feat: add samba users
This commit is contained in:
parent
6003922b4f
commit
36cb1d31cb
5 changed files with 70 additions and 16 deletions
|
@ -1,5 +1,20 @@
|
||||||
{lib, ...}: {
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
smbUsers = config.repo.secrets.local.samba.users;
|
||||||
|
smbGroups = config.repo.secrets.local.samba.groups;
|
||||||
|
in {
|
||||||
|
age.secrets."samba-passdb.tdb" = {
|
||||||
|
rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
|
||||||
|
mode = "600";
|
||||||
|
};
|
||||||
|
|
||||||
services.samba = {
|
services.samba = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = true;
|
||||||
|
|
||||||
# Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
|
# Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
|
||||||
# requests, since all of our clients hardcode the server shares.
|
# requests, since all of our clients hardcode the server shares.
|
||||||
enableNmbd = false;
|
enableNmbd = false;
|
||||||
|
@ -21,9 +36,17 @@
|
||||||
# Allow access to local network and TODO: wireguard
|
# Allow access to local network and TODO: wireguard
|
||||||
"hosts allow = 192.168.1.0/22 192.168.100.0/24"
|
"hosts allow = 192.168.1.0/22 192.168.100.0/24"
|
||||||
|
|
||||||
|
# Set sane logging options
|
||||||
|
"log level = 0 auth:2 passdb:2"
|
||||||
|
"log file = /dev/null"
|
||||||
|
"max log size = 0"
|
||||||
|
"logging = systemd"
|
||||||
|
|
||||||
# TODO: allow based on wireguard ip without username and password
|
# TODO: allow based on wireguard ip without username and password
|
||||||
# Users always have to login with an account and are never mapped
|
# Users always have to login with an account and are never mapped
|
||||||
# to a guest account.
|
# to a guest account.
|
||||||
|
"passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}"
|
||||||
|
"server role = standalone"
|
||||||
"guest account = nobody"
|
"guest account = nobody"
|
||||||
"map to guest = never"
|
"map to guest = never"
|
||||||
|
|
||||||
|
@ -50,20 +73,23 @@
|
||||||
"fruit:delete_empty_adfiles = yes"
|
"fruit:delete_empty_adfiles = yes"
|
||||||
];
|
];
|
||||||
shares = let
|
shares = let
|
||||||
mkShare = path: {
|
mkShare = path: cfg:
|
||||||
|
{
|
||||||
inherit path;
|
inherit path;
|
||||||
public = "no";
|
public = "no";
|
||||||
writable = "yes";
|
writable = "yes";
|
||||||
"create mask" = "0660";
|
"create mask" = "0770";
|
||||||
"directory mask" = "0770";
|
"directory mask" = "0770";
|
||||||
"force create mode" = "0660";
|
# "force create mode" = "0660";
|
||||||
"force directory mode" = "0770";
|
# "force directory mode" = "0770";
|
||||||
"acl allow execute always" = "yes";
|
#"acl allow execute always" = "yes";
|
||||||
};
|
}
|
||||||
|
// cfg;
|
||||||
|
|
||||||
mkGroupShare = group:
|
mkGroupShare = group:
|
||||||
mkShare "/shares/groups/${group}" {
|
mkShare "/shares/groups/${group}" {
|
||||||
"valid users" = "@${group}";
|
"valid users" = "@${group}";
|
||||||
|
"force user" = "family";
|
||||||
"force group" = group;
|
"force group" = group;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -71,9 +97,27 @@
|
||||||
mkShare "/shares/users/${user}" {
|
mkShare "/shares/users/${user}" {
|
||||||
"valid users" = user;
|
"valid users" = user;
|
||||||
};
|
};
|
||||||
in {
|
in
|
||||||
family = mkGroupShare "family";
|
{}
|
||||||
myuser = mkUserShare "myuser";
|
// lib.mapAttrs (name: _: mkUserShare name) smbUsers
|
||||||
|
// lib.mapAttrs (name: _: mkGroupShare name) smbGroups;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users = let
|
||||||
|
mkUser = name: id: groups: {
|
||||||
|
isNormalUser = true;
|
||||||
|
uid = id;
|
||||||
|
group = name;
|
||||||
|
extraGroups = groups;
|
||||||
|
createHome = false;
|
||||||
|
home = "/var/empty";
|
||||||
|
useDefaultShell = false;
|
||||||
|
autoSubUidGidRange = false;
|
||||||
};
|
};
|
||||||
|
in
|
||||||
|
{}
|
||||||
|
// lib.mapAttrs (name: cfg: mkUser name cfg.id cfg.groups) smbUsers
|
||||||
|
// lib.mapAttrs (name: cfg: mkUser name cfg.id []) smbGroups;
|
||||||
|
|
||||||
|
users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
|
||||||
}
|
}
|
||||||
|
|
|
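Review bot: In the third hunk, `"force user" = "family";` inside mkGroupShare is hard-coded while the neighbouring `"force group" = group;` is parameterized, so every group share performs its file operations as the `family` account and the per-group accounts the last hunk creates with `mkUser name cfg.id []` over smbGroups are never used by their own share; unless `family` is meant to own every group's files, this should read `"force user" = group;`. As written, anything a member of any group writes ends up owned by `family`, so filesystem ownership no longer records which account wrote a file and only the `auth:2`/`passdb:2` logging does. In the same hunk `"create mask"` moves from `0660` to `0770` while the `force create mode` line is commented out, so newly created files may now carry execute bits; if that was not intended, `0660` for files and `0770` for directories is the safer pair. In the last hunk the `smbUsers // smbGroups` merges silently let a group entry replace a user of the same name (and the same-valued uid/gid are never checked for collisions), which an assertion on the intersection of the two attribute-name sets would catch. The `shares = let` block that defines mkShare begins in the third hunk and its `in` sits in the following one.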
@ -1 +1 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2o/BF7dSaGgbmgYwHlT+jKu2ojlhNs/fXjcBDTAtcN
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMV+QsCngZ1k6Ta5pqz2wRHsiSlEwlfl7pgSRfHzF5Y
|
||||||
|
|
10
hosts/ward/secrets/samba/local.nix.age
Normal file
10
hosts/ward/secrets/samba/local.nix.age
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> X25519 rGyfugBW1UJ6ufBn8FUWby1AG3ZnBDnNXMBGEXOi/GM
|
||||||
|
I87QSk3ZBL4FZjdwFd7RS2aRNizPRn/gAdQEUDrnTak
|
||||||
|
-> piv-p256 xqSe8Q ArQj/8FR6hO8vrqY+1e/YN+h46hSCMg0c3tqZ6U3ApMS
|
||||||
|
+XzFGrEz4z2tU6N7b2taf6j8V4WJi4NfQq4IJHV53l0
|
||||||
|
-> #=2[OV-grease cKs OHnI
|
||||||
|
iLqxxLbFIrTYFSDGKsOtZ8j7nw
|
||||||
|
--- Uu8dPdMbw1Zvs8ZuzNbm/LBoeexh3sEiXht6IrkYf8A
|
||||||
|
…!ÂŐB¦Řß*ÇZśZ20&bÉĘ×~d-Ń;¤,…J2î�§ăôažtć>P}gŐ…z’sóMÝ„6ŽíU°ŕYŢâFĚÖ”©o@ă‡rS«ÖVĹ�KA7ĺ$ť“�—�ńXD‰ 6ě˙ĺGćüć�m»i!IŹDCFĄ'�ĄĹŻŻ‘ŰŻC™[w$iG.U:PŹ8Óľűż…h›µŻićô¨ŘčüÉżŠŐ‹Ć{ŠĹá×vç8Zpľ9˙˘˙uPŁÝÚVj�e×€ĘJ`CÎ:K0¬W0čv�i˙G–!÷2T�2ůŠĎCGÔpzVĐđ€ě� —nN&2é8)¶Ť%˘Fäo‘gůľű¨VëeeUiz
|
||||||
|
�"Ô¤ŮÍ!Ž)î%áHŢcswă'Ş(íͦ" Îtl•EţUŠâ[]Iľ`.>KˇÖfÂÄWŽ&�·çQ–®hĄ·{+ž7V
|
BIN
hosts/ward/secrets/samba/samba-passdb.tdb.age
Normal file
BIN
hosts/ward/secrets/samba/samba-passdb.tdb.age
Normal file
Binary file not shown.
BIN
hosts/ward/secrets/samba/samba-password-hashes.age
Normal file
BIN
hosts/ward/secrets/samba/samba-password-hashes.age
Normal file
Binary file not shown.