| author | Tim Keller <tjk@tjkeller.xyz> | 2026-06-15 15:10:30 -0500 |
|---|---|---|
| committer | Tim Keller <tjk@tjkeller.xyz> | 2026-06-15 15:10:30 -0500 |
| commit | 3141590096b1bc5d4c9d3dfea774d8a3089bd7b2 (patch) | |
| tree | 7a951510de89a70167a26c2dd96108ff1c903f9a | |
| parent | 69b03121408a215c5ca30f445e94de0dfa7d3d7b (diff) | |
| download | nixos-3141590096b1bc5d4c9d3dfea774d8a3089bd7b2.tar.xz nixos-3141590096b1bc5d4c9d3dfea774d8a3089bd7b2.zip | |
update fileshares module
| -rw-r--r-- | hosts/poweredge/fileshares.nix | 24 | ||||
| -rw-r--r-- | nixos/services/fileshares.nix | 106 |
2 files changed, 90 insertions, 40 deletions
diff --git a/hosts/poweredge/fileshares.nix b/hosts/poweredge/fileshares.nix index 8c3c9a0..c5fca71 100644 --- a/hosts/poweredge/fileshares.nix +++ b/hosts/poweredge/fileshares.nix @@ -1,5 +1,11 @@ { - services._fileShares.enable = true; + # Configure services + services._fileShares = { + enable = true; + smb.openFirewall = true; + nfs.openFirewall = true; + }; + # Shares services._fileShares.shares = { PS2 = { path = "/media/ingens/games/ps2"; @@ -23,6 +29,7 @@ tapes = { path = "/media/ingens/tapes"; nfs.enable = true; + smb.enable = true; }; backups = { path = "/media/ingens/backups"; @@ -30,14 +37,11 @@ }; }; - users.users = { - ps2 = { - isSystemUser = true; - password = "ps2"; - group = "ps2"; - }; - }; - users.groups = { - ps2 = {}; + # ps2 user + users.users.ps2 = { + isSystemUser = true; + password = "ps2"; + group = "ps2"; }; + users.groups.ps2 = {}; } diff --git a/nixos/services/fileshares.nix b/nixos/services/fileshares.nix index efeed4a..e61797f 100644 --- a/nixos/services/fileshares.nix +++ b/nixos/services/fileshares.nix @@ -1,5 +1,6 @@ { lib, config, ... }: let cfg = config.services._fileShares; + fileShareType = lib.types.submodule ( { name, ... }: { options = { @@ -10,8 +11,8 @@ description = "name of share"; }; path = lib.mkOption { - type = lib.types.path; - default = ""; + type = lib.types.str; + default = name; description = "path to share"; }; readOnly = lib.mkEnableOption "make share read only"; 
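Review bot: `password = "ps2";` in the re-added `users.users.ps2` block keeps a cleartext Unix password in the system configuration, which NixOS writes into the world-readable Nix store; the commit reshapes the block but carries the value over unchanged. If the account needs a Unix password at all, it should be set through `hashedPassword` or `hashedPasswordFile` with the hash kept outside the store. It is also worth confirming that this password is the one actually in use: with `security = user` Samba authenticates against its own password database, so the Unix password may only be serving as an unintended login credential for `ps2`.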
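Review bot: Changing `path` to `lib.types.str` with `default = name` means a share that omits `path` renders the bare attribute name (for example `path = PS2`) into smb.conf and `/etc/exports`, where a relative path is not a valid export; the previous `lib.types.path` rejects non-absolute values at evaluation time. If the intent is a directory under some base, the default should build an absolute path from that base; otherwise keeping `lib.types.path` with no default makes a missing `path` fail at evaluation rather than at service start. The `fileShareType` submodule this option belongs to continues past the hunk.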
@@ -47,13 +48,33 @@ }; } ); + + # Shares + sambaShares = lib.filterAttrs (_: s: s.smb.enable) cfg.shares; + nfsShares = lib.filterAttrs (_: s: s.nfs.enable) cfg.shares; + + # SMB + sambaGlobalSettings.global = let + hostname = config.networking.hostName; + in { + "workgroup" = lib.mkDefault "WORKGROUP"; + "server string" = lib.mkDefault hostname; + "netbios name" = lib.mkDefault hostname; + "security" = lib.mkDefault "user"; + #"use sendfile" = "yes"; + #"max protocol" = "smb2"; + "hosts allow" = lib.mkDefault "192.168.1. 127.0.0.1 localhost"; # TODO does this work? + "hosts deny" = lib.mkDefault "0.0.0.0/0"; + "guest account" = lib.mkDefault "nobody"; + "map to guest" = lib.mkDefault "bad user"; + }; mkSambaShare = s: { "path" = s.path; "browsable" = lib.boolToYesNo true; "read only" = lib.boolToYesNo s.readOnly; "guest ok" = lib.boolToYesNo s.smb.allowGuests; - "create mask" = "0644"; - "directory mask" = "0755"; + "create mask" = "0644"; # TODO configure + "directory mask" = "0755"; # TODO configure # allow user/group "force user" = lib.mkIf (s.smb.allowUser != null) s.smb.allowUser; "force group" = lib.mkIf (s.smb.allowGroup != null) s.smb.allowGroup; @@ -61,10 +82,14 @@ "hosts deny" = lib.mkIf (s.allowHosts != []) "ALL"; "hosts allow" = lib.mkIf (s.allowHosts != []) (lib.concatStringsSep " " s.allowHosts); } // s.smb.extraOptions; - mkNFSShareHost = s: host: ''${host}(${if s.readOnly then "ro" else "rw"},sync,no_subtree_check)''; + sambaSettings = sambaGlobalSettings // lib.mapAttrs (_: v: mkSambaShare v) sambaShares; + + # NFS + mkNFSShareHost = s: host: ''${host}(${if s.readOnly then "ro" else "rw"},sync,no_subtree_check)''; # TODO configure mkNFSShare = s: '' ${s.path} ${lib.concatMapStringsSep " " (mkNFSShareHost s) (if s.allowHosts == [] then ["*"] else s.allowHosts) } ''; + nfsExports = lib.concatMapAttrsStringSep "\n" (_: v: mkNFSShare v) nfsShares; in { options.services._fileShares = { enable = lib.mkEnableOption "protocol agnostic fileshares module"; 
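Review bot: The relocated default `"hosts deny" = lib.mkDefault "0.0.0.0/0"` only matches IPv4, and Samba's access check admits clients that match neither list when both `hosts allow` and `hosts deny` are set, so on a host with IPv6 addresses the `192.168.1.` allowlist would not constrain IPv6 clients; the per-share block below already uses `"hosts deny" = "ALL"` and the global default should agree with it: `"hosts deny" = lib.mkDefault "ALL";`. The comment `# note: localhost is the ipv6 localhost ::1` that explained the `localhost` entry in `hosts allow` was dropped in the move and should be restored next to the `# TODO does this work?` line. Separately, the `192.168.1.` prefix is now a module-level default rather than host configuration; for a module presented as host-agnostic, exposing it as an option (or moving it into the poweredge host file) would avoid a surprising default elsewhere.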
@@ -73,32 +98,53 @@ in { default = {}; description = "nfs/smb fileshares"; }; - # TODO configure smb nfs here - }; - - config = lib.mkIf cfg.enable { - services.samba = { - enable = true; - openFirewall = true; - settings = { - global = { - "workgroup" = "WORKGROUP"; - "server string" = "poweredge"; - "netbios name" = "poweredge"; - "security" = "user"; - #"use sendfile" = "yes"; - #"max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 - "hosts allow" = "192.168.1. 127.0.0.1 localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - } // lib.mapAttrs (name: value: mkSambaShare value) cfg.shares; + smb = { + openFirewall = lib.mkEnableOption "open firewall for smb"; }; - services.nfs.server = { - enable = true; - exports = lib.concatMapAttrsStringSep "\n" (name: value: mkNFSShare value) cfg.shares; + nfs = { + enableNFSv3 = lib.mkEnableOption "enable support for nfsv3"; + openFirewall = lib.mkEnableOption "open firewall for nfs(v4/v3)"; }; }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + # SMB config + (lib.mkIf (sambaShares != []) { + services.samba = { + enable = true; + openFirewall = lib.mkDefault cfg.smb.openFirewall; + settings = sambaSettings; + }; + }) + + # NFS(v4/v3) config + (lib.mkIf (nfsShares != []) { + services.nfs.server = lib.mkMerge [ + # Base config + { + enable = true; + exports = nfsExports; + } + + # NFSv3 additional config + (lib.mkIf cfg.nfs.enableNFSv3 { + # fixed rpc.statd port; for firewall + lockdPort = 4001; + mountdPort = 4002; + statdPort = 4000; + extraNfsdConfig = ''''; + }) + ]; + + # NFS firewall + networking.firewall = lib.mkIf cfg.nfs.openFirewall ( + if cfg.nfs.enableNFSv3 then { + allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ]; + allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ]; + } else { + allowedTCPPorts = [ 2049 ]; + } + ); + }) + ]); } |
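Review bot: `lib.mkIf (sambaShares != [])` and `lib.mkIf (nfsShares != [])` compare an attribute set (the result of `lib.filterAttrs`) with an empty list, so both conditions are always true and Samba and the NFS server are enabled and exposed even when no share uses that protocol; the checks should read `(lib.mkIf (sambaShares != {}) {` and `(lib.mkIf (nfsShares != {}) {`. With `enableNFSv3` the firewall lists also open 20048, rpc.mountd's default port, while `mountdPort = 4002` pins mountd elsewhere, so 20048 appears to be opened for nothing. Nothing in this hunk turns NFSv3 off when `enableNFSv3` is false; if the `else` branch is meant to be v4-only, confirm nfsd is configured that way (for example through `extraNfsdConfig`, which is currently the empty string `''''`).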
