nixos-config/modules/media-mount.nix

# SPDX-FileCopyrightText: 2022-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, pkgs, ... }:
let
  mkMount = remote: { port ? 22, ro ? true, idmap ? null }:
    assert !(isNull idmap) -> lib.elem idmap.type [ "simple" ];
    {
      device = remote;
      fsType = "sshfs";
      options = [
        "allow_other"

        "_netdev"
        "x-systemd.idle-timeout=5min"
        "x-systemd.automount"

        "port=${toString port}"

        "reconnect"
        "ServerAliveInterval=15"
        "ServerAliveCountMax=1"
        "IdentityFile=${config.sops.secrets.media-ssh-key.path}"
      ] ++ lib.optionals ro [
        "ro"
      ] ++ lib.optionals (!ro) [
        "default_permissions" # if it is writable, permissions should be checked
      ] ++ lib.optionals (!(isNull idmap)) ([
        "idmap=${if lib.elem idmap.type [ "file" "user" ] then idmap.type else "file"}"
        "nomap=ignore"
      ] ++ lib.optionals (idmap.type == "simple") [
        "uidfile=${pkgs.writeText "uidfile" ''
          ${idmap.username}:${toString idmap.uid}
        ''}"
        "gidfile=${pkgs.writeText "gidfile" ''
          ${idmap.groupname}:${toString idmap.gid}
        ''}"
      ]);
    };
in
lib.mkIf config.sbruder.gui.enable {
  sops.secrets.media-ssh-key = { };

  system.fsPackages = with pkgs; [ sshfs ];

  fileSystems = {
    "/home/simon/mounts/media" = mkMount "media@fuuko.lan.shinonome-lab.de:/data/cold/media" { };
    "/home/simon/mounts/torrent" = mkMount "media@fuuko.lan.shinonome-lab.de:/data/hot/torrent" { };
    "/home/simon/mounts/storagebox" = mkMount "u313368@personal.storagebox.sbruder.de:" {
      port = 23;
      ro = false;
      idmap = {
        type = "simple";
        username = "simon";
        groupname = "users";
        uid = 313368;
        gid = 313368;
      };
    };
  };

  systemd.tmpfiles.rules = [
    "d /home/simon/mounts 0750 simon users - -"
  ];
}