From 537e30a3473655205aefa0a22c83ad35ddfb49f8 Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Mon, 9 Jun 2025 15:00:44 +0200
Subject: [PATCH] Move request-key configuration

---
 hosts/vm-oddjob/configuration.nix | 46 +++++++++++--------------------
 1 file changed, 16 insertions(+), 30 deletions(-)

diff --git a/hosts/vm-oddjob/configuration.nix b/hosts/vm-oddjob/configuration.nix
index bffd32e..2323aa5 100644
--- a/hosts/vm-oddjob/configuration.nix
+++ b/hosts/vm-oddjob/configuration.nix
@@ -19,39 +19,25 @@
 };
 # Setup NAS backups
- environment.etc."request-key.conf".text =
- let
- upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
- keyctl = "${pkgs.keyutils}/bin/keyctl";
- in
- ''
- #OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM
- # -t is required for DFS share servers...
- create cifs.spnego * * ${upcall} -t %k
- create dns_resolver * * ${upcall} %k
- # Everything below this is essentially the
- # defualt configuration
- create user debug:* negate ${keyctl} negate %k 30 %S
- create user debug:* rejected ${keyctl} reject %k 30 %c %S
- create user debug:* expired ${keyctl} reject %k 30 %c %S
- create user debug:* revoked ${keyctl} reject %k 30 %c %S
- create user debug:loop:* * |${pkgs.coreutils}/bin/cat
- create user debug:* * ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
- negate * * * ${keyctl} negate %k 30 %S
- '';
+ environment.etc."request-key.d/cifs.spnego.conf".text = ''
+ create cifs.spnego * * ${pkgs.cifs-utils}/bin/cifs.upcall -t %k
+ '';
+ environment.etc."request-key.d/cifs.idmap.conf".text = ''
+ create cifs.idmap * * ${pkgs.cifs-utils}/bin/cifs.idmap %k
+ '';
 sops.secrets."smb-credentials" = {
 sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
 };
- systemd.services.mnt-nas-krb5 = {
- description = "Set up Kerberos credentials for mnt-nas";
- before = [ "mnt-nas.mount" ];
- requiredBy = [ "mnt-nas.mount" ];
- serviceConfig.type = "oneshot";
- script = ''
- . ${config.sops.secrets."smb-credentials".path}
- echo $password | ${pkgs.krb5}/bin/kinit $username
- '';
- };
+ # systemd.services.mnt-nas-krb5 = {
+ # description = "Set up Kerberos credentials for mnt-nas";
+ # before = [ "mnt-nas.mount" ];
+ # requiredBy = [ "mnt-nas.mount" ];
+ # serviceConfig.type = "oneshot";
+ # script = ''
+ # . ${config.sops.secrets."smb-credentials".path}
+ # echo $password | ${pkgs.krb5}/bin/kinit $username
+ # '';
+ # };
 fileSystems."/mnt/nas" = {
 device = "//${inputs.secrets.lab.nas.host}/Backup";
 fsType = "cifs";
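Review bot: The `dns_resolver` upcall (`create dns_resolver * * ${upcall} %k` in the removed file) has no counterpart among the new `request-key.d` entries, so a mount that relies on DFS referral resolution — the very case the removed comment gives as the reason for `-t` — would presumably fail its key lookup; either confirm it is no longer needed or add `environment.etc."request-key.d/dns_resolver.conf".text = "create dns_resolver * * ${pkgs.cifs-utils}/bin/cifs.upcall %k";`. Whether an `/etc/request-key.conf` still exists on the built system so that `request-key.d/*.conf` is consulted at all is not visible in this hunk and is worth checking once. The `mnt-nas-krb5` unit is kept as ten commented-out lines rather than deleted; it stays recoverable from history, and a commented-out script that sources the SMB credential file is easy to re-enable by accident, so remove it or replace it with a one-line comment saying why it is off. With that unit gone, nothing in this hunk obtains the Kerberos ticket that `cifs.upcall` serves for `cifs.spnego`, so if the `fileSystems."/mnt/nas"` mount uses `sec=krb5` (its options are outside the hunk) it would fail until credentials are provided some other way.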