Update loki configuration

2022-12-26 21:54:26 +01:00 · 2022-12-26 21:54:26 +01:00 · 55c1ffee33
commit 55c1ffee33
parent 091fc65b2f
9 changed files with 131 additions and 177 deletions
--- a/loki/configuration.nix
+++ b/loki/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ pkgs, lib, ... }:
 with lib; {
  boot = {
    binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
@ -140,13 +140,13 @@ with lib; {
        in
        {
          bertof = recursiveUpdate common {
-            path = "/mnt/raid0/bertof";
+            path = "/home/bertof/";
            comment = "Bertof samba share";
            "force user" = "bertof";
            "valid users" = "bertof";
          };
          tiziano = recursiveUpdate common {
-            path = "/mnt/raid0/tiziano";
+            path = "/home/tiziano/";
            comment = "Tiziano samba share";
            "force user" = "tiziano";
            "valid users" = "tiziano";
@ -160,27 +160,6 @@ with lib; {
            "force create mode" = "0660";
            "force directory mode" = "2770";
          };
-          bertof_safe = recursiveUpdate common {
-            path = "/mnt/raid1/bertof";
-            comment = "Bertof samba share";
-            "force user" = "bertof";
-            "valid users" = "bertof";
-          };
-          tiziano_safe = recursiveUpdate common {
-            path = "/mnt/raid1/tiziano";
-            comment = "Tiziano samba share";
-            "force user" = "tiziano";
-            "valid users" = "tiziano";
-          };
-          condiviso_safe = recursiveUpdate common {
-            path = "/mnt/raid1/condiviso";
-            comment = "Samba share condiviso";
-            "valid users" = "bertof tiziano";
-            "create mask" = "0770";
-            "directory mask" = "2770";
-            "force create mode" = "0660";
-            "force directory mode" = "2770";
-          };
        };
    };
    smartd = {
@ -248,9 +227,15 @@ with lib; {
    };
    tiziano = {
      isNormalUser = true;
+      extraGroups = [
+        "audio"
+        "input"
+        "video"
+      ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMExwtJFk6HjySrTZwJH67SOHC3hlL28NO4oe2GXsv6k"
      ];
+      shell = pkgs.zsh;
    };
    jellyfin.extraGroups = [ "video" ];
  };
@ -259,21 +244,34 @@ with lib; {
    configs =
      let
        commonExtraConfig = ''
-          ALLOW_USERS="bertof"
          TIMELINE_CREATE=yes
          TIMELINE_CLEANUP=yes
        '';
      in
      {
        bertof_raid0 = {
-          subvolume = "/mnt/raid0/bertof";
+          subvolume = "/home/bertof/raid0";
          extraConfig = ''
            ALLOW_USERS="bertof"
            ${commonExtraConfig}
          '';
        };
        tiziano_raid0 = {
-          subvolume = "/mnt/raid0/tiziano";
+          subvolume = "/home/tiziano/raid0";
+          extraConfig = ''
+            ALLOW_USERS="tiziano"
+            ${commonExtraConfig}
+          '';
+        };
+        bertof_raid1 = {
+          subvolume = "/home/bertof/raid1";
+          extraConfig = ''
+            ALLOW_USERS="bertof"
+            ${commonExtraConfig}
+          '';
+        };
+        tiziano_raid1 = {
+          subvolume = "/home/tiziano/raid1";
          extraConfig = ''
            ALLOW_USERS="tiziano"
            ${commonExtraConfig}
@ -286,73 +284,16 @@ with lib; {
            ${commonExtraConfig}
          '';
        };
+        condiviso_raid1 = {
+          subvolume = "/mnt/raid1/condiviso";
+          extraConfig = ''
+            ALLOW_USERS="bertof tiziano"
+            ${commonExtraConfig}
+          '';
+        };
      };
  };

-  systemd.packages = with pkgs; [ syncthing ];
-  systemd.services =
-    let
-      common = {
-        documentation = [ "man:syncthing(1)" ];
-        startLimitIntervalSec = 60;
-        startLimitBurst = 4;
-        after = [ "network.target" ];
-        environment = {
-          STNORESTART = "yes";
-          STNOUPGRADE = "yes";
-        };
-        wantedBy = [ "default.target" ];
-        serviceConfig = {
-          Restart = "on-failure";
-          RestartSec = 1;
-          SuccessExitStatus = "3 4";
-          RestartForceExitStatus = "3 4";
-
-          Group = config.ids.gids.users;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectControlGroups = true;
-          ProtectHostname = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          CapabilityBoundingSet = [
-            "~CAP_SYS_PTRACE"
-            "~CAP_SYS_ADMIN"
-            "~CAP_SETGID"
-            "~CAP_SETUID"
-            "~CAP_SETPCAP"
-            "~CAP_SYS_TIME"
-            "~CAP_KILL"
-          ];
-        };
-      };
-    in
-    {
-      syncthing-bertof = recursiveUpdate common {
-        description = "Syncthing service bertof";
-        serviceConfig = {
-          User = "bertof";
-          ExecStart =
-            "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid0/bertof/Syncthing/.config";
-        };
-      };
-      syncthing-tiziano = recursiveUpdate common {
-        description = "Syncthing service tiziano";
-        serviceConfig = {
-          User = "tiziano";
-          ExecStart =
-            "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid0/tiziano/Syncthing/.config";
-        };
-      };
-    };
-
  networking.firewall = {
    enable = true;
    allowPing = true;