From 6a1700f0b797eb3c0e05ced3335c1b05f9708141 Mon Sep 17 00:00:00 2001
From: materus
Date: Fri, 12 Jul 2024 15:53:54 +0200
Subject: [PATCH] waffentrager: samba and syncthing
---
configurations/host/materusPC/network.nix | 17 ++-
.../host/waffentrager/configuration.nix | 6 +-
.../waffentrager/services/auth/default.nix | 4 -
.../host/waffentrager/services/auth/samba.nix | 137 ------------------
.../host/waffentrager/services/default.nix | 5 +-
.../host/waffentrager/services/samba.nix | 41 ++++++
.../host/waffentrager/services/syncthing.nix | 21 +++
.../profile/common/private/default.nix | Bin 942 -> 967 bytes
8 files changed, 83 insertions(+), 148 deletions(-)
delete mode 100644 configurations/host/waffentrager/services/auth/samba.nix
create mode 100644 configurations/host/waffentrager/services/samba.nix
create mode 100644 configurations/host/waffentrager/services/syncthing.nix
diff --git a/configurations/host/materusPC/network.nix b/configurations/host/materusPC/network.nix
index b382d9d..52714d7 100644
--- a/configurations/host/materusPC/network.nix
+++ b/configurations/host/materusPC/network.nix
@@ -10,8 +10,14 @@
 networking.networkmanager.enable = true;
 #networking.networkmanager.wifi.backend = "iwd";
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 24800 5900 5357 4656 8080 9943 9944 ];
- networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port) 24800 5900 3702 4656 6000 9943 9944 ];
+ networking.firewall.allowedTCPPorts = [
+ 24800 5900 5357 4656 8080 9943 9944
+ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port # Syncthing
+ ];
+ networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port)
+ 24800 5900 3702 4656 6000 9943 9944
+ 22000 21027 # Syncthing
+ ];
 networking.networkmanager.settings = {
 connectivity = {
 uri = "http://nmcheck.gnome.org/check_network_status.txt";
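Review bot: The new TCP list opens `config.services.syncthing.relay.statusPort` and `config.services.syncthing.relay.port` although nothing in this patch enables `services.syncthing.relay` (the next hunk of this file only sets `services.syncthing.enable`), so two relay-server ports are open on every interface for a service that is not running; the same pair is added in the new `services/syncthing.nix`. A plain Syncthing client needs only 22000/tcp, 22000/udp and 21027/udp, which is exactly what `services.syncthing.openDefaultPorts = true;` contributes, so the two relay entries can be dropped here and in `syncthing.nix` until a relay is deliberately enabled. If either host is reachable beyond the WireGuard/LAN segment, the per-interface form `networking.firewall.interfaces.<name>.allowedTCPPorts` keeps the sync ports off the public side while the global list stays for the rest.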
@@ -48,4 +54,11 @@ proxy = { }; }; }; + services = { + syncthing = { + enable = true; + user = "materus"; + dataDir = "/home/materus"; + }; + }; } diff --git a/configurations/host/waffentrager/configuration.nix b/configurations/host/waffentrager/configuration.nix index 969a86b..886c085 100644 --- a/configurations/host/waffentrager/configuration.nix +++ b/configurations/host/waffentrager/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ config, pkgs, ... }: +{ config, pkgs, materusArg, ... }: { imports = @@ -38,9 +38,7 @@ users.users.materus = { isNormalUser = true; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl" - ]; + openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ]; hashedPasswordFile = config.sops.secrets."users/materus".path; shell = pkgs.zsh; }; diff --git a/configurations/host/waffentrager/services/auth/default.nix b/configurations/host/waffentrager/services/auth/default.nix index e133ac9..7033a18 100644 --- a/configurations/host/waffentrager/services/auth/default.nix +++ b/configurations/host/waffentrager/services/auth/default.nix @@ -1,11 +1,7 @@ { config, materusArg, lib, pkgs, ... }: -let - cfg = config.waffentragerService.auth; -in { imports = [ - ./samba.nix ]; config = { diff --git a/configurations/host/waffentrager/services/auth/samba.nix b/configurations/host/waffentrager/services/auth/samba.nix deleted file mode 100644 index 8bfa6e9..0000000 --- a/configurations/host/waffentrager/services/auth/samba.nix +++ /dev/null 
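Review bot: The `openssh.authorizedKeys.keyFiles` entry builds its path as `("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub")` when `"${materusArg.cfg.path}/extraFiles/keys/ssh/materus.pub"` yields the same value more directly. Because this list replaces the inline key and is, within this hunk, the only key granting SSH access to the wheel user `materus`, the patch should also ensure that file is committed next to the configuration: keyFiles are read while the system is built, so a missing file fails evaluation, and a wrong file silently changes who can log in. A one-line comment such as `# public half only; the private key never enters the repo` next to the entry would make that expectation explicit for the next reader.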
@@ -1,137 +0,0 @@ -{ materusArg, config, lib, pkgs, ... }: -{ - - options.waffentragerService.auth.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba AD"; - - config = - let - cfg = config.waffentragerService.auth.samba; - sambaCfg = config.services.samba; - servicePath = materusArg.waffentrager.samba.servicePath; - smbToString = x: - if builtins.typeOf x == "bool" - then lib.boolToString x - else builtins.toString x; - shareConfig = name: - let share = lib.getAttr name cfg.shares; in - "[${name}]\n " + (smbToString ( - map - (key: "${key} = ${smbToString (lib.getAttr key share)}\n") - (lib.attrNames share) - )); - in - lib.mkIf cfg.enable { - - systemd.services.samba-smbd.enable = false; - systemd.services.samba = { - description = "Samba Service Daemon"; - requires = [ "rsync-acme.service" ]; - after = [ "rsync-acme.service" ]; - requiredBy = [ "samba.target" ]; - partOf = [ "samba.target" ]; - - serviceConfig = { - ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - LimitNOFILE = 16384; - PIDFile = "/run/samba.pid"; - Type = "notify"; - NotifyAccess = "all"; - }; - unitConfig.RequiresMountsFor = servicePath; - }; - # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage - networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268]; - networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464]; - systemd.tmpfiles.rules = [ - "d ${servicePath}/tls/ 0600 root 3000000 -" - "d ${servicePath}/private/ 0600 root 3000000 -" - "d ${servicePath}/lock/ 0600 root 3000000 -" - "d ${servicePath}/cache/ 0600 root 3000000 -" - ]; - services.samba = { - enable = true; - enableNmbd = false; - enableWinbindd = false; - package = pkgs.samba4Full; - configText = '' - # Global parameters - [global] - dns forwarder = ${materusArg.waffentrager.samba.dnsIp} - netbios name = ${materusArg.waffentrager.samba.netbiosName} - realm = ${lib.toUpper 
materusArg.waffentrager.samba.domain} - server role = active directory domain controller - workgroup = ${materusArg.waffentrager.samba.workgroup} - idmap_ldb:use rfc2307 = yes - ldap server require strong auth = yes - private dir = ${servicePath}/private - lock dir = ${servicePath}/lock - state directory = ${servicePath}/lock - cache directory = ${servicePath}/cache - tls enabled = yes - tls keyfile = ${servicePath}/tls/key.pem - tls certfile = ${servicePath}/tls/fullchain.pem - tls cafile = ${servicePath}/tls/chain.pem - - [sysvol] - path = ${servicePath}/sysvol - read only = No - - [netlogon] - path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts - read only = No - - - ${sambaCfg.extraConfig} - - ${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))} - ''; - }; - environment.etc = { - resolvconf = { - text = '' - search ${materusArg.waffentrager.samba.domain} - nameserver ${materusArg.waffentrager.samba.dnsIp} - nameserver 9.9.9.9 - ''; - }; - }; - networking.hosts = { - "${materusArg.ips.wireguard.waffentrager}" = [ - materusArg.waffentrager.samba.domain - "${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}" - materusArg.waffentrager.samba.netbiosName - ]; - }; - systemd.timers.rsync-acme = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1min"; - OnUnitActiveSec = "1h"; - Unit = "rsync-acme.service"; - }; - }; - - systemd.services.rsync-acme = { - description = "Sync acme for samba"; - path = [ pkgs.rsync ]; - requires = [ "var-lib-mnt_acme.mount" ]; - after = [ "var-lib-mnt_acme.mount" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = false; - script = '' - rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/ - rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem 
${materusArg.waffentrager.samba.servicePath}/tls/ - rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/ - ''; - }; - waffentragerService.elements.enable = true; - waffentragerService.nginx.enable = true; - - - security.acme.defaults.credentialsFile = config.sops.secrets.certs.path; - - systemd.services.resolvconf.enable = false; - }; - -} diff --git a/configurations/host/waffentrager/services/default.nix b/configurations/host/waffentrager/services/default.nix index f6ab806..b4b5f1b 100644 --- a/configurations/host/waffentrager/services/default.nix +++ b/configurations/host/waffentrager/services/default.nix @@ -8,6 +8,8 @@ ./gitea.nix ./nginx.nix ./nextcloud.nix + ./samba.nix + ./syncthing.nix ./auth ]; waffentragerService.elements.enable = true; @@ -16,5 +18,6 @@ waffentragerService.gitea.enable = true; waffentragerService.nginx.enable = true; waffentragerService.nextcloud.enable = true; - + waffentragerService.samba.enable = true; + waffentragerService.syncthing.enable = true; } \ No newline at end of file diff --git a/configurations/host/waffentrager/services/samba.nix b/configurations/host/waffentrager/services/samba.nix new file mode 100644 index 0000000..fd98ce7 --- /dev/null +++ b/configurations/host/waffentrager/services/samba.nix 
@@ -0,0 +1,41 @@
+{ lib, pkgs, materusArg, config, ... }:
+{
+ options.waffentragerService.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba";
+
+ config =
+ let
+ cfg = config.waffentragerService.samba;
+ in
+ lib.mkIf cfg.enable {
+ services.samba-wsdd.enable = true;
+ services.samba-wsdd.openFirewall = true;
+ services.samba = {
+ enable = true;
+ package = pkgs.sambaFull;
+ securityType = "user";
+ openFirewall = true;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = smbwaffentrager
+ netbios name = smbwaffentrager
+ security = user
+ hosts allow = ${materusArg.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost
+ hosts deny = 0.0.0.0/0
+ guest account = nobody
+ map to guest = bad user
+ '';
+ shares = {
+ materus = {
+ path = "${config.waffentragerService.elements.path}/storage/materus";
+ browseable = "yes";
+ "read only" = "no";
+ "guest ok" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "materus";
+ "force group" = "users";
+ };
+ };
+ };
+ };
+}
diff --git a/configurations/host/waffentrager/services/syncthing.nix b/configurations/host/waffentrager/services/syncthing.nix
new file mode 100644
index 0000000..09d7722
--- /dev/null
+++ b/configurations/host/waffentrager/services/syncthing.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, materusArg, config, ... }:
+{
+ options.waffentragerService.syncthing.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable syncthing";
+
+ config =
+ let
+ cfg = config.waffentragerService.syncthing;
+ in
+ lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+ services = {
+ syncthing = {
+ enable = true;
+ user = "materus";
+ dataDir = "${config.waffentragerService.elements.path}/storage/materus";
+ configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
+ };
+ };
+ };
+}
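Review bot: `services.samba.openFirewall = true;` and `services.samba-wsdd.openFirewall = true;` open the SMB and WS-Discovery ports (139/445 TCP and wsdd's 5357 TCP, 3702 UDP) on every interface, while the `hosts allow`/`hosts deny` pair in extraConfig only gates SMB sessions — wsdd is not covered by it, and an smb.conf allow list is a weaker boundary than the packet filter. Prefer opening these ports only on the WireGuard and LAN interfaces via `networking.firewall.interfaces.<name>.allowedTCPPorts` / `allowedUDPPorts` and keep the `hosts allow` line as the second layer. `map to guest = bad user` with `guest account = nobody` turns an unknown username into a guest session instead of a rejection; the single share has `"guest ok" = "no"`, so nothing is exposed today, but the default `map to guest = never` fails closed if a share is later added without that line. `security = user` in extraConfig appears to duplicate what `securityType = "user"` already emits; drop one copy.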
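Review bot: `configDir` is placed inside `dataDir`, at `${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/`, and that same `.../storage/materus` tree is what the new `services/samba.nix` in this patch exports as the `materus` share. Syncthing's config directory holds the device private key (`key.pem`) and `config.xml` with the GUI API key, so anyone who can open that share — or any Syncthing folder rooted at the storage directory — can likely read or replace the device identity. Keep the config outside the shared tree: either the module default under the service's state directory, or a sibling path such as `"${config.waffentragerService.elements.path}/syncthing-config"` that is neither shared nor synced, with a comment saying why it must stay separate. The relay entries in `allowedTCPPorts` are covered on the `network.nix` hunk and the same fix applies here.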
diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index 3805ae6139cbc225ae946467dc9ec0b920551cef..89ecdb23a52b662b9c556c2fff4ec4eddd216498 100644 GIT binary patch literal 967 zcmV;&133HuM@dveQdv+`05fhnS?MB!n2S4{mFCkTOi%-MGqL*N5gIL1fS|c!sSaIT@n^6X z<#|f|cSL19LDCAzjnrL2uyWG6zH!4}_qhtRUP5EKp#y9a1p3a8*7c3@<73CJujA)% zKiuVMB56RfpxD!8yrdowL4KN&<^w8rFXWTA)B#nULhN+$EYbThsim{i58TwuW!_KxWthDgi}=%?$&{|xh!)jx|-B!HS=*#u~yUo@{{KvJa51;TSN0vAFhc0Ii1uM(zN) z-=0DoyXiqlxmlNW#yG68GC#Agemk0*!y%tdiODG!2$N0fX(U5KAvJ7B`|mr5ejeg` z&G1M`VV@jdqqHv~i++VHLz#f%!W5Mw9=upAk{R;?K5eSGf0Ae_R`U_bj+zl%eFS)r ziO^10cNxVd<*DuGVxcyvhBb~GtUt{3P%T{dsx(PIs0Uk=^XjOqHm?(NYYQgpzuV~z zcoOxHky3pzG^rR-XgD4hcyk4B1zgBtXxbF4k^7cW8v1`NOsBo zmn@!z^O4Q`jp;Qr*dK4GyMuWV@(ix7*j@p~_>8YqnN3=XuYdBln=r8E^to`Or=2F9f)TYWpCp_e>`K z?-3M#dcBjjj#}oRn_bwqV3zoWz>?1_@54Qu8|V7IGPoafT2b+LsLiZIRMrY8K}Wwn*6a#CDHONcWX$BYx;DH pNdqpK{3r^ifk~~yPXAXon;LKEs-_Bn>@E07jX{JfJGQqMf!OkIa`I0kd&c9L# zw|(FSoxEl%$Nj6uKuAHe78z2K$ zjfLH3_}N}apL6&K;}FGYEy*65AO{Z)Q5YSu+>10&g(Et;EV4g5!Nx+C=A%y7ZzTRJ z`Meq#tz`90Baqwo-L&&1{qz*)C%mjcS|&5J@p*cPimWu(thfe}^tlVF9YGvp`?6g) zt#jDKGmi&0EVI8C1-&@(M`mB<;#owkm=_6+rVZVsjcCe9!|xm6y3P+DmhzJ6E;U0lm`$E5nAz^?#9ci@Qj_k7 zC9<`3esyUMII=1%J7c!?;pFrxsXgA064!ub+NF0f5#;~4y<8>{kzQKPOfB*bI7H0z z1LLU)g_jKsK7kt>926RND?U;{z4uEC0y=r8*41MC7o=h=fw;M6+9DqNSRwuaO_8>A zS|{UxgvlgFjTsf#>XwLjOp=u==x<8viOdcsVyt}8(Uc9#QNRo z>%MA>uFAf5wrr5X$f7y-r1D~ik!RYuh59huC2tY8LP`h7BqoLa10>A$iACtugY zT65=g9{W~@Q#ZPR?LOOn>`+K4g2>Ez^vKbi=wZKssA$`}gd-i*)=l>`1EGCHo5@YU zV+Tv1Pu|xu{?GZ&eo*VW??#leH*P#z^T+tXBflD>gJLqk0Ru9~5_298kA?zP&Ug-@Z@g6wIi`J36ghF0W>ygaP2h>_ zw=o@|KV=@Zo3q%8d*Q{Yg5;lfY56jZ4ix*%A&ibyN}_WfXkHE?GDAr13xy$ji>H)l Q27CN%{KM0g6lw~aHNR!eIRF3v