From 5bfc0b0c7dcb0c8da45661f69d306305efbdc8e7 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Thu, 9 May 2024 17:24:46 +0200
Subject: [PATCH] sigma: samba smb

---
 hosts/sigma/default.nix | 1 +
 hosts/sigma/deluge.nix | 1 -
 hosts/sigma/network.nix | 6 ++++
 hosts/sigma/samba.nix | 61 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 hosts/sigma/samba.nix

diff --git a/hosts/sigma/default.nix b/hosts/sigma/default.nix
index 158921f..eafee13 100644
--- a/hosts/sigma/default.nix
+++ b/hosts/sigma/default.nix
@@ -13,6 +13,7 @@
 ./mail.nix
 ./memos.nix
 ./network.nix
+ ./samba.nix
 ./sonarr.nix
 ];
 
diff --git a/hosts/sigma/deluge.nix b/hosts/sigma/deluge.nix
index c766f21..8680afb 100644
--- a/hosts/sigma/deluge.nix
+++ b/hosts/sigma/deluge.nix
@@ -57,7 +57,6 @@
 
 # Add caspervk user to the 'torrent' group to allow viewing downloads
 users.groups.torrent.members = ["caspervk"];
-
 environment.persistence."/nix/persist" = {
 directories = [
 # Deluge data directory. This is *NOT* where the downloads are saved
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index c200e7c..5222141 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@@ -136,10 +136,16 @@
 allowedUDPPortRanges = lib.mkForce [];
 interfaces = {
 "enp5s0" = {
+ allowedUDPPorts = [
+ 139 # Samba
+ 445 # Samba
+ ];
 allowedTCPPorts = [
+ 139 # Samba
 22 # SSH
 25 # Mail SMTP
 443 # Caddy
+ 445 # Samba
 465 # Mail ESMTP
 80 # Caddy
 993 # Mail IMAPS
diff --git a/hosts/sigma/samba.nix b/hosts/sigma/samba.nix
new file mode 100644
index 0000000..ab61ca9
--- /dev/null
+++ b/hosts/sigma/samba.nix
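Review bot: The new `allowedUDPPorts` entries for 139 and 445 in the `"enp5s0"` block open ports Samba does not listen on over UDP: smbd serves SMB on TCP 445 and the NetBIOS session service on TCP 139, while the NetBIOS name and datagram services use UDP 137/138 and belong to nmbd, which samba.nix in this same patch disables. The whole `allowedUDPPorts = [ ... ];` block can therefore be dropped. TCP 139 is, as far as I can tell, only needed by clients that still speak SMB over NetBIOS; with discovery off, keeping just `445 # Samba` in `allowedTCPPorts` should suffice for current Windows clients. A short comment above the port entries noting that the `hosts allow` list in samba.nix is the second line of defence, not the first, would help, since this interface-wide rule admits any source that can reach enp5s0. The enclosing `interfaces` attribute set and the `allowedTCPPorts` list continue outside the hunk.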
@@ -0,0 +1,61 @@
+{
+ config,
+ secrets,
+ ...
+}: {
+ # Samba provides file and print services for various Microsoft Windows
+ # clients.
+ # https://wiki.nixos.org/wiki/Samba
+ #
+ # The setup can be tested by:
+ # > smbclient -L \\\\192.168.0.10
+ # > smbclient \\\\192.168.0.21\\downloads -U caspervk
+ #
+ # Running .exe's and installing programs through a network drive doesn't
+ # always work on Windows. The following tricks Windows by "mounting" the
+ # network drive to a local drive letter (or something like that, who knows).
+ # In cmd as administrator:
+ # > net use \\192.168.0.10\downloads
+ # > SUBST M: \\192.168.0.10\downloads
+ # > dir M:
+ # > M:\Programs\install.exe
+ services.samba = {
+ enable = true;
+ # Disable discovery: don't reply to NetBIOS over IP name service requests
+ # or participate in the browsing protocols which make up the Windows
+ # “Network Neighborhood” view.
+ enableNmbd = false;
+ # Disable Samba’s winbindd, which provides a number of services to the Name
+ # Service Switch capability found in most modern C libraries, to arbitrary
+ # applications via PAM and ntlm_auth and to Samba itself.
+ enableWinbindd = false;
+ # https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
+ extraConfig = ''
+ # Only allow local access. This should also be enforced by the firewall.
+ hosts deny ALL
+ hosts allow = 192.168.0.0/16 127.0.0.1 localhost
+ # Use user and group information from TDB database.
+ # The age-encrypted database is created by setting in the config
+ # > passdb backend = passdb backend = tdbsam:/tmp/samba-password-database
+ # and running
+ # > sudo pdbedit --create --user=caspervk
+ passdb backend = tdbsam:${config.age.secrets.samba-password-database.path}
+ # Allow Windows clients to run .exe's
+ acl allow execute always = True
+ '';
+ shares = {
+ downloads = {
+ path = "/srv/torrents/downloads";
+ # Use the 'torrent' group for access for all users connecting
+ "force group" = "torrent";
+ };
+ };
+ };
+
+ age.secrets.samba-password-database = {
+ file = "${secrets}/secrets/samba-password-database.age";
+ mode = "400";
+ owner = "root";
+ group = "root";
+ };
+}
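Review bot: `hosts deny ALL` inside `extraConfig` has no `=`, so smb.conf's parser should not accept it as a parameter (testparm ought to report it as a badly formed line) and the deny rule is silently dropped; it should read `hosts deny = ALL`. Access stays restricted in practice only because a non-empty `hosts allow` list on its own already denies every host not listed, so the comment "Only allow local access" is enforced by the next line, not by this one. The comment above the `passdb backend` setting repeats `passdb backend =` twice and should be `# > passdb backend = tdbsam:/tmp/samba-password-database`; the test commands at the top also mix 192.168.0.10 and 192.168.0.21 for what looks like the same host. Since `tdbsam` writes to its database (password changes, bad-password counters) and the path used here is the agenix-decrypted copy, which is presumably recreated on each activation, such changes would not survive a rebuild — a comment stating that the `.age` file is the source of truth and must be re-encrypted after `pdbedit`/`smbpasswd` changes would save the next maintainer a surprise. The `downloads` share sets neither `read only` nor `writable`, so it is read-only by Samba's default; spelling that out with `"read only" = "yes";` next to `"force group"` would make the intent explicit.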