export: enforce a quota

2023-09-01 03:37:33 +00:00
parent 15e09573d5
commit 4fdf74fdbe
5 changed files with 42 additions and 41 deletions
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@@ -5,21 +5,33 @@
    ./sftpgo.nix
  ];

+  users.groups.export = {};

  fileSystems."/var/export/media" = {
    # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
    device = "/var/lib/uninsane/media";
    options = [ "rbind" ];
  };
-  fileSystems."/var/export/playground" = {
-    device = config.fileSystems."/mnt/persist/ext".device;
-    fsType = "btrfs";
-    options = [
-      "subvol=export-playground"
-      "compress=zstd"
-      "defaults"
-    ];
-  };
+  # fileSystems."/var/export/playground" = {
+  #   device = config.fileSystems."/mnt/persist/ext".device;
+  #   fsType = "btrfs";
+  #   options = [
+  #     "subvol=export-playground"
+  #     "compress=zstd"
+  #     "defaults"
+  #   ];
+  # };
+  # N.B.: the backing directory should be manually created here **as a btrfs subvolume** and with a quota.
+  # - `sudo btrfs subvolume create /mnt/persist/ext/persist/var/export/playground`
+  # - `sudo btrfs quota enable /mnt/persist/ext/persist/var/export/playground`
+  # - `sudo btrfs quota rescan -sw /mnt/persist/ext/persist/var/export/playground`
+  # to adjust the limits (which apply at the block layer, i.e. post-compression):
+  # - `sudo btrfs qgroup limit 20G /mnt/persist/ext/persist/var/export/playground`
+  # to query the quota/status:
+  # - `sudo btrfs qgroup show -re /var/export/playground`
+  sane.persist.sys.ext = [
+    { user = "root"; group = "export"; mode = "0775"; path = "/var/export/playground"; }
+  ];

  sane.fs."/var/export/README.md" = {
    wantedBy = [ "nfs.service" "sftpgo.service" ];
@@ -29,14 +41,14 @@
    '';
  };

-  # sane.fs."/var/lib/sftpgo/export/playground/README.md" = {
-  #   wantedBy = [ "nfs.service" "sftpgo.service" ];
-  #   file.text = ''
-  #     this directory is intentionally read+write by anyone.
-  #     there are no rules, except a server-level quota:
-  #     - share files
-  #     - write poetry
-  #     - be a friendly troll
-  #   '';
-  # };
+  sane.fs."/var/export/playground/README.md" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      this directory is intentionally read+write by anyone.
+      there are no rules, except a shared quota:
+      - share files
+      - write poetry
+      - be a friendly troll
+    '';
+  };
 }
--- a/hosts/by-name/servo/services/export/nfs.nix
+++ b/hosts/by-name/servo/services/export/nfs.nix
@@ -54,8 +54,9 @@
  # - fsid:  must be zero for the root export
  # - mountpoint[=/path]:  only export the directory if it's a mountpoint. used to avoid exporting failed mounts.
  #
-  # 10.0.0.0/8 to export (readonly) both to LAN (unencrypted) and wg vpn (encrypted)
+  # 10.0.0.0/8 to export both to LAN (readonly, unencrypted) and wg vpn (read-write, encrypted)
  services.nfs.server.exports = ''
    /var/export 10.78.79.0/22(ro,crossmnt,fsid=0,subtree_check) 10.0.10.0/24(rw,no_root_squash,crossmnt,fsid=0,subtree_check)
  '';
+  # TODO: export playground as read-write to LAN, with forced UID/GID mapping to nfsguest/export
 }
--- a/hosts/by-name/servo/services/export/sftpgo.nix
+++ b/hosts/by-name/servo/services/export/sftpgo.nix
@@ -9,9 +9,6 @@
 #
 # TODO: change umask so sftpgo-created files default to 644.
 # - it does indeed appear that the 600 is not something sftpgo is explicitly doing.
-#
-# TODO: enforce a "quota" by placing /playground on a btrfs subvolume
-# - sane.persist API could expose a `subvolume` option to make this feel natural


 { config, lib, pkgs, sane-lib, ... }:
@@ -126,6 +123,7 @@ in

  services.sftpgo = {
    enable = true;
+    group = "export";
    settings = {
      ftpd = {
        bindings = [
@@ -172,22 +170,10 @@ in
    };
  };

-  # fileSystems."/var/lib/sftpgo/export/media" = {
-  #   # everything in here could be considered publicly readable (based on the viewer's legal jurisdiction)
-  #   device = "/var/lib/uninsane/media";
-  #   options = [ "rbind" ];
-  # };
-  # sane.persist.sys.plaintext = [
-  #   { user = "sftpgo"; group = "sftpgo"; path = "/var/lib/sftpgo/export/playground"; }
-  # ];
-  # sane.fs."/var/lib/sftpgo/export/playground/README.md" = {
-  #   wantedBy = [ "sftpgo.service" ];
-  #   file.text = ''
-  #     this directory is intentionally read+write by anyone.
-  #     there are no rules, except a server-level quota:
-  #     - share files
-  #     - write poetry
-  #     - be a friendly troll
-  #   '';
-  # };
+  users.users.sftpgo.extraGroups = [ "export" ];
+
+  systemd.services.sftpgo.serviceConfig = {
+    ReadOnlyPaths = [ "/var/export" ];
+    ReadWritePaths = [ "/var/export/playground" ];
+  };
 }
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -44,6 +44,7 @@
  sane.ids.sftpgo.gid = 2410;
  sane.ids.trust-dns.uid = 2411;
  sane.ids.trust-dns.gid = 2411;
+  sane.ids.export.gid = 2412;

  sane.ids.colin.uid = 1000;
  sane.ids.guest.uid = 1100;
--- a/hosts/common/users/colin.nix
+++ b/hosts/common/users/colin.nix
@@ -16,6 +16,7 @@
    group = "users";
    extraGroups = [
      "dialout"  # required for modem access (moby)
+      "export"  # to read filesystem exports (servo)
      "feedbackd"
      "input"  # for /dev/input/<xyz>: sxmo
      "networkmanager"