387 lines
14 KiB
Python
387 lines
14 KiB
Python
# Dell Local Node Manager running on <http://172.19.138.20:4679/>
|
|
|
|
nodes['home.nas'] = {
|
|
'hostname': '172.19.138.20',
|
|
'bundles': {
|
|
'backup-client',
|
|
'dm-crypt',
|
|
'jellyfin',
|
|
'lm-sensors',
|
|
'mixcloud-downloader',
|
|
'mosquitto',
|
|
'nfs-server',
|
|
'rsyslogd',
|
|
'samba',
|
|
'smartd',
|
|
'vmhost',
|
|
'zfs',
|
|
},
|
|
'groups': {
|
|
'debian-bullseye',
|
|
'webserver',
|
|
},
|
|
'metadata': {
|
|
'interfaces': {
|
|
'br1138': {
|
|
'ips': {
|
|
'172.19.138.20/24',
|
|
},
|
|
'gateway4': '172.19.138.1',
|
|
'ipv6_accept_ra': True,
|
|
},
|
|
},
|
|
'apt': {
|
|
'unattended-upgrades': {
|
|
'day': 6,
|
|
# requires manual decryption of zfs after reboot
|
|
'reboot_enabled': False,
|
|
},
|
|
'packages': {
|
|
'mpv': {},
|
|
|
|
# for hardware transcoding of video
|
|
'firmware-amd-graphics': {},
|
|
'mesa-va-drivers': {},
|
|
|
|
# for compiling yate
|
|
'autoconf': {},
|
|
'subversion': {},
|
|
# svn checkout http://yate.null.ro/svn/yate/tags/RELEASE_6_4_0/ .
|
|
# ./autogen.sh
|
|
# ./configure --prefix=/opt/yate
|
|
# make -j8
|
|
# systemctl stop yate
|
|
# make install-noconf
|
|
# systemctl start yate
|
|
},
|
|
},
|
|
'backups': {
|
|
'paths': {
|
|
'/storage/nas/Audiobooks',
|
|
'/storage/nas/Bilder',
|
|
'/storage/nas/Bilder_Archiv',
|
|
'/storage/nas/Books',
|
|
'/storage/nas/Installer',
|
|
'/storage/nas/Musik',
|
|
'/storage/nas/Musikvideos',
|
|
'/storage/nas/normen',
|
|
},
|
|
},
|
|
'dm-crypt': {
|
|
'encrypted-devices': {
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
|
|
'dm-name': 'sam-S5SSNJ0X409404K',
|
|
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'),
|
|
},
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': {
|
|
'dm-name': 'sam-S5SSNJ0X409845F',
|
|
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'),
|
|
},
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': {
|
|
'dm-name': 'sam-S5SSNJ0X409870J',
|
|
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'),
|
|
},
|
|
},
|
|
},
|
|
'groups': {
|
|
'nas': {},
|
|
},
|
|
'firewall': {
|
|
'port_rules': {
|
|
'4679/tcp': { # Dell ULNM
|
|
'172.19.136.0/25',
|
|
'172.19.138.0/24',
|
|
},
|
|
'5060/tcp': { # yate SIP
|
|
'home.snom-wohnzimmer',
|
|
'home.mitel-rfp35',
|
|
},
|
|
'5061/tcp': { # yate SIPS
|
|
'home.snom-wohnzimmer',
|
|
'home.mitel-rfp35',
|
|
},
|
|
# yate RTP uses some random UDP port. We cannot firewall
|
|
# it, because for incoming calls the other side decides
|
|
# which port to use. That's why we simply allow all UDP
|
|
# traffic from our SIP clients. It's fine to do so, because
|
|
# all sip clients are known to bundlewrap, so we won't have
|
|
# to deal with randomly changing IPs here.
|
|
'*/udp': {
|
|
'home.snom-wohnzimmer',
|
|
'home.mitel-rfp35',
|
|
},
|
|
},
|
|
},
|
|
'mixcloud-downloader': {
|
|
'netrc': {
|
|
'soundcloud': {
|
|
'username': 'oauth',
|
|
'password': bwpass.attr('soundcloud.com/hi@kunsmann.eu', 'oauth_token'),
|
|
},
|
|
},
|
|
},
|
|
'mosquitto': {
|
|
'bridges': {
|
|
'c3voc': {
|
|
'peer': 'mqtt.c3voc.de',
|
|
'client_id': 'kunsi-home',
|
|
'auth': {
|
|
'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
|
|
'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
|
|
},
|
|
'topics': [
|
|
{
|
|
'pattern': '#',
|
|
'remote_prefix': '/voc/',
|
|
'local_prefix': 'voc'
|
|
},
|
|
],
|
|
},
|
|
},
|
|
'listeners': {
|
|
'8083': {
|
|
'protocol': 'websockets',
|
|
},
|
|
},
|
|
'tasmota-telegraf-topic': '/switch/#',
|
|
'restrict-to': {
|
|
'172.19.136.0/25',
|
|
'172.19.138.0/24',
|
|
},
|
|
},
|
|
'nfs-server': {
|
|
'shares': {
|
|
'/storage/download': {
|
|
'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check',
|
|
},
|
|
'/storage/nas': {
|
|
'172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
|
|
},
|
|
'/srv/paperless': {
|
|
'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
|
|
},
|
|
},
|
|
},
|
|
'nginx': {
|
|
'vhosts': {
|
|
'jellyfin': {
|
|
'domain': 'jellyfin.home.kunbox.net',
|
|
'ssl': '_.home.kunbox.net',
|
|
},
|
|
},
|
|
},
|
|
'rsyslogd': {
|
|
'restrict-to': {
|
|
'home',
|
|
},
|
|
},
|
|
'samba': {
|
|
'shares': {
|
|
'TV': {
|
|
'path': '/storage/nas/TV',
|
|
'force_group': 'nas',
|
|
},
|
|
'music': {
|
|
'path': '/storage/nas/Musik',
|
|
'force_group': 'nas',
|
|
},
|
|
'music_videos': {
|
|
'path': '/storage/nas/Musikvideos',
|
|
'force_group': 'nas',
|
|
},
|
|
},
|
|
'restrict-to': {
|
|
'172.19.138.0/24',
|
|
},
|
|
},
|
|
'smartd': {
|
|
'disks': {
|
|
'/dev/nvme0',
|
|
|
|
# old nas disks
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
|
|
|
|
# encrypted disks
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K',
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F',
|
|
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J',
|
|
},
|
|
},
|
|
'systemd-networkd': {
|
|
'bridges': {
|
|
'br0': {
|
|
'match': {
|
|
'eno1',
|
|
},
|
|
},
|
|
'br1138': {
|
|
'match': {
|
|
'br0.1138',
|
|
},
|
|
},
|
|
'br1139': {
|
|
'match': {
|
|
'br0.1139',
|
|
},
|
|
},
|
|
},
|
|
},
|
|
'systemd-timers': {
|
|
'timers': {
|
|
# Ensure every user is able to read and write to the NAS dataset.
|
|
'nas_permissions': {
|
|
'command': [
|
|
'chown -R :nas /storage/nas/',
|
|
r'find /storage/nas/ -type d -exec chmod 0775 {} \;',
|
|
r'find /storage/nas/ -type f -exec chmod 0664 {} \;',
|
|
],
|
|
'when': '*-*-* 02:00:00',
|
|
},
|
|
},
|
|
},
|
|
'openssh': {
|
|
'enable_x_forwarding_for_admins': True,
|
|
},
|
|
'users': {
|
|
'inbox': {
|
|
'ssh_pubkey': {
|
|
#'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ',
|
|
},
|
|
},
|
|
'kunsi': {
|
|
'groups': {
|
|
'nas',
|
|
},
|
|
},
|
|
},
|
|
'zfs': {
|
|
'module_options': {
|
|
'zfs_arc_max_gb': 8,
|
|
},
|
|
'pools': {
|
|
'storage': {
|
|
'when_creating': {
|
|
'config': [
|
|
{
|
|
'type': 'raidz2',
|
|
'devices': {
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
|
|
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
|
|
},
|
|
},
|
|
],
|
|
'ashift': 12,
|
|
},
|
|
},
|
|
'encrypted': {
|
|
'when_creating': {
|
|
'config': [
|
|
{
|
|
'type': 'raidz',
|
|
'devices': {
|
|
'/dev/mapper/sam-S5SSNJ0X409404K',
|
|
'/dev/mapper/sam-S5SSNJ0X409845F',
|
|
'/dev/mapper/sam-S5SSNJ0X409870J',
|
|
},
|
|
},
|
|
],
|
|
'ashift': 12,
|
|
},
|
|
'needs': {
|
|
'action:dm-crypt_open_sam-S5SSNJ0X409404K',
|
|
'action:dm-crypt_open_sam-S5SSNJ0X409845F',
|
|
'action:dm-crypt_open_sam-S5SSNJ0X409870J',
|
|
},
|
|
# see comment in bundle:backup-server
|
|
'unless': 'zpool import encrypted',
|
|
},
|
|
},
|
|
'datasets': {
|
|
'encrypted': {
|
|
'primarycache': 'metadata',
|
|
},
|
|
'encrypted/download': {
|
|
'mountpoint': '/media/download',
|
|
},
|
|
'encrypted/nas': {
|
|
'acltype': 'off',
|
|
'atime': 'off',
|
|
'compression': 'off',
|
|
'mountpoint': '/storage/nas',
|
|
},
|
|
'encrypted/paperless': {
|
|
'mountpoint': '/media/paperless',
|
|
},
|
|
'storage': {
|
|
'primarycache': 'metadata',
|
|
},
|
|
'storage/opt-yate': {
|
|
'mountpoint': '/opt/yate',
|
|
},
|
|
'storage/download': {
|
|
'mountpoint': '/storage/download',
|
|
},
|
|
'storage/nas': {
|
|
'acltype': 'off',
|
|
'atime': 'off',
|
|
'compression': 'off',
|
|
'mountpoint': '/media/nas_old',
|
|
},
|
|
'storage/paperless': {
|
|
'mountpoint': '/srv/paperless',
|
|
},
|
|
},
|
|
'snapshots': {
|
|
'retain_per_dataset': {
|
|
'encrypted/download': {
|
|
'hourly': 6,
|
|
'daily': 0,
|
|
'weekly': 0,
|
|
'monthly': 0,
|
|
},
|
|
'encrypted/nas': {
|
|
# juuuuuuuust to be sure.
|
|
'daily': 14,
|
|
'weekly': 6,
|
|
'monthly': 12,
|
|
},
|
|
'encrypted/paperless': {
|
|
'daily': 14,
|
|
'weekly': 6,
|
|
'monthly': 24,
|
|
},
|
|
'storage/download': {
|
|
'hourly': 48,
|
|
'daily': 0,
|
|
'weekly': 0,
|
|
'monthly': 0,
|
|
},
|
|
'storage/nas': {
|
|
# juuuuuuuust to be sure.
|
|
'daily': 14,
|
|
'weekly': 6,
|
|
'monthly': 12,
|
|
},
|
|
'storage/paperless': {
|
|
'daily': 14,
|
|
'weekly': 6,
|
|
'monthly': 24,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
'vm': {
|
|
'cpu': 8,
|
|
'ram': 32,
|
|
},
|
|
},
|
|
}
|