# mounts the samba share on s0 over tailscale

{ config, lib, pkgs, ... }:

let
  cfg = config.services.mount-samba;

  # prevents hanging on network split
  network_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,nostrictsync,cache=loose,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend";

  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
  auth_opts = "credentials=/run/agenix/smb-secrets";
  version_opts = "vers=2.1";

  opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
in {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
  };

  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
    fileSystems."/mnt/public" = {
        device = "//s0.koi-bebop.ts.net/public";
        fsType = "cifs";
        options = [ opts ];
    };

    fileSystems."/mnt/private" = {
        device = "//s0.koi-bebop.ts.net/googlebot";
        fsType = "cifs";
        options = [ opts ];
    };

    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;

    # Encrypted Vault
    environment.shellAliases = {
      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
      vault_lock = "umount /mnt/vault/";
    };
  };
}