# Dell Local Node Manager running on nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { 'backup-client', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', 'mosquitto', 'nfs-server', 'rsyslogd', 'scansnap', 'smartd', 'vmhost', 'zfs', }, 'groups': { 'debian-bullseye', 'webserver', }, 'metadata': { 'interfaces': { 'br1138': { 'ips': { '172.19.138.20/24', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, }, }, 'apt': { 'unattended-upgrades': { 'day': 6, # requires manual decryption of zfs after reboot 'reboot_enabled': False, }, 'packages': { 'mpv': {}, # for hardware transcoding of video 'firmware-amd-graphics': {}, 'mesa-va-drivers': {}, # for compiling yate 'autoconf': {}, 'subversion': {}, # svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ . # ./autogen.sh # ./configure --prefix=/opt/yate # make -j8 # systemctl stop yate # make install-noconf # systemctl start yate }, }, 'backups': { 'paths': { '/storage/nas/Audiobooks', '/storage/nas/Bilder', '/storage/nas/Bilder_Archiv', '/storage/nas/Books', '/storage/nas/Installer', '/storage/nas/Musik', '/storage/nas/Musikvideos', '/storage/nas/normen', }, }, 'groups': { 'nas': {}, }, 'firewall': { 'port_rules': { '4679/tcp': { # Dell ULNM '172.19.136.0/25', '172.19.138.0/24', }, '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides # which port to use. That's why we simply allow all UDP # traffic from our SIP clients. It's fine to do so, because # all sip clients are known to bundlewrap, so we won't have # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, }, }, 'jellyfin': { 'restrict-to': { 'home.lgtv-wohnzimmer', }, }, 'mosquitto': { 'bridges': { 'c3voc': { 'peer': 'mqtt.c3voc.de', 'client_id': 'kunsi-home', 'auth': { 'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='), 'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='), }, 'topics': [ { 'pattern': '#', 'remote_prefix': '/voc/', 'local_prefix': 'voc' }, ], }, }, 'listeners': { '8083': { 'protocol': 'websockets', }, }, 'tasmota-telegraf-topic': '/switch/#', 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', }, }, 'nfs-server': { 'shares': { '/storage/download': { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, '/srv/scansnap': { '172.19.138.0/24': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, }, }, 'nginx': { 'vhosts': { 'jellyfin': { 'domain': 'jellyfin.home.kunbox.net', 'ssl': '_.home.kunbox.net', }, }, }, 'rsyslogd': { 'restrict-to': { 'home', }, }, 'smartd': { 'disks': { '/dev/nvme0', # ZFS cache disks '/dev/disk/by-id/ata-TS64GSSD370_B807810503', '/dev/disk/by-id/ata-TS64GSSD370_B807810527', }, }, 'sysctl': { 'options': { # XXX find out if this is really needed 'net.ipv4.ip_forward': '1', }, }, 'systemd-networkd': { 'bridges': { 'br0': { 'match': { 'eno1', }, }, 'br1138': { 'match': { 'br0.1138', }, }, }, }, 'systemd-timers': { 'timers': { # Ensure every user is able to read and write to the NAS dataset. 'nas_permissions': { 'command': [ 'chown -R :nas /storage/nas/', 'find /storage/nas/ -type d -exec chmod 0775 {} \;', 'find /storage/nas/ -type f -exec chmod 0664 {} \;', ], 'when': '*-*-* 02:00:00', }, }, }, 'openssh': { 'enable_x_forwarding_for_admins': True, }, 'users': { 'f2k1de': { 'ssh_pubkey': { 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e', 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up', }, }, 'inbox': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', 'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDl9zOB7FBeqecfGBRQXZB9nM8e2HNIOKj7IhjgD47GUPh/niD4kUWfVsd6JiNs6RZZE7mQBAKD1wh3/sTd5Twn3ptMIZpoTrLAYEknICzdtwoLRlkHVfb3eK/Q9ufpOGV7Pd24viONSSWSgtd/GcXFCclpEtM06/47USwytFcN5NPmE3/yi68IKDSbIo3hWNo5ZUdeS7g0v+/uF/DkYMJRv0oQatcZx+P/yPLrKqekg/5nMw3RHRwcYVCDqoTc2KjAwWJQw1hOtt105tOpfmbo4eX9cmjcw3Eihwdyl+EeZelaTay1oIzHlKnuxp2oTI0O0KHNQngRt7YDgnEICY16SvyIOJD9ZOam1VeOr0+Z8QgPgGu82Wv+UG+/21yjIoB48VlkNNNpUBeGTBad23Cb+wHVFC5PIQN4iEH2i0PS0xVCIU2bOlXUPJx6/XK51vFoZdknH/8/Mr0jvMsw9i3QSrSy76AjxkexNYje0phNiseMRCakZ8uKdL2yA0g3P5s=', }, }, 'kunsi': { 'groups': { 'nas', }, }, 'sophie': { 'groups': { 'nas', }, }, 'qcn': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAwUA5t2cSy9YD+ilu5nklvokSRAoNOq/gUV73/KTsv lexi@aranea', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7cCmJ1+btuwpbGrGAuiK8R/hTMCK7CFK0aK2vPcSy+ lexi@kanaya', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLx+8d429D1KjaqOaGRFK09j6j3/FuU4xQMsrNLdflg lexi@toriel', 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/Serien_Englisch/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPGPse+vv3+kHBYt6bdab/4AbP1hU34/3qH9SBuC8LCJ jenny@normandy', }, }, }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 8, }, 'pools': { 'storage': { 'when_creating': { 'config': [ { 'type': 'raidz2', 'devices': { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, { 'type': 'log', 'devices': { '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1', '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1', }, }, { 'type': 'cache', 'devices': { '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2', '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2', }, }, ], 'ashift': 12, }, }, }, 'datasets': { 'storage': { 'primarycache': 'metadata', }, 'storage/opt-yate': { 'mountpoint': '/opt/yate', }, 'storage/f2k1de': { 'mountpoint': '/storage/f2k1de', }, 'storage/download': { 'mountpoint': '/storage/download', }, 'storage/inbox': { 'quota': str(1024*1024*1024*1024), # 1TB 'mountpoint': '/storage/inbox', }, 'storage/nas': { 'mountpoint': '/storage/nas', }, 'storage/paperless': { 'mountpoint': '/srv/paperless', }, 'storage/scan': { 'mountpoint': '/srv/scansnap', }, }, 'snapshots': { 'retain_per_dataset': { 'storage/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, 'storage/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, 'storage/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, }, 'storage/scan': { 'hourly': 6, 'daily': 0, 'weekly': 0, 'monthly': 0, }, }, }, }, 'vm': { 'cpu': 8, 'ram': 32, }, }, }