diff --git a/flake.nix b/flake.nix index 8c91b1d2..5a89201a 100644 --- a/flake.nix +++ b/flake.nix @@ -342,6 +342,14 @@ if isDarwin then "/Users/${device.user}" else "/home/${device.user}"; + uid = + if (builtins.hasAttr "uid" device) + then device.uid + else 1000; + gid = + if (builtins.hasAttr "gid" device) + then device.gid + else 1000; # output = # if isDarwin # then self.darwinConfigurations."${device.name}" diff --git a/nixos/ryu/configuration.nix b/nixos/ryu/configuration.nix index fdcab517..fa17665a 100644 --- a/nixos/ryu/configuration.nix +++ b/nixos/ryu/configuration.nix @@ -77,6 +77,7 @@ }; users.users.${device.user} = { + uid = device.uid; isNormalUser = true; extraGroups = ["wheel" "audio" "i2c" "media" "video" "tss"]; openssh.authorizedKeys.keyFiles = [ @@ -86,6 +87,10 @@ }; users.groups.i2c = {}; users.groups.media = {}; + users.groups.${device.user} = { + gid = device.gid; + members = [device.user]; + }; services = { devmon.enable = true; diff --git a/nixos/ryu/ryu.nix b/nixos/ryu/ryu.nix index 93b9e492..97a5d11b 100644 --- a/nixos/ryu/ryu.nix +++ b/nixos/ryu/ryu.nix @@ -5,6 +5,7 @@ config, lib, modulesPath, + device, pkgs, ... }: { @@ -59,7 +60,7 @@ NIXOS_OZONE_WL = "1"; }; - users.extraUsers.servius.extraGroups = ["libvirtd" "adbusers" "kvm"]; + users.extraUsers.${device.user}.extraGroups = ["libvirtd" "adbusers" "kvm"]; boot.extraModprobeConfig = '' options kvm_intel nested=1 @@ -133,7 +134,12 @@ # options = ["nofail"]; # }; - swapDevices = []; + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 64 * 1024; + } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/nixos/ryu/services/samba.nix b/nixos/ryu/services/samba.nix index 7f88d994..e0fcfca1 100644 --- a/nixos/ryu/services/samba.nix +++ b/nixos/ryu/services/samba.nix 
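Review bot: The `uid`/`gid` fallbacks added to the `device` attribute set silently give every host that omits them id 1000, which also means the "must have uid and gid set" assertion that samba.nix later makes against these values can never fire; if a fallback is really wanted, the idiomatic Nix form is `uid = device.uid or 1000;` and `gid = device.gid or 1000;` rather than the `builtins.hasAttr` if/then/else. A comment such as `# 1000 is presumably the first normal-user id NixOS hands out; override per device on multi-user hosts` would record why that number was chosen. The enclosing `let` block starts before the hunk.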
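Review bot: The new `users.groups.${device.user}` block only adds the account as a supplementary member via `members`; nothing in this commit sets `users.users.${device.user}.group`, so the user's primary group stays the NixOS default rather than the per-user group this hunk appears to create. If a user-private primary group is the intent, add `group = device.user;` to the user definition in the previous hunk (next to `uid = device.uid;`), after which `members = [device.user]` is redundant. Note also that `device.gid` falls back to 1000 in flake.nix, the same number as the uid; that is conventional, but worth checking against groups that already exist on hosts predating this change.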
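Review bot: The 64 GiB swapfile at `/var/lib/swapfile` is created unencrypted, so anything paged out of process memory — including the NAS password that mount.cifs reads from the sops-rendered credentials file — can persist on disk in the clear unless the filesystem under `/var/lib` is already encrypted, which nothing in this diff shows. Unless hibernation is needed, set `randomEncryption.enable = true;` on the entry so the swap is keyed with a fresh random key at each boot; if hibernation is needed, a comment stating that the backing filesystem is encrypted (or that the exposure is accepted) would help the next reader. `size = 64 * 1024` is in MiB, so a trailing `# 64 GiB` comment would remove the unit ambiguity.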
@@ -1,36 +1,30 @@
-{...}: {
- # services = {
- # samba = {
- # enable = false;
- # openFirewall = true;
- # settings = {
- # global = {
- # "workgroup" = "WORKGROUP";
- # "server string" = "smbnix";
- # "netbios name" = "smbnix";
- # "security" = "user";
- # "hosts allow" = "192.168.11. 127.0.0.1 localhost";
- # "hosts deny" = "0.0.0.0/0";
- # "guest account" = "nobody";
- # "map to guest" = "bad user";
- # };
- #
- # public = {
- # "path" = "/media";
- # "browseable" = "yes";
- # "read only" = "no";
- # "guest ok" = "yes";
- # "create mask" = "0644";
- # "directory mask" = "0755";
- # # "force user" = "username";
- # # "force group" = "groupname";
- # };
- # };
- # };
- # samba-wsdd = {
- # enable = true;
- # openFirewall = true;
- # };
- # };
- networking.firewall.allowPing = true;
+{
+ lib,
+ config,
+ device,
+ ...
+}: {
+ # networking.firewall.allowPing = true;
+ sops = {
+ secrets."nas/password" = {};
+ templates."nas-credentials".content = ''
+ username=${device.user}
+ domain=WORKGROUP
+ password=${config.sops.placeholder."nas/password"}
+ '';
+ };
+ fileSystems."/volumes/nas" = {
+ device = "//tsuba.darksailor.dev/nas";
+ fsType = "cifs";
+
+ options = let
+ options = "nofail,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+ uid = toString config.users.users.servius.uid;
+ gid = toString config.users.groups.servius.gid;
+ check = lib.asserts.assertMsg (
+ uid != "" && gid != ""
+ ) "User ${device.user} must have uid ang gid set to mount NAS as user.";
+ in
+ lib.optionals check ["${options},credentials=${config.sops.templates."nas-credentials".path},uid=${uid},gid=${gid}"];
+ };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 5b0f17cc..e5f0ffae 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
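Review bot: The uid/gid lookups in the `options` let-block still use the literal user `servius` (`config.users.users.servius.uid`, `config.users.groups.servius.gid`) while the rest of this commit parameterises on `${device.user}`, so on a host where `device.user` differs evaluation fails with a missing-attribute error instead of the friendly `assertMsg` text; change them to `uid = toString config.users.users.${device.user}.uid;` and `gid = toString config.users.groups.${device.user}.gid;`. The `lib.optionals check [...]` wrapper is dead weight, since `assertMsg` either returns `true` or aborts evaluation, and with the 1000 fallbacks in flake.nix the `uid != ""` test cannot fail anyway; the message also has a typo (`ang` → `and`). On the mount itself, consider pinning the dialect and requesting transport encryption by appending `vers=3.1.1,seal` to `options` if the NAS supports SMB3 encryption — as written the kernel negotiates whatever the server offers and, unless the server enforces it, share traffic crosses the network unsealed. Keeping the password in a `credentials=` file rather than the mount line is right; confirm the sops template's default owner/mode keeps that file root-only, because its path is visible to every user via /etc/fstab.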
@@ -78,6 +78,8 @@ lastfm: api_key: ENC[AES256_GCM,data:5sFOaTAeiinetn8NfUBOFTcfuZmnnRNDTbuxVzAT4MU=,iv:RUmZ0PQpON3wkwj6GrSo7FHADM2pr4bavHT1omgR+Xw=,tag:ST7v4R8Scp+9ikYkiZ8Vtw==,type:str] pihole: password: ENC[AES256_GCM,data:xOpsEFN6zbgPwYnSudmFqlYOghY=,iv:isO0RtKgi8G8noumyhIfLLfmH9w5ybt9NVxh7bRVykM=,tag:17UcPypyqquJDTFZAc5iyA==,type:str] +nas: + password: ENC[AES256_GCM,data:lWb/l3srLrA=,iv:SN8+ziMJZZ1F+RT6JhoqWXcr1c4pSAkiT6gYfsi2LS4=,tag:g5Whb9nV8FHrOA5/Nbg0Fw==,type:str] sops: age: - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk @@ -89,7 +91,7 @@ sops: VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-29T22:55:29Z" - mac: ENC[AES256_GCM,data:eEYsNcqFKFRS2wb5dht6AI86d7IWJGKGBdKVF4hk87ieVpZ6UaflgPbjAUYHMNFB7PCvhx3gjIPscb2oNZ/sYx8aTx9zFeexosQ8C8OqCWxGEEn3OxVGEqVNvIEQ7HvTg/2Dj5644IAIKD5bltAMPtfdfBzUm7KrA+nc8BMuPVk=,iv:i1EufRekIBASVf+EAphtJsHDnlwKLVSZKeC4RE0w2ac=,tag:efFizvzVBEXvE5ly25rsvA==,type:str] + lastmodified: "2025-12-30T01:39:33Z" + mac: ENC[AES256_GCM,data:dD0EYgJ7vD4bH5l36XJZO5LA495tVCeh5bMUBhKaOoZgf2LmgNXz5oBHwIof1ZrhZ6cYMKCxvt+hllAL5u2N+hE/JjJLDxPj3DS/BXhTzp/OoQohKdLrYoj6IAUfTQppmLj06WLKR+5TCEzOuG01Y/SkAM9tqk3himfrx7guxUQ=,iv:U7a+4syPkM9R9ksIVJ3/vnFi0iS1uPH2rulpWOayPgs=,tag:2r2rrUg6wEC1zqRpeU2GJA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0
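Review bot: The new `nas.password` ciphertext `data:lWb/l3srLrA=` decodes to 8 bytes, and because sops stores the AES-256-GCM tag separately the ciphertext length equals the plaintext length — so the NAS password appears to be only 8 characters, which is weak for a share mounted by hostname over the network. Consider rotating it to a long random value; encrypting it at rest here does nothing against an online guessing attack on the NAS itself. The remainder of the hunk is the routine sops re-encryption (`lastmodified`/`mac` refresh).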