waffentrager: samba changes

This commit is contained in:
Mateusz Słodkowicz 2024-04-12 09:56:47 +02:00
parent d4125a7370
commit afac05dad3
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
8 changed files with 92 additions and 24 deletions

View File

@ -144,7 +144,8 @@
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "materus+acme@podkos.pl"; security.acme.defaults.email = "materus+acme@podkos.pl";
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path ; security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
security.acme.defaults.dnsResolver = "9.9.9.9:53";
security.acme.certs."materus.pl" = { security.acme.certs."materus.pl" = {
domain = "materus.pl"; domain = "materus.pl";
group = "nginx"; group = "nginx";
@ -166,5 +167,14 @@
dnsProvider = "ovh"; dnsProvider = "ovh";
}; };
security.acme.certs."${materusArg.waffentrager.samba.domain}" = {
domain = materusArg.waffentrager.samba.domain;
extraDomainNames = [
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
];
dnsProvider = "ovh";
};
} }

View File

@ -23,6 +23,7 @@
]; ];
sops.secrets.wireguard = { }; sops.secrets.wireguard = { };
sops.secrets."users/materus" = { neededForUsers = true; }; sops.secrets."users/materus" = { neededForUsers = true; };
sops.secrets.certs = { };
sops.secrets.elements = { }; sops.secrets.elements = { };
sops.secrets.nextcloud-adminpass = { }; sops.secrets.nextcloud-adminpass = { };
} }

View File

@ -3,6 +3,7 @@ nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdP
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str] elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
users: users:
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str] materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
certs: ENC[AES256_GCM,data:3Wzl23y3CDXRe6SlWKXcKBrYz/l3Y0fuif4HTs2UzjnqQ1z36IataIV11vnXbrERtGPtr6NOS66ebTLrVpsCyGTt0Lmucxmirleetqw2JI9/2Z0Y4M32FmQDHFjMltcOqNNT0q3QlSwU7rAeFzkgdayhbSIhxA5Hr/pn236KiSGHlauOniATIs9sBKjWhaa/facH5I4N1Vx5SMlurlefzaLFOQ==,iv:VFgbpyLsbalOnOA/7IgB8pUZ/U7JAswiCNeWEpjscMo=,tag:BIDj655QorEwPez7trCzkw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -18,8 +19,8 @@ sops:
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA== ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-28T18:40:01Z" lastmodified: "2024-04-12T06:59:28Z"
mac: ENC[AES256_GCM,data:gHZRjD8y8u90S9yKgeI8zD0mIOd75tecNoXwVgykJ1XlkQyNJQRQJ9D1mWcwl88lQBtud/7AVp5Lv3mibiw6GfqFdIIm8elNHKAVo32l2qFAaBUJ3NHwoYbtmC83YPhuSS3cvCEkmsuBW4Os8UARgbOtR0EvG+GzA4Z+DB4PPLQ=,iv:vMfSCZHDvV2z7ccbV4RqU1HF1oqDU2G/9xKqG7tbdGs=,tag:LTu9jZPYcUNJaPn8wkd4lg==,type:str] mac: ENC[AES256_GCM,data:JA2hcgsXvmhmF4pUv7pk7zaDwqza7e3zVbHNnWGcoRb/rrgJgsDlJL76RWuSGciAolmmJ6flou6IrGGoV9tq9A/tceepPyw3+CJ8+8zfFBltrDKnclzz4mhuw14rec1wFYziuqf719XTut0IY0hCTPd27W74irMJVP9hQ3YZtC0=,iv:NIn8abwLqhkY1eMkEGxCVdcXc+Ick1up4vuQZ/IfdA0=,tag:MWnmAPVclrUg6IXtRoD7vg==,type:str]
pgp: pgp:
- created_at: "2024-03-21T18:15:00Z" - created_at: "2024-03-21T18:15:00Z"
enc: |- enc: |-

View File

@ -0,0 +1,63 @@
{ config, materusArg, lib, pkgs, ... }:
let
cfg = config.waffentragerService.auth;
in
{
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
imports =
[
./samba.nix
];
config = lib.mkIf cfg.enable
{
waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
systemd.services.resolvconf.enable = false;
networking.hosts = {
"${materusArg.ips.wireguard.waffentrager}" = [
materusArg.waffentrager.samba.domain
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
materusArg.waffentrager.samba.netbiosName
];
};
environment.etc = {
resolvconf = {
text = ''
search ${materusArg.waffentrager.samba.domain}
nameserver ${materusArg.waffentrager.samba.dnsIp}
nameserver 9.9.9.9
'';
};
};
systemd.timers.rsync-acme = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "1h";
Unit = "rsync-acme.service";
};
};
systemd.services.rsync-acme = {
description = "Sync acme for samba";
path = [ pkgs.rsync ];
requires = [ "var-lib-mnt_acme.mount" ];
after = [ "var-lib-mnt_acme.mount" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = false;
script = ''
rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
'';
};
};
}

View File

@ -1,12 +1,12 @@
{ materusArg, config, lib, pkgs, ... }: { materusArg, config, lib, pkgs, ... }:
{ {
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
config = config =
let let
cfg = config.waffentragerService.auth; cfg = config.waffentragerService.auth;
sambaCfg = config.services.samba; sambaCfg = config.services.samba;
servicePath = "/var/lib/elements/services/samba"; servicePath = materusArg.waffentrager.samba.servicePath;
smbToString = x: smbToString = x:
if builtins.typeOf x == "bool" if builtins.typeOf x == "bool"
then lib.boolToString x then lib.boolToString x
@ -20,25 +20,12 @@
)); ));
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
waffentragerService.elements.enable = true;
waffentragerService.nginx.enable = true;
systemd.services.resolvconf.enable = false;
environment.etc = {
resolvconf = {
text = ''
search ${materusArg.waffentrager.samba.domain}
nameserver ${materusArg.waffentrager.samba.dnsIp}
nameserver 9.9.9.9
'';
};
};
systemd.services.samba-smbd.enable = false; systemd.services.samba-smbd.enable = false;
systemd.services.samba = { systemd.services.samba = {
description = "Samba Service Daemon"; description = "Samba Service Daemon";
requires = [ "rsync-acme.service" ];
after = [ "rsync-acme.service" ];
requiredBy = [ "samba.target" ]; requiredBy = [ "samba.target" ];
partOf = [ "samba.target" ]; partOf = [ "samba.target" ];
@ -55,7 +42,9 @@
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268]; networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464]; networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
systemd.tmpfiles.rules = [
"d ${servicePath}/tls/ 0600 root 3000000 -"
];
services.samba = { services.samba = {
enable = true; enable = true;
enableNmbd = false; enableNmbd = false;
@ -70,7 +59,11 @@
server role = active directory domain controller server role = active directory domain controller
workgroup = ${materusArg.waffentrager.samba.workgroup} workgroup = ${materusArg.waffentrager.samba.workgroup}
idmap_ldb:use rfc2307 = yes idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no ldap server require strong auth = yes
tls enabled = yes
tls keyfile = ${servicePath}/tls/key.pem
tls certfile = ${servicePath}/tls/fullchain.pem
tls cafile = ${servicePath}/tls/chain.pem
[sysvol] [sysvol]
path = ${servicePath}/sysvol path = ${servicePath}/sysvol

View File

@ -8,7 +8,7 @@
./gitea.nix ./gitea.nix
./nginx.nix ./nginx.nix
./nextcloud.nix ./nextcloud.nix
./auth.nix ./auth
]; ];
waffentragerService.elements.enable = true; waffentragerService.elements.enable = true;
waffentragerService.postgresql.enable = true; waffentragerService.postgresql.enable = true;