Samba: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 8: / Line 8: @@
 services.samba = {
    enable = true;
-  securityType = "user";
    openFirewall = true;
-   extraConfig = ''
+   settings = {
-     workgroup = WORKGROUP
+     global = {
-    server string = smbnix
+      "workgroup" = "WORKGROUP";
-    netbios name = smbnix
+      "server string" = "smbnix";
-    security = user
+      "netbios name" = "smbnix";
-    #use sendfile = yes
+      "security" = "user";
-    #max protocol = smb2
+      #"use sendfile" = "yes";
-    # note: localhost is the ipv6 localhost ::1
+      #"max protocol" = "smb2";
-    hosts allow = 192.168.0. 127.0.0.1 localhost
+      # note: localhost is the ipv6 localhost ::1
-    hosts deny = 0.0.0.0/0
+      "hosts allow" = "192.168.0. 127.0.0.1 localhost";
-    guest account = nobody
+      "hosts deny" = "0.0.0.0/0";
-    map to guest = bad user
+      "guest account" = "nobody";
-  '';
+      "map to guest" = "bad user";
-  shares = {
+    };
-     public = {
+     "public" = {
-       path = "/mnt/Shares/Public";
+       "path" = "/mnt/Shares/Public";
-       browseable = "yes";
+       "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "yes";
@@ Line 34: / Line 33: @@
        "force group" = "groupname";
      };
-     private = {
+     "private" = {
-       path = "/mnt/Shares/Private";
+       "path" = "/mnt/Shares/Private";
-       browseable = "yes";
+       "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
@@ Line 48: / Line 47: @@
 services.samba-wsdd = {
+  enable = true;
+  openFirewall = true;
+};
+services.avahi = {
+  publish.enable = true;
+  publish.userServices = true;
+  # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+  nssmdns4 = true;
+  # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
    enable = true;
    openFirewall = true;
@@ Line 56: / Line 65: @@
 </nowiki>}}
-The <code>samba-wsdd</code> service is used to advertise the shares to Windows hosts.
+The <code>samba-wsdd</code> service and avahi is used to advertise the shares to Windows hosts.
 === User Authentication ===
-For a user called <code>my_user</code>to be authenticated on the samba server, you must add their password using
+For a user called <code>my_user</code>to be authenticated on the samba server, you can add a password using:
 <syntaxhighlight lang="bash">
-smbpasswd -a my_user
+sudo smbpasswd -a my_user
+</syntaxhighlight>
+To automate creation of the samba user and the required system user, you can use [https://search.nixos.org/options?show=system.activationScripts system.activationScripts]:
+<syntaxhighlight lang="nix">
+{
+  # Make the samba user "my_user" on the system
+  users.users.my_user = {
+    description = "Write-access to samba media shares";
+    # Add this user to a group with permission to access the expected files
+    extraGroups = [ "users" ];
+    # Password can be set in clear text with a literal string or from a file.
+    # Using sops-nix we can use the same file so that the system user and samba
+    # user share the same credential (if desired).
+    hashedPasswordFile = config.sops.secrets.samba.path;
+    isNormalUser = true;
+  };
+  # Set "my_user" as a valid samba login
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    openFirewall = true;
+    settings.my_share_directory = {
+      # ...
+      "valid users" = "my_user";
+    };
+  };
+  # Activation scripts run every time nixos switches build profiles. So if you're
+  # pulling the user/samba password from a file then it will be updated during
+  # nixos-rebuild. Again, in this example we're using sops-nix with a "samba" entry
+  # to avoid cleartext password, but this could be replaced with a static path.
+  system.activationScripts = {
+    # The "init_smbpasswd" script name is arbitrary, but a useful label for tracking
+    # failed scripts in the build output. An absolute path to smbpasswd is necessary
+    # as it is not in $PATH in the activation script's environment. The password
+    # is repeated twice with newline characters as smbpasswd requires a password
+    # confirmation even in non-interactive mode where input is piped in through stdin.
+    init_smbpasswd.text = ''
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n" | /run/current-system/sw/bin/smbpasswd -sa my_user
+    '';
+  };
+}
 </syntaxhighlight>
 === Configuration ===
@@ Line 70: / Line 124: @@
 ==== Apple Time Machine ====
-Example configuration:
+In addition to the example above, add this to your configuration:
 <syntaxhighlight lang="nix">
 services.samba = {
-   shares = {
+   settings = {
-     tm_share = {
+     "tm_share" = {
-         path = "/mnt/Shares/tm_share";
+         "path" = "/mnt/Shares/tm_share";
          "valid users" = "username";
-         public = "no";
+         "public" = "no";
-         writeable = "yes";
+         "writeable" = "yes";
          "force user" = "username";
+        # Below are the most imporant for macOS compatibility
+        # Change the above to suit your needs
          "fruit:aapl" = "yes";
          "fruit:time machine" = "yes";
@@ Line 86: / Line 142: @@
      };
    };
-}
+};
+# Ensure Time Machine can discover the share without `tmutil`
+services.avahi = {
+  extraServiceFiles = {
+    timemachine = ''
+      <?xml version="1.0" standalone='no'?>
+      <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+      <service-group>
+        <name replace-wildcards="yes">%h</name>
+        <service>
+          <type>_smb._tcp</type>
+          <port>445</port>
+        </service>
+          <service>
+          <type>_device-info._tcp</type>
+          <port>0</port>
+          <txt-record>model=TimeCapsule8,119</txt-record>
+        </service>
+        <service>
+          <type>_adisk._tcp</type>
+          <!--
+            change tm_share to share name, if you changed it.
+          -->
+          <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
+          <txt-record>sys=waMa=0,adVF=0x100</txt-record>
+        </service>
+      </service-group>
+    '';
+  };
+};
 </syntaxhighlight>
@@ Line 102: / Line 188: @@
    package = pkgs.sambaFull;
    openFirewall = true;
-   extraConfig = ''
+   settings = {
-     load printers = yes
+     "global" = {
-    printing = cups
+      "load printers" = "yes";
-    printcap name = cups
+      "printing" = "cups";
-  '';
+      "printcap name" = "cups";
-  shares = {
+    };
-     printers = {
+     "printers" = {
-       comment = "All Printers";
+       "comment" = "All Printers";
-       path = "/var/spool/samba";
+       "path" = "/var/spool/samba";
-       public = "yes";
+       "public" = "yes";
-       browseable = "yes";
+       "browseable" = "yes";
        # to allow user 'guest account' to print.
        "guest ok" = "yes";
-       writable = "no";
+       "writable" = "no";
-       printable = "yes";
+       "printable" = "yes";
        "create mode" = 0700;
      };
@@ Line 166: / Line 252: @@
         # Set pythonpath manually (bellow with overrideAttrs) as it is not set on 22.11 due to bug
      }).overrideAttrs (finalAttrs: previousAttrs: {
-         pythonPath = with super; [ python3Packages.dnspython tdb ldb talloc ];
+         pythonPath = with super; [ python3Packages.dnspython python3Packages.markdown tdb ldb talloc ];
        });
    })];
@@ Line 338: / Line 424: @@
    services.gvfs = {
      enable = true;
-     package = lib.mkForce pkgs.gnome3.gvfs;
+     package = lib.mkForce pkgs.gnome.gvfs;
    };
 </syntaxhighlight>