From 2d61c06946b03469ae90893990e0f094ea8ae349 Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Thu, 29 May 2025 22:46:38 +0200
Subject: [PATCH] set smb password
---
 sys/machines/hopper/lab/samba.nix | 16 +++++++++++-----
 sys/profiles/secrets/hopper/default.nix | 5 +++++
 sys/profiles/secrets/hopper/samba-pass | 19 +++++++++++++++++++
 3 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 sys/profiles/secrets/hopper/samba-pass
diff --git a/sys/machines/hopper/lab/samba.nix b/sys/machines/hopper/lab/samba.nix
index f606862..c3c6956 100644
--- a/sys/machines/hopper/lab/samba.nix
+++ b/sys/machines/hopper/lab/samba.nix
@@ -1,4 +1,9 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
 # only used for samba
 users.groups.xun = {};
 users.users.xun = {
@@ -27,14 +32,15 @@
 "server string" = config.networking.hostName;
 "hosts allow" = "192.168.50.0/24";
 "map to guest" = "bad user";
+ "passdb backend" = "smbpasswd:${config.sops.secrets.samba-pass.path}";
 };
 transmission = {
 path = "/var/lib/transmission";
 browseable = "yes";
 "read only" = "yes";
 "guest ok" = "no";
- "create mask" = "0664";
- "directory mask" = "0775";
+ "create mask" = "0660";
+ "directory mask" = "0770";
 };
 vault = {
 path = "/srv/vault";
@@ -61,8 +67,8 @@
 browseable = "yes";
 "read only" = "no";
 "guest ok" = "no";
- "create mask" = "0666";
- "directory mask" = "0777";
+ "create mask" = "0660";
+ "directory mask" = "0770";
 "force user" = "media";
 "force group" = "media";
 };
diff --git a/sys/profiles/secrets/hopper/default.nix b/sys/profiles/secrets/hopper/default.nix
index e748031..b13091f 100644
--- a/sys/profiles/secrets/hopper/default.nix
+++ b/sys/profiles/secrets/hopper/default.nix
@@ -41,5 +41,10 @@
 owner = "roblox-playtime";
 group = "roblox-playtime";
 };
+ samba-pass = {
+ format = "binary";
+ sopsFile = ./samba-pass;
+ mode = "0600";
+ };
 };
 }
diff --git a/sys/profiles/secrets/hopper/samba-pass b/sys/profiles/secrets/hopper/samba-pass
new file mode 100644
index 0000000..343ee39
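Review bot: `lib` and `pkgs` are added to the module arguments in the first samba.nix hunk, but none of the 11 added lines in this file refers to either name, so both look unused. Keeping the header as `{config, ...}: {` until a binding is actually needed avoids the dead arguments; the module body continues outside the hunk.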
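Review bot: The added `"passdb backend"` line in the global section has no comment explaining that the `smbpasswd` flat-file format stores the unsalted NT hash, which is password-equivalent for SMB authentication, so the decrypted file needs the same protection as the cleartext password. A comment directly above it would record that, e.g. `# smbpasswd file holds NT hashes (password-equivalent); decrypted by sops-nix, root-only`. Samba can also rewrite this file in place when an account is changed, and such a write presumably would not survive the next secret activation, so it is worth confirming the file is only ever read. The unchanged `"map to guest" = "bad user"` line still maps unknown usernames to the guest account, so access control depends on every share keeping `"guest ok" = "no"`; only part of the share list is visible in this hunk.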
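Review bot: The new `samba-pass` entry sets `mode = "0600"` but no `owner`, so it relies on the sops-nix default owner (root, as far as I know) and on smbd reading the passdb as root. Writing `owner = "root";` explicitly, the way the entry above spells out `owner = "roblox-playtime";`, would make that intent visible. A comment such as `# smbpasswd-format file; the NT hash inside is password-equivalent` would tell the next maintainer what the binary blob holds and why it must not be group- or world-readable. Because the ciphertext is committed, confidentiality of that hash rests on the two age recipient keys listed in `samba-pass`, and rotating the SMB password is the remedy if either key is exposed. The secrets attribute set starts outside the hunk.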
--- /dev/null +++ b/sys/profiles/secrets/hopper/samba-pass @@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:kkJygi1K4ZHjM+VfVMTVTNBxhPBijWtP3au7zcx1rjqjFTLT5vdPdKBaMOM9G3qLjpjqet7webyu8u/GhYopjWowsS8ixwirhC0MJXpnemA9BRYUqZRc0rVHcUkNDsqGncd5SA==,iv:Vhi2V8MGnGz1EfS6ZYPjS1ffhqVLj/XMf/gWf8YYlAM=,tag:vK1izGpNaaaA+U4lLUDAtA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJK1V3YkcvZUY5SWpRcjNv\nQXNvS2pyNDJocDlrWWR5dm15cXJLd1ZnRXdrCm9VVHF3dzRmT2pjbGl4aGJNZlJB\naTJNaDZFS0dZOWdRNUszZXRVcktHZHcKLS0tIGZ5V2d2QWZGSFBiTi9aa1lCZVgy\nTG9HMVRLaEtUbmFSRTZ5NjFRRmp6ZEUKIEdWVooN7oEsPXm5xhq0OIqRgbTofxer\nFki4heCRtOJFVd2ee7eI5LC8goNT/KjXLX0kj/HPIAHKehq/rNcWBQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1e9nhfwfcg9krc03re4fwh0wu0cwf6jq4js5vfn26hcdqc2apgdes98fea7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUeGFTNDVidCtnUzFmelEy\nTFR1a1EzQVN5RVh6Tm9oNEhoMitzN0hZMkdRCnJTYXBicHZkR3RIR0tVeGVPN2xJ\nNXFwN0tHTGozRzNSNlRXVFAxRlUzTHMKLS0tIGwxaEJSVGxRclBHak1xMzVrQU1Z\nYnhaMVp5MStGOGtkWm5jNmxUUWp1aVEKBmq9CPCqGOIDT6dFm9vqSx/pxtmdOuXo\n2Gn4mOPSCU74EuOUDW7RdEWkLHDYUMB1himxZpWXPlYYnRKzBAfQqw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-29T20:45:45Z", + "mac": "ENC[AES256_GCM,data:ztcpvpqejP2E2AjDfgZHfkdCFIPJmNLbfoy5DVWO5fE+kF/kNQu3+bsgP9UHVsCvMlKjSCdTMxeBt1pV2s5jkStZSxq4sQ5zUtjeNq8SMhVH1fvj8JRTpgNcwZ4MHeHOALKRQBELYLBfJqg2/u2TnxCZigiQwZf3pAw6J6wRoK0=,iv:zpqguOWAouPtj5K1tHe8/ugmWVha2ztogErsG/LC4Aw=,tag:aIc1Ey74CCJLPM0IwZ3gNQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +}