patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

fix: samba wireguard access

Browse source 
feat: netbird samba host
This commit is contained in:
Patrick 2024-03-28 14:40:40 +01:00
parent 5d681b78f3
commit f9990eb01c
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
4 changed files with 93 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
hosts/elisabeth/secrets/samba/netbird-env.age
View file

@ -1,15 +1,16 @@
age-encryption.org/v1
-> X25519 FTk4whtXQ4QKgotU+0iBZxrUcUVQReiHyhGwv/3pC2w
PGSxFJqC21n737Jyc4pQgv/7tsblQBB47dZlfNynOC0
-> piv-p256 XTQkUA A1mVNcwBxkH0rysZRt1irvyi0k0ME5sccJox/xS1FRC4
Sy6Zz0a+Y5Z7J6F9M/b1OEKOau5JQm5JAUFsl4Ewk6k
-> piv-p256 ZFgiIw AsVavBKMJ+/39us+c0k7niiJab3Ev4Dj+SOo8SH73g3S
ZoUlA/qcdfJ6ctaCeQ/OQYu2wFrIqJ5aR0/aPXCjl4o
-> piv-p256 5vmPtQ AnX/v0upSdNStu6uCpC3nVdqWsxX/iUjTpDvKwsdJfNs
lUR+WRlyxqqRuO0hBai6hdYk4ytpEL8SbQHxmR7sK94
-> piv-p256 ZFgiIw Ax5SdGlJs1Gqusw6Lag/9bOuib7Ts3bksfdVN/FGRB4D
Euvy40vrJVrC+W27xYHb0muLuK5SIPmY0zv3+SJgAy4
-> z:&o*}s-grease 4eL2m
xIA4Vo9Z8niU+0+FsD8P6RsdLC/duMh4XtoLu3jYwuh3vA
--- TKHpQOtXIUtjoH4HNwcW5gKI8g9Ou6pXbNtt5ba0qQY
qà{+ëÝp˜l>µ¯<C2B5>]v‡í˜7„Kl£Ý…B"àP»Ð¼)Ô3oÂK[«(3õ> §ÐXU "€þ¯£å=^Ž£j”Á•²ƒ¿TUw°Ýu
-> X25519 8KelKlNhyqDN8pddQTPpmaoXCsR7uft/cB2C1T79WwU
d5/gmNM0BA7WVS4Ln+6e1IBysWjTwZXDMS9t+TQMdBA
-> piv-p256 XTQkUA AwfejTufQTCGTbBRgZASantr/GBbw4Mnp1IvAECk8YxH
noyk11Kk6dkvN/6wB6I+yREBeesc/KH6OJWvvvXZvvY
-> piv-p256 ZFgiIw AhntWFLj+OSpO8uJLeEmiWWPH4KzeZcJv29++AA9gPC6
TvfAw/aL0Urtrl0QTwbHm+U92igPgjizw5JVu9Xr27M
-> piv-p256 5vmPtQ AgBlp4aFbmUE9fVASSuXWIL60Ryz7Vt4vDmR2lNu5ob5
NYfzjIwTshjDJgV/Ijkzw7qEUC9kx9SyDcr9M3wCzLM
-> piv-p256 ZFgiIw AtXr3k6gmYxEupwpS7pSOdnF2720SCJj7V0Ci5lijrJS
z2klub/HC+YWunOR/NzMh9KPrdVD/UUm17VX/mXP31U
-> hen,g-grease Qg6] a X\b M[r_v^iK
neSxR7VWYbpUF4T0xYBS8T3PcnJWEK++hBJTrdv2u6h52c1v3MF0GTQvy9aoKKca
SLQDw7QpxA
--- 2dt1yCMXFxH1V1xXFG6NXW1NzlhcLX+8Ft1tFz5/k5Y
ǃ“ ÿßøG¼Ÿ팮v~uÊ!<"c< ùŽz¥/QPºƒ‰èSŠ®šóuñ½•3~÷lý)Ay‡ÚÙ'¹ÛHëÒ-¦¢êןOîýºŽa

53
modules/netbird-client.nix
View file

@ -28,6 +28,7 @@
port
str
submodule
bool
path
;
@ -63,10 +64,17 @@ in {
'';
};
autoStart = mkEnableOption '' automatically starting this tunnel on startup.
Need a setup key to work.
autoStart = mkEnableOption ''
automatically starting this tunnel on startup.
Needs a setup key to work.
'';
userAccess = mkOption {
type = bool;
description = "Allow unprivileged users access to the control socket";
default = false;
};
environmentFile = mkOption {
type = path;
description = "An additional environment file for this service.";
@ -143,6 +151,19 @@ in {
cfg.tunnels
);
systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
_: {
stateDir,
userAccess,
...
}: (nameValuePair "/run/${stateDir}" {
d.mode =
if userAccess
then "0755"
else "0750";
})
);
systemd.services =
mapAttrs'
(
@ -195,20 +216,20 @@ in {
RestrictSUIDSGID = true;
# Hardening
CapabilityBoundingSet = "";
PrivateUsers = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
#CapabilityBoundingSet = "";
#PrivateUsers = true;
#ProtectProc = "invisible";
#ProcSubset = "pid";
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
# "AF_NETLINK"
#];
#SystemCallArchitectures = "native";
#SystemCallFilter = [
# "@system-service"
# "@pkey"
#];
UMask = "0077";
};

28
modules/netbird-server.nix
View file

@ -222,20 +222,20 @@ in {
RestrictSUIDSGID = true;
# Hardening
CapabilityBoundingSet = "";
PrivateUsers = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
#CapabilityBoundingSet = "";
#PrivateUsers = true;
#ProtectProc = "invisible";
#ProcSubset = "pid";
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
# "AF_NETLINK"
#];
#SystemCallArchitectures = "native";
#SystemCallFilter = [
# "@system-service"
# "@pkey"
#];
UMask = "0077";
};
unitConfig = {

42
modules/services/samba.nix
View file

@ -17,7 +17,7 @@
imports = [../netbird-client.nix];
services.netbird.tunnels = {
samba = {
netbird-samba = {
environment.NB_MANAGEMENT_URL = "https://netbird.${config.secrets.secrets.global.domains.web}";
autoStart = true;
port = 56789;
@ -63,6 +63,8 @@
openFirewall = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = ["samba-patrick" "netbird-samba"];
services.samba = {
enable = true;
securityType = "user";
@ -84,10 +86,8 @@
# Disable netbios support. We don't need to support browsing since all
# clients hardcode the host and share names.
"disable netbios = yes"
# Deny access to all hosts by default.
"hosts deny = 0.0.0.0/0"
# Allow access to local network
"hosts allow = 192.168.178. 127.0.0.1 10.43.0. localhost"
"hosts allow = 192.168.178. 10. localhost"
"guest account = nobody"
"map to guest = bad user"
@ -322,15 +322,27 @@
mode = "0660";
};
}));
environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
${v."#persistRoot"}.directories = [
{
directory = "${v.path}";
user = "${v."force user"}";
group = "${v."force group"}";
mode = "0770";
}
];
}));
environment.persistence = lib.mkMerge (lib.flatten [
(lib.flip lib.mapAttrsToList config.services.samba.shares (_: v:
lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) {
${v."#persistRoot"}.directories = [
{
directory = "${v.path}";
user = "${v."force user"}";
group = "${v."force group"}";
mode = "0770";
}
];
}))
(lib.flip lib.mapAttrsToList config.services.netbird.tunnels (
_: v: {
"/state".directories = [
{
directory = "/var/lib/${v.stateDir}";
mode = "0770";
}
];
}
))
]);
}