diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix index 6fcf89999523..8c79bf663d15 100644 --- a/nixos/modules/services/network-filesystems/samba.nix +++ b/nixos/modules/services/network-filesystems/samba.nix @@ -6,25 +6,11 @@ let cfg = config.services.samba; - logDir = "/var/log/samba"; - privateDir = "/var/samba/private"; - samba = cfg.package; setupScript = '' - if ! test -d /var/samba ; then - mkdir -p /var/samba/locks /var/samba/cores/nmbd /var/samba/cores/smbd /var/samba/cores/winbindd - fi - - passwdFile="$(${pkgs.gnused}/bin/sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' ${configFile})" - if [ -n "$passwdFile" ]; then - echo 'INFO: [samba] creating directory containing passwd file' - mkdir -p "$(dirname "$passwdFile")" - fi - - mkdir -p ${logDir} - mkdir -p ${privateDir} + mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private ''; shareConfig = name: @@ -39,9 +25,10 @@ let (if cfg.configText != null then cfg.configText else '' [ global ] - log file = ${logDir}/log.%m - private dir = ${privateDir} - ${optionalString cfg.syncPasswordsByPam "pam password change = true"} + security = ${cfg.securityType} + passwd program = /var/setuid-wrappers/passwd %u + pam password change = ${toString cfg.syncPasswordsByPam} + invalid users = ${toString cfg.invalidUsers} ${cfg.extraConfig} @@ -83,14 +70,16 @@ in services.samba = { enable = mkOption { + type = types.bool; default = false; - description = " + description = '' Whether to enable Samba, which provides file and print services to Windows clients through the SMB/CIFS protocol. - "; + ''; }; package = mkOption { + type = types.package; default = pkgs.samba; example = pkgs.samba4; description = '' @@ -99,72 +88,47 @@ in }; syncPasswordsByPam = mkOption { + type = types.bool; default = false; - description = " - enabling this will add a line directly after pam_unix.so. + description = '' + Enabling this will add a line directly after pam_unix.so. Whenever a password is changed the samba password will be updated as well. However you still yave to add the samba password once using smbpasswd -a user If you don't want to maintain an extra pwd database you still can send plain text passwords which is not secure. - "; + ''; + }; + + invalidUsers = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + description = '' + List of users who are denied to login via Samba. + ''; }; extraConfig = mkOption { - # !!! Bad default. - default = '' - # [global] continuing global section here, section is started by nix to set pids etc - - smb passwd file = /etc/samba/passwd - - # is this useful ? - domain master = auto - - encrypt passwords = Yes - client plaintext auth = No - - # yes: if you use this you probably also want to enable syncPasswordsByPam - # no: You can still use the pam password database. However - # passwords will be sent plain text on network (discouraged) - - workgroup = Users - server string = %h - comment = Samba - log file = /var/log/samba/log.%m - log level = 10 - max log size = 50000 - security = ${cfg.securityType} - - client lanman auth = Yes - dns proxy = no - invalid users = root - passdb backend = tdbsam - passwd program = /usr/bin/passwd %u + type = types.lines; + default = ""; + description = '' + Additional global section and extra section lines go in here. ''; - - description = " - additional global section and extra section lines go in here. - "; - }; - - configFile = mkOption { - description = " - internal use to pass filepath to samba pam module - "; }; configText = mkOption { type = types.nullOr types.lines; default = null; - description = " + description = '' Verbatim contents of smb.conf. If null (default), use the autogenerated file from NixOS instead. - "; + ''; }; securityType = mkOption { - description = "Samba security type"; + type = types.str; default = "user"; example = "share"; + description = "Samba security type"; }; nsswins = mkOption { @@ -179,12 +143,11 @@ in shares = mkOption { default = {}; - description = - '' + description = '' A set describing shared resources. See man smb.conf for options. - ''; - type = types.attrsOf (types.attrsOf types.str); + ''; + type = types.attrsOf (types.attrsOf types.unspecified); example = { srv = { path = "/srv";