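# NixOS module: enables the NFS server and declares four exports: the Nix
# store (read-only), two nfsroot trees and a shared project directory
# (read-write).
#
# `hostRegistry` is read below for the dacbert addresses, so it must be bound
# as a module argument; without it the expression fails with an undefined
# variable. NOTE(review): it is not a standard module argument; presumably it
# is injected via specialArgs or _module.args. Confirm against the flake.
{ hostRegistry, lib, ... }:

{
  # share /nix/store via NFS read-only
  services.nfs.server = {
    enable = true;
    exports =
      let
        # Client networks (CIDR) that the subnet-wide exports are opened to.
        # No sec= option is set anywhere, so clients are identified by source
        # address only (AUTH_SYS): every host inside these prefixes is trusted.
        allowed = [
          "172.22.99.0/24"
          "172.20.72.0/21"
          "30c:c3d2:b946:76d0::/64"
          "2a00:8180:2c00:200::/56"
          "fd23:42:c3d2:500::/56"
        ];

        # Builds the option list of one client entry: access mode `o`
        # ("ro"/"rw") plus the fixed options and a per-export fsid.
        #
        # - no_root_squash: uid 0 on the client is NOT mapped to the anonymous
        #   user. An nfsroot needs this, but on an "rw" export it means root on
        #   any permitted client can write as root on the server side.
        # - async: the server may reply before data reaches stable storage, so
        #   a server crash can lose writes on the "rw" exports.
        opts = o: fsid:
          lib.concatStringsSep "," [
            o
            "async"
            "no_subtree_check"
            "no_root_squash"
            "fsid=${toString fsid}"
          ];

        # Renders "client(options)" for each entry of `nets`, space-separated,
        # which is the per-line client list format of exports(5).
        clients = mode: fsid: nets:
          lib.concatMapStringsSep " " (subnet: "${subnet}(${opts mode fsid})") nets;

        # Only the dacbert nfsroot is pinned to single host addresses.
        dacbertAddrs = [
          "${hostRegistry.dacbert.ip4}/32"
          "${hostRegistry.dacbert.ip6}/128"
        ];

        # NOTE(review): /nix/store uses fsid=0, which exports(5) defines as the
        # NFSv4 root export. Confirm this is intended; the other exports do not
        # live below /nix/store.
        #
        # NOTE(review): the riscbert nfsroot and the dump-dvb share are "rw" +
        # no_root_squash for every prefix in `allowed`. Consider pinning
        # riscbert to that host's own addresses, as done for dacbert, and
        # dropping no_root_squash on the shared directory if its clients do not
        # need root. Firewalling the NFS ports to these prefixes is assumed.
      in
      ''
        # ro-store for netbooting Pi4
        /nix/store ${clients "ro" 0 allowed}
        # rootfs for 100% nfsroot
        /var/lib/nfsroot/dacbert ${clients "rw" 1 dacbertAddrs}
        /var/lib/nfsroot/riscbert ${clients "rw" 2 allowed}
        # shared space for dump-dvb project
        /var/lib/dump-dvb/whoopsie ${clients "rw" 3 allowed}
      '';
  };
}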