temmie/nfs-mounts: generate systemd units ourselves

hosts/temmie/services/nfs-mounts.nix

@@ -1,21 +1,51 @@
-{ pkgs, lib, ... }:
+{ lib, ... }:
+let
+  # See microbel:/etc/exports
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
 {
-  fileSystems = let
+  systemd.mounts = map (l: {
-    # See microbel:/etc/exports
+    description = "PVV Homedirs Partition ${l}";
-    shorthandAreas = lib.listToAttrs (map
+
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
+    before = [ "remote-fs.target" ];
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
+    wantedBy = [ "multi-user.target" ];
-  in { }
+
-  //
+    type = "nfs";
-  (lib.mapAttrs (_: device: {
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
-    inherit device;
+    where = "/run/pvv-home-mounts/${l}";
-    fsType = "nfs";
+
-    options = [
+    options = lib.concatStringsSep "," [
       "nfsvers=3"
-      "noauto"
       "proto=tcp"
-      "x-systemd.automount"
+      "auto"
-      "x-systemd.idle-timeout=300"
+      "async"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
     ];
-  }) shorthandAreas);
+  }) letters;
+
+  systemd.automounts = map (l: {
+    description = "PVV Homedirs Partition ${l}";
+
+    wantedBy = [ "multi-user.target" ];
+
+    where = "/run/pvv-home-mounts/${l}";
+
+    automountConfig = {
+      # Unmount if not accessed in 5 mins
+      TimeoutIdleSec = "5min";
+    };
+  }) letters;
 }