nfs: expose playground as a read/write dir
This commit is contained in:
parent
4fdf74fdbe
commit
357b6ef06e
|
@ -44,8 +44,7 @@
|
||||||
sane.fs."/var/export/playground/README.md" = {
|
sane.fs."/var/export/playground/README.md" = {
|
||||||
wantedBy = [ "nfs.service" "sftpgo.service" ];
|
wantedBy = [ "nfs.service" "sftpgo.service" ];
|
||||||
file.text = ''
|
file.text = ''
|
||||||
this directory is intentionally read+write by anyone.
|
this directory is intentionally read+write by anyone with access (i.e. on the LAN).
|
||||||
there are no rules, except a shared quota:
|
|
||||||
- share files
|
- share files
|
||||||
- write poetry
|
- write poetry
|
||||||
- be a friendly troll
|
- be a friendly troll
|
||||||
|
|
|
@ -1,8 +1,20 @@
|
||||||
# docs:
|
# docs:
|
||||||
# - <https://nixos.wiki/wiki/NFS>
|
# - <https://nixos.wiki/wiki/NFS>
|
||||||
# - <https://wiki.gentoo.org/wiki/Nfs-utils>
|
# - <https://wiki.gentoo.org/wiki/Nfs-utils>
|
||||||
|
# system files:
|
||||||
|
# - /etc/exports
|
||||||
|
# system services:
|
||||||
|
# - nfs-server.service
|
||||||
|
# - nfs-idmapd.service
|
||||||
|
# - nfs-mountd.service
|
||||||
|
# - nfsdcld.service
|
||||||
|
# - rpc-statd.service
|
||||||
|
# - rpcbind.service
|
||||||
|
#
|
||||||
|
# TODO: force files to be 755, or 750.
|
||||||
|
# - could maybe be done with some mount option?
|
||||||
|
|
||||||
{ ... }:
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
services.nfs.server.enable = true;
|
services.nfs.server.enable = true;
|
||||||
|
|
||||||
|
@ -52,11 +64,47 @@
|
||||||
# - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
|
# - no_root_squash, root_squash (default): map requests from uid 0 to user `nobody`.
|
||||||
# - crossmnt: reveal filesystems that are mounted under this endpoint
|
# - crossmnt: reveal filesystems that are mounted under this endpoint
|
||||||
# - fsid: must be zero for the root export
|
# - fsid: must be zero for the root export
|
||||||
|
# - fsid=root is alias for fsid=0
|
||||||
# - mountpoint[=/path]: only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
|
# - mountpoint[=/path]: only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
|
||||||
|
# - all_squash: rewrite all client requests such that they come from anonuid/anongid
|
||||||
|
# - any files a user creates are owned by local anonuid/anongid.
|
||||||
|
# - users can read any local file which anonuid/anongid would be able to read.
|
||||||
|
# - users can't chown to/away from anonuid/anongid.
|
||||||
|
# - users can chmod files they own, to anything (making them unreadable to non-`nfsuser` export users, like FTP).
|
||||||
|
# - `stat` remains unchanged, returning the real UIDs/GIDs to the client.
|
||||||
|
# - thus programs which check `uid` or `gid` before trying an operation may incorrectly conclude they can't perform some op.
|
||||||
#
|
#
|
||||||
# 10.0.0.0/8 to export both to LAN (readonly, unencrypted) and wg vpn (read-write, encrypted)
|
# 10.0.0.0/8 to export both to LAN (readonly, unencrypted) and wg vpn (read-write, encrypted)
|
||||||
services.nfs.server.exports = ''
|
services.nfs.server.exports =
|
||||||
/var/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
|
let
|
||||||
'';
|
fmtExport = { export, baseOpts, extraLanOpts ? [], extraVpnOpts ? [] }:
|
||||||
# TODO: export playground as read-write to LAN, with forced UID/GID mapping to nfsguest/export
|
let
|
||||||
|
always = [ "subtree_check" ];
|
||||||
|
lanOpts = always ++ baseOpts ++ extraLanOpts;
|
||||||
|
vpnOpts = always ++ baseOpts ++ extraVpnOpts;
|
||||||
|
in "${export} 10.78.79.0/22(${lib.concatStringsSep "," lanOpts}) 10.0.10.0/24(${lib.concatStringsSep "," vpnOpts})";
|
||||||
|
in lib.concatStringsSep "\n" [
|
||||||
|
(fmtExport {
|
||||||
|
export = "/var/export";
|
||||||
|
baseOpts = [ "crossmnt" "fsid=root" ];
|
||||||
|
extraLanOpts = [ "ro" ];
|
||||||
|
extraVpnOpts = [ "rw" "no_root_squash" ];
|
||||||
|
})
|
||||||
|
(fmtExport {
|
||||||
|
export = "/var/export/playground";
|
||||||
|
baseOpts = [
|
||||||
|
"mountpoint"
|
||||||
|
"all_squash"
|
||||||
|
"rw"
|
||||||
|
"anonuid=${builtins.toString config.users.users.nfsuser.uid}"
|
||||||
|
"anongid=${builtins.toString config.users.groups.export.gid}"
|
||||||
|
];
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.nfsuser = {
|
||||||
|
description = "virtual user for anonymous NFS operations";
|
||||||
|
group = "export";
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
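Review bot: The comment at the head of the exports block, `# 10.0.0.0/8 to export both to LAN (readonly, unencrypted) and wg vpn (read-write, encrypted)`, no longer matches the new code: `fmtExport` hard-codes 10.78.79.0/22 and 10.0.10.0/24, and the playground entry puts `"rw"` in `baseOpts`, so that export is writable from the unencrypted LAN as well; I would reword it to `# LAN 10.78.79.0/22 (unencrypted): ro, except playground which is rw+all_squash; wg vpn 10.0.10.0/24 (encrypted): rw`. Since the README in this same commit drops the line about a shared quota, nothing visible here bounds how much an anonymous LAN client can write under /var/export/playground; if the `mountpoint` option reflects that the playground is its own filesystem with a fixed size, a comment on the `baseOpts` list saying so would make that containment explicit. The `anonuid=` value depends on `config.users.users.nfsuser.uid` being set elsewhere (the nfsuser definition here gives only `isSystemUser = true`, presumably fed by the `sane.ids` entry in the other file); if it evaluated to null, `builtins.toString null` yields an empty string and the option becomes a bare `anonuid=`, so an assertion that the uid is non-null would fail the build instead of producing a malformed /etc/exports.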
@ -45,6 +45,7 @@
|
||||||
sane.ids.trust-dns.uid = 2411;
|
sane.ids.trust-dns.uid = 2411;
|
||||||
sane.ids.trust-dns.gid = 2411;
|
sane.ids.trust-dns.gid = 2411;
|
||||||
sane.ids.export.gid = 2412;
|
sane.ids.export.gid = 2412;
|
||||||
|
sane.ids.nfsuser.uid = 2413;
|
||||||
|
|
||||||
sane.ids.colin.uid = 1000;
|
sane.ids.colin.uid = 1000;
|
||||||
sane.ids.guest.uid = 1100;
|
sane.ids.guest.uid = 1100;
|
||||||
|
|