feat: better smb config

2024-01-02 15:57:33 +01:00 · 2024-01-02 15:57:33 +01:00 · 7b5e621860
parent fe3d8a9774
commit 7b5e621860
5 changed files with 120 additions and 71 deletions
--- a/hosts/testienix/secrets/host.pub
+++ b/hosts/testienix/secrets/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIOTaOyLL8TcuZAdZnPI4M2FTXnMsm/T40fLmfqBTkE
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCROFpRK7KqqBpbeGirNPXA5jzVuCFS+LtDiN4vaC+D
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -6,7 +6,6 @@
      gid = id;
    };
  in {
-    smb = uidGid 200;
    nscd = uidGid 201;
    sshd = uidGid 202;
    tss = uidGid 203;
@ -24,5 +23,7 @@
    radicale = uidGid 215;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
+    patrick = uidGid 1000;
+    smb = uidGid 2000;
  };
 }
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -64,7 +64,7 @@ in {
        configureRedis = true;
        config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
        extraApps = with config.services.nextcloud.package.packages.apps; {
-          inherit contacts calendar tasks notes unsplash maps;
+          inherit contacts calendar tasks notes maps;
        };
        # TODO increase outer nginx upload size as well
        maxUploadSize = "2G";
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@ -1,4 +1,8 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  ...
+}: {
  services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
  networking.firewall.allowedTCPPorts = [
    5357 # wsdd
@ -10,77 +14,123 @@
    enable = true;
    securityType = "user";
    openFirewall = true;
-    extraConfig = ''
-      logging = systemd
-      log level = 0 auth:2 passdb:2
-      hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost
-      hosts deny = 0.0.0.0/0
-      guest account = nobody
-      map to guest = bad user
-      passdb backend = tdbsam:${config.age.secrets.smbpassdb.path}
-      server role = standalone
-    '';
-    shares = {
-      ggr-data = {
-        path = /media/smb/ggr-data;
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0640";
-        "directory mask" = "0750";
-        "force user" = "smb";
-        "force group" = "smb";
-        "valid users" = "smb";
+    extraConfig = lib.concatLines [
+      ''
+        logging = systemd
+        log level = 0 auth:2 passdb:2
+        passdb backend = tdbsam:${config.age.secrets.smbpassdb.path}
+        server role = standalone
+      ''
+      # Show the server host name in the printer comment box in print manager
+      # and next to the IPC connection in net view.
+      "server string = patricks-tolles-nas"
+      # Set the NetBIOS name by which the Samba server is known.
+      "netbios name = my-nas"
+      # Disable netbios support. We don't need to support browsing since all
+      # clients hardcode the host and share names.
+      "disable netbios = yes"
+      # Deny access to all hosts by default.
+      "hosts deny = 0.0.0.0/0"
+      # Allow access to local network
+      "hosts allow = 192.168.178. 127.0.0.1 10.0.0. localhost"
+
+      "guest account = nobody"
+      "map to guest = bad user"
+
+      # Clients should only connect using the latest SMB3 protocol (e.g., on
+      # clients running Windows 8 and later).
+      "server min protocol = SMB3_11"
+      # Require native SMB transport encryption by default.
+      "server smb encrypt = required"
+
+      # Disable printer sharing. By default Samba shares printers configured
+      # using CUPS.
+      "load printers = no"
+      "printing = bsd"
+      "printcap name = /dev/null"
+      "disable spoolss = yes"
+      "show add printer wizard = no"
+    ];
+    shares = let
+      mkShare = {
+        name,
+        user ? "smb",
+        group ? "smb",
+      }: cfg: {
+        "${name}" =
+          {
+            "path" = "/media/smb/${name}";
+            "read only" = "no";
+            "guest ok" = "no";
+            "create mask" = "0640";
+            "directory mask" = "0750";
+            "force user" = "${user}";
+            "force group" = "${group}";
+            "valid users" = "${user} @${group}";
+            "force create mode" = "0660";
+            "force directory mode" = "0770";
+            "acl allow execute always" = "yes";
+          }
+          // cfg;
      };
-      patri-data = {
-        path = /media/smb/patri-data;
-        "read only" = "no";
-        "guest ok" = "no";
-        "create mask" = "0640";
-        "directory mask" = "0755";
-        "force user" = "smb";
-        "force group" = "smb";
-        "valid users" = "smb";
-      };
-      media = {
-        path = /media/smb/media;
-        "read only" = "yes";
-        "guest ok" = "yes";
-        "create mask" = "0640";
-        "directory mask" = "0750";
-        "force user" = "smb";
-        "force group" = "smb";
-        "write list" = "smb";
-      };
-    };
+    in
+      lib.mkMerge [
+        (mkShare {
+          name = "ggr-data";
+          user = "ggr";
+          group = "ggr";
+        } {})
+        (mkShare {
+          name = "patri-data";
+          user = "patrick";
+          group = "patrick";
+        } {})
+        ((mkShare {name = "media";})
+          {
+            "read only" = "yes";
+            "write list" = "smb";
+          })
+      ];
  };
  # to get this file start a smbd add users using 'smbpasswd -a <user>'
  # then export the database using 'pdbedit -e tdbsam:<location>'
  age.secrets.smbpassdb = {
    rekeyFile = ../../secrets/smbpassdb.tdb.age;
  };
-  users.users.smb = {
-    isSystemUser = true;
-    group = "smb";
+  users = let
+    users = lib.unique (lib.mapAttrsToList (_: val: val."force user") config.services.samba.shares);
+    groups = lib.unique (users ++ (lib.mapAttrsToList (_: val: val."force group") config.services.samba.shares));
+  in {
+    users = lib.mkMerge (lib.flip map users (user: {
+        ${user} = {
+          isNormalUser = true;
+          home = "/var/empty";
+          createHome = false;
+          useDefaultShell = false;
+          autoSubUidGidRange = false;
+          group = "${user}";
+        };
+      })
+      ++ [
+        {
+          patrick.extraGroups = [
+            "family"
+          ];
+          ggr.extraGroups = [
+            "family"
+          ];
+        }
+      ]);
+    groups = lib.mkMerge (lib.flip map groups (group: {
+      ${group} = {
+      };
+    }));
  };
-  users.groups.smb = {};
-  environment.persistence."/panzer/persist".directories = [
-    {
-      directory = "/media/smb/ggr-data";
-      user = "smb";
-      group = "smb";
-      mode = "0750";
-    }
-    {
-      directory = "/media/smb/patri-data";
-      user = "smb";
-      group = "smb";
-      mode = "0750";
-    }
-    {
-      directory = "/media/smb/media";
-      user = "smb";
-      group = "smb";
-      mode = "0750";
-    }
-  ];
+
+  environment.persistence."/panzer/persist".directories = lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: {
+    directory = "${v.path}";
+    user = "${v."force user"}";
+    group = "${v."force group"}";
+    mode = "0770";
+  });
 }
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@ -9,7 +9,6 @@ lib.optionalAttrs (!minimal) {
  users.users.patrick = {
    shell = pkgs.zsh;
    isNormalUser = true;
-    uid = 1000;
    createHome = true;
    extraGroups = [
      "wheel"
@ -36,7 +35,6 @@ lib.optionalAttrs (!minimal) {
      }
    ];
  };
-  users.groups.patrick.gid = config.users.users.patrick.uid;

  environment.systemPackages = with pkgs; [
    # xournalpp needs this or else it will crash