switch to cap based home configs

2026-01-20 16:57:10 +01:00 · 2026-01-20 16:57:10 +01:00 · 49b6f5bde0
commit 49b6f5bde0
parent 50ee9aac83
64 changed files with 2064 additions and 1779 deletions
--- a/hosts/fili/storage.nix
+++ b/hosts/fili/storage.nix
@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  directory = "/storage";
+  storage = "${directory}/storage";
+in
+{
+  boot.swraid.enable = true;
+  boot.swraid.mdadmConf = ''
+    ARRAY /dev/md0 metadata=1.2 name=fili:0 UUID=0796fee2:0d9f2908:24af61b0:1250fa0e
+  '';
+  # todo: email notifications (through PROGRAM)
+
+  fileSystems.storage = {
+    mountPoint = "${storage}";
+    device = "/dev/md0";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+    ];
+  };
+
+  # for vpn in containers
+  fileSystems."/tmp/net_cls" = {
+    device = "net_cls";
+    fsType = "cgroup";
+    options = [ "net_cls" ];
+  };
+
+  # don't allow execute permissions for "other" people
+  # (not root user and not in storage group)
+  # to effectively disallow people outside the storage group
+  # to access /storage
+  systemd.tmpfiles.rules = [
+    "d ${directory} 0777 root ${config.users.groups.storage.name}"
+  ];
+
+  users.groups.storage = {
+    name = "storage";
+    members = [ config.users.users.jana.name ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    2049
+  ];
+}