nixos-config/configurations/host/waffentrager/services/auth/samba.nix

{ materusArg, config, lib, pkgs, ... }:
{
  

  config =
    let
      cfg = config.waffentragerService.auth;
      sambaCfg = config.services.samba;
      servicePath = materusArg.waffentrager.samba.servicePath;
      smbToString = x:
        if builtins.typeOf x == "bool"
        then lib.boolToString x
        else builtins.toString x;
      shareConfig = name:
        let share = lib.getAttr name cfg.shares; in
        "[${name}]\n " + (smbToString (
          map
            (key: "${key} = ${smbToString (lib.getAttr key share)}\n")
            (lib.attrNames share)
        ));
    in
    lib.mkIf cfg.enable {
      
      systemd.services.samba-smbd.enable = false;
      systemd.services.samba = {
        description = "Samba Service Daemon";
        requires = [ "rsync-acme.service" ];
        after = [ "rsync-acme.service" ];
        requiredBy = [ "samba.target" ];
        partOf = [ "samba.target" ];

        serviceConfig = {
          ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group";
          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
          LimitNOFILE = 16384;
          PIDFile = "/run/samba.pid";
          Type = "notify";
          NotifyAccess = "all";
        };
        unitConfig.RequiresMountsFor = servicePath;
      };
      # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
      networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
      networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
      systemd.tmpfiles.rules = [
        "d    ${servicePath}/tls/  0600    root    3000000     -"
        "d    ${servicePath}/private/  0600    root    3000000     -"
        "d    ${servicePath}/lock/  0600    root    3000000     -"
        "d    ${servicePath}/cache/  0600    root    3000000     -"
      ];
      services.samba = {
        enable = true;
        enableNmbd = false;
        enableWinbindd = false;
        package = pkgs.samba4Full;
        configText = ''
          # Global parameters
          [global]
              dns forwarder = ${materusArg.waffentrager.samba.dnsIp}
              netbios name = ${materusArg.waffentrager.samba.netbiosName}
              realm = ${lib.toUpper materusArg.waffentrager.samba.domain}
              server role = active directory domain controller
              workgroup = ${materusArg.waffentrager.samba.workgroup}
              idmap_ldb:use rfc2307 = yes
              ldap server require strong auth = yes
              private dir = ${servicePath}/private
              lock dir = ${servicePath}/lock
              state directory = ${servicePath}/lock
              cache directory = ${servicePath}/cache
              tls enabled  = yes
              tls keyfile  = ${servicePath}/tls/key.pem
              tls certfile = ${servicePath}/tls/fullchain.pem
              tls cafile   = ${servicePath}/tls/chain.pem

          [sysvol]
              path = ${servicePath}/sysvol
              read only = No

          [netlogon]
              path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts
              read only = No


            ${sambaCfg.extraConfig}

            ${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))}
        '';
      };
    };

}
waffentrager: prepare auth service 2024-04-02 19:43:49 +02:00			`{ materusArg, config, lib, pkgs, ... }:`
			`{`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00
waffentrager: prepare auth service 2024-04-02 19:43:49 +02:00
			`config =`
			`let`
waffentrager: fix auth 2024-04-05 22:41:05 +02:00			`cfg = config.waffentragerService.auth;`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00			`sambaCfg = config.services.samba;`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`servicePath = materusArg.waffentrager.samba.servicePath;`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00			`smbToString = x:`
			`if builtins.typeOf x == "bool"`
			`then lib.boolToString x`
			`else builtins.toString x;`
			`shareConfig = name:`
			`let share = lib.getAttr name cfg.shares; in`
			`"[${name}]\n " + (smbToString (`
			`map`
			`(key: "${key} = ${smbToString (lib.getAttr key share)}\n")`
			`(lib.attrNames share)`
			`));`
waffentrager: prepare auth service 2024-04-02 19:43:49 +02:00			`in`
			`lib.mkIf cfg.enable {`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00			`systemd.services.samba-smbd.enable = false;`
			`systemd.services.samba = {`
			`description = "Samba Service Daemon";`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`requires = [ "rsync-acme.service" ];`
			`after = [ "rsync-acme.service" ];`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00			`requiredBy = [ "samba.target" ];`
			`partOf = [ "samba.target" ];`

			`serviceConfig = {`
			`ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group";`
			`ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";`
			`LimitNOFILE = 16384;`
			`PIDFile = "/run/samba.pid";`
			`Type = "notify";`
			`NotifyAccess = "all";`
			`};`
			`unitConfig.RequiresMountsFor = servicePath;`
			`};`
			`# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage`
			`networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];`
			`networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`systemd.tmpfiles.rules = [`
			`"d ${servicePath}/tls/ 0600 root 3000000 -"`
waffentrager: samba change dirs 2024-04-12 11:49:25 +02:00			`"d ${servicePath}/private/ 0600 root 3000000 -"`
			`"d ${servicePath}/lock/ 0600 root 3000000 -"`
			`"d ${servicePath}/cache/ 0600 root 3000000 -"`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`];`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00			`services.samba = {`
			`enable = true;`
			`enableNmbd = false;`
			`enableWinbindd = false;`
			`package = pkgs.samba4Full;`
			`configText = ''`
			`# Global parameters`
			`[global]`
			`dns forwarder = ${materusArg.waffentrager.samba.dnsIp}`
			`netbios name = ${materusArg.waffentrager.samba.netbiosName}`
			`realm = ${lib.toUpper materusArg.waffentrager.samba.domain}`
			`server role = active directory domain controller`
			`workgroup = ${materusArg.waffentrager.samba.workgroup}`
			`idmap_ldb:use rfc2307 = yes`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`ldap server require strong auth = yes`
waffentrager: samba change dirs 2024-04-12 11:49:25 +02:00			`private dir = ${servicePath}/private`
			`lock dir = ${servicePath}/lock`
			`state directory = ${servicePath}/lock`
			`cache directory = ${servicePath}/cache`
waffentrager: samba changes 2024-04-12 09:56:47 +02:00			`tls enabled = yes`
			`tls keyfile = ${servicePath}/tls/key.pem`
			`tls certfile = ${servicePath}/tls/fullchain.pem`
			`tls cafile = ${servicePath}/tls/chain.pem`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00
			`[sysvol]`
			`path = ${servicePath}/sysvol`
			`read only = No`

			`[netlogon]`
			`path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts`
			`read only = No`


			`${sambaCfg.extraConfig}`

			`${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))}`
			`'';`
			`};`
waffentrager: prepare auth service 2024-04-02 19:43:49 +02:00			`};`
waffentrager: prepare samba DC 2024-04-12 01:38:50 +02:00
			`}`