-rw-r--r--hosts/poweredge/fileshares.nix24
-rw-r--r--nixos/services/fileshares.nix106
2 files changed, 90 insertions, 40 deletions
diff --git a/hosts/poweredge/fileshares.nix b/hosts/poweredge/fileshares.nix
index 8c3c9a0..c5fca71 100644
--- a/hosts/poweredge/fileshares.nix
+++ b/hosts/poweredge/fileshares.nix
@@ -1,5 +1,11 @@
{
- services._fileShares.enable = true;
+ # Configure services
+ services._fileShares = {
+ enable = true;
+ smb.openFirewall = true;
+ nfs.openFirewall = true;
+ };
+ # Shares
services._fileShares.shares = {
PS2 = {
path = "/media/ingens/games/ps2";
@@ -23,6 +29,7 @@
tapes = {
path = "/media/ingens/tapes";
nfs.enable = true;
+ smb.enable = true;
};
backups = {
path = "/media/ingens/backups";
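Review bot: `tapes` is now served over both protocols but still has no `allowHosts`, so on the SMB side it falls back to the module's global `hosts allow` default and on the NFS side it is exported to `*`. If this share is meant to stay LAN-only it is safer to say so on the share itself, e.g. `allowHosts = [ "192.168.1.0/24" ];`, which the module applies to both the smb.conf share and the exports line. The `*` fallback is inferred from `mkNFSShare` in the module file, not from this hunk.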
@@ -30,14 +37,11 @@
};
};
- users.users = {
- ps2 = {
- isSystemUser = true;
- password = "ps2";
- group = "ps2";
- };
- };
- users.groups = {
- ps2 = {};
+ # ps2 user
+ users.users.ps2 = {
+ isSystemUser = true;
+ password = "ps2";
+ group = "ps2";
};
+ users.groups.ps2 = {};
}
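Review bot: `password = "ps2"` is a cleartext password in the configuration, and NixOS copies such values into the world-readable Nix store, so anyone with a shell on the host can read it; prefer `hashedPasswordFile = "/var/lib/secrets/ps2";` (a path outside the store) or `hashedPassword`, and keep the secret out of the repository. This was already the case before the reformat, but the new lines carry it forward unchanged. If the account exists for the PS2 SMB share, note that Samba authenticates against its own password database rather than the Unix password unless that is provisioned elsewhere — I cannot tell from this hunk.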
diff --git a/nixos/services/fileshares.nix b/nixos/services/fileshares.nix
index efeed4a..e61797f 100644
--- a/nixos/services/fileshares.nix
+++ b/nixos/services/fileshares.nix
@@ -1,5 +1,6 @@
{ lib, config, ... }: let
cfg = config.services._fileShares;
+
fileShareType = lib.types.submodule (
{ name, ... }: {
options = {
@@ -10,8 +11,8 @@
description = "name of share";
};
path = lib.mkOption {
- type = lib.types.path;
- default = "";
+ type = lib.types.str;
+ default = name;
description = "path to share";
};
readOnly = lib.mkEnableOption "make share read only";
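Review bot: switching `path` to `lib.types.str` with `default = name` means a share that omits `path` is configured with a bare relative name such as `PS2`, which is not a valid `/etc/exports` path and is not a sensible Samba `path =` either; `lib.types.path` rejected any value not starting with `/`. I would keep `type = lib.types.path;` and drop the default entirely, so a missing path fails at evaluation time instead of producing a bogus export. The submodule this option belongs to starts and ends outside this hunk.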
@@ -47,13 +48,33 @@
};
}
);
+
+ # Shares
+ sambaShares = lib.filterAttrs (_: s: s.smb.enable) cfg.shares;
+ nfsShares = lib.filterAttrs (_: s: s.nfs.enable) cfg.shares;
+
+ # SMB
+ sambaGlobalSettings.global = let
+ hostname = config.networking.hostName;
+ in {
+ "workgroup" = lib.mkDefault "WORKGROUP";
+ "server string" = lib.mkDefault hostname;
+ "netbios name" = lib.mkDefault hostname;
+ "security" = lib.mkDefault "user";
+ #"use sendfile" = "yes";
+ #"max protocol" = "smb2";
+ "hosts allow" = lib.mkDefault "192.168.1. 127.0.0.1 localhost"; # TODO does this work?
+ "hosts deny" = lib.mkDefault "0.0.0.0/0";
+ "guest account" = lib.mkDefault "nobody";
+ "map to guest" = lib.mkDefault "bad user";
+ };
mkSambaShare = s: {
"path" = s.path;
"browsable" = lib.boolToYesNo true;
"read only" = lib.boolToYesNo s.readOnly;
"guest ok" = lib.boolToYesNo s.smb.allowGuests;
- "create mask" = "0644";
- "directory mask" = "0755";
+ "create mask" = "0644"; # TODO configure
+ "directory mask" = "0755"; # TODO configure
# allow user/group
"force user" = lib.mkIf (s.smb.allowUser != null) s.smb.allowUser;
"force group" = lib.mkIf (s.smb.allowGroup != null) s.smb.allowGroup;
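Review bot: the global `"hosts deny"` is `0.0.0.0/0` while the per-share generator a few lines below uses `"ALL"`; as far as I can tell the IPv4 mask form does not match IPv6 peers, and Samba permits a client matched by neither list, so IPv6 clients outside the allow list may not be denied by the global rule — `"hosts deny" = lib.mkDefault "ALL";` would match the per-share behaviour. The rewrite also dropped the old comment explaining that `localhost` in `hosts allow` resolves to the IPv6 loopback `::1`; I would restore it next to `# TODO does this work?`. The enclosing `let` starts outside this hunk.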
@@ -61,10 +82,14 @@
"hosts deny" = lib.mkIf (s.allowHosts != []) "ALL";
"hosts allow" = lib.mkIf (s.allowHosts != []) (lib.concatStringsSep " " s.allowHosts);
} // s.smb.extraOptions;
- mkNFSShareHost = s: host: ''${host}(${if s.readOnly then "ro" else "rw"},sync,no_subtree_check)'';
+ sambaSettings = sambaGlobalSettings // lib.mapAttrs (_: v: mkSambaShare v) sambaShares;
+
+ # NFS
+ mkNFSShareHost = s: host: ''${host}(${if s.readOnly then "ro" else "rw"},sync,no_subtree_check)''; # TODO configure
mkNFSShare = s: ''
${s.path} ${lib.concatMapStringsSep " " (mkNFSShareHost s) (if s.allowHosts == [] then ["*"] else s.allowHosts) }
'';
+ nfsExports = lib.concatMapAttrsStringSep "\n" (_: v: mkNFSShare v) nfsShares;
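Review bot: `mkNFSShare` exports to `*` whenever `allowHosts` is empty, so a share with `nfs.enable = true` and no host list is read-write (unless `readOnly`) to any client that can reach port 2049, which `nfs.openFirewall` makes reachable; the export options carry no `sec=`, so AUTH_SYS applies and the client picks its own UID. I would either make an empty `allowHosts` an assertion failure for NFS shares or at least document the fallback on the `allowHosts` option, e.g. `# NFS: an empty list exports the share to every host (*)`. The `let` block these helpers live in starts outside this hunk.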
in {
options.services._fileShares = {
enable = lib.mkEnableOption "protocol agnostic fileshares module";
@@ -73,32 +98,53 @@ in {
default = {};
description = "nfs/smb fileshares";
};
- # TODO configure smb nfs here
- };
-
- config = lib.mkIf cfg.enable {
- services.samba = {
- enable = true;
- openFirewall = true;
- settings = {
- global = {
- "workgroup" = "WORKGROUP";
- "server string" = "poweredge";
- "netbios name" = "poweredge";
- "security" = "user";
- #"use sendfile" = "yes";
- #"max protocol" = "smb2";
- # note: localhost is the ipv6 localhost ::1
- "hosts allow" = "192.168.1. 127.0.0.1 localhost";
- "hosts deny" = "0.0.0.0/0";
- "guest account" = "nobody";
- "map to guest" = "bad user";
- };
- } // lib.mapAttrs (name: value: mkSambaShare value) cfg.shares;
+ smb = {
+ openFirewall = lib.mkEnableOption "open firewall for smb";
};
- services.nfs.server = {
- enable = true;
- exports = lib.concatMapAttrsStringSep "\n" (name: value: mkNFSShare value) cfg.shares;
+ nfs = {
+ enableNFSv3 = lib.mkEnableOption "enable support for nfsv3";
+ openFirewall = lib.mkEnableOption "open firewall for nfs(v4/v3)";
};
};
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ # SMB config
+ (lib.mkIf (sambaShares != []) {
+ services.samba = {
+ enable = true;
+ openFirewall = lib.mkDefault cfg.smb.openFirewall;
+ settings = sambaSettings;
+ };
+ })
+
+ # NFS(v4/v3) config
+ (lib.mkIf (nfsShares != []) {
+ services.nfs.server = lib.mkMerge [
+ # Base config
+ {
+ enable = true;
+ exports = nfsExports;
+ }
+
+ # NFSv3 additional config
+ (lib.mkIf cfg.nfs.enableNFSv3 {
+ # fixed rpc.statd port; for firewall
+ lockdPort = 4001;
+ mountdPort = 4002;
+ statdPort = 4000;
+ extraNfsdConfig = '''';
+ })
+ ];
+
+ # NFS firewall
+ networking.firewall = lib.mkIf cfg.nfs.openFirewall (
+ if cfg.nfs.enableNFSv3 then {
+ allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
+ allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
+ } else {
+ allowedTCPPorts = [ 2049 ];
+ }
+ );
+ })
+ ]);
}
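Review bot: `sambaShares != []` and `nfsShares != []` are always true, because both values are attribute sets from `lib.filterAttrs` and in Nix an attrset never equals a list, so both services get enabled even when no share uses that protocol; compare against the empty attrset instead: `(lib.mkIf (sambaShares != {}) {` and `(lib.mkIf (nfsShares != {}) {`. In the NFSv3 branch `mountdPort = 4002` pins mountd, so also opening 20048 (mountd's default port) looks redundant, and `extraNfsdConfig = ''''` is a no-op that could go. The comment `# fixed rpc.statd port; for firewall` covers lockd and mountd too; something like `# pin lockd/mountd/statd ports so the firewall rules below can be static` reads better.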