move smb automount secrets to agenix

2026-03-13 19:07:13 +00:00
parent b1b3f324d9
commit 1d1afe1a43
6 changed files with 211 additions and 5 deletions
+68 -4
@@ -3,9 +3,20 @@
self,
config,
...
}: {
flake.nixosModules.nixos-host = {pkgs, ...}: {
}: let
flakeConfig = config;
in {
flake.nixosModules.nixos-host = {
pkgs,
lib,
config,
...
}: let
smbSecretFile = ../../secrets/smb-credentials.age;
hasSmbSecret = builtins.pathExists smbSecretFile;
in {
imports = [
inputs.agenix.nixosModules.default
../../hardware-configuration.nix
];
@@ -19,7 +30,7 @@
# Custom EDID override for Samsung 240Hz on DP-1
boot.kernelParams = ["drm.edid_firmware=DP-1:edid/g80.bin"];
hardware.firmware = [
(pkgs.runCommandNoCC "g80-edid-firmware" {} ''
(pkgs.runCommand "g80-edid-firmware" {} ''
install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
'')
];
@@ -69,7 +80,7 @@
};
# User account
users.users.${config.username} = {
users.users.${flakeConfig.username} = {
isNormalUser = true;
description = "Thomas Gouveia Lopes";
extraGroups = ["networkmanager" "wheel"];
@@ -91,6 +102,59 @@
# State version
system.stateVersion = "25.11";
boot.supportedFilesystems = ["cifs"];
warnings = lib.optional (!hasSmbSecret) ''
SMB automount is disabled: missing ${toString smbSecretFile}.
Create it with agenix:
sudo env RULES=secrets/secrets.nix nix run github:ryantm/agenix -- -e secrets/smb-credentials.age -i /etc/ssh/ssh_host_ed25519_key
and set:
username=...
password=...
# optional
# domain=WORKGROUP
'';
age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
age.secrets."smb-credentials" = lib.mkIf hasSmbSecret {
file = smbSecretFile;
mode = "0400";
owner = "root";
group = "root";
};
fileSystems."/mnt/unraid-data" = lib.mkIf hasSmbSecret {
device = "//192.168.1.102/data";
fsType = "cifs";
options = [
"credentials=${config.age.secrets."smb-credentials".path}"
"uid=1000"
"gid=1000"
"iocharset=utf8"
"nofail"
"x-systemd.automount"
"x-systemd.idle-timeout=5min"
"_netdev"
"vers=3.0"
];
};
fileSystems."/mnt/unraid-appdata" = lib.mkIf hasSmbSecret {
device = "//192.168.1.102/appdata";
fsType = "cifs";
options = [
"credentials=${config.age.secrets."smb-credentials".path}"
"uid=1000"
"gid=1000"
"iocharset=utf8"
"nofail"
"x-systemd.automount"
"x-systemd.idle-timeout=5min"
"_netdev"
"vers=3.0"
];
};
fileSystems."/mnt/endeavour" = {
device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
fsType = "ext4";
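Review bot: The two new cifs entries (`/mnt/unraid-data` and `/mnt/unraid-appdata`) protect the credential at rest through agenix, but `vers=3.0` on its own does not request SMB encryption, so share traffic can still cross the LAN unencrypted. If the server supports it, add `"seal"` to both option lists, and consider `"nosuid"` and `"nodev"` as defence in depth for a network mount. The two lists are identical, so binding them once in the `let` (for example `smbMountOptions = [ ... ];`) would stop the mounts drifting apart when one is hardened later. Separately, the hint in `warnings` runs an unpinned `github:ryantm/agenix` under `sudo` with the host key; the module already imports `inputs.agenix`, so pointing the hint at that locked input would keep the tool version reviewed. The `/mnt/endeavour` block and the module body continue outside this hunk.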