# Dell Local Node Manager running on nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { 'backup-client', 'dm-crypt', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', 'mosquitto', 'nfs-server', 'rsyslogd', 'samba', 'smartd', 'vmhost', 'zfs', }, 'groups': { 'debian-bullseye', 'webserver', }, 'metadata': { 'interfaces': { 'br1138': { 'ips': { '172.19.138.20/24', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, }, }, 'apt': { 'unattended-upgrades': { 'day': 6, # requires manual decryption of zfs after reboot 'reboot_enabled': False, }, 'packages': { 'mpv': {}, # for hardware transcoding of video 'firmware-amd-graphics': {}, 'mesa-va-drivers': {}, # for compiling yate 'autoconf': {}, 'subversion': {}, # svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ . # ./autogen.sh # ./configure --prefix=/opt/yate # make -j8 # systemctl stop yate # make install-noconf # systemctl start yate }, }, 'backups': { 'paths': { '/storage/nas/Audiobooks', '/storage/nas/Bilder', '/storage/nas/Bilder_Archiv', '/storage/nas/Books', '/storage/nas/Installer', '/storage/nas/Musik', '/storage/nas/Musikvideos', '/storage/nas/normen', }, }, 'dm-crypt': { 'encrypted-devices': { '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': { 'dm-name': 'sam-S5SSNJ0X409404K', 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'), }, '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': { 'dm-name': 'sam-S5SSNJ0X409845F', 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'), }, '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': { 'dm-name': 'sam-S5SSNJ0X409870J', 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'), }, }, }, 'groups': { 'nas': {}, }, 'firewall': { 'port_rules': { '4679/tcp': { # Dell ULNM '172.19.136.0/25', '172.19.138.0/24', }, '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides # which port to use. That's why we simply allow all UDP # traffic from our SIP clients. It's fine to do so, because # all sip clients are known to bundlewrap, so we won't have # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, }, }, 'mixcloud-downloader': { 'netrc': { 'soundcloud': { 'username': 'oauth', 'password': bwpass.attr('soundcloud.com/hi@kunsmann.eu', 'oauth_token'), }, }, }, 'mosquitto': { 'bridges': { 'c3voc': { 'peer': 'mqtt.c3voc.de', 'client_id': 'kunsi-home', 'auth': { 'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='), 'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='), }, 'topics': [ { 'pattern': '#', 'remote_prefix': '/voc/', 'local_prefix': 'voc' }, ], }, }, 'listeners': { '8083': { 'protocol': 'websockets', }, }, 'tasmota-telegraf-topic': '/switch/#', 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', }, }, 'nfs-server': { 'shares': { '/storage/download': { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, }, }, 'nginx': { 'vhosts': { 'jellyfin': { 'domain': 'jellyfin.home.kunbox.net', 'ssl': '_.home.kunbox.net', }, }, }, 'rsyslogd': { 'restrict-to': { 'home', }, }, 'samba': { 'shares': { 'TV': { 'path': '/storage/nas/TV', 'force_group': 'nas', }, 'music': { 'path': '/storage/nas/Musik', 'force_group': 'nas', }, 'music_videos': { 'path': '/storage/nas/Musikvideos', 'force_group': 'nas', }, }, 'restrict-to': { '172.19.138.0/24', }, }, 'smartd': { 'disks': { '/dev/nvme0', # old nas disks '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', # encrypted disks '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K', '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F', '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J', }, }, 'systemd-networkd': { 'bridges': { 'br0': { 'match': { 'eno1', }, }, 'br1138': { 'match': { 'br0.1138', }, }, 'br1139': { 'match': { 'br0.1139', }, }, }, }, 'systemd-timers': { 'timers': { # Ensure every user is able to read and write to the NAS dataset. 'nas_permissions': { 'command': [ 'chown -R :nas /storage/nas/', r'find /storage/nas/ -type d -exec chmod 0775 {} \;', r'find /storage/nas/ -type f -exec chmod 0664 {} \;', ], 'when': '*-*-* 02:00:00', }, }, }, 'openssh': { 'enable_x_forwarding_for_admins': True, }, 'users': { 'inbox': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', }, }, 'kunsi': { 'groups': { 'nas', }, }, }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 8, }, 'pools': { 'tank': { 'when_creating': { 'config': [ { 'type': 'raidz2', 'devices': { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, ], 'ashift': 12, }, }, 'encrypted': { 'when_creating': { 'config': [ { 'type': 'raidz', 'devices': { '/dev/mapper/sam-S5SSNJ0X409404K', '/dev/mapper/sam-S5SSNJ0X409845F', '/dev/mapper/sam-S5SSNJ0X409870J', }, }, ], 'ashift': 12, }, 'needs': { 'action:dm-crypt_open_sam-S5SSNJ0X409404K', 'action:dm-crypt_open_sam-S5SSNJ0X409845F', 'action:dm-crypt_open_sam-S5SSNJ0X409870J', }, # see comment in bundle:backup-server 'unless': 'zpool import encrypted', }, }, 'datasets': { 'encrypted': { 'primarycache': 'metadata', }, 'encrypted/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/storage/nas', }, 'tank': { 'primarycache': 'metadata', }, 'tank/opt-yate': { 'mountpoint': '/opt/yate', }, 'tank/download': { 'mountpoint': '/storage/download', }, 'tank/paperless': { 'mountpoint': '/srv/paperless', }, }, 'snapshots': { 'retain_per_dataset': { 'encrypted/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, 'tank/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, 'tank/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, }, }, }, }, 'vm': { 'cpu': 8, 'ram': 32, }, }, }