From f9301e0fe52313581920026a186955c78fcbe831 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Tue, 22 Oct 2024 22:01:49 -0400
Subject: zfs autosnapshots, syncthing, pam cleanup

---
 scripts/hostclass/nfs_server/10-nfs | 50 +++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 scripts/hostclass/nfs_server/10-nfs

(limited to 'scripts/hostclass/nfs_server/10-nfs')

diff --git a/scripts/hostclass/nfs_server/10-nfs b/scripts/hostclass/nfs_server/10-nfs
new file mode 100644
index 0000000..a775859
--- /dev/null
+++ b/scripts/hostclass/nfs_server/10-nfs
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Jails serving NFS need 'allow.nfsd' option.
+
+: ${nfsuserd_cache_size:='256'}
+: ${nfsuserd_num_servers:='4'}
+: ${nfsuserd_cache_timeout:='1'}
+: ${nfsd_srvmaxio:='1048576'}
+
+nfs_root=/share
+nfs_dataset="${state_dataset}/nfs"
+
+# Create ZFS dataset for NFS share.
+create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
+
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
+# Create nfs service principal and keytab.
+add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
+ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
+
+if [ "$BOXCONF_VIRTUALIZATION_TYPE" != jail ]; then
+  set_sysctl \
+    vfs.nfsd.issue_delegations=1 \
+    vfs.nfsd.enable_locallocks=0
+fi
+
+sysrc -v \
+  nfs_server_managegids=YES \
+  nfsuserd_enable=YES \
+  nfsuserd_flags="-usermax ${nfsuserd_cache_size} -usertimeout ${nfsuserd_cache_timeout} ${nfsuserd_num_servers}" \
+  gssd_enable=YES \
+  nfs_server_enable=YES \
+  nfs_server_flags='-t' \
+  nfs_server_maxio="$nfsd_srvmaxio" \
+  nfsv4_server_only=YES \
+  mountd_enable=YES \
+  mountd_flags='-R -S'
+
+# Our krb5.conf assumes MIT Kerberos, but the gssd in base uses the base
+# Heimdal kerberos, which doesnt support %{euid} expansion. So we must
+# override the keytab path with an environment variable.
+sysrc -v gssd_env="KRB5_KTNAME=${keytab_dir}/host.keytab"
+
+install_template -m 0644 /etc/exports
+
+for service in gssd nfsuserd mountd nfsd; do
+  service "$service" status || service "$service" start
+done
-- 
cgit v1.2.3