From d4125a737035087627ca80095882300fdc75bf69 Mon Sep 17 00:00:00 2001
From: materus <materus@podkos.pl>
Date: Fri, 12 Apr 2024 01:38:50 +0200
Subject: [PATCH] waffentrager: prepare samba DC

---
 .../waffentrager/secrets/private/default.nix  | Bin 669 -> 874 bytes
 .../host/waffentrager/services/auth.nix       |  79 +++++++++++++++++-
 2 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/configurations/host/waffentrager/secrets/private/default.nix b/configurations/host/waffentrager/secrets/private/default.nix
index b369ccdefbaebe175917791a52f7b45bc3c41efc..94402b11a8e83c177a0c4a453af26d81dd2320e8 100644
GIT binary patch
literal 874
zcmZQ@_Y83kiVO&0czf01_t8T&v5|e29o9Sk1zxy!WcJ+&&mAw_@2LGdvodi@EYnRl
zxoy5N-7K-!+>3etE^N8DSaxIU8-ts>Q{0zb-qPa3m~<q?Ccs!-?D5KF7iL`jUMHZo
zv&x}C+kR5r^)<5jD~%R+pFcI%e6IkzN}R$bZ!;gsgYlMKs#zA6;j0gB_nW;%rg2;G
z?XOE;GtTZ?_F<>}uNcS5YqJ~{oe^F8=HC4I52n1`RhqNvh{2kr7E8^SoG$J;I)$ew
zN$1wxPd1+ftdFN&wQdwxapSPb_RGR5M-8o3J>C*4>>R!z|6r^5u2r%(L|UJD<SiDA
zJrXbcy6?zz_TyYEm!6#zKW4JmG05rWk-9sXt<grJj`e{)x3g{E1nq1O*&8iYP`zg7
z*KH|P^~V-%@GU;{YiY*HefO?bB`KKo$th0!cKrHk?jLG(Z0W)Iv!x}UF32!;U;F-G
z&7<y%(Qj&<z6h`74P217?()(fyEjQqyL{ZQ_lD-<S$l5kYN^jWme}2JXnLtumgqil
z^FxM8#hW%Sn;<B1NJ2|xw{g?c7Y_aPKPEEVE52QAct4rhYEg0qzl?Kd+GVb33$wXj
z9t`7Lmw8>P^e1<QQP8UrYln+Jl8y$=YfiVgxuxskXQnor)ET+_MqCjUUr#po1gx(V
zbGn#Sy>fq<yZG}%=Pz%ZapOMU(`C=vetzJyn0b6f+v+*F`$SH0?sK}k{Qf(w#*HWY
zciJw?tV;_wK4+NjzGvBoJy9-l413=^>N)izYnHn0_XYDNl(wXJ+>%c_Q1l{n+G*!z
z;q|OdwlfRadYF&Si}-X-#Pr)E)kD8ImoM*mv|m8J;+r0i!5*&L`_I2Sw=gc?^rzg_
zirxi|zn5+m*p&Xd-K)IEyu18)+4U30_51(aW8io;bIL-!qM#Sgk7>F+o+z$a__cA(
zp_0XdQTn??Sib2Sc<o)%bZ5%s*{Y>)O`Y>MH#FvWGCZ=0dEI^BbCR9K-(RYy{vAs{
zT>oBxd&(KcbtlZ4KCRqy^Y&?@X+68LZ%se9##hSW)G=e>qyH9m1w~ox6I*wHQ6o2P
zcb7(J+UNZid>gYizJD-zwE%B+YE5Uc$&zn7<R{K-xi$5)?dC;&r!RWH)nJ>HqOnt2
v^SZ>-J1yUC<yU!|)~~w0`@z|%!cz?xk21=c9Ic+48rQ%v;h64&?pxCUhfTih

literal 669
zcmZQ@_Y83kiVO&0h!JDC@ZC`Gv%t$|_wIa~xjW~;fv;1hn%QiUZ#ELiJM#S`mq~TI
z7;~T1vP{{#s!j1OX)1jTyOMl6e}Dh1KlAkKCTB7IlI)33lI*{6CWaU8a-3Fp^=QvU
z*>w^jFCC=n<ZbVlE%knIncrW-Rxf{X+1{fZQq5UKCh`5emseg9$lS4ux%a`lm5LiI
zHD3fV>h5Sa4?U=-?D%Kaj$H+^%i`<e?T&2qo9bO>*zk4nq?Y?Zzk_GZFKIC>6n*&Z
zA@_;He0s;dKOczM9Gn`m*dmxcr2D&OzS(+X?tJgmJt^e}_q^aOh~z&0?3UORlf1m0
zem`uSCmLCaMP%tqvp<mk(|eM!yw-00;oNqX<E!+I#iiCn7ELU?=<+g|+v0}q>lszY
zKk?fuOch8lWY1Ew%2JE$7C3XfE!=;NP;W_$Zrb1dK63x0>;113{+f5mcbDbN(~I<E
zpY7hr^i?)SzuEBHk@Qbf({wF2c%GC>do_L0*}t35u6R28ZR38K;HhVP<o|Ks>to!-
zX!7H-hD^W)3$-(IIj^}zzBAW}Yi(ve+3%-o-JRn1MMmRIt6D;a^@FZS%ExvZT)x6R
zL*)9;2YU`Cs}#xH_nWatxwXG1u$hk~Bi}CXuf}KT`E?qq8K3UoGIzbuf0)nw=4F${
z)MX+4caN?U@O>q`EM(#LQjwOcH`C{thLoPI^1t;WOF8+)r``W=Ij)p;*euV~wz&I&
zsgq~Hd6&$fylqX!^Jk^nD4qM%xRhy6@Fw$=@`A7a2|X7zK7S74wz*gRP$weLedZtT
z?n|88&#Ha8c+~bN#~-<3?K?joZOnYOLE^>Vbzg7P?06L$T(s^(;>$nY@{U?-_@;7P
h>uWb^KY25<ZlUcRm-T#_zuod~g~<sS@tN}T008zzK??u?

diff --git a/configurations/host/waffentrager/services/auth.nix b/configurations/host/waffentrager/services/auth.nix
index 134edb9..3774145 100644
--- a/configurations/host/waffentrager/services/auth.nix
+++ b/configurations/host/waffentrager/services/auth.nix
@@ -5,10 +5,87 @@
   config =
     let
       cfg = config.waffentragerService.auth;
+      sambaCfg = config.services.samba;
+      servicePath = "/var/lib/elements/services/samba";
+      smbToString = x:
+        if builtins.typeOf x == "bool"
+        then lib.boolToString x
+        else builtins.toString x;
+      shareConfig = name:
+        let share = lib.getAttr name cfg.shares; in
+        "[${name}]\n " + (smbToString (
+          map
+            (key: "${key} = ${smbToString (lib.getAttr key share)}\n")
+            (lib.attrNames share)
+        ));
     in
     lib.mkIf cfg.enable {
       waffentragerService.elements.enable = true;
       waffentragerService.nginx.enable = true;
 
+
+
+      systemd.services.resolvconf.enable = false;
+      environment.etc = {
+        resolvconf = {
+          text = ''
+            search ${materusArg.waffentrager.samba.domain}
+            nameserver ${materusArg.waffentrager.samba.dnsIp}
+            nameserver 9.9.9.9
+          '';
+        };
+      };
+      systemd.services.samba-smbd.enable = false;
+      systemd.services.samba = {
+        description = "Samba Service Daemon";
+
+        requiredBy = [ "samba.target" ];
+        partOf = [ "samba.target" ];
+
+        serviceConfig = {
+          ExecStart = "${pkgs.samba4Full}/sbin/samba --foreground --no-process-group";
+          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          LimitNOFILE = 16384;
+          PIDFile = "/run/samba.pid";
+          Type = "notify";
+          NotifyAccess = "all";
+        };
+        unitConfig.RequiresMountsFor = servicePath;
+      };
+      # https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
+      networking.firewall.allowedTCPPorts = [ 139 445 389 88 53 464 636 3268];
+      networking.firewall.allowedUDPPorts = [ 135 137 138 389 88 53 123 464];
+
+      services.samba = {
+        enable = true;
+        enableNmbd = false;
+        enableWinbindd = false;
+        package = pkgs.samba4Full;
+        configText = ''
+          # Global parameters
+          [global]
+              dns forwarder = ${materusArg.waffentrager.samba.dnsIp}
+              netbios name = ${materusArg.waffentrager.samba.netbiosName}
+              realm = ${lib.toUpper materusArg.waffentrager.samba.domain}
+              server role = active directory domain controller
+              workgroup = ${materusArg.waffentrager.samba.workgroup}
+              idmap_ldb:use rfc2307 = yes
+              ldap server require strong auth = no
+
+          [sysvol]
+              path = ${servicePath}/sysvol
+              read only = No
+
+          [netlogon]
+              path = ${servicePath}/sysvol/${materusArg.waffentrager.samba.domain}/scripts
+              read only = No
+
+
+            ${sambaCfg.extraConfig}
+
+            ${smbToString (map shareConfig (lib.attrNames sambaCfg.shares))}
+        '';
+      };
     };
-}
\ No newline at end of file
+
+}