mirror of
https://github.com/materusPL/nixos-config
synced 2026-07-02 12:46:42 +00:00
waffentrager: samba changes
This commit is contained in:
@@ -0,0 +1,63 @@
|
||||
{ config, materusArg, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.waffentragerService.auth;
|
||||
in
|
||||
{
|
||||
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
|
||||
imports =
|
||||
[
|
||||
./samba.nix
|
||||
];
|
||||
config = lib.mkIf cfg.enable
|
||||
{
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.nginx.enable = true;
|
||||
|
||||
|
||||
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
|
||||
|
||||
systemd.services.resolvconf.enable = false;
|
||||
networking.hosts = {
|
||||
"${materusArg.ips.wireguard.waffentrager}" = [
|
||||
materusArg.waffentrager.samba.domain
|
||||
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
|
||||
materusArg.waffentrager.samba.netbiosName
|
||||
];
|
||||
};
|
||||
environment.etc = {
|
||||
resolvconf = {
|
||||
text = ''
|
||||
search ${materusArg.waffentrager.samba.domain}
|
||||
nameserver ${materusArg.waffentrager.samba.dnsIp}
|
||||
nameserver 9.9.9.9
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.rsync-acme = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnBootSec = "1min";
|
||||
OnUnitActiveSec = "1h";
|
||||
Unit = "rsync-acme.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.rsync-acme = {
|
||||
description = "Sync acme for samba";
|
||||
path = [ pkgs.rsync ];
|
||||
requires = [ "var-lib-mnt_acme.mount" ];
|
||||
after = [ "var-lib-mnt_acme.mount" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.RemainAfterExit = false;
|
||||
script = ''
|
||||
rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
|
||||
};
|
||||
}
|
||||
+13
-20
@@ -1,12 +1,12 @@
|
||||
{ materusArg, config, lib, pkgs, ... }:
|
||||
{
|
||||
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
|
||||
|
||||
|
||||
config =
|
||||
let
|
||||
cfg = config.waffentragerService.auth;
|
||||
sambaCfg = config.services.samba;
|
||||
servicePath = "/var/lib/elements/services/samba";
|
||||
servicePath = materusArg.waffentrager.samba.servicePath;
|
||||
smbToString = x:
|
||||
if builtins.typeOf x == "bool"
|
||||
then lib.boolToString x
|
||||
@@ -20,25 +20,12 @@
|
||||
));
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.nginx.enable = true;
|
||||
|
||||
|
||||
|
||||
systemd.services.resolvconf.enable = false;
|
||||
environment.etc = {
|
||||
resolvconf = {
|
||||
text = ''
|
||||
search ${materusArg.waffentrager.samba.domain}
|
||||
nameserver ${materusArg.waffentrager.samba.dnsIp}
|
||||
nameserver 9.9.9.9
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.samba-smbd.enable = false;
|
||||
systemd.services.samba = {
|
||||
description = "Samba Service Daemon";
|
||||
|
||||
requires = [ "rsync-acme.service" ];
|
||||
after = [ "rsync-acme.service" ];
|
||||
requiredBy = [ "samba.target" ];
|
||||
partOf = [ "samba.target" ];
|
||||
|
||||
@@ -55,7 +42,9 @@
|
||||
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
|
||||
networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
|
||||
networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${servicePath}/tls/ 0600 root 3000000 -"
|
||||
];
|
||||
services.samba = {
|
||||
enable = true;
|
||||
enableNmbd = false;
|
||||
@@ -70,7 +59,11 @@
|
||||
server role = active directory domain controller
|
||||
workgroup = ${materusArg.waffentrager.samba.workgroup}
|
||||
idmap_ldb:use rfc2307 = yes
|
||||
ldap server require strong auth = no
|
||||
ldap server require strong auth = yes
|
||||
tls enabled = yes
|
||||
tls keyfile = ${servicePath}/tls/key.pem
|
||||
tls certfile = ${servicePath}/tls/fullchain.pem
|
||||
tls cafile = ${servicePath}/tls/chain.pem
|
||||
|
||||
[sysvol]
|
||||
path = ${servicePath}/sysvol
|
||||
@@ -8,7 +8,7 @@
|
||||
./gitea.nix
|
||||
./nginx.nix
|
||||
./nextcloud.nix
|
||||
./auth.nix
|
||||
./auth
|
||||
];
|
||||
waffentragerService.elements.enable = true;
|
||||
waffentragerService.postgresql.enable = true;
|
||||
|
||||
Reference in New Issue
Block a user