feat(kyuuto): fs roots

2026-02-09 04:19:19 -08:00 · 2024-11-19 15:03:44 -08:00 · 2024-11-19 15:03:44 -08:00 · 99baf8dec6
commit 99baf8dec6
parent e06af89d88
4 changed files with 73 additions and 10 deletions
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
@ -4,9 +4,6 @@
  ...
 }: let
  inherit (lib.modules) mkIf;
-  inherit (lib.lists) optionals;
-  inherit (lib.strings) concatStringsSep;
-  inherit (config.networking.access) cidrForNetwork;
  inherit (config) kyuuto;
  inherit (config.services.nfs.export) flagSets;
  nfsRoot = {
@ -14,6 +11,8 @@
    transfer = "${nfsRoot}/kyuuto/transfer";
    media = "${nfsRoot}/kyuuto/media";
    data = "${nfsRoot}/kyuuto/data";
+    systems = "${nfsRoot}/kyuuto/systems";
+    gengetsu = "${nfsRoot.systems}/gengetsu";
  };
 in {
  services.nfs = {
@ -46,6 +45,24 @@ in {
            };
          };
        };
+        "${nfsRoot.gengetsu}/root" = {
+          flags = flagSets.common ++ ["fsid=162"] ++ ["async"];
+          clients = {
+            gengetsu = {
+              machine = flagSets.gengetsuClients;
+              flags = flagSets.metal;
+            };
+          };
+        };
+        "${nfsRoot.gengetsu}/boot" = {
+          flags = flagSets.common ++ ["fsid=163"] ++ ["async"];
+          clients = {
+            gengetsu = {
+              machine = flagSets.gengetsuClients;
+              flags = flagSets.metal;
+            };
+          };
+        };
      };
    };
  };
@ -74,5 +91,15 @@ in {
        what = kyuuto.transferDir;
        where = nfsRoot.transfer;
      }
+      {
+        inherit type options wantedBy before;
+        what = "${kyuuto.dataDir}/systems/gengetsu/fs/root";
+        where = "${nfsRoot.gengetsu}/root";
+      }
+      {
+        inherit type options wantedBy before;
+        what = "${kyuuto.dataDir}/systems/gengetsu/fs/boot";
+        where = "${nfsRoot.gengetsu}/boot";
+      }
    ];
 }
--- a/nixos/nfs.nix
+++ b/nixos/nfs.nix
@ -55,7 +55,18 @@ in {
      mountdPort = mkDefault 4002;
    };
    export = {
-      flagSets = {
+      flagSets = let
+        mkMetalClient = name: let
+          system = gensokyo-zone.systems.${name};
+          inherit (system.network.networks) local;
+          addrs =
+            optional (local.enable or false && local.address4 != null) "${local.address4}/32"
+            ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128";
+          allowed =
+            if addrs != [] then addrs
+            else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all;
+        in allowed;
+      in {
        common = [
          "no_subtree_check"
          "anonuid=${toString config.users.users.guest.uid}"
@ -78,6 +89,9 @@ in {
          "all_squash"
          "ro"
        ];
+        metal = [
+          "sec=sys" "no_root_squash" "rw"
+        ];
        # client machines
        clientGroups = [
          "@peeps"
@ -89,6 +103,7 @@ in {
        tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
        localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients;
        allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients;
+        gengetsuClients = mkMetalClient "gengetsu";
      };
      root = {
        path = "/srv/fs";