From d4125a737035087627ca80095882300fdc75bf69 Mon Sep 17 00:00:00 2001
From: materus
Date: Fri, 12 Apr 2024 01:38:50 +0200
Subject: [PATCH] waffentrager: prepare samba DC

---
 .../waffentrager/secrets/private/default.nix | Bin 669 -> 874 bytes
 .../host/waffentrager/services/auth.nix | 79 +++++++++++++++++-
 2 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/configurations/host/waffentrager/secrets/private/default.nix b/configurations/host/waffentrager/secrets/private/default.nix
index b369ccdefbaebe175917791a52f7b45bc3c41efc..94402b11a8e83c177a0c4a453af26d81dd2320e8 100644
GIT binary patch
literal 874
zcmV-w1C{&$M@dveQdv+`0PWR4`^Cb1U0IGfh&#CcQPAGRo86G-LDJudef^nvVYFQW z*+w3=Obu9bKCW$ z>j9gNrtrBx`dmSI)|x<~%oVNd-k+b~lAsRjK!1;a$+pn-SRy0 z5Ie_Z)jNR@sMy0ax6>0O#W6an{7XhRJ~goaC@w|^|oYsf5xJ)O>@Hf zrD&)|bY1bNc`3q<=QtEU&K+*VO z#ZsPwXE@okiqZ1|hCF4MZ4WXESa|ixgN#tGc@{#^YI~`_c1IWI!q3yOnAqPA<)-F_ z`S1=nna8MxtDJ4V6v_#{Lfxm|?ka(?$&a}`rfGg=S2NBrXGgrI@Vr_?9ss@U;*84p zYMLiK_n@ATb%bO{+8<`Xa_Ci-%R_?`uLXiVnQ;b;1I3x;niVm>(i`X$Q##%IHS?+^==%mJ>*HiGi0yxH5!GM0?GYucC2tW6p~%EmJj#r~m+ zQd&5^7OubnC~aoDiYQfP^S?L_v1+mJ;FGHm4Qpk5iE}ih_P8IBnS|Pv%RRHAj?2+Y z?I;G4WGJ~CDc2a~+=TYpZ+c5Lf2!BJ;LVj2l`sLt0Uk8Pd!1!ofC!MrE#QmVmWNHg A>;M1&

literal 669
zcmV;O0%H9DM@dveQdv+`09+OX(DyMB^APFg-rV+?yKKO~^^}!1JhC5yG8Asa_sI%0 zdxsVSjyk4k9o;2@UqogkjsUu1O^N&W^Dmjp>w-fTFLY~>l7!z<`%{{qbc8W+72)>b3&_I` zF2_srz+AIaWmKa$QwLOw_bG2SuQLm8OJ%%dcfq{q4RBct$L87=lr(N`xlZ^zLy!>X)L;{j<%e<(ut+zZ_GQ%uFBt3*L?ax&bu!(i{LdvNpR0ZX;N;sf-|3*WjrFz@`0rS zyi>9_WOs1&PhgDEDD(4D3q0O?;Vf8DN16N!i_!_V%_j2E#XZFc{2p^F-1*|MY38sP z=>4ws*nGI^T~l(d@L}ovOCLchtPYh3){ciVhsoJlexW_wM6V7h`$lfsRvr>E4mA%9 D_C`Sq

diff --git a/configurations/host/waffentrager/services/auth.nix b/configurations/host/waffentrager/services/auth.nix
index 134edb9..3774145 100644
--- a/configurations/host/waffentrager/services/auth.nix
+++ b/configurations/host/waffentrager/services/auth.nix
@@ -5,10 +5,87 @@ config = let
 cfg = config.waffentragerService.auth;
+ sambaCfg = config.services.samba;
+ servicePath = "/var/lib/elements/services/samba";
+ smbToString = x:
+ if builtins.typeOf x == "bool"
+ then lib.boolToString x
+ else builtins.toString x;
+ shareConfig = name:
+ let share = lib.getAttr name cfg.shares; in
+ "[${name}]\n " + (smbToString (
+ map
+ (key: "${key} = ${smbToString (lib.getAttr key share)}\n")
+ (lib.attrNames share)
+ ));
 in
 lib.mkIf cfg.enable {
 waffentragerService.elements.enable = true;
 waffentragerService.nginx.enable = true;
+
+
+ systemd.services.resolvconf.enable = false;
+ environment.etc = {
+ resolvconf = {
+ text = ''
+ search ${materusArg.waffentrager.samba.domain}
+ nameserver ${materusArg.waffentrager.samba.dnsIp}
+ nameserver 9.9.9.9
+ '';
+ };
+ };
+ systemd.services.samba-smbd.enable = false;
+ systemd.services.samba = {
+ description = "Samba Service Daemon";
+
+ requiredBy = [ "samba.target" ];
+ partOf = [ "samba.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ LimitNOFILE = 16384;
+ PIDFile = "/run/samba.pid";
+ Type = "notify";
+ NotifyAccess = "all";
+ };
+ unitConfig.RequiresMountsFor = servicePath;
+ };
+ # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
+ networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
+ networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
+
+ services.samba = {
+ enable = true;
+ enableNmbd = false;
+ enableWinbindd = false;
+ package = pkgs.samba4Full;
+ configText = ''
+ # Global parameters
+ [global]
+ dns forwarder = ${materusArg.waffentrager.samba.dnsIp}
+ netbios name = ${materusArg.waffentrager.samba.netbiosName}
+ realm = ${lib.toUpper materusArg.waffentrager.samba.domain}
+ server role = active directory domain controller
+ workgroup = ${materusArg.waffentrager.samba.workgroup}
+ idmap_ldb:use rfc2307 = yes
+ ldap server require strong auth = no
+
+ [sysvol]
+ path = ${servicePath}/sysvol
+ read only = No
+
+ [netlogon]
+ path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts
+ read only = No
+
+
+ ${sambaCfg.extraConfig}
+
+ ${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))}
+ '';
+ };
 };
-}
\ No newline at end of file
+
+}
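Review bot: `ldap server require strong auth = no` in the new `[global]` section lets clients perform simple (cleartext-credential) and unsigned LDAP binds against the domain controller, and the same hunk opens TCP 389 and 3268 in the firewall, so the weakened binding policy is exposed on the network rather than confined to the host. Unless a specific legacy client needs it, keep Samba's default `ldap server require strong auth = yes` (or `allow_sasl_over_tls` for clients that can only bind over LDAPS), and if it must stay `no`, add a comment above the line naming the client that requires it so the setting can be removed later. Separately, `environment.etc = { resolvconf = { text = ... }; };` writes `/etc/resolvconf`, not `/etc/resolv.conf`; the attribute should presumably be `environment.etc."resolv.conf".text`. Also, `shareConfig` reads `cfg.shares` (waffentragerService.auth) while the call site iterates `lib.attrNames sambaCfg.shares` (services.samba), so `lib.getAttr` will fail at evaluation for any share name that exists only in `services.samba.shares`, unless those two sets are kept identical elsewhere. The enclosing `config = let … in lib.mkIf` binding starts before this hunk.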