Port Samba role
This commit is contained in:
parent
441d2ccec3
commit
da82d052a8
7 changed files with 186 additions and 11 deletions
|
@ -115,6 +115,9 @@
|
|||
{{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $sambaNetBiosName := (default $hostname (env "SAMBA_NETBIOS_NAME")) -}}
|
||||
{{- $sambaWorkGroupName := (default "BETELGEUSE" (env "SAMBA_WORKGROUP")) -}}
|
||||
|
||||
encryption: "age"
|
||||
age:
|
||||
identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
|
||||
|
@ -136,10 +139,14 @@ data:
|
|||
secondary: 1.1.1.1#cloudflare-dns.com
|
||||
docker:
|
||||
doRegion: nyc1
|
||||
domain: "{{ $domain }}"
|
||||
headless: {{ $headless }}
|
||||
home: "{{ .chezmoi.homeDir }}"
|
||||
homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}"
|
||||
hostname: "{{ $hostname }}"
|
||||
samba:
|
||||
netbiosName: "{{ $sambaNetBiosName }}"
|
||||
workgroup: "{{ $sambaWorkGroupName }}"
|
||||
ssh:
|
||||
allowTCPForwarding: no
|
||||
allowUsers: {{ output "echo" "$USER" }}
|
||||
|
@ -149,6 +156,7 @@ data:
|
|||
excludedSubnets:
|
||||
- 10.0.0.0/24
|
||||
- 10.14.50.0/24
|
||||
- 192.168.1.0/24
|
||||
qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }}
|
||||
restricted: {{ $restricted }}
|
||||
softwareGroup: "{{ $softwareGroup }}"
|
||||
|
@ -163,6 +171,7 @@ data:
|
|||
r2: "{{ $cloudflareR2AccountId }}"
|
||||
username: "{{ $cloudflareUsername }}"
|
||||
defaultBrowser: firefox
|
||||
# `domain` is kept here for backwards compatibility, but the .host.domain is the preferred selector
|
||||
domain: "{{ $domain }}"
|
||||
email: "{{ $email }}"
|
||||
gcloud:
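Review bot: The new `netbiosName` value defaults to `$hostname` without any length check, and NetBIOS names are limited to 15 characters, so on hosts with longer hostnames the `netbios name` written into smb.conf will be truncated or rejected by smbd. Trimming at the template level keeps the data file self-describing, e.g. `{{- $sambaNetBiosName := (default (trunc 15 $hostname) (env "SAMBA_NETBIOS_NAME")) -}}`, or at least a comment above the new line saying the value must be 15 characters or fewer. The same applies to an explicit `SAMBA_NETBIOS_NAME`, which is passed through unchecked.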
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
{{- if (ne .host.distro.family "windows") -}}
|
||||
#!/usr/bin/env bash
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
# Samba logic
|
||||
echo true
|
||||
|
||||
{{ end -}}
|
|
@ -0,0 +1,81 @@
|
|||
{{- if (ne .host.distro.family "windows") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Samba Configuration
|
||||
# @brief This script configures Samba by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
|
||||
# @description
|
||||
# This script applies the Samba configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if Samba is installed.
|
||||
# The script and default configuration set up two Samba shares.
|
||||
#
|
||||
# ## Security
|
||||
#
|
||||
# Both shares are configured by default to only accept connections
|
||||
# from hosts with DNS that ends in `.local.PUBLIC_SERVICES_DOMAIN`, where `PUBLIC_SERVICES_DOMAIN` is an environment variable that
|
||||
# can be passed into Install Doctor. So, if your `PUBLIC_SERVICES_DOMAIN` environment variable is set to `megabyte.space`, then
|
||||
# a device with a FQDN of `alpha.local.megabyte.space` pointing to its LAN location will be able to connect but a device
|
||||
# with a FQDN of `alpha.megabyte.space` will not be able to connect.
|
||||
#
|
||||
# ## Samba Shares / S3 Backup
|
||||
#
|
||||
# If CloudFlare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
|
||||
# Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folder / symlink that the
|
||||
# shares host data from are stored at `/mnt/samba-private` and `/mnt/samba-public`.
|
||||
#
|
||||
# 1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
|
||||
# 2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group
|
||||
#
|
||||
# ## Symlinks
|
||||
#
|
||||
# Symlinks are disabled for security reasons. This is because, with symlinking enabled, people can create symlinks on the shares and use the symlinks to access system files outside of the
|
||||
# Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable the symlinks in shares.
|
||||
#
|
||||
# ## Printers
|
||||
#
|
||||
# Printer sharing is not enabled by default. There are commented lines in the default configuration that should provide a nice stepping
|
||||
# stone if you want to use Samba for printer sharing (with CUPS).
|
||||
#
|
||||
# ## Environment Variables
|
||||
#
|
||||
# The following chart details some of the environment variables that are used to determine the configuration of the
|
||||
# Samba shares:
|
||||
#
|
||||
# | Environment Variable | Description |
|
||||
# |-----------------------------|-----------------------------------------------------------------------------------------------------|
|
||||
# | `PUBLIC_SERVICES_DOMAIN` | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
|
||||
# | `SAMBA_NETBIOS_NAME` | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value) |
|
||||
# | `SAMBA_WORKGROUP` | Controls Samba workgroup name (defaults to "BETELGEUSE") |
|
||||
#
|
||||
# ## Links
|
||||
#
|
||||
# * [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
|
||||
# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Configure Samba server
|
||||
if command -v smbd > /dev/null; then
|
||||
### Ensure private Samba directory / symlink exists
|
||||
if [ -d /mnt/s3-private ] && [ ! -d /mnt/samba-private ]; then
|
||||
sudo ln -s /mnt/s3-private /mnt/samba-private
|
||||
else
|
||||
sudo mkdir /mnt/samba-private
|
||||
fi
|
||||
|
||||
### Ensure public Samba directory / symlink exists
|
||||
if [ -d /mnt/s3-public ] && [ ! -d /mnt/samba-public ]; then
|
||||
sudo ln -s /mnt/s3-public /mnt/samba-public
|
||||
else
|
||||
sudo mkdir /mnt/samba-public
|
||||
fi
|
||||
|
||||
### Copy the Samba server configuration file
|
||||
logg info "Copying Samba server configuration to /etc/samba/smb.conf"
|
||||
sudo cp -f "${XDG_DATA_HOME:-$HOME/.config}/samba/config" "/etc/samba/smb.conf"
|
||||
|
||||
### Reload configuration file changes
|
||||
smbcontrol smbd reload-config
|
||||
else
|
||||
logg info "Samba server is not installed"
|
||||
fi
|
||||
|
||||
{{ end -}}
|
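--- a/home/dot_config/rclone/system/s3-docker.service.tmpl
+++ b/home/dot_config/rclone/system/s3-docker.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (docker)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-docker"
+ExecStop=/bin/fusermount -u /mnt/s3-docker
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target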
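Review bot: `After=network-online.target` on its own does not delay the unit until the network is up, because nothing here pulls `network-online.target` in; the unit needs `Wants=network-online.target` alongside it, and the same line is missing from `home/dot_config/rclone/system/s3-system.service.tmpl`. Without it, `Restart=always` with `RestartSec=10` means the mount is retried every ten seconds at boot until the network appears, which is noisy rather than dangerous. `ExecStop=/bin/fusermount -u /mnt/s3-docker` hard-codes `/bin`; on distributions that ship `/usr/bin/fusermount` (or only `fusermount3`) the stop action fails, so `/usr/bin/env fusermount -u /mnt/s3-docker` is more portable. The unit also presumes `/usr/local/bin/rclone-mount` mounts at `/mnt/s3-docker`; that helper is outside this commit, so I cannot confirm the two paths agree.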
|
@ -1,5 +1,5 @@
|
|||
[Unit]
|
||||
Description=rclone S3 system service (public)
|
||||
Description=rclone S3 service (public)
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
|
|
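--- a/home/dot_config/rclone/system/s3-system.service.tmpl
+++ b/home/dot_config/rclone/system/s3-system.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (system)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-system"
+ExecStop=/bin/fusermount -u /mnt/s3-system
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target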
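--- a/home/dot_config/samba/config.tmpl
+++ b/home/dot_config/samba/config.tmpl
@@ -0,0 +1,67 @@
+[global]
+# Allow connections with hostnames that can be resolved from hostname.local.{{ .user.domain }}
+allow hosts = .local.{{ .user.domain }}
+hostname lookups = yes
+# Allows users without accounts to log in and be assigned to the guest account
+map to guest = bad user
+netbios name = {{ .host.samba.netbiosName }}
+obey pam restrictions = yes
+proxy = no
+# Allow using DNS to specify allowed hosts
+# Source: https://serverfault.com/questions/702455/samba-hosts-allow-example-com
+dns proxy = yes
+security = user
+server role = standalone server
+server string = Samba on %L
+workgroup = {{ .host.samba.workgroup }}
+# Printing - Uncomment these lines to enable Samba printer sharing with CUPSD
+# Source: https://wiki.archlinux.org/index.php/CUPS/Printer_sharing
+# load printers = yes
+# printing = CUPS
+# Symlinks - Uncomment the following two options to enable symlinking (including symlinks outside of the shared folder)
+# This feature is disabled by default due to security concerns (i.e. people can create symlinks on the shares and access system files if the share is writable)
+# unix extension = no
+# wide links = yes
+
+[Private]
+browsable = yes
+comment = Authenticated share with read/write capabilities (backed up to S3)
+follow symlinks = no
+guest only = no
+path = /mnt/samba-private
+public = no
+valid users = @sambausers
+writable = true
+
+[Public]
+browsable = yes
+comment = Public folder provided for file sharing on the LAN (backed up to S3)
+follow symlinks = no
+guest only = yes
+path = /mnt/samba-public
+public = yes
+writable = yes
+
+# [printers]
+# browsable = yes
+# comment = Printers
+# path = /var/spool/samba/
+# printable = yes
+# public = yes
+# writable = no
+
+# [print]
+# browsable = yes
+# comment = Printer drivers
+# path = /var/lib/samba/printers
+# public = yes
+# writable = no
+
+# [HPOfficeJetPro]
+# comment = HP OfficeJet Pro printer
+# path = /var/spool/samba/
+# printable = yes
+# # Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
+# printer name = HP OfficeJet Pro 6978
+# public = yes
+# writable = no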
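Review bot: The commented symlink option `# unix extension = no` uses a parameter name smbd does not recognise; the Samba parameter is `unix extensions`, so uncommenting the line as written would have no effect, and `wide links = yes` is only honoured when `unix extensions = no` is actually in force — the line should read `# unix extensions = no`. Access control for both shares rests on `allow hosts = .local.{{ .user.domain }}`, a name-based rule that depends on DNS (reverse lookup of the client address) and is therefore only as trustworthy as the resolver smbd uses; the `[Public]` share pairs it with `guest only = yes` and `writable = yes`, so whoever can satisfy that lookup gets anonymous write access, and adding an address-based entry for the LAN, e.g. `allow hosts = 192.168.1.0/24 .local.{{ .user.domain }}` (subnet is an example), keeps the rule meaningful if DNS is spoofed. The comment `# Allow using DNS to specify allowed hosts` above `dns proxy = yes` overstates that parameter: it governs NetBIOS name resolution via DNS, while name-based `allow hosts` is enabled by `hostname lookups = yes` above it, so `# Resolve unregistered NetBIOS names via DNS` is the accurate wording. `writable = true` in `[Private]` versus `writable = yes` in `[Public]` is inconsistent; both parse, but one spelling is easier to audit.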