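{ config, lib, pkgs, ... }:

# NixOS module: Kerberised NFS automounts for this host, plus replacement
# RPCSEC_GSS units that are held back until the host keytab has been
# provisioned.  (`with lib;` was dropped: nothing in this file uses lib.)
let
  local-domain = "sea.fudo.org";

  # Host keytab that rpc.gssd / rpc.svcgssd need for machine credentials.
  # The watcher service below gates the GSS daemons on its presence.
  host-keytab = "/etc/krb5.keytab";

  # Kerberised NFSv4 automount.  `sec` is the RPCSEC_GSS flavour:
  #   krb5i = authentication + integrity,
  #   krb5p = authentication + integrity + privacy (wire encryption).
  # Only krb5p protects file contents in transit.
  krbMount = host: export: sec: {
    device = "${host}.${local-domain}:${export}";
    fsType = "nfs4";
    options = [ "sec=${sec}" "x-systemd.automount" ];
  };

  # Plain NFS automount with no sec= option, so the kernel default sec=sys
  # (AUTH_SYS) applies: the server trusts the client-supplied uid/gid and the
  # traffic is neither authenticated nor encrypted.  Only suitable for
  # non-sensitive exports on a trusted network.
  # "comment=systemd.automount" is the legacy spelling of
  # "x-systemd.automount"; systemd-fstab-generator honours both.
  sysMount = host: export: {
    device = "${host}.${local-domain}:${export}";
    fsType = "nfs";
    options = [ "comment=systemd.automount" ];
  };

  # GSS-related units that must not come up before the keytab is present.
  # These name the "-override" units: the stock auth-rpcgss-module.service is
  # disabled below, so a dependency on it would never fire.
  gss-units = [
    "rpc-gssd-override.service"
    "rpc-svcgssd-override.service"
    "auth-rpcgss-module-override.service"
  ];

  # Skip the unit when gssproxy is handling GSS for the kernel (the same
  # conditions the upstream nfs-utils units carry).
  not-using-gssproxy = {
    ConditionPathExists = [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
  };
in {
  fileSystems = {
    # Retired mounts formerly listed here: whitedwarf Documents/Downloads and
    # panopticon:/srv/kerberos/data.

    "/mnt/music" = sysMount "doraemon" "/volume1/Music";
    "/mnt/video" = sysMount "doraemon" "/volume1/Video";

    "/mnt/cargo_video" = krbMount "cargo" "/volume1/video" "krb5i";
    "/mnt/photo" = krbMount "cargo" "/volume1/pictures" "krb5i";

    # NOTE: these point directly at nostromo so the Kerberos lookup works.
    # Options left disabled: vers=4, minorversion=2, proto=tcp.
    "/net/documents" = krbMount "nostromo" "/export/documents" "krb5p";
    "/net/downloads" = krbMount "nostromo" "/export/downloads" "krb5i";
    "/net/projects" = krbMount "nostromo" "/export/projects" "krb5p";
  };

  systemd.services = {
    # The GSS daemons read the host keytab at start-up.  Because the keytab is
    # provisioned by the secrets machinery (config.fudo.secrets.secret-target),
    # the stock nfs-utils units are disabled and re-declared as "-override"
    # units ordered after this watcher, which only succeeds once the keytab
    # exists.
    host-keytab-watcher = {
      wantedBy = gss-units;
      before = gss-units;
      after = [ config.fudo.secrets.secret-target ];
      serviceConfig = {
        # Fail (and retry) until the keytab has been written.
        ExecStartPre = "${pkgs.coreutils}/bin/test -f ${host-keytab}";
        ExecStart = "${pkgs.coreutils}/bin/true";
        TimeoutStartSec = "360";
        RemainAfterExit = true;
        Restart = "on-failure";
        RestartSec = "2";
        # NOTE(review): with RestartSec=2 the retries reach systemd's default
        # start-rate limit (5 starts per 10 s) long before TimeoutStartSec=360
        # elapses; confirm whether unitConfig.StartLimitIntervalSec = 0 is
        # wanted here.
      };
    };

    # Replace the stock nfs-utils GSS units so they can be ordered after the
    # keytab watcher.
    auth-rpcgss-module.enable = false;
    rpc-gssd.enable = false;
    rpc-svcgssd.enable = false;

    auth-rpcgss-module-override = {
      description = "Kernel Module supporting RPCSEC_GSS";
      before = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
      ];
      wantedBy = [ "nfs-client.target" "nfs-server.target" ];
      wants = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
        "host-keytab-watcher.service"
      ];
      after = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = { DefaultDependencies = false; } // not-using-gssproxy;
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
        RemainAfterExit = true;
      };
    };

    rpc-gssd-override = {
      description = "RPC security service for NFS client and server";
      # Pulled in by the module-loader override above (wants/before); the
      # wantedBy here names that override rather than the disabled stock unit.
      wantedBy = [ "auth-rpcgss-module-override.service" ];
      conflicts = [ "umount.target" ];
      after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];
      wants = [ "host-keytab-watcher.service" ];
      requires = [ "rpc_pipefs.target" ];
      partOf = [ "nfs-utils.service" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
      };
    };

    rpc-svcgssd-override = {
      description = "RPC security service for NFS server";
      wantedBy = [ "auth-rpcgss-module-override.service" ];
      after = [ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
      wants = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = { DefaultDependencies = false; } // not-using-gssproxy;
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
      };
    };
  };

  services.printing = {
    enable = true;
    drivers = [ pkgs.brgenml1cupswrapper ];
  };
}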