From 88891b44be5244ef99defed93e74db9a0a648724 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 20 Feb 2022 08:24:38 +0100
Subject: [PATCH] bundles/nfs-server: ensure nfs runs on managed ports, fix firewall rules

---
 bundles/nfs-server/files/etc-default | 19 +++++++++++++++++++
 bundles/nfs-server/items.py | 6 ++++++
 bundles/nfs-server/metadata.py | 22 +++++++++++++++-------
 bundles/sysctl/items.py | 1 +
 4 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 bundles/nfs-server/files/etc-default

diff --git a/bundles/nfs-server/files/etc-default b/bundles/nfs-server/files/etc-default
new file mode 100644
index 0000000..614ac2f
--- /dev/null
+++ b/bundles/nfs-server/files/etc-default
@@ -0,0 +1,19 @@
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--port 35295"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=""
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=""
diff --git a/bundles/nfs-server/items.py b/bundles/nfs-server/items.py
index bb68646..dacbc48 100644
--- a/bundles/nfs-server/items.py
+++ b/bundles/nfs-server/items.py
@@ -5,6 +5,12 @@ files = {
 'action:nfs_reload_shares',
 },
 },
+ '/etc/default/nfs-kernel-server': {
+ 'source': 'etc-default',
+ 'triggers': {
+ 'svc_systemd:nfs-server:restart',
+ },
+ },
 }
 
 actions = {
diff --git a/bundles/nfs-server/metadata.py b/bundles/nfs-server/metadata.py
index 333d7f7..4b9e8d5 100644
--- a/bundles/nfs-server/metadata.py
+++ b/bundles/nfs-server/metadata.py
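Review bot: The mountd port in `RPCMOUNTDOPTS="--port 35295"` is a bare literal that the firewall rule list in bundles/nfs-server/metadata.py repeats verbatim, so the two can drift apart and a changed port would simply be blocked by the firewall with no error at deploy time; rendering this file as a template from one metadata value such as `nfs-server/mountd_port`, read by both the file and the firewall reactor, removes that duplication. The file also keeps NFSv3 enabled but does not pin rpc.statd — on Debian its options live in /etc/default/nfs-common, not here — so statd presumably still binds a random port that no port-based rule can anticipate. At minimum, a comment above RPCMOUNTDOPTS such as `# 35295 must match the port_rules emitted by metadata.py` would tell the next editor where the coupling is.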
@@ -11,6 +11,15 @@ defaults = {
 },
 },
 },
+ 'sysctl': {
+ 'options': {
+ 'fs.nfs.nlm_udpport': 4045,
+ 'fs.nfs.nlm_tcpport': 4045,
+ },
+ 'reload_triggers': {
+ 'svc_systemd:nfs-server:restart',
+ },
+ },
 }
 
 
@@ -19,18 +28,17 @@ defaults = {
 )
 def firewall(metadata):
 ips = set()
-
 for share_items in metadata.get('nfs-server/shares', {}).values():
 for share_target in share_items:
 ips.add(share_target)
 
+ rules = {}
+ for port in ('111', '2049', '1110', '4045', '35295'): # TODO find out if we need more ports
+ for proto in ('', '/udp'):
+ rules[port + proto] = atomic(ips)
+
 return {
 'firewall': {
- 'port_rules': {
- '111': atomic(ips),
- '111/udp': atomic(ips),
- '2049': atomic(ips),
- '35295': atomic(ips),
- },
+ 'port_rules': rules,
 },
 }
diff --git a/bundles/sysctl/items.py b/bundles/sysctl/items.py
index 4b804e8..c4c448c 100644
--- a/bundles/sysctl/items.py
+++ b/bundles/sysctl/items.py
@@ -36,5 +36,6 @@ actions = {
 'needs': {
 'file:/usr/local/sbin/apply-sysctl',
 },
+ 'triggers': node.metadata.get('sysctl/reload_triggers', set())
 },
 }
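Review bot: The `fs.nfs.nlm_udpport` / `fs.nfs.nlm_tcpport` entries are registered by the lockd module, so on a host where lockd is a module that has not been loaded yet (a fresh deploy before nfs-server starts) the apply-sysctl action will most likely fail or silently skip them, and once lockd has bound a port it keeps it until it is fully torn down, which a plain nfs-server restart may not guarantee. Setting the same values as module options (`options lockd nlm_udpport=4045 nlm_tcpport=4045` in a modprobe.d file) fixes the port before the first bind and does not depend on ordering; if the sysctl route is kept, a comment above `'sysctl': {` saying that the restart trigger exists only to make lockd rebind to 4045 would explain the coupling. This hunk is inside the `defaults` dict, which starts before the hunk.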
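Review bot: The tuple in `for port in ('111', '2049', '1110', '4045', '35295'):` opens 1110 on TCP and UDP, yet nothing in this commit pins any daemon to 1110 and rpc.statd's port is not fixed anywhere in the diff — so either an unused port is exposed to the share targets or statd still lands on a random port that the rule cannot cover, which the TODO on that line already hints at; if 1110 is meant for statd it needs a matching `--port` in the statd options, otherwise it should be dropped. Naming the ports makes the intent reviewable and avoids the magic list, e.g. `nfs_ports = {'rpcbind': '111', 'nfsd': '2049', 'lockd': '4045', 'mountd': '35295'}` iterated over `.values()`, and the mountd value should come from the same metadata key the etc-default file uses rather than being repeated here. Note also that the rewrite now adds a `/udp` rule for every port where the old code only had one for 111 — fine if intended, but worth a one-line comment. A docstring on `firewall()` stating that only share targets are allowed as sources and that the port list must match the pinned daemon ports would help; the reactor's decorator starts before the hunk.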
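Review bot: `'triggers': node.metadata.get('sysctl/reload_triggers', set())` attaches the nfs-server restart to the bundle-wide apply-sysctl action, so presumably any sysctl change on the node — not just the fs.nfs.* keys — restarts the NFS server and interrupts clients; if that is acceptable a comment such as `# any sysctl change restarts the services listed in sysctl/reload_triggers` would make it deliberate, otherwise the trigger should be scoped to the options that actually need the restart. The added line is also missing the trailing comma its sibling entries carry (`'needs': {...},`). The enclosing `actions` dict starts before the hunk.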