feat(reimu): nfs

systems/reimu/nfs.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  kyuuto = "/mnt/kyuuto-media";
+  kyuuto-transfer = kyuuto + "/transfer";
+  inherit (lib.lists) optionals;
+  inherit (lib.strings) concatStringsSep;
+  inherit (config.networking.access) cidrForNetwork;
+in {
+  services.nfs.server.exports = let
+    mapPerm = perm: map (addr: "${addr}(${perm})");
+    toPerms = concatStringsSep " ";
+    localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all;
+    tailAddrs = optionals config.services.tailscale.enable cidrForNetwork.tail.all;
+    allAddrs = localAddrs ++ tailAddrs;
+    kyuutoPerms =
+      mapPerm "ro" localAddrs
+      ++ mapPerm "rw" tailAddrs;
+    transferPerms = mapPerm "rw" allAddrs;
+  in ''
+    ${kyuuto} ${toPerms kyuutoPerms}
+    ${kyuuto-transfer} ${toPerms transferPerms}
+  '';
+
+  services.samba.shares = {
+    kyuuto-transfer = {
+      path = kyuuto-transfer;
+      writeable = "yes";
+      browseable = "yes";
+      public = "yes";
+      "guest only" = "yes";
+      comment = "Kyuuto Media Transfer Area";
+    };
+    kyuuto-access = {
+      path = kyuuto;
+      writeable = false;
+      browseable = "yes";
+      public = "yes";
+      comment = "Kyuuto Media Access";
+    };
+    kyuuto-media = {
+      path = kyuuto;
+      writeable = "yes";
+      browseable = "yes";
+      public = "no";
+      comment = "Kyuuto Media";
+    };
+  };
+}

systems/reimu/nixos.nix

@@ -5,8 +5,12 @@
   imports = let
     inherit (meta) nixos;
   in [
+    nixos.sops
     nixos.base
     nixos.reisen-ct
+    nixos.nfs
+    nixos.samba
+    ./nfs.nix
   ];
 
   systemd.network.networks.eth0 = {