From b52df5381d3e772c459eedaf7924827bdf526ad6 Mon Sep 17 00:00:00 2001
From: caandt
Date: Sun, 19 Jan 2025 00:44:22 -0500
Subject: [PATCH] nas
---
 flake.lock | 23 ++++++++++++++++++++++-
 flake.nix | 5 +++++
 overlays/default.nix | 3 +++
 secrets/secrets.yaml | 24 ++++++++++++++++++++++++
 system/configuration.nix | 1 +
 system/default.nix | 8 +++++++-
 system/mnt.nix | 29 +++++++++++++++++++++++++++++
 system/security.nix | 14 +++++++++++++-
 8 files changed, 104 insertions(+), 3 deletions(-)
 create mode 100644 secrets/secrets.yaml
 create mode 100644 system/mnt.nix
diff --git a/flake.lock b/flake.lock
index 284e7cb..271a4ed 100644
--- a/flake.lock
+++ b/flake.lock
@@ -153,7 +153,28 @@
 "home-manager": "home-manager", "nix-gaming": "nix-gaming", "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736203741, + "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "umu": {
diff --git a/flake.nix b/flake.nix
index 03a000e..cc09b4c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,6 +20,10 @@
 url = "github:nix-community/disko/latest";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -60,6 +64,7 @@
 extraSpecialArgs = {
 inherit pkgs-stable;
 inherit (inputs) nix-gaming;
+ inherit inputs;
 };
 modules = [(users + "/${user}")];
 };
diff --git a/overlays/default.nix b/overlays/default.nix
index 7b0da9e..723464e 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
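Review bot: The second hunk adds `inherit inputs;` only to home-manager's `extraSpecialArgs`, yet the NixOS side of this same patch (`system/default.nix`) now takes `inputs` as a module argument and imports `inputs.sops-nix.nixosModules.sops`, and nothing visible here passes `inputs` to `nixosSystem`. Unless the `nixosSystem` call outside this hunk already sets `specialArgs = {inherit inputs;};`, evaluating the system configuration will fail on an undefined `inputs` argument; if it does already, that is worth a one-line comment next to this `inherit`. Once the whole `inputs` set is passed, `inherit (inputs) nix-gaming;` on the line above is redundant and could be dropped. The `outputs` function starts and ends outside the hunk.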
@@ -26,6 +26,9 @@ in
 lib.strings.concatLines (front ++ [add] ++ back);
 });
+ cifs-utils = super.cifs-utils.overrideAttrs (old: {
+ buildInputs = lib.lists.remove pkgs.libcap old.buildInputs;
+ });
 })
 ];
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..a801153
--- /dev/null
+++ b/secrets/secrets.yaml
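Review bot: The `cifs-utils` override removes `libcap` from `buildInputs` without a comment saying why, and the choice is security-relevant because the same patch installs `mount.cifs` as a setuid-root wrapper in `system/mnt.nix`: upstream `mount.cifs` uses its libcap support to drop privileges while it parses options and reads the credentials file, so a build without it presumably keeps full root for the helper's whole lifetime — confirm against the cifs-utils configure output before relying on this. Record the motivation inline, e.g. `# Built without libcap: <reason>. Note mount.cifs can then no longer drop capabilities when run via the setuid wrapper in system/mnt.nix.`, with a link to the build or wrapper issue if that is what prompted it. The enclosing overlay function starts outside the hunk.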
@@ -0,0 +1,24 @@ +passwd: ENC[AES256_GCM,data:EjAHralQJxmJPfgjI8V+NW7gF/ylhLTXagyUacZv8xfNTgJWUAwyPcOKgE51HeadmjNEGpmRXIo/rp1+EL45PixlptbGyZxE8w==,iv:WDgq3oJxO8QrdHGciOPYqkuxp0Lfr71ngJGyfSHk3WQ=,tag:e29oOHkh3N1VmorkN0ERIg==,type:str] +root-passwd: ENC[AES256_GCM,data:RzcEEkT7D04IbVXYWGVcFT8lCUdFZf6lTW8WSMdFwroR+MbOSvxlTOuSWFUDsdGv77qTtLLpoJty4UDA1b/GflWgfIXzgDikXA==,iv:Be8xs0A+TDzDb9v9YeAjYSRiLY6EtGnYOLD3NjF17CA=,tag:WO3Er83DFGGdKYHUy0C8Ng==,type:str] +pool-credentials: ENC[AES256_GCM,data:2UGj0yUOxYKQJ8CI23StzJGXiNB2iVPNrMMPX6LrZI2CmM/SFCJsD4HpwR9VTz3k7m65u4lxtb65hyiB5vtNMb2aUdMy2CqPuKoJBFWh/pfEP2TbkdzNZ3QuOLJ7Mw5QCr6k6VaqFwgFp2c=,iv:QfW23ZU2N+IAHDJ0c5BrvOUDe/7Wy23RgQqRoUf4ok8=,tag:Haie91E+Qn1OHtry4RneCg==,type:str] +porkbun-credentials: ENC[AES256_GCM,data:ibWhIr3I9IS4Z3HWHknw6/AWkAf0YyOws61LEVrYf/+HggWEC3lxU05VCccMN8zL015WpzyG6yXMMUB09I8PWHdNsBa92b/dAdXbILVnCnP6/oWBRVSUKYZzcSjguqRU/MFk94sRofUsanvx7YMFwbDl4KlEoM1EV//A+Y4gGXbPZv4l0x+85Dv7V73N0l6QiJe0qb4qNtFUDYxYVWGWJ1mR6MuQzq6hWKwYxYMgobU0,iv:yhwRlny3Eschrwxyi8QFTSuoKBXExgOYb7uPUQ+/hFA=,tag:NdC5c6LNEg0YD+uVeOlx6g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qungny635ytez93dnyeay5d2puej4udl0e5fkx3e46zsq5ru7yqqstjx8s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYjdVaUsyTzNVak1JbnZa + SkN0Q1poMnBTQzJCanJlYjY5M1R0c3A2TVNrCjlMekJhaFROQW81VlRtMDJVQVpS + YnZCeVZVZDJJUzVDNHRialgzQXJ5K0kKLS0tIDNLODZQb3hCaWptK1I0b2V6dDFC + T3hKakprd2t4K0lyb0hiL2lUSUJCYzQK7xb0tVxsIPUax4T1b/+srVWChQD7yoRc + fYKq1uzXfJWqnn+i4UsSJVu/FThhDF6SlhlGS7f4UBxiR6KkLvAHvg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-08T17:31:32Z" + mac: ENC[AES256_GCM,data:nGyJ5PnM7z53fMZq0yu4ywAGZD5EmjxMxDNBgliiZw1pj0e8yqWHkHSqOTHyL+jLPNPnbsIOTwGmL/dJxc+bJXvS0h850chBaDSCtrRJCYQCqwZZUNtD5ikpGA5VZBIskrTeyNy2NaKwMEz/R7ALnOOqYzRcyAyDQOsGvG5PXXQ=,iv:vZJmNVAxYmrhZ+kblMk9cIDpAytOTYiQIFgKWsKbjV0=,tag:LpJ6Q9QO+LJvxYtanD2ZSA==,type:str] + pgp: [] + 
unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/system/configuration.nix b/system/configuration.nix
index ed9260f..a8b5c03 100644
--- a/system/configuration.nix
+++ b/system/configuration.nix
@@ -29,6 +29,7 @@
 man-pages
 man-pages-posix
 home-manager
+ sops
 ];
 documentation.dev.enable = true;
diff --git a/system/default.nix b/system/default.nix
index 58d4279..6a7d76a 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,4 +1,8 @@
-{lib, ...}: {
+{
+ inputs,
+ lib,
+ ...
+}: {
 imports = [
 ./audio.nix
 ./bash.nix
@@ -6,10 +10,12 @@
 ./configuration.nix
 ./display.nix
 ./locale.nix
+ ./mnt.nix
 ./plasma.nix
 ./security.nix
 ./virt.nix
 ../overlays
+ inputs.sops-nix.nixosModules.sops
 ];
 options.u = {
 has = {
diff --git a/system/mnt.nix b/system/mnt.nix
new file mode 100644
index 0000000..0c284ed
--- /dev/null
+++ b/system/mnt.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = [pkgs.cifs-utils];
+ security.wrappers."mount.cifs" = {
+ program = "mount.cifs";
+ source = "${lib.getBin pkgs.cifs-utils}/bin/mount.cifs";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ };
+ fileSystems."/mnt/pool" = {
+ device = "//komikan/pool";
+ fsType = "cifs";
+ options = [
+ "noauto"
+ "x-systemd.device-timeout=5s"
+ "x-systemd.mount-timeout=5s"
+ "user"
+ "users"
+ "credentials=${config.sops.secrets.pool-credentials.path}"
+ "uid=1000"
+ "gid=100"
+ ];
+ };
+}
diff --git a/system/security.nix b/system/security.nix
index 5510969..1160331 100644
--- a/system/security.nix
+++ b/system/security.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
 security.doas = {
 enable = true;
 extraRules = [
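Review bot: In the `system/mnt.nix` hunk the mount options list both `user` and `users`; `users` is the broader of the two (any local account may mount and unmount the share, not only the one that mounted it), so `user` is dead here, and together with the setuid `mount.cifs` wrapper declared above it every local account can trigger a mount that authenticates with the pool credentials. If only the uid-1000 account is meant to use `/mnt/pool` — it is the one given the secret via `uid = 1000` in `system/security.nix` — drop `"users"` and keep `"user"`. The forced `uid=1000`/`gid=100` hard-code a uid that `security.nix` hard-codes again; reading it from `config.users.users.<name>.uid` would keep the two from drifting. A short comment on the options block, e.g. `# noauto + 5s timeouts: an unreachable NAS must not block boot or login`, would record the presumable intent of the three systemd/noauto options, which the hunk leaves unexplained.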
@@ -18,4 +18,16 @@
 enable = true;
 allowAnyUser = true;
 };
+ sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/home/ahnwuoa/.config/sops/age/keys.txt";
+ sops.secrets = {
+ passwd = {};
+ root-passwd = {};
+ pool-credentials = {
+ uid = 1000;
+ };
+ porkbun-credentials = {};
+ };
+ users.users.root.hashedPasswordFile = config.sops.secrets.root-passwd.path;
 }
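Review bot: `sops.age.keyFile` points at `/home/ahnwuoa/.config/sops/age/keys.txt`, so the one key that decrypts everything in `secrets.yaml` — the root password hash, the CIFS credentials and `porkbun-credentials` — sits in an unprivileged user's home directory, where anything able to act as that user can read it, and on a path that may not even be mounted when sops-nix decrypts during early activation. Use a system-owned key for the host instead, e.g. `sops.age.keyFile = "/var/lib/sops-nix/key.txt";` or `sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];`, add that recipient to `.sops.yaml`, re-encrypt `secrets.yaml`, and keep the user's key only for editing. `passwd` and `porkbun-credentials` are declared here but consumed nowhere in this patch; if they have a consumer elsewhere, a comment naming it (or the module that will use it) would help. The enclosing module attribute set starts outside the hunk.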