From b9d1b1c9d0b6d5d75533a42d3c731dc87b059489 Mon Sep 17 00:00:00 2001
From: kurogeek
Date: Mon, 10 Nov 2025 11:32:07 +0700
Subject: [PATCH] mob next [ci-skip] [ci skip] [skip ci] lastFile:machines/sirius/services/samba.nix
---
machines/sirius/configuration.nix | 25 +++++
machines/sirius/disko.nix | 141 +++++++++++++++++++++++++++++
machines/sirius/services/samba.nix | 93 +++++++++++++++++++
3 files changed, 259 insertions(+)
create mode 100644 machines/sirius/configuration.nix
create mode 100644 machines/sirius/disko.nix
create mode 100644 machines/sirius/services/samba.nix
diff --git a/machines/sirius/configuration.nix b/machines/sirius/configuration.nix
new file mode 100644
index 0000000..9b38695
--- /dev/null
+++ b/machines/sirius/configuration.nix
@@ -0,0 +1,25 @@
+{
+ inputs,
+ config,
+ self,
+ ...
+}:
+{
+ imports = [
+ self.nixosModules.common
+
+ (inputs.import-tree ./services)
+
+ ];
+
+ clan.core.sops.defaultGroups = [ "admins" ];
+ clan.core.networking.targetHost = "root@[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
+
+ nixpkgs.hostPlatform = {
+ system = "x86_64-linux";
+ };
+
+ networking.fqdn = config.clan.core.vars.generators.vega-internal-domain.files.name.value;
+ system.stateVersion = "25.11";
+
+}
diff --git a/machines/sirius/disko.nix b/machines/sirius/disko.nix
new file mode 100644
index 0000000..9d7a10f
--- /dev/null
+++ b/machines/sirius/disko.nix
@@ -0,0 +1,141 @@
+{ lib, ... }:
+let
+ hashDisk = disk: "os-${builtins.substring 0 5 (builtins.hashString "sha256" disk)}";
+ os = "/dev/disk/by-id/mmc-CUTB42_0x95d14f9e";
+ vdev = [
+ "/dev/disk/by-id/ata-ST20000NM002H-3KV133_ZYD5RYRG"
+ "/dev/disk/by-id/ata-ST20000NM002H-3KV133_ZYD5S02X"
+ ];
+in
+{
+
+ boot.loader = {
+ systemd-boot = {
+ enable = true;
+ };
+ efi = {
+ canTouchEfiVariables = true;
+ };
+ };
+
+ disko.devices = {
+ disk = {
+ "os-${hashDisk os}" = {
+ type = "disk";
+ device = os;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ system = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ swap = {
+ size = "16G";
+ content = {
+ type = "swap";
+ };
+ };
+ };
+ };
+ };
+ }
+ // (lib.listToAttrs (
+ map (disk: {
+ name = "data-${hashDisk disk}";
+ value = {
+ type = "disk";
+ device = disk;
+ content = {
+ type = "zfs";
+ pool = "zdata";
+ };
+ };
+ }) vdev
+ ));
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ mountpoint = "none";
+ compression = "lz4";
+ acltype = "posixacl";
+ xattr = "sa";
+ "com.sun:auto-snapshot" = "true";
+ };
+ options.ashift = "12";
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ options.mountpoint = "none";
+ };
+ "root/nixos" = {
+ type = "zfs_fs";
+ options.mountpoint = "/";
+ mountpoint = "/";
+ };
+ "root/home" = {
+ type = "zfs_fs";
+ options.mountpoint = "/home";
+ mountpoint = "/home";
+ };
+ "root/tmp" = {
+ type = "zfs_fs";
+ mountpoint = "/tmp";
+ options = {
+ mountpoint = "/tmp";
+ sync = "disabled";
+ };
+ };
+ };
+ };
+ zdata = {
+ type = "zpool";
+ options.ashift = "12";
+ rootFsOptions = {
+ mountpoint = "none";
+ compression = "lz4";
+ acltype = "posixacl";
+ xattr = "sa";
+ "com.sun:auto-snapshot" = "true";
+ };
+ mode = {
+ topology = {
+ type = "topology";
+ vdev = [
+ {
+ mode = "mirror";
+ members = vdev;
+ }
+ ];
+ };
+ };
+ datasets = {
+ "nas" = {
+ type = "zfs_fs";
+ mountpoint = "/mnt/hdd";
+ mountOptions = [ "nofail" ];
+ };
+ "service-data" = {
+ type = "zfs_fs";
+ mountpoint = "/var/lib";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/sirius/services/samba.nix b/machines/sirius/services/samba.nix
new file mode 100644
index 0000000..8ce4b5b
--- /dev/null
+++ b/machines/sirius/services/samba.nix
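Review bot: `hashDisk` already prefixes its result with `os-`, so the disk keys built on the `"os-${hashDisk os}"` and `"data-${hashDisk disk}"` lines come out as `os-os-xxxxx` and `data-os-xxxxx`; dropping the prefix from the helper, `hashDisk = disk: builtins.substring 0 5 (builtins.hashString "sha256" disk);`, gives the names the call sites intend. The swap partition is created plain; disko's swap content accepts `randomEncryption = true;`, which keeps paged-out memory from being written to the eMMC in clear. Mounting the `service-data` dataset on `/var/lib` with `nofail` deserves a second look: if `zdata` fails to import, services start against an empty `/var/lib` on the root pool and quietly accumulate state there, which is only noticed once the pool comes back and the directory shadows it.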
@@ -0,0 +1,93 @@ +{ + config, + lib, + ... +}: +let + sambaUser = lib.filterAttrs ( + name: user: user.isNormalUser && builtins.elem "samba" user.extraGroups + ) config.users.users; + + sharedFolders = { + WhiteHouse.users = [ + "w" + "kurogeek" + "berwn" + ]; + }; +in +{ + + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + security = "user"; + workgroup = "WORKGROUP"; + "server string" = "WhiteHouse NAS"; + interfaces = "eth* en*"; + "max log size" = "50"; + "dns proxy" = false; + "syslog only" = true; + "map to guest" = "Bad User"; + "guest account" = "nobody"; + }; + } + // lib.mapAttrs (share: opts: { + path = "/mnt/hdd/samba/${share}"; + comment = share; + "force user" = share; + "force group" = share; + public = "yes"; + "guest ok" = "yes"; + "create mask" = "0640"; + "directory mask" = "0750"; + writable = "no"; + browseable = "yes"; + printable = "no"; + # TODO + # "valid users" = toString opts.users; + }) sharedFolders; + }; + + users.users = lib.mapAttrs (share: opts: { + isSystemUser = true; + group = share; + }) sharedFolders; + + users.groups = lib.mapAttrs (share: opts: { }) sharedFolders; + + systemd.services.samba-smbd.postStart = + lib.concatMapStrings ( + user: + let + password = config.clan.core.vars.generators."${user}-smb-password".files.password.path; + in + '' + mkdir -p /mnt/hdd/samba/${user} + chown ${user}:users /mnt/hdd/samba/${user} + # if a password is unchanged, this will error + (echo $(<${password}); echo $(<${password})) | ${config.services.samba.package}/bin/smbpasswd -s -a ${user} + '' + ) (lib.attrNames sambaUser) + + lib.concatMapStrings (share: '' + mkdir -p /mnt/hdd/samba/${share} + chown ${share}:${share} /mnt/hdd/samba/${share} + '') (lib.attrNames sharedFolders); + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + services.avahi = { + publish.enable = true; + publish.userServices = true; + # ^^ Needed to allow samba to automatically register mDNS records 
(without the need for an `extraServiceFile` + nssmdns4 = true; + # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it + enable = true; + openFirewall = true; + }; +}
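Review bot: The shares are guest-readable on every interface smbd listens on: each share sets `"guest ok" = "yes"` and `public = "yes"`, the `valid users` line that would apply `sharedFolders.<share>.users` is commented out, and `interfaces = "eth* en*"` does not restrict listening on its own — Samba only honours it together with `"bind interfaces only" = true;`, so with `openFirewall = true` the shares are reachable over any other interface the host has (configuration.nix targets a zerotier address). If the intent is that only the listed users read `WhiteHouse`, the TODO line `"valid users" = toString opts.users;` already produces the space-separated list Samba expects and `"guest ok"`/`public` should become `"no"`; as written, `sambaUser` only registers passwords for accounts that no share checks. The `postStart` block also creates and chowns `/mnt/hdd/samba/<user>` for every samba-group user, but no `[homes]` or per-user share definition references those directories, so either the loop is dead or a share is missing.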