1 change: 1 addition & 0 deletions flake.nix
Expand Up @@ -232,6 +232,7 @@
pkgs.agenix-rekey
pkgs.age-plugin-fido2-hmac
colmena.packages.${pkgs.system}.colmena
disko.packages.${pkgs.system}.disko
];
};
deploy = pkgs.mkShell {
123 changes: 123 additions & 0 deletions hosts/servers/trenderhoof.nix
@@ -0,0 +1,123 @@
{
networking.hostName = "trenderhoof";

ocf.network = {
enable = true;
lastOctet = 128;
};

ocf.nfs-export = {
enable = true;
# https://github.com/ocf/puppet/blob/a081b2210691bd46d585accc8548c985188486a0/modules/ocf_filehost/manifests/init.pp#L10-L16
exports = [
{
directory = "/opt/homes";
hosts = [
"admin"
"www"
"ssh"
"apphost"
"adenine"
"guanine"
"cytosine"
"thymine"
"fluttershy"
"rainbowdash"
];
options = [
"rw"
"fsid=0"
"no_subtree_check"
"no_root_squash"
];
}
];
};


boot.loader = {
grub.enable = true;
systemd-boot.enable = false;
};

# FIXME remove and make sure it still boots
hardware.enableAllHardware = true;

disko.devices = {
disk = {
main = {
device = "/dev/disk/by-id/ata-Micron_5100_MTFDDAK960TBY_1725190CE6F0";
type = "disk";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02";
size = "1M";
priority = 1;
};
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};

boot.swraid = {
enable = true;
mdadmConf = ''
MAILADDR [email protected]
@dotlambda dotlambda Nov 30, 2025

Not sure which email address this should be. It's where

alerts should be sent to when mdadm is running in --monitor mode (and was given the --scan option).1

On dataloss, /etc/mdadm/mdadm.conf says

MAILADDR root
complete /etc/mdadm/mdadm.conf
# mdadm.conf
#
# !NB! Run update-initramfs -u after updating this file.
# !NB! This will ensure that initramfs has an uptodate copy.
#
# Please refer to mdadm.conf(5) for information about this file.
#

# by default (built-in), scan all partitions (/proc/partitions) and all
# containers for MD superblocks. alternatively, specify devices to scan, using
# wildcards if desired.
#DEVICE partitions containers

# automatically tag new arrays as belonging to the local system
HOMEHOST <system>

# instruct the monitoring daemon where to send mail alerts
MAILADDR root

# definitions of existing MD arrays
#ARRAY /dev/md/nfs  metadata=1.2 UUID=4239539d:502ce95e:eb4b4e88:2c55614a name=dataloss:nfs

# This configuration was auto-generated on Sat, 13 Nov 2021 15:07:16 -0800 by mkconf
#ARRAY /dev/md/nfs  metadata=1.2 UUID=4239539d:502ce95e:eb4b4e88:2c55614a name=dataloss:nfs
#ARRAY /dev/md/nfs  metadata=1.2 UUID=4239539d:502ce95e:eb4b4e88:2c55614a name=dataloss:nfs
ARRAY /dev/md/nfs  metadata=1.2 UUID=46b10914:9f84099b:dd54304a:917d7898 name=dataloss:nfs
#ARRAY /dev/md/nfs-old  metadata=1.2 UUID=4239539d:502ce95e:eb4b4e88:2c55614a name=dataloss:nfs-old

Footnotes

  1. https://www.man7.org/linux/man-pages/man5/mdadm.conf.5.html

ARRAY /dev/md/nfs metadata=1.2 UUID=46b10914:9f84099b:dd54304a:917d7898 name=dataloss:nfs
'';
};

fileSystems = {
"/opt/homes" = {
device = "/dev/md/nfs";
fsType = "ext4";
options = [
"noacl"
"noatime"
"nodev"
"usrquota"
];
};

# Bind mount /opt/homes/home to /home. This allows running
# mount trenderhoof:/home /home
# In fact, since home is CNAMEd to filehost is CNAMEd to trenderhoof, even
# mount homes:/home /home
# works and that's what the Puppet config in modules/ocf/manifests/nfs.pp does.
"/home" = {
device = "/opt/homes/home";
fsType = "none";
options = [ "bind" ];
};
"/services" = {
device = "/opt/homes/services";
fsType = "none";
options = [ "bind" ];
};
};

nixpkgs.hostPlatform = "x86_64-linux";

system.stateVersion = "25.11";
}
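Review bot: The `/opt/homes` export under `ocf.nfs-export.exports` combines `rw` with `no_root_squash`, so root on any of the ten listed client hosts is root over every home directory on this server, and because no `sec=` option is given the export runs with the `sec=sys` default, trusting whatever UID/GID a client presents. That looks like deliberate parity with the Puppet export the link above cites, but the trust assumption deserves to be stated next to the option so the host list is not widened casually: `# no_root_squash + sec=sys: every host below is trusted as much as this machine; root there is root here.` Separately, the `/opt/homes` mount sets `nodev` but not `nosuid`; unless something relies on setuid binaries under home, `"nosuid"` belongs in that options list as well.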
1 change: 1 addition & 0 deletions modules/ocf/managed-deployment.nix
Expand Up @@ -30,6 +30,7 @@ in
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce
"[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token
"[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6TAvD4mDHB7BRgCgG50IOc0417lgpYxG8qZ2d7DesV" # dotlambda
];
};

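Review bot: The key added for dotlambda is a plain `ssh-ed25519` key, whereas the two sbwilliams entries beside it are `sk-ssh-ed25519@openssh.com` FIDO2 hardware-token keys, and this list presumably authorizes deployment access to every managed host. If the new private key lives on disk rather than on a token it becomes the weakest entry in the list; consider enrolling an `sk-` key, or at least record in the trailing comment how the private key is protected, e.g. `# dotlambda (software key, passphrase-protected)`. The list this hunk extends begins outside the hunk.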
62 changes: 62 additions & 0 deletions modules/ocf/nfs-export.nix
@@ -0,0 +1,62 @@
{ config, lib, ... }:

let
inherit (lib)
concatMapStrings
concatMapStringsSep
concatStringsSep
mkEnableOption
mkIf
mkOption
types
;
cfg = config.ocf.nfs-export;
in
{
options.ocf.nfs-export = {
enable = mkEnableOption "NFS exports";
exports = mkOption {
type = types.listOf (
types.submodule {
options = {
directory = mkOption {
type = types.path;
};
hosts = mkOption {
description = "Hosts with which the export is shared";
example = [
"192.168.0.0/28"
"*.ocf.io"
];
type = with types; nonEmptyListOf str;
};
options = mkOption {
default = [ ];
description = "NFS options applied to all hosts";
example = [ "rw" ];
type = with types; listOf str;
};
};
}
);
};
};

config = mkIf cfg.enable {
services.nfs.server = {
enable = true;
# https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/deployment_guide/s1-nfs-server-config-exports
exports = concatMapStrings (export: ''
${export.directory} \
${concatMapStringsSep " \\\n " (
host: "${host}(${concatStringsSep "," export.options})"
) export.hosts}
'') cfg.exports;
};

networking.firewall.allowedTCPPorts = [
# sufficient for NFSv4
2049
];
};
}
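Review bot: Each entry of `hosts` is spliced verbatim into `/etc/exports` as `host(options)`, so a value containing whitespace or parentheses silently changes which clients match (a string such as `"* foo"` would yield a bare `*` entry with default options); tightening the type to `type = with types; nonEmptyListOf (strMatching "[^[:space:]()]+");` rejects that at evaluation time. When `options` is left at its default `[ ]` the generated entry is `host()`; confirm that exportfs accepts an empty option list, or omit the parentheses in that case. The firewall opens only 2049/TCP, so NFSv3 clients cannot reach mountd/rpcbind from outside the host — a comment stating that the module is NFSv4-only as deployed would save the next reader from debugging that.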
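--- a/secrets/host-keys/trenderhoof.pub
+++ b/secrets/host-keys/trenderhoof.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHZpj8sV40I6Pab3Jup+f+eH+9Bf3CEhajswD5eGHTZ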
@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 RgUMkQ 8ggGWkHW67SV/BktBgTolq4ZUXYDdgmJR88THMx2Jz8
zFEvazxXmtrfT6d1KAoQOvgKcAgQ0MGBXZmbP+FaJt4
-> EUK3R-grease
/5H1MwTh69z1pszb5c8p/a26xe4Am04Pnqsrf8ixJFAgEpAX7U+fPVNXkMeF1zzJ
Wo3t1Ndzk5FTC7/oS3kKTn/aMRHfN/NJCtcEtazhtLM/a2ZQSU5pB4bYRGz7Ys7N
M4Q
--- +HivWJMJweyF58MlGLkK9RYFjko7bT2lHx2QpyqVdcw
5��p�ƾpM���"* 5þݸK�Ҍ��D�E��d���j� 9�n|��}O A8Lp���N�
�o��9�ҸԊ�%�<��`�e��������)��k�$�b�C���������
@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 RgUMkQ EPL+fghcpX2doHrSHLTy2vQROOwpc+S7QlqZpAepuX0
LQ1lDiFjWxOF42NR7ZEHCQlJfO6AjtRU4Wufej06PwM
-> p<I?Z-grease b>$iLTP PkLB|6 (glLp
q1f8HSAZ3tST4NxMBxQxVBmWTZrReHsT6az5lk5tFeNP+tFrpjuZI5Hv85Sruy+j
5zjhqTOg4PbsIzjMeJFy7Dk4JM+/kOT0NhyDE4WhHNC3cSrF0G9h+JZbnfngPCkZ
Qg
--- q4IVyLNABx+/GKCi+853bvl/foHVUIC5gFjCGR+5YEo
�'�����m"j����"�4����p�)_q^�gC�q9���f��;'xj�U����S%{S���\ͷ��5PF�:?���b\��&ӬT*��
���n �