6 files changed, 282 insertions, 31 deletions
diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
new file mode 100644
index 00000000..1c5347e7
--- /dev/null
+++ b/hosts/eos/default.nix
@@ -0,0 +1,101 @@
+{ flake, config, pkgs, lib, ... }:
+with lib;
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    nfsroot
+  ];
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+    boot = {
+      initrd = {
+        availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+        kernelModules = [ "igb" ];
+      };
+      kernelModules = [ "kvm-amd" ];
+      extraModulePackages = [ ];
+      plymouth.enable = true;
+      tmpOnTmpfs = true;
+    };
+    hardware = {
+      enableRedistributableFirmware = true;
+      cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+      nvidia = {
+        modesetting.enable = true;
+        powerManagement.enable = true;
+      };
+      opengl.enable = true;
+    };
+    environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+    networking = {
+      hostId = "f457b213";
+      domain = "asgard.yggdrasil";
+      search = [ "asgard.yggdrasil" "yggdrasil" ];
+      hosts = {
+        "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
+        "::1" = [ "eos.asgard.yggdrasil" "eos" ];
+      };
+      firewall.enable = false;
+      nftables = {
+        enable = true;
+        rulesetFile = ./ruleset.nft;
+      };
+    };
+    services.resolved = {
+      llmnr = "false";
+    };
+    zramSwap.enable = true;
+    system.stateVersion = config.system.nixos.release; # No state
+    time.timeZone = "Europe/Berlin";
+    time.hardwareClockInLocalTime = true;
+    i18n.defaultLocale = "en_DK.UTF-8";
+    environment.systemPackages = with pkgs; [ cifs-utils ];
+    security.pam.mount = {
+      enable = true;
+      extraVolumes = [
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"home-eos\" mountpoint=\"~\" />"
+        "<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"%(USER)\" mountpoint=\"/run/media/%(USER)/vidhar\" />"
+      ];
+    };
+    services.xserver = {
+      enable = true;
+      displayManager.sddm = {
+        enable = true;
+        settings = {
+          Users.HideUsers = "gkleen";
+        };
+      };
+      desktopManager.plasma5.enable = true;
+      videoDrivers = [ "nvidia" ];
+    };
+  };
+}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eos/ruleset.nft
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  chain input {
+    type filter hook input priority filter
+    policy accept
+    limit name lim_arp counter drop
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    limit name lim_arp counter drop
+    counter
+  }
+}
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid forward: " counter drop
+    iifname lo counter accept
+    limit name lim_reject log level debug prefix "drop forward: " counter drop
+    log level debug prefix "reject forward: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+    counter
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    ct state invalid log level debug prefix "drop invalid input: " counter drop
+    iifname lo counter accept
+    iif != lo ip daddr 127.0.0.1/8 counter reject
+    iif != lo ip6 daddr ::1/128 counter reject
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+    tcp dport 22 counter accept
+    udp dport 60000-61000 counter accept
+    ct state {established, related} counter accept
+    limit name lim_reject log level debug prefix "drop input: " counter drop
+    log level debug prefix "reject input: " counter
+    meta l4proto tcp ct state new counter reject with tcp reset
+    ct state new counter reject
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    oifname lo counter accept
+    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos counter accept
+    counter
+  }
+}
+\ No newline at end of file
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 3f5d17d5..fc77f03c 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -235,25 +235,30 @@ with lib;
        ];
      };
    };
-    systemd.services.loki.preStart = let
+    systemd.services.loki = {
-      rulesYaml = generators.toYAML {} {
+      preStart = let
-        groups = [
+        rulesYaml = generators.toYAML {} {
-          { name = "power-failures";
+          groups = [
-            rules = [
+            { name = "power-failures";
-              { record = "apcupsd_power_failures:per_day";
+              rules = [
-                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
+                { record = "apcupsd_power_failures:per_day";
-              }
+                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400";
-              { record = "apcupsd_power_failures:per_week";
+                }
-                expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
+                { record = "apcupsd_power_failures:per_week";
-              }
+                  expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800";
-            ];
+                }
-          }
+              ];
-        ];
+            }
-      };
+          ];
-    in ''
+        };
-      ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
+      in ''
-      ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
+        ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
-    '';
+        ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
+      '';
+      serviceConfig.Environment = [
+        "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
+      ];
+    };
    services.promtail = {
      enable = true;
      configuration = {
@@ -286,6 +291,9 @@ with lib;
        ];
      };
    };
+    systemd.services.promtail.serviceConfig.Environment = [
+      "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
+    ];
    services.apcupsd = {
      enable = true;
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index dfaa4c9f..d3407f1d 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -23,6 +23,12 @@ with lib;
          };
          client-classes = [
+            { name = "eos-ipxe";
+              test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
+              next-server = "10.141.0.1";
+              boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe";
+              only-if-required = true;
+            }
            { name = "ipxe";
              test = "option[77].hex == 'iPXE'";
              next-server = "10.141.0.1";
@@ -85,7 +91,7 @@ with lib;
              ddns-send-updates = true;
              ddns-qualifying-suffix = "lan.yggdrasil";
              pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
-              require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
+              require-client-classes = map (cc: cc.name) config.services.kea.dhcp4.settings.client-classes;
              reservations = [
                { hostname = "sif";
                  hw-address = "3c:e1:a1:52:24:35";
@@ -258,7 +264,25 @@ with lib;
                   ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
               '')
              ) ["x86_64-linux"]
-            );
+            ) ++ [
+              (let
+                 eosBuild = (flake.nixosConfigurations.eos.extendModules {
+                   modules = [
+                     ({ ... }: {
+                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration";
+                     })
+                   ];
+                 }).config.system.build;
+               in builtins.toPath (pkgs.runCommandLocal "eos" {} ''
+                    mkdir -p $out/eos
+                    install -m 0444 -t $out/eos \
+                      ${eosBuild.initialRamdisk}/initrd \
+                      ${eosBuild.kernel}/bzImage \
+                      ${eosBuild.netbootIpxeScript}/netboot.ipxe \
+                      ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration
+                  ''))
+            ];
        };
      };
    };
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index 0ddf56a3..ffca9c6d 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -14,28 +14,45 @@
        guest account = nobody
        bind interfaces only = yes
        interfaces = lo lan
+        server signing = mandatory
+        server min protocol = SMB3
+        server smb encrypt = required
      '';
      shares = {
        homes = {
-          comment = "Home Directories";
+          comment = "Home directory for %S";
          path = "/home/%S";
-          browseable = "no";
+          browseable = false;
          "valid users" = "%S";
-          "read only" = "no";
+          "read only" = false;
          "create mask" = "0700";
          "directory mask" = "0700";
          "vfs objects" = "shadow_copy2";
          "shadow:snapdir" = ".zfs/snapshot";
+          "shadow:snapdirseverywhere" = true;
          "shadow:sort" = "desc";
          "shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
        };
        eos = {
-          comment = "Disk image of eos";
+          comment = "Disk image of legacy eos";
          browseable = true;
          "valid users" = "mherold";
          writeable = "true";
          path = "/srv/eos";
        };
+        home-eos = {
+          comment = "Home directoriy for %u on PXE booted EOS";
+          path = "/srv/cifs/home-eos/%u";
+          volume = "%u@eos";
+          browseable = true;
+          "read only" = false;
+          "create mask" = "0700";
+          "directory mask" = "0700";
+          "vfs objects" = "shadow_copy2";
+          "shadow:snapdir" = ".zfs/snapshot";
+          "shadow:sort" = "desc";
+          "shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
+        };
      };
    };
    services.samba-wsdd = {
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 52b48aca..1de4b9b7 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -23,7 +23,7 @@
          fsType = "zfs";
          neededForBoot = true;
        };
-      
      "/var/lib/nixos" =
        { device = "ssd-raid1/local/var-lib-nixos";
          fsType = "zfs";
@@ -34,22 +34,22 @@
        { device = "ssd-raid1/local/var-lib-unbound";
          fsType = "zfs";
        };
-      
      # "/var/lib/dhcp" =
      #   { device = "ssd-raid1/local/var-lib-dhcp";
      #     fsType = "zfs";
      #   };
-      
      "/var/lib/chrony" =
        { device = "ssd-raid1/local/var-lib-chrony";
          fsType = "zfs";
        };
-      
      "/var/lib/samba" =
        { device = "ssd-raid1/local/var-lib-samba";
          fsType = "zfs";
        };
-      
      # "/var/lib/prometheus2" =
      #   { device = "ssd-raid1/local/var-lib-prometheus2";
      #     fsType = "zfs";
@@ -67,7 +67,7 @@
      #     fsType = "zfs";
      #     options = [ "zfsutil" ];
      #   };
-      
      # "/srv/tftp" =
      #   { device = "ssd-raid1/local/srv-tftp";
      #     fsType = "zfs";

diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix new file mode 100644 index 00000000..1c5347e7 --- /dev/null +++ b/hosts/eos/default.nix
@@ -0,0 +1,101 @@
		1	{ flake, config, pkgs, lib, ... }:
		2
		3	with lib;
		4
		5	{
		6	imports = with flake.nixosModules.systemProfiles; [
		7	nfsroot
		8	];
		9
		10	config = {
		11	nixpkgs = {
		12	system = "x86_64-linux";
		13	config = {
		14	allowUnfree = true;
		15	};
		16	};
		17
		18	boot = {
		19	initrd = {
		20	availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
		21	kernelModules = [ "igb" ];
		22	};
		23	kernelModules = [ "kvm-amd" ];
		24	extraModulePackages = [ ];
		25
		26	plymouth.enable = true;
		27
		28	tmpOnTmpfs = true;
		29	};
		30
		31	hardware = {
		32	enableRedistributableFirmware = true;
		33	cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
		34
		35	nvidia = {
		36	modesetting.enable = true;
		37	powerManagement.enable = true;
		38	};
		39
		40	opengl.enable = true;
		41	};
		42
		43	environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
		44
		45	networking = {
		46	hostId = "f457b213";
		47
		48	domain = "asgard.yggdrasil";
		49	search = [ "asgard.yggdrasil" "yggdrasil" ];
		50
		51	hosts = {
		52	"127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
		53	"::1" = [ "eos.asgard.yggdrasil" "eos" ];
		54	};
		55
		56	firewall.enable = false;
		57	nftables = {
		58	enable = true;
		59	rulesetFile = ./ruleset.nft;
		60	};
		61	};
		62
		63	services.resolved = {
		64	llmnr = "false";
		65	};
		66
		67	zramSwap.enable = true;
		68
		69	system.stateVersion = config.system.nixos.release; # No state
		70
		71
		72	time.timeZone = "Europe/Berlin";
		73	time.hardwareClockInLocalTime = true;
		74	i18n.defaultLocale = "en_DK.UTF-8";
		75
		76
		77	environment.systemPackages = with pkgs; [ cifs-utils ];
		78
		79	security.pam.mount = {
		80	enable = true;
		81	extraVolumes = [
		82	"<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"home-eos\" mountpoint=\"~\" />"
		83	"<volume sgrp=\"users\" fstype=\"cifs\" server=\"vidhar.lan.yggdrasil\" path=\"%(USER)\" mountpoint=\"/run/media/%(USER)/vidhar\" />"
		84	];
		85	};
		86
		87
		88	services.xserver = {
		89	enable = true;
		90	displayManager.sddm = {
		91	enable = true;
		92	settings = {
		93	Users.HideUsers = "gkleen";
		94	};
		95	};
		96	desktopManager.plasma5.enable = true;
		97
		98	videoDrivers = [ "nvidia" ];
		99	};
		100	};
		101	}


diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft new file mode 100644 index 00000000..7b38a059 --- /dev/null +++ b/hosts/eos/ruleset.nft
@@ -0,0 +1,101 @@
		1	define icmp_protos = {ipv6-icmp, icmp, igmp}
		2
		3	table arp filter {
		4	limit lim_arp {
		5	rate over 50 mbytes/second burst 50 mbytes
		6	}
		7
		8	chain input {
		9	type filter hook input priority filter
		10	policy accept
		11
		12	limit name lim_arp counter drop
		13
		14	counter
		15	}
		16
		17	chain output {
		18	type filter hook output priority filter
		19	policy accept
		20
		21	limit name lim_arp counter drop
		22
		23	counter
		24	}
		25	}
		26
		27	table inet filter {
		28	limit lim_reject {
		29	rate over 1000/second burst 1000 packets
		30	}
		31
		32	limit lim_icmp {
		33	rate over 50 mbytes/second burst 50 mbytes
		34	}
		35
		36
		37	chain forward {
		38	type filter hook forward priority filter
		39	policy drop
		40
		41
		42	ct state invalid log level debug prefix "drop invalid forward: " counter drop
		43
		44
		45	iifname lo counter accept
		46
		47
		48	limit name lim_reject log level debug prefix "drop forward: " counter drop
		49	log level debug prefix "reject forward: " counter
		50	meta l4proto tcp ct state new counter reject with tcp reset
		51	ct state new counter reject
		52
		53
		54	counter
		55	}
		56
		57	chain input {
		58	type filter hook input priority filter
		59	policy drop
		60
		61
		62	ct state invalid log level debug prefix "drop invalid input: " counter drop
		63
		64
		65	iifname lo counter accept
		66	iif != lo ip daddr 127.0.0.1/8 counter reject
		67	iif != lo ip6 daddr ::1/128 counter reject
		68
		69	meta l4proto $icmp_protos limit name lim_icmp counter drop
		70	meta l4proto $icmp_protos counter accept
		71
		72	tcp dport 22 counter accept
		73	udp dport 60000-61000 counter accept
		74
		75
		76	ct state {established, related} counter accept
		77
		78
		79	limit name lim_reject log level debug prefix "drop input: " counter drop
		80	log level debug prefix "reject input: " counter
		81	meta l4proto tcp ct state new counter reject with tcp reset
		82	ct state new counter reject
		83
		84
		85	counter
		86	}
		87
		88	chain output {
		89	type filter hook output priority filter
		90	policy accept
		91
		92
		93	oifname lo counter accept
		94
		95	meta l4proto $icmp_protos limit name lim_icmp counter drop
		96	meta l4proto $icmp_protos counter accept
		97
		98
		99	counter
		100	}
		101	} \ No newline at end of file


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 3f5d17d5..fc77f03c 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -235,25 +235,30 @@ with lib;
235	];	235	];
236	};	236	};
237	};	237	};
238	systemd.services.loki.preStart = let	238	systemd.services.loki = {
239	rulesYaml = generators.toYAML {} {	239	preStart = let
240	groups = [	240	rulesYaml = generators.toYAML {} {
241	{ name = "power-failures";	241	groups = [
242	rules = [	242	{ name = "power-failures";
243	{ record = "apcupsd_power_failures:per_day";	243	rules = [
244	expr = "sum by (nodename) (rate({job=\"systemd-journal\"} \| json \| MESSAGE = \"Power failure.\"[1d])) * 86400";	244	{ record = "apcupsd_power_failures:per_day";
245	}	245	expr = "sum by (nodename) (rate({job=\"systemd-journal\"} \| json \| MESSAGE = \"Power failure.\"[1d])) * 86400";
246	{ record = "apcupsd_power_failures:per_week";	246	}
247	expr = "sum by (nodename) (rate({job=\"systemd-journal\"} \| json \| MESSAGE = \"Power failure.\"[1w])) * 604800";	247	{ record = "apcupsd_power_failures:per_week";
248	}	248	expr = "sum by (nodename) (rate({job=\"systemd-journal\"} \| json \| MESSAGE = \"Power failure.\"[1w])) * 604800";
249	];	249	}
250	}	250	];
251	];	251	}
252	};	252	];
253	in ''	253	};
254	${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake	254	in ''
255	${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml	255	${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake
256	'';	256	${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml
		257	'';
		258	serviceConfig.Environment = [
		259	"ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
		260	];
		261	};
257	services.promtail = {	262	services.promtail = {
258	enable = true;	263	enable = true;
259	configuration = {	264	configuration = {
@@ -286,6 +291,9 @@ with lib;
286	];	291	];
287	};	292	};
288	};	293	};
		294	systemd.services.promtail.serviceConfig.Environment = [
		295	"ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19"
		296	];
289		297
290	services.apcupsd = {	298	services.apcupsd = {
291	enable = true;	299	enable = true;


diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index dfaa4c9f..d3407f1d 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix
@@ -23,6 +23,12 @@ with lib;
23	};	23	};
24		24
25	client-classes = [	25	client-classes = [
		26	{ name = "eos-ipxe";
		27	test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'";
		28	next-server = "10.141.0.1";
		29	boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe";
		30	only-if-required = true;
		31	}
26	{ name = "ipxe";	32	{ name = "ipxe";
27	test = "option[77].hex == 'iPXE'";	33	test = "option[77].hex == 'iPXE'";
28	next-server = "10.141.0.1";	34	next-server = "10.141.0.1";
@@ -85,7 +91,7 @@ with lib;
85	ddns-send-updates = true;	91	ddns-send-updates = true;
86	ddns-qualifying-suffix = "lan.yggdrasil";	92	ddns-qualifying-suffix = "lan.yggdrasil";
87	pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];	93	pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
88	require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];	94	require-client-classes = map (cc: cc.name) config.services.kea.dhcp4.settings.client-classes;
89	reservations = [	95	reservations = [
90	{ hostname = "sif";	96	{ hostname = "sif";
91	hw-address = "3c:e1:a1:52:24:35";	97	hw-address = "3c:e1:a1:52:24:35";
@@ -258,7 +264,25 @@ with lib;
258	${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration	264	${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
259	'')	265	'')
260	) ["x86_64-linux"]	266	) ["x86_64-linux"]
261	);	267	) ++ [
		268	(let
		269	eosBuild = (flake.nixosConfigurations.eos.extendModules {
		270	modules = [
		271	({ ... }: {
		272	config.nfsroot.storeDevice = "10.141.0.1:nix-store";
		273	config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration";
		274	})
		275	];
		276	}).config.system.build;
		277	in builtins.toPath (pkgs.runCommandLocal "eos" {} ''
		278	mkdir -p $out/eos
		279	install -m 0444 -t $out/eos \
		280	${eosBuild.initialRamdisk}/initrd \
		281	${eosBuild.kernel}/bzImage \
		282	${eosBuild.netbootIpxeScript}/netboot.ipxe \
		283	${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration
		284	''))
		285	];
262	};	286	};
263	};	287	};
264	};	288	};


diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix index 0ddf56a3..ffca9c6d 100644 --- a/hosts/vidhar/samba.nix +++ b/hosts/vidhar/samba.nix
@@ -14,28 +14,45 @@
14	guest account = nobody	14	guest account = nobody
15	bind interfaces only = yes	15	bind interfaces only = yes
16	interfaces = lo lan	16	interfaces = lo lan
		17	server signing = mandatory
		18	server min protocol = SMB3
		19	server smb encrypt = required
17	'';	20	'';
18	shares = {	21	shares = {
19	homes = {	22	homes = {
20	comment = "Home Directories";	23	comment = "Home directory for %S";
21	path = "/home/%S";	24	path = "/home/%S";
22	browseable = "no";	25	browseable = false;
23	"valid users" = "%S";	26	"valid users" = "%S";
24	"read only" = "no";	27	"read only" = false;
25	"create mask" = "0700";	28	"create mask" = "0700";
26	"directory mask" = "0700";	29	"directory mask" = "0700";
27	"vfs objects" = "shadow_copy2";	30	"vfs objects" = "shadow_copy2";
28	"shadow:snapdir" = ".zfs/snapshot";	31	"shadow:snapdir" = ".zfs/snapshot";
		32	"shadow:snapdirseverywhere" = true;
29	"shadow:sort" = "desc";	33	"shadow:sort" = "desc";
30	"shadow:format" = "%Y-%m-%dT%H:%M:%SZ";	34	"shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
31	};	35	};
32	eos = {	36	eos = {
33	comment = "Disk image of eos";	37	comment = "Disk image of legacy eos";
34	browseable = true;	38	browseable = true;
35	"valid users" = "mherold";	39	"valid users" = "mherold";
36	writeable = "true";	40	writeable = "true";
37	path = "/srv/eos";	41	path = "/srv/eos";
38	};	42	};
		43	home-eos = {
		44	comment = "Home directoriy for %u on PXE booted EOS";
		45	path = "/srv/cifs/home-eos/%u";
		46	volume = "%u@eos";
		47	browseable = true;
		48	"read only" = false;
		49	"create mask" = "0700";
		50	"directory mask" = "0700";
		51	"vfs objects" = "shadow_copy2";
		52	"shadow:snapdir" = ".zfs/snapshot";
		53	"shadow:sort" = "desc";
		54	"shadow:format" = "%Y-%m-%dT%H:%M:%SZ";
		55	};
39	};	56	};
40	};	57	};
41	services.samba-wsdd = {	58	services.samba-wsdd = {


diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 52b48aca..1de4b9b7 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix
@@ -23,7 +23,7 @@
23	fsType = "zfs";	23	fsType = "zfs";
24	neededForBoot = true;	24	neededForBoot = true;
25	};	25	};
26		26
27	"/var/lib/nixos" =	27	"/var/lib/nixos" =
28	{ device = "ssd-raid1/local/var-lib-nixos";	28	{ device = "ssd-raid1/local/var-lib-nixos";
29	fsType = "zfs";	29	fsType = "zfs";
@@ -34,22 +34,22 @@
34	{ device = "ssd-raid1/local/var-lib-unbound";	34	{ device = "ssd-raid1/local/var-lib-unbound";
35	fsType = "zfs";	35	fsType = "zfs";
36	};	36	};
37		37
38	# "/var/lib/dhcp" =	38	# "/var/lib/dhcp" =
39	# { device = "ssd-raid1/local/var-lib-dhcp";	39	# { device = "ssd-raid1/local/var-lib-dhcp";
40	# fsType = "zfs";	40	# fsType = "zfs";
41	# };	41	# };
42		42
43	"/var/lib/chrony" =	43	"/var/lib/chrony" =
44	{ device = "ssd-raid1/local/var-lib-chrony";	44	{ device = "ssd-raid1/local/var-lib-chrony";
45	fsType = "zfs";	45	fsType = "zfs";
46	};	46	};
47		47
48	"/var/lib/samba" =	48	"/var/lib/samba" =
49	{ device = "ssd-raid1/local/var-lib-samba";	49	{ device = "ssd-raid1/local/var-lib-samba";
50	fsType = "zfs";	50	fsType = "zfs";
51	};	51	};
52		52
53	# "/var/lib/prometheus2" =	53	# "/var/lib/prometheus2" =
54	# { device = "ssd-raid1/local/var-lib-prometheus2";	54	# { device = "ssd-raid1/local/var-lib-prometheus2";
55	# fsType = "zfs";	55	# fsType = "zfs";
@@ -67,7 +67,7 @@
67	# fsType = "zfs";	67	# fsType = "zfs";
68	# options = [ "zfsutil" ];	68	# options = [ "zfsutil" ];
69	# };	69	# };
70		70
71	# "/srv/tftp" =	71	# "/srv/tftp" =
72	# { device = "ssd-raid1/local/srv-tftp";	72	# { device = "ssd-raid1/local/srv-tftp";
73	# fsType = "zfs";	73	# fsType = "zfs";