From 7756e5319d4eab4d7fc58281f6c3d39c44cc3464 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner <contact@ingolf-wagner.de>
Date: Fri, 10 Apr 2020 15:08:33 +0200
Subject: [PATCH] samba-share: add private folders

---
 configs/pepe/syncthing.nix       |  4 ++++
 modules/services/samba-share.nix | 33 +++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/configs/pepe/syncthing.nix b/configs/pepe/syncthing.nix
index 901754e..73d2091 100644
--- a/configs/pepe/syncthing.nix
+++ b/configs/pepe/syncthing.nix
@@ -11,6 +11,10 @@
       samples = config.test.services.syncthing.declarative.folders.samples.path;
       series = config.test.services.syncthing.declarative.folders.series.path;
     };
+    private.test = {
+      folder = config.test.services.syncthing.declarative.folders.porn.path;
+      users = "kodi";
+    };
   };
 
   test.services.syncthing = {
diff --git a/modules/services/samba-share.nix b/modules/services/samba-share.nix
index 68463ea..f15730b 100644
--- a/modules/services/samba-share.nix
+++ b/modules/services/samba-share.nix
@@ -11,16 +11,36 @@ in {
   options.custom.samba-share = {
     enable = mkEnableOption "enable custom.samba-share";
     folders = mkOption {
+      default = { };
       type = with types; attrsOf str;
       description = ''
         folders to share as readonly
       '';
       example = { public = "/srv/downloads/movies"; };
     };
+    private = mkOption {
+      default = { };
+      type = with types;
+        attrsOf (submodule {
+          options = {
+            users = mkOption {
+              type = with types; str;
+              description = ''
+                System users allowed to access the folder.
+                To set password:
+                # smbpasswd -a <user>
+              '';
+            };
+            folder = mkOption { type = with types; str; };
+          };
+        });
+    };
   };
 
   config = mkMerge [
+
     (mkIf cfg.enable {
+
       networking.firewall.enable = true;
       networking.firewall.allowPing = true;
       networking.firewall.allowedTCPPorts = [ 445 139 ];
@@ -49,7 +69,18 @@ in {
             "read only" = "yes";
             "guest ok" = "yes";
           };
-        }) cfg.folders;
+        }) cfg.folders // (mapAttrs' (name:
+          { users, folder, ... }: {
+            name = name;
+            value = {
+              browsable = "yes";
+              comment = "read only share ${name}";
+              path = folder;
+              "read only" = "yes";
+              "valid users" = users;
+              "guest ok" = "false";
+            };
+          }) cfg.private);
       };
 
       users.users.smbguest = {