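# Node definition for 'sophie.vmhost': VM host, NAS (ZFS + NFS), MQTT broker
# and WireGuard endpoint on the 172.19.164.0/24 network.
#
# `nodes` and `vault` are not defined in this file; they are expected to be
# provided by whatever loads it. Every credential below is passed through
# vault.decrypt() as an encrypted token, so no plaintext secret is stored here.
#
# Layout note: the one-statement-per-line structure is restored so that the
# inline `#` comments no longer swallow the rest of the dictionary.
nodes['sophie.vmhost'] = {
    'hostname': '172.19.164.2',
    'bundles': {
        'backup-client',
        'hetzner-dyndns',
        'lm-sensors',
        'mosquitto',
        'nfs-server',
        'smartd',
        'vmhost',
        'wireguard',
        'zfs',
    },
    'groups': {
        'debian-bookworm',
    },
    'metadata': {
        'apt': {
            'packages': {
                'irqbalance': {},
            },
        },
        'groups': {
            'nas': {},
        },
        'hetzner-dyndns': {
            'zone': 'sophies-kitchen.eu',
            'record': 'router.home',
            'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
        },
        'interfaces': {
            'br1': {
                'ips': {
                    '172.19.164.2/24',
                },
                'gateway4': '172.19.164.1',
                'ipv6_accept_ra': True,
            },
        },
        'mosquitto': {
            'bridges': {
                'c3voc': {
                    'peer': 'mqtt.c3voc.de',
                    'client_id': 'sophie-vm-host',
                    'auth': {
                        'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
                        'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
                    },
                    # The '#' wildcard bridges every topic between the remote
                    # '/voc/' prefix and the local 'voc' prefix.
                    # NOTE(review): no bridge direction is set here; confirm
                    # the bundle default does not publish local topics to the
                    # remote broker.
                    'topics': [
                        {
                            'pattern': '#',
                            'remote_prefix': '/voc/',
                            'local_prefix': 'voc',
                        },
                    ],
                },
            },
            # NOTE(review): neither TLS nor authentication for the websockets
            # listener is configured in this file; confirm what the bundle
            # applies by default.
            'listeners': {
                '8083': {
                    'protocol': 'websockets',
                },
            },
            'tasmota-telegraf-topic': '/switch/#',
            # Presumably limits broker access to the LAN prefix; how the
            # bundle enforces it is not visible here. Confirm it also covers
            # the websockets listener on 8083.
            'restrict-to': {
                '172.19.164.0/24',
            },
        },
        'nfs-server': {
            'version': 4,
            'shares': {
                '/srv/nas': {
                    # Read-only export to the LAN; all_squash maps every
                    # client uid/gid to 65534, so client-side root gets no
                    # special access.
                    '172.19.164.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
            },
        },
        'nftables': {
            # Only accept rules are listed; the chain's default policy is not
            # defined in this file. Confirm it drops, because IP forwarding is
            # enabled for IPv4 and IPv6 in 'sysctl' below and 'oifname br1
            # accept' admits traffic from any input interface towards br1.
            'forward': {
                '50-router': [
                    'ct state { related, established } accept',
                    'oifname br1 accept',
                ],
            },
            'input': {
                # 10348 and 10349 match the 'my_port' values of the two
                # WireGuard peers below.
                # NOTE(review): udp/1194 matches no peer defined in this file;
                # confirm it is still required (it may belong to a peer that
                # is generated from another node) and close it otherwise.
                '50-wireguard': [
                    'udp dport 1194 accept',
                    'udp dport 10348 accept',
                    'udp dport 10349 accept',
                ],
            },
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',

                # nas disks
                '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ',
                '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP',
            },
        },
        'sysctl': {
            'options': {
                'net.ipv4.conf.all.forwarding': '1',
                'net.ipv6.conf.all.forwarding': '1',
            },
        },
        'systemd-networkd': {
            'bridges': {
                'br0': {
                    'match': {
                        'enp1s0',
                    },
                },
                'br1': {
                    'match': {
                        'br0.1',
                    },
                },
            },
        },
        'systemd-timers': {
            'timers': {
                # Ensure every user is able to read and write to the NAS dataset.
                #
                # Runs nightly over a tree that members of group 'nas' can
                # write to. find's -type d / -type f tests match only real
                # directories and regular files, so symlinks placed in the
                # share are not chmod'ed through. Files end up 0664, i.e.
                # world-readable.
                # NOTE(review): the user these commands run as is not set
                # here; confirm the bundle default.
                'nas_permissions': {
                    'command': [
                        'chown -R :nas /srv/nas/',
                        r'find /srv/nas/ -type d -exec chmod 0775 {} \;',
                        r'find /srv/nas/ -type f -exec chmod 0664 {} \;',
                    ],
                    'when': '*-*-* 02:00:00',
                },
            },
        },
        'users': {
            'sophie': {
                'groups': {
                    'nas',
                },
            },
        },
        'wireguard': {
            'snat_ip': '172.19.137.2',
            'peers': {
                # NOTE(review): the 'psk' token of 'thinkpad' is byte-identical
                # to the one of 'smartphone', so both peers decrypt to the
                # same preshared key. Issue a distinct PSK per peer so that
                # losing one device does not force rotating the other.
                'thinkpad': {
                    'endpoint': None,
                    'exclude_from_monitoring': True,
                    'my_ip': '172.19.165.64',
                    'my_port': 10348,
                    'their_ip': '172.19.165.65',
                    'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
                    'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
                },
                'smartphone': {
                    'endpoint': None,
                    'exclude_from_monitoring': True,
                    'my_ip': '172.19.165.66',
                    'my_port': 10349,
                    'their_ip': '172.19.165.67',
                    'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
                    'pubkey': vault.decrypt('encrypt$gAAAAABoAWD96YcEFsLzfOCzjS_4Hg7xX516OZ5RD_qFPSEZliaYSRMhY3uyNDtQ--e0dzEwdFHK_xGT3F7jQzYAvftH4iFtk9y3n3FNFVPxqsWckX4cJIX7ZZszbQCq8sfZZXGUR0C9'),
                },
            },
        },
        'zfs': {
            'pools': {
                # Single-device pool: no redundancy at the ZFS level.
                'storage': {
                    'when_creating': {
                        'config': [{
                            'devices': {
                                '/dev/disk/by-id/nvme-SAMSUNG_MZVLB256HAHQ-000L7_S41GNX0M481966-part3',
                            },
                        }],
                    },
                },
                # Two-disk mirror; the same two disks are monitored by smartd
                # above.
                'nas': {
                    'when_creating': {
                        'config': [{
                            'type': 'mirror',
                            'devices': {
                                '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ',
                                '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP',
                            },
                        }],
                    },
                },
            },
            'datasets': {
                'storage/libvirt': {
                    'mountpoint': '/var/lib/libvirt',
                },
                'nas': {
                    'mountpoint': '/srv/nas',
                },
            },
        },
    },
}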