add mx

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>

systems/x86_64-linux/sgx/backup.nix

@@ -0,0 +1,76 @@
+{ pkgs, lib, config, ... }:
+let
+  backup_new_path = "/mnt/raid/backup/hoyer/new/";
+  restic_repo = "/mnt/backup/restic-repo";
+in
+{
+  services.restic.backups.hoyer_new = {
+    repository = restic_repo;
+    passwordFile = config.sops.secrets.backup-pw.path;
+    timerConfig = {
+      OnCalendar = "daily";
+      FixedRandomDelay = true;
+      RandomizedDelaySec = "4h";
+      Persistent = true;
+    };
+    paths = [ backup_new_path ];
+    pruneOpts = [
+      "-g host,paths"
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+      "--keep-yearly 1"
+    ];
+    backupPrepareCommand = ''
+      HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh"  --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
+    '';
+  };
+
+  services.restic.backups.self = {
+    repository = restic_repo;
+    #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
+    passwordFile = config.sops.secrets.backup-pw.path;
+    timerConfig = {
+      OnCalendar = "daily";
+      FixedRandomDelay = true;
+      RandomizedDelaySec = "4h";
+      Persistent = true;
+    };
+    paths = [
+      "/etc"
+      "/var"
+      "/home"
+      "/root"
+      "/persist"
+      config.services.samba.shares.Qmultimedia.path
+    ];
+    extraBackupArgs =
+      let
+        ignorePatterns = [
+          "/mnt/raid/backup"
+          "/mnt/backup"
+          "/mnt/snap"
+          "/var/cache"
+          "/home/*/.local/share/Trash"
+          "/home/*/.cache"
+          "/home/*/Downloads"
+          "/home/*/.npm"
+          "/home/*/.local/share/containers"
+          ".cache"
+          ".tmp"
+          ".log"
+          ".Trash"
+        ];
+        ignoreFile = builtins.toFile "ignore"
+          (lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
+      in
+      [ "--exclude-file=${ignoreFile}" ];
+    pruneOpts = [
+      "-g host,paths"
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+      "--keep-yearly 1"
+    ];
+  };
+}

systems/x86_64-linux/sgx/default.nix

@@ -1,10 +1,11 @@
 { pkgs, lib, config, ... }:
-let
-  backup_new_path = "/mnt/raid/backup/hoyer/new/";
-  restic_repo = "/mnt/backup/restic-repo";
-in
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
+    ./hardware-configuration.nix
+    ./fileserver.nix
+    ./backup.nix
+    ./network.nix
+  ];
 
   sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
   sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
@@ -22,8 +23,12 @@ in
     user.extraGroups = [ "docker" "sgx" ];
   };
 
-  virtualisation.docker.enable = true;
-  virtualisation.podman.dockerCompat = false;
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+    podman.dockerCompat = false;
+  };
+  systemd.services.libvirt-guests.after = [ "network-online.target" ];
 
   system.autoUpgrade = {
     enable = true;
@@ -31,15 +36,8 @@ in
     allowReboot = true;
   };
 
-  security.tpm2.enable = false;
-  security.tpm2.abrmd.enable = false;
-
   services.pcscd.enable = true;
 
-  powerManagement.cpuFreqGovernor = "ondemand";
-
-  system.stateVersion = "23.11";
-
   environment.etc."sgx_default_qcnl.conf".text = ''
     {
       "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
@@ -53,190 +51,5 @@ in
     }
   '';
 
-  services.netatalk = {
-    enable = true;
-    settings = {
-      Homes = {
-        "basedir regex" = "/home";
-        path = "Public";
-      };
-      time-machine = {
-        path = "/mnt/backup/tm_share";
-        "valid users" = "harald";
-        "time machine" = true;
-      };
-      Qmultimedia = {
-        path = "/mnt/raid/Qmultimedia";
-      };
-    };
-  };
-
-  services.avahi = {
-    enable = true;
-    nssmdns = true;
-    publish = {
-      enable = true;
-      userServices = true;
-    };
-  };
-
-  services.samba = {
-    enable = true;
-    securityType = "user";
-    extraConfig = ''
-      read raw = Yes
-      write raw = Yes
-      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
-      min receivefile size = 16384
-      use sendfile = true
-      aio read size = 16384
-      aio write size = 16384
-      workgroup = WORKGROUP
-      server string = sgx
-      netbios name = sgx
-      security = user
-      #max protocol = smb2
-      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
-      hosts deny = ALL
-      guest account = nobody
-      map to guest = bad user
-    '';
-    shares = {
-      #    public = {
-      #      path = "/mnt/Shares/Public";
-      #      browseable = "yes";
-      #      "read only" = "no";
-      #      "guest ok" = "yes";
-      #      "create mask" = "0644";
-      #      "directory mask" = "0755";
-      #      "force user" = "username";
-      #      "force group" = "groupname";
-      #    };
-      Qmultimedia = {
-        path = "/mnt/raid/Qmultimedia";
-        browseable = "yes";
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0644";
-        "directory mask" = "0755";
-        "force user" = "harald";
-        "force group" = "users";
-      };
-    };
-  };
-
-  services.restic.backups.hoyer_new = {
-    repository = restic_repo;
-    passwordFile = config.sops.secrets.backup-pw.path;
-    timerConfig = {
-      OnCalendar = "daily";
-      FixedRandomDelay = true;
-      RandomizedDelaySec = "4h";
-      Persistent = true;
-    };
-    paths = [ backup_new_path ];
-    pruneOpts = [
-      "-g host,paths"
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-      "--keep-yearly 1"
-    ];
-    backupPrepareCommand = ''
-      HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh"  --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
-    '';
-  };
-
-  services.restic.backups.self = {
-    repository = restic_repo;
-    #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
-    passwordFile = config.sops.secrets.backup-pw.path;
-    timerConfig = {
-      OnCalendar = "daily";
-      FixedRandomDelay = true;
-      RandomizedDelaySec = "4h";
-      Persistent = true;
-    };
-    paths = [
-      "/etc"
-      "/var"
-      "/home"
-      "/root"
-      "/persist"
-      config.services.samba.shares.Qmultimedia.path
-    ];
-    extraBackupArgs =
-      let
-        ignorePatterns = [
-          "/mnt/raid/backup"
-          "/mnt/backup"
-          "/mnt/snap"
-          "/var/cache"
-          "/home/*/.local/share/Trash"
-          "/home/*/.cache"
-          "/home/*/Downloads"
-          "/home/*/.npm"
-          "/home/*/.local/share/containers"
-          ".cache"
-          ".tmp"
-          ".log"
-          ".Trash"
-        ];
-        ignoreFile = builtins.toFile "ignore"
-          (lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
-      in
-      [ "--exclude-file=${ignoreFile}" ];
-    pruneOpts = [
-      "-g host,paths"
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-      "--keep-yearly 1"
-    ];
-  };
-
-  systemd.services.libvirt-guests.after = [ "network-online.target" ];
-  virtualisation.libvirtd.enable = true;
-
-  networking.hostName = "sgx"; # Define your hostname.
-  networking.useDHCP = false;
-
-  #networking.domain = "fritz.box";
-  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
-  networking.networkmanager.enable = false; # use networkd
-  networking.dhcpcd.enable = false; # use networkd
-  # services.nscd.enableNsncd = false;
-
-  # systemd-networkd
-  systemd.network.enable = true;
-  #systemd.network.wait-online.anyInterface = true;
-  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
-
-  systemd.network.networks."10-br0" = {
-    matchConfig.Name = "br0";
-    DHCP = "yes";
-    linkConfig.RequiredForOnline = "routable";
-    linkConfig.RequiredFamilyForOnline = "both";
-  };
-
-  systemd.network.netdevs."br0" = {
-    netdevConfig = {
-      Name = "br0";
-      Kind = "bridge";
-      MACAddress = "00:a1:2f:68:07:ea";
-    };
-  };
-
-  systemd.network.networks."11-en" = {
-    linkConfig.RequiredForOnline = "enslaved";
-    matchConfig.Name = "enp3s0";
-    networkConfig = {
-      Bridge = "br0";
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 548 ];
-  networking.firewall.allowPing = true;
-  services.samba.openFirewall = true;
-
+  system.stateVersion = "23.11";
 }

systems/x86_64-linux/sgx/fileserver.nix

@@ -0,0 +1,75 @@
+{ pkgs, lib, config, ... }:
+{
+  services.netatalk = {
+    enable = true;
+    settings = {
+      Homes = {
+        "basedir regex" = "/home";
+        path = "Public";
+      };
+      time-machine = {
+        path = "/mnt/backup/tm_share";
+        "valid users" = "harald";
+        "time machine" = true;
+      };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+      };
+    };
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    securityType = "user";
+    extraConfig = ''
+      read raw = Yes
+      write raw = Yes
+      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+      min receivefile size = 16384
+      use sendfile = true
+      aio read size = 16384
+      aio write size = 16384
+      workgroup = WORKGROUP
+      server string = sgx
+      netbios name = sgx
+      security = user
+      #max protocol = smb2
+      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
+      hosts deny = ALL
+      guest account = nobody
+      map to guest = bad user
+    '';
+    shares = {
+      #    public = {
+      #      path = "/mnt/Shares/Public";
+      #      browseable = "yes";
+      #      "read only" = "no";
+      #      "guest ok" = "yes";
+      #      "create mask" = "0644";
+      #      "directory mask" = "0755";
+      #      "force user" = "username";
+      #      "force group" = "groupname";
+      #    };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "harald";
+        "force group" = "users";
+      };
+    };
+  };
+}

systems/x86_64-linux/sgx/hardware-configuration.nix

@@ -57,4 +57,8 @@
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  security.tpm2.enable = false;
+  security.tpm2.abrmd.enable = false;
+  powerManagement.cpuFreqGovernor = "ondemand";
 }

systems/x86_64-linux/sgx/network.nix

@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+{
+  networking.hostName = "sgx"; # Define your hostname.
+  networking.useDHCP = false;
+
+  #networking.domain = "fritz.box";
+  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = false; # use networkd
+  networking.dhcpcd.enable = false; # use networkd
+  # services.nscd.enableNsncd = false;
+
+  # systemd-networkd
+  systemd.network.enable = true;
+  #systemd.network.wait-online.anyInterface = true;
+  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+
+  systemd.network.networks."10-br0" = {
+    matchConfig.Name = "br0";
+    DHCP = "yes";
+    linkConfig.RequiredForOnline = "routable";
+    linkConfig.RequiredFamilyForOnline = "both";
+  };
+
+  systemd.network.netdevs."br0" = {
+    netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+      MACAddress = "00:a1:2f:68:07:ea";
+    };
+  };
+
+  systemd.network.networks."11-en" = {
+    linkConfig.RequiredForOnline = "enslaved";
+    matchConfig.Name = "enp3s0";
+    networkConfig = {
+      Bridge = "br0";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 548 ];
+  networking.firewall.allowPing = true;
+}