waffentrager: samba changes
parent
d4125a7370
commit
afac05dad3
|
@ -144,7 +144,8 @@
|
||||||
|
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.defaults.email = "materus+acme@podkos.pl";
|
security.acme.defaults.email = "materus+acme@podkos.pl";
|
||||||
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path ;
|
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
|
||||||
|
security.acme.defaults.dnsResolver = "9.9.9.9:53";
|
||||||
security.acme.certs."materus.pl" = {
|
security.acme.certs."materus.pl" = {
|
||||||
domain = "materus.pl";
|
domain = "materus.pl";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
@ -166,5 +167,14 @@
|
||||||
dnsProvider = "ovh";
|
dnsProvider = "ovh";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
security.acme.certs."${materusArg.waffentrager.samba.domain}" = {
|
||||||
|
domain = materusArg.waffentrager.samba.domain;
|
||||||
|
extraDomainNames = [
|
||||||
|
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
|
||||||
|
];
|
||||||
|
dnsProvider = "ovh";
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
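Review bot: The added `security.acme.defaults.dnsResolver = "9.9.9.9:53";` carries no explanation, and its reason is only visible in the new auth module of this commit, where /etc/resolv.conf is pointed at the Samba AD DNS first; a comment such as `# DNS-01 propagation check must bypass the local Samba AD DNS, which is not authoritative for the public zone` would keep the two files from drifting apart. The new cert block for the Samba domain also differs from the `materus.pl` block above it in having no `group`, so the issued files presumably stay readable only by the acme user and group, and whatever copies them (the rsync unit in the new module appears to run as root) should say so in a comment. Issuing a public certificate whose names are the AD domain and `<netbiosName>.<domain>` also publishes those internal hostnames to Certificate Transparency logs; if that is intended, a one-line note next to `extraDomainNames` records the decision.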
@ -23,6 +23,7 @@
|
||||||
];
|
];
|
||||||
sops.secrets.wireguard = { };
|
sops.secrets.wireguard = { };
|
||||||
sops.secrets."users/materus" = { neededForUsers = true; };
|
sops.secrets."users/materus" = { neededForUsers = true; };
|
||||||
|
sops.secrets.certs = { };
|
||||||
sops.secrets.elements = { };
|
sops.secrets.elements = { };
|
||||||
sops.secrets.nextcloud-adminpass = { };
|
sops.secrets.nextcloud-adminpass = { };
|
||||||
}
|
}
|
||||||
|
|
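Review bot: `sops.secrets.certs = { };` relies entirely on sops-nix defaults (root-owned, mode 0400 as far as I recall), which is adequate here because the only consumer on this page is `security.acme.defaults.credentialsFile`, loaded by the acme units through systemd rather than opened by the unprivileged acme user; a comment such as `# OVH DNS API credentials for ACME DNS-01; loaded by the acme unit as root, keep root:0400` would stop someone later relaxing the mode to "fix" a permission error. The key name `certs` is also generic for what is presumably a DNS-provider credential; a name like `acme-ovh-env` would read better, though the key in the encrypted sops file would have to change with it.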
Binary file not shown.
|
@ -3,6 +3,7 @@ nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdP
|
||||||
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
|
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
|
||||||
users:
|
users:
|
||||||
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
|
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
|
||||||
|
certs: ENC[AES256_GCM,data:3Wzl23y3CDXRe6SlWKXcKBrYz/l3Y0fuif4HTs2UzjnqQ1z36IataIV11vnXbrERtGPtr6NOS66ebTLrVpsCyGTt0Lmucxmirleetqw2JI9/2Z0Y4M32FmQDHFjMltcOqNNT0q3QlSwU7rAeFzkgdayhbSIhxA5Hr/pn236KiSGHlauOniATIs9sBKjWhaa/facH5I4N1Vx5SMlurlefzaLFOQ==,iv:VFgbpyLsbalOnOA/7IgB8pUZ/U7JAswiCNeWEpjscMo=,tag:BIDj655QorEwPez7trCzkw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -18,8 +19,8 @@ sops:
|
||||||
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
|
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
|
||||||
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
|
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-03-28T18:40:01Z"
|
lastmodified: "2024-04-12T06:59:28Z"
|
||||||
mac: ENC[AES256_GCM,data:gHZRjD8y8u90S9yKgeI8zD0mIOd75tecNoXwVgykJ1XlkQyNJQRQJ9D1mWcwl88lQBtud/7AVp5Lv3mibiw6GfqFdIIm8elNHKAVo32l2qFAaBUJ3NHwoYbtmC83YPhuSS3cvCEkmsuBW4Os8UARgbOtR0EvG+GzA4Z+DB4PPLQ=,iv:vMfSCZHDvV2z7ccbV4RqU1HF1oqDU2G/9xKqG7tbdGs=,tag:LTu9jZPYcUNJaPn8wkd4lg==,type:str]
|
mac: ENC[AES256_GCM,data:JA2hcgsXvmhmF4pUv7pk7zaDwqza7e3zVbHNnWGcoRb/rrgJgsDlJL76RWuSGciAolmmJ6flou6IrGGoV9tq9A/tceepPyw3+CJ8+8zfFBltrDKnclzz4mhuw14rec1wFYziuqf719XTut0IY0hCTPd27W74irMJVP9hQ3YZtC0=,iv:NIn8abwLqhkY1eMkEGxCVdcXc+Ick1up4vuQZ/IfdA0=,tag:MWnmAPVclrUg6IXtRoD7vg==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-03-21T18:15:00Z"
|
- created_at: "2024-03-21T18:15:00Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
{ config, materusArg, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.waffentragerService.auth;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
|
||||||
|
imports =
|
||||||
|
[
|
||||||
|
./samba.nix
|
||||||
|
];
|
||||||
|
config = lib.mkIf cfg.enable
|
||||||
|
{
|
||||||
|
waffentragerService.elements.enable = true;
|
||||||
|
waffentragerService.nginx.enable = true;
|
||||||
|
|
||||||
|
|
||||||
|
security.acme.defaults.credentialsFile = config.sops.secrets.certs.path;
|
||||||
|
|
||||||
|
systemd.services.resolvconf.enable = false;
|
||||||
|
networking.hosts = {
|
||||||
|
"${materusArg.ips.wireguard.waffentrager}" = [
|
||||||
|
materusArg.waffentrager.samba.domain
|
||||||
|
"${materusArg.waffentrager.samba.netbiosName}.${materusArg.waffentrager.samba.domain}"
|
||||||
|
materusArg.waffentrager.samba.netbiosName
|
||||||
|
];
|
||||||
|
};
|
||||||
|
environment.etc = {
|
||||||
|
resolvconf = {
|
||||||
|
text = ''
|
||||||
|
search ${materusArg.waffentrager.samba.domain}
|
||||||
|
nameserver ${materusArg.waffentrager.samba.dnsIp}
|
||||||
|
nameserver 9.9.9.9
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers.rsync-acme = {
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnBootSec = "1min";
|
||||||
|
OnUnitActiveSec = "1h";
|
||||||
|
Unit = "rsync-acme.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.rsync-acme = {
|
||||||
|
description = "Sync acme for samba";
|
||||||
|
path = [ pkgs.rsync ];
|
||||||
|
requires = [ "var-lib-mnt_acme.mount" ];
|
||||||
|
after = [ "var-lib-mnt_acme.mount" ];
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
serviceConfig.RemainAfterExit = false;
|
||||||
|
script = ''
|
||||||
|
rsync -avzr --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||||
|
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||||
|
rsync -avzr --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
|
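Review bot: `rsync-acme.timer` copies renewed certificate files into `${servicePath}/tls/` every hour, but nothing on this page notifies Samba, so unless Samba re-reads `tls keyfile`/`tls certfile` at runtime (I believe it reads them at start-up only) the expired certificate keeps being served until the next samba restart; the script below makes the copy conditional and restarts the DC only when a file actually changed (`-v` and `-z` are dropped because the output must be empty on a no-op and compression is pointless locally), and `config.systemd.package` is added to `path` so `systemctl` is available. Alternatively hook `security.acme.certs.<domain>.postRun` instead of polling. `security.acme.defaults.credentialsFile` is set both here and in the other acme file of this commit with the same value; identical definitions merge without error, but one file should own it. The `requires`/`after` on `var-lib-mnt_acme.mount` reference a mount unit defined outside this commit, and `--chown=root:root --chmod=0600` on key.pem is correct for a key read by an AD DC that presumably runs as root, which a comment should state so the 0640 on chain/fullchain reads as deliberate.
```nix
  systemd.services.rsync-acme = {
    description = "Sync acme for samba";
    path = [ pkgs.rsync config.systemd.package ];
    # … unchanged: requires/after/serviceConfig …
    script = ''
      changed=$(
        rsync -a --itemize-changes --chmod=0600 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/key.pem ${materusArg.waffentrager.samba.servicePath}/tls/
        rsync -a --itemize-changes --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/chain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
        rsync -a --itemize-changes --chmod=0640 --chown=root:root /var/lib/mnt_acme/${materusArg.waffentrager.samba.domain}/fullchain.pem ${materusArg.waffentrager.samba.servicePath}/tls/
      )
      # Samba loads its tls files at start-up; only disturb the DC when a file changed.
      # try-restart is a no-op at boot, when samba.service has not started yet.
      if [ -n "$changed" ]; then systemctl try-restart samba.service; fi
    '';
  };
```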
@ -1,12 +1,12 @@
|
||||||
{ materusArg, config, lib, pkgs, ... }:
|
{ materusArg, config, lib, pkgs, ... }:
|
||||||
{
|
{
|
||||||
options.waffentragerService.auth.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable auth";
|
|
||||||
|
|
||||||
config =
|
config =
|
||||||
let
|
let
|
||||||
cfg = config.waffentragerService.auth;
|
cfg = config.waffentragerService.auth;
|
||||||
sambaCfg = config.services.samba;
|
sambaCfg = config.services.samba;
|
||||||
servicePath = "/var/lib/elements/services/samba";
|
servicePath = materusArg.waffentrager.samba.servicePath;
|
||||||
smbToString = x:
|
smbToString = x:
|
||||||
if builtins.typeOf x == "bool"
|
if builtins.typeOf x == "bool"
|
||||||
then lib.boolToString x
|
then lib.boolToString x
|
||||||
|
@ -20,25 +20,12 @@
|
||||||
));
|
));
|
||||||
in
|
in
|
||||||
lib.mkIf cfg.enable {
|
lib.mkIf cfg.enable {
|
||||||
waffentragerService.elements.enable = true;
|
|
||||||
waffentragerService.nginx.enable = true;
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
systemd.services.resolvconf.enable = false;
|
|
||||||
environment.etc = {
|
|
||||||
resolvconf = {
|
|
||||||
text = ''
|
|
||||||
search ${materusArg.waffentrager.samba.domain}
|
|
||||||
nameserver ${materusArg.waffentrager.samba.dnsIp}
|
|
||||||
nameserver 9.9.9.9
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services.samba-smbd.enable = false;
|
systemd.services.samba-smbd.enable = false;
|
||||||
systemd.services.samba = {
|
systemd.services.samba = {
|
||||||
description = "Samba Service Daemon";
|
description = "Samba Service Daemon";
|
||||||
|
requires = [ "rsync-acme.service" ];
|
||||||
|
after = [ "rsync-acme.service" ];
|
||||||
requiredBy = [ "samba.target" ];
|
requiredBy = [ "samba.target" ];
|
||||||
partOf = [ "samba.target" ];
|
partOf = [ "samba.target" ];
|
||||||
|
|
||||||
|
@ -55,7 +42,9 @@
|
||||||
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
|
# https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
|
||||||
networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
|
networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
|
||||||
networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
|
networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${servicePath}/tls/ 0600 root 3000000 -"
|
||||||
|
];
|
||||||
services.samba = {
|
services.samba = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableNmbd = false;
|
enableNmbd = false;
|
||||||
|
@ -70,7 +59,11 @@
|
||||||
server role = active directory domain controller
|
server role = active directory domain controller
|
||||||
workgroup = ${materusArg.waffentrager.samba.workgroup}
|
workgroup = ${materusArg.waffentrager.samba.workgroup}
|
||||||
idmap_ldb:use rfc2307 = yes
|
idmap_ldb:use rfc2307 = yes
|
||||||
ldap server require strong auth = no
|
ldap server require strong auth = yes
|
||||||
|
tls enabled = yes
|
||||||
|
tls keyfile = ${servicePath}/tls/key.pem
|
||||||
|
tls certfile = ${servicePath}/tls/fullchain.pem
|
||||||
|
tls cafile = ${servicePath}/tls/chain.pem
|
||||||
|
|
||||||
[sysvol]
|
[sysvol]
|
||||||
path = ${servicePath}/sysvol
|
path = ${servicePath}/sysvol
|
|
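Review bot: `requires = [ "rsync-acme.service" ];` makes the domain controller hard-depend on a certificate copy step, so a failure there (no certificate issued yet on a fresh host, or `var-lib-mnt_acme.mount` not mounted) keeps `samba.service` down entirely rather than merely without TLS; `wants = [ "rsync-acme.service" ];` with the existing `after` keeps the DC reachable and lets the TLS problem surface as a log line instead of an outage. The `ldap server require strong auth = no` → `yes` flip is the right default, but every LDAP consumer in this configuration (the imports list gitea and nextcloud, which commonly bind to LDAP) must now use LDAPS on 636 or STARTTLS against the published chain, so their bind URLs are worth verifying before deploy. The tmpfiles rule `"d ${servicePath}/tls/ 0600 root 3000000 -"` gives a directory a mode without the execute bit, where `0700` is the conventional private-directory mode, and the numeric group `3000000` deserves a comment naming which group it is (it looks like a Samba idmap-range id, but I cannot tell from here). The `[global]` block edited by the last hunk starts outside the hunk.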
@ -8,7 +8,7 @@
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
./auth.nix
|
./auth
|
||||||
];
|
];
|
||||||
waffentragerService.elements.enable = true;
|
waffentragerService.elements.enable = true;
|
||||||
waffentragerService.postgresql.enable = true;
|
waffentragerService.postgresql.enable = true;
|
||||||
|
|
Binary file not shown.