nix-config/hosts/storage-ng/configuration.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, lib, strings, ... }:

let eth0 = "ens18";
in {
  imports = [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../../lib
    ../../lib/hq.nix
    ../../lib/shared.nix
    ../../lib/users.nix
    ./ncdc.nix
    ../../lib/default-gateway.nix
    ../../lib/emery.nix
  ];

  c3d2 = {
    isInHq = true;
    mapHqHosts = true;
    hq.interface = eth0;
  };

  hq.yggdrasil = {
    enable = true;
    interface = eth0;
  };

  boot.loader.systemd-boot.enable = true;
  systemd.enableEmergencyMode = false;

  networking = {
    hostName = "storage-ng";
    # usePredictableInterfacenames = false;
    interfaces.${eth0} = {
      ipv4.addresses = [{
      address = "172.22.99.20";
      prefixLength = 24;
    }];
    ipv6.addresses = [{
      address = "2a02:8106:208:5201::20";
      prefixLength = 64;
    }];
    };

    defaultGateway.interface = eth0;

  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget
    vim
    screen
    zsh
    lftp
    lsof
    psmisc
    gitAndTools.git-annex
    gitAndTools.git
    tmux

    mpv
    iotop
  ];

  services.ceph = {
    enable = false;
    client.enable = true;
  };

  # fixme, we need a floating ip here
  # correct is floating ip 172.22.99.21
  # does not exist yet

  # secretfile does not work :(

  fileSystems."/mnt/cephfs" = {
    device = "172.22.99.13:6789:/";
    fsType = "ceph";
    options = [
      "name=storage2"
      "secret=AQAvRhxcaCK0IxAAnoe00oiopcpQeKZgL02RWw=="
      "noatime,_netdev"
      "noauto"
      "x-systemd.automount"
      "x-systemd.device-timeout=175"
      "users"
    ];
  };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.bash.enableCompletion = true;
  programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  services.atftpd = {
    enable = true;
    root = "/mnt/cephfs/c3d2/tftp";
  };

  services.nfs.server = {
    enable = true;
    #    exports = "/mnt/cephfs/c3d2/dacbert-rootfs dacbert.hq.c3d2.de(rw) *(ro)";
    exports = "/mnt/cephfs/c3d2/dacbert-rootfs *(rw)";
  };

  services.nginx = {
    enable = true;
    #modules = [ pkgs.nginxModules.nixfancyindex ];
    package =
      pkgs.nginx.override { modules = with pkgs.nginxModules; [ fancyindex ]; };
    virtualHosts = {
      "storage-ng.hq.c3d2.de" = {
        root = "/etc/nixos/www";
        serverAliases = [ "storage" "storage2" "storageng" ];
        http2 = true;
        # addSSL = true;
        locations = {
          "/" = let authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
          in {
            alias = "/mnt/cephfs/c3d2/files/";
            extraConfig = ''
              		auth_basic "Chaos";
              		auth_basic_user_file ${authFile};
                              fancyindex on;
                              # autoindex on;
                            '';
          };
        };
      };
    };
  };

  services.samba = {
    enable = false; # samba is garbage
    enableNmbd = true;
    extraConfig = ''
      workgroup = WORKGROUP
      server string = storage
      netbios name = storage
      hosts allow = 172.20 172.22 172.22.99.146
      hosts deny = 0.0.0.0/0
      guest account = k-ot
      map to guest = Bad user
    '';
    shares = {
      c3d2 = {
        path = "/mnt/cephfs/c3d2";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "yes";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "k-ot";
        "force group" = "k-ot";
      };
    };
  };

  /* # Open ports in the firewall.
     networking.firewall.allowedTCPPorts = [
       23
       80
       443
       137 138 445 139 # samba
      ];
     networking.firewall.allowedUDPPorts = [
       69
       137 138 445 139 # samba
      ];
  */

  networking.firewall.enable = false;

  system.stateVersion = "19.03"; # Did you read the comment?

}