nixos-config/hosts/vm-oddjob/configuration.nix

{
  inputs,
  lib,
  pkgs,
  config,
  ...
}:

{
  # State version
  system.stateVersion = "24.11";

  # Machine hostname
  networking.hostName = "vm-oddjob";

  # Enabled modules
  modules = {
    profiles.vm.enable = true;
  };

  # Setup NAS backups
  environment.etc."request-key.conf".text =
    let
      upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
      keyctl = "${pkgs.keyutils}/bin/keyctl";
    in
    ''
      #OP    TYPE         DESCRIPTION  CALLOUT_INFO PROGRAM
      # -t is required for DFS share servers...
      create cifs.spnego  *            *            ${upcall} -t %k
      create dns_resolver *            *            ${upcall} %k
      # Everything below this is essentially the
      # defualt configuration
      create user         debug:*      negate       ${keyctl} negate %k 30 %S
      create user         debug:*      rejected     ${keyctl} reject %k 30 %c %S
      create user         debug:*      expired      ${keyctl} reject %k 30 %c %S
      create user         debug:*      revoked      ${keyctl} reject %k 30 %c %S
      create user         debug:loop:* *            |${pkgs.coreutils}/bin/cat
      create user         debug:*      *            ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
      negate *            *            *            ${keyctl} negate %k 30 %S
    '';
  sops.secrets."smb-credentials" = {
    sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
  };
  systemd.services.mnt-nas-krb5 = {
    description = "Set up Kerberos credentials for mnt-nas";
    before = [ "mnt-nas.mount" ];
    requiredBy = [ "mnt-nas.mount" ];
    serviceConfig.type = "oneshot";
    script = ''
      . ${config.sops.secrets."smb-credentials".path}
      echo $password | ${pkgs.krb5}/bin/kinit $username
    '';
  };
  fileSystems."/mnt/nas" = {
    device = "//${inputs.secrets.lab.nas.host}/Backup";
    fsType = "cifs";
    options = [ "sec=krb5,credentials=${config.sops.secrets."smb-credentials".path}" ];
  };
}
Added oddjob VM 2025-06-07 21:15:31 +02:00			`{`
Added samba mount 2025-06-07 23:36:21 +02:00			`inputs,`
Added oddjob VM 2025-06-07 21:15:31 +02:00			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`

			`{`
			`# State version`
			`system.stateVersion = "24.11";`

			`# Machine hostname`
Set correct hostname 2025-06-07 23:38:38 +02:00			`networking.hostName = "vm-oddjob";`
Added oddjob VM 2025-06-07 21:15:31 +02:00
			`# Enabled modules`
			`modules = {`
			`profiles.vm.enable = true;`
			`};`

Added samba mount 2025-06-07 23:36:21 +02:00			`# Setup NAS backups`
Set up request-key.conf 2025-06-09 13:54:31 +02:00			`environment.etc."request-key.conf".text =`
			`let`
			`upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";`
			`keyctl = "${pkgs.keyutils}/bin/keyctl";`
			`in`
			`''`
			`#OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM`
			`# -t is required for DFS share servers...`
			`create cifs.spnego * * ${upcall} -t %k`
			`create dns_resolver * * ${upcall} %k`
			`# Everything below this is essentially the`
			`# defualt configuration`
			`create user debug:* negate ${keyctl} negate %k 30 %S`
			`create user debug:* rejected ${keyctl} reject %k 30 %c %S`
			`create user debug:* expired ${keyctl} reject %k 30 %c %S`
			`create user debug:* revoked ${keyctl} reject %k 30 %c %S`
			`create user debug:loop:* * \|${pkgs.coreutils}/bin/cat`
			`create user debug:* * ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S`
			`negate * * * ${keyctl} negate %k 30 %S`
			`'';`
Added samba mount 2025-06-07 23:36:21 +02:00			`sops.secrets."smb-credentials" = {`
			`sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";`
			`};`
Added service to set up user keytab 2025-06-09 14:23:11 +02:00			`systemd.services.mnt-nas-krb5 = {`
			`description = "Set up Kerberos credentials for mnt-nas";`
			`before = [ "mnt-nas.mount" ];`
			`requiredBy = [ "mnt-nas.mount" ];`
			`serviceConfig.type = "oneshot";`
			`script = ''`
			`. ${config.sops.secrets."smb-credentials".path}`
Use kinit from krb5 package 2025-06-09 14:28:54 +02:00			`echo $password \| ${pkgs.krb5}/bin/kinit $username`
Added service to set up user keytab 2025-06-09 14:23:11 +02:00			`'';`
			`};`
Added samba mount 2025-06-07 23:36:21 +02:00			`fileSystems."/mnt/nas" = {`
			`device = "//${inputs.secrets.lab.nas.host}/Backup";`
			`fsType = "cifs";`
Added krb5 as sec for smb mount 2025-06-07 23:47:20 +02:00			`options = [ "sec=krb5,credentials=${config.sops.secrets."smb-credentials".path}" ];`
Added samba mount 2025-06-07 23:36:21 +02:00			`};`
Added oddjob VM 2025-06-07 21:15:31 +02:00			`}`