nixos-config/config/site-config/seattle.nix


# Site configuration for the Seattle network (sea.fudo.org): NFS mounts from
# the local file servers, plus replacement rpc.gssd / rpc.svcgssd units that
# are held back until the host Kerberos keytab (/etc/krb5.keytab) exists.
{ config, lib, pkgs, ... }:
with lib;
let local-domain = "sea.fudo.org";
in {
  fileSystems = {
    # "/mnt/documents" = {
    #   device = "whitedwarf.${local-domain}:/volume1/Documents";
    #   fsType = "nfs4";
    #   options = [ "comment=systemd.automount" ];
    # };
    # "/mnt/downloads" = {
    #   device = "whitedwarf.${local-domain}:/volume1/Downloads";
    #   fsType = "nfs4";
    #   options = [ "comment=systemd.automount" ];
    # };

    # doraemon exports: plain "nfs" with no sec= option, so these two mounts
    # get none of the Kerberos protection applied to the cargo/nostromo
    # mounts below (presumably the server's default, AUTH_SYS — confirm
    # against doraemon's export settings). "comment=systemd.automount" is
    # the legacy spelling of the automount flag; the other mounts in this
    # file use "x-systemd.automount".
    "/mnt/music" = {
      device = "doraemon.${local-domain}:/volume1/Music";
      fsType = "nfs";
      options = [ "comment=systemd.automount" ];
    };
    "/mnt/video" = {
      device = "doraemon.${local-domain}:/volume1/Video";
      fsType = "nfs";
      options = [ "comment=systemd.automount" ];
    };
    # fileSystems."/mnt/security" = {
    #   device = "panopticon.${local-domain}:/srv/kerberos/data";
    #   fsType = "nfs4";
    # };

    # cargo exports: NFSv4 with sec=krb5i — Kerberos authentication plus
    # per-request integrity checking. krb5i does not encrypt the payload on
    # the wire; that is sec=krb5p, used for documents/projects below.
    "/mnt/cargo_video" = {
      device = "cargo.${local-domain}:/volume1/video";
      fsType = "nfs4";
      options = [ "sec=krb5i" "x-systemd.automount" ];
    };
    "/mnt/photo" = {
      device = "cargo.${local-domain}:/volume1/pictures";
      fsType = "nfs4";
      options = [ "sec=krb5i" "x-systemd.automount" ];
    };
    # "proto=tcp"
    # NOTE: these are pointing directly to nostromo so the krb lookup works.
    # nostromo exports: documents and projects use sec=krb5p (authentication,
    # integrity and encryption); downloads only sec=krb5i (no encryption).
    "/net/documents" = {
      device = "nostromo.${local-domain}:/export/documents";
      fsType = "nfs4";
      options = [
        "sec=krb5p"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
    "/net/downloads" = {
      device = "nostromo.${local-domain}:/export/downloads";
      fsType = "nfs4";
      options = [
        "sec=krb5i"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
    "/net/projects" = {
      device = "nostromo.${local-domain}:/export/projects";
      fsType = "nfs4";
      options = [
        "sec=krb5p"
        "x-systemd.automount"
        # "vers=4"
        # "minorversion=2"
        # "proto=tcp"
      ];
    };
  };

  systemd.services = {
    # Gate for the GSS units below. ExecStartPre fails while /etc/krb5.keytab
    # is missing; Restart=on-failure with RestartSec=2 re-runs the check every
    # two seconds. Once the file exists, ExecStart (true) succeeds and
    # RemainAfterExit keeps the unit active so the units ordered after it can
    # start.
    # NOTE(review): with systemd's default StartLimitBurst=5 over
    # StartLimitIntervalSec=10s, a 2 s retry loop may hit the start rate
    # limit if the keytab takes longer than ~10 s to appear — verify, or
    # raise the limit in unitConfig.
    # NOTE(review): wantedBy/before name auth-rpcgss-module.service, which is
    # disabled below; auth-rpcgss-module-override already wants this unit and
    # orders after it, so those two entries are harmless but stale.
    host-keytab-watcher = {
      wantedBy = [
        "rpc-gssd-override.service"
        "rpc-svcgssd-override.service"
        "auth-rpcgss-module.service"
      ];
      before = [
        "rpc-gssd-override.service"
        "rpc-svcgssd-override.service"
        "auth-rpcgss-module.service"
      ];
      # Ordered after the site's secrets target (presumably where the keytab
      # is deployed — confirm in the fudo.secrets module).
      after = [ config.fudo.secrets.secret-target ];
      serviceConfig = {
        ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
        ExecStart = "${pkgs.coreutils}/bin/true";
        TimeoutStartSec = "360";
        RemainAfterExit = true;
        Restart = "on-failure";
        RestartSec = "2";
      };
    };

    # Disable the stock NixOS GSS units; the *-override units below take
    # their place and additionally wait for host-keytab-watcher.
    auth-rpcgss-module.enable = false;
    rpc-gssd.enable = false;
    rpc-svcgssd.enable = false;

    # Loads the auth_rpcgss kernel module and pulls in the GSS daemons. The
    # ConditionPathExists entries are triggering ("|") negated ("!")
    # conditions: the unit is skipped only when both /run/gssproxy.pid and
    # /proc/net/rpc/use-gss-proxy exist, i.e. when gssproxy is handling GSS.
    auth-rpcgss-module-override = {
      description = "Kernel Module supporting RPCSEC_GSS";
      before = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
      ];
      wantedBy = [ "nfs-client.target" "nfs-server.target" ];
      wants = [
        "gssproxy.service"
        "rpc-svcgssd-override.service"
        "rpc-gssd-override.service"
        "host-keytab-watcher.service"
      ];
      after = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = {
        DefaultDependencies = false;
        ConditionPathExists =
          [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
      };
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
        RemainAfterExit = true;
      };
    };

    # Client-side GSS daemon; needs rpc_pipefs and the host keytab first.
    # NOTE(review): wantedBy names the disabled auth-rpcgss-module.service;
    # auth-rpcgss-module-override already wants this unit (see above).
    rpc-gssd-override = {
      description = "RPC security service for NFS client and server";
      wantedBy = [ "auth-rpcgss-module.service" ];
      conflicts = [ "umount.target" ];
      after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];
      wants = [ "host-keytab-watcher.service" ];
      requires = [ "rpc_pipefs.target" ];
      partOf = [ "nfs-utils.service" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
      };
    };

    # Server-side GSS daemon; same gssproxy condition as the module unit, so
    # it is skipped when gssproxy is active. Same stale wantedBy as above.
    rpc-svcgssd-override = {
      description = "RPC security service for NFS server";
      wantedBy = [ "auth-rpcgss-module.service" ];
      after =
        [ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
      wants = [ "host-keytab-watcher.service" ];
      partOf = [ "nfs-utils.service" "nfs-server.service" ];
      unitConfig = {
        DefaultDependencies = false;
        ConditionPathExists =
          [ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
      };
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
      };
    };
  };

  # CUPS with the Brother driver wrapper for the site printer.
  services.printing = {
    enable = true;
    drivers = [ pkgs.brgenml1cupswrapper ];
  };
}