diff --git a/configuration.nix b/configuration.nix index f3b9b23..3de7cd8 100644 --- a/configuration.nix +++ b/configuration.nix @@ -11,6 +11,7 @@ { imports = [ ./hardware.nix + ./zfs.nix ./services/jellyfin.nix ./services/caddy.nix ./services/immich.nix @@ -60,15 +61,6 @@ boot = { kernelPackages = pkgs.linuxPackages; - zfs.package = pkgs.zfs_unstable; - - kernelParams = [ - # 2048MB - "zfs.zfs_arc_max=2048000000" - ]; - - supportedFilesystems = [ "zfs" ]; - zfs.extraPools = [ "tank" ]; loader = { # Use the systemd-boot EFI boot loader. @@ -96,13 +88,10 @@ #!/bin/sh rm -fr ${config.boot.lanzaboote.pkiBundle} || true mkdir -p ${config.boot.lanzaboote.pkiBundle} - ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle} + ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle} ''; }; - # encryption key for zpool (VERY IMPORTANT) - boot.initrd.secrets."/etc/zfs-key" = /etc/nixos/secrets/zfs-key; - environment.etc = { "issue".text = ""; }; 
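Review bot: `${./secrets/secureboot.tar}` is a path literal, so the tarball is copied into /nix/store at evaluation time, where every local user can read it, and it becomes part of the system closure that `nix copy`, remote builders and any binary cache receive; if it holds the lanzaboote PKI private keys (the bundle is what the boot images are signed with), those keys are now world-readable. The line it replaces read a string path at activation time, which is what keeps a secret out of the store. Keep the string form, `${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}`, or provision the bundle through a secrets manager, and tighten the extracted directory afterwards with `chmod -R go-rwx ${config.boot.lanzaboote.pkiBundle}`. The same hunk drops `boot.initrd.secrets."/etc/zfs-key"`; if any filesystem on that pool is needed before stage 2, the key is no longer in the initrd — the activation-script replacement lives in zfs.nix, outside this hunk.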
@@ -160,25 +149,32 @@ powertop - (pkgs.writeScriptBin "mc-console" '' - #!/bin/sh - ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach - '') + (pkgs.writeShellApplication { + name = "disk-smart-test"; + runtimeInputs = with pkgs; [ + gnugrep + coreutils + smartmontools + ]; - (pkgs.writeScriptBin "disk-smart-test" '' - #!/bin/sh - set -e - if [[ $EUID -ne 0 ]]; then - echo "This command requires root." - exit 2 - fi + # i gotta fix that + excludeShellChecks = [ "SC2010" ]; - DISKS=$(${pkgs.coreutils}/bin/ls /dev/sd* | ${pkgs.gnugrep}/bin/grep -v "[0-9]$") - for i in $DISKS; do - ${pkgs.coreutils}/bin/echo -n "$i " - ${pkgs.smartmontools}/bin/smartctl -a "$i" | ${pkgs.gnugrep}/bin/grep "SMART overall-health self-assessment test result:" | ${pkgs.coreutils}/bin/cut -d' ' -f6 - done - '') + text = '' + #!/bin/sh + set -e + if [[ $EUID -ne 0 ]]; then + echo "This command requires root." + exit 2 + fi + + DISKS=$(ls /dev/sd* | grep -v "[0-9]$") + for i in $DISKS; do + echo -n "$i " + smartctl -a "$i" | grep "SMART overall-health self-assessment test result:" | cut -d' ' -f6 + done + ''; + }) (pkgs.writeShellApplication { name = "reflac"; @@ -279,6 +275,8 @@ # }; }; + users.groups.${service_configs.torrent_group} = { }; + users.users.${username} = { isNormalUser = true; extraGroups = [ @@ -286,9 +284,11 @@ "video" "render" "postgres" - "owntracks" + "media" + service_configs.torrent_group ]; - hashedPasswordFile = "/etc/nixos/secrets/hashedPass"; + + hashedPasswordFile = "${./secrets/hashedPass}"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop diff --git a/flake.lock b/flake.lock index fe0cbff..1281959 100644 --- a/flake.lock +++ b/flake.lock 
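Review bot: Under `writeShellApplication` the script runs with errexit, nounset and pipefail, so `smartctl -a "$i" | grep … | cut …` aborts the whole loop on exactly the disk that matters — smartctl exits non-zero (bit 3) for a disk whose health check fails, and grep exits 1 for a drive that exposes no health line — leaving every later disk unchecked; the `writeScriptBin` version it replaces only had `set -e`, so the pipeline's status was `cut`'s. The added `#!/bin/sh` and `set -e` are inert (the wrapper supplies its own bash shebang and stricter options) and the second shebang reads as if the script ran under sh. Iterating a glob that excludes partition suffixes (and covers NVMe) also removes the `ls | grep` pattern and the `excludeShellChecks` workaround. Note that `${status:-UNKNOWN}` must be written as `''${…}` inside the Nix indented string so Nix does not try to interpolate it.
```nix
      text = ''
        if [[ $EUID -ne 0 ]]; then
          echo "This command requires root."
          exit 2
        fi

        # Whole disks only (no partition suffix), SATA/SAS and NVMe alike.
        for i in /dev/sd*[!0-9] /dev/nvme*n[0-9]; do
          [ -e "$i" ] || continue
          # smartctl exits non-zero for a failing disk and grep for a missing
          # health line; under the wrapper's pipefail that would abort the loop.
          status=$(smartctl -H "$i" | grep "SMART overall-health self-assessment test result:" | cut -d' ' -f6 || true)
          echo "$i ''${status:-UNKNOWN}"
        done
      '';
```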
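Review bot: `hashedPasswordFile = "${./secrets/hashedPass}"` copies the password hash into /nix/store, which is world-readable, so any local user or service account can read the hash and crack it offline; it also travels with the flake and the system closure (binary caches, remote builders, `nix copy`). The value it replaces was a plain string path read at activation time, which is what keeps a secret out of the store. Use the string form, `hashedPasswordFile = "/etc/nixos/secrets/hashedPass";`, or a secrets manager, and keep `./secrets/*` out of path interpolation altogether.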
@@ -15,6 +15,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "owner": "nix-community", + "repo": "disko", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -163,11 +183,11 @@ ] }, "locked": { - "lastModified": 1738287839, - "narHash": "sha256-Vh060kC/aTX+e8Ru195wo+QySd0z91wJ++JZNSDJxy8=", + "lastModified": 1738374527, + "narHash": "sha256-OcZG42dKolSREIIBM39/kY2TqykihbtYopQSjBbgBjM=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "58f1ae4ac2620cbcef912e32b17f9a64fcb372ad", + "rev": "2c815583946bcf1f7327c89fdf9bb4af7f3f5a14", "type": "github" }, "original": { @@ -178,11 +198,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1738391520, + "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773", "type": "github" }, "original": { @@ -194,11 +214,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738163270, - "narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=", + "lastModified": 1738277201, + "narHash": "sha256-6L+WXKCw5mqnUIExvqkD99pJQ41xgyCk6z/H9snClwk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "59e618d90c065f55ae48446f307e8c09565d5ab0", + "rev": "666e1b3f09c267afd66addebe80fb05a5ef2b554", "type": "github" }, "original": { @@ -269,6 +289,7 @@ }, "root": { "inputs": { + "disko": "disko", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "nix-minecraft": "nix-minecraft", diff --git a/flake.nix b/flake.nix index 5cf9db4..13ab5be 100644 --- a/flake.nix 
+++ b/flake.nix @@ -46,11 +46,13 @@ let username = "primary"; hostname = "muffin"; - eth_interface = "enp3s0"; + eth_interface = "enp4s0"; service_configs = rec { + zpool = "tank"; hdd_path = "/mnt/hdd"; services_dir = "/tank/services"; + torrent_group = "media"; # TODO: add checks to make sure none of these collide ports = { diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 9db8244..8008002 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -30,6 +30,7 @@ users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" + service_configs.torrent_group ]; users.users.${username}.extraGroups = [ diff --git a/services/minecraft.nix b/services/minecraft.nix index 62f1f8b..03e90ca 100644 --- a/services/minecraft.nix +++ b/services/minecraft.nix @@ -9,6 +9,13 @@ let heap_size = "4000M"; in { + environment.systemPackages = [ + (pkgs.writeScriptBin "mc-console" '' + #!/bin/sh + ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach + '') + ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ diff --git a/services/owntracks.nix b/services/owntracks.nix index 0019d7a..c246e10 100644 --- a/services/owntracks.nix +++ b/services/owntracks.nix @@ -1,4 +1,9 @@ -{ pkgs, service_configs, ... }: +{ + pkgs, + service_configs, + username, + ... +}: let owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: { installPhase = @@ -31,4 +36,8 @@ in systemd.tmpfiles.rules = [ "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" ]; + + users.users.${username}.extraGroups = [ + "owntracks" + ]; } diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index 87bad24..592f52b 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix 
@@ -82,8 +82,8 @@ }; systemd.tmpfiles.rules = [ - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" - "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}" + "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}" ]; # make qbittorrent use a vpn @@ -92,6 +92,10 @@ vpnNamespace = "wg"; }; + users.users.${config.services.qbittorrent.user}.extraGroups = [ + service_configs.torrent_group + ]; + users.users.${username}.extraGroups = [ config.services.qbittorrent.group ]; diff --git a/zfs.nix b/zfs.nix new file mode 100644 index 0000000..eb0c215 --- /dev/null +++ b/zfs.nix @@ -0,0 +1,29 @@ +{ + service_configs, + config, + pkgs, + ... +}: +let + zfs-key = "/etc/zfs-key"; +in +{ + system.activationScripts = { + "zfs-key".text = '' + #!/bin/sh + rm -fr ${zfs-key} || true + cp ${./secrets/zfs-key} ${zfs-key} + ''; + }; + + boot.zfs.package = pkgs.zfs_unstable; + boot.initrd.kernelModules = [ "zfs" ]; + + boot.kernelParams = [ + # 2048MB + "zfs.zfs_arc_max=2048000000" + ]; + + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.extraPools = [ service_configs.zpool ]; +}
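Review bot: Changing the tmpfiles group to `media` only covers the two directories themselves; files qbittorrent creates inside SavePath/TempPath get the process's primary group (`config.services.qbittorrent.group`, per the context lines), not `media`, so unless qbittorrent is configured to create other-readable files, jellyfin — added to `media` but not to qbittorrent's group — still cannot read new downloads. The setgid bit makes new entries inherit the directory's group: `"d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 2770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"`, and the same for TempPath. Also consider whether every `media` member needs write access; if jellyfin and the primary user only read, `2750` is the least-privilege mode.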
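Review bot: `cp ${./secrets/zfs-key} ${zfs-key}` interpolates a path literal, so the raw ZFS encryption key is copied into /nix/store at evaluation time, where every local user can read it, and it ships with the flake and the system closure (binary caches, remote builders, `nix copy`); this replaces the `boot.initrd.secrets` entry that kept the key out of the store. The plain `cp` also inherits the store file's 0444 mode, so `/etc/zfs-key` itself appears to be world-readable (assuming the pool's keylocation is `file:///etc/zfs-key`). Read the key from a string path at activation time and pin its mode instead: `install -m 0400 /etc/nixos/secrets/zfs-key ${zfs-key}`, or provision it through a secrets manager. The `#!/bin/sh` line is only a comment here — activation snippets are concatenated into the system's single activate script — and `config` is an unused module argument.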