Rodrigo Arias Mallo
6551dce813
Allows root to read files in the NFS export, so we can directly run `nixos-rebuild switch` from /home. Reviewed-by: Aleix Boné <abonerib@bsc.es>
38 lines
1.5 KiB
Nix
38 lines
1.5 KiB
Nix
{ ... }:
|
|
|
|
{
|
|
services.nfs.server = {
|
|
enable = true;
|
|
lockdPort = 4001;
|
|
mountdPort = 4002;
|
|
statdPort = 4000;
|
|
exports = ''
|
|
/home 10.0.40.0/24(rw,sync,no_subtree_check,no_root_squash)
|
|
'';
|
|
};
|
|
networking.firewall = {
|
|
# Check with `rpcinfo -p`
|
|
extraCommands = ''
|
|
# Accept NFS traffic from compute nodes but not from the outside
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
|
|
# Same but UDP
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002 -j nixos-fw-accept
|
|
iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
|
|
'';
|
|
# Flush all rules and chains on stop so it won't break on start
|
|
extraStopCommands = ''
|
|
iptables -F
|
|
iptables -X
|
|
'';
|
|
};
|
|
}
|