{
config,
lib,
# globals,
...
}:
{
# Physical disk layout handed to disko.
#
# Every device is addressed via /dev/disk/by-id with the identifier pulled from
# `config.secrets.secrets.local.disko.*`, so hardware serials stay out of the
# public part of the config. The helpers used here (`lib.disko.gpt.*`,
# `lib.disko.content.*`, `lib.disko.zfs.*`) are project-local; their exact
# behaviour (LUKS key source, cipher, dataset properties) is not visible in
# this file.
disko.devices = {
  disk = {
    # OS drive. `rec` so the partitions can refer back to `device` for their
    # `-partN` paths.
    internal-ssd = rec {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.nvme}";
      content = with lib.disko.gpt; {
        type = "gpt";
        partitions = {
          # EFI system partition. An ESP is necessarily unencrypted, so the
          # kernel and initrd (including whatever prompts for / fetches the
          # LUKS key) sit here in the clear. NOTE(review): nothing in this
          # file authenticates the boot chain (Secure Boot / lanzaboote); if
          # that is not configured elsewhere, the unlock path is tamperable by
          # anyone with physical access — confirm.
          boot = (partEfi "1GiB") // {
            device = "${device}-part1";
          };
          # Rest of the disk: LUKS container "ssd" carrying the "rpool" pool
          # (the pool itself is declared under `zpool` below).
          rpool = (partLuksZfs "ssd" "rpool" "100%") // {
            device = "${device}-part2";
          };
        };
      };
    };
    # Bulk storage. Each disk is consumed whole by `luksZfs <name> <pool>`:
    # three 4TB disks feed "renaultft", three 8TB disks feed "panzer". The
    # second argument matches the pool names under `zpool`; the first is
    # presumably the LUKS mapper name — verify against the helper.
    "4TB-hdd-1" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."4TB-1"}";
      content = lib.disko.content.luksZfs "hdd-4TB-1" "renaultft";
    };
    "4TB-hdd-2" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."4TB-2"}";
      content = lib.disko.content.luksZfs "hdd-4TB-2" "renaultft";
    };
    "4TB-hdd-3" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."4TB-3"}";
      content = lib.disko.content.luksZfs "hdd-4TB-3" "renaultft";
    };
    "8TB-hdd-1" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."8TB-1"}";
      content = lib.disko.content.luksZfs "hdd-8TB-1" "panzer";
    };
    "8TB-hdd-2" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."8TB-2"}";
      content = lib.disko.content.luksZfs "hdd-8TB-2" "panzer";
    };
    "8TB-hdd-3" = {
      type = "disk";
      device = "/dev/disk/by-id/${config.secrets.secrets.local.disko."8TB-3"}";
      content = lib.disko.content.luksZfs "hdd-8TB-3" "panzer";
    };
  };

  # Pool definitions; `mkZpool`, `impermanenceZfsDatasets` and `unmountable`
  # come from the project's `lib.disko.zfs`.
  zpool = with lib.disko.zfs; {
    # Root pool with the impermanence dataset layout (presumably the
    # rpool/local and rpool/safe subtrees that zrepl snapshots further down).
    rpool = mkZpool { datasets = impermanenceZfsDatasets; };
    # Three-disk raidz on the 8TB drives: single parity, i.e. survives one
    # disk failure, assuming `mode` is passed straight to `zpool create`.
    # "safe/guests" is created but not mounted on the host.
    panzer = mkZpool {
      datasets = {
        "safe/guests" = unmountable;
      };
      mode = "raidz";
    };
    # Same layout on the 4TB drives.
    renaultft = mkZpool {
      datasets = {
        "safe/guests" = unmountable;
      };
      mode = "raidz";
    };
  };
};
# Raise the per-user inotify instance cap above the kernel default of 128.
boot.kernel.sysctl = {
  "fs.inotify.max_user_instances" = 1024;
};
# Local ZFS snapshot schedule via zrepl.
#
# Only a `snap` job is configured: snapshots are taken on the same pools they
# protect and nothing replicates them elsewhere (the push job is stubbed out
# below). That guards against accidental deletion or a bad rollback, but not
# against pool loss or an attacker with root on this host, who can destroy
# the snapshots along with the data — an off-host target would close that gap.
services.zrepl = {
  enable = true;
  settings = {
    global = {
      logging = [
        {
          type = "syslog";
          level = "info";
          format = "human";
        }
      ];
      # TODO Monitoring
    };
    jobs = [
      # Replication to a remote is not wired up yet.
      #{
      # type = "push";
      # name = "push-to-remote";
      #}
      {
        type = "snap";
        name = "mach-schnipp-schusss";
        # Trailing `<` = the dataset and all of its children. Only the listed
        # subtrees of rpool are covered; other rpool/local children are not.
        filesystems = {
          "panzer<" = true;
          "rpool/local/state<" = true;
          "rpool/local/guests<" = true;
          "rpool/safe<" = true;
          "renaultft<" = true;
        };
        # A snapshot every 10 minutes, named zrepl-<ISO 8601 timestamp>.
        snapshotting = {
          type = "periodic";
          prefix = "zrepl-";
          interval = "10m";
          timestamp_format = "iso-8601";
        };
        pruning = {
          keep = [
            # Never prune snapshots that zrepl did not create, so manual or
            # third-party snapshots survive untouched.
            {
              type = "regex";
              regex = "^zrepl-.*$";
              negate = true;
            }
            # Retention grid for zrepl's own snapshots, newest bucket first
            # (per zrepl's grid syntax, `keep` defaults to 1 when omitted):
            # everything for the first day, then 2 per hour for 142 hours,
            # 2 per day for 90 days, then one per week for 500 weeks.
            {
              type = "grid";
              grid = lib.concatStringsSep " | " [
                "1x1d(keep=all)"
                "142x1h(keep=2)"
                "90x1d(keep=2)"
                "500x7d"
              ];
              regex = "^zrepl-.*$";
            }
          ];
        };
      }
    ];
  };
};
# WireGuard server endpoint for the "scrtiny-patrick" tunnel (the option tree
# is the project's own `wireguard` module, not the nixpkgs one).
# NOTE(review): `host` is hard-coded to the literal 3.3.3.3 while the intended
# `globals.domains.web` is commented out (as is the `globals` module argument at
# the top of this file). Confirm this is the real public endpoint and not a
# placeholder left over from a redaction — peers would otherwise be handed a
# wrong endpoint.
wireguard.scrtiny-patrick.server.host = "3.3.3.3"; # was: globals.domains.web
wireguard.scrtiny-patrick.server.port = 51831;
# Address ranges available to peers on this tunnel (IPv4 and IPv6).
wireguard.scrtiny-patrick.server.reservedAddresses = [
  "10.44.0.0/16"
  "fd00:1766::/112"
];
# Presumably opens `port` in the host firewall; the tunnel interface itself is
# classified by the nftables zone assignment that follows in this file.
wireguard.scrtiny-patrick.server.openFirewall = true;
# Traffic arriving over the WireGuard tunnel is deliberately put in the
# "untrusted" zone rather than any more permissive one, so VPN peers do not
# inherit LAN-level trust.
networking.nftables.firewall.zones.untrusted = {
  interfaces = [ "scrtiny-patrick" ];
};
# Scrutiny S.M.A.R.T. dashboard, with the collector feeding this host's drives
# into the local instance.
services.scrutiny.enable = true;
# NOTE(review): `openFirewall` exposes the web UI port on every interface
# (subject to how the nftables zone firewall maps
# `networking.firewall.allowedTCPPorts`), and upstream Scrutiny ships without
# built-in authentication. If the dashboard is only meant to be reachable over
# the WireGuard tunnel, scope the rule to that zone instead of opening it
# globally — confirm the intended exposure.
services.scrutiny.openFirewall = true;
services.scrutiny.collector.enable = true;
# Identifier under which this machine's drives show up in the dashboard.
services.scrutiny.collector.settings.host.id = "elisabeth";
# Keep InfluxDB's data (presumably Scrutiny's metrics store) across reboots of
# the ephemeral root: owner-only permissions, owned by the service user.
environment.persistence."/persist".directories = [
  { directory = "/var/lib/influxdb2"; mode = "0700"; user = "influxdb2"; }
];
# Scrutiny's state lives under /var/lib/private, the location systemd uses for
# StateDirectory of DynamicUser services, which is presumably why no owner is
# set here (systemd fixes ownership up at service start — verify against the
# unit). Persisted on /state rather than /persist.
environment.persistence."/state".directories = [
  { directory = "/var/lib/private/scrutiny"; mode = "0700"; }
];
# Both persistence roots must be mounted in the initrd so impermanence can bind
# their contents before the rest of the system starts.
fileSystems = {
  "/state".neededForBoot = true;
  "/persist".neededForBoot = true;
};
# The two data pools sit on LUKS containers, so their initrd import has to wait
# until cryptsetup has opened them. rpool is not listed here — presumably the
# disko `partLuksZfs` wiring orders that one itself; verify.
boot.initrd.systemd.services = lib.genAttrs [ "zfs-import-panzer" "zfs-import-renaultft" ] (_: {
  after = [ "cryptsetup.target" ];
});
}