got unifi connected

systems/jeeves/default.nix

@@ -7,12 +7,13 @@
     ../../common/optional/syncthing_base.nix
     ../../common/optional/zerotier.nix
     ./docker
-    ./services
     ./hardware.nix
     ./networking.nix
     ./nvidia.nix
     ./programs.nix
     ./runners
+    ./services
+    ./services_accounts.nix
     ./syncthing.nix
   ];
 

systems/jeeves/services/samba.nix

@@ -1,6 +1,34 @@
 {
-  services.samba = {
-    enable = true;
-    openFirewall = true;
+  services = {
+    samba = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        global = {
+          "workgroup" = "WORKGROUP";
+          "server string" = "smbnix";
+          "netbios name" = "smbnix";
+          "security" = "user";
+          "hosts allow" = "192.168.95. 127.0.0.1 localhost";
+          "hosts deny" = "0.0.0.0/0";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+        };
+        "unifi" = {
+          "path" = "/zfs/storage/main/unifi";
+          "browseable" = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "unifi";
+          "force group" = "unifi";
+        };
+      };
+    };
+    samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
   };
 }

systems/jeeves/services_accounts.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  ...
+}:
+{
+
+  sops.secrets.unifi_password = {
+    sopsFile = ../../users/secrets.yaml;
+    neededForUsers = true;
+  };
+
+  users = {
+
+    users.unifi = {
+      isSystemUser = true;
+      group = "unifi";
+      extraGroups = [ "samba" ];
+      hashedPasswordFile = "${config.sops.secrets.unifi_password.path}";
+    };
+    groups.unifi = { };
+  };
+}