feat(samba): add bunker share for very important data

hosts/sire/default.nix

@@ -44,7 +44,11 @@
   # services.telegraf.extraConfig.inputs.github = {};
 
   guests = let
-    mkGuest = guestName: {enableStorageDataset ? false, ...}: {
+    mkGuest = guestName: {
+      enableStorageDataset ? false,
+      enableBunkerDataset ? false,
+      ...
+    }: {
       autostart = true;
       zfs."/state" = {
         # TODO make one option out of that? and split into two readonly options automatically?
@@ -59,6 +63,10 @@
         pool = "storage";
         dataset = "safe/guests/${guestName}";
       };
+      zfs."/bunker" = lib.mkIf enableBunkerDataset {
+        pool = "storage";
+        dataset = "bunker/guests/${guestName}";
+      };
       modules = [
         ../../modules
         ./guests/common.nix
@@ -105,7 +113,10 @@
   in
     lib.mkIf (!minimal) (
       {}
-      // mkMicrovm "samba" {enableStorageDataset = true;}
+      // mkMicrovm "samba" {
+        enableStorageDataset = true;
+        enableBunkerDataset = true;
+      }
       // mkMicrovm "grafana" {}
       // mkMicrovm "influxdb" {}
       // mkMicrovm "loki" {}

hosts/sire/guests/samba.nix

@@ -5,6 +5,58 @@
 }: let
   smbUsers = config.repo.secrets.local.samba.users;
   smbGroups = config.repo.secrets.local.samba.groups;
+
+  mkPersistent = persistRoot: directory: owner: {
+    ${persistRoot}.directories = [
+      {
+        inherit directory;
+        user = owner;
+        group = owner;
+        mode = "0750";
+      }
+    ];
+  };
+
+  mkShare = id: path: cfg: {
+    ${id} =
+      {
+        inherit path;
+        public = "no";
+        writable = "yes";
+        "create mask" = "0740";
+        "directory mask" = "0750";
+        "acl allow execute always" = "yes";
+      }
+      // cfg;
+  };
+
+  mkGroupShares = group: {enableBunker ? false, ...}:
+    [
+      (mkShare group "/shares/groups/${group}" {
+        "valid users" = "@${group}";
+        "force user" = group;
+        "force group" = group;
+      })
+    ]
+    ++ lib.optional enableBunker (
+      mkShare "${group}-bunker" "/shares/groups/${group}-bunker" {
+        "valid users" = "@${group}";
+        "force user" = group;
+        "force group" = group;
+      }
+    );
+
+  mkUserShares = user: {enableBunker ? false, ...}:
+    [
+      (mkShare user "/shares/users/${user}" {
+        "valid users" = user;
+      })
+    ]
+    ++ lib.optional enableBunker (
+      mkShare "${user}-bunker" "/shares/users/${user}-bunker" {
+        "valid users" = user;
+      }
+    );
 in {
   age.secrets."samba-passdb.tdb" = {
     rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
@@ -37,28 +89,32 @@ in {
     '';
   };
 
-  environment.persistence."/persist".files = [
-    "/etc/ssh/ssh_host_rsa_key"
-    "/etc/ssh/ssh_host_rsa_key.pub"
-  ];
-
   fileSystems."/storage".neededForBoot = true;
-  environment.persistence."/storage" = {
-    hideMounts = true;
-    directories =
-      lib.flip lib.mapAttrsToList smbUsers (name: _: {
-        directory = "/shares/users/${name}";
-        user = name;
-        group = name;
-        mode = "0750";
-      })
-      ++ lib.flip lib.mapAttrsToList smbGroups (name: _: {
-        directory = "/shares/groups/${name}";
-        user = name;
-        group = name;
-        mode = "0750";
-      });
-  };
+  fileSystems."/bunker".neededForBoot = true;
+  environment.persistence = lib.mkMerge ([
+      {
+        "/persist".files = [
+          "/etc/ssh/ssh_host_rsa_key"
+          "/etc/ssh/ssh_host_rsa_key.pub"
+        ];
+      }
+    ]
+    ++ lib.flatten (
+      lib.flip lib.mapAttrsToList smbUsers (
+        name: {enableBunker ? false, ...}:
+          [(mkPersistent "/storage" "/shares/users/${name}" name)]
+          ++ lib.optional enableBunker (
+            mkPersistent "/bunker" "/shares/users/${name}-bunker" name
+          )
+      )
+      ++ lib.flip lib.mapAttrsToList smbGroups (
+        name: {enableBunker ? false, ...}:
+          [(mkPersistent "/storage" "/shares/groups/${name}" name)]
+          ++ lib.optional enableBunker (
+            mkPersistent "/bunker" "/shares/groups/${name}-bunker" name
+          )
+      )
+    ));
 
   services.samba = {
     enable = true;
@@ -121,35 +177,10 @@ in {
       "fruit:wipe_intentionally_left_blank_rfork = yes"
       "fruit:delete_empty_adfiles = yes"
     ];
-    shares = let
-      mkShare = path: cfg:
-        {
-          inherit path;
-          public = "no";
-          writable = "yes";
-          "create mask" = "0740";
-          "directory mask" = "0750";
-          # "force create mode" = "0660";
-          # "force directory mode" = "0770";
-          "acl allow execute always" = "yes";
-        }
-        // cfg;
-
-      mkGroupShare = group:
-        mkShare "/shares/groups/${group}" {
-          "valid users" = "@${group}";
-          "force user" = group;
-          "force group" = group;
-        };
-
-      mkUserShare = user:
-        mkShare "/shares/users/${user}" {
-          "valid users" = user;
-        };
-    in
-      {}
-      // lib.mapAttrs (name: _: mkUserShare name) smbUsers
-      // lib.mapAttrs (name: _: mkGroupShare name) smbGroups;
+    shares = lib.mkMerge (lib.flatten (
+      lib.mapAttrsToList mkUserShares smbUsers
+      ++ lib.mapAttrsToList mkGroupShares smbGroups
+    ));
   };
 
   users.users = let

hosts/sire/secrets/samba/local.nix.age

@@ -1,12 +1,12 @@
 age-encryption.org/v1
--> X25519 fKbik0Nwn3w0RFtyYjRx3NIRR6p1ePjwN1rQeQUKnC0
-FESp5Xwwuu3hifwpoalYD75/g994HsDJb6a7lasAH98
--> piv-p256 xqSe8Q A/f8+j/94A2oU2/SynYRewGBZbPWy1rGU5pnUPksXkwH
-n+KeTBbXvjCu9GZypD8Vmz2uuN1XaZpDfX40TNk74js
--> *:l-grease D8U!RlB wkBn7Zl4
-PLWQ+OcE+p/gZ9AaOl5RmO8C5IO5rQD3GIazmdWs/ImIbPFgSY7NM+Tb4j/qrQez
-
---- 2ucK0s28/BTrnfxnm0vOvqsmOXLXBEnsxHMRHYUyLHo
-¼b˜à¹oѯVo}¼å]3Kпâppú\­ÉYiæ}:FH÷Ó^
ÉU°>ÚRÿô¿eM`0Î+îíÕ¯·±ÞÜÓ놪…Œ1¡50:F‚Y2M“^[u�ÇáZMy;„ký]z8û÷a~MæÔŸÿ1­cô/™óU¦3)–r–è¢Ç–Uõ>•÷˜‘ºóx?ý6xò¤6`!R_ψ¦�»’é挦£á·Žòû÷&ž(.«{x•›?rëhåÙêÂB}̨Në°#Œ–¿g[•õù2aR¯­lRØT§Ï£æ9W“”Û ]ŸÇ£IŽ›œ2
6¼¨¨lô?íµäô·áÆ
-~ÑXßµ½„”O·…φ#‚!àø.�‰�*äĤmjh*C˜¨¨}­{!¸µ›
-Ã&ÒN¿Ðm#vEFbË–3C´d\}·ajRÆ[…È[Ñ+ïp2%ÜãÊÈ­†óÀ/|5³þ(øÂ-à�žÝîa¹°dÝÔ_@Éà…g¬|.Á…o¦+à[œVÇ`‹tP©²¼
+-> X25519 XPiCVTwoNp+wxBHO+VroeCoWNHVsdtjeSEX4cLCnHFY
+RWmVk3RrtU3qOBjvBbYJ9qSf34PHXAUVhnC9fdFCEf4
+-> piv-p256 xqSe8Q A4hKgmiwNm99B4RVisUnKDDj4r6KtOOpeVCBM35Z/V76
+OLj3c+OIFfqbclocmoIKuKEaOengs0cCipI4wNRrbaQ
+-> 46$NeX?-grease Z'&t |s}Wh:
+P0L0T0ObtToRodYfse+ETpl3GWGAbLlVFrJJackWMgkOWIjkU8YvKmQHcQ7QTSc7
+bFyyf1pDEkkAGAZEzoqnem+0sZN4bcqNuZJKqkzCaJDeJvrui0sCfyj0
+--- HCDoDWmBPaPfC3oh/qroi2nMtBI3PvmAfhlRpPpktJk
+e˛”> ~Đ/Ĭ÷Ć»oŞ!eÜŽş·Ý~Fhű��ý™¸±�eFd÷Âř¦R
˲0%EâTxV\ę«7™ŇË%�óz˛BѢ&qžŐ’·Üe=pÇR¸»	KÎŤc¨Çî˛ôZŮľ¶±Ň4€ŕwć~Çs
+b<[şu÷§Î<gý}W8uYá?Ëä`'źŮ\OÍT»(tJ}ßť5ns(W‚VÚRť"ŁdíLHGĽß1Î<Şm¸OYS·ý‰.Ŕ`†7A¤c¦ZŻĂčöy­¦
1"`Ä.3 líŃččăsőg»7ét
çĚEmAemvGұ�•–ä$”^jŤ)*ᩦ‹¬©ž‹˙=hĄSa�YçPńš1]7Ű�ůą/-RśÇ5P˙qÂŁ"ú$)ÝűŮřť˛^Űý`Ę"~TuŻ.=;¨?.±m÷ű0Şňű-¸×?OŘ!…K,îžB˛„†	ܸN?«ĂYhă=”Ł_żĂđ<ŰŻR[Ó>ŰÓĄ	Z6Q‡ 
kŃË˙!ťÓŢńéć!$K[‡QU;fgä|šĺPě�†K‰ŢVQh~ŚŇđ
+‹ČńeîąĂKŃE1äŢťAŚéÄôÎśtUD\;Ĺź