diff --git a/nixos/kyuuto/nfs.nix b/nixos/kyuuto/nfs.nix
index 69f9ab8b..15f5ee51 100644
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
@@ -4,9 +4,6 @@
 ...
 }: let
 inherit (lib.modules) mkIf;
- inherit (lib.lists) optionals;
- inherit (lib.strings) concatStringsSep;
- inherit (config.networking.access) cidrForNetwork;
 inherit (config) kyuuto;
 inherit (config.services.nfs.export) flagSets;
 nfsRoot = {
@@ -14,6 +11,8 @@
 transfer = "${nfsRoot}/kyuuto/transfer";
 media = "${nfsRoot}/kyuuto/media";
 data = "${nfsRoot}/kyuuto/data";
+ systems = "${nfsRoot}/kyuuto/systems";
+ gengetsu = "${nfsRoot.systems}/gengetsu";
 };
 in {
 services.nfs = {
@@ -46,6 +45,24 @@ in {
 };
 };
 };
+ "${nfsRoot.gengetsu}/root" = {
+ flags = flagSets.common ++ ["fsid=162"] ++ ["async"];
+ clients = {
+ gengetsu = {
+ machine = flagSets.gengetsuClients;
+ flags = flagSets.metal;
+ };
+ };
+ };
+ "${nfsRoot.gengetsu}/boot" = {
+ flags = flagSets.common ++ ["fsid=163"] ++ ["async"];
+ clients = {
+ gengetsu = {
+ machine = flagSets.gengetsuClients;
+ flags = flagSets.metal;
+ };
+ };
+ };
 };
 };
 };
@@ -74,5 +91,15 @@ in {
 what = kyuuto.transferDir;
 where = nfsRoot.transfer;
 }
+ {
+ inherit type options wantedBy before;
+ what = "${kyuuto.dataDir}/systems/gengetsu/fs/root";
+ where = "${nfsRoot.gengetsu}/root";
+ }
+ {
+ inherit type options wantedBy before;
+ what = "${kyuuto.dataDir}/systems/gengetsu/fs/boot";
+ where = "${nfsRoot.gengetsu}/boot";
+ }
 ];
 }
diff --git a/nixos/nfs.nix b/nixos/nfs.nix
index f5ee81e0..e040a747 100644
--- a/nixos/nfs.nix
+++ b/nixos/nfs.nix
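Review bot: The `++ ["async"]` appended to both new `"${nfsRoot.gengetsu}/root"` and `/boot` exports lets the server acknowledge writes before they reach stable storage, so a server crash or power loss can silently corrupt the netbooted system's root filesystem or its bootloader files. `sync` is the exportfs default and the safer choice for an export a machine boots from; if `async` is kept for throughput, record the trade-off next to it, e.g. `# async: data loss on server crash is accepted for this system`. The two export blocks differ only in path and fsid, so a small helper taking the filesystem name and fsid would remove the duplication and keep the flags from drifting apart. `flagSets.common` and `flagSets.metal` are defined in another file, so what else these exports permit is not visible in this hunk.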
@@ -55,7 +55,18 @@ in {
 mountdPort = mkDefault 4002;
 };
 export = {
- flagSets = {
+ flagSets = let
+ mkMetalClient = name: let
+ system = gensokyo-zone.systems.${name};
+ inherit (system.network.networks) local;
+ addrs =
+ optional (local.enable or false && local.address4 != null) "${local.address4}/32"
+ ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128";
+ allowed =
+ if addrs != [] then addrs
+ else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all;
+ in allowed;
+ in {
 common = [
 "no_subtree_check"
 "anonuid=${toString config.users.users.guest.uid}"
@@ -78,6 +89,9 @@ in {
 "all_squash"
 "ro"
 ];
+ metal = [
+ "sec=sys" "no_root_squash" "rw"
+ ];
 # client machines
 clientGroups = [
 "@peeps"
@@ -89,6 +103,7 @@ in {
 tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
 localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients;
 allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients;
+ gengetsuClients = mkMetalClient "gengetsu";
 };
 root = {
 path = "/srv/fs";
diff --git a/systems/reimu/lxc.json b/systems/reimu/lxc.json
index c7b7ca40..87e9fcd1 100644
--- a/systems/reimu/lxc.json
+++ b/systems/reimu/lxc.json
@@ -3,6 +3,8 @@
 "lxc.mount.entry": [
 "/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir",
 "/mnt/kyuuto-data/minecraft mnt/kyuuto-data/minecraft none bind,optional,create=dir",
+ "/mnt/kyuuto-data/systems/gengetsu/fs/root mnt/kyuuto-data/systems/gengetsu/fs/root none bind,optional,create=dir",
+ "/mnt/kyuuto-data/systems/gengetsu/fs/boot mnt/kyuuto-data/systems/gengetsu/fs/boot none bind,optional,create=dir",
 "/dev/net/tun dev/net/tun none bind,optional,create=file"
 ],
 "lxc.cgroup2.devices.allow": [
diff --git a/systems/reisen/setup.sh b/systems/reisen/setup.sh
index 3e3500d1..6bdb3c5b 100644
--- a/systems/reisen/setup.sh
+++ b/systems/reisen/setup.sh
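Review bot: `mkMetalClient` fails open: when a system has no `local.address4`/`address6`, the `else` branch returns `cidrForNetwork.allLan.all` with only a `lib.warn`, so every LAN host receives whatever flags the export pairs with the result — and `gengetsuClients` is paired with `flagSets.metal` (`no_root_squash rw`) on a root-filesystem export in this same commit. A missing address should abort evaluation rather than widen the client list: `else throw "${name} NFS: no local address configured for metal export";`. If a fallback is genuinely wanted, an empty list (exported to nobody) is the safe default, with the warning kept. Note also that `addrs` is gated on `local.enable or false`, so a system whose `local` network is merely disabled silently takes the same all-LAN path.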
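Review bot: The new `metal` flag set combines `sec=sys` with `no_root_squash` and `rw`, so the client's asserted root identity is taken at face value and the only authorization left is the source-address match in the export's client list. That assumption is not written down next to the flags; a comment such as `# metal: full-trust export for netbooted root filesystems. sec=sys means the client list is the only authorization — only pair with single-host /32 or /128 entries, never a network range.` would keep a later maintainer from reusing it with a broader client list. If Kerberos is available on this network (the Reisen setup script in the same commit enables `auth-rpcgss-module.service`), `sec=krb5p` or `sec=krb5i` would move authorization off IP addresses, though a diskless client that needs its root before it has a keytab may rule that out.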
@@ -117,14 +117,16 @@ mkzfs() {
 ZFS_ARGS=("$@")
 if [[ $ZFS_NAME != ${ZFS_PATH#/} ]]; then
- ZFS_ARGS+=(-o "mountpoint=$ZFS_PATH")
+ ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH-none}")
 fi
- if [[ ! -d "$ZFS_PATH" ]]; then
+ if [[ -z "$ZFS_PATH" || ! -d "$ZFS_PATH" ]]; then
 zfs create "$ZFS_NAME" ${ZFS_ARGS[@]+"${ZFS_ARGS[@]}"}
 fi
- chmod "$ZFS_MODE" "$ZFS_PATH"
- chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
+ if [[ -n "$ZFS_PATH" ]]; then
+ chmod "$ZFS_MODE" "$ZFS_PATH"
+ chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
+ fi
 }
 mkshared() {
@@ -140,11 +142,12 @@ mkcache() {
 }
 mkkyuuto() {
- local KYUUTO_PATH KYUUTO_ARGS=()
+ local KYUUTO_MOUNTNAME KYUUTO_ARGS=()
 KYUUTO_NAME=$1
 KYUUTO_ARGS=("$2" "$3" "$4")
 shift 4
- mkzfs "/mnt/kyuuto-$KYUUTO_NAME" "${KYUUTO_ARGS[@]}" "kyuuto/$KYUUTO_NAME" "$@"
+ KYUUTO_MOUNTNAME=${KYUUTO_MOUNT-$KYUUTO_NAME}
+ mkzfs "/mnt/kyuuto-$KYUUTO_MOUNTNAME" "${KYUUTO_ARGS[@]}" "kyuuto/$KYUUTO_NAME" "$@"
 }
 mkshared nix 0 0 0755
@@ -198,6 +201,22 @@ fi
 chown 100913:8126 /mnt/kyuuto-data/minecraft/simplebackups
 chmod 0775 /mnt/kyuuto-data/minecraft/simplebackups
+mkkyuuto data/systems 0 0 0775
+nfsystemroot=/mnt/kyuuto-data/systems
+for nfsystem in gengetsu; do
+ mkkyuuto data/systems/$nfsystem 0 0 0750
+
+ if [[ ! -d $nfsystemroot/$nfsystem/fs ]]; then
+ mkdir $nfsystemroot/$nfsystem/fs
+ fi
+ chown 0:0 $nfsystemroot/$nfsystem/fs
+ chmod 0755 $nfsystemroot/$nfsystem/fs
+
+ for nfsystemfs in root boot; do
+ KYUUTO_MOUNT=data/systems/$nfsystem/fs/$nfsystemfs mkkyuuto data/systems/$nfsystem/$nfsystemfs 0 0 0755
+ done
+done
+
 ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
 mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
 ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/
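Review bot: `${ZFS_PATH-none}` substitutes `none` only when `ZFS_PATH` is unset, while the two new guards use `-z`/`-n`, which also treat the empty string as "no mountpoint"; a caller that passes `""` for the path therefore skips the chmod/chown but still runs `zfs create` with `-o mountpoint=`, which zfs rejects. Use the colon form so the expansion and the guards agree: `ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH:-none}")`. `mkzfs` begins above this hunk, so how `ZFS_PATH` is assigned is not visible; that an empty value can reach here is inferred from the `-z` check the commit itself adds.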
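Review bot: The `root`/`boot` datasets created in the inner `for nfsystemfs` loop are the ones the NFS config in this commit exports with `no_root_squash` and `rw`, so the remote client can drop setuid binaries and device nodes into a filesystem that is mounted on this host and bind-mounted into the reimu container. Since `mkkyuuto` forwards its extra arguments to `zfs create`, the datasets can be hardened at creation: `KYUUTO_MOUNT=data/systems/$nfsystem/fs/$nfsystemfs mkkyuuto data/systems/$nfsystem/$nfsystemfs 0 0 0755 -o setuid=off -o devices=off -o exec=off`. These properties only govern how the server side mounts the dataset; the netbooted client mounts it over NFS and still sees its files normally, so this should not affect booting, but that is worth confirming before relying on it.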