Enable yubikey on lift

.sops.yaml

@@ -6,3 +6,7 @@ creation_rules:
       - age:
         - *admin
         - age1y5lmqqzpapjmtxzvsmf6a9cchhhpq05uwdlqv2q6yz9kkx3s6ars6szsc7
+  - path_regex: hosts/lift/secrets.yaml
+    key_groups:
+      - age:
+        - *admin

flake.lock

@@ -44,11 +44,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1738148035,
+        "lastModified": 1745502102,
-        "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
+        "narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
+        "rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -134,11 +134,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736143030,
+        "lastModified": 1743550720,
-        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1705309234,
+        "lastModified": 1731533236,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -186,16 +186,18 @@
     "ghostty": {
       "inputs": {
         "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "zig": "zig"
+        "zig": "zig",
+        "zon2nix": "zon2nix"
       },
       "locked": {
-        "lastModified": 1738619868,
+        "lastModified": 1745440371,
-        "narHash": "sha256-q4h4SY1kVkZG4t/59CmJvaKjlx+xjojhdU1HqxiQhrQ=",
+        "narHash": "sha256-Nb6h64rKi2p6GEAnz8mxIKVDvzozndC3SB9T+vXWfL8=",
         "owner": "ghostty-org",
         "repo": "ghostty",
-        "rev": "f0d276062b78658fc1f3857e9ea104788f1f4e58",
+        "rev": "4e91d11a60bf3f52a15936cef65eae7135906b28",
         "type": "github"
       },
       "original": {
@@ -233,11 +235,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736373539,
+        "lastModified": 1744743431,
-        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "narHash": "sha256-iyn/WBYDc7OtjSawbegINDe/gIkok888kQxk3aVnkgg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "rev": "c61bfe3ae692f42ce688b5865fac9e0de58e1387",
         "type": "github"
       },
       "original": {
@@ -261,16 +263,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1729958008,
+        "lastModified": 1737371634,
-        "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
+        "narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=",
         "owner": "NuschtOS",
         "repo": "ixx",
-        "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
+        "rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648",
         "type": "github"
       },
       "original": {
         "owner": "NuschtOS",
-        "ref": "v0.0.6",
+        "ref": "v0.0.7",
         "repo": "ixx",
         "type": "github"
       }
@@ -303,11 +305,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1738574474,
+        "lastModified": 1745487689,
-        "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=",
+        "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c",
+        "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
         "type": "github"
       },
       "original": {
@@ -319,11 +321,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1733423277,
+        "lastModified": 1741992157,
-        "narHash": "sha256-TxabjxEgkNbCGFRHgM/b9yZWlBj60gUOUnRT/wbVQR8=",
+        "narHash": "sha256-nlIfTsTrMSksEJc1f7YexXiPVuzD1gOfeN1ggwZyUoc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e36963a147267afc055f7cf65225958633e536bf",
+        "rev": "da4b122f63095ca1199bd4d526f9e26426697689",
         "type": "github"
       },
       "original": {
@@ -351,11 +353,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1733229606,
+        "lastModified": 1741865919,
-        "narHash": "sha256-FLYY5M0rpa5C2QAE3CKLYAM6TwbKicdRK6qNrSHlNrE=",
+        "narHash": "sha256-4thdbnP6dlbdq+qZWTsm4ffAwoS8Tiq1YResB+RP6WE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "566e53c2ad750c84f6d31f9ccb9d00f823165550",
+        "rev": "573c650e8a14b2faa0041645ab18aed7e60f0c9a",
         "type": "github"
       },
       "original": {
@@ -367,11 +369,11 @@
     },
     "nixpkgs-unstable_2": {
       "locked": {
-        "lastModified": 1742669843,
+        "lastModified": 1745391562,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
         "type": "github"
       },
       "original": {
@@ -396,11 +398,11 @@
         "treefmt-nix": []
       },
       "locked": {
-        "lastModified": 1738413494,
+        "lastModified": 1745068593,
-        "narHash": "sha256-qgshhFqTKsPA3QMwPhbYZrvcRCbkzZ/pZNbJSrCtLTE=",
+        "narHash": "sha256-YuQRMvqLVu+ghl2XzqXyVg/YevH/t3XHVCl7w+UrCH8=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "3eafee65e0f20684cb09223718195425b54c02a4",
+        "rev": "d35dc6dfcae3ff1a0c72f2d59491a7d83e5505a3",
         "type": "github"
       },
       "original": {
@@ -420,11 +422,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1737924095,
+        "lastModified": 1745046075,
-        "narHash": "sha256-9RO/IlxiE7bpY7GYsdDMNB533PnDOBo9UvYyXXqlN4c=",
+        "narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=",
         "owner": "NuschtOS",
         "repo": "search",
-        "rev": "5efc9c966bb9bdad07a3c28667eac38b758c6f18",
+        "rev": "066afe8643274470f4a294442aadd988356a478f",
         "type": "github"
       },
       "original": {
@@ -501,11 +503,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742700801,
+        "lastModified": 1745310711,
-        "narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
+        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
+        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
         "type": "github"
       },
       "original": {
@@ -582,18 +584,21 @@
         "flake-compat": [
           "ghostty"
         ],
-        "flake-utils": "flake-utils",
+        "flake-utils": [
+          "ghostty",
+          "flake-utils"
+        ],
         "nixpkgs": [
           "ghostty",
           "nixpkgs-stable"
         ]
       },
       "locked": {
-        "lastModified": 1717848532,
+        "lastModified": 1741825901,
-        "narHash": "sha256-d+xIUvSTreHl8pAmU1fnmkfDTGQYCn2Rb/zOwByxS2M=",
+        "narHash": "sha256-aeopo+aXg5I2IksOPFN79usw7AeimH1+tjfuMzJHFdk=",
         "owner": "mitchellh",
         "repo": "zig-overlay",
-        "rev": "02fc5cc555fc14fda40c42d7c3250efa43812b43",
+        "rev": "0b14285e283f5a747f372fb2931835dd937c4383",
         "type": "github"
       },
       "original": {
@@ -601,6 +606,32 @@
         "repo": "zig-overlay",
         "type": "github"
       }
+    },
+    "zon2nix": {
+      "inputs": {
+        "flake-utils": [
+          "ghostty",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "ghostty",
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742104771,
+        "narHash": "sha256-LhidlyEA9MP8jGe1rEnyjGFCzLLgCdDpYeWggibayr0=",
+        "owner": "jcollie",
+        "repo": "zon2nix",
+        "rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
+        "type": "github"
+      },
+      "original": {
+        "owner": "jcollie",
+        "ref": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
+        "repo": "zon2nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -40,6 +40,7 @@
         lift = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
+            sops-nix.nixosModules.sops
             ./hosts/lift
           ];
         };

home/terminal/default.nix

@@ -118,8 +118,10 @@
       extraConfig = ''
       bind-key Space next-window
 
-      set -g status-right '#[fg=colour242]#S'
+      set -g status-right '#[fg=colour246]#{pane_current_path} #S'
       set -g status-left ' '
+      set -g status-interval 1
+      set -g status-right-length 200
       set -g window-status-format '#I:#W'
       set -g window-status-current-format '#I:#W'
       set -g allow-rename off

hosts/dalinar/default.nix

@@ -34,6 +34,14 @@
     };
   };
 
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.johannes-rothe.de/onjen/nixos-config";
+    flags = [ "--no-write-lock-file" ];
+    allowReboot = true;
+    dates = "daily";
+  };
+
   nix.gc = {
     automatic = true;
     dates = "weekly";
@@ -46,7 +54,8 @@
     firewall = {
       enable = true;
       allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [ 80 443];
+      allowedTCPPorts = [ 80 443 ];
+      trustedInterfaces = [ "tailscale0" ];
     };
     # head -c4 /dev/urandom | od -A none -t x4
     # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
@@ -69,6 +78,7 @@
   sops.age.keyFile = "/etc/age/keys.txt";
   sops.secrets."miniflux/ADMIN_USERNAME" = { };
   sops.secrets."miniflux/ADMIN_PASSWORD" = { };
+  sops.secrets."borg/passphrase" = { };
   sops.templates."miniflux-admin-credentials".content = ''
     ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
     ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
@@ -81,6 +91,14 @@
   sops.templates."searx-env".content = ''
     SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"}
   '';
+  sops.secrets."transmission_rpc/user" = { };
+  sops.secrets."transmission_rpc/password" = { };
+  sops.templates."transmission-secrets.json".content = ''
+  {
+    "rpc-username": "${config.sops.placeholder."transmission_rpc/user"}",
+    "rpc-password": "${config.sops.placeholder."transmission_rpc/password"}"
+  }
+  '';
 
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -92,6 +110,10 @@
   users.mutableUsers = false;
   # mkpasswd -m sha512crypt <password>
   users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";
+  users.users.sambauser = {
+    isNormalUser = true;
+    createHome = false;
+  };
 
   environment.systemPackages = with pkgs; [
     ethtool
@@ -119,6 +141,34 @@
 
   services.zfs.autoScrub.enable = true;
 
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        security = "user";
+        workgroup = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "hosts allow" = "100. 172.16.0. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      media = {
+        path = "/storage/encrypted/media/";
+        browseable = "yes";
+        writeable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = config.services.jellyfin.user;
+        "force group" = config.services.jellyfin.group;
+      };
+    };
+  };
+
   services.unbound = {
     enable = true;
     settings = {
@@ -184,10 +234,8 @@
 
   services.immich = {
     enable = true;
-    host = "0.0.0.0";
-    openFirewall = true;
     machine-learning.enable = false;
-    # TODO set data dir
+    mediaLocation = "/storage/encrypted/photos/";
   };
 
   services.prometheus = {
@@ -236,6 +284,15 @@
     adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
   };
 
+  services.jellyfin = {
+    enable = true;
+  };
+
+  services.languagetool = {
+    enable = true;
+    port = 8585;
+  };
+
   services.caddy = {
     enable = true;
     environmentFile = config.sops.templates."caddy-global-conf".path;
@@ -266,12 +323,86 @@
           reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port}
         '';
       };
+      "https://lidarr.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.lidarr.settings.server.port}
+        '';
+      };
+      "https://transmission.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy lidarr:${builtins.toString config.containers.lidarr.config.services.transmission.settings.rpc-port}
+        '';
+      };
+      "https://jellyfin.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:8096
+        '';
+      };
+      "https://immich.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString config.services.immich.port}
+        '';
+      };
+      "https://languagetool.dalinar.home.johannes-rothe.de" = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString config.services.languagetool.port}
+        '';
+      };
     };
   };
 
+  services.borgmatic = let
+      commonSettings = {
+        compression = "lz4";
+        archive_name_format = "backup-{now}";
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+        keep_yearly = 1;
+        check_last = 3;
+      };
+      borgID = "zh5200";
+    in {
+      enable = true;
+      # After a new installation
+      #  * Run `nix run nixpkgs#borgmatic -- init --encryption repokey-blake2` to initialize the repos
+      #  * Generate and add ssh key to rsync.net (see Multiple Keys Section at https://www.rsync.net/resources/howto/ssh_keys.html)
+      configurations = {
+        files = commonSettings // {
+          source_directories = [
+            "/storage/encrypted/media/books"
+            "/storage/encrypted/media/home-videos"
+            "/storage/encrypted/photos/"
+          ];
+          repositories = [{
+            path = "ssh://${borgID}@${borgID}.rsync.net/./dalinar-files";
+            label = "dalinar-files";
+          }];
+        };
+
+        databases = commonSettings // {
+          source_directories = lib.mkForce [ ]; # Should never be set for the databases repo
+          postgresql_databases = [
+            { name = "immich"; username = "immich"; }
+            { name = "miniflux"; username = "miniflux"; }
+          ];
+          repositories = [{
+            path = "ssh://${borgID}@${borgID}.rsync.net/./dalinar-databases";
+            label = "dalinar-databases";
+          }];
+        };
+      };
+    };
+
+    systemd.services.borgmatic = {
+      environment = {
+        BORG_PASSCOMMAND = "cat ${config.sops.secrets."borg/passphrase".path}";
+      };
+    };
+
   networking.nat = {
     enable = true;
-    internalInterfaces = [ "ve-searx" ];
+    internalInterfaces = [ "ve-*" ];
     externalInterface = "eno1";
   };
 
@@ -279,6 +410,7 @@
     autoStart = true;
     ephemeral = true;
     privateNetwork = true;
+    # privateUsers = "pick";
     hostAddress = "192.168.100.2";
     localAddress = "192.168.100.3";
     bindMounts."/run/secrets/searx-env" = {
@@ -300,6 +432,55 @@
     };
   };
 
+  containers.lidarr = {
+    autoStart = true;
+    privateNetwork = true;
+    enableTun = true;
+    hostAddress = "192.168.100.4";
+    localAddress = "192.168.100.5";
+    bindMounts."/run/secrets/tranmission.json" = {
+      isReadOnly = true;
+      hostPath = config.sops.templates."transmission-secrets.json".path;
+    };
+    config = { pkgs, ... }: {
+      system.stateVersion = "24.11";
+      networking.useHostResolvConf = lib.mkForce false;
+      # Required workaround for tailscale exit nodes, see https://nixos.wiki/wiki/Tailscale
+      networking.firewall.checkReversePath = "loose";
+      networking.nftables.enable = true;
+      services.resolved.enable = true;
+
+      # Tailscale is also used for local connectivity, since the exit node for
+      # some reason prevents local access
+      services.tailscale.enable = true;
+
+      services.transmission = {
+        enable = true;
+        openRPCPort = true;
+        credentialsFile = "/run/secrets/tranmission.json";
+        settings = {
+          rpc-port = 9091;
+          rpc-bind-address = "0.0.0.0";
+          rpc-whitelist-enabled = false;
+          rpc-authentication-required = true;
+        };
+        webHome = pkgs.flood-for-transmission;
+      };
+      # https://github.com/NixOS/nixpkgs/issues/258793
+      systemd.services.transmission.serviceConfig = {
+        RootDirectoryStartOnly = lib.mkForce false;
+        RootDirectory = lib.mkForce "";
+        PrivateMounts = lib.mkForce false;
+        PrivateUsers = lib.mkForce false;
+      };
+
+      services.lidarr = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+  };
+
   system.stateVersion = "24.11"; # Don't change
 
 }

hosts/dalinar/secrets.yaml

@@ -5,6 +5,11 @@ caddy:
     ionos_dns_api_key: ENC[AES256_GCM,data:boZTsuMbYRHk16VAjPu1pw6Z/dRw8PCCb0VT5KKwiofq6FydBhZ7pLEpHy/q8UfZB0AEUtKNXxrTa8R1WFFAGwad9JqC49DBNxnhxT7yDppu1x8fI0s7U5AYZHIDekTXw22N5EmUT1zzMoFPogHkLr+JPiSGVSM=,iv:pg/RlPFOanMVjaMAu4DSXC/cLgPA6quSs4e4Z50Iyf0=,tag:83md4Psn21z3HtBL0cQIyA==,type:str]
 searx:
     secret_key: ENC[AES256_GCM,data:N8rfDlmDGltQOc+dcdCP0ghGMbEcdZWmoeH2tQTphKGLKg==,iv:JMUcI3ln2rm09FSy6A382soh6oaSvOCCfq1LeeyoE9g=,tag:z5fqLlLVmRpgvMUM2NI0RA==,type:str]
+transmission_rpc:
+    user: ENC[AES256_GCM,data:w+gjEQ==,iv:Qyp2zvUBagrMMdUMN6ghIZuGxSMEvhh2/JPXtRtBJ7Q=,tag:6rOt4Goc7n0nrIycdbquhw==,type:str]
+    password: ENC[AES256_GCM,data:SUTKckSWqW94eshNkysVfA==,iv:WtuyR7Y9a7lyaZ9AbJyTiVVYVbJUsxHqtRU/5T1aO/E=,tag:eyveY9/aA1EQ2JXU2NrDYg==,type:str]
+borg:
+    passphrase: ENC[AES256_GCM,data:O0NgLUbf+1bC3r0RP9ozb5GMdb9AUqk2o+rczMCKgY7n1WEQvj5LmMW/Cg==,iv:kB8B8H/Kw/daJ0RWTXE6FrFRILK/P8A1yImEy90tqvM=,tag:ocZll0ravre2vfU2xtFurA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +34,8 @@ sops:
             SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
             bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-24T21:54:24Z"
+    lastmodified: "2025-04-25T21:11:20Z"
-    mac: ENC[AES256_GCM,data:ptQt4xit3quAJ+S+BQe2vzZz7JcfTxs5Z3kMwb6TuL7f0uX6Cr/h6HEJOu4ERIgN2hFzScDSdwW6/0XW4IepdUxTIVW5TPMpxf9QrlhBRJd8hd41jHywEubN2bvSe/a3Nm1og5v603X0/jlyqLzhOFBZCYjEKVEL7c0fWyneo+U=,iv:AkK3hPgHwCdyOmyRxzL8X5Vud38H6N+2J/XHV08klFQ=,tag:IdngdAUy7ylWIjkgMLeAJg==,type:str]
+    mac: ENC[AES256_GCM,data:Y9oV1f9kkOqz031wn0HOh8Trh6W+KDlZ2smLQdhdiG1pLknShJ+JaSzKLkg2zOj8FCJ52t+iJv/90VVGSPrM7zp1Z4mPoJwodlfObFOdy2bwkeDUXHHWDYg4ji+zUePa+z/kPXh3yAqKG6jeUfFLZ3RroXFI9dEchIdbiIdKdCg=,iv:ccbvursbZGa3bih/LMZ+YQrwkhT1dpdchjTx8jVvMDE=,tag:JGlwkKJ/lF8a5FxeN0C6ww==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

hosts/lift/configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   # Bootloader.
@@ -22,6 +22,30 @@
   systemd.network.wait-online.enable = false;
   boot.initrd.systemd.network.wait-online.enable = false;
 
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [];
+  sops.age.keyFile = "/home/rothe/.config/sops/age/keys.txt";
+  sops.secrets."samba/user" = { };
+  sops.secrets."samba/password" = { };
+  sops.templates.sambacreds.content = ''
+    username=${config.sops.placeholder."samba/user"}
+    password=${config.sops.placeholder."samba/password"}
+  '';
+
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
+  fileSystems."/mnt/media" = {
+    device = "//dalinar.home.johannes-rothe.de/media";
+    fsType = "cifs";
+    options = let
+      # this line prevents hanging on network split
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+
+    in ["${automount_opts},credentials=${config.sops.templates.sambacreds.path},uid=1000,gid=100"];
+  };
 
   # bluetooth
   hardware.bluetooth.enable = true;
@@ -29,6 +53,7 @@
   environment.systemPackages = with pkgs; [
     avrdude
     cryptsetup
+    cifs-utils
     ffmpeg
     fzf
     gammastep

hosts/lift/secrets.yaml

@@ -0,0 +1,23 @@
+samba:
+    user: ENC[AES256_GCM,data:gxlxZYtLyom7,iv:wCNASjPzkcf0IPV1Hy5PF5fznTbs1blG3CIRK2D30Yw=,tag:q1uaEx/raTxR5XKEhBYqHw==,type:str]
+    password: ENC[AES256_GCM,data:SNyQ6MFZkq7Vik2kzuJXgA==,iv:dc9HMgDd/xH6EXjM55QxKJGkT9/nOtU4a1/sCLFvstM=,tag:b5HBuhuANo63OgMkeuEMdQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZdnFSRUlYWDNoc2h4RGdS
+            TEN3TlpiWkVZaHFyWXJLSE9nRjBEd243RWh3CmtBd3dyYzlVTzJHMUdyYjNVQTk1
+            WVdTajg4b2JMRWlwNXhhOEtUTTRmdFkKLS0tIEJqakloNHNlQlgwRVNMT2lQWWlh
+            ejY4UDlFZlYvak5kZmM2Ylp3dkJHNk0KE8hC2CybCA8YJ5F4hv/szIOcn1XXp8+a
+            c62iDMBYWV6TjzQSqYryDoejj9eE/fnbSRoj632MUbZzu87toCj/pw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-30T16:45:13Z"
+    mac: ENC[AES256_GCM,data:O0JI59PeSgb/49EMTIcjALXBhN6sK6CTKwqvlU6PPcCz02ibiuivQD1ow8lAP67GaCzOlNOuDdtr0rTx6cuc7BuPGsfD/MGjw+Aw2OS57fPRUyGVMKLIXgpCOaakXTkfKwDSqjTgtrPdgqVyQgJB1osRR5ji2nAj1Cmk3/JEqPA=,iv:mbUrOBkyb+M7cxW971gnCLyaABYLnHMjrJlxy+lW5Jo=,tag:7asKES378gynGN4Bqjsw0A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4