{ config, lib, nodes, ... }:
{
  imports = [ ./user ];

  config = lib.mkIf config.services.nfs.server.enable {
    services.nfs.server.exports = "/storage *(rw)";
    networking.firewall.extraInputRules = let
      targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
    in ''
      ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 2049 accept
    '';
  };
}