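{ pkgs, lib, config, ... }:
let
  # Staging directory the remote host is rsynced into before restic snapshots
  # it.  It lives on the raid array, outside the restic repository itself.
  backup_new_path = "/mnt/raid/backup/hoyer/new/";
  restic_repo = "/mnt/backup/restic-repo";

  # Both restic jobs run on the same schedule and keep the same history, so the
  # timer and the retention policy are defined once and shared below.
  resticTimer = {
    OnCalendar = "daily";
    FixedRandomDelay = true;
    RandomizedDelaySec = "4h";
    Persistent = true;
  };
  resticPrune = [
    "-g host,paths"
    "--keep-daily 7"
    "--keep-weekly 4"
    "--keep-monthly 3"
    "--keep-yearly 1"
  ];
in
{
  imports = [ ./hardware-configuration.nix ];

  # Secrets are decrypted by sops-nix at activation; only the resulting file
  # path is handed to the consuming service, never the plaintext.
  sops.secrets.pccs.sopsFile = ../../../.secrets/sgx/pccs.yaml;
  sops.secrets.backup-pw.sopsFile = ../../../.secrets/sgx/backup-s3.yaml;

  metacfg = {
    base.enable = true;
    gui.enable = false;
    nix-ld.enable = true;
    nix.enable = true;
    pccs.enable = true;
    pccs.secret = config.sops.secrets.pccs.path;
    podman.enable = true;
    secureboot.enable = true;
    # NOTE(review): "docker" group membership is effectively root on this host
    # (anyone with the daemon socket can mount any path into a privileged
    # container); "sgx" is needed for the enclave device nodes.
    user.extraGroups = [ "docker" "sgx" ];
  };

  virtualisation.docker.enable = true;
  virtualisation.podman.dockerCompat = false;

  # Unattended upgrades are allowed to reboot the machine; libvirt guests are
  # handled by libvirt-guests, which is ordered after network-online below.
  system.autoUpgrade = {
    enable = true;
    operation = "switch";
    allowReboot = true;
  };

  security.tpm2.enable = false;
  security.tpm2.abrmd.enable = false;

  # SGX remote attestation: aesmd fetches PCK certificates and collateral via
  # the DCAP default quote provider library, configured by
  # /etc/sgx_default_qcnl.conf (written further down).
  services.aesmd = {
    enable = true;
    quoteProviderLibrary = pkgs.nixsgx.sgx-dcap.default_qpl;
  };
  systemd.services.aesmd = {
    # The QPL loads libcurl at runtime; mkForce replaces the module's default
    # search path rather than appending to it.
    environment.LD_LIBRARY_PATH = lib.mkForce (lib.makeLibraryPath [
      pkgs.nixsgx.sgx-dcap.default_qpl
      pkgs.curl.out
    ]);
    # aesmd is sandboxed, so the QCNL config has to be bind-mounted in read-only.
    serviceConfig.BindReadOnlyPaths = [ "/etc/sgx_default_qcnl.conf" ];
  };

  services.pcscd.enable = true;
  powerManagement.cpuFreqGovernor = "ondemand";
  system.stateVersion = "23.11";

  # Quote provider (QCNL) configuration.
  # "use_secure_cert": false turns off TLS certificate verification towards
  # the PCCS.  That is only tolerable because pccs_url points at the local
  # PCCS on loopback (metacfg.pccs above).  If pccs_url is ever changed to a
  # remote host, set "use_secure_cert" to true, otherwise PCK certificates and
  # collateral could be served by a man-in-the-middle.
  environment.etc."sgx_default_qcnl.conf".text = ''
    {
      "pccs_url": "https://127.0.0.1:8081/sgx/certification/v4/",
      "use_secure_cert": false,
      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';

  # AFP shares (TCP 548 is opened in the firewall at the bottom).  Unlike the
  # Samba configuration there is no host ACL here, so every client that can
  # reach the port gets as far as authentication.
  services.netatalk = {
    enable = true;
    settings = {
      Homes = {
        "basedir regex" = "/home";
        path = "Public";
      };
      time-machine = {
        path = "/mnt/backup/tm_share";
        "valid users" = "harald";
        "time machine" = true;
      };
      Qmultimedia = {
        path = "/mnt/raid/Qmultimedia";
      };
    };
  };

  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
    };
  };

  services.samba = {
    enable = true;
    securityType = "user";
    extraConfig = ''
      read raw = Yes
      write raw = Yes
      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
      min receivefile size = 16384
      use sendfile = true
      aio read size = 16384
      aio write size = 16384
      workgroup = WORKGROUP
      server string = sgx
      netbios name = sgx
      security = user
      #max protocol = smb2
      # This host ACL is the only thing narrowing the Samba ports that
      # services.samba.openFirewall opens on every interface.
      # NOTE(review): 2003::/16 is an entire provider prefix, not this LAN;
      # tighten it to the /56 or /64 actually delegated to this site.
      hosts allow = 192.168.178. 127.0.0.1 localhost 2003::/16 ::1
      hosts deny = ALL
      # Unknown usernames are mapped to the guest account; since every share
      # below sets "guest ok = no", such a session cannot open anything.
      guest account = nobody
      map to guest = bad user
    '';
    shares = {
      # public = {
      #   path = "/mnt/Shares/Public";
      #   browseable = "yes";
      #   "read only" = "no";
      #   "guest ok" = "yes";
      #   "create mask" = "0644";
      #   "directory mask" = "0755";
      #   "force user" = "username";
      #   "force group" = "groupname";
      # };
      Qmultimedia = {
        path = "/mnt/raid/Qmultimedia";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        # Every write lands as harald:users no matter which Samba account
        # authenticated.  No "valid users" is set, so any account in the Samba
        # password database gets write access under harald's identity; add
        # "valid users" (as the netatalk time-machine share does) before more
        # Samba users are created.
        "force user" = "harald";
        "force group" = "users";
      };
    };
  };

  # Pull backup of the remote host into the staging directory, then snapshot it.
  services.restic.backups.hoyer_new = {
    repository = restic_repo;
    passwordFile = config.sops.secrets.backup-pw.path;
    timerConfig = resticTimer;
    paths = [ backup_new_path ];
    pruneOpts = resticPrune;
    # Runs as root right before the restic backup.  ssh has no tty here, so
    # with the default StrictHostKeyChecking=ask an unknown or changed host key
    # for mx.surfsite.org should abort the transfer (fail-closed); the key must
    # already be present in /root/.ssh/known_hosts.  /root/excludelist lives
    # outside the Nix store and rsync fails if it is missing.
    backupPrepareCommand = ''
      HOME=/root ${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh" \
        --exclude-from /root/excludelist \
        --no-specials --no-devices --numeric-ids --delete-after --partial -axz \
        backup@mx.surfsite.org:/{etc,var,home,root} ${backup_new_path}
    '';
  };

  # Backup of this host itself into the same repository (-g host,paths keeps
  # the two jobs' retention independent).
  services.restic.backups.self = {
    repository = restic_repo;
    #repository = "s3:nas2a6e8f.myqnapcloud.com:8081/backup";
    passwordFile = config.sops.secrets.backup-pw.path;
    timerConfig = resticTimer;
    paths = [
      "/etc"
      "/var"
      "/home"
      "/root"
      "/persist"
      config.services.samba.shares.Qmultimedia.path
    ];
    extraBackupArgs =
      let
        ignorePatterns = [
          "/mnt/raid/backup"
          "/mnt/backup"
          "/mnt/snap"
          "/var/cache"
          "/home/*/.local/share/Trash"
          "/home/*/.cache"
          "/home/*/Downloads"
          "/home/*/.npm"
          "/home/*/.local/share/containers"
          ".cache"
          ".tmp"
          ".log"
          ".Trash"
        ];
        # One pattern per line in the exclude file.
        ignoreFile = builtins.toFile "ignore" (lib.concatStringsSep "\n" ignorePatterns);
      in
      [ "--exclude-file=${ignoreFile}" ];
    pruneOpts = resticPrune;
  };

  # Guests are only (re)started once the network is up.
  systemd.services.libvirt-guests.after = [ "network-online.target" ];
  virtualisation.libvirtd.enable = true;

  networking.hostName = "sgx";
  networking.useDHCP = false;
  #networking.domain = "fritz.box";
  networking.wireless.enable = false;
  networking.networkmanager.enable = false; # use networkd
  networking.dhcpcd.enable = false; # use networkd
  # services.nscd.enableNsncd = false;

  # systemd-networkd: enp3s0 is enslaved to the bridge br0, and br0 itself is
  # the addressed interface (DHCP).  The bridge presumably also carries the
  # libvirt guests, so anything listening on all interfaces is reachable from
  # them as well.
  systemd.network.enable = true;
  #systemd.network.wait-online.anyInterface = true;
  #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
  systemd.network.networks."10-br0" = {
    matchConfig.Name = "br0";
    DHCP = "yes";
    linkConfig.RequiredForOnline = "routable";
    linkConfig.RequiredFamilyForOnline = "both";
  };
  systemd.network.netdevs."br0" = {
    netdevConfig = {
      Name = "br0";
      Kind = "bridge";
      MACAddress = "00:a1:2f:68:07:ea";
    };
  };
  systemd.network.networks."11-en" = {
    linkConfig.RequiredForOnline = "enslaved";
    matchConfig.Name = "enp3s0";
    networkConfig = {
      Bridge = "br0";
    };
  };

  # Inbound: AFP (548) and the Samba ports, on every interface.  Samba's
  # "hosts allow" above is what limits who may actually talk to smbd; netatalk
  # has no equivalent restriction in this configuration.
  networking.firewall.allowedTCPPorts = [ 548 ];
  networking.firewall.allowPing = true;
  services.samba.openFirewall = true;
}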