209 lines
6.0 KiB
Nix
209 lines
6.0 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let local-domain = "sea.fudo.org";
|
|
in {
|
|
|
|
config = {
|
|
fudo = {
|
|
services = {
|
|
mqtt = {
|
|
enable = true;
|
|
host = "wormhole0";
|
|
};
|
|
|
|
wallfly-presence.enable = true;
|
|
|
|
# tattler = let snooper-host = "wormhole0";
|
|
# in {
|
|
# enable = true;
|
|
# verbose = true;
|
|
# event-topics = [ "suanni/events/motion" ];
|
|
# inherit snooper-host;
|
|
# };
|
|
|
|
# suanni = let
|
|
# listener = "nostromo";
|
|
# objectifier = "nostromo";
|
|
# in {
|
|
# enable = true;
|
|
# event-listener.host = listener;
|
|
# objectifier.host = objectifier;
|
|
# synology = {
|
|
# host = "cargo.sea.fudo.org";
|
|
# port = 5001;
|
|
# username = "suanni";
|
|
# password-file =
|
|
# config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
|
|
# };
|
|
# };
|
|
};
|
|
|
|
zones."sea.fudo.org" = {
|
|
aliases = {
|
|
lemmy = "nostromo";
|
|
world-of-fun = "toothless";
|
|
repland = "toothless";
|
|
};
|
|
srv-records.tcp = {
|
|
minecraft = [{
|
|
host = "toothless";
|
|
port = 25568;
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
|
|
fileSystems = {
|
|
"/mnt/music" = {
|
|
device = "doraemon.${local-domain}:/volume1/Music";
|
|
fsType = "nfs";
|
|
options = [ "comment=systemd.automount" ];
|
|
};
|
|
"/mnt/video" = {
|
|
device = "doraemon.${local-domain}:/volume1/Video";
|
|
fsType = "nfs";
|
|
options = [ "comment=systemd.automount" ];
|
|
};
|
|
"/mnt/cargo_video" = {
|
|
device = "cargo.${local-domain}:/volume1/video";
|
|
fsType = "nfs4";
|
|
options = [ "sec=krb5i" "x-systemd.automount" ];
|
|
};
|
|
"/mnt/photo" = {
|
|
device = "cargo.${local-domain}:/volume1/pictures";
|
|
fsType = "nfs4";
|
|
options = [ "sec=krb5i" "x-systemd.automount" ];
|
|
};
|
|
|
|
# # NOTE: these are pointing directly to nostromo so the krb lookup works
|
|
"/net/documents" = {
|
|
device = "nostromo.${local-domain}:/export/documents";
|
|
fsType = "nfs4";
|
|
options = [ "sec=krb5p" "x-systemd.automount" ];
|
|
};
|
|
"/net/downloads" = {
|
|
device = "nostromo.${local-domain}:/export/downloads";
|
|
fsType = "nfs4";
|
|
options = [ "sec=krb5i" "x-systemd.automount" ];
|
|
};
|
|
"/net/projects" = {
|
|
device = "nostromo.${local-domain}:/export/projects";
|
|
fsType = "nfs4";
|
|
options = [ "sec=krb5p" "x-systemd.automount" ];
|
|
};
|
|
};
|
|
|
|
systemd.services = {
|
|
host-keytab-watcher = {
|
|
wantedBy = [
|
|
"rpc-gssd-override.service"
|
|
"rpc-svcgssd-override.service"
|
|
"auth-rpcgss-module.service"
|
|
];
|
|
before = [
|
|
"rpc-gssd-override.service"
|
|
"rpc-svcgssd-override.service"
|
|
"auth-rpcgss-module.service"
|
|
];
|
|
after = [ config.fudo.secrets.secret-target ];
|
|
serviceConfig = {
|
|
ExecStartPre = pkgs.writeShellScript "await-keytab.sh" ''
|
|
while [ ! -f /etc/krb5.keytab ]; do
|
|
sleep 5
|
|
done
|
|
exit 0
|
|
'';
|
|
ExecStart = "${pkgs.coreutils}/bin/true";
|
|
TimeoutStartSec = "360";
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
Restart = "on-failure";
|
|
RestartSec = "2";
|
|
};
|
|
};
|
|
|
|
auth-rpcgss-module.enable = false;
|
|
rpc-gssd.enable = false;
|
|
rpc-svcgssd.enable = false;
|
|
|
|
auth-rpcgss-module-override = {
|
|
description = "Kernel Module supporting RPCSEC_GSS";
|
|
before = [
|
|
"gssproxy.service"
|
|
"rpc-svcgssd-override.service"
|
|
"rpc-gssd-override.service"
|
|
];
|
|
wantedBy = [ "nfs-client.target" "nfs-server.target" ];
|
|
wants = [
|
|
"gssproxy.service"
|
|
"rpc-svcgssd-override.service"
|
|
"rpc-gssd-override.service"
|
|
"host-keytab-watcher.service"
|
|
];
|
|
after = [ "host-keytab-watcher.service" ];
|
|
partOf = [ "nfs-utils.service" "nfs-server.service" ];
|
|
unitConfig = {
|
|
DefaultDependencies = false;
|
|
ConditionPathExists =
|
|
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
|
|
};
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
|
|
RemainAfterExit = true;
|
|
};
|
|
};
|
|
|
|
rpc-gssd-override = {
|
|
description = "RPC security service for NFS client and server";
|
|
wantedBy = [ "auth-rpcgss-module.service" ];
|
|
conflicts = [ "umount.target" ];
|
|
after = [
|
|
"host-keytab-watcher.service"
|
|
"rpc_pipefs.target"
|
|
"local-fs.target"
|
|
];
|
|
wants = [ "host-keytab-watcher.service" ];
|
|
requires = [ "rpc_pipefs.target" ];
|
|
partOf = [ "nfs-utils.service" ];
|
|
unitConfig.DefaultDependencies = false;
|
|
serviceConfig = {
|
|
Type = "forking";
|
|
ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
|
|
Restart = "always";
|
|
};
|
|
};
|
|
|
|
rpc-svcgssd-override = {
|
|
description = "RPC security service for NFS server";
|
|
wantedBy = [ "auth-rpcgss-module.service" ];
|
|
after = [
|
|
"host-keytab-watcher.service"
|
|
"local-fs.target"
|
|
"gssproxy.service"
|
|
];
|
|
wants = [ "host-keytab-watcher.service" ];
|
|
partOf = [ "nfs-utils.service" "nfs-server.service" ];
|
|
unitConfig = {
|
|
DefaultDependencies = false;
|
|
ConditionPathExists =
|
|
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
|
|
};
|
|
serviceConfig = {
|
|
Type = "forking";
|
|
ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
|
|
Restart = "always";
|
|
};
|
|
};
|
|
|
|
rpcbind.after = [ "local-fs.target" ];
|
|
};
|
|
|
|
services.printing = {
|
|
enable = true;
|
|
drivers = [ pkgs.brgenml1cupswrapper ];
|
|
};
|
|
};
|
|
}
|