From 1165dc44aa99f02650ea75a10e5b2ec440ebfc52 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 14 Jan 2024 14:53:05 +0100 Subject: [PATCH] feat(samba): add bunker share for very important data --- hosts/sire/default.nix | 15 ++- hosts/sire/guests/samba.nix | 131 +++++++++++++++---------- hosts/sire/secrets/samba/local.nix.age | 22 ++--- 3 files changed, 105 insertions(+), 63 deletions(-) diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 2b7c11c..8639923 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -44,7 +44,11 @@ # services.telegraf.extraConfig.inputs.github = {}; guests = let - mkGuest = guestName: {enableStorageDataset ? false, ...}: { + mkGuest = guestName: { + enableStorageDataset ? false, + enableBunkerDataset ? false, + ... + }: { autostart = true; zfs."/state" = { # TODO make one option out of that? and split into two readonly options automatically? @@ -59,6 +63,10 @@ pool = "storage"; dataset = "safe/guests/${guestName}"; }; + zfs."/bunker" = lib.mkIf enableBunkerDataset { + pool = "storage"; + dataset = "bunker/guests/${guestName}"; + }; modules = [ ../../modules ./guests/common.nix @@ -105,7 +113,10 @@ in lib.mkIf (!minimal) ( {} - // mkMicrovm "samba" {enableStorageDataset = true;} + // mkMicrovm "samba" { + enableStorageDataset = true; + enableBunkerDataset = true; + } // mkMicrovm "grafana" {} // mkMicrovm "influxdb" {} // mkMicrovm "loki" {} diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index fbaecbb..750cf03 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix 
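Review bot: The new `zfs."/bunker"` guest mount in the second hunk backs the bunker dataset with the same `storage` pool as the `safe/guests/…` dataset, and nothing in the hunk records what makes `bunker/…` more protected than `safe/…` (snapshot retention, replication, separate keys). Since the commit message calls this "very important data", a one-line comment above `zfs."/bunker"` should state what the bunker dataset guarantees beyond the storage dataset, e.g. `# bunker: data that must survive mistakes on /storage — its snapshot/replication policy is stricter than safe/`; the policy itself is presumably defined elsewhere and is not visible here. The `mkGuest` body continues outside the first hunk.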
@@ -5,6 +5,58 @@ }: let smbUsers = config.repo.secrets.local.samba.users; smbGroups = config.repo.secrets.local.samba.groups; + + mkPersistent = persistRoot: directory: owner: { + ${persistRoot}.directories = [ + { + inherit directory; + user = owner; + group = owner; + mode = "0750"; + } + ]; + }; + + mkShare = id: path: cfg: { + ${id} = + { + inherit path; + public = "no"; + writable = "yes"; + "create mask" = "0740"; + "directory mask" = "0750"; + "acl allow execute always" = "yes"; + } + // cfg; + }; + + mkGroupShares = group: {enableBunker ? false, ...}: + [ + (mkShare group "/shares/groups/${group}" { + "valid users" = "@${group}"; + "force user" = group; + "force group" = group; + }) + ] + ++ lib.optional enableBunker ( + mkShare "${group}-bunker" "/shares/groups/${group}-bunker" { + "valid users" = "@${group}"; + "force user" = group; + "force group" = group; + } + ); + + mkUserShares = user: {enableBunker ? false, ...}: + [ + (mkShare user "/shares/users/${user}" { + "valid users" = user; + }) + ] + ++ lib.optional enableBunker ( + mkShare "${user}-bunker" "/shares/users/${user}-bunker" { + "valid users" = user; + } + ); in { age.secrets."samba-passdb.tdb" = { rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age"; 
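Review bot: The `-bunker` shares produced by `mkGroupShares` and `mkUserShares` carry exactly the same share-level settings as the regular shares (`writable = "yes"`, same `valid users`, same create/directory masks), so from an SMB client's point of view the bunker is just as exposed to accidental or malicious deletion as the regular share; the only visible difference is the path under `/shares/…-bunker`. If the protection is meant to come from the backing dataset rather than from Samba, say so where the bunker variant is built, e.g. `# bunker shares are intentionally identical to regular shares at the SMB level; protection comes from the /bunker dataset, not from share options`; otherwise consider restricting writes on the bunker variant. The duplicated bunker branches in both helpers could also be folded into one helper taking a suffix and root, but that is cosmetic.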
@@ -37,28 +89,32 @@ in { ''; }; - environment.persistence."/persist".files = [ - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - fileSystems."/storage".neededForBoot = true; - environment.persistence."/storage" = { - hideMounts = true; - directories = - lib.flip lib.mapAttrsToList smbUsers (name: _: { - directory = "/shares/users/${name}"; - user = name; - group = name; - mode = "0750"; - }) - ++ lib.flip lib.mapAttrsToList smbGroups (name: _: { - directory = "/shares/groups/${name}"; - user = name; - group = name; - mode = "0750"; - }); - }; + fileSystems."/bunker".neededForBoot = true; + environment.persistence = lib.mkMerge ([ + { + "/persist".files = [ + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + } + ] + ++ lib.flatten ( + lib.flip lib.mapAttrsToList smbUsers ( + name: {enableBunker ? false, ...}: + [(mkPersistent "/storage" "/shares/users/${name}" name)] + ++ lib.optional enableBunker ( + mkPersistent "/bunker" "/shares/users/${name}-bunker" name + ) + ) + ++ lib.flip lib.mapAttrsToList smbGroups ( + name: {enableBunker ? false, ...}: + [(mkPersistent "/storage" "/shares/groups/${name}" name)] + ++ lib.optional enableBunker ( + mkPersistent "/bunker" "/shares/groups/${name}-bunker" name + ) + ) + )); services.samba = { enable = true; 
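Review bot: The rewritten `environment.persistence` drops the `hideMounts = true` that the removed `"/storage"` block set, and does not set it for the new `"/bunker"` root either, so every per-user and per-group bind mount will now be visible in `mount`/`df` output on the guest. Unless that is intended, add one more element to the `lib.mkMerge` list: `{ "/storage".hideMounts = true; "/bunker".hideMounts = true; }`. `mkPersistent` only emits `directories`, so the setting cannot come from the helper.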
@@ -121,35 +177,10 @@ in { "fruit:wipe_intentionally_left_blank_rfork = yes" "fruit:delete_empty_adfiles = yes" ]; - shares = let - mkShare = path: cfg: - { - inherit path; - public = "no"; - writable = "yes"; - "create mask" = "0740"; - "directory mask" = "0750"; - # "force create mode" = "0660"; - # "force directory mode" = "0770"; - "acl allow execute always" = "yes"; - } - // cfg; - - mkGroupShare = group: - mkShare "/shares/groups/${group}" { - "valid users" = "@${group}"; - "force user" = group; - "force group" = group; - }; - - mkUserShare = user: - mkShare "/shares/users/${user}" { - "valid users" = user; - }; - in - {} - // lib.mapAttrs (name: _: mkUserShare name) smbUsers - // lib.mapAttrs (name: _: mkGroupShare name) smbGroups; + shares = lib.mkMerge (lib.flatten ( + lib.mapAttrsToList mkUserShares smbUsers + ++ lib.mapAttrsToList mkGroupShares smbGroups + )); }; users.users = let diff --git a/hosts/sire/secrets/samba/local.nix.age b/hosts/sire/secrets/samba/local.nix.age index 949b563..75eefdc 100644 --- a/hosts/sire/secrets/samba/local.nix.age +++ b/hosts/sire/secrets/samba/local.nix.age 
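Review bot: `shares = lib.mkMerge (…)` now relies on share names being unique across users, groups and their `-bunker` variants; the previous `//` chain silently let a group share overwrite a same-named user share, whereas `mkMerge` will, as far as I can tell, fail at evaluation with conflicting `path` definitions. That is the better behaviour, but it deserves a comment so the next person adding a group named like an existing user (or a user named `foo-bunker`) understands the error: `# share names must be unique across users, groups and *-bunker variants; mkMerge rejects conflicting definitions`. The `mkUserShares`/`mkGroupShares` helpers are defined in the let block above, outside this hunk.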
@@ -1,12 +1,12 @@ age-encryption.org/v1 --> X25519 fKbik0Nwn3w0RFtyYjRx3NIRR6p1ePjwN1rQeQUKnC0 -FESp5Xwwuu3hifwpoalYD75/g994HsDJb6a7lasAH98 --> piv-p256 xqSe8Q A/f8+j/94A2oU2/SynYRewGBZbPWy1rGU5pnUPksXkwH -n+KeTBbXvjCu9GZypD8Vmz2uuN1XaZpDfX40TNk74js --> *:l-grease D8U!RlB wkBn7Zl4 -PLWQ+OcE+p/gZ9AaOl5RmO8C5IO5rQD3GIazmdWs/ImIbPFgSY7NM+Tb4j/qrQez - ---- 2ucK0s28/BTrnfxnm0vOvqsmOXLXBEnsxHMRHYUyLHo -boѯVo}]3Kпpp\Yi}:FH^U>ReM`0+կ놪150:FY2M^[uZMy;k]z8a~Mԟ1c/U3)rǖU>x?6x6`!R_ψ挦᷎&(.{x? rhB}̨N#g[2aRlRTϣ9W۠] I26l? -~XߵOφ#!.*Ĥmjh*C}{! -&Nm#vEFb˖3Cd\}ajR[[+p2%ȭ/|5(-ad_@g|.o+[V`tP \ No newline at end of file +-> X25519 XPiCVTwoNp+wxBHO+VroeCoWNHVsdtjeSEX4cLCnHFY +RWmVk3RrtU3qOBjvBbYJ9qSf34PHXAUVhnC9fdFCEf4 +-> piv-p256 xqSe8Q A4hKgmiwNm99B4RVisUnKDDj4r6KtOOpeVCBM35Z/V76 +OLj3c+OIFfqbclocmoIKuKEaOengs0cCipI4wNRrbaQ +-> 46$NeX?-grease Z'&t |s}Wh: +P0L0T0ObtToRodYfse+ETpl3GWGAbLlVFrJJackWMgkOWIjkU8YvKmQHcQ7QTSc7 +bFyyf1pDEkkAGAZEzoqnem+0sZN4bcqNuZJKqkzCaJDeJvrui0sCfyj0 +--- HCDoDWmBPaPfC3oh/qroi2nMtBI3PvmAfhlRpPpktJk +e>~/Ĭƻo!e܎~FheFdR˲0%ETxV\7% zBѢ&qՒe=pR K΍cZپ4w~s +b<[u Z6Qk!!$K[QU;fg|P쐆KVQh~ +eKE1ޝAΜt UD\; ş \ No newline at end of file