nas

2025-01-19 00:44:22 -05:00 · 2025-01-19 00:44:22 -05:00 · b52df5381d
parent 3a377e24c9
commit b52df5381d
8 changed files with 104 additions and 3 deletions
--- a/flake.lock
+++ b/flake.lock
@ -153,7 +153,28 @@
        "home-manager": "home-manager",
        "nix-gaming": "nix-gaming",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": "nixpkgs-stable",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736203741,
+        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    },
    "umu": {
--- a/flake.nix
+++ b/flake.nix
@ -20,6 +20,10 @@
      url = "github:nix-community/disko/latest";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {
@ -60,6 +64,7 @@
                extraSpecialArgs = {
                  inherit pkgs-stable;
                  inherit (inputs) nix-gaming;
+                  inherit inputs;
                };
                modules = [(users + "/${user}")];
              };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -26,6 +26,9 @@
        in
          lib.strings.concatLines (front ++ [add] ++ back);
      });
+      cifs-utils = super.cifs-utils.overrideAttrs (old: {
+        buildInputs = lib.lists.remove pkgs.libcap old.buildInputs;
+      });
    })
  ];
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,24 @@
+passwd: ENC[AES256_GCM,data:EjAHralQJxmJPfgjI8V+NW7gF/ylhLTXagyUacZv8xfNTgJWUAwyPcOKgE51HeadmjNEGpmRXIo/rp1+EL45PixlptbGyZxE8w==,iv:WDgq3oJxO8QrdHGciOPYqkuxp0Lfr71ngJGyfSHk3WQ=,tag:e29oOHkh3N1VmorkN0ERIg==,type:str]
+root-passwd: ENC[AES256_GCM,data:RzcEEkT7D04IbVXYWGVcFT8lCUdFZf6lTW8WSMdFwroR+MbOSvxlTOuSWFUDsdGv77qTtLLpoJty4UDA1b/GflWgfIXzgDikXA==,iv:Be8xs0A+TDzDb9v9YeAjYSRiLY6EtGnYOLD3NjF17CA=,tag:WO3Er83DFGGdKYHUy0C8Ng==,type:str]
+pool-credentials: ENC[AES256_GCM,data:2UGj0yUOxYKQJ8CI23StzJGXiNB2iVPNrMMPX6LrZI2CmM/SFCJsD4HpwR9VTz3k7m65u4lxtb65hyiB5vtNMb2aUdMy2CqPuKoJBFWh/pfEP2TbkdzNZ3QuOLJ7Mw5QCr6k6VaqFwgFp2c=,iv:QfW23ZU2N+IAHDJ0c5BrvOUDe/7Wy23RgQqRoUf4ok8=,tag:Haie91E+Qn1OHtry4RneCg==,type:str]
+porkbun-credentials: ENC[AES256_GCM,data:ibWhIr3I9IS4Z3HWHknw6/AWkAf0YyOws61LEVrYf/+HggWEC3lxU05VCccMN8zL015WpzyG6yXMMUB09I8PWHdNsBa92b/dAdXbILVnCnP6/oWBRVSUKYZzcSjguqRU/MFk94sRofUsanvx7YMFwbDl4KlEoM1EV//A+Y4gGXbPZv4l0x+85Dv7V73N0l6QiJe0qb4qNtFUDYxYVWGWJ1mR6MuQzq6hWKwYxYMgobU0,iv:yhwRlny3Eschrwxyi8QFTSuoKBXExgOYb7uPUQ+/hFA=,tag:NdC5c6LNEg0YD+uVeOlx6g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qungny635ytez93dnyeay5d2puej4udl0e5fkx3e46zsq5ru7yqqstjx8s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYjdVaUsyTzNVak1JbnZa
+            SkN0Q1poMnBTQzJCanJlYjY5M1R0c3A2TVNrCjlMekJhaFROQW81VlRtMDJVQVpS
+            YnZCeVZVZDJJUzVDNHRialgzQXJ5K0kKLS0tIDNLODZQb3hCaWptK1I0b2V6dDFC
+            T3hKakprd2t4K0lyb0hiL2lUSUJCYzQK7xb0tVxsIPUax4T1b/+srVWChQD7yoRc
+            fYKq1uzXfJWqnn+i4UsSJVu/FThhDF6SlhlGS7f4UBxiR6KkLvAHvg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-08T17:31:32Z"
+    mac: ENC[AES256_GCM,data:nGyJ5PnM7z53fMZq0yu4ywAGZD5EmjxMxDNBgliiZw1pj0e8yqWHkHSqOTHyL+jLPNPnbsIOTwGmL/dJxc+bJXvS0h850chBaDSCtrRJCYQCqwZZUNtD5ikpGA5VZBIskrTeyNy2NaKwMEz/R7ALnOOqYzRcyAyDQOsGvG5PXXQ=,iv:vZJmNVAxYmrhZ+kblMk9cIDpAytOTYiQIFgKWsKbjV0=,tag:LpJ6Q9QO+LJvxYtanD2ZSA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -29,6 +29,7 @@
    man-pages
    man-pages-posix
    home-manager
+    sops
  ];
  documentation.dev.enable = true;

--- a/system/default.nix
+++ b/system/default.nix
@ -1,4 +1,8 @@
-{lib, ...}: {
+{
+  inputs,
+  lib,
+  ...
+}: {
  imports = [
    ./audio.nix
    ./bash.nix
@ -6,10 +10,12 @@
    ./configuration.nix
    ./display.nix
    ./locale.nix
+    ./mnt.nix
    ./plasma.nix
    ./security.nix
    ./virt.nix
    ../overlays
+    inputs.sops-nix.nixosModules.sops
  ];
  options.u = {
    has = {
--- a/system/mnt.nix
+++ b/system/mnt.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = [pkgs.cifs-utils];
+  security.wrappers."mount.cifs" = {
+    program = "mount.cifs";
+    source = "${lib.getBin pkgs.cifs-utils}/bin/mount.cifs";
+    owner = "root";
+    group = "root";
+    setuid = true;
+  };
+  fileSystems."/mnt/pool" = {
+    device = "//komikan/pool";
+    fsType = "cifs";
+    options = [
+      "noauto"
+      "x-systemd.device-timeout=5s"
+      "x-systemd.mount-timeout=5s"
+      "user"
+      "users"
+      "credentials=${config.sops.secrets.pool-credentials.path}"
+      "uid=1000"
+      "gid=100"
+    ];
+  };
+}
--- a/system/security.nix
+++ b/system/security.nix
@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
  security.doas = {
    enable = true;
    extraRules = [
@ -18,4 +18,16 @@
    enable = true;
    allowAnyUser = true;
  };
+  sops.defaultSopsFile = ../secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/ahnwuoa/.config/sops/age/keys.txt";
+  sops.secrets = {
+    passwd = {};
+    root-passwd = {};
+    pool-credentials = {
+      uid = 1000;
+    };
+    porkbun-credentials = {};
+  };
+  users.users.root.hashedPasswordFile = config.sops.secrets.root-passwd.path;
 }