materus
/
nixos-config
mirror of https://github.com/materusPL/nixos-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

waffentrager: samba and syncthing

This commit is contained in:
Mateusz Słodkowicz 2024-07-12 15:53:54 +02:00
parent c8cbb1f2f9
commit 6a1700f0b7
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
8 changed files with 83 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
configurations/host/materusPC/network.nix
View File

@ -10,8 +10,14 @@
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
#networking.networkmanager.wifi.backend = "iwd"; #networking.networkmanager.wifi.backend = "iwd";
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 24800 5900 5357 4656 8080 9943 9944 ]; networking.firewall.allowedTCPPorts = [
networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port) 24800 5900 3702 4656 6000 9943 9944 ]; 24800 5900 5357 4656 8080 9943 9944
22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port # Syncthing
];
networking.firewall.allowedUDPPorts = [ (lib.strings.toInt materusArg.wireguard.port)
24800 5900 3702 4656 6000 9943 9944
22000 21027 # Syncthing
];
networking.networkmanager.settings = { networking.networkmanager.settings = {
connectivity = { connectivity = {
uri = "http://nmcheck.gnome.org/check_network_status.txt"; uri = "http://nmcheck.gnome.org/check_network_status.txt";
@ -48,4 +54,11 @@
proxy = { }; proxy = { };
}; };
}; };
services = {
syncthing = {
enable = true;
user = "materus";
dataDir = "/home/materus";
};
};
} }

6
configurations/host/waffentrager/configuration.nix
View File

@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`). # and in the NixOS manual (accessible by running `nixos-help`).
{ config, pkgs, ... }: { config, pkgs, materusArg, ... }:
{ {
imports = imports =
@ -38,9 +38,7 @@
users.users.materus = { users.users.materus = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl"
];
hashedPasswordFile = config.sops.secrets."users/materus".path; hashedPasswordFile = config.sops.secrets."users/materus".path;
shell = pkgs.zsh; shell = pkgs.zsh;
}; };

4
configurations/host/waffentrager/services/auth/default.nix
View File

@ -1,11 +1,7 @@
{ config, materusArg, lib, pkgs, ... }: { config, materusArg, lib, pkgs, ... }:
let
cfg = config.waffentragerService.auth;
in
{ {
imports = imports =
[ [
./samba.nix
]; ];
config = config =
{ {

137
configurations/host/waffentrager/services/auth/samba.nix
View File

@ -1,137 +0,0 @@
{ materusArg, config, lib, pkgs, ... }:
{
options.waffentragerService.auth.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba AD";
config =
let
cfg = config.waffentragerService.auth.samba;
sambaCfg = config.services.samba;
servicePath = materusArg.waffentrager.samba.servicePath;
smbToString = x:
if builtins.typeOf x == "bool"
then lib.boolToString x
else builtins.toString x;
shareConfig = name:
let share = lib.getAttr name cfg.shares; in
"[${name}]\n " + (smbToString (
map
(key: "${key} = ${smbToString (lib.getAttr key share)}\n")
(lib.attrNames share)
));
in
lib.mkIf cfg.enable {
systemd.services.samba-smbd.enable = false;
systemd.services.samba = {
description = "Samba Service Daemon";
requires = [ "rsync-acme.service" ];
after = [ "rsync-acme.service" ];
requiredBy = [ "samba.target" ];
partOf = [ "samba.target" ];
serviceConfig = {
ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitNOFILE = 16384;
PIDFile = "/run/samba.pid";
Type = "notify";
NotifyAccess = "all";
};
unitConfig.RequiresMountsFor = servicePath;
};
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
systemd.tmpfiles.rules = [
"d ${servicePath}/tls/ 0600 root 3000000 -"
"d ${servicePath}/private/ 0600 root 3000000 -"
"d ${servicePath}/lock/ 0600 root 3000000 -"
"d ${servicePath}/cache/ 0600 root 3000000 -"
];
services.samba = {
enable = true;
enableNmbd = false;
enableWinbindd = false;
package = pkgs.samba4Full;
configText = ''
# Global parameters
[global]
dns forwarder = ${materusArg.waffentrager.samba.dnsIp}
netbios name = ${materusArg.waffentrager.samba.netbiosName}
realm = ${lib.toUpper materusArg.waffentrager.samba.domain}
server role = active directory domain controller
workgroup = ${materusArg.waffentrager.samba.workgroup}
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = yes
private dir = ${servicePath}/private
lock dir = ${servicePath}/lock
state directory = ${servicePath}/lock
cache directory = ${servicePath}/cache
tls enabled = yes
tls keyfile = ${servicePath}/tls/key.pem
tls certfile = ${servicePath}/tls/fullchain.pem
tls cafile = ${servicePath}/tls/chain.pem
[sysvol]
path = ${servicePath}/sysvol
read only = No
[netlogon]
path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts
read only = No
${sambaCfg.extraConfig}
${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))}
'';
};
environment.etc = {
resolvconf = {
text = ''
search ${materusArg.waffentrager.samba.domain}
nameserver ${materusArg.waffentrager.samba.dnsIp}
nameserver 9.9.9.9
'';
};
};
networking.hosts = {
"${materusArg.ips.wireguard.waffentrager}" = [
materusArg.waffentrager.samba.domain
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
materusArg.waffentrager.samba.netbiosName
];
};
systemd.timers.rsync-acme = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "1h";
Unit = "rsync-acme.service";
};
};
systemd.services.rsync-acme = {
description = "Sync acme for samba";
path = [ pkgs.rsync ];
requires = [ "var-lib-mnt_acme.mount" ];
after = [ "var-lib-mnt_acme.mount" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = false;
script = ''
rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
'';
};
waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
systemd.services.resolvconf.enable = false;
};
}

5
configurations/host/waffentrager/services/default.nix
View File

@ -8,6 +8,8 @@
./gitea.nix ./gitea.nix
./nginx.nix ./nginx.nix
./nextcloud.nix ./nextcloud.nix
./samba.nix
./syncthing.nix
./auth ./auth
]; ];
waffentragerService.elements.enable = true; waffentragerService.elements.enable = true;
@ -16,5 +18,6 @@
waffentragerService.gitea.enable = true; waffentragerService.gitea.enable = true;
waffentragerService.nginx.enable = true; waffentragerService.nginx.enable = true;
waffentragerService.nextcloud.enable = true; waffentragerService.nextcloud.enable = true;
waffentragerService.samba.enable = true;
waffentragerService.syncthing.enable = true;
} }

41
configurations/host/waffentrager/services/samba.nix Normal file
View File

@ -0,0 +1,41 @@
{ lib, pkgs, materusArg, config, ... }:
{
options.waffentragerService.samba.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable samba";
config =
let
cfg = config.waffentragerService.samba;
in
lib.mkIf cfg.enable {
services.samba-wsdd.enable = true;
services.samba-wsdd.openFirewall = true;
services.samba = {
enable = true;
package = pkgs.sambaFull;
securityType = "user";
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = smbwaffentrager
netbios name = smbwaffentrager
security = user
hosts allow = ${materusArg.wireguard.sambaIp} 192.168.100. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
materus = {
path = "${config.waffentragerService.elements.path}/storage/materus";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "materus";
"force group" = "users";
};
};
};
};
}

21
configurations/host/waffentrager/services/syncthing.nix Normal file
View File

@ -0,0 +1,21 @@
{ lib, pkgs, materusArg, config, ... }:
{
options.waffentragerService.syncthing.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable syncthing";
config =
let
cfg = config.waffentragerService.syncthing;
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
services = {
syncthing = {
enable = true;
user = "materus";
dataDir = "${config.waffentragerService.elements.path}/storage/materus";
configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
};
};
};
}

BIN
configurations/profile/common/private/default.nix
View File

Binary file not shown.