Added copyparty+samba module, updated traefik

modules/default.nix

@@ -6,5 +6,6 @@
     ./virtualisation
     ./social
     ./file-server
+    ./samba
   ];
 }

modules/file-server/copyparty/default.nix

@@ -1,19 +1,96 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 
 with lib;
 
-let
-  cfg = config.dov.file-server.copyparty;
+let cfg = config.dov.file-server.copyparty;
 in {
-  options.dov.file-server.copyparty = { enable = mkEnableOption "copyparty config"; };
+  options.dov.file-server.copyparty = {
+    enable = mkEnableOption "copyparty config";
+  };
 
   config = mkIf cfg.enable {
-    # # add the copyparty overlay to expose the package to the module
-    # nixpkgs.overlays = [ copyparty.overlays.default ];
-    # # (optional) install the package globally
-    # environment.systemPackages = [ pkgs.copyparty ];
-    # # configure the copyparty module
-    # services.copyparty.enable = cfg.enable;
+    networking.firewall.allowedTCPPorts = config.services.copyparty.settings.p;
+
+    sops.secrets."copyparty/admin_password" = {
+      owner = "copyparty";
+      group = "copyparty";
+    };
+    sops.secrets."copyparty/alex_password" = {
+      owner = "copyparty";
+      group = "copyparty";
+    };
+
+    # add the copyparty overlay to expose the package to the module
+    nixpkgs.overlays = [ inputs.copyparty.overlays.default ];
+    # (optional) install the package globally
+    environment.systemPackages = [ pkgs.copyparty ];
+    # configure the copyparty module
+    services.copyparty = {
+      enable = cfg.enable;
+      settings = {
+        p = [ 3923 ];
+        e2dsa = true; # enable file indexing and filesystem scanning
+        e2ts = true; # and enable multimedia indexing
+        z = true; # and zeroconf
+        qr = true; # and qrcode (you can comma-separate arguments)
+      };
+      accounts = {
+        admin.passwordFile = "/run/secrets/copyparty/admin_password";
+        alex.passwordFile = "/run/secrets/copyparty/alex_password";
+      };
+
+      # create a volume
+      volumes = {
+        "/" = {
+          # share the contents of "/MEDIA"
+          path = "/";
+          # see `copyparty --help-accounts` for available options
+          access = {
+            # everyone gets read-access, but
+            r = [ "admin" "alex" ];
+            # users "ed" and "k" get read-write
+            rw = [ "admin" ];
+          };
+          # see `copyparty --help-flags` for available options
+          flags = {
+            # "fk" enables filekeys (necessary for upget permission) (4 chars long)
+            fk = 4;
+            # scan for new files every 60sec
+            scan = 60;
+            # volflag "e2d" enables the uploads database
+            e2d = true;
+            # "d2t" disables multimedia parsers (in case the uploads are malicious)
+            d2t = true;
+            # skips hashing file contents if path matches *.iso
+            nohash = ".iso$";
+          };
+        };
+        "/MEDIA" = {
+          # share the contents of "/MEDIA"
+          path = "/MEDIA";
+          # see `copyparty --help-accounts` for available options
+          access = {
+            # everyone gets read-access, but
+            r = "alex";
+            # users "ed" and "k" get read-write
+            rw = [ "admin" "alex" ];
+          };
+          # see `copyparty --help-flags` for available options
+          flags = {
+            # "fk" enables filekeys (necessary for upget permission) (4 chars long)
+            fk = 4;
+            # scan for new files every 60sec
+            scan = 60;
+            # volflag "e2d" enables the uploads database
+            e2d = true;
+            # "d2t" disables multimedia parsers (in case the uploads are malicious)
+            d2t = true;
+            # skips hashing file contents if path matches *.iso
+            nohash = ".iso$";
+          };
+        };
+      };
+    };
   };
 
 }

modules/reverse-proxy/traefik/default.nix

@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.dov.reverse-proxy.traefik;
+  domain = "susano-nixos.duckdns.org";
   configFile = pkgs.writeText "duckdns-options"
     ''
     DUCKDNS_PROPAGATION_TIMEOUT=120
@@ -71,17 +72,24 @@ in {
           routers = {
             # --- Router for the Traefik dashboard (optional) ---
             dashboard-router = {
-              rule = "Host(`traefik.susano-test.duckdns.org`)"; # Example: A local-only subdomain
+              rule = "Host(`traefik.${domain}`)"; # Example: A local-only subdomain
               entryPoints = [ "websecure" ];
               service = "api@internal"; # Special service for the dashboard
               tls.certResolver = "duckdns";
             };
 
             immich-router = {
-              rule = "Host(`immich.susano-test.duckdns.org`)"; # 1. The new domain
-              entryPoints = [ "websecure" ];                        # 2. Listen on HTTPS
-              service = "immich-service";                           # 3. Link to the new Immich service
-              tls.certResolver = "duckdns";                         # 4. Use the same SSL resolver
+              rule = "Host(`immich.${domain}`)";
+              entryPoints = [ "websecure" ];
+              service = "immich-service";
+              tls.certResolver = "duckdns";
+            };
+
+            copyparty = mkIf config.dov.file-server.copyparty.enable {
+              rule = "Host(`copyparty.${domain}`)";
+              entryPoints = [ "websecure" ];
+              service = "copyparty-service";
+              tls.certResolver = "duckdns";
             };
           };
 
@@ -92,6 +100,13 @@ in {
                 { url = "http://192.168.1.57:2283"; }
               ];
             };
+
+            copyparty-service = mkIf config.dov.file-server.copyparty.enable {
+              loadBalancer.servers = [
+                # The backend URL for Immich
+                { url = "http://192.168.1.85:3923"; }
+              ];
+            };
           };
 
           middlewares = {

modules/samba/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.dov.samba;
+  ip = "192.168.1.88";
+in {
+  options.dov.samba = {
+    enable = mkEnableOption "samba share config";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.smb-secrets = {
+    };
+
+    environment.systemPackages = [ pkgs.cifs-utils ];
+
+    fileSystems."/MEDIA" = {
+      device = "//${ip}/MEDIA";
+      fsType = "cifs";
+      options = let
+        # this line prevents hanging on network split
+        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+
+      in ["${automount_opts},credentials=/run/secrets/smb-secrets"];
+    };
+  };
+
+}