From 5a451bcaa1cbdd6b5125b4a2c795ee251907e1e7 Mon Sep 17 00:00:00 2001
From: blake
Date: Tue, 11 Nov 2025 19:08:56 -0600
Subject: [PATCH] add cifs client side mounts
---
 hosts/nixos/yveltal/configuration.nix | 1 +
 modules/system/cifs_mounts/default.nix | 70 ++++++++++++++++++++++++++
 secrets/secrets.yaml | 6 ++-
 users/blake/secrets/secrets.yaml | 6 +--
 4 files changed, 78 insertions(+), 5 deletions(-)
 create mode 100644 modules/system/cifs_mounts/default.nix
diff --git a/hosts/nixos/yveltal/configuration.nix b/hosts/nixos/yveltal/configuration.nix
index f41be6e..18de9ef 100644
--- a/hosts/nixos/yveltal/configuration.nix
+++ b/hosts/nixos/yveltal/configuration.nix
@@ -24,6 +24,7 @@
 ssh.enable = true;
 sops.enable = true;
 yubikey.enable = true;
+ yubikey.lock_on_remove = true;
 tailscale.enable = true;
 syncthing.enable = true;
 flatpak.enable = true;
diff --git a/modules/system/cifs_mounts/default.nix b/modules/system/cifs_mounts/default.nix
new file mode 100644
index 0000000..3533bb0
--- /dev/null
+++ b/modules/system/cifs_mounts/default.nix
@@ -0,0 +1,70 @@
+{
+ pkgs,
+ inputs,
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.system.flatpak;
+ sec = config.sops.secrets;
+in {
+ options.system.flatpak = {
+ enable = lib.mkEnableOption "enables mounting holocron fileshare on the client side";
+ };
+
+ environment.systemPackages = with pkgs; [
+ cifs-utils
+ ];
+
+ config = lib.mkIf cfg.enable {
+ fileSystems."/media/holocron/blake" = {
+ device = "//10.10.0.10/users/blake";
+ fsType = "cifs";
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "_netdev"
+ "credentials=${sec."holocron_creds".path}"
+ "uid=1000"
+ "gid=1000"
+ "file_mode=0664"
+ "dir_mode=0775"
+ ];
+ };
+ fileSystems."/media/holocron/archives" = {
+ device = "//10.10.0.10/archives";
+ fsType = "cifs";
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "_netdev"
+ "credentials=${sec."holocron_creds".path}"
+ "uid=1000"
+ "gid=1000"
+ "file_mode=0664"
+ "dir_mode=0775"
+ ];
+ };
+ fileSystems."/media/holocron/media" = {
+ device = "//10.10.0.10/media";
+ fsType = "cifs";
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "_netdev"
+ "credentials=${sec."holocron_creds".path}"
+ "uid=1000"
+ "gid=1000"
+ "file_mode=0664"
+ "dir_mode=0775"
+ ];
+ };
+ # manage secrets with sops
+ sops.secrets = {
+ "holocron_creds" = {
+ owner = "blake";
+ group = "blake";
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 16e789a..d82714e 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
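Review bot: The new `cifs_mounts` module declares and reads `system.flatpak.enable` (`cfg = config.system.flatpak;`, `options.system.flatpak`), which looks copied from the flatpak module. The CIFS mounts are therefore gated on the flatpak switch, and the option is declared a second time if that module also defines it; a name of its own such as `system.cifs_mounts` avoids both. `environment.systemPackages` sits at the top level beside `options` and `config`, which the module system rejects as an unsupported attribute, so it belongs inside the `lib.mkIf cfg.enable` block. The `holocron_creds` secret is handed to `blake` although the mounts are performed by root through systemd; dropping `owner`/`group` keeps the share password root-only unless something running as blake really reads it. The three identical option lists can be one `let` binding, and `nosuid`/`nodev` (plus `seal`, if the server supports SMB3 encryption) would harden shares that are otherwise readable by every local user under `file_mode=0664`/`dir_mode=0775`.

```nix
}: let
  cfg = config.system.cifs_mounts;
  sec = config.sops.secrets;
  # options shared by all three holocron shares
  mountOpts = [
    "x-systemd.automount"
    "noauto"
    "_netdev"
    "nosuid"
    "nodev"
    "credentials=${sec."holocron_creds".path}"
    "uid=1000"
    "gid=1000"
    "file_mode=0664"
    "dir_mode=0775"
  ];
  mkShare = device: {
    inherit device;
    fsType = "cifs";
    options = mountOpts;
  };
in {
  options.system.cifs_mounts = {
    enable = lib.mkEnableOption "enables mounting holocron fileshare on the client side";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      cifs-utils
    ];
    fileSystems."/media/holocron/blake" = mkShare "//10.10.0.10/users/blake";
    fileSystems."/media/holocron/archives" = mkShare "//10.10.0.10/archives";
    fileSystems."/media/holocron/media" = mkShare "//10.10.0.10/media";
    # manage secrets with sops; the default root-only ownership is enough for the mount
    sops.secrets."holocron_creds" = {};
  };
}
```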
@@ -6,6 +6,8 @@ klefki_auth_map: ENC[AES256_GCM,data:u8OBLtT/,iv:THW21BDyhyFIjcwixsAnaAODofxbuQZ tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str] #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment] borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str] +#ENC[AES256_GCM,data:ztRwuY0mTMDmwV5HqVR7Dmc+dCWcrVRtWZGEL1abE/WUcA==,iv:mmaWfHRiENJUGNhyUBFo1z7PdzVPH1OUZrVhkce6KV0=,tag:GKEvT0qkzTtimQXDueKPdw==,type:comment] +holocron_creds: ENC[AES256_GCM,data:8mD2pTAw21JuNbuKKaz5ldSt2BVNJTg4trn229uKmHOwkLEYRsLwCvBoAA==,iv:N6yDNWZ5xApos5uGPsgo3hEWJbV4AQAGeMvGQZEsTdo=,tag:0NAM0Rvo11SqNY9dH3H5Bg==,type:str] #ENC[AES256_GCM,data:VdbMrwGKUKNJHw==,iv:OLwBh6KQXR/H8eRgp/hH8k3QfIkK/ydL735kx/dpc8E=,tag:N+v+ym6RMbvW4IckbiLK8Q==,type:comment] syncthing: gui_passwd: ENC[AES256_GCM,data:CicGIe5dT8lJVchCcE4wg3E8va3RYR8d53MISkE=,iv:8ziDDyQvU8ABaKKwYlcHmvm8Qybk4G+q5F0Ghqluu9w=,tag:YlyNPE04KD3detL1QUTrgQ==,type:str] 
@@ -60,7 +62,7 @@ sops: U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-05T05:51:29Z" - mac: ENC[AES256_GCM,data:y4KF/ImqWzga34UIjn8ohvR4Ktu785vNgyxLDxJZOvqZNsShlgSBQ+EnJ6TgG3Ghyo6n3frcMBaZJLP4QJVqsoigUMqqOdhp3xxLRQSV5c5GbmKscW2q/xdkKqnqbANDWxQ4FWd7n/CfH+FDxtRoWgkptRzhpqYEdXxFRjzR5jo=,iv:KJYp8BmuXyuDkpRH/ZjahT8tG4NoG7Y4XFJ9Q4GntLg=,tag:sr9HQCuynFXwYT7Ulbyerg==,type:str] + lastmodified: "2025-11-12T01:06:25Z" + mac: ENC[AES256_GCM,data:a7jVTExWh/PFaCb0xdzlO5jAoGPzYiC+EQHRx8meTBy7lRvgKxiRKC/ND0Yffp4yx8aTsJrEdCXWnk/3VaDE/ko7LyI8v2EaP4n8IHs+1iD6iO6V9QZTDincCqJwVYCGzicGmgCHaSN/E6n8uowxkAX3hTSwe3E2q2UbJzuKVOc=,iv:GMMnTBIGBBi1ZFG5v02BaLHAQ3DWG7zOliGXsxBqE1w=,tag:Hm4KYzU6oEYLym2i9uo3XQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/users/blake/secrets/secrets.yaml b/users/blake/secrets/secrets.yaml index d840dcb..ee51fa1 100644 --- a/users/blake/secrets/secrets.yaml +++ b/users/blake/secrets/secrets.yaml 
@@ -1,7 +1,7 @@ #ENC[AES256_GCM,data:3JeFFtzO7nuVZmzPcLsP7h12BKbnyOb9/A==,iv:V6gzwAze1FVjmpf1dD8CqQpUpO9CqWfj+nHImXgz+Zw=,tag:iT6zE2X7DQmIT9d4Ds4XiA==,type:comment] blake_passwd: ENC[AES256_GCM,data:AfFql6/ghGhCDLOb4+QuAsDznz4hC4ilxZYCIH2sgBWX9tWXsUOgFw1k7CIhDoXIehz6YlTy0czekXPCqHL5gmIKRQTowU4svocw/Bl/Qz5CQ58RASB6YpnzOKTrwX7HCnu/ghpdMrcy2A==,iv:hMAkLcHjP0hiyCY4rhMU0Ae7jdYPa6MffEd2WGolbEo=,tag:p/6xmD8Te1RnFkp0zWw+ew==,type:str] #ENC[AES256_GCM,data:0HBVS2AYQ2VZXY4EbMLwiSjRNyWZ57bf,iv:20SLWXpbRTLk76g5mFrhg1Z9Qasv3NoSJbK/FOiIgtk=,tag:DbUffQwrDqzy2QO64uoUeg==,type:comment] -klefki_auth_map: ENC[AES256_GCM,data:eQ==,iv:DwWh1mhnM4EcYW3XtryDJSq1kIGwDKgekN8+FQqDhoE=,tag:oMCQkNDnIYJZeNZxrRGB5w==,type:str] +klefki_auth_map: ENC[AES256_GCM,data:JOUluKyKlK4hbGmKVSNh61Gzp/OVsb1LVhAfqyBeQ0ChlQWJ5jzS+fSI4QaJz2KS3NWvHDP5I3Y4b51fUUPGleoBazPNGpPfRLDDCgI2ys+OiNOCtykUE8A9Rt83dlWhfnsjWzsa2gUGba/52qvjgzP9T5lejzS9U+WGdRX0xSITr2u96RXz6j0SWgHSlcrddINgSoNkMRmRctEQGLL39U5wdvRQM0CWJymPoH2IUVVhM/xw4vVUFH1YV4GtbI+pqOihtGfQFg==,iv:KRBDuozK7NUfYv8IDEE/zW+3EZQuI+KT9+N3HCg71LY=,tag:35Ox4fBaBfdGAsQ3J2a/4A==,type:str] #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment] borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str] #ENC[AES256_GCM,data:en3kcMuSAicr6DR8y3V3,iv:Vw9YB+AqYwn2/ZP8FmbD1TsjHfxkCGpv7NLpoqZHEKM=,tag:jliaGGKQ7wex9e9gMSWFEQ==,type:comment] 
@@ -23,7 +23,7 @@ sops: U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-11T23:01:41Z" - mac: ENC[AES256_GCM,data:hcZynyaUVq9aCqN9l6EVloa5HaPB9tSMAXu+c8i++fTHIAwWCl9PLiJtkizfT/Ov5svjyCrC7yBF0asm6qB3CshiSGnAxIk8imDmdzvITu/6RbomCT0VeRcvcz7mfxQb4TYbuW1z3x2H4YOjAVHbaILjcANCI/jOOYENrmLheA0=,iv:/9+f4KGXq4BnB0uCV8D3BeaTNQjtttvGSvEVgcHr/f4=,tag:BHLU0JxijmyQ6d/MSpdjjQ==,type:str] + lastmodified: "2025-11-12T01:06:16Z" + mac: ENC[AES256_GCM,data:kUWUwWHtGrbiKKr8gvhrhMhmWnxqRO2VNgP1LHxZ9ENpBqhtIj22o8D0BRr5WQHmtUISN1CPcEf13j/14rLVRyfLRvl/ofgrNmUboG4gbRPfUGov39gC+hmayeX3/vX9fTWBDThzWNBxNJgCj1k+nulw6c4XmQaPqYmE0/F+b7c=,iv:GZRbSCfI21LEqHWYEwC11G9jKtNGCtD534TRfmJiQns=,tag:Mwg8YLMGbsp3OC1K66Z3Wg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0