disks

2026-02-09 20:39:18 -08:00 · 2023-03-11 13:18:35 -08:00 · 2023-03-11 13:18:35 -08:00 · 8f611f02be
commit 8f611f02be
parent 14f97d4028
3 changed files with 107 additions and 11 deletions
--- a/nixos/systems/tewi/nixos.nix
+++ b/nixos/systems/tewi/nixos.nix
@ -1,6 +1,28 @@
-{ meta, tf, config, lib, pkgs, modulesPath, ... }:
-
-{
+{ meta, tf, config, lib, utils, pkgs, modulesPath, ... }: let
+  hddopts = [ "luks" "discard" "noauto" "nofail" ];
+  md = {
+    shadow = rec {
+      name = "shadowlegend";
+      device = "/dev/md/${name}";
+      unit = utils.escapeSystemdPath device;
+      service = "md-shadow.service";
+      cryptDisks = lib.flip lib.mapAttrs {
+        seagate0 = {
+          device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740";
+          keyFile = "/root/ST4000DM000-1F21.key";
+          options = hddopts;
+        };
+        hgst = {
+          device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa";
+          keyFile = "/root/HGST-HDN724040AL.key";
+          options = hddopts;
+        };
+      } (disk: attrs: attrs // {
+        service = "systemd-cryptsetup@${disk}.service";
+      });
+    };
+  };
+in {
  imports = with meta; [
    (modulesPath + "/installer/scan/not-detected.nix")
    hardware.local
@ -38,6 +60,8 @@
    };
  };

+  environment.systemPackages = [ pkgs.cryptsetup ];
+
  boot = {
    loader = {
      systemd-boot = {
@ -53,14 +77,32 @@
    kernelModules = [ "kvm-intel" ];
  };

+  services.mediatomb = {
+    enable = true;
+    openFirewall = true;
+    serverName = config.networking.hostName;
+    mediaDirectories = lib.singleton {
+      path = "/mnt/shadow/media";
+      recursive = true;
+      hidden-files = false;
+    };
+  };
+
  services.openiscsi = {
    enable = true;
    name = "";
-    discoverPortal = "shanghai.tail.cutie.moe";
  };

-  environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce {
-    source = config.sops.secrets.openscsi-config.path;
+  environment.etc = {
+    "iscsi/initiatorname.iscsi" = lib.mkForce {
+      source = config.sops.secrets.openscsi-config.path;
+    };
+    crypttab.text = let
+      inherit (lib) concatStringsSep mapAttrsToList;
+      cryptOpts = lib.concatStringsSep ",";
+    in concatStringsSep "\n" (mapAttrsToList (disk: { device, keyFile, options, ... }:
+      "${disk} ${device} ${keyFile} ${cryptOpts options}"
+    ) md.shadow.cryptDisks);
  };

  sops.secrets.openscsi-config = { };
@ -74,6 +116,60 @@
      device = "/dev/disk/by-uuid/85DC-72FA";
      fsType = "vfat";
    };
+    "/mnt/shadow" = {
+      device = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf";
+      fsType = "xfs";
+      options = [
+        "x-systemd.automount" "noauto"
+        "x-systemd.requires=${md.shadow.service}"
+        "x-systemd.after=${md.shadow.service}"
+        "x-systemd.after=${md.shadow.unit}"
+      ];
+    };
+  };
+  systemd = let
+    inherit (lib) getExe mapAttrsToList mapAttrs' nameValuePair;
+    serviceName = lib.removeSuffix ".service";
+    cryptServices = mapAttrsToList (_: { service, ... }: service) md.shadow.cryptDisks;
+  in {
+    services = {
+      mdmonitor.enable = false;
+      ${serviceName md.shadow.service} = rec {
+        restartIfChanged = false;
+        wants = cryptServices;
+        after = wants;
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = "true";
+          ExecStartPre = [
+            "-${getExe pkgs.mdadm} --assemble --scan"
+          ];
+          ExecStart = [
+            "${getExe pkgs.mdadm} --detail ${md.shadow.device}"
+          ];
+          ExecStop = [
+            "${getExe pkgs.mdadm} --stop ${md.shadow.device}"
+          ];
+        };
+      };
+      iscsid = rec {
+        wantedBy = cryptServices;
+        before = wantedBy;
+      };
+      mediatomb = rec {
+        confinement.enable = true;
+        requires = [
+          "mnt-shadow.mount"
+        ];
+        after = requires;
+        serviceConfig = {
+          StateDirectory = config.services.mediatomb.package.pname;
+          BindReadOnlyPaths = map (path: "/mnt/shadow/media/${path}") [
+            "anime" "movies" "tv" "unsorted"
+          ];
+        };
+      };
+    };
  };

  swapDevices = lib.singleton ({
--- a/trusted/flake.lock
+++ b/trusted/flake.lock
@ -7,11 +7,11 @@
    },
    "trusted": {
      "locked": {
-        "lastModified": 1678478350,
-        "narHash": "sha256-OxAth0uppnijCgsgq0B3VgYwFfZ7RrrDsRmulQhvPsM=",
+        "lastModified": 1678569470,
+        "narHash": "sha256-wMOp8sBd4Wgh1ITgMRPkUdGvf0B1G9LlKuhN+bcnbxg=",
        "ref": "shim",
-        "rev": "d53a6c00dd57535dd9824493cbc6a64bc9902768",
-        "revCount": 2,
+        "rev": "b9c0310cab3d85a477e886201e09b6e565d944e6",
+        "revCount": 3,
        "type": "git",
        "url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git"
      },
--- a/trusted/trusted
+++ b/trusted/trusted
@ -1 +1 @@
-Subproject commit d53a6c00dd57535dd9824493cbc6a64bc9902768
+Subproject commit b9c0310cab3d85a477e886201e09b6e565d944e6