nixos/modules/services/groupshare.nix

inputs:
{
  options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in
  {
    enable = mkOption { type = types.bool; default = false; };
    # hard to read value from inputs.config.users.users.xxx.home, causing infinite recursion
    mountPoints = mkOption { type = types.listOf types.str; default = []; };
  };
  config =
    let
      inherit (inputs.lib) mkIf;
      inherit (builtins) listToAttrs map concatLists concatStringsSep;
      inherit (inputs.config.nixos.services) groupshare;
      users = inputs.config.users.groups.groupshare.members;
    in mkIf groupshare.enable
    {
      users.groups.groupshare.gid = inputs.config.nixos.system.user.group.groupshare;
      systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
        ++ (concatLists (map
          (user:
          [
            "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
            "Z /var/lib/groupshare/${user} - ${user} groupshare"
            ("A /var/lib/groupshare/${user} - - - - "
              # d 指 default, 即目录下新创建的文件和目录的权限
              # 大写 X 指仅给目录执行权限
              # m 指 mask, 即对于所有者以外的用户, 该用户的权限最大为 m 指定的权限
              + (concatStringsSep "," (concatLists (map
                (perm: [ "d:${perm}" perm ])
                [ "u:${user}:rwX" "g:groupshare:r-X" "o::---" "m::r-x" ]))))
          ])
          users));
      fileSystems = listToAttrs (map
        (mountPoint:
        {
          name = mountPoint;
          value =
          {
            device = "/var/lib/groupshare";
            options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
            depends = [ "/home" "/var/lib" ];
          };
        })
        groupshare.mountPoints);
    };
}