From 472ff6401157ba45ef487ddc4ddf5a610dc972f6 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Wed, 28 Jun 2023 23:13:57 +0200 Subject: [PATCH] fuuko: Add SSD for hot storage Adding a new PCIe device changes the names of the network interfaces, so they need to be adapted. --- machines/fuuko/README.md | 1 + machines/fuuko/configuration.nix | 5 ++++- machines/fuuko/hardware-configuration.nix | 18 ++++++++++++++++-- machines/fuuko/secrets.yaml | 6 +++--- machines/fuuko/services/router.nix | 8 ++++---- machines/fuuko/services/torrent.nix | 2 +- modules/media-mount.nix | 4 ++-- 7 files changed, 31 insertions(+), 13 deletions(-) diff --git a/machines/fuuko/README.md b/machines/fuuko/README.md index 1bdcaab..c895d30 100644 --- a/machines/fuuko/README.md +++ b/machines/fuuko/README.md @@ -9,6 +9,7 @@ Custom build in a be quiet! Pure Base 600. * RAM: 2×8GB GOODRAM DDR4-2666 CL19 * PSU: be quiet! System Power B9 450W * SSD: Intel DC S4500 480GB + * SSD: Lexar NM620 TB (for frequently accessed data that is not very important) * HDD: Seagate Exos E 7E8 ST8000NM000A and WD Ultrastar DC HC320 0B36404 (both 8 TB) in btrfs RAID1 * GPU (required for text console/firmware due to lack of integrated graphics in R5 1400): NVIDIA Quadro NVS 290 (the PCIe x1 variant) * Case fan: Noctua NF-A9 PWM diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix index 7c0fc07..c969152 100644 --- a/machines/fuuko/configuration.nix +++ b/machines/fuuko/configuration.nix @@ -23,8 +23,11 @@ "/data" ]; extraExcludes = [ + "/data/cold/media/video" + "/data/cold/misc" + "/data/cold/torrent" + "/data/hot/torrent" "/data/media/video" - "/data/misc" "/data/torrent" ]; prune = true; diff --git a/machines/fuuko/hardware-configuration.nix b/machines/fuuko/hardware-configuration.nix index 0570292..bc00c83 100644 --- a/machines/fuuko/hardware-configuration.nix +++ b/machines/fuuko/hardware-configuration.nix 
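Review bot: In the configuration.nix hunk, `extraExcludes` keeps the old-layout entries `/data/media/video` and `/data/torrent` while dropping `/data/misc`, although the hardware-configuration.nix change replaces the `/data` mount with `/data/cold` and `/data/hot`. If those paths no longer exist after the migration the entries are dead, and the asymmetry with `/data/misc` is confusing; either remove them or mark them with a comment such as `# old layout, drop once migration is done`. Only `/data/hot/torrent` is excluded on the new SSD, so anything else placed under `/data/hot` ends up in the backup as long as `/data` stays in the backup paths. Whether the backup job crosses filesystem boundaries is not visible here, and the enclosing attribute set starts outside the hunk.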
@@ -42,9 +42,12 @@ loader.grub.device = "/dev/disk/by-id/ata-INTEL_SSDSC2KB480G7_PHYS749202D6480BGN"; }; + # Getting this to work with NixOS is a headache, + # so trusty old crypttab comes to help. environment.etc.crypttab.text = '' data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 /root/luks-data luks data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a /root/luks-data luks + data-hot UUID=c9aeade0-4c96-4786-9b22-3161d935d644 /root/luks-data-hot luks,discard ''; fileSystems = { @@ -57,16 +60,27 @@ device = "/dev/disk/by-uuid/0f1822e1-643b-49e0-b279-5e3373c6a26c"; fsType = "ext2"; }; - "/data" = { + "/data/cold" = { device = "/dev/mapper/data0"; fsType = "btrfs"; options = [ "compress=zstd" ]; }; + "/data/hot" = { + device = "/dev/mapper/data-hot"; + fsType = "btrfs"; + options = [ "compress=zstd" "discard" "noatime" ]; + }; }; + systemd.tmpfiles.rules = [ + "d /data 0755 root root - -" + "d /data/hot 0755 root root - -" + "d /data/cold 0755 root root - -" + ]; + services.btrfs.autoScrub = { enable = true; - fileSystems = [ "/data" ]; + fileSystems = [ "/data/cold" "/data/hot" ]; }; swapDevices = [ diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml index df0de9f..69d7095 100644 --- a/machines/fuuko/secrets.yaml +++ b/machines/fuuko/secrets.yaml 
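Review bot: The new `data-hot` crypttab entry adds `discard`, which passes TRIM through dm-crypt and so reveals which blocks are unused to anyone with access to the raw SSD. That is a common trade-off on SSDs, but it should be recorded next to the entry, e.g. `# discard: TRIM passthrough exposes the free-block layout; accepted for non-critical hot data`. The key file `/root/luks-data-hot` follows the existing `/root/luks-data` pattern, so the volume is only as protected at rest as the root filesystem that holds the key. The hunk does not show whether root is encrypted; the key file should in any case be readable by root only.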
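Review bot: The new `/data/hot` mount has no `nofail`, so a missing key file or a failed SSD would presumably block local filesystem mounting and drop the machine into emergency mode. This host is also the router (see router.nix), so that would take the network down for data the README describes as not very important; consider `options = [ "compress=zstd" "discard" "noatime" "nofail" ];`. The mount also enables continuous `discard` on top of the crypttab option; a periodic trim via `services.fstrim.enable = true;` is the usual alternative if online discard causes latency. The tmpfiles rules create `/data/hot` and `/data/cold` as 0755, so access control rests entirely on the directories inside each filesystem.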
@@ -2,15 +2,15 @@ restic-ssh-key: ENC[AES256_GCM,data:wA7JCg6Y900s6+1JoevMzbr6fKRN6jbfUuX166VS+TUF wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] wg-mullvad-private-key: ENC[AES256_GCM,data:4smAYjzrMz6bapthHwTdeDJSvnEqnGmDFRZjJwnXWXLSYnEhzhvRttVrmFw=,iv:94o7E8IlZ6V+wez5+Zr9xv92rr06MlUfBCvtMW8VnEA=,tag:SJjrbBseVyWwhf9IHRi7rQ==,type:str] wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str] -hostapd-config: ENC[AES256_GCM,data:In1Y4a6ScXlhQX5G5Z5rjpAZPuY2PFBzQ9d+bjzot1V6iqM2073OyBvGbM4Bl/Airfx6/rTYQLKmsmVHFMioKiqKoixAxcDltlKrpqgb5ciwmdqbS/kFpop3m5c2pWTMUzQ2KGWN0br72fFGCwVfo9W/xYuafMVVxKWBvM/1wcKvuDZBhUitPo2oQUZidUwsXs58Jkya3vQxBKMTEyBBQAtRlmd+9U3PDqwWwEoxb7BY+hSNJ2jZtTjCIsefmSRagCumBlYJawnehUXpSOP932lKB1IAjAAFP1lNVeetYxb3IVKepN3n2RRS81GQzQjZVRD5nokKIn6nTd67QmdK0BY+1d+Ts9o/eIAD1JuT+HQsf3lKZ0wVrQoxE62/3oAqE2kU/gSb/LGCohnHRhVjtUsgxQr4znE1iZeApFwA5NkaiEutVuJXEsfYpVhm0S0ekSGd2iVZuD8TUbI8ixOfObdkL6V8jzj3fd8jzLz53XQL,iv:Piu0iyrkVWPW+WdsojniNlDuI4sHcUt2863AS8u9OCo=,tag:D6eNGvaCul9AtwDdmeWRtg==,type:str] +hostapd-config: ENC[AES256_GCM,data:d4ZOax0k3lM0BEsb9XiyFL1yC5q52RWqwBpyuY9ZGcDk7xLUeeRJdN8S7jeFUzzpQhXsn2FpP/fff/9uqOsPX+01eBM2HMfoR/2VjHTUWUqx6GqSccjj/YaPGM0Z1fMhLZkHyP/LRUBgMnOuUf3NMI97PSYePLD40b0H5rrB/T+m6TtZoRm/hOkOWJRf8oWV5UU/Wqjy4oAFg3VJX0LUi1udei2RK+FgpeFUL3QiUmd4/CyatI6VAtXjVT479hsLu5JZ6ZXTBUVbxnfpTXRDH86OoIGW2HgKhGiTYUjtRc1sPsFIBOJXsu2pK/Z13qPkOXbx1zqlmuD6I39KeckbAfod0TdyUtu30kKhby165ODs7UIgF+BWCSHBm3J/efsplrYnX/izJ54pfeIti0fE3SdepAj4Q/Z15B2wcrQV+fpyVI8YuQmUTYYHH3ZIe+Btavq7I24Qjf6bex36Xp0CNXdPTLUidU2/Iy3lskzVpKFx,iv:eu+wYsRt05WgMUYcII3iHtxXD5cj96Vg6wtPWQCUOmA=,tag:jDSP45H5Ix5oTMpsr4IsCw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: 
"2023-04-05T08:05:11Z" - mac: ENC[AES256_GCM,data:2AkEmfCCTD8k3PstxFXI5LdqoT837XCDAlUQvBG01vb4LoIDiVXVnkehu5Y7JkGoI9r3PdFYzzh4NxUcJn9VrV0yeZqbsqEz/NmWGMViIHi5tHXcTgHOsb5Cr4ifqcSbnOfaUzS0YYAxn41ELRajzcuMNACj8mUswWoMIJwgR9c=,iv:aESGCCrNNppByFi9MuOQhtB2qTT5ME259OYluA5y2XU=,tag:ZFY2Q0UpX3gz7Qn0XmB34Q==,type:str] + lastmodified: "2023-06-28T10:37:21Z" + mac: ENC[AES256_GCM,data:ZStqsM8Lqc6SYCRi/8rFpOTZ8wgxelFMwrnSgkNgCJXZLmJax8NO45OFIG9wPq0KznGRsbJsJNG9vtKoO4SUShk2XeeqbVhHB7HeidrGEQS0FKqLlUzErvV/MLk5NKlLJ3sZm5uk856re9n9JkP3C/iMa9f9NFePUvJZfmhnGcU=,iv:YiDqGum9tRD7k6Aenbokw79YRkOGgSKkY8s/U7T109o=,tag:rA0d0MHlt6HlUYLl7yNpzA==,type:str] pgp: - created_at: "2021-04-06T11:27:21Z" enc: | diff --git a/machines/fuuko/services/router.nix b/machines/fuuko/services/router.nix index 13d80b3..165550c 100644 --- a/machines/fuuko/services/router.nix +++ b/machines/fuuko/services/router.nix @@ -77,7 +77,7 @@ in }; networks = { wan = { - name = "enp8s0"; + name = "enp9s0"; networkConfig = { # Upstream provides no IPv6 :( # If this is not set, it waits and fails systemd-networkd-wait-online @@ -90,7 +90,7 @@ in }; }; lan = { - name = "enp9s0"; + name = "enp10s0"; bridge = [ "br-lan" ]; }; br-lan = { @@ -209,8 +209,8 @@ in # The service is mostly taken from nixpkgs pr 222536. systemd.services.hostapd = { path = with pkgs; [ hostapd ]; - after = [ "sys-subsystem-net-devices-wlp7s0.device" ]; - bindsTo = [ "sys-subsystem-net-devices-wlp7s0.device" ]; + after = [ "sys-subsystem-net-devices-wlp8s0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-wlp8s0.device" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { diff --git a/machines/fuuko/services/torrent.nix b/machines/fuuko/services/torrent.nix index 280f278..fb9f10d 100644 --- a/machines/fuuko/services/torrent.nix +++ b/machines/fuuko/services/torrent.nix @@ -1,7 +1,7 @@ { sbruder.qbittorrent = { enable = true; - downloadDir = "/data/torrent"; + downloadDir = "/data/hot/torrent"; fqdn = "torrent.sbruder.de"; }; 
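Review bot: The WAN and LAN roles in router.nix are still bound to PCI-slot-derived names (`enp9s0`, `enp10s0`), and `enp9s0` flips from LAN to WAN in this commit. Any mismatch between this configuration and the installed hardware would therefore apply the WAN settings to the LAN port, or bridge the upstream port into `br-lan`. The `wlp8s0` device units in the hostapd hunk have the same fragility. Matching on the hardware address, e.g. `matchConfig.PermanentMACAddress = "<WAN-NIC-MAC>";` in place of `name`, or assigning fixed names through `systemd.network.links`, would keep the role assignment stable across hardware changes. The enclosing `networks` attribute set starts outside the hunk, so this assumes it is systemd-networkd configuration.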
diff --git a/modules/media-mount.nix b/modules/media-mount.nix index a01c2a9..d86fbd1 100644 --- a/modules/media-mount.nix +++ b/modules/media-mount.nix @@ -41,8 +41,8 @@ lib.mkIf config.sbruder.gui.enable { system.fsPackages = with pkgs; [ sshfs ]; fileSystems = { - "/home/simon/mounts/media" = mkMount "media@fuuko.home.sbruder.de:/data/media" { }; - "/home/simon/mounts/torrent" = mkMount "media@fuuko.home.sbruder.de:/data/torrent" { }; + "/home/simon/mounts/media" = mkMount "media@fuuko.home.sbruder.de:/data/cold/media" { }; + "/home/simon/mounts/torrent" = mkMount "media@fuuko.home.sbruder.de:/data/hot/torrent" { }; "/home/simon/mounts/storagebox" = mkMount "u313368@personal.storagebox.sbruder.de:" { port = 23; ro = false;