Mount dalinar media on lift

2025-03-30 19:18:56 +02:00 · 2025-03-30 19:18:56 +02:00 · 8e304f189a
commit 8e304f189a
parent 7773a20fb4
4 changed files with 49 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -6,3 +6,7 @@ creation_rules:
      - age:
        - *admin
        - age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
+  - path_regex: hosts/lift/secrets.yaml
+    key_groups:
+      - age:
+        - *admin
--- a/flake.nix
+++ b/flake.nix
@ -40,6 +40,7 @@
        lift = nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [
+            sops-nix.nixosModules.sops
            ./hosts/lift
          ];
        };
--- a/hosts/lift/configuration.nix
+++ b/hosts/lift/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:

 {
  # Bootloader.
@ -22,6 +22,25 @@
  systemd.network.wait-online.enable = false;
  boot.initrd.systemd.network.wait-online.enable = false;

+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [];
+  sops.age.keyFile = "/home/rothe/.config/sops/age/keys.txt";
+  sops.secrets."samba/user" = { };
+  sops.secrets."samba/password" = { };
+  sops.templates.sambacreds.content = ''
+    username=${config.sops.placeholder."samba/user"}
+    password=${config.sops.placeholder."samba/password"}
+  '';
+
+  fileSystems."/mnt/media" = {
+    device = "//dalinar.home.johannes-rothe.de/media";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+
+    in ["${automount_opts},credentials=${config.sops.templates.sambacreds.path},uid=1000,gid=100"];
+  };

  # bluetooth
  hardware.bluetooth.enable = true;
@ -29,6 +48,7 @@
  environment.systemPackages = with pkgs; [
    avrdude
    cryptsetup
+    cifs-utils
    ffmpeg
    fzf
    gammastep
--- a/hosts/lift/secrets.yaml
+++ b/hosts/lift/secrets.yaml
@ -0,0 +1,23 @@
+samba:
+    user: ENC[AES256_GCM,data:gxlxZYtLyom7,iv:wCNASjPzkcf0IPV1Hy5PF5fznTbs1blG3CIRK2D30Yw=,tag:q1uaEx/raTxR5XKEhBYqHw==,type:str]
+    password: ENC[AES256_GCM,data:SNyQ6MFZkq7Vik2kzuJXgA==,iv:dc9HMgDd/xH6EXjM55QxKJGkT9/nOtU4a1/sCLFvstM=,tag:b5HBuhuANo63OgMkeuEMdQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZdnFSRUlYWDNoc2h4RGdS
+            TEN3TlpiWkVZaHFyWXJLSE9nRjBEd243RWh3CmtBd3dyYzlVTzJHMUdyYjNVQTk1
+            WVdTajg4b2JMRWlwNXhhOEtUTTRmdFkKLS0tIEJqakloNHNlQlgwRVNMT2lQWWlh
+            ejY4UDlFZlYvak5kZmM2Ylp3dkJHNk0KE8hC2CybCA8YJ5F4hv/szIOcn1XXp8+a
+            c62iDMBYWV6TjzQSqYryDoejj9eE/fnbSRoj632MUbZzu87toCj/pw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-30T16:45:13Z"
+    mac: ENC[AES256_GCM,data:O0JI59PeSgb/49EMTIcjALXBhN6sK6CTKwqvlU6PPcCz02ibiuivQD1ow8lAP67GaCzOlNOuDdtr0rTx6cuc7BuPGsfD/MGjw+Aw2OS57fPRUyGVMKLIXgpCOaakXTkfKwDSqjTgtrPdgqVyQgJB1osRR5ji2nAj1Cmk3/JEqPA=,iv:mbUrOBkyb+M7cxW971gnCLyaABYLnHMjrJlxy+lW5Jo=,tag:7asKES378gynGN4Bqjsw0A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4