-
Notifications
You must be signed in to change notification settings - Fork 0
/
configuration.nix-amon
102 lines (83 loc) · 2.97 KB
/
configuration.nix-amon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# -*- nix -*-
{ config, pkgs, ... }:
let
hosts = import ./nixops/personal-hosts.nix;
in
{
networking.hostName = "amon";
networking.hostId = "ef633c75";
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./hardware/hp-microserver.nix
./modules/force-my-version.nix
# ./modules/rabbitmq-server.nix
./profile/server.nix
./users/binarin.nix
./packages/use-my-overlays.nix
./profile/emacs.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
boot.supportedFilesystems = [ "zfs" ];
services.zfs.autoScrub.enable = true;
fileSystems."/" =
{ device = "tank/root/nixos";
fsType = "zfs";
};
# 16k record size, for bit-torrent
fileSystems."/media" =
{ device = "tank/root/media";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
services.fail2ban.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
22000 # Syncthing
80 443
];
networking.firewall.allowedUDPPorts = [
21027 # Syncthing
];
networking.firewall.logRefusedConnections = false;
networking.firewall.extraCommands = ''
iptables -A nixos-fw -i enp3s0 -p tcp -s 192.168.2.0/24 --dport 4000:4002 -j nixos-fw-accept # nfs server
iptables -A nixos-fw -i enp3s0 -p tcp -s 192.168.2.0/24 --dport 2049 -j nixos-fw-accept # nfs server
iptables -A nixos-fw -i enp3s0 -p udp -s 192.168.2.0/24 --dport 2049 -j nixos-fw-accept # nfs server
iptables -A nixos-fw -i enp3s0 -p tcp -s 192.168.2.0/24 --dport ${builtins.toString config.services.transmission.port} -j nixos-fw-accept
'';
environment.systemPackages = with pkgs; [
syncthing
youtube-dl
gptfdisk
hdparm
smartmontools
borgbackup
];
services.journald.rateLimitInterval = "30s";
services.journald.rateLimitBurst = 7000;
services.nfs.server = {
enable = true;
# XXX enable to everyone on local network?
exports = ''
/media/shared ${hosts.kodi.lan.ip}(ro,all_squash,anonuid=1000,anongid=${builtins.toString config.ids.gids.transmission}) ${hosts.ishamael.lan.ip}(rw,all_squash,anonuid=1000,anongid=${builtins.toString config.ids.gids.transmission}) ${hosts.ishamael.wifi.ip}(rw,all_squash,anonuid=1000,anongid=${builtins.toString config.ids.gids.transmission}) ${hosts.rpi3.lan.ip}(rw,all_squash,anonuid=1000,anongid=${builtins.toString config.ids.gids.transmission}) ${hosts.rpi3.wlan.ip}(rw,all_squash,anonuid=1000,anongid=${builtins.toString config.ids.gids.transmission})
'';
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
};
services.transmission = {
enable = true;
port = 9091;
settings = {
download-dir = "/media/shared/";
incomplete-dir = "/media/incomplete-torrents/";
incomplete-dir-enabled = true;
rpc-whitelist = "127.0.0.1,192.168.*.*,10.10.10.*";
};
};
}