From 55726b54cf6d1a1b12fae8f6325af60d100381f4 Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Wed, 14 May 2025 19:26:12 -0400
Subject: [PATCH] got unifi connected
---
 .vscode/settings.json | 1 +
 systems/jeeves/default.nix | 3 ++-
 systems/jeeves/services/samba.nix | 34 +++++++++++++++++++++++++---
 systems/jeeves/services_accounts.nix | 22 ++++++++++++++++++
 users/secrets.yaml | 12 ++++------
 5 files changed, 60 insertions(+), 12 deletions(-)
 create mode 100644 systems/jeeves/services_accounts.nix
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 3cd0f25..f0027ea 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -274,6 +274,7 @@
 "ublock",
 "uiprotect",
 "uitour",
+ "unifi",
 "unrar",
 "unsubmitted",
 "uptimekuma",
diff --git a/systems/jeeves/default.nix b/systems/jeeves/default.nix
index 1cb8a9d..0f236b3 100644
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@@ -7,12 +7,13 @@
 ../../common/optional/syncthing_base.nix
 ../../common/optional/zerotier.nix
 ./docker
- ./services
 ./hardware.nix
 ./networking.nix
 ./nvidia.nix
 ./programs.nix
 ./runners
+ ./services
+ ./services_accounts.nix
 ./syncthing.nix
 ];
diff --git a/systems/jeeves/services/samba.nix b/systems/jeeves/services/samba.nix
index 5bcbd4f..c072753 100644
--- a/systems/jeeves/services/samba.nix
+++ b/systems/jeeves/services/samba.nix
@@ -1,6 +1,34 @@
 {
- services.samba = {
- enable = true;
- openFirewall = true;
+ services = {
+ samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "smbnix";
+ "netbios name" = "smbnix";
+ "security" = "user";
+ "hosts allow" = "192.168.95. 127.0.0.1 localhost";
+ "hosts deny" = "0.0.0.0/0";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+ };
+ "unifi" = {
+ "path" = "/zfs/storage/main/unifi";
+ "browseable" = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "unifi";
+ "force group" = "unifi";
+ };
+ };
+ };
+ samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ };
 };
 }
diff --git a/systems/jeeves/services_accounts.nix b/systems/jeeves/services_accounts.nix
new file mode 100644
index 0000000..5030fc2
--- /dev/null
+++ b/systems/jeeves/services_accounts.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ ...
+}:
+{
+
+ sops.secrets.unifi_password = {
+ sopsFile = ../../users/secrets.yaml;
+ neededForUsers = true;
+ };
+
+ users = {
+
+ users.unifi = {
+ isSystemUser = true;
+ group = "unifi";
+ extraGroups = [ "samba" ];
+ hashedPasswordFile = "${config.sops.secrets.unifi_password.path}";
+ };
+ groups.unifi = { };
+ };
+}
diff --git a/users/secrets.yaml b/users/secrets.yaml
index 099d422..251babf 100644
--- a/users/secrets.yaml
+++ b/users/secrets.yaml
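Review bot: The `unifi` share in systems/jeeves/services/samba.nix has no `valid users` line, so with `"force user" = "unifi"` any account that authenticates to Samba writes to /zfs/storage/main/unifi as `unifi`; adding `"valid users" = "unifi";` to the share would limit it to the one account it was created for. In `global`, `"map to guest" = "bad user"` turns every unknown username into a guest session; no share in this hunk allows guests, so `"map to guest" = "never";` would state that intent and keep a later `guest ok` share from being reachable without credentials. `openFirewall = true` leaves `hosts allow`/`hosts deny` as the only network restriction, and `"hosts deny" = "0.0.0.0/0"` is an IPv4 pattern; as I read smb.conf(5), a client that matches neither list is allowed, so `"hosts deny" = "ALL";` looks safer if this host has IPv6 connectivity — worth confirming.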
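Review bot: `hashedPasswordFile` on `users.unifi` in systems/jeeves/services_accounts.nix gives the system account a Unix password, but with `"security" = "user"` Samba normally checks its own password database (populated with `smbpasswd -a`), so this hash is probably not the credential that authenticates the share — worth confirming which one the UniFi side actually uses. If the Unix password is not needed, dropping `hashedPasswordFile` and the `neededForUsers` secret leaves the account with no password-based login at all; if it is needed, a comment above the user saying what the password is for would help the next reader. `"${config.sops.secrets.unifi_password.path}"` can be written without the interpolation as `config.sops.secrets.unifi_password.path`. The `samba` entry in `extraGroups` names a group this patch does not define, so check that it exists on the host.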
@@ -1,10 +1,7 @@ richie_password: ENC[AES256_GCM,data:DMi3M8aqrQ60APIofr8wJMh+VZ14hLRxz6jWZgzswr0pV/QVSX53ShBFr90ruO3mucOLYv0l+bI31covfqMAhXWBJp9wUgtC2Q==,iv:qgtn30hZfIL4dBnQSLkjbo7zPJA4m9TR0f52sTFc0v4=,tag:ydLbcGyXjv0fE+4b5ECX5w==,type:str] gaming_password: ENC[AES256_GCM,data:i692UsQaCOjE4V1y9d8yYDlK+TRMIprCHJkhl1UBZRMqe9a2LTUtmbbn/xlCYQd2tADJvn+dkx1jLfV4CqaqWOj5YSUFfpgsEw==,iv:3Y7hXQcmpzNN7hF+BDvO52uFB4o5D0dHvxemJ0ZoSIM=,tag:zzLGNDVAMCs2GPMqXp2BtQ==,type:str] +unifi_password: ENC[AES256_GCM,data:mFEaXMiVoZtHn3R9fBSpdqUC1DJ1g5jkdQVeQVrCZ+KtFOSGlZRIGI7SiItVZnaQBKFhOecJoXbu0ZQHCyCK0dUImUkBnqZ+4g==,iv:Gzyx5OAKTpXuOCmZnj/lA/o9rl6XDyHdL8YL7x8sGCk=,tag:zwwQgNXEoJUPv7XkRB07gA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1u8zj599elqqvcmhxn8zuwrufsz8w8w366d3ayrljjejljt2q45kq8mxw9c enc: | @@ -51,8 +48,7 @@ sops: UzQzWEFtSDJwR201cmZoeXh5T0RmSk0KWLOpw5cWbtnfVP/ISa7n1vZchoD+nxmn 7yr7igpEIro0Sd238KinOQYswVaT0NHB9p1dSW/mN+aGQliSNLzkDQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-07T20:13:43Z" - mac: ENC[AES256_GCM,data:Q5fmv+MRVYGUQ4j+28CcGWHmgT1178N+haVS9xa0c99OKuPZdfSndAG0QVDhh/jYq+7zXs6zzLtBjB+egkoDfxJXfJOmg3E46UMO3vDHaEcIZD16ZbWJaz4Z/+yabqhDURKtgfGiu4xPv3OtGbwcP5kud17WcHNfY/LT+Y+LSD8=,iv:y3K3kCroIh+RTplUe4tM8B9rbLgIHCbE6FJawngam8Q=,tag:2VTIWlLp4cOwm18BfIlz5g==,type:str] - pgp: [] + lastmodified: "2025-05-13T23:15:05Z" + mac: ENC[AES256_GCM,data:MRYYpSCaSkZhF1ew6hmzTfwWNSzaRrhrcaUiXSvfftzTjbHD+k7P1/jpcwA7iK8haXlqiH4YtanQmzY0t/Ygmh1T2GQebvotzLIF0pJ7Bi8yLfWpt0vYrR15oHBIiyM4/ito8dkff+abjMYQuARxAfr6Iq9JyJWQbvM9coehYkE=,iv:0pX2+jBKh14Bm3L4PgtA8H+P1mPyW9u3PAYe8m4wpHk=,tag:EtY1EckmbtPje9BiAO6BoQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2