ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/hosts/h002/nfs-data.nix
RingOfStorms (Joshua Bell) df184b40e0 tighten up h002 data perm cleanup
2025-12-31 11:11:56 -06:00

82 lines
2 KiB
Nix
Raw Blame History

{
pkgs,
config,
lib,
...
}:
lib.mkMerge [
({
users.groups.media = {
gid = 2000;
};
# Keep exported paths group-writable for media services.
# `2` (setgid) makes new files inherit group `media`.
systemd.tmpfiles.rules = [
"d /data/nixarr 2775 root media - -"
"d /data/nixarr/media 2775 root media - -"
"d /data/pinchflat 2775 root media - -"
"d /data/pinchflat/media 2775 root media - -"
];
# One-shot fixup for existing files after migrations/rsync.
# Runs before `nfs-server` so clients always see correct perms.
systemd.services.nfs-media-permissions = {
description = "Fix NFS media permissions";
after = [ "local-fs.target" ];
before = [ "nfs-server.service" ];
requiredBy = [ "nfs-server.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.coreutils pkgs.findutils ];
script = ''
set -euo pipefail
getent group media >/dev/null
for dir in /data/nixarr/media /data/pinchflat/media; do
mkdir -p "$dir"
chgrp -R media "$dir"
chmod -R g+rwX "$dir"
find "$dir" -type d -exec chmod 2775 {} +
done
'';
};
services.nfs.server = {
enable = true;
exports = ''
/data 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
/data 10.12.14.0/10(rw,sync,no_subtree_check,no_root_squash,fsid=0,crossmnt)
'';
};
environment.systemPackages = [
pkgs.nfs-utils
];
})
# Open ports and expose so local network works
(lib.mkIf config.networking.firewall.enable {
services.rpcbind.enable = true;
services.nfs.server.lockdPort = 32803;
services.nfs.server.mountdPort = 892;
services.nfs.server.statdPort = 662;
networking.firewall = {
allowedTCPPorts = [
2049
111
892
32803
662
];
allowedUDPPorts = [
2049
111
892
32803
662
];
};
})
]
Reference in a new issue View git blame Copy permalink