
            
            

1. lampadas

The NAS

1. lampadas
1.1. Setup
1.2. Installation
1.2.1. partitions
1.2.1.1. system drive
1.2.1.2. data drives
1.2.2. luks
1.2.2.1. system drive
1.2.2.2. data drives
1.2.3. filesystems
1.2.3.1. system drive
1.2.3.2. data drives
1.2.4. mount stuff
1.2.5. nixos install
2. Troubleshooting
3. Nix foo

            
            

1.1. Setup

motherboard: Asrock n100m
ram: idk.
data drives: 1TB Evo 970 + 1TB Evo 960 pro
system drive: 128GB Intenso

sda (1TB SSD)
  sda1
    luks
      btrfs raid1 (data)

sdb (1TB SSD)
  sdb1
    luks
      btrfs raid1 (data)

sdc (128GB SSD)
  sdc1
    btrfs (root)
  sdc2
    fat32 (boot)


1.2. Installation


            
            

1.2.1. partitions


            
            

1.2.1.1. system drive

# System drive (/dev/sdc): new GPT label with two partitions.
#   1: root  512MB..100%  (later LUKS + btrfs, see 1.2.2 / 1.2.3)
#   2: ESP   1MB..512MB   (FAT32, esp flag set for systemd-boot)
# Destructive: rewrites the partition table of the named disk.
disk=/dev/sdc
parted --script --align optimal "$disk" -- mklabel gpt
parted --script --align optimal "$disk" -- mkpart root 512MB 100%
parted --script --align optimal "$disk" -- mkpart ESP fat32 1MB 512MB
parted --script --align optimal "$disk" -- set 2 esp on

1.2.1.2. data drives

# Data drives: one GPT label and a single partition from 512MB to the end
# on each disk. Destructive: rewrites both partition tables.
for disk in /dev/sda /dev/sdb; do
  parted --script --align optimal "$disk" -- mklabel gpt mkpart root 512MB 100%
done

1.2.2. luks

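# Fetch the LUKS passphrase from the LAN staging host.
# -f: fail on an HTTP error instead of saving the error body under the key's
#     name (without it a 404 page would silently become the passphrase that
#     luksFormat below is fed).
# The transfer is plain HTTP on the local network and the file lands in the
# current directory of the installer; remove it once the volumes are open.
curl -fO http://192.168.1.102:8080/lampadas_luks_key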

1.2.2.1. system drive

# System drive: format sdc1 as LUKS with the fetched passphrase, then open it
# as /dev/mapper/luksroot1. No --key-file is given, so cryptsetup treats the
# piped stdin as a typed passphrase (read up to the first newline) — presumably
# the same string that will be typed at the boot prompt later; keep both steps
# using the same input method.
key=lampadas_luks_key
part=/dev/sdc1
cat "$key" | cryptsetup luksFormat "$part"
cat "$key" | cryptsetup luksOpen "$part" luksroot1

1.2.2.2. data drives

# Data drives: format each partition with the shared passphrase and open it
# under its mapper name (sda1 -> luksdata1, sdb1 -> luksdata2). As for the
# system drive, stdin is taken as a passphrase, not as a raw key file.
key=lampadas_luks_key
for target in /dev/sda1:luksdata1 /dev/sdb1:luksdata2; do
  part=${target%%:*}
  name=${target##*:}
  cat "$key" | cryptsetup luksFormat "$part"
  cat "$key" | cryptsetup luksOpen "$part" "$name"
done

1.2.3. filesystems


            
            

1.2.3.1. system drive

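rootdev=/dev/mapper/luksroot1

# Root filesystem on the opened LUKS volume, split into subvolumes so each
# mount point can carry its own options.
mkfs.btrfs -L root1 "$rootdev"
mkdir -p /mnt
mount "$rootdev" /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/nix
umount /mnt

# Mount the root subvolume first and create the home/nix mount points *inside*
# it. The original ran `mkdir /mnt/{home,nix}` before mounting root, so the
# directories ended up on the installer's own /mnt and were hidden by the
# (empty) root subvolume, leaving the next two mounts without a target.
# Mounting by device path instead of `btrfs fi show | grep` avoids picking
# up more than one UUID once several btrfs filesystems are visible.
mount -o compress=zstd,subvol=root "$rootdev" /mnt
mkdir -p /mnt/{home,nix}
mount -o compress=zstd,subvol=home "$rootdev" /mnt/home
# (the original line was missing the space between `subvol=nix` and `/mnt/nix`)
mount -o compress=zstd,noatime,subvol=nix "$rootdev" /mnt/nix

# ESP, found later via /dev/disk/by-label/boot.
mkfs.fat -F 32 -n boot /dev/sdc2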

1.2.3.2. data drives

create the btrfs filesystems on the opened LUKS volumes:

# One btrfs filesystem per opened data volume (labels data1 / data2), then
# mount the first one; the second is joined to it in the next step.
for n in 1 2; do
  mkfs.btrfs -L "data$n" "/dev/mapper/luksdata$n"
done
mkdir -p /mnt/data
mount /dev/mapper/luksdata1 /mnt/data

add the second device (-f is needed because the second drive already carries a btrfs filesystem):

# Join the second opened volume to the filesystem mounted at /mnt/data.
# -f overrides the check that luksdata2 already holds a btrfs filesystem
# (created in the previous step). The pool is not raid1 yet at this point;
# that only happens with the balance below.
btrfs device add -f /dev/mapper/luksdata2 /mnt/data

balance the raid1 (-dconvert converts data chunks, -mconvert converts metadata chunks)

# Convert both data (-dconvert) and metadata (-mconvert) chunks to raid1 so
# every block lives on both drives. This rewrites the existing chunks and
# can take a while on 1TB devices.
btrfs balance start -dconvert=raid1 -mconvert=raid1 /mnt/data

1.2.4. mount stuff

# Mount the ESP under the target root. umask=077 keeps /boot root-only, which
# matters because the initrd sits unencrypted on this partition (and,
# presumably via the initrd secrets mechanism, so does the initrd ssh host
# key configured in configuration.nix — confirm).
mkdir /mnt/boot
mount -o umask=077 /dev/disk/by-label/boot /mnt/boot

1.2.5. nixos install

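# Generate hardware-configuration.nix and a default configuration.nix for
# the target root.
nixos-generate-config --root /mnt

# The generated files live under the *target* root. The original did
# `cd /etc/nixos`, i.e. the installer's own directory, so the fetched
# configuration.nix would never have been seen by nixos-install (which reads
# /mnt/etc/nixos/configuration.nix).
cd /mnt/etc/nixos
mv configuration.nix config_orig.nix
# -f: an HTTP error must not leave an error page named configuration.nix.
# The file arrives over plain HTTP on the LAN, so its integrity rests on that
# network; look it over before running nixos-install.
curl -fO http://192.168.1.102:8080/configuration.nix

# Host key for the initrd sshd (LUKS unlock prompt over ssh). configuration.nix
# expects it at /initrd_ssh_host_key_ed25519 on the root filesystem, so
# generate it there directly rather than in the cwd + cp (which left a second
# copy of the private key in /etc/nixos). The .pub half is not needed.
ssh-keygen -t ed25519 -N "" -f /mnt/initrd_ssh_host_key_ed25519

nixos-install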

2. Troubleshooting

boot into a nixos installer image

open the LUKS volumes:

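# Fetch the passphrase again (-f so an HTTP error is not saved as the key;
# plain HTTP on the LAN, remove the file when done).
curl -fO http://192.168.1.102:8080/lampadas_luks_key

# Open the volumes under the same mapper names used at install time (1.2.2):
# root on sdc1, data on sda1/sdb1. The original opened sda1 and sdb1 as
# luksroot1/luksroot2, which does not match the layout in 1.1 — and device
# letters are not stable across boots anyway, so confirm them with `lsblk`
# (or `cryptsetup isLuks <dev>`) before running these.
cat lampadas_luks_key | cryptsetup luksOpen /dev/sdc1 luksroot1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sda1 luksdata1
cat lampadas_luks_key | cryptsetup luksOpen /dev/sdb1 luksdata2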

figure out the uuid using `btrfs fi show` and insert it at the beginning of the
search term used in the grep below in order to mount the drives:

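# Pick the root filesystem's UUID out of `btrfs fi show` (the prefix is what
# disambiguates it once the data pool is visible too — see the note above).
# `blkid -s UUID -o value /dev/mapper/luksroot1` is an unambiguous alternative.
uuid=$(btrfs fi show | grep -Eo "c9[0-9a-z-]{16,}")

# Mount the root subvolume first, then make sure the nested mount points exist
# inside it. The original created /mnt/{home,nix} before mounting root, where
# the root mount would hide them.
mount UUID="$uuid" -o compress=zstd,subvol=root /mnt
mkdir -p /mnt/{home,nix,boot}
mount UUID="$uuid" -o compress=zstd,subvol=home /mnt/home
mount UUID="$uuid" -o compress=zstd,noatime,subvol=nix /mnt/nix

# Same umask as at install time (1.2.4) so the ESP and the initrd on it stay
# root-only.
mount -o umask=077 /dev/disk/by-label/boot /mnt/boot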

3. Nix foo

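# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# lampadas: headless NixOS NAS. Root and data sit on LUKS volumes whose
# passphrase is entered over ssh in the initrd; storage is exported via Samba.
{ pkgs, ... }:
let
  # Public keys accepted by the initrd sshd and, on the booted system, by
  # both root and emile.
  emile_keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk"
  ];
in {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # Bring the NIC up in the initrd so the passphrase can be entered remotely.
    kernelParams = [ "ip=dhcp" ];
    initrd = {
      # Realtek NIC driver, needed before the root fs is unlocked.
      availableKernelModules = [ "r8169" ];
      # NOTE(review): this only applies to the systemd-based initrd
      # (boot.initrd.systemd.enable is not set here); the postCommands
      # .profile below is the scripted-initrd equivalent. Presumably both are
      # kept so either flavour lands straight in the passphrase prompt — confirm.
      systemd.users.root.shell = "/bin/cryptsetup-askpass";
      network = {
        enable = true;
        ssh = {
          enable = true;
          # NOTE(review): same port as the installed system's sshd but a
          # different host key, so clients see a host-key mismatch for
          # lampadas:22 between the unlock prompt and the booted system. A
          # dedicated port (e.g. 2222) keeps the two known_hosts entries apart.
          port = 22;
          # Generated at install time and placed at the root of the root fs
          # (1.2.5). It is bundled into the initrd, i.e. it lives unencrypted on
          # the ESP — keep /boot mounted with umask=077 as in the install notes
          # (the installed mount options come from hardware-configuration.nix,
          # not shown here).
          hostKeys = ["/initrd_ssh_host_key_ed25519"];
          authorizedKeys = emile_keys;
        };
        postCommands = ''
          echo 'cryptsetup-askpass' > /root/.profile
        '';
      };
    };
  };
  fileSystems = {
    # Devices and subvolumes come from hardware-configuration.nix; only the
    # mount options are pinned here (matching 1.2.3.1).
    "/".options = ["compress=zstd"];
    "/home".options = ["compress=zstd"];
    "/nix".options = ["compress=zstd" "noatime"];
  };
  networking = {
    hostName = "lampadas";
    # Default-deny; only services that opt in (samba below) get ports opened.
    firewall.enable = true;
  };
  time.timeZone = "Europe/Berlin";
  powerManagement = {
    powertop.enable = true;
    scsiLinkPolicy = "med_power_with_dipm";
  };
  users = {
    # Declarative accounts only: passwd/useradd changes do not persist.
    mutableUsers = false;
    users = {
      root = {
        # Locked password: root is reachable only with the ssh keys above.
        # The original had `hashedPassword = ""`, which writes an *empty*
        # password field — the same setting the NixOS installer media use to
        # allow passwordless root login at the console. "!" disables password
        # login while leaving key-based ssh intact.
        hashedPassword = "!";
        openssh.authorizedKeys.keys = emile_keys;
      };
      emile = {
        isNormalUser = true;
        # NOTE(review): wheel grants sudo, but no password is set for emile, so
        # sudo will prompt for one that cannot be supplied; presumably admin
        # work happens as root over ssh — confirm that is intended.
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = emile_keys;
      };
    };
  };
  environment.systemPackages = with pkgs; [ vim tailscale ];
  programs.mosh.enable = true;
  services = {
    # traffic metrics
    vnstat.enable = true;
    # ssh access: key-only, no password or keyboard-interactive fallback
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };
    # VPN (tailnet addresses fall in 100.64.0.0/10, allowed by samba below)
    tailscale.enable = true;
    # filesystem stuff: weekly scrub surfaces silent corruption on the raid1 pool
    btrfs = {
      autoScrub.enable = true;
      autoScrub.interval = "weekly";
    };
    # metric exporters (no firewall ports are opened for them here)
    prometheus.exporters = {
      node.enable = true;
      systemd.enable = true;
      smartctl.enable = true;
    };
    # shares
    samba = {
      enable = true;
      # Opens the SMB ports on every interface; reachability is then narrowed
      # by the hosts allow / hosts deny lines in extraConfig.
      openFirewall = true;
      securityType = "user";
      # extraConfig notes:
      #  - `security = user` duplicates securityType above (harmless).
      #  - hosts allow: 100.64.0.0/10 (tailnet), loopback, and 192.168.0.x.
      #    NOTE(review): the install notes fetch from a 192.168.1.x host —
      #    confirm the LAN prefix is really 192.168.0. and not 192.168.1.
      #  - `server min protocol = SMB3` + `server smb encrypt = required` force
      #    encrypted SMB3 for every client, guests on `public` included.
      #  - the remaining lines are throughput tuning.
      extraConfig = ''
        workgroup = WORKGROUP
        server string = lampadas
        netbios name = lampadas
        security = user
        hosts allow = 100.64.0.0/255.192.0.0, 127.0.0.1/255.0.0.0, ::1, 192.168.0.
        hosts deny = 0.0.0.0/0
        guest account = nobody
        map to guest = bad user
        load printers = no
        server min protocol = SMB3
        server smb encrypt = required 
        read raw = Yes
        write raw = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
        min receivefile size = 16384
        use sendfile = true
        aio read size = 16384
        aio write size = 16384
        server multi channel support = yes
      '';
      shares = {
        # Anonymous read/write: unknown users are mapped to `nobody` by
        # `map to guest = bad user`, and every write lands as emile:users via
        # force user / force group.
        public = {
          path = "/data/public";
          "browseable" = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "emile";
          "force group" = "users";
          "comment" = "public data";
        };
        # Authenticated users only (guest ok = no); writes still land as emile.
        private = {
          path = "/data/private";
          "browseable" = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "emile";
          "force group" = "users";
          "comment" = "private data (no flags though)";
        };
        # macOS Time Machine target, restricted to emile; the catia/fruit/
        # streams_xattr VFS stack supplies the Apple extensions it needs.
        time_machine = {
          path = "/data/time_machine";
          "public" = "no";
          "writeable" = "yes";
          "valid users" = "emile";
          "force user" = "emile";
          "fruit:aapl" = "yes";
          "fruit:time machine" = "yes";
          # otherwise, copying on the server happens Server -> Client ->
          # Server (but only on macos)
          "fruit:copyfile" = "yes";
          "vfs objects" = "catia fruit streams_xattr";
          "comment" = "time machine backups";
        };
      };
    };
  };
  system = {
    stateVersion = "23.11";
    # Unattended upgrades; the gc schedule below keeps old generations from
    # filling the small (128GB) system drive.
    autoUpgrade.enable = true;
  };
  nix = {
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 14d";
    };
    settings = {
      auto-optimise-store = true;
    };
  };
}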



