testing fix for nfs shares

2025-06-11 09:51:36 +02:00 · 2025-06-11 09:51:36 +02:00 · 3f93a85469
commit 3f93a85469
parent e440585a8c
3 changed files with 452 additions and 12 deletions
--- a/machines/sleeper-service/nfs.nix
+++ b/machines/sleeper-service/nfs.nix
@ -9,32 +9,89 @@
    ../../modules/users/media-group.nix
  ];

+  # NFSv4 ID mapping for consistent user/group mapping
+  services.rpcbind.enable = true;
+  services.nfs.idmapd = {
+    enable = true;
+    settings = {
+      General = {
+        Domain = "home.lab";
+        Verbosity = 0;
+      };
+      Mapping = {
+        Nobody-User = "nobody";
+        Nobody-Group = "nogroup";
+      };
+    };
+  };
+
  # NFS server configuration
  services.nfs.server = {
    enable = true;
+    # Increased thread count for better performance
+    threads = 16;
+
    # Export the storage directory (ZFS dataset)
    # Allow access from both local network and Tailscale network
+    # Using layered security approach with different permission models
    exports = ''
-      /mnt/storage       10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
-      /mnt/storage/media 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
+      # Main storage - root squashed for security, crossmnt for subdirectories
+      /mnt/storage 10.0.0.0/24(rw,sync,no_subtree_check,crossmnt,root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,root_squash)
+
+      # Media directory - accessible to media group, root squashed
+      /mnt/storage/media 10.0.0.0/24(rw,sync,no_subtree_check,root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,root_squash)
+
+      # Downloads - all users squashed to media group for simplified permissions
+      /mnt/storage/downloads 10.0.0.0/24(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993) 100.64.0.0/10(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993)
+
+      # Backups - admin access only from specific trusted hosts
+      /mnt/storage/backups 10.0.0.0/24(rw,sync,no_subtree_check,root_squash) 100.64.0.0/10(ro,sync,no_subtree_check,root_squash)
+
+      # Shares - public access via media group
+      /mnt/storage/shares 10.0.0.0/24(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993) 100.64.0.0/10(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993)
    '';
    # Create exports on startup
    createMountPoints = true;
  };

  # Ensure the storage subdirectories exist with proper ownership (ZFS dataset is mounted at /mnt/storage)
-  # Setting ownership to root:media with group write permissions for shared access
+  # Using setgid bit (2xxx) for proper group inheritance on new files/directories
  systemd.tmpfiles.rules = [
-    "d /mnt/storage/media 0775 root media -"
-    "d /mnt/storage/downloads 0775 root media -"
-    "d /mnt/storage/backups 0775 root media -"
-    "d /mnt/storage/shares 0775 root media -"
+    "d /mnt/storage/media 2775 root media -" # Setgid for group inheritance
+    "d /mnt/storage/downloads 2775 media media -" # Owned by media group
+    "d /mnt/storage/backups 0750 root root -" # Admin only, restricted access
+    "d /mnt/storage/shares 2775 media media -" # Public access via media group
  ];

+  # Performance tuning for NFS
+  boot.kernel.sysctl = {
+    # Network buffer optimizations
+    "net.core.rmem_max" = 134217728;
+    "net.core.wmem_max" = 134217728;
+    "net.ipv4.tcp_rmem" = "4096 65536 134217728";
+    "net.ipv4.tcp_wmem" = "4096 65536 134217728";
+
+    # NFS-specific optimizations
+    "fs.nfs.nlm_tcpport" = 32768;
+    "fs.nfs.nlm_udpport" = 32768;
+  };
+
  # Required packages for NFS
  environment.systemPackages = with pkgs; [
    nfs-utils
  ];

-  # Firewall rules are already configured in network module
+  # Firewall configuration for NFS services
+  networking.firewall = {
+    allowedTCPPorts = [
+      111 # portmapper (rpcbind)
+      2049 # nfsd
+      32768 # lockd
+    ];
+    allowedUDPPorts = [
+      111 # portmapper (rpcbind)
+      2049 # nfsd
+      32768 # lockd
+    ];
+  };
 }
--- a/machines/sleeper-service/services/transmission.nix
+++ b/machines/sleeper-service/services/transmission.nix
@ -1,6 +1,8 @@
-{ config, pkgs, ... }:
-
 {
+  config,
+  pkgs,
+  ...
+}: {
  imports = [
    ../../../modules/users/media-group.nix
  ];
@ -8,7 +10,7 @@
  services.transmission = {
    package = pkgs.transmission_4;
    enable = true;
-    user = "sma";  # Using admin user for server processes
+    user = "sma"; # Using admin user for server processes
    group = "media";
    settings.rpc-port = 9091;
    settings.rpc-bind-address = "0.0.0.0";
@ -19,7 +21,7 @@
      rpc-host-whitelist = "sleeper-service,localhost,congenital-optimist";
    };
  };
-  
+
  # Downloads directory ownership will be handled by NFS module tmpfiles rules
  # Removed duplicate tmpfiles rule since NFS module already creates this directory
 }