From 6a1700f0b797eb3c0e05ced3335c1b05f9708141 Mon Sep 17 00:00:00 2001
From: materus
Date: Fri, 12 Jul 2024 15:53:54 +0200
Subject: [PATCH] waffentrager: samba and syncthing
---
 configurations/host/materusPC/network.nix | 17 ++-
 .../host/waffentrager/configuration.nix | 6 +-
 .../waffentrager/services/auth/default.nix | 4 -
 .../host/waffentrager/services/auth/samba.nix | 137 ------------------
 .../host/waffentrager/services/default.nix | 5 +-
 .../host/waffentrager/services/samba.nix | 41 ++++++
 .../host/waffentrager/services/syncthing.nix | 21 +++
 .../profile/common/private/default.nix | Bin 942 -> 967 bytes
 8 files changed, 83 insertions(+), 148 deletions(-)
 delete mode 100644 configurations/host/waffentrager/services/auth/samba.nix
 create mode 100644 configurations/host/waffentrager/services/samba.nix
 create mode 100644 configurations/host/waffentrager/services/syncthing.nix
diff --git a/configurations/host/materusPC/network.nix b/configurations/host/materusPC/network.nix
index b382d9d..52714d7 100644
--- a/configurations/host/materusPC/network.nix
+++ b/configurations/host/materusPC/network.nix
@@ -10,8 +10,14 @@
 networking.networkmanager.enable = true;
 #networking.networkmanager.wifi.backend = "iwd";
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 24800 5900 5357 4656 8080 9943 9944 ];
- networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port) 24800 5900 3702 4656 6000 9943 9944 ];
+ networking.firewall.allowedTCPPorts = [
+ 24800 5900 5357 4656 8080 9943 9944
+ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port # Syncthing
+ ];
+ networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port)
+ 24800 5900 3702 4656 6000 9943 9944
+ 22000 21027 # Syncthing
+ ];
 networking.networkmanager.settings = {
 connectivity = {
 uri = "http://nmcheck.gnome.org/check_network_status.txt";
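Review bot: The new TCP list opens `config.services.syncthing.relay.statusPort` and `config.services.syncthing.relay.port` on materusPC, but nothing in this patch sets `services.syncthing.relay.enable` (the hunk below only enables the client), so two ports are opened for a relay that is not running; the same pair is opened in configurations/host/waffentrager/services/syncthing.nix. Either drop them or guard them by appending `++ lib.optionals config.services.syncthing.relay.enable [ config.services.syncthing.relay.statusPort config.services.syncthing.relay.port ]` to the list. The client ports 22000/tcp, 22000/udp and 21027/udp can come from `services.syncthing.openDefaultPorts = true;` instead of being repeated by hand, so a later port change in the module is followed automatically. The enclosing module body starts before this hunk.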
@@ -48,4 +54,11 @@
 proxy = { };
 };
 };
+ services = {
+ syncthing = {
+ enable = true;
+ user = "materus";
+ dataDir = "/home/materus";
+ };
+ };
 }
diff --git a/configurations/host/waffentrager/configuration.nix b/configurations/host/waffentrager/configuration.nix
index 969a86b..886c085 100644
--- a/configurations/host/waffentrager/configuration.nix
+++ b/configurations/host/waffentrager/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running `nixos-help`).
-{ config, pkgs, ... }:
+{ config, pkgs, materusArg, ... }:
 {
 imports =
@@ -38,9 +38,7 @@
 users.users.materus = {
 isNormalUser = true;
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl"
- ];
+ openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ];
 hashedPasswordFile = config.sops.secrets."users/materus".path;
 shell = pkgs.zsh;
 };
diff --git a/configurations/host/waffentrager/services/auth/default.nix b/configurations/host/waffentrager/services/auth/default.nix
index e133ac9..7033a18 100644
--- a/configurations/host/waffentrager/services/auth/default.nix
+++ b/configurations/host/waffentrager/services/auth/default.nix
@@ -1,11 +1,7 @@
 { config, materusArg, lib, pkgs, ... }:
-let
- cfg = config.waffentragerService.auth;
-in
 {
 imports = [
- ./samba.nix
 ];
 config = {
diff --git a/configurations/host/waffentrager/services/auth/samba.nix b/configurations/host/waffentrager/services/auth/samba.nix
deleted file mode 100644
index 8bfa6e9..0000000
--- a/configurations/host/waffentrager/services/auth/samba.nix
+++ /dev/null
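Review bot: In configuration.nix, `openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ]` interpolates `materusArg.cfg.path` into a string before concatenating; if that value is a Nix path rather than a string (its definition is not in this patch), the interpolation copies the whole directory it points to into the store just to read one public key. Plain `materusArg.cfg.path + "/extraFiles/keys/ssh/materus.pub"` works for both a path and a string value and, for a path, yields a path to just that file. Since the key for this wheel user no longer sits in the file, a one-line comment such as `# authorized key is maintained in extraFiles/keys/ssh/materus.pub` would tell the next reader where to rotate it.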
@@ -1,137 +0,0 @@ -{ materusArg, config, lib, pkgs, ... }: -{ - - options.waffentragerService.auth.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba AD"; - - config = - let - cfg = config.waffentragerService.auth.samba; - sambaCfg = config.services.samba; - servicePath = materusArg.waffentrager.samba.servicePath; - smbToString = x: - if builtins.typeOf x == "bool" - then lib.boolToString x - else builtins.toString x; - shareConfig = name: - let share = lib.getAttr name cfg.shares; in - "[${name}]\n " + (smbToString ( - map - (key: "${key} = ${smbToString (lib.getAttr key share)}\n") - (lib.attrNames share) - )); - in - lib.mkIf cfg.enable { - - systemd.services.samba-smbd.enable = false; - systemd.services.samba = { - description = "Samba Service Daemon"; - requires = [ "rsync-acme.service" ]; - after = [ "rsync-acme.service" ]; - requiredBy = [ "samba.target" ]; - partOf = [ "samba.target" ]; - - serviceConfig = { - ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - LimitNOFILE = 16384; - PIDFile = "/run/samba.pid"; - Type = "notify"; - NotifyAccess = "all"; - }; - unitConfig.RequiresMountsFor = servicePath; - }; - # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage - networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268]; - networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464]; - systemd.tmpfiles.rules = [ - "d ${servicePath}/tls/ 0600 root 3000000 -" - "d ${servicePath}/private/ 0600 root 3000000 -" - "d ${servicePath}/lock/ 0600 root 3000000 -" - "d ${servicePath}/cache/ 0600 root 3000000 -" - ]; - services.samba = { - enable = true; - enableNmbd = false; - enableWinbindd = false; - package = pkgs.samba4Full; - configText = '' - # Global parameters - [global] - dns forwarder = ${materusArg.waffentrager.samba.dnsIp} - netbios name = ${materusArg.waffentrager.samba.netbiosName} - realm = ${lib.toUpper 
materusArg.waffentrager.samba.domain} - server role = active directory domain controller - workgroup = ${materusArg.waffentrager.samba.workgroup} - idmap_ldb:use rfc2307 = yes - ldap server require strong auth = yes - private dir = ${servicePath}/private - lock dir = ${servicePath}/lock - state directory = ${servicePath}/lock - cache directory = ${servicePath}/cache - tls enabled = yes - tls keyfile = ${servicePath}/tls/key.pem - tls certfile = ${servicePath}/tls/fullchain.pem - tls cafile = ${servicePath}/tls/chain.pem - - [sysvol] - path = ${servicePath}/sysvol - read only = No - - [netlogon] - path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts - read only = No - - - ${sambaCfg.extraConfig} - - ${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))} - ''; - }; - environment.etc = { - resolvconf = { - text = '' - search ${materusArg.waffentrager.samba.domain} - nameserver ${materusArg.waffentrager.samba.dnsIp} - nameserver 9.9.9.9 - ''; - }; - }; - networking.hosts = { - "${materusArg.ips.wireguard.waffentrager}" = [ - materusArg.waffentrager.samba.domain - "${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}" - materusArg.waffentrager.samba.netbiosName - ]; - }; - systemd.timers.rsync-acme = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1min"; - OnUnitActiveSec = "1h"; - Unit = "rsync-acme.service"; - }; - }; - - systemd.services.rsync-acme = { - description = "Sync acme for samba"; - path = [ pkgs.rsync ]; - requires = [ "var-lib-mnt_acme.mount" ]; - after = [ "var-lib-mnt_acme.mount" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = false; - script = '' - rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/ - rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem 
${materusArg.waffentrager.samba.servicePath}/tls/ - rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
- '';
- };
- waffentragerService.elements.enable = true;
- waffentragerService.nginx.enable = true;
-
-
- security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
-
- systemd.services.resolvconf.enable = false;
- };
-
-}
diff --git a/configurations/host/waffentrager/services/default.nix b/configurations/host/waffentrager/services/default.nix
index f6ab806..b4b5f1b 100644
--- a/configurations/host/waffentrager/services/default.nix
+++ b/configurations/host/waffentrager/services/default.nix
@@ -8,6 +8,8 @@
 ./gitea.nix
 ./nginx.nix
 ./nextcloud.nix
+ ./samba.nix
+ ./syncthing.nix
 ./auth
 ];
 waffentragerService.elements.enable = true;
@@ -16,5 +18,6 @@
 waffentragerService.gitea.enable = true;
 waffentragerService.nginx.enable = true;
 waffentragerService.nextcloud.enable = true;
-
+ waffentragerService.samba.enable = true;
+ waffentragerService.syncthing.enable = true;
 }
\ No newline at end of file
diff --git a/configurations/host/waffentrager/services/samba.nix b/configurations/host/waffentrager/services/samba.nix
new file mode 100644
index 0000000..fd98ce7
--- /dev/null
+++ b/configurations/host/waffentrager/services/samba.nix
@@ -0,0 +1,41 @@
+{ lib, pkgs, materusArg, config, ... }:
+{
+ options.waffentragerService.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba";
+
+ config =
+ let
+ cfg = config.waffentragerService.samba;
+ in
+ lib.mkIf cfg.enable {
+ services.samba-wsdd.enable = true;
+ services.samba-wsdd.openFirewall = true;
+ services.samba = {
+ enable = true;
+ package = pkgs.sambaFull;
+ securityType = "user";
+ openFirewall = true;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = smbwaffentrager
+ netbios name = smbwaffentrager
+ security = user
+ hosts allow = ${materusArg.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost
+ hosts deny = 0.0.0.0/0
+ guest account = nobody
+ map to guest = bad user
+ '';
+ shares = {
+ materus = {
+ path = "${config.waffentragerService.elements.path}/storage/materus";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "materus";
+ "force group" = "users";
+ };
+ };
+ };
+ };
+}
diff --git a/configurations/host/waffentrager/services/syncthing.nix b/configurations/host/waffentrager/services/syncthing.nix
new file mode 100644
index 0000000..09d7722
--- /dev/null
+++ b/configurations/host/waffentrager/services/syncthing.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, materusArg, config, ... }:
+{
+ options.waffentragerService.syncthing.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable syncthing";
+
+ config =
+ let
+ cfg = config.waffentragerService.syncthing;
+ in
+ lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+ services = {
+ syncthing = {
+ enable = true;
+ user = "materus";
+ dataDir = "${config.waffentragerService.elements.path}/storage/materus";
+ configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
+ };
+ };
+ };
+}
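Review bot: The `materus` share in samba.nix sets `"force user" = "materus"` and `"read only" = "no"` without a `valid users` entry, so any account that can authenticate to smbd (`security = user`) writes into `${config.waffentragerService.elements.path}/storage/materus` as materus; add `"valid users" = "materus";` to the share. In the global section `map to guest = bad user` turns unknown usernames into guest sessions on `guest account = nobody`; with `"guest ok" = "no"` on the only share there is nothing a guest should reach, so `map to guest = never` is the safer setting unless anonymous browsing is intended. `security = user` in extraConfig repeats what `securityType = "user"` should already emit and can be dropped to keep one source of truth.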
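Review bot: In syncthing.nix, `configDir` is placed at `${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/`, inside the tree that samba.nix in this same patch exports as the writable `materus` share (`path = "${config.waffentragerService.elements.path}/storage/materus"` with `force user = materus`). Syncthing keeps its device key, certificate and config.xml (which holds the GUI API key) in configDir, so every SMB client allowed onto that share can read or replace the device identity and its folder list. Point configDir at a directory outside the shared tree — a path under /var/lib is the usual choice (an explicit value is needed here, because the module default also derives from dataDir and lands inside the share) — and the same concern applies if Inne/Config is itself a synced folder. A short comment next to the assignment stating why configDir is kept off the share would keep the next edit from moving it back.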
diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index 3805ae6139cbc225ae946467dc9ec0b920551cef..89ecdb23a52b662b9c556c2fff4ec4eddd216498 100644 GIT binary patch literal 967 zcmZQ@_Y83kiVO&0FwV1ze5uqtquYAU4E9JZo_Es@-LqkPn=8LtWm!vYRpeXA_M5?{ znRJ4}>*82%e0o$}U3Y2ADcM~w8x<=ICU2QO!Ohn4(}uM*TnDyaj=WQyVBB*dquRW8 z`>_q#&$P`RPg$_^o;q)0ZlCMv70K0Yhn;S4ojU!3eer^HGtQzAfkhXYKNiW%HI;jt zcXr7-XW5kprnCL~?{tv$Rc^@3yE{(BU2lJ;=$LZBu%d0PlGVDSNk6@2`&_k|JY(_R zGcF&~H;6y2^!i)wl4|RCiR)zVl~|_@MVEH%D?A+keJ9tJIH%-Y3z>6-S$>`CzxK8F z)8pjh>()PhUSNOcX{J)9!=?o{E~oBUA}8QjH*3-}X00;)mtwNK+k&5d*NJ)*HPh3| zU7~5h)(v*QF0TGADw3tJxkhTb;T6WvxlV6NKI&ZjZMbsj=F9wduAE7|=l>^l#$L(p zAD8EyoU-o56H67@3Cq@NyleMkT&DW#-l?w_9aem>anm^!Sj*CS%y@VG-H2V1J?Cyt zKJZJ0-F@4n_K(Ni4bt_p7d*M~>dU^+%=kSkRi-Ju*uHH4x1yX=Gd}#Q?$|RU>Dg(? zi2@Fj3?9fwf9Z_&4?UFn>`!M7@1ZS6&)kXJwKc^4dx(%npJ3bhKGV=S2fOC4J0^8V zbzV-x-A()x);*LkXxO;pTRy|uc4oJC3_I`7bCTKp($QmQG7Hc*d*>7H7XFY57 zVa55rohLQLIVStQ%2aW7Ry57=`2F6xqfYKo_1O;|o{95i;umkxSL&{7)p4HL@c59( zRAsq65jvA3KQr0ouG(2YDMKslv*5|TS%NXOEEN+vFZhL*OCD8wy7KMwq=jZH+f4hU z*Vv!=5}+INeU*u){R;NzDW6}hSYx(cxHy|z?e+fKFL^73zD}4JRBLFmQX(+JLQcG* zjJ0Bqe9DEoed)pv)sA*6dESy*6XV0rr@7ZK`Qf#D9%U#0P1l*%`g!8nKfNzajc>^3 zuh`vODfo$J-MSlbjK_ZTtPh##8`ZVGdE@oeH-{X>OLjaAT`BW1n$vlqyPo=ecV6*> zM&XPqZ)ab=SEW6R<<`T1Bg)?woRchI3jBG&_oY6|j<&4d3TwXmsQr5{C{kawck;Hr zsAmgi$KKeUFzrX{fl23e-XFG|BmMl>KBFDl=a$@mw5O$Nwrps(x_$Gdx{a%YJ{=0{ zYMYTJ9nGoDoTJjeBB#D#p_{RDu={&UhHFBSD-I^k`m@nn_2MVp@@$W;>|Z6_p3HhP o|7dV6Z}ePy*zbS1`E2#lgl2Z;f16FKl8(MPA%E_}M4O1W0OTm=DgXcg literal 942 zcmZQ@_Y83kiVO&0n4LfM!I_ZG`{&|qKZwh0&RpiX)9BzP-Gk>8i+)ZrPCvIlh;w`G z1Gc$)(zK8NU486HQlS2-wR3m`Wmw}M*v%9R+?FBUDblw#_vkc%e?og^ubZ<{NLqn8 zytnmk`j4A&9`lQTa6A?`nxT7AZk7T&KVP7P?8ZCYCIPL=R=adI+1ngE<}~fuV!s>t zD*v>9?vavQoAT9HdBW}Qcei|2{rg4ax%!?p4pC~xTRv7+b#$#UxxQux+oUf$xmU?L z$|V2Z6l<}z_{I_Aes(jR&HKe!_gefY4_Nu+R?o3jiiIIwjWQWp4}xY%-v5%OfA^nt z+$7eimbTs|^XpGNK79A(=D9YiNR8zq;NfPmf!idU~t7T{Y911v5CNI861O 
zBAC~BINdPp+81$`bq}>qU%PiZc-kZ%GnRr6J2H}P@_r~TVbl0_~ieNy)kNn6XT-J`RIP)vv4`{nfdWb&erL?Ja&!J(lR1a<=S>Z4tu|Qb2C|0 zF28m)>5ur5B%Q_`JJW9|$^DK{{Kx1!aa&20`s0R{lPd1LlAvI`Dw-CPBUX94{K&xAH1IIq`a5R`&R#pOV@q zrr+Ax`pe*sYQErhColFBDr&9&m{rbv>-3pcE6AE8!yT|IdBvXJg+Xftn)ZsOY${)` z6V3NX_UfaTGmcAoKfHHm0}rFpyZ$-X-)}3HTV2Mj9)JCCRPpl?x!+;!!REUf-rC)+ zdlTTH*>vJe)t3_&=e$VV-?$><_U;yC*{j!lznd^GtaX`v()U0zyY~YBd)JNro&R~R zF5va9_ij@*ndjL=e?I=>pz?mH#mz}Zw{610mH7-TmoF{qGc$a#wr~ILkm9J03(7)e zJd=3e{CLX9Y;;1XSdPEHjVbJ01>d6lJ)wM-%W4BeEDNWlg$XkHKInY2-B5O+eX88n z*_&^4RX;qsvgyhE^30z`y?i3S&nouxg?cS2mdl9aQ!;Y)c+1_YSlzvRN;+HhpWHu( MFHaT8;+ky=0Ka9;IRF3v