Move request-key configuration

2025-06-09 15:00:44 +02:00 · 2025-06-09 15:00:44 +02:00 · 537e30a347
commit 537e30a347
parent 2fec5ead38
1 changed files with 16 additions and 30 deletions
--- a/hosts/vm-oddjob/configuration.nix
+++ b/hosts/vm-oddjob/configuration.nix
@ -19,39 +19,25 @@
  };
  # Setup NAS backups
-  environment.etc."request-key.conf".text =
+  environment.etc."request-key.d/cifs.spnego.conf".text = ''
-    let
+    create cifs.spnego * * ${pkgs.cifs-utils}/bin/cifs.upcall -t %k
-      upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
+  '';
-      keyctl = "${pkgs.keyutils}/bin/keyctl";
+  environment.etc."request-key.d/cifs.idmap.conf".text = ''
-    in
+    create cifs.idmap * * ${pkgs.cifs-utils}/bin/cifs.idmap %k
    ''
      #OP    TYPE         DESCRIPTION  CALLOUT_INFO PROGRAM
      # -t is required for DFS share servers...
      create cifs.spnego  *            *            ${upcall} -t %k
      create dns_resolver *            *            ${upcall} %k
      # Everything below this is essentially the
      # defualt configuration
      create user         debug:*      negate       ${keyctl} negate %k 30 %S
      create user         debug:*      rejected     ${keyctl} reject %k 30 %c %S
      create user         debug:*      expired      ${keyctl} reject %k 30 %c %S
      create user         debug:*      revoked      ${keyctl} reject %k 30 %c %S
      create user         debug:loop:* *            |${pkgs.coreutils}/bin/cat
      create user         debug:*      *            ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
      negate *            *            *            ${keyctl} negate %k 30 %S
  '';
  sops.secrets."smb-credentials" = {
    sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
  };
-  systemd.services.mnt-nas-krb5 = {
+  # systemd.services.mnt-nas-krb5 = {
-    description = "Set up Kerberos credentials for mnt-nas";
+  #   description = "Set up Kerberos credentials for mnt-nas";
-    before = [ "mnt-nas.mount" ];
+  #   before = [ "mnt-nas.mount" ];
-    requiredBy = [ "mnt-nas.mount" ];
+  #   requiredBy = [ "mnt-nas.mount" ];
-    serviceConfig.type = "oneshot";
+  #   serviceConfig.type = "oneshot";
-    script = ''
+  #   script = ''
-      . ${config.sops.secrets."smb-credentials".path}
+  #     . ${config.sops.secrets."smb-credentials".path}
-      echo $password | ${pkgs.krb5}/bin/kinit $username
+  #     echo $password | ${pkgs.krb5}/bin/kinit $username
-    '';
+  #   '';
-  };
+  # };
  fileSystems."/mnt/nas" = {
    device = "//${inputs.secrets.lab.nas.host}/Backup";
    fsType = "cifs";