From 7b5e6218609504b855bacbf6da88b16ebfd614fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Tue, 2 Jan 2024 15:57:33 +0100
Subject: [PATCH] feat: better smb config

---
 hosts/testienix/secrets/host.pub | 2 +-
 modules/config/users.nix | 3 +-
 modules/services/nextcloud.nix | 2 +-
 modules/services/samba.nix | 182 ++++++++++++++++++++-----------
 users/patrick/default.nix | 2 -
 5 files changed, 120 insertions(+), 71 deletions(-)

diff --git a/hosts/testienix/secrets/host.pub b/hosts/testienix/secrets/host.pub
index 84ddaa9..fecb6bb 100644
--- a/hosts/testienix/secrets/host.pub
+++ b/hosts/testienix/secrets/host.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIOTaOyLL8TcuZAdZnPI4M2FTXnMsm/T40fLmfqBTkE
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCROFpRK7KqqBpbeGirNPXA5jzVuCFS+LtDiN4vaC+D
diff --git a/modules/config/users.nix b/modules/config/users.nix
index a7902ca..7ea81dc 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -6,7 +6,6 @@
 gid = id;
 };
 in {
- smb = uidGid 200;
 nscd = uidGid 201;
 sshd = uidGid 202;
 tss = uidGid 203;
@@ -24,5 +23,7 @@
 radicale = uidGid 215;
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
+ patrick = uidGid 1000;
+ smb = uidGid 2000;
 };
 }
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index b1334d8..153ce4f 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -64,7 +64,7 @@ in {
 configureRedis = true;
 config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
 extraApps = with config.services.nextcloud.package.packages.apps; {
- inherit contacts calendar tasks notes unsplash maps;
+ inherit contacts calendar tasks notes maps;
 };
 # TODO increase outer nginx upload size as well
 maxUploadSize = "2G";
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 63c4cbc..e8e3525 100644
--- a/modules/services/samba.nix
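Review bot: The testienix host public key is swapped in hosts/testienix/secrets/host.pub without a word in the description of a patch titled `feat: better smb config`. If this file is the agenix host identity, the `rekeyFile` secret samba.nix relies on (`../../secrets/smbpassdb.tdb.age`) has to be rekeyed to the new key before the host can decrypt it, and anything encrypted only to the old key should be regenerated rather than carried over. A separate commit, or a line in the description saying why the key changed, would make the rotation auditable.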
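Review bot: Moving `smb` from `uidGid 200` to `uidGid 2000` in the second users.nix hunk changes the numeric owner of the account, but files already on disk under the persisted share directories (`/media/smb/*`, see samba.nix in this patch) keep uid/gid 200, so after the switch the `smb` user no longer owns them until they are chowned; neither the description nor a comment mentions that migration step (assuming this table is what feeds `users.users.<name>.uid`). The same patch makes `ggr` a `force user` and persistence owner in samba.nix, yet only `patrick` and `smb` get a static entry here, so `ggr`'s id is allocated dynamically and ownership of `/media/smb/ggr-data` can drift across reinstalls; a `ggr = uidGid <free-id>;` line next to the two added ones would keep it stable. The attrset these hunks edit starts outside the view.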
+++ b/modules/services/samba.nix
@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ ...
+}: {
 services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
 networking.firewall.allowedTCPPorts = [
 5357 # wsdd
@@ -10,77 +14,123 @@ enable = true; securityType = "user"; openFirewall = true; - extraConfig = '' - logging = systemd - log level = 0 auth:2 passdb:2 - hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - passdb backend = tdbsam:${config.age.secrets.smbpassdb.path} - server role = standalone - ''; - shares = { - ggr-data = { - path = /media/smb/ggr-data; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0640"; - "directory mask" = "0750"; - "force user" = "smb"; - "force group" = "smb"; - "valid users" = "smb"; + extraConfig = lib.concatLines [ + '' + logging = systemd + log level = 0 auth:2 passdb:2 + passdb backend = tdbsam:${config.age.secrets.smbpassdb.path} + server role = standalone + '' + # Show the server host name in the printer comment box in print manager + # and next to the IPC connection in net view. + "server string = patricks-tolles-nas" + # Set the NetBIOS name by which the Samba server is known. + "netbios name = my-nas" + # Disable netbios support. We don't need to support browsing since all + # clients hardcode the host and share names. + "disable netbios = yes" + # Deny access to all hosts by default. + "hosts deny = 0.0.0.0/0" + # Allow access to local network + "hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost" + + "guest account = nobody" + "map to guest = bad user" + + # Clients should only connect using the latest SMB3 protocol (e.g., on + # clients running Windows 8 and later). + "server min protocol = SMB3_11" + # Require native SMB transport encryption by default. + "server smb encrypt = required" + + # Disable printer sharing. By default Samba shares printers configured + # using CUPS. + "load printers = no" + "printing = bsd" + "printcap name = /dev/null" + "disable spoolss = yes" + "show add printer wizard = no" + ]; + shares = let + mkShare = { + name, + user ? "smb", + group ? 
"smb", + }: cfg: { + "${name}" = + { + "path" = "/media/smb/${name}"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0640"; + "directory mask" = "0750"; + "force user" = "${user}"; + "force group" = "${group}"; + "valid users" = "${user} @${group}"; + "force create mode" = "0660"; + "force directory mode" = "0770"; + "acl allow execute always" = "yes"; + } + // cfg; }; - patri-data = { - path = /media/smb/patri-data; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0640"; - "directory mask" = "0755"; - "force user" = "smb"; - "force group" = "smb"; - "valid users" = "smb"; - }; - media = { - path = /media/smb/media; - "read only" = "yes"; - "guest ok" = "yes"; - "create mask" = "0640"; - "directory mask" = "0750"; - "force user" = "smb"; - "force group" = "smb"; - "write list" = "smb"; - }; - }; + in + lib.mkMerge [ + (mkShare { + name = "ggr-data"; + user = "ggr"; + group = "ggr"; + } {}) + (mkShare { + name = "patri-data"; + user = "patrick"; + group = "patrick"; + } {}) + ((mkShare {name = "media";}) + { + "read only" = "yes"; + "write list" = "smb"; + }) + ]; }; # to get this file start a smbd add users using 'smbpasswd -a ' # then export the database using 'pdbedit -e tdbsam:' age.secrets.smbpassdb = { rekeyFile = ../../secrets/smbpassdb.tdb.age; }; - users.users.smb = { - isSystemUser = true; - group = "smb"; + users = let + users = lib.unique (lib.mapAttrsToList (_: val: val."force user") config.services.samba.shares); + groups = lib.unique (users ++ (lib.mapAttrsToList (_: val: val."force group") config.services.samba.shares)); + in { + users = lib.mkMerge (lib.flip map users (user: { + ${user} = { + isNormalUser = true; + home = "/var/empty"; + createHome = false; + useDefaultShell = false; + autoSubUidGidRange = false; + group = "${user}"; + }; + }) + ++ [ + { + patrick.extraGroups = [ + "family" + ]; + ggr.extraGroups = [ + "family" + ]; + } + ]); + groups = lib.mkMerge (lib.flip map groups (group: { + ${group} = { + }; + })); 
}; - users.groups.smb = {}; - environment.persistence."/panzer/persist".directories = [ - { - directory = "/media/smb/ggr-data"; - user = "smb"; - group = "smb"; - mode = "0750"; - } - { - directory = "/media/smb/patri-data"; - user = "smb"; - group = "smb"; - mode = "0750"; - } - { - directory = "/media/smb/media"; - user = "smb"; - group = "smb"; - mode = "0750"; - } - ]; + + environment.persistence."/panzer/persist".directories = lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: { + directory = "${v.path}"; + user = "${v."force user"}"; + group = "${v."force group"}"; + mode = "0770"; + }); } diff --git a/users/patrick/default.nix b/users/patrick/default.nix index fda4424..8b7a810 100644 --- a/users/patrick/default.nix +++ b/users/patrick/default.nix @@ -9,7 +9,6 @@ lib.optionalAttrs (!minimal) { users.users.patrick = { shell = pkgs.zsh; isNormalUser = true; - uid = 1000; createHome = true; extraGroups = [ "wheel" @@ -36,7 +35,6 @@ lib.optionalAttrs (!minimal) { } ]; }; - users.groups.patrick.gid = config.users.users.patrick.uid; environment.systemPackages = with pkgs; [ # xournalpp needs this or else it will crash
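Review bot: The generated `users.users.${user}` entries in the `users = let … in` block near the end of the hunk hard-set `createHome = false`, `home = "/var/empty"` and `useDefaultShell = false` for every share's `force user`, which now includes `patrick`; users/patrick/default.nix in this same patch declares `patrick` with `createHome = true` and `shell = pkgs.zsh`, so on a host that imports both modules the module system should reject the equal-priority conflicting definitions of `createHome`. Giving the generated entry a lower priority, `${user} = lib.mkDefault { … };`, or deriving the list only from `force user`s that are not interactive accounts, lets the per-user module keep its values. Separately, `media` previously had `"guest ok" = "yes"`, but `mkShare` defaults to `"guest ok" = "no"` and the `media` override only sets `read only` and `write list`, so guests silently lose access to that share; if that tightening is intended, a one-line comment on the `media` call would record it. The `services.samba` attrset this hunk edits starts outside the hunk.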