add cifs client side mounts

2025-11-11 19:08:56 -06:00
parent b4bba876ae
commit 5a451bcaa1
4 changed files with 78 additions and 5 deletions
--- a/hosts/nixos/yveltal/configuration.nix
+++ b/hosts/nixos/yveltal/configuration.nix
@@ -24,6 +24,7 @@
    ssh.enable = true;
    sops.enable = true;
    yubikey.enable = true;
+    yubikey.lock_on_remove = true;
    tailscale.enable = true;
    syncthing.enable = true;
    flatpak.enable = true;
--- a/modules/system/cifs_mounts/default.nix
+++ b/modules/system/cifs_mounts/default.nix
@@ -0,0 +1,70 @@
+{
+  pkgs,
+  inputs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.flatpak;
+  sec = config.sops.secrets;
+in {
+  options.system.flatpak = {
+    enable = lib.mkEnableOption "enables mounting holocron fileshare on the client side";
+  };
+
+  environment.systemPackages = with pkgs; [
+    cifs-utils
+  ];
+
+  config = lib.mkIf cfg.enable {
+    fileSystems."/media/holocron/blake" = {
+      device = "//10.10.0.10/users/blake";
+      fsType = "cifs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "_netdev"
+        "credentials=${sec."holocron_creds".path}"
+        "uid=1000"
+        "gid=1000"
+        "file_mode=0664"
+        "dir_mode=0775"
+      ];
+    };
+    fileSystems."/media/holocron/archives" = {
+      device = "//10.10.0.10/archives";
+      fsType = "cifs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "_netdev"
+        "credentials=${sec."holocron_creds".path}"
+        "uid=1000"
+        "gid=1000"
+        "file_mode=0664"
+        "dir_mode=0775"
+      ];
+    };
+    fileSystems."/media/holocron/media" = {
+      device = "//10.10.0.10/media";
+      fsType = "cifs";
+      options = [
+        "x-systemd.automount"
+        "noauto"
+        "_netdev"
+        "credentials=${sec."holocron_creds".path}"
+        "uid=1000"
+        "gid=1000"
+        "file_mode=0664"
+        "dir_mode=0775"
+      ];
+    };
+    # manage secrets with sops
+    sops.secrets = {
+      "holocron_creds" = {
+        owner = "blake";
+        group = "blake";
+      };
+    };
+  };
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -6,6 +6,8 @@ klefki_auth_map: ENC[AES256_GCM,data:u8OBLtT/,iv:THW21BDyhyFIjcwixsAnaAODofxbuQZ
 tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str]
 #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
 borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
+#ENC[AES256_GCM,data:ztRwuY0mTMDmwV5HqVR7Dmc+dCWcrVRtWZGEL1abE/WUcA==,iv:mmaWfHRiENJUGNhyUBFo1z7PdzVPH1OUZrVhkce6KV0=,tag:GKEvT0qkzTtimQXDueKPdw==,type:comment]
+holocron_creds: ENC[AES256_GCM,data:8mD2pTAw21JuNbuKKaz5ldSt2BVNJTg4trn229uKmHOwkLEYRsLwCvBoAA==,iv:N6yDNWZ5xApos5uGPsgo3hEWJbV4AQAGeMvGQZEsTdo=,tag:0NAM0Rvo11SqNY9dH3H5Bg==,type:str]
 #ENC[AES256_GCM,data:VdbMrwGKUKNJHw==,iv:OLwBh6KQXR/H8eRgp/hH8k3QfIkK/ydL735kx/dpc8E=,tag:N+v+ym6RMbvW4IckbiLK8Q==,type:comment]
 syncthing:
    gui_passwd: ENC[AES256_GCM,data:CicGIe5dT8lJVchCcE4wg3E8va3RYR8d53MISkE=,iv:8ziDDyQvU8ABaKKwYlcHmvm8Qybk4G+q5F0Ghqluu9w=,tag:YlyNPE04KD3detL1QUTrgQ==,type:str]
@@ -60,7 +62,7 @@ sops:
            U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
            PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-05T05:51:29Z"
-    mac: ENC[AES256_GCM,data:y4KF/ImqWzga34UIjn8ohvR4Ktu785vNgyxLDxJZOvqZNsShlgSBQ+EnJ6TgG3Ghyo6n3frcMBaZJLP4QJVqsoigUMqqOdhp3xxLRQSV5c5GbmKscW2q/xdkKqnqbANDWxQ4FWd7n/CfH+FDxtRoWgkptRzhpqYEdXxFRjzR5jo=,iv:KJYp8BmuXyuDkpRH/ZjahT8tG4NoG7Y4XFJ9Q4GntLg=,tag:sr9HQCuynFXwYT7Ulbyerg==,type:str]
+    lastmodified: "2025-11-12T01:06:25Z"
+    mac: ENC[AES256_GCM,data:a7jVTExWh/PFaCb0xdzlO5jAoGPzYiC+EQHRx8meTBy7lRvgKxiRKC/ND0Yffp4yx8aTsJrEdCXWnk/3VaDE/ko7LyI8v2EaP4n8IHs+1iD6iO6V9QZTDincCqJwVYCGzicGmgCHaSN/E6n8uowxkAX3hTSwe3E2q2UbJzuKVOc=,iv:GMMnTBIGBBi1ZFG5v02BaLHAQ3DWG7zOliGXsxBqE1w=,tag:Hm4KYzU6oEYLym2i9uo3XQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/users/blake/secrets/secrets.yaml
+++ b/users/blake/secrets/secrets.yaml
@@ -1,7 +1,7 @@
 #ENC[AES256_GCM,data:3JeFFtzO7nuVZmzPcLsP7h12BKbnyOb9/A==,iv:V6gzwAze1FVjmpf1dD8CqQpUpO9CqWfj+nHImXgz+Zw=,tag:iT6zE2X7DQmIT9d4Ds4XiA==,type:comment]
 blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str]
 #ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment]
-klefki_auth_map: ENC[AES256_GCM,data:eQ==,iv:DwWh1mhnM4EcYW3XtryDJSq1kIGwDKgekN8+FQqDhoE=,tag:oMCQkNDnIYJZeNZxrRGB5w==,type:str]
+klefki_auth_map: ENC[AES256_GCM,data:JOUluKyKlK4hbGmKVSNh61Gzp/OVsb1LVhAfqyBeQ0ChlQWJ5jzS+fSI4QaJz2KS3NWvHDP5I3Y4b51fUUPGleoBazPNGpPfRLDDCgI2ys+OiNOCtykUE8A9Rt83dlWhfnsjWzsa2gUGba/52qvjgzP9T5lejzS9U+WGdRX0xSITr2u96RXz6j0SWgHSlcrddINgSoNkMRmRctEQGLL39U5wdvRQM0CWJymPoH2IUVVhM/xw4vVUFH1YV4GtbI+pqOihtGfQFg==,iv:KRBDuozK7NUfYv8IDEE/zW+3EZQuI+KT9+N3HCg71LY=,tag:35Ox4fBaBfdGAsQ3J2a/4A==,type:str]
 #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment]
 borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str]
 #ENC[AES256_GCM,data:en3kcMuSAicr6DR8y3V3,iv:Vw9YB+AqYwn2/ZP8FmbD1TsjHfxkCGpv7NLpoqZHEKM=,tag:jliaGGKQ7wex9e9gMSWFEQ==,type:comment]
@@ -23,7 +23,7 @@ sops:
            U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
            PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-11T23:01:41Z"
-    mac: ENC[AES256_GCM,data:hcZynyaUVq9aCqN9l6EVloa5HaPB9tSMAXu+c8i++fTHIAwWCl9PLiJtkizfT/Ov5svjyCrC7yBF0asm6qB3CshiSGnAxIk8imDmdzvITu/6RbomCT0VeRcvcz7mfxQb4TYbuW1z3x2H4YOjAVHbaILjcANCI/jOOYENrmLheA0=,iv:/9+f4KGXq4BnB0uCV8D3BeaTNQjtttvGSvEVgcHr/f4=,tag:BHLU0JxijmyQ6d/MSpdjjQ==,type:str]
+    lastmodified: "2025-11-12T01:06:16Z"
+    mac: ENC[AES256_GCM,data:kUWUwWHtGrbiKKr8gvhrhMhmWnxqRO2VNgP1LHxZ9ENpBqhtIj22o8D0BRr5WQHmtUISN1CPcEf13j/14rLVRyfLRvl/ofgrNmUboG4gbRPfUGov39gC+hmayeX3/vX9fTWBDThzWNBxNJgCj1k+nulw6c4XmQaPqYmE0/F+b7c=,iv:GZRbSCfI21LEqHWYEwC11G9jKtNGCtD534TRfmJiQns=,tag:Mwg8YLMGbsp3OC1K66Z3Wg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0