
feat(odin): adding samba shares service

Zander Hawke пре 9 месеци
родитељ
комит
2d9af97881
4 измењених фајлова са 98 додато и 52 уклоњено
  1. 13 13
      flake.lock
  2. 1 0
      hosts/odin/age.nix
  3. 1 39
      hosts/odin/services/default.nix
  4. 83 0
      hosts/odin/services/samba.nix

+ 13 - 13
flake.lock

@@ -295,11 +295,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756579987,
-        "narHash": "sha256-duCce8zGsaMsrqqOmLOsuaV1PVIw/vXWnKuLKZClsGg=",
+        "lastModified": 1756663325,
+        "narHash": "sha256-HQLfFrJ9OjGNix/driLs77Zhvzq9xUvFU6Af0eHgsPQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "99a69bdf8a3c6bf038c4121e9c4b6e99706a187a",
+        "rev": "71b57070771aac60ca949b47d6b2bd2afd5e49d8",
         "type": "github"
       },
       "original": {
@@ -422,11 +422,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1756543146,
-        "narHash": "sha256-iFjXZwjYyqhmeGVLsxfxFWbSsXDIXSJUC6dyEkQFoHo=",
+        "lastModified": 1756601055,
+        "narHash": "sha256-32FECkjKLrIG00XUP2dZw+G2NjyetVAQRdN6Jb4v1ng=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9c9a90449133bfc2d19feff96c612c28e56d7edd",
+        "rev": "90fa096bc50648798f62d701eb5324a18702e8ee",
         "type": "github"
       },
       "original": {
@@ -438,11 +438,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1756438964,
-        "narHash": "sha256-yo473URkISSmBZeIE1o6Mf94VRSn5qFVFS9phb7l6eg=",
+        "lastModified": 1756636162,
+        "narHash": "sha256-mBecwgUTWRgClJYqcF+y4O1bY8PQHqeDpB+zsAn+/zA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c73522789a3c7552b1122773d6eaa34e1491cc1c",
+        "rev": "37ff64b7108517f8b6ba5705ee5085eac636a249",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1756582634,
-        "narHash": "sha256-kBBaHMP5g2Ytg0m0GBhZtIWXJG7kfpwd/ubP86Nx5tg=",
+        "lastModified": 1756665336,
+        "narHash": "sha256-w2mwy/ZxS+G/MDZOsZWgXTwTToyVENDBRFm3SYRdWXM=",
         "ref": "refs/heads/master",
-        "rev": "c99f89799cefa8bb37e8803cb274171d0441adda",
-        "revCount": 7,
+        "rev": "23c105869b98b1653a371178e3c4c709c4591c53",
+        "revCount": 8,
         "type": "git",
         "url": "ssh://[email protected]/control/secrets.git"
       },

+ 1 - 0
hosts/odin/age.nix

@@ -13,6 +13,7 @@
       file = inputs.secrets."odin/services/nullmailer.age";
       owner = config.services.nullmailer.user;
     };
+    "odin/services/samba".file = inputs.secrets."odin/services/samba.age";
     "odin/services/tailscale".file = inputs.secrets."odin/services/tailscale.age";
     "odin/users/thomas".file = inputs.secrets."odin/users/thomas.age";
   };

+ 1 - 39
hosts/odin/services/default.nix

@@ -1,9 +1,8 @@
-# { config, pkgs, ... }:
-
 {
   imports = [
     ./adguard.nix
     ./caddy.nix
+    ./samba.nix
     ./snapraid.nix
     ./tailscale.nix
     # ./immich.nix
@@ -14,41 +13,4 @@
     # ./nextcloud.nix
     # ./traefik.nix
   ];
-
-  # # Common service setup
-  # systemd.tmpfiles.rules = [
-  #   # Service directories
-  #   "d /srv 0755 root root -"
-  #   "d /srv/immich 0755 root root -"
-  #   "d /srv/media 0755 root root -"
-  #   "d /srv/web 0755 root root -"
-  #   "d /srv/monitoring 0755 root root -"
-  #
-  #   # Database directories
-  #   "d /databases 0755 root root -"
-  #   "d /databases/postgresql 0755 postgres postgres -"
-  #   "d /databases/redis 0755 redis redis -"
-  #
-  #   # Cache directories
-  #   "d /cache 0755 root root -"
-  #   "d /cache/immich 0755 root root -"
-  #
-  #   # Log directories
-  #   "d /logs 0755 root root -"
-  #   "d /logs/services 0755 root root -"
-  #
-  #   # Storage array structure
-  #   "d /storage 0755 root root -"
-  #   "d /storage/media 0755 root root -"
-  #   "d /storage/backups 0755 root root -"
-  #   "d /storage/photos 0755 root root -"
-  # ];
-  #
-  # # MergerFS for unified storage view
-  # services.mergerfs.mounts = {
-  #   "/storage" = {
-  #     branches = [ "/mnt/disk1" "/mnt/disk2" "/mnt/disk3" ];
-  #     options = "defaults,allow_other,use_ino,cache.files=partial,dropcacheonclose=true,category.create=mfs";
-  #   };
-  # };
 }

+ 83 - 0
hosts/odin/services/samba.nix

@@ -0,0 +1,83 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  shares = [ "thomas" "christine" ];
+  # TODO: make sure to add system users for all the users that don't exist
+in
+{
+  users.users.christine.isSystemUser = true;
+  users.users.christine.group = "storage";
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        workgroup = "WORKGROUP";
+        "server string" = config.networking.hostName;
+        "netbios name" = config.networking.hostName;
+        "security" = "user";
+        "invalid users" = [ "root" ];
+        "hosts allow" = "100.64.0.0/10 192.168.178. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+        "passdb backend" = "tdbsam";
+      };
+
+    } // builtins.listToAttrs
+      (map
+        (name: {
+          inherit name;
+          value = {
+            path = "/mnt/storage/samba/${name}";
+            "preserve case" = "yes";
+            "short preserve case" = "yes";
+            "browseable" = "yes";
+            "writeable" = "yes";
+            "read only" = "no";
+            "guest ok" = "no";
+            "create mask" = "0644";
+            "directory mask" = "0755";
+            "valid users" = "${name}";
+            "fruit:aapl" = "yes";
+            "vfs objects" = "catia fruit streams_xattr";
+          };
+        })
+        shares);
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /mnt/storage/samba 0755 root storage -"
+  ] ++ map (name: "d /mnt/storage/samba/${name} 0770 ${name} storage -") shares;
+
+  system.activationScripts.addSambaUsers = {
+    text = ''
+      #!/bin/sh
+      USERS="${config.age.secrets."odin/services/samba".path}"
+
+      if [ -f "$USERS" ]; then
+        while IFS=, read -r username password; do
+          if [ -z "$username" ] || [ -z "$password" ]; then
+            continue
+          fi
+
+          # Check if the user exists in the system
+          if id "$username" >/dev/null 2>&1; then
+            # Add or update the Samba user password
+            echo -e "$password\n$password" | ${lib.getExe' pkgs.samba "smbpasswd"} -s -a "$username"
+            echo "Added/Updated Samba user: $username"
+          else
+            echo "System user $username does not exist, skipping..."
+          fi
+        done < "$USERS"
+      else
+        echo "Samba users CSV file not found at $USERS"
+      fi
+    '';
+    deps = [ "users" ];
+  };
+}
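Review bot: `"map to guest" = "bad user"` in the global section still gives a client from an allowed network a guest session when it presents an unknown username, even though every share sets `"guest ok" = "no"`; as no share is meant for guests, `"map to guest" = "never";` would reject those logins outright. In the activation script, `echo -e "$password\n$password"` expands backslash sequences inside the password itself, so a secret containing something like `\n` or `\t` ends up set to a different value than the CSV holds; `printf '%s\n%s\n' "$password" "$password" | …` passes it through unchanged. The tmpfiles rule also creates each user directory as `0770 ${name} storage`, so any account in the `storage` group can read and write the other users' directories on disk regardless of `valid users`; `0700` would keep the per-user isolation at the filesystem level as well.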