diff options
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/sif/default.nix | 355 | ||||
-rw-r--r-- | hosts/sif/hw.nix | 35 | ||||
-rw-r--r-- | hosts/sif/mail/default.nix | 66 | ||||
-rw-r--r-- | hosts/sif/mail/secrets.yaml | 33 | ||||
-rw-r--r-- | hosts/sif/wacom.conf | 15 | ||||
-rw-r--r-- | hosts/surtr/default.nix | 126 | ||||
-rw-r--r-- | hosts/surtr/dns/default.nix | 92 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/email.nights.soa | 38 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.141.soa | 50 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.kleen.soa | 40 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.xmpp.soa | 40 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 58 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/org.dirty-haskell.soa | 32 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/org.praseodym.soa | 45 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/org.rheperire.soa | 25 | ||||
-rw-r--r-- | hosts/surtr/tls.nix | 70 | ||||
-rw-r--r-- | hosts/surtr/zfs.nix | 101 |
17 files changed, 1221 insertions, 0 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix new file mode 100644 index 00000000..c0b7f50c --- /dev/null +++ b/hosts/sif/default.nix | |||
@@ -0,0 +1,355 @@ | |||
1 | { flake, pkgs, customUtils, lib, config, path, ... }: | ||
2 | { | ||
3 | imports = with flake.nixosModules.systemProfiles; [ | ||
4 | ./hw.nix | ||
5 | |||
6 | initrd-all-crypto-modules default-locale openssh | ||
7 | ]; | ||
8 | |||
9 | config = { | ||
10 | nixpkgs = { | ||
11 | system = "x86_64-linux"; | ||
12 | config = { | ||
13 | allowUnfree = true; | ||
14 | }; | ||
15 | }; | ||
16 | |||
17 | boot = { | ||
18 | initrd = { | ||
19 | luks.devices = { | ||
20 | nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; | ||
21 | nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; | ||
22 | }; | ||
23 | availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; | ||
24 | kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ]; | ||
25 | }; | ||
26 | |||
27 | blacklistedKernelModules = [ "nouveau" ]; | ||
28 | |||
29 | # Use the systemd-boot EFI boot loader. | ||
30 | loader = { | ||
31 | systemd-boot.enable = true; | ||
32 | efi.canTouchEfiVariables = true; | ||
33 | timeout = null; | ||
34 | }; | ||
35 | |||
36 | plymouth.enable = true; | ||
37 | |||
38 | kernelPackages = pkgs.linuxPackages_latest; | ||
39 | kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ]; | ||
40 | extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; | ||
41 | kernelModules = ["v4l2loopback"]; | ||
42 | |||
43 | tmpOnTmpfs = true; | ||
44 | }; | ||
45 | |||
46 | networking = { | ||
47 | domain = "midgard.yggdrasil"; | ||
48 | hosts = { | ||
49 | "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ]; | ||
50 | "::1" = [ "sif.midgard.yggdrasil" "sif" ]; | ||
51 | }; | ||
52 | |||
53 | firewall = { | ||
54 | enable = true; | ||
55 | allowedTCPPorts = [ 22 # ssh | ||
56 | 8000 # quickserve | ||
57 | ]; | ||
58 | allowedUDPPorts = [ 8554 # gopro webcam | ||
59 | ]; | ||
60 | }; | ||
61 | |||
62 | networkmanager = { | ||
63 | enable = true; | ||
64 | dhcp = "internal"; | ||
65 | dns = lib.mkForce "dnsmasq"; | ||
66 | extraConfig = '' | ||
67 | [connectivity] | ||
68 | uri=https://online.yggdrasil.li | ||
69 | ''; | ||
70 | }; | ||
71 | |||
72 | wlanInterfaces = { | ||
73 | wlan0 = { | ||
74 | device = "wlp82s0"; | ||
75 | }; | ||
76 | }; | ||
77 | |||
78 | bonds = { | ||
79 | "lan" = { | ||
80 | interfaces = [ "wlan0" "enp0s31f6" "dock0" ]; | ||
81 | driverOptions = { | ||
82 | miimon = "1000"; | ||
83 | mode = "active-backup"; | ||
84 | primary_reselect = "always"; | ||
85 | }; | ||
86 | }; | ||
87 | }; | ||
88 | |||
89 | dhcpcd.enable = false; | ||
90 | useDHCP = false; | ||
91 | useNetworkd = true; | ||
92 | |||
93 | interfaces.yggdrasil = { | ||
94 | virtual = true; | ||
95 | virtualType = config.services.tinc.networks.yggdrasil.interfaceType; | ||
96 | macAddress = "5c:93:21:c3:61:39"; | ||
97 | }; | ||
98 | }; | ||
99 | |||
100 | systemd.services."NetworkManager-wait-online".enable = false; | ||
101 | systemd.services."systemd-networkd-wait-online".enable = false; | ||
102 | |||
103 | environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = { | ||
104 | text = '' | ||
105 | server=/sif.libvirt/192.168.122.1 | ||
106 | ''; | ||
107 | }; | ||
108 | |||
109 | services.openssh.enable = true; | ||
110 | |||
111 | powerManagement = { | ||
112 | enable = true; | ||
113 | |||
114 | cpuFreqGovernor = "schedutil"; | ||
115 | }; | ||
116 | |||
117 | environment.systemPackages = with pkgs; [ | ||
118 | nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui | ||
119 | ]; | ||
120 | |||
121 | services = { | ||
122 | tinc.yggdrasil.enable = true; | ||
123 | |||
124 | uucp = { | ||
125 | enable = true; | ||
126 | nodeName = "sif"; | ||
127 | remoteNodes = { | ||
128 | "ymir" = { | ||
129 | publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"]; | ||
130 | hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; | ||
131 | }; | ||
132 | }; | ||
133 | |||
134 | defaultCommands = lib.mkForce []; | ||
135 | }; | ||
136 | |||
137 | avahi.enable = true; | ||
138 | |||
139 | fwupd.enable = true; | ||
140 | |||
141 | fprintd.enable = true; | ||
142 | |||
143 | blueman.enable = true; | ||
144 | |||
145 | colord.enable = true; | ||
146 | |||
147 | vnstat.enable = true; | ||
148 | |||
149 | logind = { | ||
150 | lidSwitch = "suspend"; | ||
151 | lidSwitchDocked = "lock"; | ||
152 | lidSwitchExternalPower = "lock"; | ||
153 | }; | ||
154 | |||
155 | atd = { | ||
156 | enable = true; | ||
157 | allowEveryone = true; | ||
158 | }; | ||
159 | |||
160 | xserver = { | ||
161 | enable = true; | ||
162 | |||
163 | layout = "us"; | ||
164 | xkbVariant = "dvp"; | ||
165 | xkbOptions = "compose:caps"; | ||
166 | |||
167 | displayManager.lightdm = { | ||
168 | enable = true; | ||
169 | greeters.gtk = { | ||
170 | clock-format = "%H:%M %a %b %_d"; | ||
171 | indicators = ["~host" "~spacer" "~clock" "~session" "~power"]; | ||
172 | theme = { | ||
173 | package = pkgs.equilux-theme; | ||
174 | name = "Equilux-compact"; | ||
175 | }; | ||
176 | iconTheme = { | ||
177 | package = pkgs.paper-icon-theme; | ||
178 | name = "Paper"; | ||
179 | }; | ||
180 | extraConfig = '' | ||
181 | background = #000000 | ||
182 | user-background = false | ||
183 | active-monitor = #cursor | ||
184 | hide-user-image = true | ||
185 | |||
186 | [monitor: DP-2] | ||
187 | laptop = true | ||
188 | ''; | ||
189 | }; | ||
190 | }; | ||
191 | |||
192 | displayManager.setupCommands = '' | ||
193 | ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad' | ||
194 | ''; | ||
195 | |||
196 | desktopManager.xterm.enable = true; | ||
197 | windowManager.twm.enable = true; | ||
198 | displayManager.defaultSession = "xterm+twm"; | ||
199 | |||
200 | wacom.enable = true; | ||
201 | libinput.enable = true; | ||
202 | |||
203 | dpi = 282; | ||
204 | |||
205 | videoDrivers = [ "nvidia" ]; | ||
206 | |||
207 | screenSection = '' | ||
208 | Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }" | ||
209 | ''; | ||
210 | |||
211 | deviceSection = '' | ||
212 | Option "AccelMethod" "SNA" | ||
213 | Option "TearFree" "True" | ||
214 | ''; | ||
215 | |||
216 | exportConfiguration = true; | ||
217 | }; | ||
218 | }; | ||
219 | |||
220 | users = { | ||
221 | users.gkleen.extraGroups = [ "media" ]; | ||
222 | groups.media = {}; | ||
223 | }; | ||
224 | |||
225 | hardware = { | ||
226 | pulseaudio = { | ||
227 | enable = true; | ||
228 | package = with pkgs; pulseaudioFull; | ||
229 | support32Bit = true; | ||
230 | }; | ||
231 | |||
232 | bluetooth = { | ||
233 | enable = true; | ||
234 | settings = { | ||
235 | General = { | ||
236 | Enable = "Source,Sink,Media,Socket"; | ||
237 | }; | ||
238 | }; | ||
239 | }; | ||
240 | |||
241 | trackpoint = { | ||
242 | enable = true; | ||
243 | emulateWheel = true; | ||
244 | sensitivity = 255; | ||
245 | speed = 255; | ||
246 | }; | ||
247 | |||
248 | nvidia = { | ||
249 | modesetting.enable = true; | ||
250 | prime = { | ||
251 | nvidiaBusId = "PCI:1:0:0"; | ||
252 | intelBusId = "PCI:0:2:0"; | ||
253 | sync.enable = true; | ||
254 | }; | ||
255 | }; | ||
256 | |||
257 | opengl = { | ||
258 | enable = true; | ||
259 | driSupport32Bit = true; | ||
260 | setLdLibraryPath = true; | ||
261 | }; | ||
262 | |||
263 | firmware = [ pkgs.firmwareLinuxNonfree ]; | ||
264 | }; | ||
265 | |||
266 | sound.enable = true; | ||
267 | |||
268 | nix = { | ||
269 | autoOptimiseStore = true; | ||
270 | daemonNiceLevel = 10; | ||
271 | daemonIONiceLevel = 3; | ||
272 | }; | ||
273 | |||
274 | environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; | ||
275 | |||
276 | systemd.services."ac-plugged" = { | ||
277 | description = "Inhibit handling of lid-switch and sleep"; | ||
278 | |||
279 | path = with pkgs; [ systemd coreutils ]; | ||
280 | |||
281 | script = '' | ||
282 | exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity | ||
283 | ''; | ||
284 | |||
285 | serviceConfig = { | ||
286 | Type = "simple"; | ||
287 | }; | ||
288 | }; | ||
289 | |||
290 | services.udev.extraRules = with pkgs; lib.mkAfter '' | ||
291 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service" | ||
292 | SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service" | ||
293 | ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0" | ||
294 | ''; | ||
295 | |||
296 | services.borgbackup = { | ||
297 | snapshots = "btrfs"; | ||
298 | prefix = "yggdrasil.midgard.sif."; | ||
299 | targets = { | ||
300 | "munin" = { | ||
301 | repo = "borg.munin:borg"; | ||
302 | paths = [ "/home/gkleen" ]; | ||
303 | prune = { | ||
304 | "home" = | ||
305 | [ "--keep-within" "24H" | ||
306 | "--keep-daily" "31" | ||
307 | "--keep-monthly" "12" | ||
308 | "--keep-yearly" "-1" | ||
309 | ]; | ||
310 | }; | ||
311 | keyFile = "/run/secrets/borg-repokey--borg_munin__borg"; | ||
312 | }; | ||
313 | }; | ||
314 | }; | ||
315 | sops.secrets.borg-repokey--borg_munin__borg = { | ||
316 | sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml"; | ||
317 | key = "key"; | ||
318 | }; | ||
319 | |||
320 | services.btrfs.autoScrub = { | ||
321 | enable = true; | ||
322 | fileSystems = [ "/" "/home" ]; | ||
323 | interval = "weekly"; | ||
324 | }; | ||
325 | |||
326 | systemd.services."nix-daemon".serviceConfig = { | ||
327 | MemoryAccounting = true; | ||
328 | MemoryHigh = "50%"; | ||
329 | MemoryMax = "75%"; | ||
330 | }; | ||
331 | |||
332 | services.journald.extraConfig = '' | ||
333 | SystemMaxUse=100M | ||
334 | ''; | ||
335 | |||
336 | services.dbus.packages = with pkgs; | ||
337 | [ dbus gnome3.dconf | ||
338 | ]; | ||
339 | |||
340 | programs = { | ||
341 | light.enable = true; | ||
342 | wireshark.enable = true; | ||
343 | }; | ||
344 | |||
345 | virtualisation.libvirtd = { | ||
346 | enable = true; | ||
347 | }; | ||
348 | |||
349 | zramSwap.enable = true; | ||
350 | |||
351 | services.pcscd.enable = true; | ||
352 | |||
353 | system.stateVersion = "20.03"; | ||
354 | }; | ||
355 | } | ||
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix new file mode 100644 index 00000000..92afb7c9 --- /dev/null +++ b/hosts/sif/hw.nix | |||
@@ -0,0 +1,35 @@ | |||
1 | { config, lib, pkgs, ... }: | ||
2 | |||
3 | { | ||
4 | fileSystems."/" = | ||
5 | { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2"; | ||
6 | fsType = "btrfs"; | ||
7 | }; | ||
8 | |||
9 | fileSystems."/boot" = | ||
10 | { device = "/dev/disk/by-uuid/B3A2-D029"; | ||
11 | fsType = "vfat"; | ||
12 | }; | ||
13 | |||
14 | fileSystems."/home" = | ||
15 | { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28"; | ||
16 | fsType = "btrfs"; | ||
17 | }; | ||
18 | |||
19 | fileSystems."/var/media" = | ||
20 | { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096"; | ||
21 | fsType = "btrfs"; | ||
22 | }; | ||
23 | |||
24 | swapDevices = | ||
25 | [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; } | ||
26 | ]; | ||
27 | |||
28 | nix.maxJobs = 12; | ||
29 | # High-DPI console | ||
30 | console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; | ||
31 | |||
32 | hardware.cpu.intel.updateMicrocode = true; | ||
33 | |||
34 | hardware.enableRedistributableFirmware = true; | ||
35 | } | ||
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix new file mode 100644 index 00000000..29bfb4f1 --- /dev/null +++ b/hosts/sif/mail/default.nix | |||
@@ -0,0 +1,66 @@ | |||
1 | { config, pkgs, ... }: | ||
2 | { | ||
3 | services.postfix = { | ||
4 | enable = true; | ||
5 | enableSmtp = true; | ||
6 | enableSubmission = false; | ||
7 | setSendmail = true; | ||
8 | networksStyle = "host"; | ||
9 | hostname = "sif.midgard.yggdrasil"; | ||
10 | destination = []; | ||
11 | relayHost = "uucp:ymir"; | ||
12 | recipientDelimiter = "+"; | ||
13 | masterConfig = { | ||
14 | uucp = { | ||
15 | type = "unix"; | ||
16 | private = true; | ||
17 | privileged = true; | ||
18 | chroot = false; | ||
19 | command = "pipe"; | ||
20 | args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ]; | ||
21 | }; | ||
22 | }; | ||
23 | transport = '' | ||
24 | odin.asgard.yggdrasil uucp:odin | ||
25 | ''; | ||
26 | config = { | ||
27 | always_bcc = "gkleen+sent@odin.asgard.yggdrasil"; | ||
28 | |||
29 | default_transport = "uucp:ymir"; | ||
30 | |||
31 | inet_interfaces = "loopback-only"; | ||
32 | |||
33 | authorized_submit_users = ["!uucp" "static:anyone"]; | ||
34 | message_size_limit = "0"; | ||
35 | |||
36 | sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" '' | ||
37 | /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de | ||
38 | /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587 | ||
39 | /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de | ||
40 | ''}''; | ||
41 | sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" '' | ||
42 | /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de | ||
43 | /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de | ||
44 | ''}''; | ||
45 | |||
46 | smtp_sasl_auth_enable = true; | ||
47 | smtp_sender_dependent_authentication = true; | ||
48 | smtp_sasl_tls_security_options = "noanonymous"; | ||
49 | smtp_sasl_mechanism_filter = ["plain"]; | ||
50 | smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd"; | ||
51 | smtp_cname_overrides_servername = false; | ||
52 | smtp_always_send_ehlo = true; | ||
53 | smtp_tls_security_level = "dane"; | ||
54 | |||
55 | smtp_tls_loglevel = "1"; | ||
56 | smtp_dns_support_level = "dnssec"; | ||
57 | }; | ||
58 | }; | ||
59 | |||
60 | sops.secrets.postfix-sasl-passwd = { | ||
61 | key = "sasl-passwd"; | ||
62 | path = "/var/db/postfix/sasl_passwd"; | ||
63 | owner = "postfix"; | ||
64 | sopsFile = ./secrets.yaml; | ||
65 | }; | ||
66 | } | ||
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml new file mode 100644 index 00000000..06a2ad40 --- /dev/null +++ b/hosts/sif/mail/secrets.yaml | |||
@@ -0,0 +1,33 @@ | |||
1 | sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str] | ||
2 | sops: | ||
3 | kms: [] | ||
4 | gcp_kms: [] | ||
5 | azure_kv: [] | ||
6 | hc_vault: [] | ||
7 | lastmodified: '2021-01-18T09:46:15Z' | ||
8 | mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str] | ||
9 | pgp: | ||
10 | - created_at: '2021-01-02T19:29:14Z' | ||
11 | enc: | | ||
12 | -----BEGIN PGP MESSAGE----- | ||
13 | |||
14 | hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw | ||
15 | 4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb | ||
16 | 0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9 | ||
17 | Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl | ||
18 | =7rOv | ||
19 | -----END PGP MESSAGE----- | ||
20 | fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8 | ||
21 | - created_at: '2021-01-02T19:29:14Z' | ||
22 | enc: | | ||
23 | -----BEGIN PGP MESSAGE----- | ||
24 | |||
25 | hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw | ||
26 | 8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz | ||
27 | 0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F | ||
28 | ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC | ||
29 | =E/qh | ||
30 | -----END PGP MESSAGE----- | ||
31 | fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 | ||
32 | unencrypted_suffix: _unencrypted | ||
33 | version: 3.6.1 | ||
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf new file mode 100644 index 00000000..864409f1 --- /dev/null +++ b/hosts/sif/wacom.conf | |||
@@ -0,0 +1,15 @@ | |||
1 | Section "InputClass" | ||
2 | Identifier "Wacom USB device class" | ||
3 | MatchUSBID "056a:*" | ||
4 | MatchDevicePath "/dev/input/event*" | ||
5 | Driver "wacom" | ||
6 | EndSection | ||
7 | |||
8 | Section "InputClass" | ||
9 | Identifier "calibration" | ||
10 | MatchProduct "Wacom USB device class" | ||
11 | Option "MinX" "58" | ||
12 | Option "MaxX" "30982" | ||
13 | Option "MinY" "87" | ||
14 | Option "MaxY" "17328" | ||
15 | EndSection \ No newline at end of file | ||
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix new file mode 100644 index 00000000..72ed81ae --- /dev/null +++ b/hosts/surtr/default.nix | |||
@@ -0,0 +1,126 @@ | |||
1 | { flake, pkgs, lib, ... }: | ||
2 | { | ||
3 | imports = with flake.nixosModules.systemProfiles; [ | ||
4 | qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix | ||
5 | ]; | ||
6 | |||
7 | config = { | ||
8 | nixpkgs = { | ||
9 | system = "x86_64-linux"; | ||
10 | }; | ||
11 | |||
12 | networking.hostId = "a64cf4d7"; | ||
13 | environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc"; | ||
14 | |||
15 | boot = { | ||
16 | loader.grub = { | ||
17 | enable = true; | ||
18 | version = 2; | ||
19 | device = "/dev/vda"; | ||
20 | }; | ||
21 | |||
22 | kernelPackages = pkgs.linuxPackages_latest; | ||
23 | |||
24 | tmpOnTmpfs = true; | ||
25 | |||
26 | supportedFilesystems = [ "zfs" ]; | ||
27 | zfs = { | ||
28 | enableUnstable = true; | ||
29 | devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id | ||
30 | }; | ||
31 | |||
32 | kernelModules = ["ptp_kvm"]; | ||
33 | }; | ||
34 | |||
35 | fileSystems = { | ||
36 | "/" = { | ||
37 | fsType = "tmpfs"; | ||
38 | options = [ "mode=0755" ]; | ||
39 | }; | ||
40 | |||
41 | "/boot" = | ||
42 | { device = "/dev/disk/by-label/boot"; | ||
43 | fsType = "vfat"; | ||
44 | }; | ||
45 | }; | ||
46 | |||
47 | networking = { | ||
48 | hostName = "surtr"; | ||
49 | domain = "muspelheim.yggdrasil"; | ||
50 | search = [ "muspelheim.yggdrasil" "yggdrasil" ]; | ||
51 | |||
52 | enableIPv6 = true; | ||
53 | dhcpcd.enable = false; | ||
54 | useDHCP = false; | ||
55 | useNetworkd = true; | ||
56 | defaultGateway = { address = "202.61.240.1"; }; | ||
57 | defaultGateway6 = { address = "fe80::1"; }; | ||
58 | interfaces."ens3" = { | ||
59 | ipv4.addresses = [ | ||
60 | { address = "202.61.241.61"; prefixLength = 22; } | ||
61 | ]; | ||
62 | ipv6.addresses = [ | ||
63 | { address = "2a03:4000:52:ada::"; prefixLength = 64; } | ||
64 | ]; | ||
65 | }; | ||
66 | |||
67 | firewall = { | ||
68 | enable = true; | ||
69 | allowPing = true; | ||
70 | allowedTCPPorts = [ | ||
71 | 22 # ssh | ||
72 | ]; | ||
73 | allowedUDPPortRanges = [ | ||
74 | { from = 60000; to = 61000; } # mosh | ||
75 | ]; | ||
76 | }; | ||
77 | }; | ||
78 | |||
79 | systemd.network.networks."40-ens3".networkConfig = { | ||
80 | Domains = lib.mkForce "~."; | ||
81 | DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ]; | ||
82 | }; | ||
83 | |||
84 | services.timesyncd.enable = false; | ||
85 | services.chrony = { | ||
86 | enable = true; | ||
87 | servers = []; | ||
88 | extraConfig = '' | ||
89 | pool time.cloudflare.com iburst nts | ||
90 | pool nts.ntp.se iburst nts | ||
91 | server nts.sth1.ntp.se iburst nts | ||
92 | server nts.sth2.ntp.se iburst nts | ||
93 | server ptbtime1.ptb.de iburst nts | ||
94 | server ptbtime2.ptb.de iburst nts | ||
95 | server ptbtime3.ptb.de iburst nts | ||
96 | |||
97 | refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3 | ||
98 | |||
99 | makestep 0.1 3 | ||
100 | |||
101 | cmdport 0 | ||
102 | ''; | ||
103 | }; | ||
104 | |||
105 | services.openssh = { | ||
106 | enable = true; | ||
107 | passwordAuthentication = false; | ||
108 | challengeResponseAuthentication = false; | ||
109 | extraConfig = '' | ||
110 | AllowGroups ssh | ||
111 | ''; | ||
112 | }; | ||
113 | users.groups."ssh" = { | ||
114 | members = ["root"]; | ||
115 | }; | ||
116 | |||
117 | security.sudo.extraConfig = '' | ||
118 | Defaults lecture = never | ||
119 | ''; | ||
120 | |||
121 | nix.gc = { | ||
122 | automatic = true; | ||
123 | options = "--delete-older-than 30d"; | ||
124 | }; | ||
125 | }; | ||
126 | } | ||
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix new file mode 100644 index 00000000..ce909b72 --- /dev/null +++ b/hosts/surtr/dns/default.nix | |||
@@ -0,0 +1,92 @@ | |||
1 | {...}: | ||
2 | { | ||
3 | config = { | ||
4 | fileSystems."/var/lib/knot" = | ||
5 | { device = "surtr/safe/var-lib-knot"; | ||
6 | fsType = "zfs"; | ||
7 | }; | ||
8 | |||
9 | systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | ||
10 | |||
11 | networking.firewall = { | ||
12 | allowedTCPPorts = [ | ||
13 | 53 # DNS | ||
14 | ]; | ||
15 | allowedUDPPorts = [ | ||
16 | 53 # DNS | ||
17 | ]; | ||
18 | }; | ||
19 | |||
20 | services.knot = { | ||
21 | enable = true; | ||
22 | extraConfig = '' | ||
23 | server: | ||
24 | listen: 127.0.0.1@53 | ||
25 | listen: ::1@53 | ||
26 | listen: 202.61.241.61@53 | ||
27 | listen: 2a03:4000:52:ada::@53 | ||
28 | |||
29 | remote: | ||
30 | - id: inwx_notify | ||
31 | address: 185.181.104.96@53 | ||
32 | |||
33 | acl: | ||
34 | - id: inwx_acl | ||
35 | address: 185.181.104.96 | ||
36 | action: transfer | ||
37 | |||
38 | template: | ||
39 | - id: inwx_zone | ||
40 | storage: /var/lib/knot | ||
41 | zonefile-sync: -1 | ||
42 | zonefile-load: difference-no-serial | ||
43 | serial-policy: dateserial | ||
44 | journal-content: all | ||
45 | semantic-checks: on | ||
46 | dnssec-signing: on | ||
47 | notify: [inwx_notify] | ||
48 | acl: [inwx_acl] | ||
49 | |||
50 | policy: | ||
51 | - id: rsa | ||
52 | algorithm: rsasha256 | ||
53 | ksk-size: 4096 | ||
54 | zsk-size: 2048 | ||
55 | zsk-lifetime: 30d | ||
56 | |||
57 | zone: | ||
58 | - domain: yggdrasil.li | ||
59 | template: inwx_zone | ||
60 | file: ${./zones/li.yggdrasil.soa} | ||
61 | |||
62 | - domain: nights.email | ||
63 | template: inwx_zone | ||
64 | file: ${./zones/email.nights.soa} | ||
65 | |||
66 | - domain: 141.li | ||
67 | template: inwx_zone | ||
68 | file: ${./zones/li.141.soa} | ||
69 | |||
70 | - domain: kleen.li | ||
71 | template: inwx_zone | ||
72 | file: ${./zones/li.kleen.soa} | ||
73 | |||
74 | - domain: xmpp.li | ||
75 | template: inwx_zone | ||
76 | file: ${./zones/li.xmpp.soa} | ||
77 | |||
78 | - domain: dirty-haskell.org | ||
79 | template: inwx_zone | ||
80 | file: ${./zones/org.dirty-haskell.soa} | ||
81 | |||
82 | - domain: praseodym.org | ||
83 | template: inwx_zone | ||
84 | file: ${./zones/org.praseodym.soa} | ||
85 | |||
86 | - domain: rheperire.org | ||
87 | template: inwx_zone | ||
88 | file: ${./zones/org.rheperire.soa} | ||
89 | ''; | ||
90 | }; | ||
91 | }; | ||
92 | } | ||
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa new file mode 100644 index 00000000..e0589dd3 --- /dev/null +++ b/hosts/surtr/dns/zones/email.nights.soa | |||
@@ -0,0 +1,38 @@ | |||
1 | $ORIGIN nights.email. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053002 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | _acme-challenge 30 IN TXT "" | ||
26 | |||
27 | ymir._domainkey IN TXT ( | ||
28 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
29 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
30 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
31 | ) | ||
32 | |||
33 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
34 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
35 | |||
36 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
37 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
38 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa new file mode 100644 index 00000000..6f974439 --- /dev/null +++ b/hosts/surtr/dns/zones/li.141.soa | |||
@@ -0,0 +1,50 @@ | |||
1 | $ORIGIN 141.li. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053001 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | surtr IN A 202.61.241.61 | ||
26 | surtr IN AAAA 2a03:4000:52:ada:: | ||
27 | surtr IN MX 0 ymir.yggdrasil.li | ||
28 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | ||
29 | |||
30 | ymir IN A 188.68.51.254 | ||
31 | ymir IN AAAA 2a03:4000:6:d004:: | ||
32 | ymir IN MX 0 ymir.yggdrasil.li | ||
33 | ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li" | ||
34 | |||
35 | _acme-challenge 30 IN TXT "" | ||
36 | |||
37 | ymir._domainkey IN TXT ( | ||
38 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
39 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
40 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
41 | ) | ||
42 | |||
43 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
44 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
45 | |||
46 | _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | ||
47 | |||
48 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
49 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
50 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa new file mode 100644 index 00000000..5a3d2a11 --- /dev/null +++ b/hosts/surtr/dns/zones/li.kleen.soa | |||
@@ -0,0 +1,40 @@ | |||
1 | $ORIGIN kleen.li. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053001 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | _acme-challenge 30 IN TXT "" | ||
26 | |||
27 | ymir._domainkey IN TXT ( | ||
28 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
29 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
30 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
31 | ) | ||
32 | |||
33 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
34 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
35 | |||
36 | _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | ||
37 | |||
38 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
39 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
40 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/li.xmpp.soa b/hosts/surtr/dns/zones/li.xmpp.soa new file mode 100644 index 00000000..b123f4a5 --- /dev/null +++ b/hosts/surtr/dns/zones/li.xmpp.soa | |||
@@ -0,0 +1,40 @@ | |||
1 | $ORIGIN xmpp.li. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053001 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | _acme-challenge 30 IN TXT "" | ||
26 | |||
27 | ymir._domainkey IN TXT ( | ||
28 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
29 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
30 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
31 | ) | ||
32 | |||
33 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
34 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
35 | |||
36 | _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | ||
37 | |||
38 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
39 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
40 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa new file mode 100644 index 00000000..a9b87b76 --- /dev/null +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa | |||
@@ -0,0 +1,58 @@ | |||
1 | $ORIGIN yggdrasil.li. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053000 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | ns IN A 202.61.241.61 | ||
16 | ns IN AAAA 2a03:4000:52:ada:: | ||
17 | |||
18 | @ IN A 188.68.51.254 | ||
19 | @ IN AAAA 2a03:4000:6:d004:: | ||
20 | @ IN MX 0 ymir.yggdrasil.li. | ||
21 | @ IN TXT "v=spf1 a:mailout.yggdrasil.li -all" | ||
22 | |||
23 | * IN A 188.68.51.254 | ||
24 | * IN AAAA 2a03:4000:6:d004:: | ||
25 | * IN MX 0 ymir.yggdrasil.li. | ||
26 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
27 | |||
28 | ymir IN A 188.68.51.254 | ||
29 | ymir IN AAAA 2a03:4000:6:d004:: | ||
30 | ymir IN MX 0 ymir.yggdrasil.li. | ||
31 | ymir IN TXT "v=spf1 redirect=yggdrasil.li" | ||
32 | |||
33 | surtr IN A 202.61.241.61 | ||
34 | surtr IN AAAA 2a03:4000:52:ada:: | ||
35 | surtr IN MX 0 ymir.yggdrasil.li | ||
36 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | ||
37 | |||
38 | mailout IN A 188.68.51.254 | ||
39 | mailout IN AAAA 2a03:4000:6:d004:: | ||
40 | mailout IN MX 0 ymir.yggdrasil.li | ||
41 | mailout IN TXT "v=spf1 redirect=yggdrasil.li" | ||
42 | |||
43 | _acme-challenge 30 IN TXT "" | ||
44 | |||
45 | ymir._domainkey IN TXT ( | ||
46 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
47 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
48 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
49 | ) | ||
50 | |||
51 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
52 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
53 | |||
54 | _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | ||
55 | |||
56 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
57 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
58 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/org.dirty-haskell.soa b/hosts/surtr/dns/zones/org.dirty-haskell.soa new file mode 100644 index 00000000..74aed5fd --- /dev/null +++ b/hosts/surtr/dns/zones/org.dirty-haskell.soa | |||
@@ -0,0 +1,32 @@ | |||
1 | $ORIGIN dirty-haskell.org. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053001 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | |||
16 | @ IN A 188.68.51.254 | ||
17 | @ IN AAAA 2a03:4000:6:d004:: | ||
18 | @ IN MX 10 ymir.yggdrasil.li. | ||
19 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
20 | |||
21 | * IN A 188.68.51.254 | ||
22 | * IN AAAA 2a03:4000:6:d004:: | ||
23 | * IN MX 0 ymir.yggdrasil.li. | ||
24 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
25 | |||
26 | _acme-challenge 30 IN TXT "" | ||
27 | |||
28 | ymir._domainkey IN TXT ( | ||
29 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
30 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
31 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
32 | ) | ||
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa new file mode 100644 index 00000000..6f2c676f --- /dev/null +++ b/hosts/surtr/dns/zones/org.praseodym.soa | |||
@@ -0,0 +1,45 @@ | |||
1 | $ORIGIN praseodym.org. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053000 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | surtr IN A 202.61.241.61 | ||
26 | surtr IN AAAA 2a03:4000:52:ada:: | ||
27 | surtr IN MX 0 ymir.yggdrasil.li | ||
28 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | ||
29 | |||
30 | _acme-challenge 30 IN TXT "" | ||
31 | |||
32 | ymir._domainkey IN TXT ( | ||
33 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | ||
34 | "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" | ||
35 | "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" | ||
36 | ) | ||
37 | |||
38 | _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. | ||
39 | _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. | ||
40 | |||
41 | _infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li. | ||
42 | |||
43 | _submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li. | ||
44 | _imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li. | ||
45 | _imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li. | ||
diff --git a/hosts/surtr/dns/zones/org.rheperire.soa b/hosts/surtr/dns/zones/org.rheperire.soa new file mode 100644 index 00000000..43b1e862 --- /dev/null +++ b/hosts/surtr/dns/zones/org.rheperire.soa | |||
@@ -0,0 +1,25 @@ | |||
1 | $ORIGIN rheperire.org. | ||
2 | $TTL 3600 | ||
3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
4 | 2021053010 ; serial | ||
5 | 10800 ; refresh | ||
6 | 3600 ; retry | ||
7 | 604800 ; expire | ||
8 | 3600 ; min TTL | ||
9 | ) | ||
10 | IN NS ns.yggdrasil.li. | ||
11 | IN NS ns.inwx.de. | ||
12 | IN NS ns2.inwx.de. | ||
13 | IN NS ns3.inwx.eu. | ||
14 | |||
15 | @ IN A 188.68.51.254 | ||
16 | @ IN AAAA 2a03:4000:6:d004:: | ||
17 | @ IN MX 0 ymir.yggdrasil.li. | ||
18 | @ IN TXT "v=spf1 redirect=yggdrasil.li" | ||
19 | |||
20 | * IN A 188.68.51.254 | ||
21 | * IN AAAA 2a03:4000:6:d004:: | ||
22 | * IN MX 0 ymir.yggdrasil.li. | ||
23 | * IN TXT "v=spf1 redirect=yggdrasil.li" | ||
24 | |||
25 | _acme-challenge 30 IN TXT "" | ||
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix new file mode 100644 index 00000000..9581dd60 --- /dev/null +++ b/hosts/surtr/tls.nix | |||
@@ -0,0 +1,70 @@ | |||
1 | { config, pkgs, ... }: | ||
2 | let | ||
3 | knotCfg = config.services.knot; | ||
4 | |||
5 | knotDNSCredentials = zone: pkgs.writeText "lego-credentials" '' | ||
6 | EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh | ||
7 | EXEC_PROPAGATION_TIMEOUT=300 | ||
8 | EXEC_POLLING_INTERVAL=5 | ||
9 | ''; | ||
10 | knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' | ||
11 | #!${pkgs.zsh}/bin/zsh -xe | ||
12 | |||
13 | mode=$1 | ||
14 | fqdn=$2 | ||
15 | challenge=$3 | ||
16 | |||
17 | owner=''${fqdn%".${zone}."} | ||
18 | |||
19 | commited= | ||
20 | function abort() { | ||
21 | [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" | ||
22 | } | ||
23 | |||
24 | ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" | ||
25 | trap abort EXIT | ||
26 | |||
27 | case "''${mode}" in | ||
28 | present) | ||
29 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' | ||
30 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" | ||
31 | ;; | ||
32 | cleanup) | ||
33 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" | ||
34 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' | ||
35 | ;; | ||
36 | *) | ||
37 | exit 2 | ||
38 | ;; | ||
39 | esac | ||
40 | |||
41 | ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" | ||
42 | commited=yes | ||
43 | ''; | ||
44 | in { | ||
45 | config = { | ||
46 | fileSystems."/var/lib/acme" = | ||
47 | { device = "surtr/safe/var-lib-acme"; | ||
48 | fsType = "zfs"; | ||
49 | }; | ||
50 | |||
51 | security.acme = { | ||
52 | server = "https://acme-staging-v02.api.letsencrypt.org/directory"; | ||
53 | |||
54 | acceptTerms = true; | ||
55 | preliminarySelfsigned = false; | ||
56 | email = "phikeebaogobaegh@141.li"; | ||
57 | certs = { | ||
58 | "rheperire.org" = { | ||
59 | domain = "rheperire.org"; | ||
60 | extraDomainNames = [ "*.rheperire.org" ]; | ||
61 | dnsProvider = "exec"; | ||
62 | credentialsFile = knotDNSCredentials "rheperire.org"; | ||
63 | dnsResolver = "1.1.1.1:53"; | ||
64 | }; | ||
65 | }; | ||
66 | }; | ||
67 | |||
68 | users.groups."knot".members = [ "acme" ]; | ||
69 | }; | ||
70 | } | ||
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix new file mode 100644 index 00000000..3cbd0cf0 --- /dev/null +++ b/hosts/surtr/zfs.nix | |||
@@ -0,0 +1,101 @@ | |||
1 | { pkgs, config, ... }: | ||
2 | let | ||
3 | snapshotNames = ["frequent" "hourly" "daily" "monthly" "yearly"]; | ||
4 | snapshotCount = { | ||
5 | frequent = 24; | ||
6 | hourly = 24; | ||
7 | daily = 30; | ||
8 | monthly = 12; | ||
9 | yearly = 5; | ||
10 | }; | ||
11 | snapshotTimerConfig = { | ||
12 | frequent = { OnCalendar = "*:0/5 UTC"; Persistent = true; }; | ||
13 | hourly = { OnCalendar = "hourly UTC"; Persistent = true; }; | ||
14 | daily = { OnCalendar = "daily UTC"; Persistent = true; }; | ||
15 | monthly = { OnCalendar = "monthly UTC"; Persistent = true; }; | ||
16 | yearly = { OnCalendar = "yearly UTC"; Persistent = true; }; | ||
17 | }; | ||
18 | snapshotDescr = { | ||
19 | frequent = "few minutes"; | ||
20 | hourly = "hour"; | ||
21 | daily = "day"; | ||
22 | monthly = "month"; | ||
23 | yearly = "year"; | ||
24 | }; | ||
25 | |||
26 | zfs = config.boot.zfs.package; | ||
27 | |||
28 | autosnapPackage = pkgs.zfstools.override { inherit zfs; }; | ||
29 | in { | ||
30 | config = { | ||
31 | fileSystems = { | ||
32 | "/nix" = | ||
33 | { device = "surtr/local/nix"; | ||
34 | fsType = "zfs"; | ||
35 | }; | ||
36 | |||
37 | "/root" = | ||
38 | { device = "surtr/safe/home-root"; | ||
39 | fsType = "zfs"; | ||
40 | neededForBoot = true; | ||
41 | }; | ||
42 | |||
43 | "/var/lib/systemd" = | ||
44 | { device = "surtr/local/var-lib-systemd"; | ||
45 | fsType = "zfs"; | ||
46 | neededForBoot = true; | ||
47 | }; | ||
48 | |||
49 | "/var/lib/nixos" = | ||
50 | { device = "surtr/local/var-lib-nixos"; | ||
51 | fsType = "zfs"; | ||
52 | neededForBoot = true; | ||
53 | }; | ||
54 | |||
55 | "/var/log" = | ||
56 | { device = "surtr/local/var-log"; | ||
57 | fsType = "zfs"; | ||
58 | }; | ||
59 | |||
60 | "/home" = | ||
61 | { device = "surtr/safe/home"; | ||
62 | fsType = "zfs"; | ||
63 | }; | ||
64 | }; | ||
65 | |||
66 | systemd.services = | ||
67 | let mkSnapService = snapName: { | ||
68 | name = "zfs-snapshot-${snapName}"; | ||
69 | value = { | ||
70 | description = "ZFS auto-snapshot every ${snapshotDescr.${snapName}}"; | ||
71 | after = [ "zfs-import.target" ]; | ||
72 | serviceConfig = { | ||
73 | Type = "oneshot"; | ||
74 | ExecStart = "${autosnapPackage}/bin/zfs-auto-snapshot -k -p -u ${snapName} ${toString snapshotCount.${snapName}}"; | ||
75 | }; | ||
76 | restartIfChanged = false; | ||
77 | |||
78 | preStart = '' | ||
79 | ${zfs}/bin/zfs set com.sun:auto-snapshot=true surtr/safe | ||
80 | ''; | ||
81 | }; | ||
82 | }; | ||
83 | in builtins.listToAttrs (map mkSnapService snapshotNames); | ||
84 | |||
85 | systemd.timers = | ||
86 | let mkSnapTimer = snapName: { | ||
87 | name = "zfs-snapshot-${snapName}"; | ||
88 | value = { | ||
89 | wantedBy = [ "timers.target" ]; | ||
90 | timerConfig = snapshotTimerConfig.${snapName}; | ||
91 | }; | ||
92 | }; | ||
93 | in builtins.listToAttrs (map mkSnapTimer snapshotNames); | ||
94 | |||
95 | services.zfs.trim.enable = false; | ||
96 | services.zfs.autoScrub = { | ||
97 | enable = true; | ||
98 | interval = "Sun *-*-1..7 04:00:00"; | ||
99 | }; | ||
100 | }; | ||
101 | } | ||