-rw-r--r--flake.nix1
-rw-r--r--hosts/muhammed/configuration.nix1
-rw-r--r--hosts/muhammed/wraaath-sshfs/default.nix42
-rw-r--r--secrets/secrets.nix1
-rw-r--r--secrets/wraaath-sftp-password.txt.age19
-rw-r--r--secrets/wraaath-sftp-password.txt.example1
6 files changed, 65 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
index f9142a0..16c0afe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,6 +64,7 @@
[
{_module.args = args;}
home-manager.darwinModules.home-manager
+ agenix.darwinModules.default
./hosts/muhammed/configuration.nix
./hosts/common.nix
./home
diff --git a/hosts/muhammed/configuration.nix b/hosts/muhammed/configuration.nix
index f3908b2..c082ea9 100644
--- a/hosts/muhammed/configuration.nix
+++ b/hosts/muhammed/configuration.nix
@@ -2,6 +2,7 @@
{flakeInputs, ...}: {
imports = [
./home
+ ./wraaath-sshfs
];
# Specify the location of this configuration file. Very meta.
diff --git a/hosts/muhammed/wraaath-sshfs/default.nix b/hosts/muhammed/wraaath-sshfs/default.nix
new file mode 100644
index 0000000..1f5f793
--- /dev/null
+++ b/hosts/muhammed/wraaath-sshfs/default.nix
@@ -0,0 +1,42 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ # TEMP: Tell age that secrets should be decrypted through personal key.
+ # FIXME: These should probably be rekeyed with a system-wide key.
+ age.identityPaths = [
+ "${config.users.users.linus.home}/.ssh/id_rsa"
+ ];
+
+ # The current setup is an SFTP server with the username 'linus' and a
+ # password. This is far from ideal but beggars can't be choosers...
+ age.secrets.wraaath-sftp-password.file = ../../../secrets/wraaath-sftp-password.txt.age;
+
+ launchd.daemons.wraaath-sftp = {
+ script = ''
+ set -xue
+
+ # Create the mount point.
+ # Should be automatically deleted upon unmount.
+ mkdir -p /Volumes/Wraaath
+
+ # Start a MacFUSE daemon.
+ # Will run in background mode, as foreground mode broke everything for some reason.
+ exec ${pkgs.sshfs}/bin/sshfs [email protected]:/ /Volumes/Wraaath \
+ -p 2222 \
+ -o volname=Wraath \
+ -o reconnect \
+ -o allow_other \
+ -o password_stdin <${config.age.secrets.wraaath-sftp-password.path}
+ '';
+
+ serviceConfig = {
+ # XXX
+ AbandonProcessGroup = true;
+
+ # XXX
+ KeepAlive.NetworkState = true;
+ };
+ };
+}
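Review bot: `-o allow_other` on the sshfs command opens the mount to every local account, and because the daemon logs in with the single SFTP password, each of them acts on the server as that one remote user. If only one local user needs the share, drop the option, or pair it with `-o default_permissions` and a uid/gid mapping. The command also passes no host-key options, so whether the password only ever reaches the intended server depends on the known_hosts of the account the daemon runs as (presumably root). Consider adding `-o StrictHostKeyChecking=yes` and `-o UserKnownHostsFile=<PATH_TO_PINNED_KNOWN_HOSTS>` with the server key tracked in this repo. The two `# XXX` comments in `serviceConfig` should state why each key is set, for example `# sshfs backgrounds itself; keep launchd from reaping it when the script exits` above `AbandonProcessGroup`, if that is indeed the reason.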
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e291b23..308adad 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,4 +8,5 @@ in {
"cloudflare-ddns-token.env.age".publicKeys = [muhammedKey ahmedKey];
"duksebot.env.age".publicKeys = [muhammedKey ahmedKey];
"mullvad-wg.key.age".publicKeys = [muhammedKey ahmedKey];
+ "wraaath-sftp-password.txt.age".publicKeys = [muhammedKey ahmedKey];
}
diff --git a/secrets/wraaath-sftp-password.txt.age b/secrets/wraaath-sftp-password.txt.age
new file mode 100644
index 0000000..50eb8f3
--- /dev/null
+++ b/secrets/wraaath-sftp-password.txt.age
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-rsa 5MROTA
+IFE7+BqwGxjth41qQacK5nl2LNJkTP1T0Wu4XEtR7N/VDgwJbOZPzxpfC6KpfCft
+JP++aLuWXNCNT8qiClGsqwWbNOB3pQH1YnUC1skfdSKE+6RTnl6u49Aw0AFUseAU
+Bx9EVs5w41Fi0Sh0xGIoL+9w4xNR2PdzzfMfHb/2GIVMc6XMAcpf1b65/cjb0FeV
+RmbNHV8HvIhwhYpb63uF2/2U8ey//DtPpEztGV2Mz8axGxZoS+hnQMbztcuZlyqM
+s5wtc7tmx0fQHi7Q/MjxzsKPIV86wVwCn/fdwoxeVRiXMztuJG3kxPnkG3PHh8Ga
+O/SLb1TBUrrbwC6mE+/rBU2rLaOzNnE4xvhxAQqYsk2IANX7xhUDPjXk06QfOOMA
+L1t6xSiFauhr9JeujCk96r6b9uhkApfyJGs0WmPTTfZ8dfYZ2BwqfVkitFofQOW5
+boTQLWDy8X/D5yRYqvIRT1pHaC7suj3fXIamG4GxDrX49GK5htE5bIeUgSd3ZY5/
+QPRJyr2yteOTVwkDNqDoCBfANZGTdNcx3bGtQaDD7DTgPrMpjhe6WWngFh9jgy60
+xxwN9Vfh4WX13LD2hES1KplytZV8u7X9Y6lGmFeQx22I2mCjwmI8BedQY5mFoaZA
+bQfNo20P/vyPsdpn5aFuPxkCQ9cK3ApPaM/cT/kiUH0
+-> ssh-ed25519 LNzQIA pR2Q+L0UlGKQ97hl1NB9y5PQZf/I9i6YEwD7LyZqvys
+uD+szUGHCYkLdmWgC9HpSMf7nMjsdgDGCrE+wZq0XRY
+-> +d-grease
+B1tfpbHzEZOuJ9tBTIOTz85LcBU2xnQat8lmplg22u74RaafiZIkcmwpFmzMxng
+--- 9tKAHx41flR12gTUF8FFN88mCan63dmslZ56paBAOOo
+��� �L�� ���9u��>�0���H�_8�CP�A�����"� \ No newline at end of file
diff --git a/secrets/wraaath-sftp-password.txt.example b/secrets/wraaath-sftp-password.txt.example
new file mode 100644
index 0000000..5be9185
--- /dev/null
+++ b/secrets/wraaath-sftp-password.txt.example
@@ -0,0 +1 @@
+p@asSw0rd