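# Dell Local Node Manager running on
#
# Node definition for home.nas (bundlewrap-style ``nodes[...]`` entry).
# Everything under 'metadata' is consumed by the bundles listed in
# 'bundles'; secrets are never written here in clear text -- they are
# resolved through vault.decrypt() / bwpass.password() at apply time.
nodes['home.nas'] = {
    'hostname': 'fd90:2017:0:1138::20',
    'bundles': {
        'backup-client',
        'dm-crypt',
        'jellyfin',
        'lm-sensors',
        'mixcloud-downloader',
        'mosquitto',
        'nfs-server',
        'rsyslogd',
        'scansnap',
        'smartd',
        'vmhost',
        'zfs',
    },
    'groups': {
        'debian-bullseye',
        'webserver',
    },
    'metadata': {
        'interfaces': {
            'br1138': {
                'ips': {
                    '172.19.138.20/24',
                    'fd90:2017:0:1138::20/64',
                },
                'gateway4': '172.19.138.1',
                'ipv6_accept_ra': True,
            },
        },
        'apt': {
            'unattended-upgrades': {
                'day': 6,
                # requires manual decryption of zfs after reboot
                'reboot_enabled': False,
            },
            'packages': {
                'mpv': {},
                # for hardware transcoding of video
                'firmware-amd-graphics': {},
                'mesa-va-drivers': {},
                # for compiling yate
                'autoconf': {},
                'subversion': {},
                # svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ .
                # ./autogen.sh
                # ./configure --prefix=/opt/yate
                # make -j8
                # systemctl stop yate
                # make install-noconf
                # systemctl start yate
            },
        },
        'backups': {
            'paths': {
                '/storage/nas/Audiobooks',
                '/storage/nas/Bilder',
                '/storage/nas/Bilder_Archiv',
                '/storage/nas/Books',
                '/storage/nas/Installer',
                '/storage/nas/Musik',
                '/storage/nas/Musikvideos',
                '/storage/nas/normen',
            },
        },
        'dm-crypt': {
            # Passphrases are looked up through bwpass when the node is
            # applied; only the lookup path is committed here.
            'encrypted-devices': {
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part1': {
                    'dm-name': 'sg-ZVV06JV7-1',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-1'),
                },
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part2': {
                    'dm-name': 'sg-ZVV06JV7-2',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-2'),
                },
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part1': {
                    'dm-name': 'sg-ZVV06SLR-1',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-1'),
                },
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part2': {
                    'dm-name': 'sg-ZVV06SLR-2',
                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-2'),
                },
            },
        },
        'groups': {
            'nas': {},
        },
        'firewall': {
            'port_rules': {
                '4679/tcp': {
                    # Dell ULNM
                    '172.19.136.0/25',
                    '172.19.138.0/24',
                },
                '5060/tcp': {
                    # yate SIP
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
                '5061/tcp': {
                    # yate SIPS
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
                # yate RTP uses some random UDP port. We cannot firewall
                # it, because for incoming calls the other side decides
                # which port to use. That's why we simply allow all UDP
                # traffic from our SIP clients. It's fine to do so, because
                # all sip clients are known to bundlewrap, so we won't have
                # to deal with randomly changing IPs here.
                #
                # NOTE(review): this rule is exactly as tight as the two
                # node entries that feed it -- any change to those hosts'
                # addresses widens or narrows the whole UDP surface.
                '*/udp': {
                    'home.snom-wohnzimmer',
                    'home.mitel-rfp35',
                },
            },
        },
        'jellyfin': {
            'restrict-to': {
                'home.lgtv-wohnzimmer',
            },
        },
        'mosquitto': {
            'bridges': {
                'c3voc': {
                    'peer': 'mqtt.c3voc.de',
                    'client_id': 'kunsi-home',
                    # Both values are vault ciphertext ('encrypt$...');
                    # they are only decrypted when the config is built.
                    'auth': {
                        'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
                        'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
                    },
                    'topics': [
                        {
                            'pattern': '#',
                            'remote_prefix': '/voc/',
                            'local_prefix': 'voc',
                        },
                    ],
                },
            },
            'listeners': {
                '8083': {
                    'protocol': 'websockets',
                },
            },
            'tasmota-telegraf-topic': '/switch/#',
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
        },
        'nfs-server': {
            'shares': {
                '/storage/download': {
                    'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check',
                },
                '/storage/nas': {
                    '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
                '/srv/paperless': {
                    'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
                # NOTE(review): unlike the other rw shares, which name a
                # single host, this one is writable from the whole /24
                # (squashed to nobody:nogroup).
                '/srv/scansnap': {
                    '172.19.138.0/24': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                },
            },
        },
        'nginx': {
            'vhosts': {
                'jellyfin': {
                    'domain': 'jellyfin.home.kunbox.net',
                    'ssl': '_.home.kunbox.net',
                },
            },
        },
        'rsyslogd': {
            'restrict-to': {
                'home',
            },
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
                # encrypted disks
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7',
                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR',
                # ZFS cache disks
                #'/dev/disk/by-id/ata-TS64GSSD370_B807810503',
                #'/dev/disk/by-id/ata-TS64GSSD370_B807810527',
            },
        },
        'sysctl': {
            'options': {
                # XXX find out if this is really needed
                # NOTE(review): this host carries the 'vmhost' bundle and
                # the br0/br1138 bridges below, so forwarding may be what
                # lets guests route through it -- confirm before removing.
                'net.ipv4.ip_forward': '1',
            },
        },
        'systemd-networkd': {
            'bridges': {
                'br0': {
                    'match': {
                        'eno1',
                    },
                },
                'br1138': {
                    'match': {
                        'br0.1138',
                    },
                },
            },
        },
        'systemd-timers': {
            'timers': {
                # Ensure every user is able to read and write to the NAS dataset.
                # The chmod calls set an explicit mode, so any setgid/sticky
                # bits on existing entries are cleared on every run.
                'nas_permissions': {
                    'command': [
                        'chown -R :nas /storage/nas/',
                        # raw strings: '\;' is not a valid Python escape and
                        # would otherwise trigger a SyntaxWarning.
                        r'find /storage/nas/ -type d -exec chmod 0775 {} \;',
                        r'find /storage/nas/ -type f -exec chmod 0664 {} \;',
                    ],
                    'when': '*-*-* 02:00:00',
                },
            },
        },
        'openssh': {
            'enable_x_forwarding_for_admins': True,
        },
        'users': {
            'f2k1de': {
                'delete': True,
            },
            'inbox': {
                'ssh_pubkey': {
                    #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ',
                },
            },
            'kunsi': {
                'groups': {
                    'nas',
                },
            },
            'sophie': {
                'groups': {
                    'nas',
                },
            },
            'qcn': {
                'delete': True,
            },
        },
        'zfs': {
            'module_options': {
                'zfs_arc_max_gb': 8,
            },
            'pools': {
                'storage': {
                    'when_creating': {
                        'config': [
                            {
                                'type': 'raidz2',
                                'devices': {
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
                                    '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
                                },
                            },
                            # {
                            #     'type': 'log',
                            #     'devices': {
                            #         '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1',
                            #         '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1',
                            #     },
                            # },
                            # {
                            #     'type': 'cache',
                            #     'devices': {
                            #         '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2',
                            #         '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2',
                            #     },
                            # },
                        ],
                        'ashift': 12,
                    },
                },
                'encrypted': {
                    'when_creating': {
                        'config': [
                            # These are new and fancy "dual actuator"
                            # drives, partitioned into two partitions
                            # taking 50% of the disk each.
                            {
                                'type': 'mirror',
                                'devices': {
                                    '/dev/mapper/sg-ZVV06JV7-1',
                                    '/dev/mapper/sg-ZVV06SLR-1',
                                },
                            },
                            {
                                'type': 'mirror',
                                'devices': {
                                    '/dev/mapper/sg-ZVV06JV7-2',
                                    '/dev/mapper/sg-ZVV06SLR-2',
                                },
                            },
                        ],
                        'ashift': 12,
                    },
                    # the pool can only be created/imported once all four
                    # dm-crypt mappings above have been opened
                    'needs': {
                        'action:dm-crypt_open_sg-ZVV06JV7-1',
                        'action:dm-crypt_open_sg-ZVV06JV7-2',
                        'action:dm-crypt_open_sg-ZVV06SLR-1',
                        'action:dm-crypt_open_sg-ZVV06SLR-2',
                    },
                    # see comment in bundle:backup-server
                    'unless': 'zpool import encrypted',
                },
            },
            'datasets': {
                'encrypted': {
                    'primarycache': 'metadata',
                },
                'encrypted/nas': {
                    'acltype': 'off',
                    'atime': 'off',
                    'compression': 'off',
                    'mountpoint': '/media/nas',
                },
                'storage': {
                    'primarycache': 'metadata',
                },
                'storage/opt-yate': {
                    'mountpoint': '/opt/yate',
                },
                'storage/f2k1de': {
                    'mountpoint': '/storage/f2k1de',
                },
                'storage/download': {
                    'mountpoint': '/storage/download',
                },
                'storage/inbox': {
                    # 1 TiB; str() because the property value apparently
                    # has to be passed as a string -- verify against the bundle
                    'quota': str(1024*1024*1024*1024),
                    'mountpoint': '/storage/inbox',
                },
                'storage/nas': {
                    'mountpoint': '/storage/nas',
                },
                'storage/paperless': {
                    'mountpoint': '/srv/paperless',
                },
                'storage/scan': {
                    'mountpoint': '/srv/scansnap',
                },
            },
            'snapshots': {
                'retain_per_dataset': {
                    'storage/download': {
                        'hourly': 48,
                        'daily': 0,
                        'weekly': 0,
                        'monthly': 0,
                    },
                    'storage/nas': {
                        # juuuuuuuust to be sure.
                        'daily': 14,
                        'weekly': 6,
                        'monthly': 12,
                    },
                    'storage/paperless': {
                        'daily': 14,
                        'weekly': 6,
                        'monthly': 24,
                    },
                    'storage/scan': {
                        'hourly': 6,
                        'daily': 0,
                        'weekly': 0,
                        'monthly': 0,
                    },
                },
            },
        },
        'vm': {
            'cpu': 8,
            'ram': 32,
        },
    },
}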