fix: samba wireguard access

feat: netbird samba host
2024-03-28 14:40:40 +01:00 · 2024-03-28 14:40:40 +01:00 · f9990eb01c
parent 5d681b78f3
commit f9990eb01c
4 changed files with 93 additions and 59 deletions
--- a/hosts/elisabeth/secrets/samba/netbird-env.age
+++ b/hosts/elisabeth/secrets/samba/netbird-env.age
@ -1,15 +1,16 @@
 age-encryption.org/v1
-> X25519 FTk4whtXQ4QKgotU+0iBZxrUcUVQReiHyhGwv/3pC2w
+-> X25519 8KelKlNhyqDN8pddQTPpmaoXCsR7uft/cB2C1T79WwU
-PGSxFJqC21n737Jyc4pQgv/7tsblQBB47dZlfNynOC0
+d5/gmNM0BA7WVS4Ln+6e1IBysWjTwZXDMS9t+TQMdBA
-> piv-p256 XTQkUA A1mVNcwBxkH0rysZRt1irvyi0k0ME5sccJox/xS1FRC4
+-> piv-p256 XTQkUA AwfejTufQTCGTbBRgZASantr/GBbw4Mnp1IvAECk8YxH
-Sy6Zz0a+Y5Z7J6F9M/b1OEKOau5JQm5JAUFsl4Ewk6k
+noyk11Kk6dkvN/6wB6I+yREBeesc/KH6OJWvvvXZvvY
-> piv-p256 ZFgiIw AsVavBKMJ+/39us+c0k7niiJab3Ev4Dj+SOo8SH73g3S
+-> piv-p256 ZFgiIw AhntWFLj+OSpO8uJLeEmiWWPH4KzeZcJv29++AA9gPC6
-ZoUlA/qcdfJ6ctaCeQ/OQYu2wFrIqJ5aR0/aPXCjl4o
+TvfAw/aL0Urtrl0QTwbHm+U92igPgjizw5JVu9Xr27M
-> piv-p256 5vmPtQ AnX/v0upSdNStu6uCpC3nVdqWsxX/iUjTpDvKwsdJfNs
+-> piv-p256 5vmPtQ AgBlp4aFbmUE9fVASSuXWIL60Ryz7Vt4vDmR2lNu5ob5
-lUR+WRlyxqqRuO0hBai6hdYk4ytpEL8SbQHxmR7sK94
+NYfzjIwTshjDJgV/Ijkzw7qEUC9kx9SyDcr9M3wCzLM
-> piv-p256 ZFgiIw Ax5SdGlJs1Gqusw6Lag/9bOuib7Ts3bksfdVN/FGRB4D
+-> piv-p256 ZFgiIw AtXr3k6gmYxEupwpS7pSOdnF2720SCJj7V0Ci5lijrJS
-Euvy40vrJVrC+W27xYHb0muLuK5SIPmY0zv3+SJgAy4
+z2klub/HC+YWunOR/NzMh9KPrdVD/UUm17VX/mXP31U
-> z:&o*}s-grease 4eL2m
+-> hen,g-grease Qg6] a X\b M[r_v^iK
-xIA4Vo9Z8niU+0+FsD8P6RsdLC/duMh4XtoLu3jYwuh3vA
+neSxR7VWYbpUF4T0xYBS8T3PcnJWEK++hBJTrdv2u6h52c1v3MF0GTQvy9aoKKca
--- TKHpQOtXIUtjoH4HNwcW5gKI8g9Ou6pXbNtt5ba0qQY
+SLQDw7QpxA
-–qà{+ëÝp‚˜l>µ¯<C2B5>]v‡í˜7„Kl£Ý…B"‹àP»Ð¼)Ô3oÂK[«(3õ>
§ÐXU
"€þ¯£å=^Ž£j”Á•²ƒ¿TUw°Ýu
+--- 2dt1yCMXFxH1V1xXFG6NXW1NzlhcLX+8Ft1tFz5/k5Y
 Çƒ“ÿßøG¼ŸíŒ®v›~uÊ!<"c<ùŽz¥/QPºƒ‰èSŠ®šóuñ½•3~÷›lý)Ay‡ÚÙ'¹ÛHëÒ-¦¢êfŠ×ŸOîýºŽa
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -28,6 +28,7 @@
    port
    str
    submodule
    bool
    path
    ;
@ -63,10 +64,17 @@ in {
                '';
              };
-              autoStart = mkEnableOption ''                automatically starting this tunnel on startup.
+              autoStart = mkEnableOption ''
-                              Need a setup key to work.
+                automatically starting this tunnel on startup.
                Needs a setup key to work.
              '';
              userAccess = mkOption {
                type = bool;
                description = "Allow unprivileged users access to the control socket";
                default = false;
              };
              environmentFile = mkOption {
                type = path;
                description = "An additional environment file for this service.";
@ -143,6 +151,19 @@ in {
        cfg.tunnels
      );
      systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
        _: {
          stateDir,
          userAccess,
          ...
        }: (nameValuePair "/run/${stateDir}" {
          d.mode =
            if userAccess
            then "0755"
            else "0750";
        })
      );
      systemd.services =
        mapAttrs'
        (
@ -195,20 +216,20 @@ in {
                RestrictSUIDSGID = true;
                # Hardening
-                CapabilityBoundingSet = "";
+                #CapabilityBoundingSet = "";
-                PrivateUsers = true;
+                #PrivateUsers = true;
-                ProtectProc = "invisible";
+                #ProtectProc = "invisible";
-                ProcSubset = "pid";
+                #ProcSubset = "pid";
-                RestrictAddressFamilies = [
+                #RestrictAddressFamilies = [
-                  "AF_INET"
+                #  "AF_INET"
-                  "AF_INET6"
+                #  "AF_INET6"
-                  "AF_NETLINK"
+                #  "AF_NETLINK"
-                ];
+                #];
-                SystemCallArchitectures = "native";
+                #SystemCallArchitectures = "native";
-                SystemCallFilter = [
+                #SystemCallFilter = [
-                  "@system-service"
+                #  "@system-service"
-                  "@pkey"
+                #  "@pkey"
-                ];
+                #];
                UMask = "0077";
              };
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@ -222,20 +222,20 @@ in {
          RestrictSUIDSGID = true;
          # Hardening
-          CapabilityBoundingSet = "";
+          #CapabilityBoundingSet = "";
-          PrivateUsers = true;
+          #PrivateUsers = true;
-          ProtectProc = "invisible";
+          #ProtectProc = "invisible";
-          ProcSubset = "pid";
+          #ProcSubset = "pid";
-          RestrictAddressFamilies = [
+          #RestrictAddressFamilies = [
-            "AF_INET"
+          #  "AF_INET"
-            "AF_INET6"
+          #  "AF_INET6"
-            "AF_NETLINK"
+          #  "AF_NETLINK"
-          ];
+          #];
-          SystemCallArchitectures = "native";
+          #SystemCallArchitectures = "native";
-          SystemCallFilter = [
+          #SystemCallFilter = [
-            "@system-service"
+          #  "@system-service"
-            "@pkey"
+          #  "@pkey"
-          ];
+          #];
          UMask = "0077";
        };
        unitConfig = {
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@ -17,7 +17,7 @@
  imports = [../netbird-client.nix];
  services.netbird.tunnels = {
-    samba = {
+    netbird-samba = {
      environment.NB_MANAGEMENT_URL = "https://netbird.${config.secrets.secrets.global.domains.web}";
      autoStart = true;
      port = 56789;
@ -63,6 +63,8 @@
    openFirewall = true;
  };
  networking.nftables.firewall.zones.untrusted.interfaces = ["samba-patrick" "netbird-samba"];
  services.samba = {
    enable = true;
    securityType = "user";
@ -84,10 +86,8 @@
      # Disable netbios support. We don't need to support browsing since all
      # clients hardcode the host and share names.
      "disable netbios = yes"
      # Deny access to all hosts by default.
      "hosts deny = 0.0.0.0/0"
      # Allow access to local network
-      "hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost"
+      "hosts allow = 192.168.178. 10. localhost"
      "guest account = nobody"
      "map to guest = bad user"
@ -322,15 +322,27 @@
        mode = "0660";
      };
    }));
-  environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
+  environment.persistence = lib.mkMerge (lib.flatten [
-    lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
+    (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
-      ${v."#persistRoot"}.directories = [
+      lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
-        {
+        ${v."#persistRoot"}.directories = [
-          directory = "${v.path}";
+          {
-          user = "${v."force user"}";
+            directory = "${v.path}";
-          group = "${v."force group"}";
+            user = "${v."force user"}";
-          mode = "0770";
+            group = "${v."force group"}";
-        }
+            mode = "0770";
-      ];
+          }
-    }));
+        ];
      }))
    (lib.flip lib.mapAttrsToList config.services.netbird.tunnels (
      _: v: {
        "/state".directories = [
          {
            directory = "/var/lib/${v.stateDir}";
            mode = "0770";
          }
        ];
      }
    ))
  ]);
 }