Official NixOS Wiki

Samba: Difference between revisions

← Older editNewer edit →
VisualWikitext
fix security option
User Authentication: add robust automated authentication example that provides full context and aims to give a basic, typical password-protected folder share
(5 intermediate revisions by 4 users not shown)
Line 8: Line 8:
services.samba = {
services.samba = {
   enable = true;
   enable = true;
  securityType = "user";
   openFirewall = true;
   openFirewall = true;
   settings = {
   settings = {
Line 70: Line 69:
=== User Authentication ===
=== User Authentication ===


For a user called <code>my_user</code>to be authenticated on the samba server, you must add their password using
For a user called <code>my_user</code>to be authenticated on the samba server, you can add a password using:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
smbpasswd -a my_user
sudo smbpasswd -a my_user
</syntaxhighlight>
</syntaxhighlight>
To automate creation of the samba user and the required system user, you can use [https://search.nixos.org/options?show=system.activationScripts system.activationScripts]:
<syntaxhighlight lang="nix">
{
  # Make the samba user "my_user" on the system
  users.users.my_user = {
    description = "Write-access to samba media shares";
    # Add this user to a group with permission to access the expected files
    extraGroups = [ "users" ];
    # Password can be set in clear text with a literal string or from a file.
    # Using sops-nix we can use the same file so that the system user and samba
    # user share the same credential (if desired).
    hashedPasswordFile = config.sops.secrets.samba.path;
    isNormalUser = true;
  };
  # Set "my_user" as a valid samba login
  services.samba = {
    enable = true;
    securityType = "user";
    openFirewall = true;
    settings.my_share_directory = {
      # ...
      "valid users" = "my_user";
    };
  };
  # Activation scripts run every time nixos switches build profiles. So if you're
  # pulling the user/samba password from a file then it will be updated during
  # nixos-rebuild. Again, in this example we're using sops-nix with a "samba" entry
  # to avoid cleartext password, but this could be replaced with a static path.
  system.activationScripts = {
    # The "init_smbpasswd" script name is arbitrary, but a useful label for tracking
    # failed scripts in the build output. An absolute path to smbpasswd is necessary
    # as it is not in $PATH in the activation script's environment. The password
    # is repeated twice with newline characters as smbpasswd requires a password
    # confirmation even in non-interactive mode where input is piped in through stdin.
    init_smbpasswd.text = ''
      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n" | /run/current-system/sw/bin/smbpasswd -sa my_user
    '';
  };
}
</syntaxhighlight>


=== Configuration ===
=== Configuration ===
Line 119: Line 163:
         <service>
         <service>
           <type>_adisk._tcp</type>
           <type>_adisk._tcp</type>
          <!--
            change tm_share to share name, if you changed it.
          -->
           <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
           <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
           <txt-record>sys=waMa=0,adVF=0x100</txt-record>
           <txt-record>sys=waMa=0,adVF=0x100</txt-record>
Line 142: Line 189:
   openFirewall = true;
   openFirewall = true;
   settings = {
   settings = {
    "global" = {
       "load printers" = "yes";
       "load printers" = "yes";
       "printing" = "cups";
       "printing" = "cups";
Line 376: Line 424:
   services.gvfs = {
   services.gvfs = {
     enable = true;
     enable = true;
     package = lib.mkForce pkgs.gnome3.gvfs;
     package = lib.mkForce pkgs.gnome.gvfs;
   };
   };
</syntaxhighlight>
</syntaxhighlight>
Retrieved from "https://wiki.nixos.org/wiki/Samba"