Samba: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 8: / Line 8: @@
 services.samba = {
    enable = true;
-  securityType = "user";
    openFirewall = true;
    settings = {
@@ Line 15: / Line 14: @@
        "server string" = "smbnix";
        "netbios name" = "smbnix";
-       "security" = "user ";
+       "security" = "user";
        #"use sendfile" = "yes";
        #"max protocol" = "smb2";
@@ Line 70: / Line 69: @@
 === User Authentication ===
-For a user called <code>my_user</code>to be authenticated on the samba server, you must add their password using
+For a user called <code>my_user</code>to be authenticated on the samba server, you can add a password using:
 <syntaxhighlight lang="bash">
-smbpasswd -a my_user
+sudo smbpasswd -a my_user
 </syntaxhighlight>
+To automate creation of the samba user and the required system user, you can use [https://search.nixos.org/options?show=system.activationScripts system.activationScripts]:
+<syntaxhighlight lang="nix">
+{
+  # Make the samba user "my_user" on the system
+  users.users.my_user = {
+    description = "Write-access to samba media shares";
+    # Add this user to a group with permission to access the expected files
+    extraGroups = [ "users" ];
+    # Password can be set in clear text with a literal string or from a file.
+    # Using sops-nix we can use the same file so that the system user and samba
+    # user share the same credential (if desired).
+    hashedPasswordFile = config.sops.secrets.samba.path;
+    isNormalUser = true;
+  };
+  # Set "my_user" as a valid samba login
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    openFirewall = true;
+    settings.my_share_directory = {
+      # ...
+      "valid users" = "my_user";
+    };
+  };
+  # Activation scripts run every time nixos switches build profiles. So if you're
+  # pulling the user/samba password from a file then it will be updated during
+  # nixos-rebuild. Again, in this example we're using sops-nix with a "samba" entry
+  # to avoid cleartext password, but this could be replaced with a static path.
+  system.activationScripts = {
+    # The "init_smbpasswd" script name is arbitrary, but a useful label for tracking
+    # failed scripts in the build output. An absolute path to smbpasswd is necessary
+    # as it is not in $PATH in the activation script's environment. The password
+    # is repeated twice with newline characters as smbpasswd requires a password
+    # confirmation even in non-interactive mode where input is piped in through stdin.
+    init_smbpasswd.text = ''
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n" | /run/current-system/sw/bin/smbpasswd -sa my_user
+    '';
+  };
+}
+</syntaxhighlight>
 === Configuration ===
@@ Line 119: / Line 163: @@
          <service>
            <type>_adisk._tcp</type>
+          <!--
+            change tm_share to share name, if you changed it.
+          -->
            <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
            <txt-record>sys=waMa=0,adVF=0x100</txt-record>
@@ Line 142: / Line 189: @@
    openFirewall = true;
    settings = {
+    "global" = {
        "load printers" = "yes";
        "printing" = "cups";
@@ Line 376: / Line 424: @@
    services.gvfs = {
      enable = true;
-     package = lib.mkForce pkgs.gnome3.gvfs;
+     package = lib.mkForce pkgs.gnome.gvfs;
    };
 </syntaxhighlight>