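# BundleWrap node definition for "fkusei-locutus".
# `nodes` and `vault` are injected by BundleWrap when it loads this file;
# every `vault.decrypt(...)` argument below is vault ciphertext (or a vault
# key reference), not a plaintext secret.
nodes['fkusei-locutus'] = {
    'hostname': '10.5.99.29',
    'bundles': {
        'arch-with-gui',
        'bird',
        'lldp',
        'lm-sensors',
        'nfs-client',
        'systemd-boot',
        'telegraf-battery-usage',
        'wireguard',
        'voc-tracker-worker',
        'zfs',
    },
    'groups': {
        'arch',
    },
    'metadata': {
        'arch-with-gui': {
            'autologin_as': 'fkunsmann',
        },
        'bird': {
            'bgp_neighbors': {
                'smedia': {
                    'local_as': 4200128002,
                    'local_ip': '10.200.128.2',
                    'neighbor_as': 64900,
                    'neighbor_ip': '10.200.128.1',
                },
            },
        },
        'firewall': {
            'port_rules': {
                # obs websocket thingie - just allow all RFC1918 ips here
                #'4444': {
                #    '10.0.0.0/8',
                #    '172.16.0.0/12',
                #    '192.168.0.0/16',
                #},
                # For the occasional file-share using `python -m http.server`
                # NOTE(review): '*' admits any source address, unlike the
                # RFC1918-scoped rule above and the openssh 'restrict-to'
                # below; narrow it to the local networks unless exposure
                # beyond them is intended.
                '8000/tcp': {'*'},
            },
        },
        'interfaces': {
            'eth*': {
                'dhcp': True,
            },
            # there is also wlan0, but that's managed by netctl
        },
        'location': 'home',  # not actually true, but needed for static dhcp lease
        'nfs-client': {
            'mounts': {
                'nas-storage': {
                    'mountpoint': '/mnt/nas',
                    'serverpath': '172.19.138.20:/storage/nas',
                    'mount_options': {
                        'retry=0',
                        'ro',
                    },
                },
            },
        },
        'openssh': {
            'restrict-to': {
                'rfc1918',
            },
        },
        'pacman': {
            'packages': {
                'amd-ucode': {},
                'xf86-video-amdgpu': {},
                # all that other random stuff one needs
                'apachedirectorystudio': {},
                'direnv': {},
                'freerdp': {},
                'sdl_ttf': {},  # for compiling testcard
                'thermald': {},
            },
        },
        'sysctl': {
            'options': {
                # accept RA even though forwarding is enabled
                'net.ipv4.conf.all.accept_ra': '2',
                'net.ipv4.conf.wlan0.accept_ra': '2',
            },
        },
        'systemd-boot': {
            'default': 'arch',
            'entries': {
                'arch': {
                    'title': 'Arch Linux',
                    'linux': '/vmlinuz-linux',
                    'initrd': [
                        '/amd-ucode.img',
                        '/initramfs-linux.img',
                    ],
                    'options': {
                        'net.ifnames=0',
                        'rw',
                        'zfs=zroot/system/root',
                    },
                },
                'arch-fallback': {
                    'title': 'Arch Linux (no ucode, fallback initramfs)',
                    'linux': '/vmlinuz-linux',
                    'initrd': [
                        '/initramfs-linux-fallback.img',
                    ],
                    'options': {
                        'net.ifnames=0',
                        'rw',
                        'zfs=zroot/system/root',
                    },
                },
            },
        },
        'timezone': 'Europe/Berlin',
        'users': {
            'fkunsmann': {
                'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
                'shell': '/usr/bin/fish',
                'sudo_commands': {
                    'ALL',
                },
            },
            # 'delete': True — presumably tells the users bundle to remove
            # this account if it still exists on the host.
            'sophie': {
                'delete': True,
            },
        },
        'voc-tracker-worker': {
            'url': 'https://tracker.c3voc.de/rpc',
            'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'),
            'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'),
        },
        'wireguard': {
            # 'smedia$NotViaThisRepository' looks like a deliberate placeholder:
            # the WireGuard key material is not kept in this repository and is
            # presumably supplied elsewhere — TODO confirm.
            'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
            'peers': {
                'smedia': {
                    # 'endpoint' was previously listed twice in this dict.
                    # Python keeps the last value, so '185.122.180.82:51820'
                    # was the one in effect and the earlier
                    # 'wireguard.htz-cloud.kunbox.net:1194' was dead config.
                    # The effective value is kept here — TODO confirm that
                    # the IP:port (not the hostname) is the intended endpoint.
                    'endpoint': '185.122.180.82:51820',
                    'their_ip': '10.200.128.1',
                    'my_ip': '10.200.128.2/20',
                    'my_port': 51820,
                    'psk': vault.decrypt('smedia$NotViaThisRepository'),
                    'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
                },
            },
        },
        'zfs': {
            'pools': {
                'zroot': {
                    'when_creating': {
                        'config': [],
                    },
                },
            },
            'datasets': {
                # this is not a complete list, but we can't create that
                # structure using bundlewrap anyway, so there's no point
                # in adding it here.
                'zroot': {
                    'compression': 'lz4',
                    'relatime': 'on',
                    'xattr': 'sa',
                    'primarycache': 'metadata',
                    # encryption is enabled, too.
                },
                'zroot/system/journal': {
                    'mountpoint': '/var/log/journal',
                    'acltype': 'posix',
                },
                'zroot/system/root': {
                    'canmount': 'noauto',
                    'mountpoint': '/',
                },
                'zroot/user/fkunsmann': {
                    'mountpoint': '/home/fkunsmann',
                },
            },
            'snapshots': {
                'retain_per_dataset': {
                    'zroot/user/fkunsmann': {
                        # juuuuuuuust to be sure
                        'hourly': 100,
                    },
                },
                'snapshot_never': {
                    'zroot/system/journal',
                },
            },
        },
    },
    'os': 'arch',
}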