nixos-config/config/site-config/seattle.nix

{ config, lib, pkgs, ... }:

with lib;
let local-domain = "sea.fudo.org";
in {
  fileSystems = {
    # "/mnt/documents" = {
    #   device = "whitedwarf.${local-domain}:/volume1/Documents";
    #   fsType = "nfs4";
    #   options = [ "comment=systemd.automount" ];
    # };
    # "/mnt/downloads" = {
    #   device = "whitedwarf.${local-domain}:/volume1/Downloads";
    #   fsType = "nfs4";
    #   options = [ "comment=systemd.automount" ];
    # };
    "/mnt/music" = {
      device = "doraemon.${local-domain}:/volume1/Music";
      fsType = "nfs";
      options = [ "comment=systemd.automount" ];
    };
    "/mnt/video" = {
      device = "doraemon.${local-domain}:/volume1/Video";
      fsType = "nfs";
      options = [ "comment=systemd.automount" ];
    };
    # fileSystems."/mnt/security" = {
    #   device = "panopticon.${local-domain}:/srv/kerberos/data";
    #   fsType = "nfs4";
    # };
    "/mnt/cargo_video" = {
      device = "cargo.${local-domain}:/volume1/video";
      fsType = "nfs4";
      options = [ "sec=krb5i" "x-systemd.automount" ];
    };
    "/mnt/photo" = {
      device = "cargo.${local-domain}:/volume1/pictures";
      fsType = "nfs4";
      options = [ "sec=krb5i" "x-systemd.automount" ];
    };

    #  "proto=tcp"

    # # NOTE: these are pointing directly to nostromo so the krb lookup works
    "/net/documents" = {
      device = "nostromo.${local-domain}:/export/documents";
      fsType = "nfs4";
      options = [
        "sec=krb5p"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
    "/net/downloads" = {
      device = "nostromo.${local-domain}:/export/downloads";
      fsType = "nfs4";
      options = [
        "sec=krb5i"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
    "/net/projects" = {
      device = "nostromo.${local-domain}:/export/projects";
      fsType = "nfs4";
      options = [
        "sec=krb5p"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
  };

  systemd.services = {
    host-keytab-watcher = {
      wantedBy = [
        "rpc-gssd-override.service"
        "rpc-svcgssd-override.service"
        "auth-rpcgss-module.service"
      ];
      before = [
        "rpc-gssd-override.service"
        "rpc-svcgssd-override.service"
        "auth-rpcgss-module.service"
      ];
      after = [ config.fudo.secrets.secret-target ];
      serviceConfig = {
        ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
        ExecStart = "${pkgs.coreutils}/bin/true";
        TimeoutStartSec = "360";
        RemainAfterExit = true;
        Restart = "on-failure";
        RestartSec = "2";
      };
    };

    auth-rpcgss-module.enable = false;
    rpc-gssd.enable = false;
    rpc-svcgssd.enable = false;

    auth-rpcgss-module-override = {
      description = "Kernel Module supporting RPCSEC_GSS";
      before = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
      ];
      wantedBy = [ "nfs-client.target" "nfs-server.target" ];
      wants = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
        "host-keytab-watcher.service"
      ];
      after = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = {
        DefaultDependencies = false;
        ConditionPathExists =
          [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
      };
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
        RemainAfterExit = true;
      };
    };

    rpc-gssd-override = {
      description = "RPC security service for NFS client and server";
      wantedBy = [ "auth-rpcgss-module.service" ];
      conflicts = [ "umount.target" ];
      after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];
      wants = [ "host-keytab-watcher.service" ];
      requires = [ "rpc_pipefs.target" ];
      partOf = [ "nfs-utils.service" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
      };
    };

    rpc-svcgssd-override = {
      description = "RPC security service for NFS server";
      wantedBy = [ "auth-rpcgss-module.service" ];
      after =
        [ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
      wants = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = {
        DefaultDependencies = false;
        ConditionPathExists =
          [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
      };
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
      };
    };
  };

  services.printing = {
    enable = true;
    drivers = [ pkgs.brgenml1cupswrapper ];
  };
}
Working refactored (on a test server) 2021-02-25 12:45:50 -08:00			`{ config, lib, pkgs, ... }:`

Added live disk flake 2022-03-16 09:49:35 -07:00			`with lib;`
chanegs over time... 2021-06-08 14:22:37 -07:00			`let local-domain = "sea.fudo.org";`
add network mounts 2021-04-02 14:08:01 -07:00			`in {`
			`fileSystems = {`
Tons of changes, I guess? 2021-11-05 07:06:08 -07:00			`# "/mnt/documents" = {`
			`# device = "whitedwarf.${local-domain}:/volume1/Documents";`
			`# fsType = "nfs4";`
			`# options = [ "comment=systemd.automount" ];`
			`# };`
			`# "/mnt/downloads" = {`
			`# device = "whitedwarf.${local-domain}:/volume1/Downloads";`
			`# fsType = "nfs4";`
			`# options = [ "comment=systemd.automount" ];`
			`# };`
add network mounts 2021-04-02 14:08:01 -07:00			`"/mnt/music" = {`
			`device = "doraemon.${local-domain}:/volume1/Music";`
Added live disk flake 2022-03-16 09:49:35 -07:00			`fsType = "nfs";`
Changes for lambda, fixes for sea.fudo.org 2021-07-26 12:09:47 -07:00			`options = [ "comment=systemd.automount" ];`
add network mounts 2021-04-02 14:08:01 -07:00			`};`
			`"/mnt/video" = {`
			`device = "doraemon.${local-domain}:/volume1/Video";`
Added live disk flake 2022-03-16 09:49:35 -07:00			`fsType = "nfs";`
Changes for lambda, fixes for sea.fudo.org 2021-07-26 12:09:47 -07:00			`options = [ "comment=systemd.automount" ];`
add network mounts 2021-04-02 14:08:01 -07:00			`};`
			`# fileSystems."/mnt/security" = {`
			`# device = "panopticon.${local-domain}:/srv/kerberos/data";`
			`# fsType = "nfs4";`
			`# };`
			`"/mnt/cargo_video" = {`
			`device = "cargo.${local-domain}:/volume1/video";`
Many changes over time 2022-04-08 14:21:56 -07:00			`fsType = "nfs4";`
			`options = [ "sec=krb5i" "x-systemd.automount" ];`
add network mounts 2021-04-02 14:08:01 -07:00			`};`
			`"/mnt/photo" = {`
			`device = "cargo.${local-domain}:/volume1/pictures";`
Many changes over time 2022-04-08 14:21:56 -07:00			`fsType = "nfs4";`
			`options = [ "sec=krb5i" "x-systemd.automount" ];`
add network mounts 2021-04-02 14:08:01 -07:00			`};`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00
Added nutboy3 and nuttyclub 2021-11-13 10:30:58 -08:00			`# "proto=tcp"`

Added live disk flake 2022-03-16 09:49:35 -07:00			`# # NOTE: these are pointing directly to nostromo so the krb lookup works`
Networks aren't a function 2021-10-19 10:04:35 -07:00			`"/net/documents" = {`
Many changes over time 2022-04-08 14:21:56 -07:00			`device = "nostromo.${local-domain}:/export/documents";`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`fsType = "nfs4";`
Added live disk flake 2022-03-16 09:49:35 -07:00			`options = [`
			`"sec=krb5p"`
			`"x-systemd.automount"`
			`# "vers=4"`
			`# "minorversion=2"`
			`# "proto=tcp"`
			`];`
Daaamn NFS is a pain 2021-10-18 21:55:24 -07:00			`};`
Networks aren't a function 2021-10-19 10:04:35 -07:00			`"/net/downloads" = {`
Many changes over time 2022-04-08 14:21:56 -07:00			`device = "nostromo.${local-domain}:/export/downloads";`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`fsType = "nfs4";`
Added live disk flake 2022-03-16 09:49:35 -07:00			`options = [`
			`"sec=krb5i"`
			`"x-systemd.automount"`
			`# "vers=4"`
			`# "minorversion=2"`
			`# "proto=tcp"`
			`];`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`
			`"/net/projects" = {`
Many changes over time 2022-04-08 14:21:56 -07:00			`device = "nostromo.${local-domain}:/export/projects";`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`fsType = "nfs4";`
Added live disk flake 2022-03-16 09:49:35 -07:00			`options = [`
			`"sec=krb5p"`
			`"x-systemd.automount"`
			`# "vers=4"`
			`# "minorversion=2"`
			`# "proto=tcp"`
			`];`
Daaamn NFS is a pain 2021-10-18 21:55:24 -07:00			`};`
add network mounts 2021-04-02 14:08:01 -07:00			`};`

Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`systemd.services = {`
			`host-keytab-watcher = {`
			`wantedBy = [`
			`"rpc-gssd-override.service"`
			`"rpc-svcgssd-override.service"`
			`"auth-rpcgss-module.service"`
			`];`
			`before = [`
			`"rpc-gssd-override.service"`
			`"rpc-svcgssd-override.service"`
			`"auth-rpcgss-module.service"`
			`];`
			`after = [ config.fudo.secrets.secret-target ];`
			`serviceConfig = {`
			`ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";`
			`ExecStart = "${pkgs.coreutils}/bin/true";`
			`TimeoutStartSec = "360";`
			`RemainAfterExit = true;`
			`Restart = "on-failure";`
			`RestartSec = "2";`
			`};`
			`};`
Added live disk flake 2022-03-16 09:49:35 -07:00
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`auth-rpcgss-module.enable = false;`
			`rpc-gssd.enable = false;`
			`rpc-svcgssd.enable = false;`
Many changes over time 2022-04-08 14:21:56 -07:00
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`auth-rpcgss-module-override = {`
			`description = "Kernel Module supporting RPCSEC_GSS";`
			`before = [`
			`"gssproxy.service"`
			`"rpc-svcgssd-override.service"`
			`"rpc-gssd-override.service"`
			`];`
			`wantedBy = [ "nfs-client.target" "nfs-server.target" ];`
			`wants = [`
			`"gssproxy.service"`
			`"rpc-svcgssd-override.service"`
			`"rpc-gssd-override.service"`
			`"host-keytab-watcher.service"`
			`];`
			`after = [ "host-keytab-watcher.service" ];`
			`partOf = [ "nfs-utils.service" "nfs-server.service" ];`
			`unitConfig = {`
			`DefaultDependencies = false;`
			`ConditionPathExists =`
			`[ "\|!/run/gssproxy.pid" "\|!/proc/net/rpc/use-gss-proxy" ];`
Many changes over time 2022-04-08 14:21:56 -07:00			`};`
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";`
			`RemainAfterExit = true;`
Added live disk flake 2022-03-16 09:49:35 -07:00			`};`
			`};`
Networks aren't a function 2021-10-19 10:04:35 -07:00
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`rpc-gssd-override = {`
			`description = "RPC security service for NFS client and server";`
			`wantedBy = [ "auth-rpcgss-module.service" ];`
			`conflicts = [ "umount.target" ];`
			`after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];`
			`wants = [ "host-keytab-watcher.service" ];`
			`requires = [ "rpc_pipefs.target" ];`
			`partOf = [ "nfs-utils.service" ];`
			`unitConfig.DefaultDependencies = false;`
			`serviceConfig = {`
			`Type = "forking";`
			`ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";`
			`};`
			`};`
Added live disk flake 2022-03-16 09:49:35 -07:00
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`rpc-svcgssd-override = {`
			`description = "RPC security service for NFS server";`
			`wantedBy = [ "auth-rpcgss-module.service" ];`
			`after =`
			`[ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];`
			`wants = [ "host-keytab-watcher.service" ];`
			`partOf = [ "nfs-utils.service" "nfs-server.service" ];`
			`unitConfig = {`
			`DefaultDependencies = false;`
			`ConditionPathExists =`
			`[ "\|!/run/gssproxy.pid" "\|!/proc/net/rpc/use-gss-proxy" ];`
			`};`
			`serviceConfig = {`
			`Type = "forking";`
			`ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";`
			`};`
			`};`
			`};`
Added live disk flake 2022-03-16 09:49:35 -07:00
add network mounts 2021-04-02 14:08:01 -07:00			`services.printing = {`
			`enable = true;`
Upgrade to 22.05 (and much else) 2022-06-01 13:57:58 -07:00			`drivers = [ pkgs.brgenml1cupswrapper ];`
add network mounts 2021-04-02 14:08:01 -07:00			`};`
Working (I think?) GUI on zbox 2021-03-31 16:28:42 -07:00			`}`