diff --git a/devices/srv1/node0/default.nix b/devices/srv1/node0/default.nix index 79e269a0..73cb98af 100644 --- a/devices/srv1/node0/default.nix +++ b/devices/srv1/node0/default.nix @@ -6,7 +6,6 @@ inputs: { system = { - nix = { marches = [ "cascadelake" "broadwell" ]; remote.slave.enable = true; }; nixpkgs.march = "cascadelake"; networking.networkd.static = { @@ -17,11 +16,7 @@ inputs: }; services = { - xray.client = - { - enable = true; - dnsmasq.extraInterfaces = [ "eno146" ]; - }; + xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; }; beesd.instances.root = { device = "/"; hashTableSizeMB = 512; threads = 4; }; wireguard = { @@ -30,33 +25,13 @@ inputs: publicKey = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM="; wireguardIp = "192.168.83.9"; }; + nfs = { root = "/"; exports = "/home"; accessLimit = "192.168.178.0/24"; }; }; packages.packages._prebuildPackages = [ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ]; }; - services.nfs.server = - { - enable = true; - exports = - '' - / 192.168.178.0/24(rw,no_root_squash,fsid=0,sync,crossmnt) - /home 192.168.178.0/24(rw,no_root_squash,sync,crossmnt) - ''; - }; - networking = - { - firewall.allowedTCPPorts = [ 2049 ]; - }; + # allow other machine access network by this machine systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both"; - services.rpcbind.enable = true; - fileSystems = - { - "/nix/share/home" = - { - device = "/home"; - options = [ "rbind" ]; - }; - }; # without this, tproxy does not work # TODO: why? networking.firewall.trustedInterfaces = [ "eno146" ]; diff --git a/devices/srv1/node1/default.nix b/devices/srv1/node1/default.nix index 1d574c90..ca876c90 100644 --- a/devices/srv1/node1/default.nix +++ b/devices/srv1/node1/default.nix 
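Review bot: In the `nfs = { ... }` attrset added to node0, `exports = "/home";` is a plain string, but the module this commit introduces declares `nixos.services.nfs.exports` as `types.listOf types.nonEmptyStr`, so evaluating srv1-node0 should fail with a type error; it needs to be `exports = [ "/home" ];`. The removed `fileSystems."/nix/share/home"` rbind mount has no counterpart in the new module, so anything on node0 that still resolves `/nix/share/home` breaks unless that mount moved elsewhere in the tree, which I cannot see from this diff. The added comment is hard to read; `# allow other machines to reach the network through this machine (NAT via eno146)` states the intent more clearly. The enclosing `system`/`services` attrsets begin before this hunk and the outer module continues after it.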
@@ -13,24 +13,19 @@ inputs: eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; }; }; cluster.nodeType = "worker"; - initrd.sshd.enable = true; - nix.remote.slave.enable = true; }; services.beesd.instances.root = { device = "/"; hashTableSizeMB = 256; threads = 4; }; packages.packages._prebuildPackages = [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ]; }; - specialisation = + specialisation.no-share-home.configuration = { - no-share-home.configuration = + nixos = { - nixos = - { - services.slurm.enable = inputs.lib.mkForce false; - system.cluster.nodeType = inputs.lib.mkForce "master"; - }; - system.nixos.tags = [ "no-share-home" ]; + services.slurm.enable = inputs.lib.mkForce false; + system.cluster.nodeType = inputs.lib.mkForce "master"; }; + system.nixos.tags = [ "no-share-home" ]; }; fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker") { diff --git a/devices/srv1/node2/default.nix b/devices/srv1/node2/default.nix index 025e431c..4ceaa442 100644 --- a/devices/srv1/node2/default.nix +++ b/devices/srv1/node2/default.nix @@ -17,17 +17,14 @@ inputs: packages.packages._prebuildPackages = [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ]; }; - specialisation = + specialisation.no-share-home.configuration = { - no-share-home.configuration = + nixos = { - nixos = - { - services.slurm.enable = inputs.lib.mkForce false; - system.cluster.nodeType = inputs.lib.mkForce "master"; - }; - system.nixos.tags = [ "no-share-home" ]; + services.slurm.enable = inputs.lib.mkForce false; + system.cluster.nodeType = inputs.lib.mkForce "master"; }; + system.nixos.tags = [ "no-share-home" ]; }; fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker") { diff --git a/devices/srv1/node3/default.nix b/devices/srv1/node3/default.nix index 63b9253c..59a75784 100644 --- a/devices/srv1/node3/default.nix 
+++ b/devices/srv1/node3/default.nix @@ -17,17 +17,14 @@ inputs: packages.packages._prebuildPackages = [ inputs.topInputs.self.nixosConfigurations.srv1-node0.config.system.build.toplevel ]; }; - specialisation = + specialisation.no-share-home.configuration = { - no-share-home.configuration = + nixos = { - nixos = - { - services.slurm.enable = inputs.lib.mkForce false; - system.cluster.nodeType = inputs.lib.mkForce "master"; - }; - system.nixos.tags = [ "no-share-home" ]; + services.slurm.enable = inputs.lib.mkForce false; + system.cluster.nodeType = inputs.lib.mkForce "master"; }; + system.nixos.tags = [ "no-share-home" ]; }; fileSystems = inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType == "worker") { diff --git a/modules/services/nfs.nix b/modules/services/nfs.nix new file mode 100644 index 00000000..53b09ea7 --- /dev/null +++ b/modules/services/nfs.nix @@ -0,0 +1,29 @@ +inputs: +{ + options.nixos.services.nfs = let inherit (inputs.lib) mkOption types; in mkOption + { + type = types.nullOr (types.submodule { options = + { + root = mkOption { type = types.nonEmptyStr; }; + exports = mkOption { type = types.listOf types.nonEmptyStr; }; + accessLimit = mkOption { type = types.nonEmptyStr; }; + };}); + default = null; + }; + config = let inherit (inputs.config.nixos.services) nfs; in inputs.lib.mkIf (nfs != null) + { + services = + { + rpcbind.enable = true; + nfs.server = + { + enable = true; + exports = "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)" + + builtins.concatStringsSep "\n" (builtins.map + (export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)") + nfs.exports); + }; + }; + networking.firewall.allowedTCPPorts = [ 2049 ]; + }; +}
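Review bot: The `exports` string in the new module has no separator between the root export and the mapped ones: `"${nfs.root} ...crossmnt)" + builtins.concatStringsSep "\n" (...)` produces `crossmnt)/home 192.168.178.0/24(...)` on one line for node0, which exportfs will not parse as two exports. Build every entry into one list and join it, e.g. `builtins.concatStringsSep "\n" ([ "${nfs.root} ${nfs.accessLimit}(rw,no_root_squash,fsid=0,sync,crossmnt)" ] ++ builtins.map (export: "${export} ${nfs.accessLimit}(rw,no_root_squash,sync,crossmnt)") nfs.exports)`. Separately, `rw,no_root_squash` is hard-coded for every export including `nfs.root`, which node0 sets to `/`: with AUTH_SYS the only gate is the `accessLimit` address match, so any host on that /24 that has local root (or can spoof a source address on the segment) gets unrestricted root write access to node0's whole root filesystem, `/etc` and `/nix/store` included. I would expose this as an option that squashes root by default and have node0 set `rootSquash = false;` only if the shared cluster tree genuinely needs client root to write it, and note that `allowedTCPPorts` opens 2049 on every interface rather than only the cluster-facing one (`networking.firewall.interfaces.<name>.allowedTCPPorts` would narrow it).
```nix
      accessLimit = mkOption { type = types.nonEmptyStr; };
      # NOTE(review): squash root by default; hosts that truly need no_root_squash opt out explicitly
      rootSquash = mkOption { type = types.bool; default = true; };
# … unchanged: config = let … mkIf (nfs != null), rpcbind.enable …
        exports = let
          squash = if nfs.rootSquash then "root_squash" else "no_root_squash";
          entries = [ "${nfs.root} ${nfs.accessLimit}(rw,${squash},fsid=0,sync,crossmnt)" ]
            ++ builtins.map (export: "${export} ${nfs.accessLimit}(rw,${squash},sync,crossmnt)") nfs.exports;
        in builtins.concatStringsSep "\n" entries;
# … unchanged: networking.firewall.allowedTCPPorts …
```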