diff --git a/lib/network/default.nix b/lib/network/default.nix
index 175a502..a7b4a48 100755
--- a/lib/network/default.nix
+++ b/lib/network/default.nix
@@ -99,6 +99,7 @@
 # ---- pi5 services --------------------------------------------------
 pi5 = {
 adguard = 3000;
+ attic = 9012;
 nebula = 4242;
 dns = 53;
 };
diff --git a/systems/aarch64-linux/pi5/default.nix b/systems/aarch64-linux/pi5/default.nix
index 1fe5e3f..a4c9ca1 100755
--- a/systems/aarch64-linux/pi5/default.nix
+++ b/systems/aarch64-linux/pi5/default.nix
@@ -107,6 +107,14 @@ in
 # ###################################################
 services = {
+ attic = {
+ enable = true;
+ port = net.ports.pi5.attic;
+ listenAddress = "[::]";
+ environmentFile = "/run/secrets/pi5/attic-key";
+ configDir = "/mnt/attic-store";
+ };
+
 nebula = {
 enable = true;
 isLighthouse = true;
@@ -153,7 +161,10 @@ in
 firewall = {
 enable = true;
 allowPing = true;
- allowedTCPPorts = [ 53 ];
+ allowedTCPPorts = [
+ 53
+ net.ports.pi5.attic
+ ];
 allowedUDPPorts = [ 53 ];
 };
 networkmanager.profiles = {
@@ -169,6 +180,16 @@ in
 # # FileSystems # #
 # ###################################################
+ fileSystems."/mnt/attic-store" = {
+ device = "/dev/disk/by-uuid/E81DBFCC-066E-46A3-8018-AA3BF4573074";
+ fsType = "xfs";
+ options = [
+ "defaults"
+ "noatime"
+ "nofail"
+ ];
+ };
+
 boot.supportedFilesystems = [ "bcachefs" ];
 programs.seahorse.enable = false;
diff --git a/systems/aarch64-linux/pi5/sops.nix b/systems/aarch64-linux/pi5/sops.nix
index d04d442..a7bb29c 100755
--- a/systems/aarch64-linux/pi5/sops.nix
+++ b/systems/aarch64-linux/pi5/sops.nix
@@ -9,6 +9,16 @@ in
 # Secrets
 # ------------------------------
 secrets = {
+ # ------------------------------
+ # Attic
+ # ------------------------------
+ "pi5/attic-key" = {
+ sopsFile = defaultSops;
+ mode = "0400";
+ owner = "atticd";
+ restartUnits = [ "atticd.service" ];
+ };
+
 # ------------------------------
 # SSH keys
 # ------------------------------
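Review bot: The attic service is given `configDir = "/mnt/attic-store"`, but the `fileSystems."/mnt/attic-store"` entry added later in this same file carries `nofail`, so when the disk is absent or slow to appear the unit is not held back and will most likely create its store in the empty mount-point directory on the root filesystem. Tie the unit to the mount explicitly, e.g. `systemd.services.atticd.unitConfig.RequiresMountsFor = [ "/mnt/attic-store" ];` beside the service definition (`atticd.service` is the unit name the sops hunk already restarts). The literal `environmentFile = "/run/secrets/pi5/attic-key"` duplicates the sops-nix default location of the secret declared in sops.nix; assuming `config` is among this module's arguments, `environmentFile = config.sops.secrets."pi5/attic-key".path;` keeps the two from drifting apart. The enclosing `services` attribute set continues past the hunk.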
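Review bot: Adding `net.ports.pi5.attic` to the global `allowedTCPPorts` list, combined with the `listenAddress = "[::]"` set on the service in the previous hunk, exposes the binary cache on every interface of the host rather than only on the overlay this machine serves as a nebula lighthouse for. If the cache is meant to be consumed over nebula only, the rule can be scoped with `networking.firewall.interfaces.<nebula-iface>.allowedTCPPorts = [ net.ports.pi5.attic ];` (interface name to be filled in from the nebula configuration) while the existing `53` entry stays where it is. Whichever is intended, a short comment on the new list entry stating which clients are expected to reach the port would save the next reader from guessing. The enclosing `firewall` block is complete within the hunk, but the surrounding `networking` set is not.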