# NAS Server (jallen-nas)

`systems/x86_64-linux/jallen-nas/`

## Hardware

- **CPU**: AMD (x86_64)
- **GPU**: AMD (LACT for fan/power control)
- **Disk**: NVMe system drive + bcachefs NAS pool
- **Security**: TPM2 (Clevis disk unlock), Lanzaboote (Secure Boot)

## Key Features

- bcachefs storage pool mounted at `/media/nas/main`
- Clevis-based TPM disk unlock at boot (no passphrase required)
- Impermanence — root is ephemeral; state persists to `/media/nas/main/persist`
- Samba shares (Windows file sharing, Time Machine)
- Nebula VPN node (overlay peer, lighthouse at pi5)
- ~40 self-hosted services behind a Caddy reverse proxy
- Authentik SSO protecting most web UIs
- CrowdSec for intrusion detection
- Restic backups

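The TPM2/Clevis unlock and Lanzaboote features above interact: a sealed key that is "no passphrase required" is only as strong as the TPM policy it is sealed under. The following is an added illustrative NixOS fragment, not this repository's `boot.nix`; the device name `cryptroot`, the UUID placeholder, the JWE path and the `pkiBundle` path are assumptions.

```nix
{ config, lib, ... }:
{
  # Secure Boot via Lanzaboote. The TPM policy below is only meaningful
  # if this boot chain stays intact, since PCR 7 records the Secure Boot
  # state (SecureBoot flag, PK/KEK/db/dbx, and the certificates used to
  # verify what was executed).
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote.enable = true;
  boot.lanzaboote.pkiBundle = "/var/lib/sbctl";   # assumed key location

  # Clevis unlock in stage 1. The JWE is generated once on the host with
  # the real TPM, for example (assumed command, run out of band):
  #   clevis encrypt tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}' \
  #     < /path/to/keyfile > cryptroot.jwe
  # Without "pcr_ids" the tpm2 pin binds only to the TPM itself, so anyone
  # who can boot the machine gets the key released; binding to PCR 7 makes
  # unsealing fail if Secure Boot is disabled or the signed chain changes.
  boot.initrd.clevis.enable = true;
  boot.initrd.clevis.devices."cryptroot".secretFile = ./cryptroot.jwe;

  # Keep a passphrase keyslot as well: a firmware update that changes
  # db/dbx, or re-enrolling Secure Boot keys, will invalidate the PCR 7
  # policy and the sealed key will no longer unlock the volume.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/<uuid-placeholder>";
}
```

After any change to the Secure Boot keys or bootloader, re-run the `clevis encrypt` step and rebuild, otherwise the next boot falls back to the passphrase prompt.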
## Network

- **LAN IP**: 10.0.1.3 (static, `enp197s0`)
- **Gateway**: 10.0.1.1
- **Nebula**: overlay peer, lighthouse at `mjallen.dev:4242`

## Storage

| Mount | Filesystem | Description |
|---|---|---|
| `/media/nas/main` | bcachefs | Primary NAS pool (media, appdata, documents) |
| `/media/nas/test` | bcachefs | Secondary test pool |

### Samba Shares

| Share | Time Machine |
|---|---|
| `3d_printer` | no |
| `Backup` | no |
| `Documents` | no |
| `isos` | no |
| `app_data` | no |
| `TimeMachine` | yes (max 1 TB) |

## Enabled Services

| Service | Port | Notes |
|---|---|---|
| Caddy | 443/80 | Reverse proxy for all services |
| Authentik | 9000 | SSO / identity provider |
| Attic | 9012 | Nix binary cache (`cache.mjallen.dev`) |
| Immich | 2283 | Photo management |
| Jellyfin | 8096 | Media server |
| Seerr | 5055 | Media request manager |
| Nextcloud | 9988 | Cloud storage |
| Paperless | 28981 | Document management |
| Paperless AI | 28982 | AI-assisted document tagging |
| Gitea | 3000 | Self-hosted Git |
| Matrix | 8448 | Matrix homeserver |
| Ntfy | 2586 | Push notifications |
| Glance | 5555 | Dashboard |
| Uptime Kuma | 3001 | Uptime monitoring |
| Code Server | 4444 | VS Code in the browser |
| Cockpit | 9090 | System management UI |
| Collabora | 9980 | Online office suite |
| CrowdSec | 8181 | Intrusion detection |
| Glances | 61208 | System stats |
| Coturn | 3478 | TURN/STUN server |
| Nebula | 4242 | Overlay VPN node |
| Restic | 8008 | Backup service |
| Sunshine | 47989 | Remote desktop (Moonlight) |
| Unmanic | 8265 | Media transcoding |
| Lubelogger | 6754 | Vehicle maintenance log |
| Manyfold | 3214 | 3D model library |
| Booklore | 6066 | Book library |
| Tunarr | 8000 | Virtual TV channels |
| Termix | 7777 | Web terminal |
| Sparky Fitness | 3004/3010 | Fitness tracking |
| Protonmail Bridge | 1025/1143 | SMTP/IMAP bridge |
| Arrs | various | Sonarr, Radarr, etc. |
| AI | various | Ollama, etc. |
| Wyoming | various | Voice assistant pipeline |

## Configuration Files

| File | Purpose |
|---|---|
| `default.nix` | Main config — network, hardware, filesystems, packages |
| `apps.nix` | All service enable/disable declarations |
| `nas-defaults.nix` | Sets `configDir`/`dataDir` defaults for all services |
| `boot.nix` | Lanzaboote, kernel, initrd |
| `services.nix` | Home Assistant, Samba, and other platform services |
| `users.nix` | User accounts (`admin`, `nix-apps`) |
| `sops.nix` | Secret declarations |
| `vpn.nix` | Nebula VPN configuration |
| `disabled.nix` | Services explicitly disabled |

## Secrets

Secrets are in `secrets/nas-secrets.yaml`, encrypted for the recipients `matt`, `desktop`, `admin`, and `jallen-nas`.