{ config, lib, pkgs, ... }:
with lib;
let
# Render a Nix value as smb.conf text: booleans go through boolToString,
# every other value through toString (which, for a list, joins the elements
# with single spaces).
smbToString = x:
  if builtins.isBool x
  then boolToString x
  else toString x;
# The user's settings for this module (the services.samba option tree).
cfg = config.services.samba;
# Samba package in use: its sbin/ directory supplies the daemons started by
# daemonService, and it is registered as an NSS module when nsswins is on.
samba = cfg.package;
# Shell snippet run by the samba-setup unit: creates Samba's lock, log, cache
# and private state directories if they are missing.
# NOTE(review): mkdir -p is given no explicit mode, so newly created
# directories get whatever the unit's umask yields. /var/lib/samba/private is
# where Samba conventionally keeps its password and secrets databases;
# confirm the resulting permissions on it are as tight as intended.
setupScript =
  ''
    mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private
  '';
# Build the smb.conf section for the share called `name`: a "[name]" header
# followed by one "key = value" line per attribute of cfg.shares.<name>.
# The share name, the keys and the values are emitted as given; nothing is
# validated or escaped here, so smb.conf receives exactly what the NixOS
# configuration supplies.
shareConfig = name:
  let
    share = cfg.shares.${name};
    renderLine = key: "${key} = ${smbToString share.${key}}\n";
  in
    # toString joins the rendered lines with single spaces, which yields the
    # one-space indent in front of every line after the header.
    "[${name}]\n " + toString (map renderLine (attrNames share));
# The smb.conf handed to Samba, built with pkgs.writeText and therefore
# stored in the Nix store.
#
# When cfg.configText is set it is used verbatim and the template below is
# not emitted at all: securityType, syncPasswordsByPam, invalidUsers
# (including its [ "root" ] default), extraConfig and shares are ignored in
# that case, so a hand-written configText has to restate any restriction it
# still wants.
#
# The Nix store is world-readable, so neither configText nor extraConfig is
# a suitable place for passwords or other secrets.
#
# cfg.securityType, cfg.extraConfig and the share sections are interpolated
# as-is; no validation or escaping happens here.
configFile = pkgs.writeText "smb.conf"
  (if cfg.configText != null then cfg.configText else
    ''
      [global]
      security = ${cfg.securityType}
      passwd program = /run/wrappers/bin/passwd %u
      pam password change = ${smbToString cfg.syncPasswordsByPam}
      invalid users = ${smbToString cfg.invalidUsers}

      ${cfg.extraConfig}

      ${smbToString (map shareConfig (attrNames cfg.shares))}
    '');
# This may include nss_ldap, needed for samba if it has to use ldap.
# daemonService exports this path to every Samba daemon as LD_LIBRARY_PATH,
# so whatever is registered in system.nssModules is loadable by them.
nssModulesPath = config.system.nssModules.path;
# Build the systemd service definition for one Samba daemon.
#   appName: binary name under ${samba}/sbin (smbd, nmbd or winbindd here)
#   args:    extra command-line arguments appended to ExecStart
# The unit is tied to samba.target and is restarted whenever the generated
# smb.conf changes.
# NOTE(review): serviceConfig sets no User=, capability or sandboxing
# directives, so the daemons keep the privileges systemd gives a system
# service by default; any hardening has to be added by the caller.
daemonService = appName: args:
  let
    sambaTarget = [ "samba.target" ];
  in {
    description = "Samba Service Daemon ${appName}";

    after = [ "network.target" ];
    requiredBy = sambaTarget;
    partOf = sambaTarget;

    # NSS modules are made loadable through LD_LIBRARY_PATH.
    environment.LD_LIBRARY_PATH = nssModulesPath;
    environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";

    serviceConfig = {
      ExecStart = "${samba}/sbin/${appName} --foreground --no-process-group ${args}";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      LimitNOFILE = 16384;
      PIDFile = "/run/${appName}.pid";
      Type = "notify";
      # "all" accepts readiness/status notifications from every process in
      # the unit's control group, not only from the main PID.
      NotifyAccess = "all"; #may not do anything...
    };

    restartTriggers = [ configFile ];
  };
in
{
###### interface
# Option declarations for services.samba. Apart from `enable`, `package`,
# the two daemon toggles and `nsswins`, every option here only feeds the
# generated smb.conf and is ignored once `configText` is set.
options = {

  # !!! clean up the descriptions.

  services.samba = {

    # Off by default. The firewall snippet in the description uses the
    # global allowedTCPPorts/allowedUDPPorts lists, which open the SMB and
    # NetBIOS ports on every interface the firewall covers; on multi-homed
    # hosts prefer networking.firewall.interfaces.<name> so that only the
    # networks meant to reach the shares can.
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable Samba, which provides file and print
        services to Windows clients through the SMB/CIFS protocol.

        <note>
          <para>If you use the firewall consider adding the following:</para>
        <programlisting>
          networking.firewall.allowedTCPPorts = [ 139 445 ];
          networking.firewall.allowedUDPPorts = [ 137 138 ];
        </programlisting>
        </note>
      '';
    };

    # On by default. nmbd is the NetBIOS name/browsing service (the UDP
    # 137/138 ports in the firewall note above); it can be switched off where
    # clients only use direct SMB and NetBIOS discovery is not needed.
    enableNmbd = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to enable Samba's nmbd, which replies to NetBIOS over IP name
        service requests. It also participates in the browsing protocols
        which make up the Windows "Network Neighborhood" view.
      '';
    };

    # On by default. Required when nsswins is enabled (enforced by the
    # assertion in the implementation section).
    enableWinbindd = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to enable Samba's winbindd, which provides a number of services
        to the Name Service Switch capability found in most modern C libraries,
        to arbitrary applications via PAM and ntlm_auth and to Samba itself.
      '';
    };

    # Package whose sbin/ binaries are started by the daemon units.
    package = mkOption {
      type = types.package;
      default = pkgs.samba;
      defaultText = "pkgs.samba";
      example = literalExample "pkgs.samba3";
      description = ''
        Defines which package should be used for the samba server.
      '';
    };

    # Rendered as `pam password change` in the generated [global] section.
    # NOTE(review): the description mentions a line added after pam_unix.so,
    # but nothing in this file edits the PAM stack beyond declaring
    # security.pam.services.samba; presumably the PAM module reads this
    # option elsewhere. Confirm.
    syncPasswordsByPam = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enabling this will add a line directly after pam_unix.so.
        Whenever a password is changed the samba password will be updated as well.
        However, you still have to add the samba password once, using smbpasswd -a user.
        If you don't want to maintain an extra password database, you still can send plain text
        passwords which is not secure.
      '';
    };

    # Rendered as `invalid users` in the generated [global] section. The
    # default keeps root from logging in over SMB; overriding the list
    # replaces that default, and a configText-based setup does not get it.
    invalidUsers = mkOption {
      type = types.listOf types.str;
      default = [ "root" ];
      description = ''
        List of users who are denied to login via Samba.
      '';
    };

    # Appended verbatim after the generated [global] settings. The text ends
    # up in the world-readable Nix store, so keep credentials out of it.
    # The example maps logins for unknown user names to the guest account
    # (nobody); together with a share that sets "guest ok", that share is
    # reachable without credentials.
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        Additional global section and extra section lines go in here.
      '';
      example = ''
        guest account = nobody
        map to guest = bad user
      '';
    };

    # Replaces the generated smb.conf entirely: securityType,
    # syncPasswordsByPam, invalidUsers, extraConfig and shares have no effect
    # once this is non-null.
    configText = mkOption {
      type = types.nullOr types.lines;
      default = null;
      description = ''
        Verbatim contents of smb.conf. If null (default), use the
        autogenerated file from NixOS instead.
      '';
    };

    # Written unchecked into `security = ...`; any string is accepted.
    # The "share" example is share-level security, which Samba 4.0 removed,
    # so it is only meaningful with an older package.
    securityType = mkOption {
      type = types.str;
      default = "user";
      example = "share";
      description = "Samba security type";
    };

    # When set, the Samba package is added to system.nssModules.
    nsswins = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Whether to enable the WINS NSS (Name Service Switch) plug-in.
        Enabling it allows applications to resolve WINS/NetBIOS names (a.k.a.
        Windows machine names) by transparently querying the winbindd daemon.
      '';
    };

    # Share sections, keyed by share name. The value type is unspecified, so
    # keys and values are not checked before they are written to smb.conf.
    # The example is a read-only share that guests may browse and open.
    shares = mkOption {
      default = {};
      description = ''
        A set describing shared resources.
        See <command>man smb.conf</command> for options.
      '';
      type = types.attrsOf (types.attrsOf types.unspecified);
      example =
        { public =
          { path = "/srv/public";
            "read only" = true;
            browseable = "yes";
            "guest ok" = "yes";
            comment = "Public samba share.";
          };
        };
    };

  };

};
###### implementation
# Module implementation, in two parts: settings that apply whether or not
# Samba is enabled, and the units and PAM/NSS wiring that exist only when
# services.samba.enable is true.
config = mkMerge [
  {
    # The WINS NSS plug-in resolves names through winbindd, so reject a
    # configuration that turns the plug-in on and the daemon off.
    assertions = [
      {
        assertion = cfg.nsswins -> cfg.enableWinbindd;
        message = "If samba.nsswins is enabled, then samba.enableWinbindd must also be enabled";
      }
    ];

    # Always provide a smb.conf to shut up programs like smbclient and smbspool.
    # mkOptionDefault gives this the lowest priority, so another module or
    # the user can supply a different /etc/samba/smb.conf.
    environment.etc."samba/smb.conf".source = mkOptionDefault (
      if cfg.enable
      then configFile
      else pkgs.writeText "smb-dummy.conf" "# Samba is disabled."
    );
  }

  (mkIf cfg.enable {

    system.nssModules = optional cfg.nsswins samba;

    systemd.targets.samba = {
      description = "Samba Server";
      requires = [ "samba-setup.service" ];
      after = [ "samba-setup.service" "network.target" ];
      wantedBy = [ "multi-user.target" ];
    };

    # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
    # for correct use with systemd
    # smbd always runs; nmbd and winbindd follow their enable options.
    systemd.services.samba-smbd = daemonService "smbd" "";
    systemd.services.samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" "");
    systemd.services.samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" "");

    # Creates the state directories before samba.target is reached.
    systemd.services.samba-setup = {
      description = "Samba Setup Task";
      script = setupScript;
      unitConfig.RequiresMountsFor = "/var/lib/samba";
    };

    # Declares a PAM service named "samba" with default settings.
    security.pam.services.samba = {};

  })
];
}