feat: add paperless samba share and per-user consume folder

2024-01-19 02:03:29 +01:00 · 2024-01-19 02:03:29 +01:00 · b466f8ab65
commit b466f8ab65
parent 8446b8fa13
8 changed files with 245 additions and 97 deletions
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -46,7 +46,11 @@
      }
    );

-  mkUserShares = user: {enableBunker ? false, ...}:
+  mkUserShares = user: {
+    enableBunker ? false,
+    enablePaperless ? false,
+    ...
+  }:
    [
      (mkShare user "/shares/users/${user}" {
        "valid users" = user;
@ -56,6 +60,13 @@
      mkShare "${user}-bunker" "/shares/users/${user}-bunker" {
        "valid users" = user;
      }
+    )
+    ++ lib.optional enablePaperless (
+      mkShare "${user}-paperless" "/shares/users/${user}-paperless" {
+        "valid users" = user;
+        "force user" = "paperless";
+        "force group" = "paperless";
+      }
    );
 in {
  age.secrets."samba-passdb.tdb" = {
@ -89,9 +100,8 @@ in {
    '';
  };

-  fileSystems."/storage".neededForBoot = true;
-  fileSystems."/bunker".neededForBoot = true;
-  environment.persistence = lib.mkMerge ([
+  environment.persistence = lib.mkMerge (
+    [
      {
        "/persist".files = [
          "/etc/ssh/ssh_host_rsa_key"
@ -114,7 +124,13 @@ in {
            mkPersistent "/bunker" "/shares/groups/${name}-bunker" name
          )
      )
-    ));
+    )
+  );
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };

  services.samba = {
    enable = true;
@ -188,6 +204,100 @@ in {
    ));
  };

+  systemd.tmpfiles.settings = lib.mkMerge (
+    # Make sure the main paperless structure exists
+    [
+      {
+        "10-smb-paperless" = {
+          "/paperless/consume".d = {
+            user = "paperless";
+            group = "paperless";
+            mode = "0750";
+          };
+          "/paperless/media".d = {
+            user = "paperless";
+            group = "paperless";
+            mode = "0750";
+          };
+          "/paperless/media/documents".d = {
+            user = "paperless";
+            group = "paperless";
+            mode = "0750";
+          };
+          "/paperless/media/documents/archive".d = {
+            user = "paperless";
+            group = "paperless";
+            mode = "0750";
+          };
+          "/paperless/media/documents/originals".d = {
+            user = "paperless";
+            group = "paperless";
+            mode = "0750";
+          };
+        };
+      }
+    ]
+    # For each paperless share, make sure the necessary sub-folders for that user are created
+    # at boot so we can bind-mount them into the shares.
+    ++ lib.flatten (lib.flip lib.mapAttrsToList smbUsers (
+      user: userCfg:
+        lib.optional (userCfg.enablePaperless or false) {
+          "10-smb-paperless" = {
+            "/shares/users/${user}-paperless".d = {
+              user = "paperless";
+              group = "paperless";
+              mode = "0750";
+            };
+            "/paperless/consume/${user}".d = {
+              user = "paperless";
+              group = "paperless";
+              mode = "0750";
+            };
+            "/paperless/media/documents/archive/${user}".d = {
+              user = "paperless";
+              group = "paperless";
+              mode = "0750";
+            };
+            "/paperless/media/documents/originals/${user}".d = {
+              user = "paperless";
+              group = "paperless";
+              mode = "0750";
+            };
+          };
+        }
+    ))
+  );
+
+  # For each paperless share, bind-mount create the necessary folders using tmpfiles.
+  fileSystems = lib.mkMerge (
+    [
+      {
+        "/storage".neededForBoot = true;
+        "/bunker".neededForBoot = true;
+      }
+    ]
+    ++ lib.flip lib.mapAttrsToList smbUsers (
+      user: userCfg:
+        lib.optionalAttrs (userCfg.enablePaperless or false) {
+          "/shares/users/${user}-paperless/consume" = {
+            fsType = "none";
+            options = ["bind"];
+            device = "/paperless/consume/${user}";
+          };
+          "/shares/users/${user}-paperless/documents" = {
+            fsType = "none";
+            options = ["bind" "ro"];
+            device = "/paperless/media/documents/archive/${user}";
+          };
+          "/shares/users/${user}-paperless/originals" = {
+            fsType = "none";
+            options = ["bind" "ro"];
+            device = "/paperless/media/documents/originals/${user}";
+          };
+        }
+    )
+  );
+
  users.users = let
    mkUser = name: id: groups: {
      isNormalUser = true;
@ -210,10 +320,20 @@ in {
        scanner.openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJcWkqM2gXM9MJoKggCMpXLBJvgPP0fuoIO3UNy4h4uFzyDqMKAADjaJHCqyIQPq/s5vATVmuu4GQyajkc7Y3fBg/2rvAACzFx/2ufK2M4dkdDcYOX6kyNZL7XiJRmLfUR2cqda3P3bQxapkdfIOWfPQQJUAnYlVvUaIShoBxYw5HXRTr2jR5UAklfIRWZOmx07WKC6dZG5MIm1Luun5KgvqQmzQ9ErL5tz/Oi5pPdK30kdkS5WdeWD6KwL78Ff4KfC0DVTO0zb/C7WyKk4ZLu+UKCLHXDTzE4lhBAu6mSUfJ5nQhmdLdKg6Gvh1St/vRcsDJOZqEFBVn35/oK974l root@ADS_4300N_BRN000EC691D285"
        ];
+
+        paperless = {
+          group = "paperless";
+          uid = config.ids.uids.paperless;
+          home = "/var/empty";
+        };
      }
    ];

-  users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
+  users.groups =
+    {
+      paperless.gid = config.ids.gids.paperless;
+    }
+    // lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);

  # Backups
  # ========================================================================