bundlewrap/nodes/home/nas.py

# Dell Local Node Manager running on <http://172.19.138.20:4679/>
# Node definition for the home NAS. Everything below is plain bundlewrap
# metadata; secrets are never written here in clear but are resolved at
# apply time via bwpass (password store) and vault.decrypt (repo vault).
nodes['home.nas'] = {
    'hostname': '172.19.138.20',
    'bundles': {
        'avahi-daemon',
        'backup-client',
        'dm-crypt',
        'jellyfin',
        'lm-sensors',
        'mixcloud-downloader',
        'mosquitto',
        'nfs-server',
        'rsyslogd',
        'samba',
        'smartd',
        'vmhost',
        'zfs',
    },
    'groups': {
        'debian-bullseye',
        'webserver',
    },
    'metadata': {
        # Only br1138 carries an address; br1139 (see systemd-networkd below)
        # is defined as a bridge but gets no IP here.
        'interfaces': {
            'br1138': {
                'ips': {
                    '172.19.138.20/24',
                },
                'gateway4': '172.19.138.1',
                'ipv6_accept_ra': True,
            },
        },
        'apt': {
            'unattended-upgrades': {
                'day': 6,
                # requires manual decryption of zfs after reboot
                'reboot_enabled': False,
            },
            'packages': {
                'mpv': {},
                # for hardware transcoding of video
                'firmware-amd-graphics': {},
                'mesa-va-drivers': {},
                # for compiling yate
                'autoconf': {},
                'subversion': {},
                # svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ .
                # ./autogen.sh
                # ./configure --prefix=/opt/yate
                # make -j8
                # systemctl stop yate
                # make install-noconf
                # systemctl start yate
            },
        },
        # Subdirectories of the encrypted/nas dataset (mounted at
        # /storage/nas, see zfs below) that are picked up by backup-client.
        'backups': {
            'paths': {
                '/storage/nas/Audiobooks',
                '/storage/nas/Bilder',
                '/storage/nas/Bilder_Archiv',
                '/storage/nas/Books',
                '/storage/nas/Installer',
                '/storage/nas/Musik',
                '/storage/nas/Musikvideos',
                '/storage/nas/normen',
            },
        },
        # LUKS-style mappings for the three Samsung SSDs backing the
        # 'encrypted' zpool. The by-id paths, dm-names and the
        # 'action:dm-crypt_open_sam-*' dependencies further down must all
        # stay in sync when a disk is replaced. Passphrases are looked up
        # through bwpass at apply time and never land in this file.
        'dm-crypt': {
            'encrypted-devices': {
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
                    'dm-name': 'sam-S5SSNJ0X409404K',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'),
                },
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': {
                    'dm-name': 'sam-S5SSNJ0X409845F',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'),
                },
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': {
                    'dm-name': 'sam-S5SSNJ0X409870J',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'),
                },
            },
        },
        # Group shared by the NAS data: used as samba force_group, as the
        # target of the nightly chown in the nas_permissions timer, and
        # granted to user kunsi below.
        'groups': {
            'nas': {},
        },
        'firewall': {
            'port_rules': {
                '4679/tcp': { # Dell ULNM
                    '172.19.136.0/25',
                    '172.19.138.0/24',
                },
                '5060/tcp': { # yate SIP
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
                '5061/tcp': { # yate SIPS
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
                # yate RTP uses some random UDP port. We cannot firewall
                # it, because for incoming calls the other side decides
                # which port to use. That's why we simply allow all UDP
                # traffic from our SIP clients. It's fine to do so, because
                # all sip clients are known to bundlewrap, so we won't have
                # to deal with randomly changing IPs here.
                # (Scope is deliberately limited to the two SIP phones, not
                # to a whole subnet.)
                '*/udp': {
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
            },
        },
        'mixcloud-downloader': {
            'netrc': {
                'soundcloud': {
                    'username': 'oauth',
                    # OAuth token resolved from the password store, not stored here.
                    'password': bwpass.attr('soundcloud.com/hi@kunsmann.eu', 'oauth_token'),
                },
            },
        },
        'mosquitto': {
            'bridges': {
                'c3voc': {
                    'peer': 'mqtt.c3voc.de',
                    'client_id': 'kunsi-home',
                    # Bridge credentials are kept vault-encrypted in the repo.
                    'auth': {
                        'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
                        'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
                    },
                    'topics': [
                        {
                            'pattern': '#',
                            'remote_prefix': '/voc/',
                            'local_prefix': 'voc'
                        },
                    ],
                },
            },
            'listeners': {
                '8083': {
                    'protocol': 'websockets',
                },
            },
            'tasmota-telegraf-topic': '/switch/#',
            # Broker access is limited to the two local subnets.
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
        },
        # NFS exports. The main NAS dataset is exported read-only and
        # root-squashed to the whole /24; the rw exports are limited to a
        # single named node each.
        'nfs-server': {
            'shares': {
                '/storage/download': {
                    'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check',
                },
                '/storage/nas': {
                    '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
                '/srv/paperless': {
                    'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
            },
        },
        'nginx': {
            'vhosts': {
                'jellyfin': {
                    'domain': 'jellyfin.home.kunbox.net',
                    'ssl': '_.home.kunbox.net',
                },
            },
        },
        'rsyslogd': {
            'restrict-to': {
                'home',
            },
        },
        # SMB shares all live on the encrypted/nas dataset and are forced
        # into the 'nas' group; access is limited to the 172.19.138.0/24 net.
        'samba': {
            'shares': {
                'TV': {
                    'path': '/storage/nas/TV',
                    'force_group': 'nas',
                },
                'music': {
                    'path': '/storage/nas/Musik',
                    'force_group': 'nas',
                },
                'music_videos': {
                    'path': '/storage/nas/Musikvideos',
                    'force_group': 'nas',
                },
            },
            'restrict-to': {
                '172.19.138.0/24',
            },
            'timemachine-shares': {
                #'apfelcomputer', # hostname TBD
            },
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
                # old nas disks (the 'tank' raidz2 members below)
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R',
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
                '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
                # encrypted disks (same by-id paths as in dm-crypt above; SMART
                # is read from the raw device, not the dm mapping)
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K',
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F',
                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J',
            },
        },
        # br0 sits on the physical NIC; the VLAN bridges br1138/br1139 are
        # built on top of br0's tagged sub-interfaces.
        'systemd-networkd': {
            'bridges': {
                'br0': {
                    'match': {
                        'eno1',
                    },
                },
                'br1138': {
                    'match': {
                        'br0.1138',
                    },
                },
                'br1139': {
                    'match': {
                        'br0.1139',
                    },
                },
            },
        },
        'systemd-timers': {
            'timers': {
                # Ensure every user is able to read and write to the NAS dataset.
                # Runs nightly at 02:00 and walks the whole of /storage/nas:
                # group is forced to 'nas', directories become 0775 and files
                # 0664 (so both are also world-readable, which matches the
                # read-only NFS export of the same tree above).
                'nas_permissions': {
                    'command': [
                        'chown -R :nas /storage/nas/',
                        r'find /storage/nas/ -type d -exec chmod 0775 {} \;',
                        r'find /storage/nas/ -type f -exec chmod 0664 {} \;',
                    ],
                    'when': '*-*-* 02:00:00',
                },
            },
        },
        'openssh': {
            'enable_x_forwarding_for_admins': True,
        },
        'users': {
            'inbox': {
                # Intended as a restricted rsync-only drop key (rrsync, no pty
                # or forwarding); currently no key is deployed.
                'ssh_pubkey': {
                    #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ',
                },
            },
            'kunsi': {
                'groups': {
                    'nas',
                },
            },
        },
        'zfs': {
            'module_options': {
                'zfs_arc_max_gb': 8,
            },
            'pools': {
                # 'tank': raidz2 over the six WD disks that smartd monitors above.
                'tank': {
                    'when_creating': {
                        'config': [
                            {
                                'type': 'raidz2',
                                'devices': {
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
                                },
                            },
                        ],
                        'ashift': 12,
                    },
                },
                # 'encrypted': raidz over the dm-crypt mappings, so the pool
                # can only be created or imported after the three
                # dm-crypt_open actions have run (hence the 'needs' entries;
                # dm-names must match the 'dm-crypt' section above).
                'encrypted': {
                    'when_creating': {
                        'config': [
                            {
                                'type': 'raidz',
                                'devices': {
                                    '/dev/mapper/sam-S5SSNJ0X409404K',
                                    '/dev/mapper/sam-S5SSNJ0X409845F',
                                    '/dev/mapper/sam-S5SSNJ0X409870J',
                                },
                            },
                        ],
                        'ashift': 12,
                    },
                    'needs': {
                        'action:dm-crypt_open_sam-S5SSNJ0X409404K',
                        'action:dm-crypt_open_sam-S5SSNJ0X409845F',
                        'action:dm-crypt_open_sam-S5SSNJ0X409870J',
                    },
                    # see comment in bundle:backup-server
                    'unless': 'zpool import encrypted',
                },
            },
            'datasets': {
                'encrypted': {
                    'primarycache': 'metadata',
                },
                # The dataset behind /storage/nas: NFS/SMB shares, backups and
                # the nas_permissions timer all point here.
                'encrypted/nas': {
                    'acltype': 'off',
                    'atime': 'off',
                    'compression': 'off',
                    'mountpoint': '/storage/nas',
                },
                'tank': {
                    'primarycache': 'metadata',
                },
                'tank/opt-yate': {
                    'mountpoint': '/opt/yate',
                },
                'tank/download': {
                    'mountpoint': '/storage/download',
                },
                'tank/paperless': {
                    'mountpoint': '/srv/paperless',
                },
            },
            'snapshots': {
                'retain_per_dataset': {
                    'encrypted/nas': {
                        # juuuuuuuust to be sure.
                        'daily': 14,
                        'weekly': 6,
                        'monthly': 12,
                    },
                    # Scratch download area: only short-lived hourly snapshots.
                    'tank/download': {
                        'hourly': 48,
                        'daily': 0,
                        'weekly': 0,
                        'monthly': 0,
                    },
                    'tank/paperless': {
                        'daily': 14,
                        'weekly': 6,
                        'monthly': 24,
                    },
                },
            },
        },
        # NOTE(review): this node carries the 'vmhost' bundle, so it is not
        # obvious from this file what 'vm' sizes here — confirm against the
        # bundle that consumes it.
        'vm': {
            'cpu': 8,
            'ram': 32,
        },
    },
}