testing fix for nfs shares

machines/sleeper-service/nfs.nix

@@ -9,32 +9,89 @@
     ../../modules/users/media-group.nix
   ];
 
+  # NFSv4 ID mapping for consistent user/group mapping
+  services.rpcbind.enable = true;
+  services.nfs.idmapd = {
+    enable = true;
+    settings = {
+      General = {
+        Domain = "home.lab";
+        Verbosity = 0;
+      };
+      Mapping = {
+        Nobody-User = "nobody";
+        Nobody-Group = "nogroup";
+      };
+    };
+  };
+
   # NFS server configuration
   services.nfs.server = {
     enable = true;
+    # Increased thread count for better performance
+    threads = 16;
+
     # Export the storage directory (ZFS dataset)
     # Allow access from both local network and Tailscale network
+    # Using layered security approach with different permission models
     exports = ''
-      /mnt/storage       10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
-      /mnt/storage/media 10.0.0.0/24(rw,sync,no_subtree_check,no_root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
+      # Main storage - root squashed for security, crossmnt for subdirectories
+      /mnt/storage 10.0.0.0/24(rw,sync,no_subtree_check,crossmnt,root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,root_squash)
+
+      # Media directory - accessible to media group, root squashed
+      /mnt/storage/media 10.0.0.0/24(rw,sync,no_subtree_check,root_squash) 100.64.0.0/10(rw,sync,no_subtree_check,root_squash)
+
+      # Downloads - all users squashed to media group for simplified permissions
+      /mnt/storage/downloads 10.0.0.0/24(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993) 100.64.0.0/10(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993)
+
+      # Backups - admin access only from specific trusted hosts
+      /mnt/storage/backups 10.0.0.0/24(rw,sync,no_subtree_check,root_squash) 100.64.0.0/10(ro,sync,no_subtree_check,root_squash)
+
+      # Shares - public access via media group
+      /mnt/storage/shares 10.0.0.0/24(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993) 100.64.0.0/10(rw,sync,no_subtree_check,all_squash,anonuid=993,anongid=993)
     '';
     # Create exports on startup
     createMountPoints = true;
   };
 
   # Ensure the storage subdirectories exist with proper ownership (ZFS dataset is mounted at /mnt/storage)
-  # Setting ownership to root:media with group write permissions for shared access
+  # Using setgid bit (2xxx) for proper group inheritance on new files/directories
   systemd.tmpfiles.rules = [
-    "d /mnt/storage/media 0775 root media -"
-    "d /mnt/storage/downloads 0775 root media -"
-    "d /mnt/storage/backups 0775 root media -"
-    "d /mnt/storage/shares 0775 root media -"
+    "d /mnt/storage/media 2775 root media -" # Setgid for group inheritance
+    "d /mnt/storage/downloads 2775 media media -" # Owned by media group
+    "d /mnt/storage/backups 0750 root root -" # Admin only, restricted access
+    "d /mnt/storage/shares 2775 media media -" # Public access via media group
   ];
 
+  # Performance tuning for NFS
+  boot.kernel.sysctl = {
+    # Network buffer optimizations
+    "net.core.rmem_max" = 134217728;
+    "net.core.wmem_max" = 134217728;
+    "net.ipv4.tcp_rmem" = "4096 65536 134217728";
+    "net.ipv4.tcp_wmem" = "4096 65536 134217728";
+
+    # NFS-specific optimizations
+    "fs.nfs.nlm_tcpport" = 32768;
+    "fs.nfs.nlm_udpport" = 32768;
+  };
+
   # Required packages for NFS
   environment.systemPackages = with pkgs; [
     nfs-utils
   ];
 
-  # Firewall rules are already configured in network module
+  # Firewall configuration for NFS services
+  networking.firewall = {
+    allowedTCPPorts = [
+      111 # portmapper (rpcbind)
+      2049 # nfsd
+      32768 # lockd
+    ];
+    allowedUDPPorts = [
+      111 # portmapper (rpcbind)
+      2049 # nfsd
+      32768 # lockd
+    ];
+  };
 }