64bc9902768",
- "revCount": 2,
+ "rev": "b9c0310cab3d85a477e886201e09b6e565d944e6",
+ "revCount": 3,
 "type": "git",
 "url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git"
 },
diff --git a/trusted/trusted b/trusted/trusted
index d53a6c00..b9c0310c 160000
--- a/trusted/trusted
+++ b/trusted/trusted
@@ -1 +1 @@
-Subproject commit d53a6c00dd57535dd9824493cbc6a64bc9902768
+Subproject commit b9c0310cab3d85a477e886201e09b6e565d944e6