diff --git a/nixos/loki.nix b/nixos/loki.nix
index 029c7f7..5a8ab4b 100644
--- a/nixos/loki.nix
+++ b/nixos/loki.nix
@@ -70,14 +70,69 @@
 environment.pathsToLink = [ "/share/zsh" ];
 services = {
- avahi = { enable = true; nssmdns = true; };
+ avahi = {
+ enable = true;
+ openFirewall = true;
+ nssmdns = true;
+ publish = { enable = true; addresses = true; userServices = true; };
+ extraServiceFiles = {
+ ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
+ smb = ''%h_smb._tcp445'';
+ };
+ };
 blueman.enable = true;
 dbus.packages = with pkgs; [ gnome.dconf ];
+ fail2ban = { enable = true; bantime-increment.enable = true; };
 gnome.gnome-keyring.enable = true;
 gvfs = { enable = true; package = lib.mkForce pkgs.gnome3.gvfs; };
 logind.lidSwitch = "ignore";
- openssh.enable = true;
+ openssh = { enable = true; openFirewall = true; permitRootLogin = "no"; passwordAuthentication = false; };
+ plex = { enable = true; openFirewall = true; group = "users"; };
 power-profiles-daemon.enable = true;
+ samba = {
+ enable = true;
+ enableNmbd = true;
+ enableWinbindd = true;
+ nsswins = true;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ load printers = no
+ smb encrypt = required
+ '';
+ shares = let common = {
+ "public" = "no";
+ "writeable" = "yes";
+ "create mask" = "0700";
+ "directory mask" = "2700";
+ "browseable" = "yes";
+ "guest ok" = "no";
+ "read only" = "no";
+ "force group" = "users";
+ }; in
+ {
+ bertof = common // {
+ path = "/mnt/raid/bertof";
+ comment = "Bertof samba share";
+ "force user" = "bertof";
+ "valid users" = "bertof";
+ };
+ tiziano = common // {
+ path = "/mnt/raid/tiziano";
+ comment = "Tiziano samba share";
+ "force user" = "tiziano";
+ "valid users" = "tiziano";
+ };
+ condiviso = common // {
+ path = "/mnt/raid/condiviso";
+ comment = "Samba share condiviso";
+ "valid users" = "bertof tiziano";
+ "create mask" = "0770";
+ "directory mask" = "2770";
+ "force create mode" = "0660";
+ "force directory mode" = "2770";
+ };
+ };
+ };
 smartd = { enable = true; notifications.x11.enable = true; };
 thermald.enable = true;
 zerotierone = { enable = true; joinNetworks = [
 "8056c2e21cf9c753" ]; };
@@ -98,6 +153,44 @@
 # };
 # };
+
+ systemd.packages = with pkgs; [ syncthing ];
+ systemd.services = let common = {
+ after = [ "network.target" ];
+ environment = { STNORESTART = "yes"; STNOUPGRADE = "yes"; };
+ wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Restart = "on-failure";
+ SuccessExitStatus = "2 3 4";
+ RestartForceExitStatus = "3 4";
+ Group = config.ids.gids.users;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ CapabilityBoundingSet = [ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" "~CAP_SYS_TIME" "~CAP_KILL" ];
+ };
+ }; in
+ {
+ syncthing-bertof = common // {
+ description = "Syncthing service bertof";
+ serviceConfig = { User = "bertof"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid/bertof/Syncthing/.config"; };
+ };
+ syncthing-tiziano = common // {
+ description = "Syncthing service tiziano";
+ serviceConfig = { User = "tiziano"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid/tiziano/Syncthing/.config"; };
+ };
+ };
+
 virtualisation = {
 docker.enable = true;
 kvmgt.enable = true;
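Review bot: `plex = { enable = true; openFirewall = true; group = "users"; }` puts the network-exposed Plex service in the same group the samba shares are forced into via `"force group" = "users"`, so everything written through the `condiviso` share with its `"create mask" = "0770"` / `"directory mask" = "2770"` is also writable by the Plex process; if Plex only needs to read media, a dedicated read-only group or ACL on the media paths would keep a compromised Plex from altering the share (the `bertof`/`tiziano` shares are unaffected since their masks are `0700`/`2700`). The avahi `extraServiceFiles.smb` value `''%h_smb._tcp445''` is not a valid avahi service file as shown — presumably it is the XML service-group markup with the tags lost in rendering, but it is worth confirming the committed file still carries the full XML. With `publish.addresses`/`userServices` and avahi's `openFirewall = true`, the host now announces SSH and SMB to the whole link; the SSH settings (`permitRootLogin = "no"`, `passwordAuthentication = false`), fail2ban and `smb encrypt = required` mitigate this, but nothing in this hunk opens the SMB ports in the firewall, so check that the advertised share is reachable only where intended. The enclosing `services = {` attribute set closes after the hunk.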