exports: consolidate nfs and sftpgo mounts into /var/export

2023-09-01 01:23:35 +00:00 · 2023-09-01 01:23:35 +00:00 · 15e09573d5
parent d6479ca148
commit 15e09573d5
3 changed files with 43 additions and 30 deletions
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@ -1,7 +1,42 @@
-{ ... }:
+{ config, ... }:
 {
  imports = [
    ./nfs.nix
    ./sftpgo.nix
  ];
+
+
+  fileSystems."/var/export/media" = {
+    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
+    device = "/var/lib/uninsane/media";
+    options = [ "rbind" ];
+  };
+  fileSystems."/var/export/playground" = {
+    device = config.fileSystems."/mnt/persist/ext".device;
+    fsType = "btrfs";
+    options = [
+      "subvol=export-playground"
+      "compress=zstd"
+      "defaults"
+    ];
+  };
+
+  sane.fs."/var/export/README.md" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      - media/         read-only:  Videos, Music, Books, etc
+      - playground/    read-write: use it to share files with other users of this server
+    '';
+  };
+
+  # sane.fs."/var/lib/sftpgo/export/playground/README.md" = {
+  #   wantedBy = [ "nfs.service" "sftpgo.service" ];
+  #   file.text = ''
+  #     this directory is intentionally read+write by anyone.
+  #     there are no rules, except a server-level quota:
+  #     - share files
+  #     - write poetry
+  #     - be a friendly troll
+  #   '';
+  # };
 }
--- a/hosts/by-name/servo/services/export/nfs.nix
+++ b/hosts/by-name/servo/services/export/nfs.nix
@ -56,12 +56,6 @@
  #
  # 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
  services.nfs.server.exports = ''
-    /var/nfs/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
+    /var/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
  '';
-
-  fileSystems."/var/nfs/export/media" = {
-    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
-    device = "/var/lib/uninsane/media";
-    options = [ "rbind" ];
-  };
 }
--- a/hosts/by-name/servo/services/export/sftpgo.nix
+++ b/hosts/by-name/servo/services/export/sftpgo.nix
@ -44,7 +44,7 @@ let
    status = 1;
    username = "anonymous";
    expiration_date = 0;
-    home_dir = "/var/lib/sftpgo/export";
+    home_dir = "/var/export";
    # uid/gid 0 means to inherit sftpgo uid.
    # - i.e. users can't read files which Linux user `sftpgo` can't read
    # - uploaded files belong to Linux user `sftpgo`
@ -172,23 +172,14 @@ in
    };
  };

-  fileSystems."/var/lib/sftpgo/export/media" = {
-    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
-    device = "/var/lib/uninsane/media";
-    options = [ "rbind" ];
-  };
+  # fileSystems."/var/lib/sftpgo/export/media" = {
+  #   # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
+  #   device = "/var/lib/uninsane/media";
+  #   options = [ "rbind" ];
+  # };
  # sane.persist.sys.plaintext = [
  #   { user = "sftpgo"; group = "sftpgo"; path = "/var/lib/sftpgo/export/playground"; }
  # ];
-  fileSystems."/var/lib/sftpgo/export/playground" = {
-    device = config.fileSystems."/mnt/persist/ext".device;
-    fsType = "btrfs";
-    options = [
-      "subvol=export-playground"
-      "compress=zstd"
-      "defaults"
-    ];
-  };
  # sane.fs."/var/lib/sftpgo/export/playground/README.md" = {
  #   wantedBy = [ "sftpgo.service" ];
  #   file.text = ''
@ -199,11 +190,4 @@ in
  #     - be a friendly troll
  #   '';
  # };
-  sane.fs."/var/lib/sftpgo/export/README.md" = {
-    wantedBy = [ "sftpgo.service" ];
-    file.text = ''
-      - media/         read-only:  Videos, Music, Books, etc
-      - playground/    read-write: use it to share files with other users of this server
-    '';
-  };
 }