nixos/samba: cleanup and update defaults
		
							parent
							
								
									fe07c77ff1
								
							
						
					
					
						commit
						b903bf0a57
					
				| @ -6,25 +6,11 @@ let | ||||
| 
 | ||||
|   cfg = config.services.samba; | ||||
| 
 | ||||
|   logDir = "/var/log/samba"; | ||||
|   privateDir = "/var/samba/private"; | ||||
| 
 | ||||
|   samba = cfg.package; | ||||
| 
 | ||||
|   setupScript = | ||||
|     '' | ||||
|       if ! test -d /var/samba ; then | ||||
|         mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd | ||||
|       fi | ||||
| 
 | ||||
|       passwdFile="$(${pkgs.gnused}/bin/sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' ${configFile})" | ||||
|       if [ -n "$passwdFile" ]; then | ||||
|         echo 'INFO: [samba] creating directory containing passwd file' | ||||
|         mkdir -p "$(dirname "$passwdFile")" | ||||
|       fi | ||||
| 
 | ||||
|       mkdir -p ${logDir} | ||||
|       mkdir -p ${privateDir} | ||||
|       mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private | ||||
|     ''; | ||||
| 
 | ||||
|   shareConfig = name: | ||||
| @ -39,9 +25,10 @@ let | ||||
|     (if cfg.configText != null then cfg.configText else | ||||
|     '' | ||||
|       [ global ] | ||||
|       log file = ${logDir}/log.%m | ||||
|       private dir = ${privateDir} | ||||
|       ${optionalString cfg.syncPasswordsByPam "pam password change = true"} | ||||
|       security = ${cfg.securityType} | ||||
|       passwd program = /var/setuid-wrappers/passwd %u | ||||
|       pam password change = ${toString cfg.syncPasswordsByPam} | ||||
|       invalid users = ${toString cfg.invalidUsers} | ||||
| 
 | ||||
|       ${cfg.extraConfig} | ||||
| 
 | ||||
| @ -83,14 +70,16 @@ in | ||||
|     services.samba = { | ||||
| 
 | ||||
|       enable = mkOption { | ||||
|         type = types.bool; | ||||
|         default = false; | ||||
|         description = " | ||||
|         description = '' | ||||
|           Whether to enable Samba, which provides file and print | ||||
|           services to Windows clients through the SMB/CIFS protocol. | ||||
|         "; | ||||
|         ''; | ||||
|       }; | ||||
| 
 | ||||
|       package = mkOption { | ||||
|         type = types.package; | ||||
|         default = pkgs.samba; | ||||
|         example = pkgs.samba4; | ||||
|         description = '' | ||||
| @ -99,72 +88,47 @@ in | ||||
|       }; | ||||
| 
 | ||||
|       syncPasswordsByPam = mkOption { | ||||
|         type = types.bool; | ||||
|         default = false; | ||||
|         description = " | ||||
|           enabling this will add a line directly after pam_unix.so. | ||||
|         description = '' | ||||
|           Enabling this will add a line directly after pam_unix.so. | ||||
|           Whenever a password is changed the samba password will be updated as well. | ||||
|           However you still yave to add the samba password once using smbpasswd -a user | ||||
|           If you don't want to maintain an extra pwd database you still can send plain text | ||||
|           passwords which is not secure. | ||||
|         "; | ||||
|         ''; | ||||
|       }; | ||||
| 
 | ||||
|       invalidUsers = mkOption { | ||||
|         type = types.listOf types.str; | ||||
|         default = [ "root" ]; | ||||
|         description = '' | ||||
|           List of users who are denied to login via Samba. | ||||
|         ''; | ||||
|       }; | ||||
| 
 | ||||
|       extraConfig = mkOption { | ||||
|         # !!! Bad default. | ||||
|         default = '' | ||||
|           # [global] continuing global section here, section is started by nix to set pids etc | ||||
| 
 | ||||
|             smb passwd file = /etc/samba/passwd | ||||
| 
 | ||||
|             # is this useful ? | ||||
|             domain master = auto | ||||
| 
 | ||||
|             encrypt passwords = Yes | ||||
|             client plaintext auth = No | ||||
| 
 | ||||
|             # yes: if you use this you probably also want to enable syncPasswordsByPam | ||||
|             # no: You can still use the pam password database. However | ||||
|             # passwords will be sent plain text on network (discouraged) | ||||
| 
 | ||||
|             workgroup = Users | ||||
|             server string = %h | ||||
|             comment = Samba | ||||
|             log file = /var/log/samba/log.%m | ||||
|             log level = 10 | ||||
|             max log size = 50000 | ||||
|             security = ${cfg.securityType} | ||||
| 
 | ||||
|             client lanman auth = Yes | ||||
|             dns proxy = no | ||||
|             invalid users = root | ||||
|             passdb backend = tdbsam | ||||
|             passwd program = /usr/bin/passwd %u | ||||
|         type = types.lines; | ||||
|         default = ""; | ||||
|         description = '' | ||||
|           Additional global section and extra section lines go in here. | ||||
|         ''; | ||||
| 
 | ||||
|         description = " | ||||
|           additional global section and extra section lines go in here. | ||||
|         "; | ||||
|       }; | ||||
| 
 | ||||
|       configFile = mkOption { | ||||
|         description = " | ||||
|           internal use to pass filepath to samba pam module | ||||
|         "; | ||||
|       }; | ||||
| 
 | ||||
|       configText = mkOption { | ||||
|         type = types.nullOr types.lines; | ||||
|         default = null; | ||||
|         description = " | ||||
|         description = '' | ||||
|           Verbatim contents of smb.conf. If null (default), use the | ||||
|           autogenerated file from NixOS instead. | ||||
|         "; | ||||
|         ''; | ||||
|       }; | ||||
| 
 | ||||
|       securityType = mkOption { | ||||
|         description = "Samba security type"; | ||||
|         type = types.str; | ||||
|         default = "user"; | ||||
|         example = "share"; | ||||
|         description = "Samba security type"; | ||||
|       }; | ||||
| 
 | ||||
|       nsswins = mkOption { | ||||
| @ -179,12 +143,11 @@ in | ||||
| 
 | ||||
|       shares = mkOption { | ||||
|         default = {}; | ||||
|         description = | ||||
|           '' | ||||
|         description = '' | ||||
|           A set describing shared resources. | ||||
|           See <command>man smb.conf</command> for options. | ||||
|           ''; | ||||
|         type = types.attrsOf (types.attrsOf types.str); | ||||
|         ''; | ||||
|         type = types.attrsOf (types.attrsOf types.unspecified); | ||||
|         example = | ||||
|           { srv = | ||||
|              { path = "/srv"; | ||||
|  | ||||
	 Nikolay Amiantov
						Nikolay Amiantov