feat(kyuuto): fs roots

nixos/kyuuto/nfs.nix

@@ -4,9 +4,6 @@
   ...
 }: let
   inherit (lib.modules) mkIf;
-  inherit (lib.lists) optionals;
-  inherit (lib.strings) concatStringsSep;
-  inherit (config.networking.access) cidrForNetwork;
   inherit (config) kyuuto;
   inherit (config.services.nfs.export) flagSets;
   nfsRoot = {
@@ -14,6 +11,8 @@
     transfer = "${nfsRoot}/kyuuto/transfer";
     media = "${nfsRoot}/kyuuto/media";
     data = "${nfsRoot}/kyuuto/data";
+    systems = "${nfsRoot}/kyuuto/systems";
+    gengetsu = "${nfsRoot.systems}/gengetsu";
   };
 in {
   services.nfs = {
@@ -46,6 +45,24 @@ in {
             };
           };
         };
+        "${nfsRoot.gengetsu}/root" = {
+          flags = flagSets.common ++ ["fsid=162"] ++ ["async"];
+          clients = {
+            gengetsu = {
+              machine = flagSets.gengetsuClients;
+              flags = flagSets.metal;
+            };
+          };
+        };
+        "${nfsRoot.gengetsu}/boot" = {
+          flags = flagSets.common ++ ["fsid=163"] ++ ["async"];
+          clients = {
+            gengetsu = {
+              machine = flagSets.gengetsuClients;
+              flags = flagSets.metal;
+            };
+          };
+        };
       };
     };
   };
@@ -74,5 +91,15 @@ in {
         what = kyuuto.transferDir;
         where = nfsRoot.transfer;
       }
+      {
+        inherit type options wantedBy before;
+        what = "${kyuuto.dataDir}/systems/gengetsu/fs/root";
+        where = "${nfsRoot.gengetsu}/root";
+      }
+      {
+        inherit type options wantedBy before;
+        what = "${kyuuto.dataDir}/systems/gengetsu/fs/boot";
+        where = "${nfsRoot.gengetsu}/boot";
+      }
     ];
 }

nixos/nfs.nix

@@ -55,7 +55,18 @@ in {
       mountdPort = mkDefault 4002;
     };
     export = {
-      flagSets = {
+      flagSets = let
+        mkMetalClient = name: let
+          system = gensokyo-zone.systems.${name};
+          inherit (system.network.networks) local;
+          addrs =
+            optional (local.enable or false && local.address4 != null) "${local.address4}/32"
+            ++ optional (local.enable or false && local.address6 != null) "${local.address6}/128";
+          allowed =
+            if addrs != [] then addrs
+            else lib.warn "${name} NFS: falling back to all LAN" cidrForNetwork.allLan.all;
+        in allowed;
+      in {
         common = [
           "no_subtree_check"
           "anonuid=${toString config.users.users.guest.uid}"
@@ -78,6 +89,9 @@ in {
           "all_squash"
           "ro"
         ];
+        metal = [
+          "sec=sys" "no_root_squash" "rw"
+        ];
         # client machines
         clientGroups = [
           "@peeps"
@@ -89,6 +103,7 @@ in {
         tailClients = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
         localClients = cidrForNetwork.allLan.all ++ flagSets.tailClients;
         allClients = flagSets.clientGroups ++ flagSets.trustedClients ++ flagSets.localClients;
+        gengetsuClients = mkMetalClient "gengetsu";
       };
       root = {
         path = "/srv/fs";

systems/reimu/lxc.json

@@ -3,6 +3,8 @@
 		"lxc.mount.entry": [
 			"/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir",
 			"/mnt/kyuuto-data/minecraft mnt/kyuuto-data/minecraft none bind,optional,create=dir",
+			"/mnt/kyuuto-data/systems/gengetsu/fs/root mnt/kyuuto-data/systems/gengetsu/fs/root none bind,optional,create=dir",
+			"/mnt/kyuuto-data/systems/gengetsu/fs/boot mnt/kyuuto-data/systems/gengetsu/fs/boot none bind,optional,create=dir",
 			"/dev/net/tun dev/net/tun none bind,optional,create=file"
 		],
 		"lxc.cgroup2.devices.allow": [

systems/reisen/setup.sh

@@ -117,14 +117,16 @@ mkzfs() {
 	ZFS_ARGS=("$@")
 
 	if [[ $ZFS_NAME != ${ZFS_PATH#/} ]]; then
-		ZFS_ARGS+=(-o "mountpoint=$ZFS_PATH")
+		ZFS_ARGS+=(-o "mountpoint=${ZFS_PATH-none}")
 	fi
 
-	if [[ ! -d "$ZFS_PATH" ]]; then
+	if [[ -z "$ZFS_PATH" || ! -d "$ZFS_PATH" ]]; then
 		zfs create "$ZFS_NAME" ${ZFS_ARGS[@]+"${ZFS_ARGS[@]}"}
 	fi
-	chmod "$ZFS_MODE" "$ZFS_PATH"
+	if [[ -n "$ZFS_PATH" ]]; then
-	chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
+		chmod "$ZFS_MODE" "$ZFS_PATH"
+		chown "$ZFS_OWNER:$ZFS_GROUP" "$ZFS_PATH"
+	fi
 }
 
 mkshared() {
@@ -140,11 +142,12 @@ mkcache() {
 }
 
 mkkyuuto() {
-	local KYUUTO_PATH KYUUTO_ARGS=()
+	local KYUUTO_MOUNTNAME KYUUTO_ARGS=()
 	KYUUTO_NAME=$1
 	KYUUTO_ARGS=("$2" "$3" "$4")
 	shift 4
-	mkzfs "/mnt/kyuuto-$KYUUTO_NAME" "${KYUUTO_ARGS[@]}" "kyuuto/$KYUUTO_NAME" "$@"
+	KYUUTO_MOUNTNAME=${KYUUTO_MOUNT-$KYUUTO_NAME}
+	mkzfs "/mnt/kyuuto-$KYUUTO_MOUNTNAME" "${KYUUTO_ARGS[@]}" "kyuuto/$KYUUTO_NAME" "$@"
 }
 
 mkshared nix 0 0 0755
@@ -198,6 +201,22 @@ fi
 chown 100913:8126 /mnt/kyuuto-data/minecraft/simplebackups
 chmod 0775 /mnt/kyuuto-data/minecraft/simplebackups
 
+mkkyuuto data/systems 0 0 0775
+nfsystemroot=/mnt/kyuuto-data/systems
+for nfsystem in gengetsu; do
+	mkkyuuto data/systems/$nfsystem 0 0 0750
+
+	if [[ ! -d $nfsystemroot/$nfsystem/fs ]]; then
+		mkdir $nfsystemroot/$nfsystem/fs
+	fi
+	chown 0:0 $nfsystemroot/$nfsystem/fs
+	chmod 0755 $nfsystemroot/$nfsystem/fs
+
+	for nfsystemfs in root boot; do
+		KYUUTO_MOUNT=data/systems/$nfsystem/fs/$nfsystemfs mkkyuuto data/systems/$nfsystem/$nfsystemfs 0 0 0755
+	done
+done
+
 ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
 mkdir -p /etc/systemd/system/auth-rpcgss-module.service.d
 ln -sf /etc/systemd/system/auth-rpcgss-module.service /etc/systemd/system/multi-user.target.wants/