alyssum/samba: use proper credentials

hosts/alyssum/default.nix

@@ -31,6 +31,7 @@
     ./filesystem.nix
     ./kernel.nix
     ./networking.nix
+    ./samba.nix
 
     ../../users/hana
   ];

hosts/alyssum/samba.nix

@@ -0,0 +1,84 @@
+{ config, ... }: {
+  networking.firewall.allowPing = true;
+
+  age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
+  age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age;
+
+  users.users.cilly = {
+    hashedPasswordFile = config.age.secrets.passwd.path;
+    isNormalUser = true;
+  };
+  users.users.kujira = {
+    hashedPasswordFile = config.age.secrets.passwd.path;
+    isNormalUser = true;
+  };
+  system.activationScripts = {
+    init_smbpasswd.text = ''
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbcilly.path})\n" | /run/current-system/sw/bin/smbpasswd -sa cilly
+
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n$(/run/current-system/sw/bin/cat ${config.age.secrets.passwd_smbkujira.path})\n" | /run/current-system/sw/bin/smbpasswd -sa kujira
+    '';
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+        "security" = "user";
+        "hosts allow" = "100.67.2.1 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+      };
+      "public" = {
+        "path" = "/flower/smb/public";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "hana";
+        "force group" = "users";
+      };
+      "cilly" = {
+        "path" = "/flower/smb/cilly";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "cilly";
+        "force group" = "users";
+        "valid users" = "cilly";
+      };
+      "kujira" = {
+        "path" = "/flower/smb/kujira";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "kujira";
+        "force group" = "users";
+        "valid users" = "kujira";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.avahi = {
+    enable = true;
+    openFirewall = true;
+    nssmdns4 = true;
+    publish.enable = true;
+    publish.userServices = true;
+  };
+}

secrets.nix

@@ -8,6 +8,8 @@ let
   rin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
 in {
   "secrets/passwd.age".publicKeys = [ anemone blossom rin ];
+  "secrets/passwd_smbcilly.age".publicKeys = [ alyssum rin ];
+  "secrets/passwd_smbkujira.age".publicKeys = [ alyssum rin ];
   "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ];
 
   "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ];

secrets/passwd_smbcilly.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw CQaXT9/nw3NGD2/H/ctSQGXIoacgjfKQ24wkpEieLSQ
+i4xEXgWGQ7xgQyaDQQIeDuiCLjA6Le23qSnv8C1cbcI
+-> ssh-ed25519 U9FXlg GL4dCSCku/FA6ipb9XI1AxO4lhm2r/1lRAeqaGrB32o
++pPgqwnoPi3wJLobTimVMj0rng+XRapRG6jTYFXSsDM
+--- eVgn3ON19pqq+L832bqlbkHUQXdaTI+LfSL4bYfEdew
+Æ*Œl\ÈWç!J7E/´»îò"f@%\ìüÏ[¨òj8fÓ¶›ž

secrets/passwd_smbkujira.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 kOMSPw Kn+LPMoyOrVwI/nrGgnxgVA3D+tVY9Tccg/Yx/jL+E8
+IfWiSBh7KgNvgcHlcDzfdcB9nxm1zy12Ae7AGm39fdE
+-> ssh-ed25519 U9FXlg 6eIIGEIYDo02FBsgBnwbuOeR8t4xB6jSmLfIL73UCDg
+QOc0ddunQQcVEVD20DKKpn3wZWUSveFJSUTBnv+xnNk
+--- MjN2i0FNzbUpBGUDNgWGXrRsYl2gtsQX+JlzZV/fYdw
+TÎ <ç‘R#d<>ĆÌŽlLkáN¦½º8´cÃ_N¬)±ŠT