暂存

2026-01-12 04:39:23 +08:00 · 2023-07-26 21:05:46 +08:00
parent c34c579835
commit 39eb683ee8
4 changed files with 182 additions and 146 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -240,6 +240,20 @@
 											snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 											fontconfig.enable = true;
 											u2f.enable = true;
+											sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
+											samba =
+											{
+												enable = true;
+												private = true;
+												hostsAllowed = "192.168. 127.";
+												shares =
+												{
+													media.path = "/run/media/chn";
+													home.path = "/home/chn";
+													mnt.path = "/mnt";
+													share.path = "/home/chn/share";
+												};
+											};
 										};
 									};
 									systemd.sleep.extraConfig = localLib.stripeTabs	
@@ -249,10 +263,8 @@
 									";
 								}; })

-								./modules/sops.nix
 								[ ./modules/hardware/nvidia-prime.nix { intelBusId = "PCI:0:2:0"; nvidiaBusId = "PCI:1:0:0"; } ]
 								./modules/hardware/chn-PC.nix
-								./modules/networking/samba.nix
 								./modules/networking/ssh.nix
 								./modules/networking/wall_client.nix
 								./modules/networking/xmunet.nix
--- a/modules/networking/samba.nix
+++ b/modules/networking/samba.nix
@@ -1,46 +0,0 @@
-inputs:
-{
-	config =
-	{
-		# make shares visible for windows 10 clients
-		services.samba-wsdd.enable = true;
-		# networking.firewall = { allowedTCPPorts = [ 5357 ]; allowedUDPPorts = [ 3702 ]; };
-		services.samba =
-		{
-			enable = true;
-			securityType = "user";
-			extraConfig = inputs.localLib.stripeTabs
-			''
-				workgroup = WORKGROUP
-				server string = Samba Server
-				server role = standalone server
-				hosts allow = 192.168. 127.
-				dns proxy = no
-			'';
-			#	obey pam restrictions = yes
-			#	encrypt passwords = no
-			shares = builtins.listToAttrs (builtins.map
-				(config: { name = config.name; value =
-				{
-					comment = config.comment;
-					path = config.path;
-					browseable = true;
-					writeable = true;
-					"create mask" = "664";
-					"force create mode" = "644";
-					# "security mask" = "644";
-					# "force security mode" = "644";
-					"directory mask" = "2755";
-					"force directory mode" = "2755";
-					# "directory security mask" = "2755";
-					# "force directory security mode" = "2755";
-				}; })
-				[
-					{ name = "media"; comment = "chn media"; path = "/run/media/chn"; }
-					{ name = "home"; comment = "chn home"; path = "/home/chn"; }
-					{ name = "mnt"; comment = "mnt"; path = "/mnt"; }
-					{ name = "share"; comment = "chn share"; path = "/home/chn/share"; }
-				]);
-		};
-	};
-}
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -15,96 +15,177 @@ inputs:
 		kmscon.enable = mkOption { type = types.bool; default = false; };
 		fontconfig.enable = mkOption { type = types.bool; default = false; };
 		u2f.enable = mkOption { type = types.bool; default = false; };
+		sops =
+		{
+			enable = mkOption { type = types.bool; default = false; };
+			keyPathPrefix = mkOption { type = types.str; default = ""; };
+		};
+		samba =
+		{
+			enable = mkOption { type = types.bool; default = false; };
+			wsdd = mkOption { type = types.bool; default = false; };
+			private = mkOption { type = types.bool; default = false; };
+			hostsAllowed = mkOption { type = types.str; default = "127."; };
+			shares = mkOption
+			{
+				type = types.attrsOf (types.submodule { options =
+				{
+					comment = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+					path = mkOption { type = types.nonEmptyStr; };
+				};});
+				default = {};
+			};
+		};
 	};
-	config = let inherit (inputs.lib) mkMerge mkIf; inherit (inputs.localLib) stripeTabs attrsToList; in mkMerge
-	[
-		(
-			mkIf inputs.config.nixos.services.impermanence.enable
-			{
-				environment.persistence."${inputs.config.nixos.services.impermanence.persistence}" =
+	config =
+		let
+			inherit (inputs.lib) mkMerge mkIf;
+			inherit (inputs.localLib) stripeTabs attrsToList;
+			inherit (inputs.options.nixos) services;
+		in mkMerge
+		[
+			(
+				mkIf services.impermanence.enable
 				{
-					hideMounts = true;
-					directories =
-					[
-						"/etc/NetworkManager/system-connections"
-						"/home"
-						"/root"
-						"/var"
-					];
-					files =
-					[
-						"/etc/machine-id"
-						"/etc/ssh/ssh_host_ed25519_key.pub"
-						"/etc/ssh/ssh_host_ed25519_key"
-						"/etc/ssh/ssh_host_rsa_key.pub"
-						"/etc/ssh/ssh_host_rsa_key"
-					];
-				};
-			}
-		)
-    (
-      mkIf inputs.config.nixos.services.snapper.enable
-      {
-        services.snapper.configs =
-          let
-            f = (config:
-            {
-              inherit (config) name;
-              value =
-              {
-                SUBVOLUME = config.value;
-                TIMELINE_CREATE = true;
-                TIMELINE_CLEANUP = true;
-                TIMELINE_MIN_AGE = 1800;
-                TIMELINE_LIMIT_HOURLY = "10";
-                TIMELINE_LIMIT_DAILY = "7";
-                TIMELINE_LIMIT_WEEKLY = "1";
-                TIMELINE_LIMIT_MONTHLY = "0";
-                TIMELINE_LIMIT_YEARLY = "0";
-              };
-            });
-          in
-            builtins.listToAttrs (builtins.map f (attrsToList inputs.config.nixos.services.snapper.configs));
-      }
-    )
-		(
-			mkIf inputs.config.nixos.services.kmscon.enable
-			{
-				services.kmscon =
-				{
-					enable = true;
-					fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
-				};
-			}
-		)
-		(
-			mkIf inputs.config.nixos.services.fontconfig.enable
-			{
-				fonts =
-				{
-					fontDir.enable = true;
-					fonts = with inputs.pkgs;
-						[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
-					fontconfig.defaultFonts =
+					environment.persistence."${services.impermanence.persistence}" =
 					{
-						emoji = [ "Noto Color Emoji" ];
-						monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
-						sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
-						serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+						hideMounts = true;
+						directories =
+						[
+							"/etc/NetworkManager/system-connections"
+							"/home"
+							"/root"
+							"/var"
+						];
+						files =
+						[
+							"/etc/machine-id"
+							"/etc/ssh/ssh_host_ed25519_key.pub"
+							"/etc/ssh/ssh_host_ed25519_key"
+							"/etc/ssh/ssh_host_rsa_key.pub"
+							"/etc/ssh/ssh_host_rsa_key"
+						];
 					};
-				};
-			}
-		)
-		(
-			mkIf inputs.config.nixos.services.u2f.enable
-			{
-				security.pam =
+				}
+			)
+			(
+				mkIf services.snapper.enable
 				{
-					u2f = { enable = true; cue = true; authFile = ./u2f_keys; };
-					services = builtins.listToAttrs (builtins.map (name: { inherit name; value = { u2fAuth = true; }; })
-						[ "login" "sudo" "su" "kde" "polkit-1" ]);
-				};
-			}
-		)
-  ];
+					services.snapper.configs =
+						let
+							f = (config:
+							{
+								inherit (config) name;
+								value =
+								{
+									SUBVOLUME = config.value;
+									TIMELINE_CREATE = true;
+									TIMELINE_CLEANUP = true;
+									TIMELINE_MIN_AGE = 1800;
+									TIMELINE_LIMIT_HOURLY = "10";
+									TIMELINE_LIMIT_DAILY = "7";
+									TIMELINE_LIMIT_WEEKLY = "1";
+									TIMELINE_LIMIT_MONTHLY = "0";
+									TIMELINE_LIMIT_YEARLY = "0";
+								};
+							});
+						in
+							builtins.listToAttrs (builtins.map f (attrsToList services.snapper.configs));
+				}
+			)
+			(
+				mkIf services.kmscon.enable
+				{
+					services.kmscon =
+					{
+						enable = true;
+						fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
+					};
+				}
+			)
+			(
+				mkIf services.fontconfig.enable
+				{
+					fonts =
+					{
+						fontDir.enable = true;
+						fonts = with inputs.pkgs;
+							[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
+						fontconfig.defaultFonts =
+						{
+							emoji = [ "Noto Color Emoji" ];
+							monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
+							sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
+							serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+						};
+					};
+				}
+			)
+			(
+				mkIf services.u2f.enable
+				{
+					security.pam =
+					{
+						u2f = { enable = true; cue = true; authFile = ./u2f_keys; };
+						services = builtins.listToAttrs (builtins.map (name: { inherit name; value = { u2fAuth = true; }; })
+							[ "login" "sudo" "su" "kde" "polkit-1" ]);
+					};
+				}
+			)
+			(
+				mkIf services.sops.enable
+				{
+					sops =
+					{
+						defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
+						# sops start before impermanence, so we need to use the absolute path
+						age.sshKeyPaths = [ "${services.sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
+						gnupg.sshKeyPaths = [ "${services.sops.keyPathPrefix}/nix/persistent/etc/ssh/ssh_host_rsa_key" ];
+					};
+				}
+			)
+			(
+				mkIf services.samba.enable
+				{
+					# make shares visible for windows 10 clients
+					services =
+					{
+						samba-wsdd.enable = services.samba.wsdd;
+						samba =
+						{
+							enable = true;
+							openFirewall = !services.samba.private;
+							securityType = "user";
+							extraConfig = stripeTabs
+							''
+								workgroup = WORKGROUP
+								server string = Samba Server
+								server role = standalone server
+								hosts allow = ${services.samba.hostsAllowed}
+								dns proxy = no
+							'';
+							#	obey pam restrictions = yes
+							#	encrypt passwords = no
+							shares = builtins.listToAttrs (builtins.map
+								(share:
+								{
+									name = share.name;
+									value =
+									{
+										comment = if share.value.comment != null then share.value.comment else share.name;
+										path = share.value.path;
+										browseable = true;
+										writeable = true;
+										"create mask" = "664";
+										"force create mode" = "644";
+										"directory mask" = "2755";
+										"force directory mode" = "2755";
+									};
+								})
+								(attrsToList services.samba.shares));
+						};
+					};
+				}
+			)
+		];
 }
--- a/modules/sops.nix
+++ b/modules/sops.nix
@@ -1,11 +0,0 @@
-inputs:
-{
-	config.sops =
-	{
-		defaultSopsFile = ../secrets/${inputs.config.networking.hostName}.yaml;
-
-		# sops start before impermanence, so we need to use the absolute path
-		age.sshKeyPaths = [ "/nix/persistent/etc/ssh/ssh_host_ed25519_key" ];
-		gnupg.sshKeyPaths = [ "/nix/persistent/etc/ssh/ssh_host_rsa_key" ];
-	};
-}