diff --git a/README.md b/README.md
index 0ae48f1..a497da2 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,36 @@ NixOS configuration using a dendritic structure — `flake.nix` at the root, wit
 ```bash
 sudo nixos-rebuild switch --flake .#nixos
 ```
+
+## SMB share secrets (agenix)
+
+SMB automount is configured in `modules/hosts/nixos.nix` and activates once
+`secrets/smb-credentials.age` exists.
+
+1. Edit recipients in `secrets/secrets.nix` if needed.
+2. Create the encrypted secret (using the host SSH private key via sudo):
+
+```bash
+sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
+```
+
+Use this content:
+
+```text
+username=YOUR_SMB_USER
+password=YOUR_SMB_PASSWORD
+# optional
+# domain=WORKGROUP
+```
+
+Configured shares mirror your Endeavour setup:
+
+- `//192.168.1.102/data` → `/mnt/unraid-data`
+- `//192.168.1.102/appdata` → `/mnt/unraid-appdata`
+
+Then apply:
+
+```bash
+sudo nixos-rebuild switch --flake .#nixos
+```
+
diff --git a/flake.lock b/flake.lock
index 2787770..48c521a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,48 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1770165109,
+ "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": [
@@ -20,6 +63,27 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "import-tree": {
 "locked": {
 "lastModified": 1772999353,
@@ -36,6 +100,22 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1754028485,
+ "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1772773019,
 "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
@@ -53,9 +133,25 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "flake-parts": "flake-parts",
 "import-tree": "import-tree",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
diff --git a/flake.nix b/flake.nix
index b0770a7..a1b2f14 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,7 @@
 };
 import-tree.url = "github:vic/import-tree";
+ agenix.url = "github:ryantm/agenix";
 };
 outputs =
diff --git a/modules/hosts/nixos.nix b/modules/hosts/nixos.nix
index ee279db..ba75cdb 100644
--- a/modules/hosts/nixos.nix
+++ b/modules/hosts/nixos.nix
@@ -3,9 +3,20 @@
 self,
 config,
 ...
-}: {
- flake.nixosModules.nixos-host = {pkgs, ...}: {
+}: let
+ flakeConfig = config;
+in {
+ flake.nixosModules.nixos-host = {
+ pkgs,
+ lib,
+ config,
+ ...
+ }: let
+ smbSecretFile = ../../secrets/smb-credentials.age;
+ hasSmbSecret = builtins.pathExists smbSecretFile;
+ in {
 imports = [
+ inputs.agenix.nixosModules.default
 ../../hardware-configuration.nix
 ];
@@ -19,7 +30,7 @@
 # Custom EDID override for Samsung 240Hz on DP-1
 boot.kernelParams = ["drm.edid_firmware=DP-1:edid/g80.bin"];
 hardware.firmware = [
- (pkgs.runCommandNoCC "g80-edid-firmware" {} ''
+ (pkgs.runCommand "g80-edid-firmware" {} ''
 install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
 '')
 ];
@@ -69,7 +80,7 @@
 };
 # User account
- users.users.${config.username} = {
+ users.users.${flakeConfig.username} = {
 isNormalUser = true;
 description = "Thomas Gouveia Lopes";
 extraGroups = ["networkmanager" "wheel"];
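Review bot: The new `agenix.url = "github:ryantm/agenix";` input declares no `follows`, so the flake.lock hunks in this same commit pull in a second nixpkgs (`nixpkgs_2` for the root plus a `nixos-25.05` `nixpkgs`), `darwin` and `home-manager` solely for agenix's own inputs. That enlarges the pinned dependency set this host evaluates and that has to be kept updated; `agenix.inputs.nixpkgs.follows = "nixpkgs";` dedupes nixpkgs, and agenix's `darwin`/`home-manager` inputs can, as far as I recall from its README, be dropped with `agenix.inputs.darwin.follows = "";` and `agenix.inputs.home-manager.follows = "";` when they are not used — confirm against the current agenix documentation. The `inputs` attribute set this line sits in starts and ends outside the hunk.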
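Review bot: `hasSmbSecret = builtins.pathExists smbSecretFile;` is resolved against the flake's store copy of the repository, so under flake evaluation a freshly created but not yet git-tracked `secrets/smb-credentials.age` is absent from that copy and the check stays false even though the file exists in the working tree; both the README text and the warning in the later hunk say the mount activates "once the file exists", which will mislead the first rebuild. Worth a comment on that line, e.g. `# NOTE: pathExists sees the flake's store copy — the .age file must be git-added, not just created, to be picked up.`, and the same sentence in the README. The rename of the outer `config` to `flakeConfig` is needed because the inner module function now binds its own `config`; the module header that binds `inputs` (used by `inputs.agenix.nixosModules.default`) starts outside the hunk.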
@@ -91,6 +102,59 @@
 # State version
 system.stateVersion = "25.11";
+ boot.supportedFilesystems = ["cifs"];
+
+ warnings = lib.optional (!hasSmbSecret) ''
+ SMB automount is disabled: missing ${toString smbSecretFile}.
+ Create it with agenix:
+ sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
+ and set:
+ username=...
+ password=...
+ # optional
+ # domain=WORKGROUP
+ '';
+
+ age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ age.secrets."smb-credentials" = lib.mkIf hasSmbSecret {
+ file = smbSecretFile;
+ mode = "0400";
+ owner = "root";
+ group = "root";
+ };
+
+ fileSystems."/mnt/unraid-data" = lib.mkIf hasSmbSecret {
+ device = "//192.168.1.102/data";
+ fsType = "cifs";
+ options = [
+ "credentials=${config.age.secrets."smb-credentials".path}"
+ "uid=1000"
+ "gid=1000"
+ "iocharset=utf8"
+ "nofail"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=5min"
+ "_netdev"
+ "vers=3.0"
+ ];
+ };
+
+ fileSystems."/mnt/unraid-appdata" = lib.mkIf hasSmbSecret {
+ device = "//192.168.1.102/appdata";
+ fsType = "cifs";
+ options = [
+ "credentials=${config.age.secrets."smb-credentials".path}"
+ "uid=1000"
+ "gid=1000"
+ "iocharset=utf8"
+ "nofail"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=5min"
+ "_netdev"
+ "vers=3.0"
+ ];
+ };
+
 fileSystems."/mnt/endeavour" = {
 device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
 fsType = "ext4";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..b5e73b5
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ nixos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIg62Co6P+CYcvINrW9IYM1D8W7A3LNlEphAqP6vCzrv root@nixos";
+in {
+ "secrets/smb-credentials.age".publicKeys = [
+ nixos
+ ];
+}
diff --git a/secrets/smb-credentials.age b/secrets/smb-credentials.age
new file mode 100644
index 0000000..a3444e6
--- /dev/null
+++ b/secrets/smb-credentials.age
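Review bot: The two `fileSystems."/mnt/unraid-*"` entries repeat the same nine-line option list and the server address `192.168.1.102`, so any later change has to be made twice and the two mounts can silently drift — for example adding `seal` so share data is encrypted on the wire, which is worth considering if the Unraid server supports SMB3 encryption (confirm before enabling, since an unsupported option makes the mount fail). Hoisting the shared pieces into the module's existing `let` (which begins in an earlier hunk, outside this one) and building both mounts from one helper, as sketched below, removes the duplication. The `uid=1000`/`gid=1000` pair is also a bare number while the rest of the file refers to the account as `flakeConfig.username`; presumably they are the same user, and a comment like `# uid/gid 1000: the ${flakeConfig.username} account — keep in sync with users.users` would make that dependency visible. The 0400 root-owned credentials secret and `_netdev`/`nofail`/automount combination look right for a root-driven CIFS automount.
```nix
# in the module's let block (earlier hunk), next to hasSmbSecret:
smbServer = "192.168.1.102";
smbOptions = [
  "credentials=${config.age.secrets."smb-credentials".path}"
  "uid=1000"
  "gid=1000"
  "iocharset=utf8"
  "nofail"
  "x-systemd.automount"
  "x-systemd.idle-timeout=5min"
  "_netdev"
  "vers=3.0"
];
# one CIFS automount for a share on the Unraid box; only defined when the secret is present
mkUnraidShare = share: lib.mkIf hasSmbSecret {
  device = "//${smbServer}/${share}";
  fsType = "cifs";
  options = smbOptions;
};
# … unchanged: boot.supportedFilesystems, warnings, age.identityPaths, age.secrets …
fileSystems."/mnt/unraid-data" = mkUnraidShare "data";
fileSystems."/mnt/unraid-appdata" = mkUnraidShare "appdata";
```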
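Review bot: `"secrets/smb-credentials.age".publicKeys` lists only the host key `nixos`, so the sole identity able to decrypt or re-key this secret is `/etc/ssh/ssh_host_ed25519_key` on that machine; if the host is reinstalled or its key rotated, the committed ciphertext becomes unrecoverable and the plaintext has to be re-entered from scratch. Adding an operator's own age or SSH public key to the recipient list and re-running `agenix -r` keeps a second decryption path and is the usual agenix practice. At minimum a one-line comment above the list, e.g. `# recipients: host key only — add an admin key before rotating or reinstalling the host`, would make the dependency explicit.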
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 eoxNoQ +//j26EmOrSLqTMUaKWy4X/GZZ3XoJmKlT+ArQejODU +olSV7FU5URhIcB4JczmPhGZsaQjQCs7kTm/IISCePsk +--- r7Gpe55fXHr9lghoFvwAZZVvDVckENBxTDXW3sXEjUI +{&ffj?Sy|ԙtܾ_3Ojp tS!,!5iGo_?tFKˆ%ʴh%upX;'.Xo= \ No newline at end of file