feat(reimu): nfs

nixos/nfs.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  access,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.lists) optional;
+  inherit (lib.strings) concatStringsSep concatMapStringsSep splitString;
+  cfg = config.services.nfs;
+  openPorts = [
+    (mkIf cfg.server.enable 2049)
+    (mkIf config.services.rpcbind.enable 111)
+    (mkIf (cfg.server.statdPort != null) cfg.server.statdPort)
+    (mkIf (cfg.server.lockdPort != null) cfg.server.lockdPort)
+    (mkIf (cfg.server.mountdPort != null) cfg.server.mountdPort)
+  ];
+  enableLdap = false;
+  system = access.systemFor "tei";
+  inherit (system.services) kanidm;
+in {
+  services.nfs = {
+    server = {
+      enable = mkDefault true;
+      statdPort = mkDefault 4000;
+      lockdPort = mkDefault 4001;
+      mountdPort = mkDefault 4002;
+    };
+    idmapd.settings = {
+      General.Domain = mkDefault config.networking.domain;
+      Translation.GSS-Methods = concatStringsSep "," (
+        [ "static" ]
+        ++ optional enableLdap "umich_ldap"
+        ++ [ "nsswitch" ]
+      );
+      Static = {
+      };
+      UMICH_SCHEMA = mkIf enableLdap {
+        LDAP_server = "ldap.local.${config.networking.domain}";
+        LDAP_use_ssl = true;
+        LDAP_ca_cert = "/etc/ssl/certs/ca-bundle.crt";
+        LDAP_base = kanidm.server.ldap.baseDn;
+        NFSv4_person_objectclass = "account";
+        NFSv4_group_objectclass = "group";
+        NFSv4_name_attr = "name";
+        NFSv4_group_attr = "name";
+        NFSv4_uid_attr = "gidnumber";
+        NFSv4_gid_attr = "gidnumber";
+        LDAP_canonicalize_name = false;
+      };
+    };
+  };
+  networking.firewall.interfaces.local = {
+    allowedTCPPorts = openPorts;
+    allowedUDPPorts = openPorts;
+  };
+}