# bundlewrap node definition for the laptop 'kunsi-p14s': selects the bundles
# to apply and supplies their metadata (firewall, routing/NAT, NFS, VPN, ZFS).
# `nodes` and `vault` are not defined in this file; presumably they are
# injected by bundlewrap when it loads the node file - confirm.
nodes['kunsi-p14s'] = {
    # NOTE(review): 'localhost' presumably means this node is only ever applied
    # from the machine itself rather than over the network - confirm.
    'hostname': 'localhost',
    'bundles': {
        'arch-with-gui',
        'backup-client',
        'lldp',
        'lm-sensors',
        'nfs-client',
        'openvpn-client',
        'systemd-boot',
        'telegraf-battery-usage',
        'vmhost',
        'wireguard',
        'zfs',
    },
    'groups': {
        'arch',
    },
    'metadata': {
        'arch-with-gui': {
            # NOTE(review): autologin means anyone who can boot the machine gets
            # this user's desktop session without a login prompt; the remaining
            # barrier is the disk encryption mentioned under 'zfs' below.
            'autologin_as': 'kunsi',
        },
        'backup-client': {
            # only alert people if we're missing more than a week of backups
            'one_backup_every_hours': 7 * 24,
        },
        'firewall': {
            'port_rules': {
                # obs websocket thingie - just allow all RFC1918 ips here
                #'4444': {
                #    '10.0.0.0/8',
                #    '172.16.0.0/12',
                #    '192.168.0.0/16',
                #},
                # For the occasional file-share using `python -m http.server`
                # NOTE(review): '*' presumably allows every source address
                # (confirm against the firewall bundle). That makes this rule
                # wider than sshd ('openssh' below is restricted to rfc1918) and
                # wider than the disabled 4444 rule above. http.server has no
                # authentication or TLS and serves its working directory, and
                # this is a laptop that joins foreign networks - consider the
                # same RFC1918 source set here.
                '8000/tcp': {'*'},
            },
        },
        'interfaces': {
            'br0': {
                # static address and DHCP are both configured on the bridge
                'ips': {'10.73.100.103/16'},
                'gateway4': '10.73.0.254',
                'dhcp': True,
            },
            # there is also wlp3s0, but that's managed by netctl
            # NOTE(review): the boot entries below pass net.ifnames=0 and the
            # nftables rules match 'wlan0', so the wifi interface is presumably
            # named wlan0 at runtime, not wlp3s0 - confirm and update.
        },
        'nfs-client': {
            # NOTE(review): 172.19.138.20 lies inside 172.19.128.0/20, the route
            # of the wireguard peer below, so these mounts presumably only work
            # (and only travel encrypted) while that tunnel is up. No 'sec='
            # mount option is set, so the auth flavour is whatever the
            # client/server negotiate by default - confirm on the NAS.
            'mounts': {
                'nas-scansnap': {
                    'mountpoint': '/mnt/scansnap',
                    'serverpath': '172.19.138.20:/srv/scansnap',
                    'mount_options': {
                        'retry=0',
                        'rw',
                    },
                },
                'nas-storage': {
                    'mountpoint': '/mnt/nas',
                    'serverpath': '172.19.138.20:/storage/nas',
                    # read-only: this host never needs to write to the NAS share
                    'mount_options': {
                        'retry=0',
                        'ro',
                    },
                },
            },
        },
        # Together with net.ipv4.ip_forward under 'sysctl', these rules turn the
        # laptop into a NAT router towards wlan0.
        'nftables': {
            'forward': {
                '50-routing': [
                    # return traffic for connections that were already allowed
                    'ct state { related, established } accept',
                    # NOTE(review): accepts every forwarded packet leaving via
                    # wlan0 regardless of input interface or source; add an
                    # 'iifname' match if only bridge/VM traffic should be routed.
                    'oifname wlan0 accept',
                ],
            },
            'postrouting': {
                '50-routing': [
                    # source-NAT forwarded traffic to the wlan0 address
                    'oifname wlan0 masquerade',
                ],
            },
        },
        'openssh': {
            # presumably limits inbound ssh to RFC1918 source addresses - confirm
            # against the openssh/firewall bundles
            'restrict-to': {
                'rfc1918',
            },
        },
        'openvpn-client': {
            # NOTE(review): 'enabled': False with 'running': None presumably
            # means no autostart at boot and run state left to manual control -
            # confirm against the openvpn-client bundle.
            'configs': {
                'c3voc': {
                    'running': None,
                    'enabled': False,
                },
                'smedia-priv': {
                    'running': None,
                    'enabled': False,
                },
            },
        },
        'pacman': {
            # keeps a package-shipped sudoers drop-in off the system, so no
            # sudo rule is installed that the admin did not write
            'no_extract': {
                'etc/sudoers.d/ctdb', # samba junk
            },
            'packages': {
                # for hardware support
                'amd-ucode': {},
                'mesa': {},

                # various video drivers
                'libva-mesa-driver': {},
                'mesa-vdpau': {},
                'xf86-video-amdgpu': {},

                # all that other random stuff one needs
                'abcde': {},
                'apachedirectorystudio': {},
                'claws-mail': {},
                'claws-mail-themes': {},
                'ferdi-bin': {},
                'gumbo-parser': {}, # for claws litehtml
                'inkstitch': {}, # for RZL embroidery machine
                'obs-studio': {},
                'perl-musicbrainz-discid': {}, # for abcde
                'perl-webservice-musicbrainz': {}, # for abcde
                'sdl_ttf': {}, # for compiling testcard
                'x32edit': {},
            },
        },
        'systemd-boot': {
            'default': 'arch',
            'entries': {
                'arch': {
                    'title': 'Arch Linux',
                    'linux': '/vmlinuz-linux',
                    # CPU microcode image first, then the regular initramfs
                    'initrd': [
                        '/amd-ucode.img',
                        '/initramfs-linux.img',
                    ],
                    'options': {
                        # net.ifnames=0 disables predictable interface names,
                        # hence eth*/wlan0 elsewhere in this file
                        'net.ifnames=0',
                        'rw',
                        'zfs=zroot/system/root',
                    },
                },
                # NOTE(review): the fallback entry boots without the microcode
                # image, i.e. without CPU microcode updates from amd-ucode; use
                # it for recovery only.
                'arch-fallback': {
                    'title': 'Arch Linux (no ucode, fallback initramfs)',
                    'linux': '/vmlinuz-linux',
                    'initrd': [
                        '/initramfs-linux-fallback.img',
                    ],
                    'options': {
                        'net.ifnames=0',
                        'rw',
                        'zfs=zroot/system/root',
                    },
                },
            },
        },
        'sysctl': {
            'options': {
                # IPv4 routing on; what may be forwarded is decided solely by
                # the nftables 'forward' rules above
                'net.ipv4.ip_forward': '1',
            },
        },
        'systemd-networkd': {
            'bridges': {
                'br0': {
                    # NOTE(review): the globs presumably enslave every wired
                    # NIC, including USB/dock adapters plugged in later, to br0
                    # - confirm that is intended.
                    'match': {
                        'en*',
                        'eth*',
                    },
                },
            },
        },
        'timezone': 'Europe/Berlin',
        'users': {
            'kunsi': {
                # Only the ciphertext is stored here; presumably vault.decrypt()
                # resolves it with a key kept outside the repository - confirm
                # the key is never committed alongside this file.
                'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
                'shell': '/usr/bin/fish',
            },
            # presumably removes the account if it still exists on the node -
            # confirm against the users bundle
            'sophie': {
                'delete': True,
            },
        },
        'wireguard': {
            'peers': {
                'htz-cloud.wireguard': {
                    # tunnel is not brought up automatically
                    'auto_connection': False,
                    'endpoint': 'wireguard.htz-cloud.kunbox.net:1194',
                    'my_ip': '172.19.136.65',
                    'my_port': 51819,
                    'their_ip': '172.19.136.64',
                    # covers 172.19.128.0 - 172.19.143.255, which includes the
                    # NFS server address used under 'nfs-client'
                    'routes': {
                        '172.19.128.0/20',
                    },
                },
            },
        },
        'zfs': {
            'pools': {
                'zroot': {
                    'when_creating': {
                        'config': [{
                            # single-device pool: no redundancy on this laptop
                            'devices': [
                                '/dev/disk/by-id/nvme-UMIS_RPETJ1T24MGE2QDQ_SS0L25218X3RC1BG1182-part2',
                            ],
                        }],
                        'ashift': 12,
                    },
                },
            },
            'datasets': {
                # this is not a complete list, but we can't create that
                # structure using bundlewrap anyway, so there's no point
                # in adding it here.
                'zroot': {
                    'compression': 'lz4',
                    'relatime': 'on',
                    'xattr': 'sa',
                    'primarycache': 'metadata'
                    # encryption is enabled, too.
                    # NOTE(review): encryption is not expressed in this
                    # metadata, so nothing here enforces or verifies it; check
                    # `zfs get encryption` on the host.
                },
                'zroot/movies': {
                    'mountpoint': '/media/movies',
                },
                'zroot/system/journal': {
                    'mountpoint': '/var/log/journal',
                    'acltype': 'posix',
                },
                'zroot/system/libvirt': {
                    'mountpoint': '/var/lib/libvirt',
                    'needed_by': {
                        'bundle:vmhost',
                    },
                },
                'zroot/system/video': {
                    'mountpoint': '/video',
                    # NOTE(review): 'voc-tracker-worker' is not in this node's
                    # 'bundles' set above; presumably it comes from a group, or
                    # this reference is stale - confirm.
                    'needed_by': {
                        'bundle:voc-tracker-worker',
                    },
                },
                'zroot/system/root': {
                    # mounted by the initramfs via the zfs= kernel option, not
                    # by zfs itself
                    'canmount': 'noauto',
                    'mountpoint': 'legacy',
                },
                'zroot/user/kunsi': {
                    'mountpoint': '/home/kunsi',
                },
            },
            'snapshots': {
                'retain_per_dataset': {
                    'zroot/user/kunsi': {
                        # juuuuuuuust to be sure
                        'hourly': 100,
                    },
                },
                # NOTE(review): the journal is excluded from snapshots, so no
                # point-in-time copy of the logs exists on this pool; whether
                # 'backup-client' covers /var/log/journal is not visible here.
                'snapshot_never': {
                    'zroot/movies',
                    'zroot/system/journal',
                    'zroot/system/video',
                },
            },
        },
    },
    'os': 'arch',
}