set smb password

2025-05-29 22:46:38 +02:00 · 2025-05-29 22:46:38 +02:00 · 2d61c06946
commit 2d61c06946
parent 8b23224b6b
3 changed files with 35 additions and 5 deletions
--- a/sys/machines/hopper/lab/samba.nix
+++ b/sys/machines/hopper/lab/samba.nix
@ -1,4 +1,9 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
  # only used for samba
  users.groups.xun = {};
  users.users.xun = {
@ -27,14 +32,15 @@
        "server string" = config.networking.hostName;
        "hosts allow" = "192.168.50.0/24";
        "map to guest" = "bad user";
+        "passdb backend" = "smbpasswd:${config.sops.secrets.samba-pass.path}";
      };
      transmission = {
        path = "/var/lib/transmission";
        browseable = "yes";
        "read only" = "yes";
        "guest ok" = "no";
-        "create mask" = "0664";
-        "directory mask" = "0775";
+        "create mask" = "0660";
+        "directory mask" = "0770";
      };
      vault = {
        path = "/srv/vault";
@ -61,8 +67,8 @@
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "no";
-        "create mask" = "0666";
-        "directory mask" = "0777";
+        "create mask" = "0660";
+        "directory mask" = "0770";
        "force user" = "media";
        "force group" = "media";
      };
--- a/sys/profiles/secrets/hopper/default.nix
+++ b/sys/profiles/secrets/hopper/default.nix
@ -41,5 +41,10 @@
      owner = "roblox-playtime";
      group = "roblox-playtime";
    };
+    samba-pass = {
+      format = "binary";
+      sopsFile = ./samba-pass;
+      mode = "0600";
+    };
  };
 }
--- a/sys/profiles/secrets/hopper/samba-pass
+++ b/sys/profiles/secrets/hopper/samba-pass
@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:kkJygi1K4ZHjM+VfVMTVTNBxhPBijWtP3au7zcx1rjqjFTLT5vdPdKBaMOM9G3qLjpjqet7webyu8u/GhYopjWowsS8ixwirhC0MJXpnemA9BRYUqZRc0rVHcUkNDsqGncd5SA==,iv:Vhi2V8MGnGz1EfS6ZYPjS1ffhqVLj/XMf/gWf8YYlAM=,tag:vK1izGpNaaaA+U4lLUDAtA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJK1V3YkcvZUY5SWpRcjNv\nQXNvS2pyNDJocDlrWWR5dm15cXJLd1ZnRXdrCm9VVHF3dzRmT2pjbGl4aGJNZlJB\naTJNaDZFS0dZOWdRNUszZXRVcktHZHcKLS0tIGZ5V2d2QWZGSFBiTi9aa1lCZVgy\nTG9HMVRLaEtUbmFSRTZ5NjFRRmp6ZEUKIEdWVooN7oEsPXm5xhq0OIqRgbTofxer\nFki4heCRtOJFVd2ee7eI5LC8goNT/KjXLX0kj/HPIAHKehq/rNcWBQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1e9nhfwfcg9krc03re4fwh0wu0cwf6jq4js5vfn26hcdqc2apgdes98fea7",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUeGFTNDVidCtnUzFmelEy\nTFR1a1EzQVN5RVh6Tm9oNEhoMitzN0hZMkdRCnJTYXBicHZkR3RIR0tVeGVPN2xJ\nNXFwN0tHTGozRzNSNlRXVFAxRlUzTHMKLS0tIGwxaEJSVGxRclBHak1xMzVrQU1Z\nYnhaMVp5MStGOGtkWm5jNmxUUWp1aVEKBmq9CPCqGOIDT6dFm9vqSx/pxtmdOuXo\n2Gn4mOPSCU74EuOUDW7RdEWkLHDYUMB1himxZpWXPlYYnRKzBAfQqw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-29T20:45:45Z",
+		"mac": "ENC[AES256_GCM,data:ztcpvpqejP2E2AjDfgZHfkdCFIPJmNLbfoy5DVWO5fE+kF/kNQu3+bsgP9UHVsCvMlKjSCdTMxeBt1pV2s5jkStZSxq4sQ5zUtjeNq8SMhVH1fvj8JRTpgNcwZ4MHeHOALKRQBELYLBfJqg2/u2TnxCZigiQwZf3pAw6J6wRoK0=,iv:zpqguOWAouPtj5K1tHe8/ugmWVha2ztogErsG/LC4Aw=,tag:aIc1Ey74CCJLPM0IwZ3gNQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}