# Dell Local Node Manager running on nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { 'backup-client', 'lm-sensors', 'mosquitto', 'nfs-server', 'scansnap', 'smartd', 'vmhost', 'zfs', }, 'groups': { 'debian-bullseye', }, 'metadata': { 'interfaces': { 'br42': { 'ips': { '172.19.138.20/24', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, }, }, 'apt': { 'unattended-upgrades': { 'day': 6, # requires manual decryption of zfs after reboot 'reboot_enabled': False, }, 'packages': { 'mpv': {}, # for compiling yate 'autoconf': {}, 'subversion': {}, # svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ . # ./autogen.sh # ./configure --prefix=/opt/yate # make -j8 # systemctl stop yate # make install-noconf # systemctl start yate }, }, 'backups': { 'paths': { '/storage/nas/Audiobooks', '/storage/nas/Bilder', '/storage/nas/Bilder_Archiv', '/storage/nas/Books', '/storage/nas/Musik', '/storage/nas/Musikvideos', '/storage/nas/normen', }, }, #'backup-server': { # 'my_hostname': 'franzi-home.kunbox.net', # 'my_ssh_port': 2022, # 'zfs-base': 'storage/backups', #}, 'cron': { 'jobs': { # Ensure every user is able to read and write to the NAS dataset. 'nas_permissions': '0 3 * * * root ' 'chown -R :nas /storage/nas/ && ' 'find /storage/nas/ -type d -exec chmod 0775 {} \; && ' 'find /storage/nas/ -type f -exec chmod 0664 {} \;', 'nas_mixcloud': vault.decrypt('encrypt$gAAAAABgxFkM0Zd8SOhk8aK_zsUY5S39FvyxvEq9TVnAK-ryn9qjrpziqUgNyPXFQBSUHPCV5DX6CW6iSQFGO54truPoaymdHFwchWh3u6bOar_h8x3er3I=').format_into( '0 2 * * * kunsi ' 'cd /storage/nas/Musik/Compilations && ' 'wget --mirror --page-requisites --convert-links --domains {0} --execute robots=off https://{0}/'), }, }, 'groups': { 'nas': {}, }, 'firewall': { 'port_rules': { '4679': { # Dell ULNM '172.19.136.0/25', '172.19.138.0/24', }, '5060': { # yate SIP 'home.snom-wohnzimmer', 'home.bubble01', }, '5061': { # yate SIPS 'home.snom-wohnzimmer', 'home.bubble01', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides # which port to use. That's why we simply allow all UDP # traffic from our SIP clients. It's fine to do so, because # all sip clients are known to bundlewrap, so we won't have # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', 'home.bubble01', }, }, }, 'icinga_options': { # override group default 'also_affected_by': atomic(set()), }, 'mosquitto': { 'bridges': { 'c3voc': { 'peer': 'mqtt.c3voc.de', 'client_id': 'kunsi-home', 'auth': { 'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='), 'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='), }, 'topics': [ { 'pattern': '#', 'remote_prefix': '/voc/', 'local_prefix': 'voc' }, ], }, }, 'listeners': { '8083': { 'protocol': 'websockets', }, }, 'tasmota-telegraf-topic': '/switch/#', 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', }, }, 'nfs-server': { 'shares': { '/storage/download': { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, '/srv/scansnap': { '172.19.138.0/24': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, }, }, 'smartd': { 'disks': { '/dev/nvme0', # ZFS cache disks '/dev/disk/by-id/ata-TS64GSSD370_B807810503', '/dev/disk/by-id/ata-TS64GSSD370_B807810527', }, }, 'sysctl': { 'options': { # XXX find out if this is really needed 'net.ipv4.ip_forward': '1', }, }, 'systemd-networkd': { 'bonds': { 'bond0': { 'match': { 'enp8*', 'enp9*', }, }, }, 'bridges': { 'br0': { 'match': { 'bond0', }, }, 'br42': { 'match': { 'br0.42', }, }, }, }, 'openssh': { 'allowed_users': { 'kunsi-t470', # backup user }, 'enable_x_forwarding_for_admins': True, }, 'users': { 'f2k1de': { 'ssh_pubkey': { 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e', 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up', }, }, 'kunsi': { 'groups': { 'nas', }, }, 'sophie': { 'groups': { 'nas', }, }, 'qcn': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAwUA5t2cSy9YD+ilu5nklvokSRAoNOq/gUV73/KTsv lexi@aranea', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7cCmJ1+btuwpbGrGAuiK8R/hTMCK7CFK0aK2vPcSy+ lexi@kanaya', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLx+8d429D1KjaqOaGRFK09j6j3/FuU4xQMsrNLdflg lexi@toriel', }, }, }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 8, }, 'pools': { 'storage': { 'when_creating': { 'config': [ { 'type': 'raidz2', 'devices': { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJU4NR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, { 'type': 'log', 'devices': { '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1', '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1', }, }, { 'type': 'cache', 'devices': { '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2', '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2', }, }, ], 'ashift': 12, }, }, }, 'datasets': { 'storage/backups': {}, 'storage/opt-yate': { 'mountpoint': '/opt/yate', }, 'storage/f2k1de': { 'mountpoint': '/storage/f2k1de', }, 'storage/download': { 'mountpoint': '/storage/download', }, 'storage/nas': { 'mountpoint': '/storage/nas', }, 'storage/paperless': { 'mountpoint': '/srv/paperless', }, 'storage/scan': { 'mountpoint': '/srv/scansnap', }, }, 'snapshots': { 'retain_per_dataset': { 'storage/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, 'storage/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, 'storage/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, }, 'storage/scan': { 'hourly': 6, 'daily': 0, 'weekly': 0, 'monthly': 0, }, }, # XXX remove when deleting old backups from node 'snapshot_never': { 'storage/backups', } }, }, 'vm': { 'cpu': 8, 'ram': 32, }, }, }