The NAS
1. lampadas 1.1. Setup 1.2. Installation 1.2.1. partitions 1.2.1.1. system drive 1.2.1.2. data drives 1.2.2. luks 1.2.2.1. system drive 1.2.2.2. data drives 1.2.3. filesystems 1.2.3.1. system drive 1.2.3.2. data drives 1.2.4. mount stuff 1.2.5. nixos install 2. Troubleshooting 3. Nix foo
motherboard: Asrock N100M; RAM: unknown; data drives: 1TB Evo 970 + 1TB Evo 960 Pro; system drive: 128GB Intenso
sda (1TB SSD)
sda1
luks
btrfs raid1 (data)
sdb (1TB SSD)
sdb1
luks
btrfs raid1 (data)
sdc (128GB SSD)
sdc1
btrfs (root)
sdc2
fat32 (boot)
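# Partition layout (see the table above). Device names depend on how the
# installer enumerates the disks, so confirm them with `lsblk` first: these
# commands rewrite the partition tables without asking.
#
# System disk: root partition first, 512MB ESP second, so sdc1 is root and
# sdc2 is boot.
parted --script --align optimal /dev/sdc -- mklabel gpt mkpart root 512MB 100% mkpart ESP fat32 1MB 512MB set 2 esp on
# Data disks: one partition each. Partition names are only labels, but
# naming every partition "root" would make /dev/disk/by-partlabel/root
# ambiguous across three disks, so name them after their role.
parted --script --align optimal /dev/sda -- mklabel gpt mkpart data1 512MB 100%
parted --script --align optimal /dev/sdb -- mklabel gpt mkpart data2 512MB 100%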
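# The LUKS passphrase file is served by a box on the LAN over plain HTTP, so
# it crosses the network in the clear. Only do this on a network you control,
# or copy the file over scp / a USB stick instead.
curl -O http://192.168.1.102:8080/lampadas_luks_key
# With a pipe on stdin cryptsetup reads the passphrase up to the first newline,
# so the file behaves like a typed passphrase. The same file is piped into
# luksFormat and luksOpen so both see the identical passphrase, and it should
# be one that can be typed into cryptsetup-askpass in the initrd later.
cat lampadas_luks_key | cryptsetup luksFormat /dev/sdc1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sdc1 luksroot1
cat lampadas_luks_key | cryptsetup luksFormat /dev/sda1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sda1 luksdata1
cat lampadas_luks_key | cryptsetup luksFormat /dev/sdb1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sdb1 luksdata2
# All three devices are open now; do not leave the passphrase lying around in
# the installer's working directory (the troubleshooting steps fetch it again).
rm -f lampadas_luks_key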
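# Root filesystem: one btrfs volume on the opened system-disk LUKS device,
# split into root/home/nix subvolumes.
mkfs.btrfs -L root1 /dev/mapper/luksroot1
mkdir -p /mnt
mount /dev/mapper/luksroot1 /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/nix
umount /mnt
# Mount the root subvolume first and create the mount points inside it.
# Creating them while /mnt is unmounted puts them on the installer's own
# filesystem, where the root-subvolume mount then hides them and the
# /mnt/home and /mnt/nix mounts fail.
# Mounting by mapper path is unambiguous; grepping a UUID out of
# `btrfs fi show` matches every btrfs filesystem once the data volumes exist.
mount -o compress=zstd,subvol=root /dev/mapper/luksroot1 /mnt
mkdir -p /mnt/{home,nix}
mount -o compress=zstd,subvol=home /dev/mapper/luksroot1 /mnt/home
mount -o compress=zstd,noatime,subvol=nix /dev/mapper/luksroot1 /mnt/nix
# ESP, labelled so it can be mounted by label later.
mkfs.fat -F 32 -n boot /dev/sdc2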
create the btrfs filesystems on the opened LUKS devices:
# Data pool: format both data LUKS devices, then mount the first one under
# /mnt so that it presumably ends up as /data in the generated config.
mkfs.btrfs --label data1 /dev/mapper/luksdata1
mkfs.btrfs --label data2 /dev/mapper/luksdata2
mkdir --parents /mnt/data
mount /dev/mapper/luksdata1 /mnt/data
add the second device to the filesystem (-f is needed because the second drive already carries a btrfs filesystem):
# Join the second data device; --force because it already carries a filesystem.
btrfs device add --force /dev/mapper/luksdata2 /mnt/data
convert the filesystem to raid1 by balancing it (-dconvert converts the data chunks, -mconvert the metadata chunks):
# Rewrite metadata and data chunks as raid1 across both devices.
btrfs balance start -mconvert=raid1 -dconvert=raid1 /mnt/data
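mkdir /mnt/boot
# umask=077 keeps the ESP root-only; it presumably holds the kernel and the
# initrd, and the initrd carries the SSH host key used for remote unlock.
mount -o umask=077 /dev/disk/by-label/boot /mnt/boot
# With --root /mnt this writes hardware-configuration.nix and a stock
# configuration.nix under /mnt/etc/nixos, not the installer's own /etc/nixos,
# so that is where the downloaded configuration has to go.
nixos-generate-config --root /mnt
cd /mnt/etc/nixos
mv configuration.nix config_orig.nix
# The configuration arrives over plain HTTP and can be altered in transit;
# read it before installing, since it carries the keys that grant root access.
curl -O http://192.168.1.102:8080/configuration.nix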
Generate a host key for the initrd SSH server, which lets us enter the LUKS passphrase over SSH:
# The initrd sshd gets its own host key rather than the main sshd's. The
# configuration references it as /initrd_ssh_host_key_ed25519 inside the
# installed root, hence the copy into /mnt.
ssh-keygen -t ed25519 -f initrd_ssh_host_key_ed25519 -N ''
cp initrd_ssh_host_key_ed25519 /mnt/
nixos-install
Boot into a NixOS installer image and open the LUKS devices:
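# Same caveat as during install: the passphrase travels over plain HTTP.
curl -O http://192.168.1.102:8080/lampadas_luks_key
# Disk enumeration in a rescue boot can differ from the install session, so
# confirm with `lsblk -o NAME,SIZE,FSTYPE` before opening anything. The
# mapper names must match the install layout: the 128GB system disk is
# luksroot1, the two 1TB data disks are luksdata1 and luksdata2 (there is no
# luksroot2).
cat lampadas_luks_key | cryptsetup luksOpen /dev/sdc1 luksroot1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sda1 luksdata1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sb1 luksdata2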
Find the root filesystem's UUID with `btrfs fi show` (it lists every btrfs filesystem, so the grep below has to be narrowed) and insert its leading characters at the beginning of the grep pattern, then mount the subvolumes:
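# Mount the root subvolume first, then the mount points inside it.
# The mapper path is unambiguous; `btrfs fi show` also lists data1/data2,
# which is why a UUID grep would have to be narrowed to the root volume.
mount -o compress=zstd,subvol=root /dev/mapper/luksroot1 /mnt
mkdir -p /mnt/{home,nix,boot}
mount -o compress=zstd,subvol=home /dev/mapper/luksroot1 /mnt/home
mount -o compress=zstd,noatime,subvol=nix /dev/mapper/luksroot1 /mnt/nix
# Same umask as at install time so the ESP contents stay root-only.
mount -o umask=077 /dev/disk/by-label/boot /mnt/boot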
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host "lampadas": an encrypted-root NAS that is unlocked remotely through an
# SSH server in the initrd, exports three Samba shares and is reachable over
# Tailscale.
{ pkgs, ... }:
let
  # Public keys granted remote access: the initrd unlock shell, root and emile.
  adminKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk"
  ];
in
{
  # Include the results of the hardware scan.
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "lampadas";
  networking.firewall.enable = true;
  time.timeZone = "Europe/Berlin";

  # ---- boot: systemd-boot on the ESP, LUKS unlock over SSH in the initrd ----
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # DHCP in the initrd so the unlock SSH server is reachable before the root
  # filesystem is open; r8169 is the NIC driver needed for that.
  boot.kernelParams = [ "ip=dhcp" ];
  boot.initrd.availableKernelModules = [ "r8169" ];
  # NOTE(review): this root-shell setting belongs to the systemd-based initrd,
  # which is not enabled in this file; with the scripted initrd the unlock
  # prompt comes from the postCommands line below instead. Presumably one of
  # the two is dead configuration — confirm which initrd is in use.
  boot.initrd.systemd.users.root.shell = "/bin/cryptsetup-askpass";
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 22;
      # A key of its own, separate from the main sshd host keys. It is baked
      # into the initrd, which presumably sits on the unencrypted boot
      # partition, so treat it as readable by anyone holding the disk; it does
      # not unlock the drives by itself.
      hostKeys = [ "/initrd_ssh_host_key_ed25519" ];
      authorizedKeys = adminKeys;
    };
    # Show the passphrase prompt as soon as an admin logs in.
    postCommands = ''
      echo 'cryptsetup-askpass' > /root/.profile
    '';
  };

  # ---- filesystems (devices and subvolumes come from hardware-configuration.nix) ----
  fileSystems = {
    "/".options = [ "compress=zstd" ];
    "/home".options = [ "compress=zstd" ];
    "/nix".options = [ "compress=zstd" "noatime" ];
  };

  powerManagement.powertop.enable = true;
  powerManagement.scsiLinkPolicy = "med_power_with_dipm";

  # ---- users: declarative, SSH keys only ----
  users.mutableUsers = false;
  # NOTE(review): an empty hash is not a locked account — under ordinary
  # shadow(5) semantics it allows password-less login at the local console.
  # "!" would lock password login while keeping the SSH keys below; confirm
  # console access is not relied on as the fallback before changing it.
  users.users.root.hashedPassword = "";
  users.users.root.openssh.authorizedKeys.keys = adminKeys;
  users.users.emile = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = adminKeys;
  };

  environment.systemPackages = [ pkgs.vim pkgs.tailscale ];
  programs.mosh.enable = true;

  # ---- services ----
  # traffic metrics
  services.vnstat.enable = true;
  # ssh access: keys only, no password or keyboard-interactive prompts
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };
  # VPN
  services.tailscale.enable = true;
  # filesystem stuff: weekly scrub of the btrfs volumes
  services.btrfs.autoScrub = {
    enable = true;
    interval = "weekly";
  };
  # metric exporters (no openFirewall here, so presumably reachable only from
  # the host itself unless their ports are opened elsewhere)
  services.prometheus.exporters.node.enable = true;
  services.prometheus.exporters.systemd.enable = true;
  services.prometheus.exporters.smartctl.enable = true;
  # shares
  services.samba = {
    enable = true;
    # The firewall is opened for SMB on every interface; the `hosts allow`
    # list below is what restricts clients to Tailscale, loopback and the LAN.
    openFirewall = true;
    securityType = "user";
    extraConfig = ''
      workgroup = WORKGROUP
      server string = lampadas
      netbios name = lampadas
      security = user
      hosts allow = 100.64.0.0/255.192.0.0, 127.0.0.1/255.0.0.0, ::1, 192.168.0.
      hosts deny = 0.0.0.0/0
      guest account = nobody
      map to guest = bad user
      load printers = no
      server min protocol = SMB3
      server smb encrypt = required
      read raw = Yes
      write raw = Yes
      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
      min receivefile size = 16384
      use sendfile = true
      aio read size = 16384
      aio write size = 16384
      server multi channel support = yes
    '';
    shares = {
      # Guest-writable by every client the hosts list admits; everything
      # written lands owned by emile:users.
      public = {
        path = "/data/public";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "yes";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "emile";
        "force group" = "users";
        "comment" = "public data";
      };
      # Authenticated users only, otherwise the same layout as public.
      private = {
        path = "/data/private";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "emile";
        "force group" = "users";
        "comment" = "private data (no flags though)";
      };
      # Time Machine target: restricted to emile, with the Apple-compatibility
      # VFS modules enabled.
      time_machine = {
        path = "/data/time_machine";
        "public" = "no";
        "writeable" = "yes";
        "valid users" = "emile";
        "force user" = "emile";
        "fruit:aapl" = "yes";
        "fruit:time machine" = "yes";
        # Without this, server-side copies go Server -> Client -> Server
        # (macOS clients only).
        "fruit:copyfile" = "yes";
        "vfs objects" = "catia fruit streams_xattr";
        "comment" = "time machine backups";
      };
    };
  };

  # ---- system maintenance ----
  system.stateVersion = "23.11";
  system.autoUpgrade.enable = true;
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 14d";
  };
  nix.settings.auto-optimise-store = true;
}