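{ config, lib, pkgs, ... }:

# Host configuration for the Seattle site: local fudo services, NFS mounts
# (Kerberos-protected where the exporter supports it), and a set of
# replacement systemd units that hold RPCSEC_GSS startup until the host
# keytab is present.
#
# `lib` stays in the argument set for module-signature compatibility, but
# nothing in this file uses it, so the former top-level `with lib;` has been
# dropped (an unscoped `with` shadows names silently and adds nothing here).

let
  # DNS domain shared by every host referenced below.
  local-domain = "sea.fudo.org";

in {
  # imports = [ ./seattle/authelia.nix ./seattle/keycloak.nix ];
  imports = [
    # (import ./seattle/authentik.nix {
    #   authentikHost = "nostromo";
    #   proxyHost = "limina";
    #   externalHostname = "authentik.fudo.link";
    # })
  ];

  config = {
    fudo = {
      services = {
        mqtt = {
          enable = true;
          host = "wormhole0";
        };

        wallfly-presence.enable = true;

        tattler = let
          snooper-host = "wormhole0";
        in {
          enable = true;
          verbose = true;
          event-topics = [ "suanni/events/motion" ];
          inherit snooper-host;
        };

        suanni = let
          listener = "nostromo";
          objectifier = "nostromo";
        in {
          enable = true;
          event-listener.host = listener;
          objectifier.host = objectifier;
          synology = {
            host = "cargo.${local-domain}";
            port = 5001;
            username = "suanni";
            # Credential is read from the host secret store, keyed by the
            # listener host; it is never inlined in this file.
            password-file =
              config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
          };
        };
      };

      zones."${local-domain}" = {
        aliases = {
          lemmy = "nostromo";
          world-of-fun = "toothless";
          repland = "toothless";
        };
        srv-records.tcp = {
          minecraft = [{
            host = "toothless";
            port = 25568;
          }];
        };
      };
    };

    fileSystems = {
      # "/mnt/documents" = {
      #   device = "whitedwarf.${local-domain}:/volume1/Documents";
      #   fsType = "nfs4";
      #   options = [ "comment=systemd.automount" ];
      # };
      # "/mnt/downloads" = {
      #   device = "whitedwarf.${local-domain}:/volume1/Downloads";
      #   fsType = "nfs4";
      #   options = [ "comment=systemd.automount" ];
      # };

      # Media shares: no `sec=` option, so these mount with the NFS default
      # (AUTH_SYS) rather than Kerberos; the exporter's UID/GID mapping is the
      # only access control on them.
      "/mnt/music" = {
        device = "doraemon.${local-domain}:/volume1/Music";
        fsType = "nfs";
        options = [ "comment=systemd.automount" ];
      };
      "/mnt/video" = {
        device = "doraemon.${local-domain}:/volume1/Video";
        fsType = "nfs";
        options = [ "comment=systemd.automount" ];
      };

      # fileSystems."/mnt/security" = {
      #   device = "panopticon.${local-domain}:/srv/kerberos/data";
      #   fsType = "nfs4";
      # };

      # Kerberos-authenticated shares. `sec=krb5i` adds per-RPC integrity
      # checking; `sec=krb5p` additionally encrypts the payload.
      "/mnt/cargo_video" = {
        device = "cargo.${local-domain}:/volume1/video";
        fsType = "nfs4";
        options = [ "sec=krb5i" "x-systemd.automount" ];
      };
      "/mnt/photo" = {
        device = "cargo.${local-domain}:/volume1/pictures";
        fsType = "nfs4";
        options = [ "sec=krb5i" "x-systemd.automount" ];
      };
      # "proto=tcp"

      # NOTE: these are pointing directly to nostromo so the krb lookup works
      "/net/documents" = {
        device = "nostromo.${local-domain}:/export/documents";
        fsType = "nfs4";
        options = [
          "sec=krb5p"
          "x-systemd.automount"
          # "vers=4"
          # "minorversion=2"
          # "proto=tcp"
        ];
      };
      "/net/downloads" = {
        device = "nostromo.${local-domain}:/export/downloads";
        fsType = "nfs4";
        # Integrity-only (krb5i) while the sibling nostromo exports use krb5p;
        # contents of this share are not encrypted in transit -- confirm that
        # is intended.
        options = [
          "sec=krb5i"
          "x-systemd.automount"
          # "vers=4"
          # "minorversion=2"
          # "proto=tcp"
        ];
      };
      "/net/projects" = {
        device = "nostromo.${local-domain}:/export/projects";
        fsType = "nfs4";
        options = [
          "sec=krb5p"
          "x-systemd.automount"
          # "vers=4"
          # "minorversion=2"
          # "proto=tcp"
        ];
      };
    };

    systemd.services = {
      # Gate unit: succeeds only once /etc/krb5.keytab exists. The rpc.gssd /
      # rpc.svcgssd replacements below order after it, so RPCSEC_GSS never
      # starts without host credentials. Until the keytab appears ExecStartPre
      # fails and Restart=on-failure retries every 2 s; once it passes,
      # ExecStart exits 0 and RemainAfterExit keeps the unit active for its
      # dependents.
      host-keytab-watcher = {
        # NOTE(review): `auth-rpcgss-module.service` is disabled further down,
        # so the wantedBy/before entries naming it are inert; the `-override`
        # unit already reaches this watcher through its own wants/after.
        wantedBy = [
          "rpc-gssd-override.service"
          "rpc-svcgssd-override.service"
          "auth-rpcgss-module.service"
        ];
        before = [
          "rpc-gssd-override.service"
          "rpc-svcgssd-override.service"
          "auth-rpcgss-module.service"
        ];
        after = [ config.fudo.secrets.secret-target ];
        unitConfig = {
          # Disable systemd's default start-rate limiter (5 starts per 10 s):
          # with RestartSec=2 the failing-retry loop can trip it, after which
          # the watcher stays failed and the GSS units never start.
          StartLimitIntervalSec = 0;
        };
        serviceConfig = {
          ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
          ExecStart = "${pkgs.coreutils}/bin/true";
          TimeoutStartSec = "360";
          RemainAfterExit = true;
          Restart = "on-failure";
          RestartSec = "2";
        };
      };

      # The stock nfs-utils GSS units are replaced by the *-override units
      # below so that they can be ordered after the keytab watcher.
      auth-rpcgss-module.enable = false;
      rpc-gssd.enable = false;
      rpc-svcgssd.enable = false;

      auth-rpcgss-module-override = {
        description = "Kernel Module supporting RPCSEC_GSS";
        before = [
          "gssproxy.service"
          "rpc-svcgssd-override.service"
          "rpc-gssd-override.service"
        ];
        wantedBy = [ "nfs-client.target" "nfs-server.target" ];
        wants = [
          "gssproxy.service"
          "rpc-svcgssd-override.service"
          "rpc-gssd-override.service"
          "host-keytab-watcher.service"
        ];
        after = [ "host-keytab-watcher.service" ];
        partOf = [ "nfs-utils.service" "nfs-server.service" ];
        unitConfig = {
          DefaultDependencies = false;
          # `|` marks a triggering condition (any one satisfied is enough) and
          # `!` negates it: the unit runs unless both the gssproxy pid file and
          # the kernel's use-gss-proxy knob exist.
          ConditionPathExists = [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
        };
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
          RemainAfterExit = true;
        };
      };

      rpc-gssd-override = {
        description = "RPC security service for NFS client and server";
        wantedBy = [ "auth-rpcgss-module.service" ];
        conflicts = [ "umount.target" ];
        after = [ "host-keytab-watcher.service" "rpc_pipefs.target" "local-fs.target" ];
        wants = [ "host-keytab-watcher.service" ];
        requires = [ "rpc_pipefs.target" ];
        partOf = [ "nfs-utils.service" ];
        unitConfig.DefaultDependencies = false;
        serviceConfig = {
          Type = "forking";
          ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
          Restart = "always";
        };
      };

      rpc-svcgssd-override = {
        description = "RPC security service for NFS server";
        wantedBy = [ "auth-rpcgss-module.service" ];
        after = [ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
        wants = [ "host-keytab-watcher.service" ];
        partOf = [ "nfs-utils.service" "nfs-server.service" ];
        unitConfig = {
          DefaultDependencies = false;
          # Same gssproxy skip condition as auth-rpcgss-module-override.
          ConditionPathExists = [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
        };
        serviceConfig = {
          Type = "forking";
          ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
          Restart = "always";
        };
      };

      rpcbind.after = [ "local-fs.target" ];
    };

    services.printing = {
      enable = true;
      drivers = [ pkgs.brgenml1cupswrapper ];
    };
  };
}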