1 files changed, 309 insertions, 0 deletions
diff --git a/systems/dilion/base.nix b/systems/dilion/base.nix
new file mode 100644
index 0000000..ac4bdaf
--- /dev/null
+++ b/systems/dilion/base.nix
@@ -0,0 +1,309 @@
+{ config, pkgs, name, lib, pkgs-no-overlay, secrets, ... }:
+{
+  # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
+  secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
+  boot = {
+    loader = {
+      grub = {
+        devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
+      };
+      timeout = 1;
+    };
+    blacklistedKernelModules = [ "nvidiafb" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+    kernelModules = [ "kvm-intel" ];
+    initrd.availableKernelModules = [ "ahci" "sd_mod" ];
+    initrd.secrets = {
+      "/boot/pass.key" = "/boot/pass.key";
+    };
+    kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
+    # available in nixos-20.09
+    #zfs.requestEncryptionCredentials = [ "zpool/root" ];
+  };
+  powerManagement.cpuFreqGovernor = "powersave";
+  hardware.enableRedistributableFirmware = true;
+  swapDevices = [ { label = "swap"; } ];
+  fileSystems = {
+    "/"           = { fsType = "zfs"; device = "zpool/root"; };
+    "/boot"       = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
+    "/etc"        = { fsType = "zfs"; device = "zpool/root/etc"; };
+    "/home"       = { fsType = "zfs"; device = "zpool/root/home"; };
+    "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
+    "/tmp"        = { fsType = "zfs"; device = "zpool/root/tmp"; };
+    "/var"        = { fsType = "zfs"; device = "zpool/root/var"; };
+    "/data"       = { fsType = "ext4"; label = "data"; };
+    "/nix"        = { fsType = "ext4"; label = "nix"; };
+  };
+  services.udev.extraRules = ''
+    ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
+  '';
+  nixpkgs.config.permittedInsecurePackages = [
+    "python-2.7.18.6" # for nagios-cli
+  ];
+  networking = {
+    hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
+    firewall.enable = false;
+    interfaces."eth0".ipv4.addresses =
+      [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
+      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
+    interfaces."eth0".ipv6.addresses =
+      [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
+      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+        config.hostEnv.ips);
+    defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
+    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+    nameservers = [
+      "213.133.98.98"
+      "213.133.99.99"
+      "213.133.100.100"
+      "2a01:4f8:0:a0a1::add:1010"
+      "2a01:4f8:0:a102::add:9999"
+      "2a01:4f8:0:a111::add:9898"
+    ];
+  };
+  myServices.ssh.modules.regular.snippet = builtins.readFile ./ssh_ldap_regular.sh;
+  imports = [
+    secrets.nixosModules.users-config-dilion
+    ./monitoring.nix
+    ./vms.nix
+  ];
+  myServices.vms.libvirt-guests = {
+    buildbot = {
+      pool = "zfspool";
+      network = "immae";
+      cpus = 1;
+      memory = 3;
+      diskSize = 10;
+      destroyVolumeOnExit = true;
+    };
+  };
+  myServices.vms.libvirt-images = {
+    nixos = ./vms/base_configuration.nix;
+    buildbot = ./vms/buildbot_configuration.nix;
+  };
+  myServices.vms.libvirt-networks.immae = {
+    bridgeNumber = 1;
+    ipRange = "192.168.100";
+  };
+  myServices.vms.libvirt-pools = {
+    niximages = {
+      type = "dir";
+      target = "/etc/libvirtd/base-images";
+    };
+    buildbot-disks = rec {
+      type = "dir";
+      target = "/var/lib/libvirt/images/buildbot-disks";
+      preStart = ''
+        mkdir -p ${target}
+      '';
+    };
+    zfspool = {
+      # pool-define-as --name zfspool --source-name zpool/libvirt --type zfs
+      type = "zfs";
+      xml = ''
+        <source>
+          <name>zpool/libvirt</name>
+        </source>
+      '';
+    };
+  };
+  system.nssModules = [ pkgs.libvirt ];
+  system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
+  programs.zsh.enable = true;
+  users.users.libvirt = {
+    hashedPassword = "!";
+    shell = pkgs.bashInteractive;
+    isSystemUser = true;
+    group = "libvirtd";
+    packages = [ pkgs.libressl.nc ];
+    openssh.authorizedKeys.keys = [
+      config.myEnv.buildbot.ssh_key.public
+      config.myEnv.sshd.rootKeys.ismael_flony
+    ];
+  };
+  users.groups.backup = {};
+  users.users.backup = {
+    hashedPassword = "!";
+    isSystemUser = true;
+    extraGroups = [ "keys" ];
+    group = "backup";
+    shell = pkgs.bashInteractive;
+    openssh.authorizedKeys.keys = let
+      zreplConfig = "/etc/zrepl/zrepl.yml";
+    in
+      ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
+  };
+  security.sudo.extraRules = pkgs.lib.mkAfter [
+    {
+      commands = [
+        { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
+      ];
+      users = [ "immae" ];
+      runAs = "root";
+    }
+  ];
+  virtualisation.docker.enable = true;
+  virtualisation.docker.storageDriver = "zfs";
+  virtualisation.libvirtd.enable = true;
+  virtualisation.libvirtd.qemu.package = pkgs-no-overlay.qemu;
+  systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
+  users.groups.immae = {};
+  users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
+  systemd.services.libvirtd.postStart = ''
+    install -m 0770 -g libvirtd -d /var/lib/libvirt/images
+  '';
+  time.timeZone = "Europe/Paris";
+  nix = {
+    settings = {
+      sandbox = "relaxed";
+      max-jobs = 8;
+      substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
+      trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+      trusted-users = [ "root" "@wheel"] ;
+    };
+    extraOptions = ''
+      keep-outputs = true
+      keep-derivations = true
+      allow-unsafe-native-code-during-evaluation = true
+      experimental-features = nix-command flakes
+      #Assumed in NUR
+      allow-import-from-derivation = true
+    '';
+  };
+  security.pki.certificateFiles = [
+    (pkgs.fetchurl {
+      url = "http://downloads.e.eriomem.net/eriomemca.pem";
+      sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
+    })
+  ];
+  myServices.monitoring.enable = true;
+  security.acme.certs."${name}-immae" = {
+    group = "immae";
+    domain = "dilion.immae.eu";
+  };
+  security.acme.certs."${name}" = {
+    group = config.services.nginx.group;
+    extraDomainNames = [
+      "dilion.immae.dev"
+    ];
+  };
+  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "dilion.immae.dev" = {
+        acmeRoot = config.security.acme.defaults.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".root = "/home/immae/www";
+      };
+    };
+  };
+  secrets.keys = {
+    "zrepl/${name}.key" = {
+      permissions = "0400";
+      text = config.myEnv.zrepl_backup.certs."${name}".key;
+      user = "backup";
+      group = "root";
+    };
+  } // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
+    permissions = "0400";
+    text = config.myEnv.zrepl_backup.certs."${x}".certificate;
+    user = "backup";
+    group = "root";
+  }) (builtins.attrNames config.myEnv.zrepl_backup.certs));
+  environment.etc."mdadm.conf" = {
+    enable = true;
+    mode = "0644";
+    user = "root";
+    text = "MAILADDR ${config.myEnv.monitoring.email}";
+  };
+  systemd.services.zrepl.serviceConfig.User = "backup";
+  systemd.services.zrepl.path = [ pkgs.openssh ];
+  # pour eldiron:
+  # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
+  # pour flony:
+  # zfs allow backup hold,release,bookmark,snapshot,send zpool
+  services.zrepl = {
+    enable = true;
+    settings = {
+      global.control.sockpath = "/run/zrepl/control";
+      global.serve.stdinserver.sockdir = "/run/zrepl/stdinserver";
+      jobs = [
+        {
+          type = "sink";
+          # must not change
+          name = "backup-from-eldiron";
+          root_fs = "zpool/backup";
+          serve.type = "tls";
+          serve.listen = ":19000";
+          serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
+          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
+          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
+          serve.client_cns = [ "eldiron" ];
+        }
+        {
+          type = "source";
+          # must not change
+          name = "backup-to-wd-zpool";
+          # not encrypted!
+          serve.type = "tls";
+          serve.listen = ":19001";
+          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
+          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
+          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
+          serve.client_cns = [ "flony" ];
+          filesystems."zpool/libvirt<" = true;
+          filesystems."zpool/root<" = true;
+          snapshotting.type = "manual";
+        }
+        {
+          type = "source";
+          # must not change
+          name = "backup-to-wd-zpool-docker";
+          # not encrypted!
+          serve.type = "tls";
+          serve.listen = ":19002";
+          serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
+          serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
+          serve.key = config.secrets.fullPaths."zrepl/dilion.key";
+          serve.client_cns = [ "flony" ];
+          filesystems."zpool/docker<" = true;
+          snapshotting.type = "manual";
+        }
+      ];
+    };
+  };
+  # This value determines the NixOS release with which your system is
+  # to be compatible, in order to avoid breaking some software such as
+  # database servers. You should change this only after NixOS release
+  # notes say you should.
+  # https://nixos.org/nixos/manual/release-notes.html
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

diff --git a/systems/dilion/base.nix b/systems/dilion/base.nix new file mode 100644 index 0000000..ac4bdaf --- /dev/null +++ b/systems/dilion/base.nix
@@ -0,0 +1,309 @@
	1	{ config, pkgs, name, lib, pkgs-no-overlay, secrets, ... }:
	2	{
	3	# ssh-keyscan dilion \| nix-shell -p ssh-to-age --run ssh-to-age
	4	secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
	5	boot = {
	6	loader = {
	7	grub = {
	8	devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ];
	9	};
	10	timeout = 1;
	11	};
	12	blacklistedKernelModules = [ "nvidiafb" ];
	13	supportedFilesystems = [ "zfs" ];
	14	kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
	15	kernelModules = [ "kvm-intel" ];
	16	initrd.availableKernelModules = [ "ahci" "sd_mod" ];
	17	initrd.secrets = {
	18	"/boot/pass.key" = "/boot/pass.key";
	19	};
	20	kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
	21	# available in nixos-20.09
	22	#zfs.requestEncryptionCredentials = [ "zpool/root" ];
	23	};
	24	powerManagement.cpuFreqGovernor = "powersave";
	25	hardware.enableRedistributableFirmware = true;
	26
	27	swapDevices = [ { label = "swap"; } ];
	28	fileSystems = {
	29	"/" = { fsType = "zfs"; device = "zpool/root"; };
	30	"/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; };
	31	"/etc" = { fsType = "zfs"; device = "zpool/root/etc"; };
	32	"/home" = { fsType = "zfs"; device = "zpool/root/home"; };
	33	"/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; };
	34	"/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; };
	35	"/var" = { fsType = "zfs"; device = "zpool/root/var"; };
	36	"/data" = { fsType = "ext4"; label = "data"; };
	37	"/nix" = { fsType = "ext4"; label = "nix"; };
	38	};
	39
	40	services.udev.extraRules = ''
	41	ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0"
	42	'';
	43
	44	nixpkgs.config.permittedInsecurePackages = [
	45	"python-2.7.18.6" # for nagios-cli
	46	];
	47
	48	networking = {
	49	hostId = "27c3048d"; # generated with head -c4 /dev/urandom \| od -A none -t x4
	50	firewall.enable = false;
	51	interfaces."eth0".ipv4.addresses =
	52	[ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
	53	++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	54	(n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
	55	(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
	56	interfaces."eth0".ipv6.addresses =
	57	[ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
	58	++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
	59	(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
	60	config.hostEnv.ips);
	61	defaultGateway = { address = "176.9.10.225"; interface = "eth0"; };
	62	defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
	63	nameservers = [
	64	"213.133.98.98"
	65	"213.133.99.99"
	66	"213.133.100.100"
	67	"2a01:4f8:0:a0a1::add:1010"
	68	"2a01:4f8:0:a102::add:9999"
	69	"2a01:4f8:0:a111::add:9898"
	70	];
	71	};
	72
	73	myServices.ssh.modules.regular.snippet = builtins.readFile ./ssh_ldap_regular.sh;
	74
	75	imports = [
	76	secrets.nixosModules.users-config-dilion
	77	./monitoring.nix
	78	./vms.nix
	79	];
	80
	81	myServices.vms.libvirt-guests = {
	82	buildbot = {
	83	pool = "zfspool";
	84	network = "immae";
	85	cpus = 1;
	86	memory = 3;
	87	diskSize = 10;
	88	destroyVolumeOnExit = true;
	89	};
	90	};
	91	myServices.vms.libvirt-images = {
	92	nixos = ./vms/base_configuration.nix;
	93	buildbot = ./vms/buildbot_configuration.nix;
	94	};
	95	myServices.vms.libvirt-networks.immae = {
	96	bridgeNumber = 1;
	97	ipRange = "192.168.100";
	98	};
	99	myServices.vms.libvirt-pools = {
	100	niximages = {
	101	type = "dir";
	102	target = "/etc/libvirtd/base-images";
	103	};
	104	buildbot-disks = rec {
	105	type = "dir";
	106	target = "/var/lib/libvirt/images/buildbot-disks";
	107	preStart = ''
	108	mkdir -p ${target}
	109	'';
	110	};
	111	zfspool = {
	112	# pool-define-as --name zfspool --source-name zpool/libvirt --type zfs
	113	type = "zfs";
	114	xml = ''
	115	<source>
	116	<name>zpool/libvirt</name>
	117	</source>
	118	'';
	119	};
	120	};
	121
	122	system.nssModules = [ pkgs.libvirt ];
	123	system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
	124	programs.zsh.enable = true;
	125
	126	users.users.libvirt = {
	127	hashedPassword = "!";
	128	shell = pkgs.bashInteractive;
	129	isSystemUser = true;
	130	group = "libvirtd";
	131	packages = [ pkgs.libressl.nc ];
	132	openssh.authorizedKeys.keys = [
	133	config.myEnv.buildbot.ssh_key.public
	134	config.myEnv.sshd.rootKeys.ismael_flony
	135	];
	136	};
	137
	138	users.groups.backup = {};
	139	users.users.backup = {
	140	hashedPassword = "!";
	141	isSystemUser = true;
	142	extraGroups = [ "keys" ];
	143	group = "backup";
	144	shell = pkgs.bashInteractive;
	145	openssh.authorizedKeys.keys = let
	146	zreplConfig = "/etc/zrepl/zrepl.yml";
	147	in
	148	["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"];
	149	};
	150	security.sudo.extraRules = pkgs.lib.mkAfter [
	151	{
	152	commands = [
	153	{ command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; }
	154	];
	155	users = [ "immae" ];
	156	runAs = "root";
	157	}
	158	];
	159
	160	virtualisation.docker.enable = true;
	161	virtualisation.docker.storageDriver = "zfs";
	162	virtualisation.libvirtd.enable = true;
	163	virtualisation.libvirtd.qemu.package = pkgs-no-overlay.qemu;
	164	systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
	165	users.groups.immae = {};
	166	users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
	167	systemd.services.libvirtd.postStart = ''
	168	install -m 0770 -g libvirtd -d /var/lib/libvirt/images
	169	'';
	170
	171	time.timeZone = "Europe/Paris";
	172	nix = {
	173	settings = {
	174	sandbox = "relaxed";
	175	max-jobs = 8;
	176	substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
	177	trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
	178	trusted-users = [ "root" "@wheel"] ;
	179	};
	180	extraOptions = ''
	181	keep-outputs = true
	182	keep-derivations = true
	183	allow-unsafe-native-code-during-evaluation = true
	184	experimental-features = nix-command flakes
	185	#Assumed in NUR
	186	allow-import-from-derivation = true
	187	'';
	188	};
	189
	190	security.pki.certificateFiles = [
	191	(pkgs.fetchurl {
	192	url = "http://downloads.e.eriomem.net/eriomemca.pem";
	193	sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
	194	})
	195	];
	196
	197	myServices.monitoring.enable = true;
	198	security.acme.certs."${name}-immae" = {
	199	group = "immae";
	200	domain = "dilion.immae.eu";
	201	};
	202	security.acme.certs."${name}" = {
	203	group = config.services.nginx.group;
	204	extraDomainNames = [
	205	"dilion.immae.dev"
	206	];
	207	};
	208	systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
	209	services.nginx = {
	210	enable = true;
	211	recommendedOptimisation = true;
	212	recommendedGzipSettings = true;
	213	recommendedProxySettings = true;
	214	virtualHosts = {
	215	"dilion.immae.dev" = {
	216	acmeRoot = config.security.acme.defaults.webroot;
	217	useACMEHost = name;
	218	forceSSL = true;
	219	locations."/".root = "/home/immae/www";
	220	};
	221	};
	222	};
	223
	224	secrets.keys = {
	225	"zrepl/${name}.key" = {
	226	permissions = "0400";
	227	text = config.myEnv.zrepl_backup.certs."${name}".key;
	228	user = "backup";
	229	group = "root";
	230	};
	231	} // builtins.listToAttrs (map (x: lib.attrsets.nameValuePair "zrepl/certificates/${x}.crt" {
	232	permissions = "0400";
	233	text = config.myEnv.zrepl_backup.certs."${x}".certificate;
	234	user = "backup";
	235	group = "root";
	236	}) (builtins.attrNames config.myEnv.zrepl_backup.certs));
	237
	238	environment.etc."mdadm.conf" = {
	239	enable = true;
	240	mode = "0644";
	241	user = "root";
	242	text = "MAILADDR ${config.myEnv.monitoring.email}";
	243	};
	244
	245
	246	systemd.services.zrepl.serviceConfig.User = "backup";
	247	systemd.services.zrepl.path = [ pkgs.openssh ];
	248	# pour eldiron:
	249	# zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
	250	# pour flony:
	251	# zfs allow backup hold,release,bookmark,snapshot,send zpool
	252	services.zrepl = {
	253	enable = true;
	254	settings = {
	255	global.control.sockpath = "/run/zrepl/control";
	256	global.serve.stdinserver.sockdir = "/run/zrepl/stdinserver";
	257	jobs = [
	258	{
	259	type = "sink";
	260	# must not change
	261	name = "backup-from-eldiron";
	262	root_fs = "zpool/backup";
	263	serve.type = "tls";
	264	serve.listen = ":19000";
	265	serve.ca = config.secrets.fullPaths."zrepl/certificates/eldiron.crt";
	266	serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
	267	serve.key = config.secrets.fullPaths."zrepl/dilion.key";
	268	serve.client_cns = [ "eldiron" ];
	269	}
	270	{
	271	type = "source";
	272	# must not change
	273	name = "backup-to-wd-zpool";
	274	# not encrypted!
	275	serve.type = "tls";
	276	serve.listen = ":19001";
	277	serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
	278	serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
	279	serve.key = config.secrets.fullPaths."zrepl/dilion.key";
	280	serve.client_cns = [ "flony" ];
	281	filesystems."zpool/libvirt<" = true;
	282	filesystems."zpool/root<" = true;
	283	snapshotting.type = "manual";
	284	}
	285	{
	286	type = "source";
	287	# must not change
	288	name = "backup-to-wd-zpool-docker";
	289	# not encrypted!
	290	serve.type = "tls";
	291	serve.listen = ":19002";
	292	serve.ca = config.secrets.fullPaths."zrepl/certificates/flony.crt";
	293	serve.cert = config.secrets.fullPaths."zrepl/certificates/dilion.crt";
	294	serve.key = config.secrets.fullPaths."zrepl/dilion.key";
	295	serve.client_cns = [ "flony" ];
	296	filesystems."zpool/docker<" = true;
	297	snapshotting.type = "manual";
	298	}
	299	];
	300	};
	301	};
	302	# This value determines the NixOS release with which your system is
	303	# to be compatible, in order to avoid breaking some software such as
	304	# database servers. You should change this only after NixOS release
	305	# notes say you should.
	306	# https://nixos.org/nixos/manual/release-notes.html
	307	system.stateVersion = "23.05"; # Did you read the comment?
	308	}
	309