diff --git a/lib/module/default.nix b/lib/module/default.nix index d4d9a9d..3dfb596 100644 --- a/lib/module/default.nix +++ b/lib/module/default.nix @@ -70,6 +70,9 @@ rec { systemd.services.${serviceName} = { requires = [ "media-nas-main.mount" ]; + after = lib.mkForce [ + "media-nas-main.mount" + ]; }; services = { diff --git a/modules/nixos/boot/common/default.nix b/modules/nixos/boot/common/default.nix index 87be05f..46ceaa2 100644 --- a/modules/nixos/boot/common/default.nix +++ b/modules/nixos/boot/common/default.nix @@ -25,6 +25,7 @@ in boot = { kernelModules = [ "kvm" ]; + kernelParams = lib.mkDefault [ "quiet" "splash" "udev.log_level=3" ]; binfmt = lib.mkIf isArm { registrations."x86_64-linux" = { @@ -38,37 +39,20 @@ in }; }; - supportedFilesystems = [ "bcachefs" ]; + supportedFilesystems = lib.mkDefault [ "bcachefs" ]; - consoleLogLevel = lib.mkForce 3; + consoleLogLevel = lib.mkDefault 0; bootspec.enable = (!isArm); initrd = { - # secrets = { - # "/etc/clevis/nuc-nixos.jwe" = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe"); - # }; - - # systemd.services."unlock-disk" = { - # enable = false; - # path = [ - # pkgs.clevis - # pkgs.bcachefs-tools - # ]; - # script = '' - # ${pkgs.clevis}/bin/clevis decrypt < "/etc/clevis/nuc-nixos.jwe" - # # | ${pkgs.bcachefs-tools}/bin/bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root - # ''; - # wantedBy = [ "initrd-root-fs.target" ]; - # requiredBy = [ "initrd-root-fs.target" ]; - # serviceConfig = { - # Type = "oneshot"; - # TimeoutSec = "10s"; - # }; - # }; - - # clevis = mkIf (config.${namespace}.hardware.disko.filesystem == "bcachefs"){ - # enable = true; - # }; + verbose = lib.mkDefault false; + availableKernelModules = [ "bcachefs" ]; + kernelModules = { + bcachefs = true; + }; + systemd.storePaths = with pkgs; [ + bcachefs-tools + ]; luks = mkIf cfg.yubikeyEncryption { devices = { 
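Review bot: `lib.mkForce` on `after` in the `systemd.services.${serviceName}` block discards every other `after` ordering defined for the unit, so any ordering the service's own module sets would be dropped silently. List options merge, so a plain `after = [ "media-nas-main.mount" ];` adds the mount ordering without removing the rest. If an upstream ordering really has to be removed, a comment naming it would make the force auditable. The enclosing attribute set starts and ends outside the hunk.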
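Review bot: `kernelParams = lib.mkDefault [ "quiet" "splash" "udev.log_level=3" ];` is likely to have no effect. The module system keeps only the highest-priority definitions of an option, and nixpkgs itself appears to define `boot.kernelParams` at normal priority (the `loglevel=` entry derived from `consoleLogLevel`), which would discard the whole mkDefault list. The same concern applies to `supportedFilesystems = lib.mkDefault [ "bcachefs" ]` in the next hunk of this file, since `fileSystems` entries also contribute to that option. If the parameters are meant to apply, define them without `mkDefault` and have the safe-mode specialisation override them with `lib.mkForce`. Checking the evaluated `config.boot.kernelParams` for one host would confirm which case holds.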
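Review bot: The new `initrd` entries (`availableKernelModules`, `kernelModules`, and `systemd.storePaths` with `bcachefs-tools`) are unconditional in this shared boot module, so every host importing it carries the bcachefs module and tools in its early-boot image whether or not it has a bcachefs filesystem. The removed commented block keyed off `config.${namespace}.hardware.disko.filesystem == "bcachefs"`; wrapping the new entries in `mkIf` on that condition would keep other hosts' initrd minimal. Separately, `consoleLogLevel = lib.mkDefault 0` together with `verbose = lib.mkDefault false` hides unlock and mount errors on the default boot entry, so a comment pointing at the safe-mode specialisation would help whoever has to investigate a failed unlock. The `initrd` block continues past the end of the hunk.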
diff --git a/modules/nixos/services/arrs/default.nix b/modules/nixos/services/arrs/default.nix index cb3fa7c..39172d4 100644 --- a/modules/nixos/services/arrs/default.nix +++ b/modules/nixos/services/arrs/default.nix @@ -37,6 +37,8 @@ let templates = { "sabnzbd.ini" = { mode = "660"; + owner = "nix-apps"; + group = "jallen-nas"; restartUnits = [ "sabnzbd.service" ]; content = '' misc.password=${config.sops.placeholder."jallen-nas/sabnzbd/password"} diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix index 84368e8..8ef87ce 100644 --- a/modules/nixos/sops/default.nix +++ b/modules/nixos/sops/default.nix @@ -42,6 +42,10 @@ in group = config.users.users."${user}".group; }; + "disk-key" = { + mode = "0600"; + }; + # ------------------------------ # SSH keys # ------------------------------ diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 762ca05..58c0663 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
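Review bot: With `group = "jallen-nas"` added, the existing `mode = "660"` now gives every member of that group read and write access to a rendered file that holds `misc.password`. If only the service account needs the file, `mode = "0600"` is the tighter setting, or `"0640"` when group members must be able to read it; group write lets any member change the credentials the service trusts. The template's `content` continues outside the hunk, so any other secrets in it are not visible here.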
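Review bot: `"disk-key"` is declared in what looks like the shared sops module, but the only references on this page are the commented-out `config.sops.secrets."disk-key".path` on the clevis lines in `systems/x86_64-linux/jallen-nas/default.nix`. As written, the key would presumably be decrypted on every host that imports this module and is able to decrypt `secrets/secrets.yaml`, with nothing consuming it. Declaring it in the jallen-nas system configuration, or behind a `lib.mkIf` for the hosts that use it, keeps the disk key off machines that never unlock that pool. A one-line comment saying which device the key unlocks would also help.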
@@ -1,7 +1,9 @@ #ENC[AES256_GCM,data:HkOno2ohMSLs46g=,iv:7KHzoElBP/GMIVubcIBya42SoFKVyt/+YRIxkgRE3Cw=,tag:U87dYHrKu/qqbLf5r7XEiA==,type:comment] wifi: ENC[AES256_GCM,data:Rs+4Km4DogO7XatA,iv:JUv9HkNWsv/l4Fli5sFeUeYuWG1Yju95G59FJ/Q5W50=,tag:gRFCG4d5OBMRx1QayRV8Zg==,type:str] matt_password: ENC[AES256_GCM,data:/8utn5xMoWIxXitfg2kFZCQwbqqn6rH7Pt5KYeTyGintjg5jF8T9eqdqrBGlqMdKh/YjUTwZZg4/PkNG9/gqk86pjaUtg+8C6w==,iv:BDbThvyXmzB9eKfuK0V2eR8p20g7rOOTOA3AYNCM6TI=,tag:KvIKOLFW9NMmQy97QWRfQA==,type:str] +admin_password: ENC[AES256_GCM,data:aGyn1Tm+2ld3BqXN3U1RQkew13Ln0Y3+xYiIUjErmq8Y/AkR65bhEHpVKx6lT2AZNG7bTPM0QTGd5vloD4QdrtAMv5eye6GFHg==,iv:EYLqDoqK/4tzdg+YTywpeCg0kullQEyD6mKTJMTXYB4=,tag:GJnZqZj2Lnx4YoQ+ApUBBw==,type:str] github-token: ENC[AES256_GCM,data:FAuwS/j5kd/NvOVdwa+ROWgMZCjyOjDbIMoU11KkaUOVhnztZyLGCA==,iv:+EvAvf7cUpljLHaxVkBRloZsAYcKjceJHinUU47PCRI=,tag:p0irO6vnt5nr4sZIq9B8gA==,type:str] +disk-key: ENC[AES256_GCM,data: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,iv:Y2rQMzIP4iA4YTRReMhIaG6aKTnlQjBl/eVdxg9gipM=,tag:m9KlqWLIxQ5065DBB8u0rw==,type:str] age-keys-private: matt-desktop-nix: ENC[AES256_GCM,data:7/UO2Oq096iJHSpwA2cflRoiPWrKFJA2RhcuH0bJKM/MO15GbW1VktPZieEVrj+3KTYnhrWr5mEHx+uekhyL2W98SO0JkIJ/c24=,iv:w9lt2rQzkys2HSR8ls4RKJlkNsAb61a+6eB/joKDEtQ=,tag:OYkFVP9HGHumE/3PUP64PA==,type:str] admin-jallen-nas: ENC[AES256_GCM,data:lKXCpyB0+wViUYsJgxxe7a4dD24a80xe1XEfvVLoazEb/qmoUClhXU4FI1o8ATvpND4XG/vlq8IsZ3V3Yr2FQSOQTrUxs+Yz1po=,iv:Po0jpfoHNMu4s6EePwD20Kc0HQhnY+YKnwovkqCzviI=,tag:0YHI6cNWV21OH2gMOX/Gmw==,type:str] 
@@ -182,8 +184,8 @@ sops: ZjkrUTNlbE1xTmkxVU5MbGdrYkNaNzgKrwOW1hTCSDU8Lp/zwbWBH8GoMnvCgOiQ 9nf/MXoKp+CYUHcocBQ2+0R7MF8DABSEss+QG1QH4a7NlNzPjQmg7g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-12T02:59:49Z" - mac: ENC[AES256_GCM,data:hOHsyujX+EHCzHM4vyAoYMohCeH1T/riacfUxV5hkMz4FQdCUG+gfHq1Ym9Z0xwSMCrtr9Oz3vmO6kZTAXa4abXLxS4VmShP+N2TIxD8aX4Z4kC99odfxHalQAxEt32RoEM5DGq5gvIOz/Eyb/av0RZ+iEs5dVQ/8Juo4Gs4mK4=,iv:GqrZitl/sK6TxRzf9smH3AbEhvGIU6dbdlk7+sMZh8M=,tag:zdsXCYGLOf8yyPc1XrpkJg==,type:str] + lastmodified: "2026-02-02T15:37:01Z" + mac: ENC[AES256_GCM,data:GL0s9MHOEBV7a/l6XlaSKU5g/urU4NrqC4SGZ9anClF0SsKTUS18swrJWSu9tnPVQCiBLOD9wiHHV6MLwrlVZIVKz52T2HcvNSK4dgJ+l3yXL8mnrkditJqWC6AHMm0+93rcjqV0SMda+5mTDDivYmgxQcYdSbWyA0DPi9FvYY0=,iv:GLb5E6Cq01O74sJSOTKZuNxRlHFKwqN47zBkh6bD8Fs=,tag:g3oyWOSdo2RwMo+JtND/vQ==,type:str] pgp: - created_at: "2026-01-27T18:43:55Z" enc: |- diff --git a/systems/x86_64-linux/jallen-nas/boot.nix b/systems/x86_64-linux/jallen-nas/boot.nix index c65c2be..ea22b89 100755 --- a/systems/x86_64-linux/jallen-nas/boot.nix +++ b/systems/x86_64-linux/jallen-nas/boot.nix @@ -13,7 +13,6 @@ in boot = { # Override kernel to latest kernelPackages = kernel; - plymouth.enable = lib.mkForce false; initrd = { supportedFilesystems = [ "bcachefs" ]; @@ -28,6 +27,4 @@ in # Enable binfmt emulation for ARM binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux }; - - # environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path; } diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index 7ded524..404d6c3 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -191,7 +191,7 @@ in # ################################################### samba = { - enable = true; + enable = false; hostsAllow = "10.0.1."; enableTimeMachine = true; timeMachinePath = "/media/nas/main/timemachine"; 
@@ -269,96 +269,43 @@ in # ################################################### # # Mounts # # # ################################################### - # fileSystems."/media/nas/main" = { - # label = "nas_pool"; - # # device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1"; - # fsType = "bcachefs"; - # mountPoint = "/media/nas/main"; - # options = [ - # # "noauto" - # "nofail" - # # "x-systemd.mount-timeout=0" - # # "x-systemd.device-timeout=0" - # ]; - # }; + fileSystems = { "/media/nas/main" = { - device = "UUID=adf7b4e1-dfed-4c10-a9ab-2741c1055552"; + device = "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc"; fsType = "bcachefs"; + neededForBoot = true; + options = [ + "nofail" + ]; }; - # "/media/nas/test" = { - # device = "UUID=621706d6-e3a8-48d6-9560-58b01129a846"; - # fsType = "bcachefs"; - # }; - }; - fileSystems."/etc".neededForBoot = true; - environment.etc = { - "crypttab".text = '' - hdd1-cryptroot UUID="295d4c78-41f0-4792-bd97-ac88b2455cdc" none tpm2-device=auto - hdd2-cryptroot UUID="7c9c2179-351c-40a5-9257-e9ee2a1e794a" none tpm2-device=auto - ssd1-cryptroot UUID="d78fa862-212c-4d4f-ad86-bfeead5cc054" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ssd2-cryptroot UUID="1661c173-3809-4517-9ab8-ad94c229048d" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ssd3-cryptroot UUID="cfea125e-90b1-4248-834d-16dcaf310783" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ssd4-cryptroot UUID="96055401-6d1a-4308-9e4e-2211e1e23635" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ssd5-cryptroot UUID="055e27e0-c96a-4899-8ee7-cb1cd5f21476" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ssd6-cryptroot UUID="6e830abd-2555-4558-81a3-4a990507b5a7" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue - ''; + 
"/media/nas/test" = { + device = "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846"; + fsType = "bcachefs"; + neededForBoot = true; + options = [ + "nofail" + ]; + }; + + "/etc".neededForBoot = true; }; boot.initrd = { - luks.devices = { - # "621706d6-e3a8-48d6-9560-58b01129a846" = { - # device = "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846"; - # }; - hdd1-cryptroot = { - device = "/dev/disk/by-uuid/295d4c78-41f0-4792-bd97-ac88b2455cdc"; - }; - hdd2-cryptroot = { - device = "/dev/disk/by-uuid/7c9c2179-351c-40a5-9257-e9ee2a1e794a"; - }; - ssd1-cryptroot = { - device = "/dev/disk/by-uuid/d78fa862-212c-4d4f-ad86-bfeead5cc054"; - allowDiscards = true; - bypassWorkqueues = true; - }; - ssd2-cryptroot = { - device = "/dev/disk/by-uuid/1661c173-3809-4517-9ab8-ad94c229048d"; - allowDiscards = true; - bypassWorkqueues = true; - }; - ssd3-cryptroot = { - device = "/dev/disk/by-uuid/cfea125e-90b1-4248-834d-16dcaf310783"; - allowDiscards = true; - bypassWorkqueues = true; - }; - ssd4-cryptroot = { - device = "/dev/disk/by-uuid/96055401-6d1a-4308-9e4e-2211e1e23635"; - allowDiscards = true; - bypassWorkqueues = true; - }; - ssd5-cryptroot = { - device = "/dev/disk/by-uuid/055e27e0-c96a-4899-8ee7-cb1cd5f21476"; - allowDiscards = true; - bypassWorkqueues = true; - }; - ssd6-cryptroot = { - device = "/dev/disk/by-uuid/6e830abd-2555-4558-81a3-4a990507b5a7"; - allowDiscards = true; - bypassWorkqueues = true; - }; + supportedFilesystems = { + bcachefs = true; }; - # clevis = { - # enable = true; - # devices = { - # "621706d6-e3a8-48d6-9560-58b01129a846".secretFile = ../../../test.jwe; - # }; - # }; + clevis = { + enable = lib.mkForce true; + devices = { + "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846".secretFile = ../../../test.jwe; # config.sops.secrets."disk-key".path; + "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc".secretFile = ../../../test.jwe; # config.sops.secrets."disk-key".path; + }; + }; }; - # boot.initrd.luks.devices.cryptroot.device = 
"/dev/disk/by-partlabel/disk-main-jallen-nas-cryptroot"; - # Configure environment environment = { systemPackages = with pkgs; [ @@ -386,12 +333,7 @@ in persistence."/media/nas/main/persist" = { hideMounts = true; directories = [ - # { - # directory = "/var/lib/redis-ccache"; - # user = "redis-ccache"; - # group = "redis-ccache"; - # mode = "u=rwx,g=,o="; - # } + ]; }; }; diff --git a/systems/x86_64-linux/jallen-nas/disabled.nix b/systems/x86_64-linux/jallen-nas/disabled.nix index ec118be..c98cddd 100644 --- a/systems/x86_64-linux/jallen-nas/disabled.nix +++ b/systems/x86_64-linux/jallen-nas/disabled.nix @@ -12,6 +12,11 @@ in specialisation = { safe-mode = { configuration = { + boot = { + kernelParams = [ ]; + initrd.verbose = true; + consoleLogLevel = 3; + }; ${namespace} = { services = { actual = mkForce disabled; diff --git a/systems/test.jwe b/test.jwe similarity index 100% rename from systems/test.jwe rename to test.jwe
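Review bot: Both entries under `clevis.devices`, including the main pool `/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc`, set `secretFile = ../../../test.jwe`. One JWE committed to the repository therefore unlocks both filesystems, and the main pool's protection rests entirely on whatever pin that file is bound to, which the diff does not show. This hunk also removes the per-device `tpm2-device=auto` LUKS entries, so the new unlock policy deserves to be stated explicitly. A separate JWE per device and a comment naming the pin policy would make the unlock path reviewable, and the trailing `# config.sops.secrets."disk-key".path` comments should either replace the path or be removed. Note also that `options = [ "nofail" ]` on `/media/nas/main` lets boot continue without the pool while `persistence."/media/nas/main/persist"` still targets it.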