feat(nixos): Added uid and gid to users

2025-12-30 18:35:28 +05:30
parent 67cc456503
commit 5f243fda02
5 changed files with 54 additions and 39 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -342,6 +342,14 @@
        if isDarwin
        then "/Users/${device.user}"
        else "/home/${device.user}";
+      uid =
+        if (builtins.hasAttr "uid" device)
+        then device.uid
+        else 1000;
+      gid =
+        if (builtins.hasAttr "gid" device)
+        then device.gid
+        else 1000;
      # output =
      #   if isDarwin
      #   then self.darwinConfigurations."${device.name}"
--- a/nixos/ryu/configuration.nix
+++ b/nixos/ryu/configuration.nix
@@ -77,6 +77,7 @@
  };

  users.users.${device.user} = {
+    uid = device.uid;
    isNormalUser = true;
    extraGroups = ["wheel" "audio" "i2c" "media" "video" "tss"];
    openssh.authorizedKeys.keyFiles = [
@@ -86,6 +87,10 @@
  };
  users.groups.i2c = {};
  users.groups.media = {};
+  users.groups.${device.user} = {
+    gid = device.gid;
+    members = [device.user];
+  };

  services = {
    devmon.enable = true;
--- a/nixos/ryu/ryu.nix
+++ b/nixos/ryu/ryu.nix
@@ -5,6 +5,7 @@
  config,
  lib,
  modulesPath,
+  device,
  pkgs,
  ...
 }: {
@@ -59,7 +60,7 @@
    NIXOS_OZONE_WL = "1";
  };

-  users.extraUsers.servius.extraGroups = ["libvirtd" "adbusers" "kvm"];
+  users.extraUsers.${device.user}.extraGroups = ["libvirtd" "adbusers" "kvm"];

  boot.extraModprobeConfig = ''
    options kvm_intel nested=1
@@ -133,7 +134,12 @@
  #   options = ["nofail"];
  # };

-  swapDevices = [];
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 64 * 1024;
+    }
+  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/nixos/ryu/services/samba.nix
+++ b/nixos/ryu/services/samba.nix
@@ -1,36 +1,30 @@
-{...}: {
-  # services = {
-  #   samba = {
-  #     enable = false;
-  #     openFirewall = true;
-  #     settings = {
-  #       global = {
-  #         "workgroup" = "WORKGROUP";
-  #         "server string" = "smbnix";
-  #         "netbios name" = "smbnix";
-  #         "security" = "user";
-  #         "hosts allow" = "192.168.11. 127.0.0.1 localhost";
-  #         "hosts deny" = "0.0.0.0/0";
-  #         "guest account" = "nobody";
-  #         "map to guest" = "bad user";
-  #       };
-  #
-  #       public = {
-  #         "path" = "/media";
-  #         "browseable" = "yes";
-  #         "read only" = "no";
-  #         "guest ok" = "yes";
-  #         "create mask" = "0644";
-  #         "directory mask" = "0755";
-  #         # "force user" = "username";
-  #         # "force group" = "groupname";
-  #       };
-  #     };
-  #   };
-  #   samba-wsdd = {
-  #     enable = true;
-  #     openFirewall = true;
-  #   };
-  # };
-  networking.firewall.allowPing = true;
+{
+  lib,
+  config,
+  device,
+  ...
+}: {
+  # networking.firewall.allowPing = true;
+  sops = {
+    secrets."nas/password" = {};
+    templates."nas-credentials".content = ''
+      username=${device.user}
+      domain=WORKGROUP
+      password=${config.sops.placeholder."nas/password"}
+    '';
+  };
+  fileSystems."/volumes/nas" = {
+    device = "//tsuba.darksailor.dev/nas";
+    fsType = "cifs";
+
+    options = let
+      options = "nofail,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+      uid = toString config.users.users.servius.uid;
+      gid = toString config.users.groups.servius.gid;
+      check = lib.asserts.assertMsg (
+        uid != "" && gid != ""
+      ) "User ${device.user} must have uid ang gid set to mount NAS as user.";
+    in
+      lib.optionals check ["${options},credentials=${config.sops.templates."nas-credentials".path},uid=${uid},gid=${gid}"];
+  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -78,6 +78,8 @@ lastfm:
    api_key: ENC[AES256_GCM,data:5sFOaTAeiinetn8NfUBOFTcfuZmnnRNDTbuxVzAT4MU=,iv:RUmZ0PQpON3wkwj6GrSo7FHADM2pr4bavHT1omgR+Xw=,tag:ST7v4R8Scp+9ikYkiZ8Vtw==,type:str]
 pihole:
    password: ENC[AES256_GCM,data:xOpsEFN6zbgPwYnSudmFqlYOghY=,iv:isO0RtKgi8G8noumyhIfLLfmH9w5ybt9NVxh7bRVykM=,tag:17UcPypyqquJDTFZAc5iyA==,type:str]
+nas:
+    password: ENC[AES256_GCM,data:lWb/l3srLrA=,iv:SN8+ziMJZZ1F+RT6JhoqWXcr1c4pSAkiT6gYfsi2LS4=,tag:g5Whb9nV8FHrOA5/Nbg0Fw==,type:str]
 sops:
    age:
        - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
@@ -89,7 +91,7 @@ sops:
            VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
            ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-29T22:55:29Z"
-    mac: ENC[AES256_GCM,data:eEYsNcqFKFRS2wb5dht6AI86d7IWJGKGBdKVF4hk87ieVpZ6UaflgPbjAUYHMNFB7PCvhx3gjIPscb2oNZ/sYx8aTx9zFeexosQ8C8OqCWxGEEn3OxVGEqVNvIEQ7HvTg/2Dj5644IAIKD5bltAMPtfdfBzUm7KrA+nc8BMuPVk=,iv:i1EufRekIBASVf+EAphtJsHDnlwKLVSZKeC4RE0w2ac=,tag:efFizvzVBEXvE5ly25rsvA==,type:str]
+    lastmodified: "2025-12-30T01:39:33Z"
+    mac: ENC[AES256_GCM,data:dD0EYgJ7vD4bH5l36XJZO5LA495tVCeh5bMUBhKaOoZgf2LmgNXz5oBHwIof1ZrhZ6cYMKCxvt+hllAL5u2N+hE/JjJLDxPj3DS/BXhTzp/OoQohKdLrYoj6IAUfTQppmLj06WLKR+5TCEzOuG01Y/SkAM9tqk3himfrx7guxUQ=,iv:U7a+4syPkM9R9ksIVJ3/vnFi0iS1uPH2rulpWOayPgs=,tag:2r2rrUg6wEC1zqRpeU2GJA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0