add groupshare (currently not working)

2026-01-12 04:39:23 +08:00 · 2023-09-12 22:43:38 +08:00
parent 716a4cbfcf
commit 53be0e13c4
6 changed files with 61 additions and 10 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -444,7 +444,9 @@
                snapper = { enable = true; configs.persistent = "/nix/persistent"; };
                sshd.enable = true;
                xrdp = { enable = true; hostname = "nas.chn.moe"; };
+                groupshare.enable = true;
              };
+              users = [ "root" "chn" "xll" ];
            };})
          ];
          "xmupc1" =
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -13,6 +13,7 @@ inputs:
    ./synapse.nix
    ./phpfpm.nix
    ./xrdp.nix
+    ./groupshare.nix
    # ./docker.nix
  ];
  options.nixos.services = let inherit (inputs.lib) mkOption types; in
--- a/modules/services/groupshare.nix
+++ b/modules/services/groupshare.nix
@@ -0,0 +1,32 @@
+inputs:
+{
+  options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (builtins) listToAttrs map concatLists;
+      inherit (inputs.config.nixos.services) groupshare;
+      users = inputs.config.users.groups.groupshare.members;
+    in mkIf groupshare.enable
+    {
+      users.groups.groupshare = {};
+      systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
+      ++ (concatLists (map
+        (user:
+        [
+          "d /var/lib/groupshare/${user} 0750 ${user} groupshare"
+          "a /var/lib/groupshare/${user} - - - - u::rwX,g::rX,o::r"
+        ])
+        users));
+      fileSystems = listToAttrs (map
+        (user:
+        {
+          name = "${inputs.config.users.users."${user}".home}/share";
+          value = { device = "/var/lib/groupshare"; options = [ "bind" ]; };
+        })
+        users);
+    };
+}
--- a/modules/system/fileSystems.nix
+++ b/modules/system/fileSystems.nix
@@ -79,7 +79,11 @@ inputs:
      # mount.vfat
      {
        fileSystems = listToAttrs (map
-          (device: { name = device.value; value = { device = device.name; fsType = "vfat"; neededForBoot = true; }; })
+          (device:
+          {
+            name = device.value;
+            value = { device = device.name; fsType = "vfat"; options = [ "acl" ]; neededForBoot = true; };
+          })
          (attrsToList fileSystems.mount.vfat));
      }
      # mount.btrfs
@@ -106,7 +110,7 @@ inputs:
                    # zstd:15 5m33s 7.16G
                    # zstd:8 54s 7.32G
                    # zstd:3 17s 7.52G
-                    options = [ "compress-force=zstd" "subvol=${subvol.name}" ];
+                    options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" ];
                    neededForBoot = true;
                  };
                }
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -29,7 +29,7 @@ inputs:
        {
          isNormalUser = true;
          extraGroups = inputs.lib.intersectLists
-            [ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" ]
+            [ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
            (builtins.attrNames inputs.config.users.groups);
          shell = inputs.pkgs.zsh;
          autoSubUidGidRange = true;
@@ -110,14 +110,24 @@ inputs:
          };
        };
      };
+      xll =
+      {
+        users.users.xll =
+        {
+          isNormalUser = true;
+          extraGroups = inputs.lib.intersectLists
+            [ "groupshare" ]
+            (builtins.attrNames inputs.config.users.groups);
+          passwordFile = inputs.config.sops.secrets."users/xll".path;
+          shell = inputs.pkgs.zsh;
+          autoSubUidGidRange = true;
+        };
+        sops.secrets."users/xll".neededForUsers = true;
+      };
    };
  in
  {
-    options.nixos.users = mkOption
-    {
-      type = types.listOf (types.enum (attrNames users));
-      default = [ "root" "chn" ];
-    };
+    options.nixos.users = mkOption { type = types.listOf (types.enum (attrNames users)); default = [ "root" "chn" ]; };
    config = mkMerge (map (user: mkIf (builtins.elem user inputs.config.nixos.users) users.${user}) (attrNames users));
  }

--- a/secrets/nas.yaml
+++ b/secrets/nas.yaml
@@ -4,6 +4,8 @@ nebula:
    key: ENC[AES256_GCM,data:zWLXEH628ZVDZk7U/9zEXocJatCJr7hZrCmh/pifPlxVvVud5RQxLvgRvhQ=,iv:YFn7spiIcaW/l8dQZvGhsERi81L2RKLUE/55Bht0TMQ=,tag:fVdIRCMeT6o0lrGVDjCVlA==,type:str]
 acme:
    cloudflare.ini: ENC[AES256_GCM,data:/LpP1qoVS+CG+5ska6vtmagHNrhcgr5e1QRzDdbdCYGnDB8Nca/GmIogzHCXsogQY/rwGTCZoXLKKEGToYiThwk=,iv:R++I0ued2wrVsmM/vYvBVMOp9M7HyZIfDOVOlg7GALE=,tag:gYchPuh8MHk3EEnGb9g4WA==,type:str]
+users:
+    xll: ENC[AES256_GCM,data:enJRRLbRhK0ypMuYrdArfOZvKjNZxVEX3QgWBHU2Q9RfDq+3TftWYBmPf5zG2dAaChQW2fNXEjCRNautpjfoMBUBEpA/+I/x7g==,iv:RKTOoD0ToTJWOccrrGfDrOZDtV+gM62y1Ed+HByvawU=,tag:IXOwGGj1osatSOyGlfCIag==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -28,8 +30,8 @@ sops:
            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-12T12:56:01Z"
-    mac: ENC[AES256_GCM,data:TnqLYhK0Q5E12oiXx9igkHJraHM8BHsc/ODzOvpUrHGMF2JR++NcJWEqzKdkPUy/lQi89/21Kf0f7cdJUctiQmC9JOrjrmKruTwPOH5A7EqgCetTgwygU3Tw+GasUIsmcNPIc44H6tRyqDc2ahPJsYXl31VXL7TCv69FGGJzv/g=,iv:mZOog09Ub3hiGznMe2eKHdJ3oVD5uGElbIzJd6BoJYI=,tag:zr9EJY3/3gfgAQHQeiUv2w==,type:str]
+    lastmodified: "2023-09-12T14:38:06Z"
+    mac: ENC[AES256_GCM,data:XxSmAUnOH/PSF2WmsPQWBtG0rEQ7Y1cqLjZOINsxR8w31z5QI5AkAvabvn39pLxglODscaTs5m0729AnfzPRwe2gjvfXPG2qQzvb+KtcMsJQDoLF7tq8g8blfDL4ao4bU6j1UADQummVw9FLTLf11wfw4lSZvC0pfc6lFaVu1ao=,iv:q/jc747W/Z+z1hjLJvGBWG3r7GPZeFc/SRBxOVLNToE=,tag:6fKLwxpHB5BfnpeLxYOAPA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3