A new start

2024-03-21 15:00:36 +01:00 · 2024-03-21 15:00:36 +01:00 · f4e2368893
commit f4e2368893
93 changed files with 7621 additions and 0 deletions
--- a/systems/x86_64-linux/sgx/backup.nix
+++ b/systems/x86_64-linux/sgx/backup.nix
@ -0,0 +1,76 @@
+{ pkgs, lib, config, ... }:
+let
+  backup_new_path = "/mnt/raid/backup/hoyer/new/";
+  restic_repo = "/mnt/backup/restic-repo";
+in
+{
+  services.restic.backups.hoyer_new = {
+    repository = restic_repo;
+    passwordFile = config.sops.secrets.backup-pw.path;
+    timerConfig = {
+      OnCalendar = "daily";
+      FixedRandomDelay = true;
+      RandomizedDelaySec = "4h";
+      Persistent = true;
+    };
+    paths = [ backup_new_path ];
+    pruneOpts = [
+      "-g host,paths"
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+      "--keep-yearly 1"
+    ];
+    backupPrepareCommand = ''
+      HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh"  --exclude-from /root/excludelist --no-specials --no-devices --numeric-ids --delete-after --partial -axz backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
+    '';
+  };
+
+  services.restic.backups.self = {
+    repository = restic_repo;
+    #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
+    passwordFile = config.sops.secrets.backup-pw.path;
+    timerConfig = {
+      OnCalendar = "daily";
+      FixedRandomDelay = true;
+      RandomizedDelaySec = "4h";
+      Persistent = true;
+    };
+    paths = [
+      "/etc"
+      "/var"
+      "/home"
+      "/root"
+      "/persist"
+      config.services.samba.shares.Qmultimedia.path
+    ];
+    extraBackupArgs =
+      let
+        ignorePatterns = [
+          "/mnt/raid/backup"
+          "/mnt/backup"
+          "/mnt/snap"
+          "/var/cache"
+          "/home/*/.local/share/Trash"
+          "/home/*/.cache"
+          "/home/*/Downloads"
+          "/home/*/.npm"
+          "/home/*/.local/share/containers"
+          ".cache"
+          ".tmp"
+          ".log"
+          ".Trash"
+        ];
+        ignoreFile = builtins.toFile "ignore"
+          (lib.foldl (a: b: a + "\n" + b) "" ignorePatterns);
+      in
+      [ "--exclude-file=${ignoreFile}" ];
+    pruneOpts = [
+      "-g host,paths"
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+      "--keep-yearly 1"
+    ];
+  };
+}
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@ -0,0 +1,55 @@
+{ pkgs, lib, config, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./fileserver.nix
+    ./backup.nix
+    ./network.nix
+  ];
+
+  sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
+  sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;
+
+  metacfg = {
+    base.enable = true;
+    gui.enable = false;
+    nix-ld.enable = true;
+    nix.enable = true;
+    aesmd_dcap.enable = true;
+    pccs.enable = true;
+    pccs.secret = config.sops.secrets.pccs.path;
+    podman.enable = true;
+    secureboot.enable = true;
+    user.extraGroups = [ "docker" "sgx" ];
+  };
+
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+    podman.dockerCompat = false;
+  };
+  systemd.services.libvirt-guests.after = [ "network-online.target" ];
+
+  system.autoUpgrade = {
+    enable = true;
+    operation = "switch";
+    allowReboot = true;
+  };
+
+  services.pcscd.enable = true;
+
+  environment.etc."sgx_default_qcnl.conf".text = ''
+    {
+      "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
+      "use_secure_cert": false,
+      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+      "retry_times": 6,
+      "retry_delay": 10,
+      "pck_cache_expire_hours": 168,
+      "verify_collateral_cache_expire_hours": 168,
+      "local_cache_only": false
+    }
+  '';
+
+  system.stateVersion = "23.11";
+}
--- a/systems/x86_64-linux/sgx/fileserver.nix
+++ b/systems/x86_64-linux/sgx/fileserver.nix
@ -0,0 +1,75 @@
+{ pkgs, lib, config, ... }:
+{
+  services.netatalk = {
+    enable = true;
+    settings = {
+      Homes = {
+        "basedir regex" = "/home";
+        path = "Public";
+      };
+      time-machine = {
+        path = "/mnt/backup/tm_share";
+        "valid users" = "harald";
+        "time machine" = true;
+      };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+      };
+    };
+  };
+
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      userServices = true;
+    };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    securityType = "user";
+    extraConfig = ''
+      read raw = Yes
+      write raw = Yes
+      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
+      min receivefile size = 16384
+      use sendfile = true
+      aio read size = 16384
+      aio write size = 16384
+      workgroup = WORKGROUP
+      server string = sgx
+      netbios name = sgx
+      security = user
+      #max protocol = smb2
+      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
+      hosts deny = ALL
+      guest account = nobody
+      map to guest = bad user
+    '';
+    shares = {
+      #    public = {
+      #      path = "/mnt/Shares/Public";
+      #      browseable = "yes";
+      #      "read only" = "no";
+      #      "guest ok" = "yes";
+      #      "create mask" = "0644";
+      #      "directory mask" = "0755";
+      #      "force user" = "username";
+      #      "force group" = "groupname";
+      #    };
+      Qmultimedia = {
+        path = "/mnt/raid/Qmultimedia";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "harald";
+        "force group" = "users";
+      };
+    };
+  };
+}
--- a/systems/x86_64-linux/sgx/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
@ -0,0 +1,64 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  boot.blacklistedKernelModules = [ "iwlwifi" "snd_hda_intel" "hdaudio" "btintel" "bluetooth" ];
+  boot.extraModprobeConfig = "options kvm_intel nested=1";
+
+  services.btrfs.autoScrub.enable = true;
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+      neededForBoot = true;
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/C902-1AF5";
+      fsType = "vfat";
+    };
+
+    "/mnt/raid" = {
+      fsType = "btrfs";
+      device = "/dev/disk/by-uuid/11727be7-bf9b-4888-8b02-d7eb1f898712";
+      options = [ "defaults" "compress=zstd" "subvol=root" "autodefrag" "noatime" "nofail" "x-systemd.device-timeout=60" ];
+    };
+
+    "/mnt/backup" = {
+      fsType = "btrfs";
+      device = "/dev/disk/by-uuid/c29e7eac-26ba-41b1-ac3e-11123476b7c5";
+      options = [ "defaults" "compress=zstd" "subvol=root" "autodefrag" "noatime" "nofail" "x-systemd.device-timeout=60" ];
+    };
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];
+
+  environment.etc."crypttab".text = ''
+    a16 /dev/disk/by-uuid/6f1c1b24-3c94-44be-8d1b-70db562079c1 /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
+    b16 /dev/disk/by-uuid/9540de6d-c907-43e4-b740-2d75dbf37135 /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
+    a4  /dev/disk/by-uuid/72924bd6-3d58-4437-aafd-ae6d2b995fbf /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
+    b4  /dev/disk/by-uuid/459c8d9a-6e92-4dec-a998-701ab9e76a2e /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
+    c4  /dev/disk/by-uuid/5c61cbf0-dbca-48e0-948e-71bea3806a6c /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
+  '';
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  security.tpm2.enable = false;
+  security.tpm2.abrmd.enable = false;
+  powerManagement.cpuFreqGovernor = "ondemand";
+}
--- a/systems/x86_64-linux/sgx/network.nix
+++ b/systems/x86_64-linux/sgx/network.nix
@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+{
+  networking.hostName = "sgx"; # Define your hostname.
+  networking.useDHCP = false;
+
+  #networking.domain = "fritz.box";
+  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = false; # use networkd
+  networking.dhcpcd.enable = false; # use networkd
+  # services.nscd.enableNsncd = false;
+
+  # systemd-networkd
+  systemd.network.enable = true;
+  #systemd.network.wait-online.anyInterface = true;
+  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+
+  systemd.network.networks."10-br0" = {
+    matchConfig.Name = "br0";
+    DHCP = "yes";
+    linkConfig.RequiredForOnline = "routable";
+    linkConfig.RequiredFamilyForOnline = "both";
+  };
+
+  systemd.network.netdevs."br0" = {
+    netdevConfig = {
+      Name = "br0";
+      Kind = "bridge";
+      MACAddress = "00:a1:2f:68:07:ea";
+    };
+  };
+
+  systemd.network.networks."11-en" = {
+    linkConfig.RequiredForOnline = "enslaved";
+    matchConfig.Name = "enp3s0";
+    networkConfig = {
+      Bridge = "br0";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 548 ];
+  networking.firewall.allowPing = true;
+}