feat(samba): add bunker share for very important data

2025-10-11 07:10:39 +02:00 · 2024-01-14 14:53:05 +01:00 · 2024-01-14 14:53:05 +01:00 · 1165dc44aa
commit 1165dc44aa
parent 412405be3d
3 changed files with 105 additions and 63 deletions
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -44,7 +44,11 @@
  # services.telegraf.extraConfig.inputs.github = {};
  guests = let
-    mkGuest = guestName: {enableStorageDataset ? false, ...}: {
+    mkGuest = guestName: {
      enableStorageDataset ? false,
      enableBunkerDataset ? false,
      ...
    }: {
      autostart = true;
      zfs."/state" = {
        # TODO make one option out of that? and split into two readonly options automatically?
@ -59,6 +63,10 @@
        pool = "storage";
        dataset = "safe/guests/${guestName}";
      };
      zfs."/bunker" = lib.mkIf enableBunkerDataset {
        pool = "storage";
        dataset = "bunker/guests/${guestName}";
      };
      modules = [
        ../../modules
        ./guests/common.nix
@ -105,7 +113,10 @@
  in
    lib.mkIf (!minimal) (
      {}
-      // mkMicrovm "samba" {enableStorageDataset = true;}
+      // mkMicrovm "samba" {
        enableStorageDataset = true;
        enableBunkerDataset = true;
      }
      // mkMicrovm "grafana" {}
      // mkMicrovm "influxdb" {}
      // mkMicrovm "loki" {}
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -5,6 +5,58 @@
 }: let
  smbUsers = config.repo.secrets.local.samba.users;
  smbGroups = config.repo.secrets.local.samba.groups;
  mkPersistent = persistRoot: directory: owner: {
    ${persistRoot}.directories = [
      {
        inherit directory;
        user = owner;
        group = owner;
        mode = "0750";
      }
    ];
  };
  mkShare = id: path: cfg: {
    ${id} =
      {
        inherit path;
        public = "no";
        writable = "yes";
        "create mask" = "0740";
        "directory mask" = "0750";
        "acl allow execute always" = "yes";
      }
      // cfg;
  };
  mkGroupShares = group: {enableBunker ? false, ...}:
    [
      (mkShare group "/shares/groups/${group}" {
        "valid users" = "@${group}";
        "force user" = group;
        "force group" = group;
      })
    ]
    ++ lib.optional enableBunker (
      mkShare "${group}-bunker" "/shares/groups/${group}-bunker" {
        "valid users" = "@${group}";
        "force user" = group;
        "force group" = group;
      }
    );
  mkUserShares = user: {enableBunker ? false, ...}:
    [
      (mkShare user "/shares/users/${user}" {
        "valid users" = user;
      })
    ]
    ++ lib.optional enableBunker (
      mkShare "${user}-bunker" "/shares/users/${user}-bunker" {
        "valid users" = user;
      }
    );
 in {
  age.secrets."samba-passdb.tdb" = {
    rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
@ -37,28 +89,32 @@ in {
    '';
  };
-  environment.persistence."/persist".files = [
+  fileSystems."/storage".neededForBoot = true;
  fileSystems."/bunker".neededForBoot = true;
  environment.persistence = lib.mkMerge ([
      {
        "/persist".files = [
          "/etc/ssh/ssh_host_rsa_key"
          "/etc/ssh/ssh_host_rsa_key.pub"
        ];
-
+      }
-  fileSystems."/storage".neededForBoot = true;
+    ]
-  environment.persistence."/storage" = {
+    ++ lib.flatten (
-    hideMounts = true;
+      lib.flip lib.mapAttrsToList smbUsers (
-    directories =
+        name: {enableBunker ? false, ...}:
-      lib.flip lib.mapAttrsToList smbUsers (name: _: {
+          [(mkPersistent "/storage" "/shares/users/${name}" name)]
-        directory = "/shares/users/${name}";
+          ++ lib.optional enableBunker (
-        user = name;
+            mkPersistent "/bunker" "/shares/users/${name}-bunker" name
-        group = name;
+          )
-        mode = "0750";
+      )
-      })
+      ++ lib.flip lib.mapAttrsToList smbGroups (
-      ++ lib.flip lib.mapAttrsToList smbGroups (name: _: {
+        name: {enableBunker ? false, ...}:
-        directory = "/shares/groups/${name}";
+          [(mkPersistent "/storage" "/shares/groups/${name}" name)]
-        user = name;
+          ++ lib.optional enableBunker (
-        group = name;
+            mkPersistent "/bunker" "/shares/groups/${name}-bunker" name
-        mode = "0750";
+          )
-      });
+      )
-  };
+    ));
  services.samba = {
    enable = true;
@ -121,35 +177,10 @@ in {
      "fruit:wipe_intentionally_left_blank_rfork = yes"
      "fruit:delete_empty_adfiles = yes"
    ];
-    shares = let
+    shares = lib.mkMerge (lib.flatten (
-      mkShare = path: cfg:
+      lib.mapAttrsToList mkUserShares smbUsers
-        {
+      ++ lib.mapAttrsToList mkGroupShares smbGroups
-          inherit path;
+    ));
          public = "no";
          writable = "yes";
          "create mask" = "0740";
          "directory mask" = "0750";
          # "force create mode" = "0660";
          # "force directory mode" = "0770";
          "acl allow execute always" = "yes";
        }
        // cfg;
      mkGroupShare = group:
        mkShare "/shares/groups/${group}" {
          "valid users" = "@${group}";
          "force user" = group;
          "force group" = group;
        };
      mkUserShare = user:
        mkShare "/shares/users/${user}" {
          "valid users" = user;
        };
    in
      {}
      // lib.mapAttrs (name: _: mkUserShare name) smbUsers
      // lib.mapAttrs (name: _: mkGroupShare name) smbGroups;
  };
  users.users = let
--- a/hosts/sire/secrets/samba/local.nix.age
+++ b/hosts/sire/secrets/samba/local.nix.age
@ -1,12 +1,12 @@
 age-encryption.org/v1
-> X25519 fKbik0Nwn3w0RFtyYjRx3NIRR6p1ePjwN1rQeQUKnC0
+-> X25519 XPiCVTwoNp+wxBHO+VroeCoWNHVsdtjeSEX4cLCnHFY
-FESp5Xwwuu3hifwpoalYD75/g994HsDJb6a7lasAH98
+RWmVk3RrtU3qOBjvBbYJ9qSf34PHXAUVhnC9fdFCEf4
-> piv-p256 xqSe8Q A/f8+j/94A2oU2/SynYRewGBZbPWy1rGU5pnUPksXkwH
+-> piv-p256 xqSe8Q A4hKgmiwNm99B4RVisUnKDDj4r6KtOOpeVCBM35Z/V76
-n+KeTBbXvjCu9GZypD8Vmz2uuN1XaZpDfX40TNk74js
+OLj3c+OIFfqbclocmoIKuKEaOengs0cCipI4wNRrbaQ
-> *:l-grease D8U!RlB wkBn7Zl4
+-> 46$NeX?-grease Z'&t |s}Wh:
-PLWQ+OcE+p/gZ9AaOl5RmO8C5IO5rQD3GIazmdWs/ImIbPFgSY7NM+Tb4j/qrQez
+P0L0T0ObtToRodYfse+ETpl3GWGAbLlVFrJJackWMgkOWIjkU8YvKmQHcQ7QTSc7
-
+bFyyf1pDEkkAGAZEzoqnem+0sZN4bcqNuZJKqkzCaJDeJvrui0sCfyj0
--- 2ucK0s28/BTrnfxnm0vOvqsmOXLXBEnsxHMRHYUyLHo
+--- HCDoDWmBPaPfC3oh/qroi2nMtBI3PvmAfhlRpPpktJk
-¼b˜à¹oÑ¯Vo}¼å]3KÐ¿âppú\ÉYiæ}:FH÷Ó^ÉU°>ÚRÿô¿eM`0Î+îíÕ¯·±ÞÜÓë†ª…Œ1¡50:F‚Y2M“^[u�ÇáZMy;„ký]z8û÷a~MæÔŸÿ1cô/™óU¦3)–r–è¢Ç–Uõ>•÷˜‘ºóx?ý6xò¤6`!R_Ïˆ¦�»’éæŒ¦£á·Žòû÷&ž(.«{x•›?rëhåÙêÂB}Ì¨Në°#Œ–¿g[•õù2aR¯lRØT§Ï£æ9W“”Û ]ŸÇ£IŽ›œ26¼¨¨lô?íµäô·áÆ
+e˛”> ~Đ/Ä¬÷Ć»oŞ!eÜŽş·Ý~Fhű��ý™¸±�eFd÷Âř¦RË˛0%EâTxV\ę«7™ŇË%�óz˛BŃ˘&qžŐ’·Üe=pÇR¸»	KÎŤc¨Çî˛ôZŮľ¶±Ň4€ŕwć~Çs
-~ÑXßµ½„”O·…Ï†#‚!àø.�‰�*äÄ¤mjh*C˜¨¨}{!¸µ›
+b<[şu÷§Î<gý}W8uYá?Ëä`'źŮ\OÍT»(tJ}ßť5ns(W‚VÚRť"ŁdíLHGĽß1Î<Şm¸OYS·ý‰.Ŕ`†7A¤c¦ZŻĂčöy¦1"`Ä.3 líŃččăsőg»7étçĚEmAemvGŇ±�•–ä$”^jŤ)*á©¦‹¬©ž‹˙=hĄSa�YçPńš1]7Ű�ůą/-RśÇ5P˙qÂŁ"ú$)ÝűŮřť˛^Űý`Ę"~TuŻ.=;¨?.±m÷ű0Şňű-¸×?OŘ!…K,îžB˛„†	Ü¸N?«ĂYhă=”Ł_żĂđ<ŰŻR[Ó>ŰÓĄ	Z6Q‡ kŃË˙!ťÓŢńéć!$K[‡QU;fgä|šĺPě�†K‰ŢVQh~ŚŇđ
-Ã&ÒN¿Ðm#vEFbË–3C´d\}·ajRÆ[…È[Ñ+ïp2%ÜãÊÈ†óÀ/|5³þ(øÂ-à�žÝîa¹°dÝÔ_@Éà…g¬|.Á…o¦+à[œVÇ`‹tP©²¼
+‹ČńeîąĂKŃE1äŢťAŚéÄôÎśtUD\;Ĺź