hosts/alyssum/home.syncthing.nix

@@ -4,8 +4,6 @@ let
     me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
     me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
 
-    systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
-
     users.users.${user} = {
       hashedPasswordFile = config.age.secrets.passwd.path;
       isNormalUser = true;
@@ -20,12 +18,6 @@ let
       services.syncthing = {
         enable = true;
         guiAddress = "[::]:${toString port}";
-        options.listenAddresses = [
-          "tcp://0.0.0.0:2${toString port}"
-          "quic://0.0.0.0:2${toString port}"
-          "dynamic+https://relays.syncthing.net/endpoint"
-        ];
-        settings.defaults.folder.path = "/flower/syncthing/${user}";
       };
     };
   };

hosts/alyssum/samba.nix

@@ -1,83 +1,88 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }: {
-let
+  networking.firewall.allowPing = true;
-  configOn = user: let
-    passwd_fname = "passwd_smb${user}";
-  in {
-    age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
-    me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
 
-    users.users.${user} = {
+  age.secrets.passwd_smbcilly.file = ../../secrets/passwd_smbcilly.age;
-      hashedPasswordFile = config.age.secrets.passwd.path;
+  age.secrets.passwd_smbkujira.file = ../../secrets/passwd_smbkujira.age;
-      isNormalUser = true;
-    };
 
-    system.activationScripts = {
+  users.users.cilly = {
-      init_smbpasswd.text = let
+    hashedPasswordFile = config.age.secrets.passwd.path;
-        smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+    isNormalUser = true;
-      in ''
-        printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
-      '';
-    };
-    services.samba.settings."${user}" = {
-      "path" = "/flower/smb/${user}";
-      "browseable" = "yes";
-      "read only" = "no";
-      "guest ok" = "no";
-      "create mask" = "0644";
-      "directory mask" = "0755";
-      "force user" = user;
-      "force group" = "users";
-      "valid users" = user;
-    };
   };
-in lib.mkMerge [
+  users.users.kujira = {
-  (configOn "cilly")
+    hashedPasswordFile = config.age.secrets.passwd.path;
-  (configOn "kujira")
+    isNormalUser = true;
-  {
+  };
-    me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
+  system.activationScripts = {
+    init_smbpasswd.text = let
+      smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
+    in ''
+      printf "$(cat ${config.age.secrets.passwd_smbcilly.path})\n$(cat ${config.age.secrets.passwd_smbcilly.path})\n" | ${smbpasswd} -sa cilly
 
-    networking.firewall.allowPing = true;
+      printf "$(cat ${config.age.secrets.passwd_smbkujira.path})\n$(cat ${config.age.secrets.passwd_smbkujira.path})\n" | ${smbpasswd} -sa kujira
+    '';
+  };
 
-    services.samba = {
+  services.samba = {
-      enable = true;
+    enable = true;
-      package = pkgs.samba4Full;
+    package = pkgs.samba4Full;
-      openFirewall = true;
+    openFirewall = true;
-      settings = {
+    settings = {
-        global = {
+      global = {
-          "server smb encrypt" = "required";
+        "server smb encrypt" = "required";
-          "workgroup" = "WORKGROUP";
+        "workgroup" = "WORKGROUP";
-          "server string" = "smbnix";
+        "server string" = "smbnix";
-          "netbios name" = "smbnix";
+        "netbios name" = "smbnix";
-          "security" = "user";
+        "security" = "user";
-          "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
+        "hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
-          "hosts deny" = "0.0.0.0/0";
+        "hosts deny" = "0.0.0.0/0";
-          "guest account" = "nobody";
+        "guest account" = "nobody";
-          "map to guest" = "bad user";
+        "map to guest" = "bad user";
-        };
+      };
-        "public" = {
+      "public" = {
-          "path" = "/flower/smb/public";
+        "path" = "/flower/smb/public";
-          "browseable" = "yes";
+        "browseable" = "yes";
-          "read only" = "no";
+        "read only" = "no";
-          "guest ok" = "yes";
+        "guest ok" = "yes";
-          "create mask" = "0644";
+        "create mask" = "0644";
-          "directory mask" = "0755";
+        "directory mask" = "0755";
-          "force user" = "hana";
+        "force user" = "hana";
-          "force group" = "users";
+        "force group" = "users";
-        };
+      };
+      "cilly" = {
+        "path" = "/flower/smb/cilly";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "cilly";
+        "force group" = "users";
+        "valid users" = "cilly";
+      };
+      "kujira" = {
+        "path" = "/flower/smb/kujira";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "kujira";
+        "force group" = "users";
+        "valid users" = "kujira";
       };
     };
+  };
 
-    services.samba-wsdd = {
+  services.samba-wsdd = {
-      enable = true;
+    enable = true;
-      openFirewall = true;
+    openFirewall = true;
-    };
+  };
 
-    services.avahi = {
+  services.avahi = {
-      enable = true;
+    enable = true;
-      openFirewall = true;
+    openFirewall = true;
-      nssmdns4 = true;
+    nssmdns4 = true;
-      publish.enable = true;
+    publish.enable = true;
-      publish.userServices = true;
+    publish.userServices = true;
-    };
+  };
-  }
+}
-]

modules/binds.nix

@@ -1,12 +1,8 @@
 { config, lib, ...}: {
   imports = [ ./options.nix ];
-  fileSystems = lib.mapAttrs (dest: key: let
+  fileSystems = lib.mapAttrs (dest: key: {
-    target = if (lib.strings.hasPrefix "/" key)
-      then key
-      else "/persist/binds/${key}";
-  in {
     depends = [ "/persist" ];
-    device = target;
+    device = "/persist/binds/${key}";
     fsType = "none";
     options = [ "bind" ];
   }) config.me.binds;