fixes and docs

docs/systems/jallen-nas.md

@@ -1,101 +1,104 @@
 # NAS Server (jallen-nas)
 
-This document describes the configuration for the NAS server system.
+`systems/x86_64-linux/jallen-nas/`
 
 ## Hardware
 
-The NAS server is built on AMD hardware:
+- **CPU**: AMD (x86_64)
+- **GPU**: AMD (LACT for fan/power control)
+- **Disk**: NVMe system drive + bcachefs NAS pool
+- **Security**: TPM2 (Clevis disk unlock), Lanzaboote (Secure Boot)
 
-- CPU: AMD processor
-- Hardware-specific modules:
-  - `nixos-hardware.nixosModules.common-pc`
-  - `nixos-hardware.nixosModules.common-cpu-amd`
-  - `nixos-hardware.nixosModules.common-cpu-amd-pstate`
-  - `nixos-hardware.nixosModules.common-hidpi`
+## Key Features
 
-## Services
+- bcachefs storage pool mounted at `/media/nas/main`
+- Clevis-based TPM disk unlock at boot (no passphrase required)
+- Impermanence — root is ephemeral; state persists to `/media/nas/main/persist`
+- Samba shares (Windows file sharing, Time Machine)
+- Nebula VPN node (overlay peer, lighthouse at pi5)
+- ~40 self-hosted services behind a Caddy reverse proxy
+- Authentik SSO protecting most web UIs
+- CrowdSec for intrusion detection
+- Restic backups
 
-The NAS hosts various services:
+## Network
 
-### Media Services
+- **LAN IP**: 10.0.1.3 (static, `enp197s0`)
+- **Gateway**: 10.0.1.1
+- **Nebula**: overlay peer, lighthouse at `mjallen.dev:4242`
 
-- **Jellyfin** - Media server
-- **Jellyseerr** - Media request manager
-- **Sonarr** - TV show management
-- **Radarr** - Movie management
-- **Lidarr** - Music management
-- **Bazarr** - Subtitle management
-- **Music Assistant** - Music streaming integration with Home Assistant
+## Storage
 
-### Download Services
+| Mount | Filesystem | Description |
+|---|---|---|
+| `/media/nas/main` | bcachefs | Primary NAS pool (media, appdata, documents) |
+| `/media/nas/test` | bcachefs | Secondary test pool |
 
-- **Transmission** - Torrent client
-- **NZBGet** - Usenet downloader
-- **Prowlarr** - Indexer manager
+### Samba Shares
 
-### Document Management
+| Share | Time Machine |
+|---|---|
+| `3d_printer` | no |
+| `Backup` | no |
+| `Documents` | no |
+| `isos` | no |
+| `app_data` | no |
+| `TimeMachine` | yes (max 1 TB) |
 
-- **Paperless-ngx** - Document management system
+## Enabled Services
 
-### File Sharing
+| Service | Port | Notes |
+|---|---|---|
+| Caddy | 443/80 | Reverse proxy for all services |
+| Authentik | 9000 | SSO / identity provider |
+| Attic | 9012 | Nix binary cache (`cache.mjallen.dev`) |
+| Immich | 2283 | Photo management |
+| Jellyfin | 8096 | Media server |
+| Jellyseerr | 5055 | Media request manager |
+| Nextcloud | 9988 | Cloud storage |
+| Paperless | 28981 | Document management |
+| Paperless AI | 28982 | AI-assisted document tagging |
+| Gitea | 3000 | Self-hosted Git |
+| Matrix | 8448 | Matrix homeserver |
+| Ntfy | 2586 | Push notifications |
+| Glance | 5555 | Dashboard |
+| Immich | 2283 | Photo library |
+| Uptime Kuma | 3001 | Uptime monitoring |
+| Code Server | 4444 | VS Code in the browser |
+| Cockpit | 9090 | System management UI |
+| Collabora | 9980 | Online office suite |
+| CrowdSec | 8181 | Intrusion detection |
+| Glances | 61208 | System stats |
+| Coturn | 3478 | TURN/STUN server |
+| Nebula | 4242 | Overlay VPN node |
+| Restic | 8008 | Backup service |
+| Sunshine | 47989 | Remote desktop (Moonlight) |
+| Unmanic | 8265 | Media transcoding |
+| Lubelogger | 6754 | Vehicle maintenance log |
+| Manyfold | 3214 | 3D model library |
+| Booklore | 6066 | Book library |
+| Tunarr | 8000 | Virtual TV channels |
+| Termix | 7777 | Web terminal |
+| Sparky Fitness | 3004/3010 | Fitness tracking |
+| Protonmail Bridge | 1025/1143 | SMTP/IMAP bridge |
+| Arrs | various | Sonarr, Radarr, etc. |
+| AI | various | Ollama, etc. |
+| Wyoming | various | Voice assistant pipeline |
 
-- **Samba** - Windows file sharing
-- **Nextcloud** - Self-hosted cloud storage
+## Configuration Files
 
-### AI Services
+| File | Purpose |
+|---|---|
+| `default.nix` | Main config — network, hardware, filesystems, packages |
+| `apps.nix` | All service enable/disable declarations |
+| `nas-defaults.nix` | Sets `configDir`/`dataDir` defaults for all services |
+| `boot.nix` | Lanzaboote, kernel, initrd |
+| `services.nix` | Home Assistant, samba, and other platform services |
+| `users.nix` | User accounts (`admin`, `nix-apps`) |
+| `sops.nix` | Secret declarations |
+| `vpn.nix` | Nebula VPN configuration |
+| `disabled.nix` | Services explicitly disabled |
 
-- **Ollama** - Local AI model hosting
+## Secrets
 
-### Smart Home
-
-- **Home Assistant** - Smart home controller
-- **Zigbee2MQTT** - Zigbee device integration
-- **MQTT** - Message broker for IoT devices
-- **Thread Border Router** - Thread network for smart home devices
-
-## Storage Configuration
-
-The NAS uses multiple storage devices:
-
-1. **System Drive** - For the operating system
-2. **Data Drives** - Configured as a storage array for media and data
-
-## Network Configuration
-
-The NAS is configured with:
-
-- Static IP address
-- Firewall rules for the various services
-- Tailscale for secure remote access
-
-## Backup Strategy
-
-The NAS implements a comprehensive backup strategy:
-
-1. **System Backup** - Regular backups of the NixOS configuration
-2. **Data Backup** - Backups of important data to secondary storage
-3. **Off-site Backup** - Critical data is backed up off-site
-
-## Usage and Management
-
-### Accessing Services
-
-Most services are available through a reverse proxy, which provides:
-- HTTPS access
-- Authentication via Authentik
-- Subdomain-based routing
-
-### Adding Storage
-
-To add additional storage to the NAS:
-
-1. Add the physical drive to the system
-2. Update the disko configuration
-3. Rebuild the system with `nixos-rebuild switch`
-
-### Monitoring
-
-The system can be monitored through:
-- Prometheus metrics
-- Grafana dashboards
-- Home Assistant sensors
+Secrets are in `secrets/nas-secrets.yaml`, encrypted for: `matt`, `desktop`, `admin`, `jallen-nas`.