feat(nixos): Added uid and gid to users

flake.nix

@@ -342,6 +342,14 @@
         if isDarwin
         then "/Users/${device.user}"
         else "/home/${device.user}";
+      uid =
+        if (builtins.hasAttr "uid" device)
+        then device.uid
+        else 1000;
+      gid =
+        if (builtins.hasAttr "gid" device)
+        then device.gid
+        else 1000;
       # output =
       #   if isDarwin
       #   then self.darwinConfigurations."${device.name}"

nixos/ryu/configuration.nix

@@ -77,6 +77,7 @@
   };
 
   users.users.${device.user} = {
+    uid = device.uid;
     isNormalUser = true;
     extraGroups = ["wheel" "audio" "i2c" "media" "video" "tss"];
     openssh.authorizedKeys.keyFiles = [
@@ -86,6 +87,10 @@
   };
   users.groups.i2c = {};
   users.groups.media = {};
+  users.groups.${device.user} = {
+    gid = device.gid;
+    members = [device.user];
+  };
 
   services = {
     devmon.enable = true;

nixos/ryu/ryu.nix

@@ -5,6 +5,7 @@
   config,
   lib,
   modulesPath,
+  device,
   pkgs,
   ...
 }: {
@@ -59,7 +60,7 @@
     NIXOS_OZONE_WL = "1";
   };
 
-  users.extraUsers.servius.extraGroups = ["libvirtd" "adbusers" "kvm"];
+  users.extraUsers.${device.user}.extraGroups = ["libvirtd" "adbusers" "kvm"];
 
   boot.extraModprobeConfig = ''
     options kvm_intel nested=1
@@ -133,7 +134,12 @@
   #   options = ["nofail"];
   # };
 
-  swapDevices = [];
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 64 * 1024;
+    }
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

nixos/ryu/services/samba.nix

@@ -1,36 +1,30 @@
-{...}: {
+{
-  # services = {
+  lib,
-  #   samba = {
+  config,
-  #     enable = false;
+  device,
-  #     openFirewall = true;
+  ...
-  #     settings = {
+}: {
-  #       global = {
+  # networking.firewall.allowPing = true;
-  #         "workgroup" = "WORKGROUP";
+  sops = {
-  #         "server string" = "smbnix";
+    secrets."nas/password" = {};
-  #         "netbios name" = "smbnix";
+    templates."nas-credentials".content = ''
-  #         "security" = "user";
+      username=${device.user}
-  #         "hosts allow" = "192.168.11. 127.0.0.1 localhost";
+      domain=WORKGROUP
-  #         "hosts deny" = "0.0.0.0/0";
+      password=${config.sops.placeholder."nas/password"}
-  #         "guest account" = "nobody";
+    '';
-  #         "map to guest" = "bad user";
+  };
-  #       };
+  fileSystems."/volumes/nas" = {
-  #
+    device = "//tsuba.darksailor.dev/nas";
-  #       public = {
+    fsType = "cifs";
-  #         "path" = "/media";
+
-  #         "browseable" = "yes";
+    options = let
-  #         "read only" = "no";
+      options = "nofail,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
-  #         "guest ok" = "yes";
+      uid = toString config.users.users.servius.uid;
-  #         "create mask" = "0644";
+      gid = toString config.users.groups.servius.gid;
-  #         "directory mask" = "0755";
+      check = lib.asserts.assertMsg (
-  #         # "force user" = "username";
+        uid != "" && gid != ""
-  #         # "force group" = "groupname";
+      ) "User ${device.user} must have uid ang gid set to mount NAS as user.";
-  #       };
+    in
-  #     };
+      lib.optionals check ["${options},credentials=${config.sops.templates."nas-credentials".path},uid=${uid},gid=${gid}"];
-  #   };
+  };
-  #   samba-wsdd = {
-  #     enable = true;
-  #     openFirewall = true;
-  #   };
-  # };
-  networking.firewall.allowPing = true;
 }

secrets/secrets.yaml

@@ -78,6 +78,8 @@ lastfm:
     api_key: ENC[AES256_GCM,data:5sFOaTAeiinetn8NfUBOFTcfuZmnnRNDTbuxVzAT4MU=,iv:RUmZ0PQpON3wkwj6GrSo7FHADM2pr4bavHT1omgR+Xw=,tag:ST7v4R8Scp+9ikYkiZ8Vtw==,type:str]
 pihole:
     password: ENC[AES256_GCM,data:xOpsEFN6zbgPwYnSudmFqlYOghY=,iv:isO0RtKgi8G8noumyhIfLLfmH9w5ybt9NVxh7bRVykM=,tag:17UcPypyqquJDTFZAc5iyA==,type:str]
+nas:
+    password: ENC[AES256_GCM,data:lWb/l3srLrA=,iv:SN8+ziMJZZ1F+RT6JhoqWXcr1c4pSAkiT6gYfsi2LS4=,tag:g5Whb9nV8FHrOA5/Nbg0Fw==,type:str]
 sops:
     age:
         - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
@@ -89,7 +91,7 @@ sops:
             VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
             ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-29T22:55:29Z"
+    lastmodified: "2025-12-30T01:39:33Z"
-    mac: ENC[AES256_GCM,data:eEYsNcqFKFRS2wb5dht6AI86d7IWJGKGBdKVF4hk87ieVpZ6UaflgPbjAUYHMNFB7PCvhx3gjIPscb2oNZ/sYx8aTx9zFeexosQ8C8OqCWxGEEn3OxVGEqVNvIEQ7HvTg/2Dj5644IAIKD5bltAMPtfdfBzUm7KrA+nc8BMuPVk=,iv:i1EufRekIBASVf+EAphtJsHDnlwKLVSZKeC4RE0w2ac=,tag:efFizvzVBEXvE5ly25rsvA==,type:str]
+    mac: ENC[AES256_GCM,data:dD0EYgJ7vD4bH5l36XJZO5LA495tVCeh5bMUBhKaOoZgf2LmgNXz5oBHwIof1ZrhZ6cYMKCxvt+hllAL5u2N+hE/JjJLDxPj3DS/BXhTzp/OoQohKdLrYoj6IAUfTQppmLj06WLKR+5TCEzOuG01Y/SkAM9tqk3himfrx7guxUQ=,iv:U7a+4syPkM9R9ksIVJ3/vnFi0iS1uPH2rulpWOayPgs=,tag:2r2rrUg6wEC1zqRpeU2GJA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0