fix: samba wireguard access

feat: netbird samba host
2024-03-28 14:40:40 +01:00 · 2024-03-28 14:40:40 +01:00 · f9990eb01c
parent 5d681b78f3
commit f9990eb01c
4 changed files with 93 additions and 59 deletions
--- a/hosts/elisabeth/secrets/samba/netbird-env.age
+++ b/hosts/elisabeth/secrets/samba/netbird-env.age
@ -1,15 +1,16 @@
 age-encryption.org/v1
-> X25519 FTk4whtXQ4QKgotU+0iBZxrUcUVQReiHyhGwv/3pC2w
-PGSxFJqC21n737Jyc4pQgv/7tsblQBB47dZlfNynOC0
-> piv-p256 XTQkUA A1mVNcwBxkH0rysZRt1irvyi0k0ME5sccJox/xS1FRC4
-Sy6Zz0a+Y5Z7J6F9M/b1OEKOau5JQm5JAUFsl4Ewk6k
-> piv-p256 ZFgiIw AsVavBKMJ+/39us+c0k7niiJab3Ev4Dj+SOo8SH73g3S
-ZoUlA/qcdfJ6ctaCeQ/OQYu2wFrIqJ5aR0/aPXCjl4o
-> piv-p256 5vmPtQ AnX/v0upSdNStu6uCpC3nVdqWsxX/iUjTpDvKwsdJfNs
-lUR+WRlyxqqRuO0hBai6hdYk4ytpEL8SbQHxmR7sK94
-> piv-p256 ZFgiIw Ax5SdGlJs1Gqusw6Lag/9bOuib7Ts3bksfdVN/FGRB4D
-Euvy40vrJVrC+W27xYHb0muLuK5SIPmY0zv3+SJgAy4
-> z:&o*}s-grease 4eL2m
-xIA4Vo9Z8niU+0+FsD8P6RsdLC/duMh4XtoLu3jYwuh3vA
--- TKHpQOtXIUtjoH4HNwcW5gKI8g9Ou6pXbNtt5ba0qQY
-–qà{+ëÝp‚˜l>µ¯<C2B5>]v‡í˜7„Kl£Ý…B"‹àP»Ð¼)Ô3oÂK[«(3õ>
§ÐXU
"€þ¯£å=^Ž£j”Á•²ƒ¿TUw°Ýu
+-> X25519 8KelKlNhyqDN8pddQTPpmaoXCsR7uft/cB2C1T79WwU
+d5/gmNM0BA7WVS4Ln+6e1IBysWjTwZXDMS9t+TQMdBA
+-> piv-p256 XTQkUA AwfejTufQTCGTbBRgZASantr/GBbw4Mnp1IvAECk8YxH
+noyk11Kk6dkvN/6wB6I+yREBeesc/KH6OJWvvvXZvvY
+-> piv-p256 ZFgiIw AhntWFLj+OSpO8uJLeEmiWWPH4KzeZcJv29++AA9gPC6
+TvfAw/aL0Urtrl0QTwbHm+U92igPgjizw5JVu9Xr27M
+-> piv-p256 5vmPtQ AgBlp4aFbmUE9fVASSuXWIL60Ryz7Vt4vDmR2lNu5ob5
+NYfzjIwTshjDJgV/Ijkzw7qEUC9kx9SyDcr9M3wCzLM
+-> piv-p256 ZFgiIw AtXr3k6gmYxEupwpS7pSOdnF2720SCJj7V0Ci5lijrJS
+z2klub/HC+YWunOR/NzMh9KPrdVD/UUm17VX/mXP31U
+-> hen,g-grease Qg6] a X\b M[r_v^iK
+neSxR7VWYbpUF4T0xYBS8T3PcnJWEK++hBJTrdv2u6h52c1v3MF0GTQvy9aoKKca
+SLQDw7QpxA
+--- 2dt1yCMXFxH1V1xXFG6NXW1NzlhcLX+8Ft1tFz5/k5Y
+Çƒ“ÿßøG¼ŸíŒ®v›~uÊ!<"c<ùŽz¥/QPºƒ‰èSŠ®šóuñ½•3~÷›lý)Ay‡ÚÙ'¹ÛHëÒ-¦¢êfŠ×ŸOîýºŽa
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -28,6 +28,7 @@
    port
    str
    submodule
+    bool
    path
    ;

@ -63,10 +64,17 @@ in {
                '';
              };

-              autoStart = mkEnableOption ''                automatically starting this tunnel on startup.
-                              Need a setup key to work.
+              autoStart = mkEnableOption ''
+                automatically starting this tunnel on startup.
+                Needs a setup key to work.
              '';

+              userAccess = mkOption {
+                type = bool;
+                description = "Allow unprivileged users access to the control socket";
+                default = false;
+              };
+
              environmentFile = mkOption {
                type = path;
                description = "An additional environment file for this service.";
@ -143,6 +151,19 @@ in {
        cfg.tunnels
      );

+      systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
+        _: {
+          stateDir,
+          userAccess,
+          ...
+        }: (nameValuePair "/run/${stateDir}" {
+          d.mode =
+            if userAccess
+            then "0755"
+            else "0750";
+        })
+      );
+
      systemd.services =
        mapAttrs'
        (
@ -195,20 +216,20 @@ in {
                RestrictSUIDSGID = true;

                # Hardening
-                CapabilityBoundingSet = "";
-                PrivateUsers = true;
-                ProtectProc = "invisible";
-                ProcSubset = "pid";
-                RestrictAddressFamilies = [
-                  "AF_INET"
-                  "AF_INET6"
-                  "AF_NETLINK"
-                ];
-                SystemCallArchitectures = "native";
-                SystemCallFilter = [
-                  "@system-service"
-                  "@pkey"
-                ];
+                #CapabilityBoundingSet = "";
+                #PrivateUsers = true;
+                #ProtectProc = "invisible";
+                #ProcSubset = "pid";
+                #RestrictAddressFamilies = [
+                #  "AF_INET"
+                #  "AF_INET6"
+                #  "AF_NETLINK"
+                #];
+                #SystemCallArchitectures = "native";
+                #SystemCallFilter = [
+                #  "@system-service"
+                #  "@pkey"
+                #];
                UMask = "0077";
              };

--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@ -222,20 +222,20 @@ in {
          RestrictSUIDSGID = true;

          # Hardening
-          CapabilityBoundingSet = "";
-          PrivateUsers = true;
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_NETLINK"
-          ];
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "@pkey"
-          ];
+          #CapabilityBoundingSet = "";
+          #PrivateUsers = true;
+          #ProtectProc = "invisible";
+          #ProcSubset = "pid";
+          #RestrictAddressFamilies = [
+          #  "AF_INET"
+          #  "AF_INET6"
+          #  "AF_NETLINK"
+          #];
+          #SystemCallArchitectures = "native";
+          #SystemCallFilter = [
+          #  "@system-service"
+          #  "@pkey"
+          #];
          UMask = "0077";
        };
        unitConfig = {
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@ -17,7 +17,7 @@

  imports = [../netbird-client.nix];
  services.netbird.tunnels = {
-    samba = {
+    netbird-samba = {
      environment.NB_MANAGEMENT_URL = "https://netbird.${config.secrets.secrets.global.domains.web}";
      autoStart = true;
      port = 56789;
@ -63,6 +63,8 @@
    openFirewall = true;
  };

+  networking.nftables.firewall.zones.untrusted.interfaces = ["samba-patrick" "netbird-samba"];
+
  services.samba = {
    enable = true;
    securityType = "user";
@ -84,10 +86,8 @@
      # Disable netbios support. We don't need to support browsing since all
      # clients hardcode the host and share names.
      "disable netbios = yes"
-      # Deny access to all hosts by default.
-      "hosts deny = 0.0.0.0/0"
      # Allow access to local network
-      "hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost"
+      "hosts allow = 192.168.178. 10. localhost"

      "guest account = nobody"
      "map to guest = bad user"
@ -322,7 +322,8 @@
        mode = "0660";
      };
    }));
-  environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
+  environment.persistence = lib.mkMerge (lib.flatten [
+    (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
      lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
        ${v."#persistRoot"}.directories = [
          {
@ -332,5 +333,16 @@
            mode = "0770";
          }
        ];
-    }));
+      }))
+    (lib.flip lib.mapAttrsToList config.services.netbird.tunnels (
+      _: v: {
+        "/state".directories = [
+          {
+            directory = "/var/lib/${v.stateDir}";
+            mode = "0770";
+          }
+        ];
+      }
+    ))
+  ]);
 }