sigma: samba smb

2024-05-09 17:24:46 +02:00 · 2024-05-09 17:24:46 +02:00 · 5bfc0b0c7d
parent 4229d33150
commit 5bfc0b0c7d
4 changed files with 68 additions and 1 deletions
--- a/hosts/sigma/default.nix
+++ b/hosts/sigma/default.nix
@ -13,6 +13,7 @@
    ./mail.nix
    ./memos.nix
    ./network.nix
+    ./samba.nix
    ./sonarr.nix
  ];

--- a/hosts/sigma/deluge.nix
+++ b/hosts/sigma/deluge.nix
@ -57,7 +57,6 @@
  # Add caspervk user to the 'torrent' group to allow viewing downloads
  users.groups.torrent.members = ["caspervk"];

-
  environment.persistence."/nix/persist" = {
    directories = [
      # Deluge data directory. This is *NOT* where the downloads are saved
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@ -136,10 +136,16 @@
    allowedUDPPortRanges = lib.mkForce [];
    interfaces = {
      "enp5s0" = {
+        allowedUDPPorts = [
+          139 # Samba
+          445 # Samba
+        ];
        allowedTCPPorts = [
+          139 # Samba
          22 # SSH
          25 # Mail SMTP
          443 # Caddy
+          445 # Samba
          465 # Mail ESMTP
          80 # Caddy
          993 # Mail IMAPS
--- a/hosts/sigma/samba.nix
+++ b/hosts/sigma/samba.nix
@ -0,0 +1,61 @@
+{
+  config,
+  secrets,
+  ...
+}: {
+  # Samba provides file and print services for various Microsoft Windows
+  # clients.
+  # https://wiki.nixos.org/wiki/Samba
+  #
+  # The setup can be tested by:
+  # > smbclient -L \\\\192.168.0.10
+  # > smbclient \\\\192.168.0.21\\downloads -U caspervk
+  #
+  # Running .exe's and installing programs through a network drive doesn't
+  # always work on Windows. The following tricks Windows by "mounting" the
+  # network drive to a local drive letter (or something like that, who knows).
+  # In cmd as administrator:
+  # > net use \\192.168.0.10\downloads
+  # > SUBST M: \\192.168.0.10\downloads
+  # > dir M:
+  # > M:\Programs\install.exe
+  services.samba = {
+    enable = true;
+    # Disable discovery: don't reply to NetBIOS over IP name service requests
+    # or participate in the browsing protocols which make up the Windows
+    # “Network Neighborhood” view.
+    enableNmbd = false;
+    # Disable Samba’s winbindd, which provides a number of services to the Name
+    # Service Switch capability found in most modern C libraries, to arbitrary
+    # applications via PAM and ntlm_auth and to Samba itself.
+    enableWinbindd = false;
+    # https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
+    extraConfig = ''
+      # Only allow local access. This should also be enforced by the firewall.
+      hosts deny ALL
+      hosts allow = 192.168.0.0/16 127.0.0.1 localhost
+      # Use user and group information from TDB database.
+      # The age-encrypted database is created by setting in the config
+      # > passdb backend = passdb backend = tdbsam:/tmp/samba-password-database
+      # and running
+      # > sudo pdbedit --create --user=caspervk
+      passdb backend = tdbsam:${config.age.secrets.samba-password-database.path}
+      # Allow Windows clients to run .exe's
+      acl allow execute always = True
+    '';
+    shares = {
+      downloads = {
+        path = "/srv/torrents/downloads";
+        # Use the 'torrent' group for access for all users connecting
+        "force group" = "torrent";
+      };
+    };
+  };
+
+  age.secrets.samba-password-database = {
+    file = "${secrets}/secrets/samba-password-database.age";
+    mode = "400";
+    owner = "root";
+    group = "root";
+  };
+}