authorTim Keller <tjk@tjkeller.xyz>2026-01-03 19:29:13 -0600
committerTim Keller <tjk@tjkeller.xyz>2026-01-03 19:29:13 -0600
commitbbd1c316addcc2da6aac2b56834050e4efd03d47 (patch)
tree5343aa4fb5d3181f0129a64648845642421251c6
parentb37e4df94d75bcba3f8341637d868d4a66c8f4ce (diff)
downloadnixos-bbd1c316addcc2da6aac2b56834050e4efd03d47.tar.xz
nixos-bbd1c316addcc2da6aac2b56834050e4efd03d47.zip
fileshares moduleHEADmaster
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/services/fileshares.nix98
2 files changed, 99 insertions, 0 deletions
diff --git a/nixos/default.nix b/nixos/default.nix
index ce04eac..8de9c02 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -5,6 +5,7 @@
./programs/home-manager.nix
./services/cgit.nix
+ ./services/fileshares.nix
./services/gitea.nix
./services/searxng.nix
./services/router/dns-dhcp.nix
diff --git a/nixos/services/fileshares.nix b/nixos/services/fileshares.nix
new file mode 100644
index 0000000..d6af47b
--- /dev/null
+++ b/nixos/services/fileshares.nix
@@ -0,0 +1,98 @@
+{ lib, config, ... }: let
+ cfg = config.services._fileShares;
+ fileShareType = lib.types.submodule (
+ { name, ... }: {
+ options = {
+ enable = lib.mkEnableOption "enable this file share";
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = name;
+ description = "name of share";
+ };
+ protocol = {
+ nfs = lib.mkEnableOption "share file with nfs protocol";
+ smb = lib.mkEnableOption "share file with smb protocol";
+ };
+ path = lib.mkOption {
+ type = lib.types.path;
+ default = "";
+ description = "path to share";
+ };
+ readOnly = lib.mkEnableOption "make share read only";
+ allowGuests = lib.mkEnableOption "allow unauthenticated users to mount";
+ allowHosts = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ example = [ "192.168.1.100" "192.168.0.0/24" ];
+ description = "ip hosts to allow";
+ };
+ # TODO make this work with nfs or provide a warning or prefix with smb.
+ allowUser = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "allow user";
+ };
+ allowGroup = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "allow group";
+ };
+ };
+ }
+ );
+ boolToYesNo = lib.boolToYesNo;
+ mkSambaShare = s: {
+ "path" = s.path;
+ "browsable" = boolToYesNo true;
+ "read only" = boolToYesNo s.readOnly;
+ "guest ok" = boolToYesNo s.allowGuests;
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ # allow user/group
+ "force user" = lib.mkIf (cfg.allowUser != null) cfg.allowUser;
+ "force group" = lib.mkIf (cfg.allowGroup != null) cfg.allowGroup;
+ # allow hosts
+ "hosts deny" = lib.mkIf (s.allowHosts != []) "ALL";
+ "hosts allow" = lib.concatStringSep " " s.allowHosts;
+ };
+ mkNFSShareHost = s: host: ''${host}(${if s.readOnly then "ro" else "rw"},sync,no_subtree_check)'';
+ mkNFSShare = s: ''
+ ${s.path} ${lib.concatMapStringSep " " (mkNFSShareHost s) (if s.allowHosts == [] then ["*"] else s.allowHosts) }
+ '';
+in {
+ options.services._fileShares = {
+ enable = lib.mkEnableOption "protocol agnostic fileshares module";
+ shares = lib.mkOption {
+ type = lib.types.attrsOf fileShareType;
+ default = {};
+ description = "nfs/smb fileshares";
+ };
+ # TODO configure smb nfs here
+ };
+
+ config = {
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ #"workgroup" = "WORKGROUP";
+ #"server string" = "smbnix";
+ #"netbios name" = "smbnix";
+ #"security" = "user";
+ ##"use sendfile" = "yes";
+ ##"max protocol" = "smb2";
+ ## note: localhost is the ipv6 localhost ::1
+ #"hosts allow" = "192.168.0. 127.0.0.1 localhost";
+ #"hosts deny" = "0.0.0.0/0";
+ #"guest account" = "nobody";
+ #"map to guest" = "bad user";
+ };
+ } // lib.mapAttrs (name: value: mkSambaShare value) cfg.shares;
+ };
+ services.nfs.server = {
+ enable = true;
+ exports = lib.concatMapAttrsStringSep "\n" (name: value: mkNFSShare value) cfg.shares;
+ };
+ };
+}
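Review bot: The `config` block is not gated on any option this module declares, so importing the file (which `nixos/default.nix` now does) enables Samba with `openFirewall = true` and the NFS server on every host, and every entry in `cfg.shares` is published over both protocols regardless of its `enable` and `protocol.*` settings. Wrap it as `config = lib.mkIf cfg.enable {` and feed the two generators filtered sets, e.g. `lib.filterAttrs (_: s: s.enable && s.protocol.smb) cfg.shares` for Samba and the `protocol.nfs` equivalent for the exports. With an empty `allowHosts`, `mkNFSShare` falls back to `*` and to `rw` unless `readOnly` is set, so the default share is writable from any client that can reach the server; an assertion requiring a non-empty `allowHosts` for NFS shares would make that exposure an explicit choice. `mkSambaShare` also reads `cfg.allowUser`/`cfg.allowGroup` where the per-share `s.allowUser`/`s.allowGroup` is presumably meant, and `force user` changes the identity used for file access rather than limiting who may connect (`valid users` is the Samba parameter for that). Separately, `lib.concatStringSep` and `lib.concatMapStringSep` look like typos for `lib.concatStringsSep` and `lib.concatMapStringsSep`.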