| author | Franck Cuny <franck@fcuny.net> | 2025-07-25 07:29:21 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-07-25 08:47:10 -0700 |
| commit | 598f9b7b2bd3ace4561a3d6ff4b5d14b1e6eced4 (patch) | |
| tree | 0da1dbb3359d43003780d15f9f23ae5278235a7d | |
| parent | enable cloudflared on the vm (diff) | |
| download | infra-598f9b7b2bd3ace4561a3d6ff4b5d14b1e6eced4.tar.gz | |
add a module for mounting CIFS volumes
The new module is for NAS clients, where we specify the server and the
paths to mount locally.
We add a new secret that holds the username of the `nas` user.
We mount the backups volume from the NAS under `/data/backups` on the
VM.
| -rw-r--r-- | machines/nixos/x86_64-linux/vm-synology.nix | 15 | ||||
| -rw-r--r-- | modules/default.nix | 1 | ||||
| -rw-r--r-- | modules/nas-client.nix | 84 | ||||
| -rw-r--r-- | secrets/nas_client.age | 8 | ||||
| -rw-r--r-- | secrets/secrets.nix | 4 |
5 files changed, 112 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/vm-synology.nix b/machines/nixos/x86_64-linux/vm-synology.nix index eedf26e..0dfbc14 100644 --- a/machines/nixos/x86_64-linux/vm-synology.nix +++ b/machines/nixos/x86_64-linux/vm-synology.nix @@ -19,6 +19,9 @@ cloudflared-cert = { file = "${self}/secrets/cloudflared_cert.age"; }; + nas_client_credentials = { + file = "${self}/secrets/nas_client.age"; + }; }; }; @@ -56,5 +59,17 @@ }; }; + my.modules.nas-client = { + enable = true; + volumes = { + data = { + server = "192.168.1.68"; + remotePath = "backups"; + mountPoint = "/data/backups"; + uid = adminUser.uid; + }; + }; + }; + system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/modules/default.nix b/modules/default.nix index b42a079..441a9b8 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,5 +3,6 @@ imports = [ ./home.nix ./host-config.nix + ./nas-client.nix ]; } diff --git a/modules/nas-client.nix b/modules/nas-client.nix new file mode 100644 index 0000000..fe0952e --- /dev/null +++ b/modules/nas-client.nix 
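Review bot: The `data` volume in the second vm-synology.nix hunk sets no `options`, so it takes the module default `rw` and the NAS backups share becomes writable from this VM, which per the parent commit also runs cloudflared. If the VM only reads backups, `options = "ro";` keeps a compromise of the VM from altering or deleting them; if it has to write, a NAS account limited to this one share bounds the damage. Only `uid` is set as well, so `gid` falls back to the module default of 1000, which may not be the admin user's group.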
@@ -0,0 +1,84 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.my.modules.nas-client;
+in
+{
+ options.my.modules.nas-client = with lib; {
+ enable = mkEnableOption "NAS client";
+
+ volumes = mkOption {
+ type = types.attrsOf (
+ types.submodule {
+ options = {
+ server = mkOption {
+ type = types.str;
+ example = "nas";
+ description = "Hostname of the server to connect to.";
+ };
+ remotePath = mkOption {
+ type = types.str;
+ example = "data";
+ description = "Remote path on the NAS to mount.";
+ };
+ mountPoint = mkOption {
+ type = types.str;
+ description = "Local directory where the volume will be mounted.";
+ };
+ uid = mkOption {
+ type = types.int;
+ default = 1000;
+ description = "User ID for mounted files.";
+ };
+ gid = mkOption {
+ type = types.int;
+ default = 1000;
+ description = "Group ID for mounted files.";
+ };
+ options = mkOption {
+ type = types.str;
+ default = "rw";
+ description = "Additional mount options.";
+ };
+ };
+ }
+ );
+ default = { };
+ description = "NAS volumes to mount.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.kernelModules = [
+ "cifs"
+ "cmac"
+ "sha256"
+ ];
+
+ # this is required to get the credentials options to work
+ environment.systemPackages = [ pkgs.cifs-utils ];
+
+ systemd.mounts = lib.mapAttrsToList (name: volume: {
+ description = "Mount for NAS volume ${name}";
+ what = "//${volume.server}/${volume.remotePath}";
+ where = volume.mountPoint;
+ unitConfig = {
+ # This ensures it uses mount.cifs
+ Type = "cifs";
+ };
+ type = "cifs"; # Explicitly specify CIFS type otherwise we ran into issues when using the credentials file option
+ options = "credentials=${config.age.secrets.nas_client_credentials.path},uid=${toString volume.uid},gid=${toString volume.gid},${volume.options}";
+ }) cfg.volumes;
+
+ systemd.automounts = lib.mapAttrsToList (name: volume: {
+ description = "Automount for NAS volume ${name}";
+ where = volume.mountPoint;
+ wantedBy = [ "multi-user.target" ];
+ })
cfg.volumes; + }; +} diff --git a/secrets/nas_client.age b/secrets/nas_client.age new file mode 100644 index 0000000..5824c53 --- /dev/null +++ b/secrets/nas_client.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA XZhA5nQ/XBzXSUbFHx/6vIzCgKmu1gBQ6ARi2EEeEzA +dnXIxNGc+QQ9zG1qmeEvEDXK170X/9AcoZgWzgQoHEc +-> ssh-ed25519 qRUWSw zvv2IRkop9SvceyNT7GcDb/V4eE8p8Lc+18Ji/XxwW8 +pZW6V9l7rO1HP+8TjFkAOpDVXBZhGI9YOlmEruE9MrI +--- r6qFz8l3mklLVEAyLqdnzYoTGmAn18HfsBhsZmM2xh4 +²,îªÄMºÌ®Í3-Ía„L_±‚MÊv ƒ”‚Ró'•;ÓOI&kR!0=¿ÏßJ6Ѻ-÷•üÒðF”ló»Ùã¡ +;
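Review bot: The `options` string built in `systemd.mounts` carries no hardening: the per-volume default is just `rw`, so a share is mounted without `nosuid`/`nodev`, without requesting SMB encryption, and (as far as the cifs defaults go) with modes that let other local users read the files. Consider `default = "rw,nosuid,nodev";`, adding `seal` and `file_mode=0600,dir_mode=0700` where the NAS speaks SMB3 and only the owning uid needs access. The module also reads `config.age.secrets.nas_client_credentials.path` directly while that secret is declared in the machine file, so enabling it on a host without the secret fails at evaluation; a `credentialsFile` option or an assertion would make the dependency explicit. `Type = "cifs"` under `unitConfig` ends up in the `[Unit]` section, where systemd does not recognise that key; the `type = "cifs"` line below it is the one that takes effect, so the `unitConfig` block and its comment can go.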
Hž
\ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3de69b7..b437995 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -30,4 +30,8 @@ in users.fcuny hosts.vm-synology ]; + "nas_client.age".publicKeys = [ + users.fcuny + hosts.vm-synology + ]; } |
