Port Samba role

This commit is contained in:
Aathavan 2023-04-11 08:04:22 +00:00 committed by Brian Zalewski
parent 441d2ccec3
commit da82d052a8
7 changed files with 186 additions and 11 deletions


@ -115,6 +115,9 @@
{{- writeToStdout "Chezmoi is running in headless environment.\n" -}} {{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
{{- end -}} {{- end -}}
{{- $sambaNetBiosName := (default $hostname (env "SAMBA_NETBIOS_NAME")) -}}
{{- $sambaWorkGroupName := (default "BETELGEUSE" (env "SAMBA_WORKGROUP")) -}}
encryption: "age" encryption: "age"
age: age:
identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt" identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
@ -136,10 +139,14 @@ data:
secondary: 1.1.1.1#cloudflare-dns.com secondary: 1.1.1.1#cloudflare-dns.com
docker: docker:
doRegion: nyc1 doRegion: nyc1
domain: "{{ $domain }}"
headless: {{ $headless }} headless: {{ $headless }}
home: "{{ .chezmoi.homeDir }}" home: "{{ .chezmoi.homeDir }}"
homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}" homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}"
hostname: "{{ $hostname }}" hostname: "{{ $hostname }}"
samba:
netbiosName: "{{ $sambaNetBiosName }}"
workgroup: "{{ $sambaWorkGroupName }}"
ssh: ssh:
allowTCPForwarding: no allowTCPForwarding: no
allowUsers: {{ output "echo" "$USER" }} allowUsers: {{ output "echo" "$USER" }}
@ -149,6 +156,7 @@ data:
excludedSubnets: excludedSubnets:
- 10.0.0.0/24 - 10.0.0.0/24
- 10.14.50.0/24 - 10.14.50.0/24
- 192.168.1.0/24
qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }} qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }}
restricted: {{ $restricted }} restricted: {{ $restricted }}
softwareGroup: "{{ $softwareGroup }}" softwareGroup: "{{ $softwareGroup }}"
@ -163,6 +171,7 @@ data:
r2: "{{ $cloudflareR2AccountId }}" r2: "{{ $cloudflareR2AccountId }}"
username: "{{ $cloudflareUsername }}" username: "{{ $cloudflareUsername }}"
defaultBrowser: firefox defaultBrowser: firefox
# `domain` is kept here for backwards compatibility, but the .host.domain is the preferred selector
domain: "{{ $domain }}" domain: "{{ $domain }}"
email: "{{ $email }}" email: "{{ $email }}"
gcloud: gcloud:
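Review bot: The new `netbiosName: "{{ $sambaNetBiosName }}"` in the second hunk defaults to `$hostname`, but smb.conf(5) limits a NetBIOS name to 15 characters and Samba's own default is only the first label of the host name, so a long or fully-qualified `$hostname` yields a value Samba cannot use as-is. `$hostname` is assigned outside the hunk, so whether it is already a short single label is not visible here; if it is not, the first hunk could take the first label, `{{- $sambaNetBiosName := (default (index (splitList "." $hostname) 0) (env "SAMBA_NETBIOS_NAME")) -}}`, and carry a comment `{{/* NetBIOS names are limited to 15 characters */}}` so that whoever sets SAMBA_NETBIOS_NAME knows the constraint. The `domain: "{{ $domain }}"` line added in the second hunk (which appears to sit under `host:`) has no comment, while the comment added in the last hunk only explains the `.user.domain` copy; a one-line comment above the new line, `# preferred selector; .user.domain is kept for backwards compatibility`, would keep the two in step.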


@ -1,10 +0,0 @@
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
# Samba logic
echo true
{{ end -}}


@ -0,0 +1,81 @@
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
# @file Samba Configuration
# @brief This script configures Samba by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
# @description
# This script applies the Samba configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if Samba is installed.
# The script and default configuration set up two Samba shares.
#
# ## Security
#
# Both shares are configured by default to only accept connections
# from hosts with DNS that ends in `.local.PUBLIC_SERVICES_DOMAIN`, where `PUBLIC_SERVICES_DOMAIN` is an environment variable that
# can be passed into Install Doctor. So, if your `PUBLIC_SERVICES_DOMAIN` environment variable is set to `megabyte.space`, then
# a device with a FQDN of `alpha.local.megabyte.space` pointing to its LAN location will be able to connect but a device
# with a FQDN of `alpha.megabyte.space` will not be able to connect.
#
# ## Samba Shares / S3 Backup
#
# If CloudFlare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
# Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folder / symlink that the
# shares host data from are stored at `/mnt/samba-private` and `/mnt/samba-public`.
#
# 1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
# 2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group
#
# ## Symlinks
#
# Symlinks are disabled for security reasons. This is because, with symlinking enabled, people can create symlinks on the shares and use the symlinks to access system files outside of the
# Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable the symlinks in shares.
#
# ## Printers
#
# Printer sharing is not enabled by default. There are commented lines in the default configuration that should provide a nice stepping
# stone if you want to use Samba for printer sharing (with CUPS).
#
# ## Environment Variables
#
# The following chart details some of the environment variables that are used to determine the configuration of the
# Samba shares:
#
# | Environment Variable | Description |
# |-----------------------------|-----------------------------------------------------------------------------------------------------|
# | `PUBLIC_SERVICES_DOMAIN` | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
# | `SAMBA_NETBIOS_NAME` | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value) |
# | `SAMBA_WORKGROUP` | Controls Samba workgroup name (defaults to "BETELGEUSE") |
#
# ## Links
#
# * [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Configure Samba server
if command -v smbd > /dev/null; then
### Ensure private Samba directory / symlink exists
if [ -d /mnt/s3-private ] && [ ! -d /mnt/samba-private ]; then
sudo ln -s /mnt/s3-private /mnt/samba-private
else
sudo mkdir /mnt/samba-private
fi
### Ensure public Samba directory / symlink exists
if [ -d /mnt/s3-public ] && [ ! -d /mnt/samba-public ]; then
sudo ln -s /mnt/s3-public /mnt/samba-public
else
sudo mkdir /mnt/samba-public
fi
### Copy the Samba server configuration file
logg info "Copying Samba server configuration to /etc/samba/smb.conf"
sudo cp -f "${XDG_DATA_HOME:-$HOME/.config}/samba/config" "/etc/samba/smb.conf"
### Reload configuration file changes
smbcontrol smbd reload-config
else
logg info "Samba server is not installed"
fi
{{ end -}}


@ -0,0 +1,14 @@
[Unit]
Description=rclone S3 service (docker)
After=network-online.target
[Service]
Type=simple
User=rclone
ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-docker"
ExecStop=/bin/fusermount -u /mnt/s3-docker
Restart=always
RestartSec=10
[Install]
WantedBy=default.target
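Review bot: `After=network-online.target` in this unit orders it after a target that nothing here pulls in, so the ordering is a no-op unless some other unit happens to want `network-online.target`; the conventional pairing is `Wants=network-online.target` on the line above `After=`, and the same applies to the s3-system unit added further down. `WantedBy=default.target` is unusual for a system service — `multi-user.target` is the usual target and `default.target` only reaches it through an alias — so confirm this unit is meant to be installed in the system scope rather than as a user unit. `ExecStop=/bin/fusermount -u /mnt/s3-docker` runs as `User=rclone`, which only works if that user is the one that created the FUSE mount; what `/usr/local/bin/rclone-mount` does with its three arguments is outside the diff, so I cannot tell whether that holds.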


@ -1,5 +1,5 @@
[Unit] [Unit]
Description=rclone S3 system service (public) Description=rclone S3 service (public)
After=network-online.target After=network-online.target
[Service] [Service]


@ -0,0 +1,14 @@
[Unit]
Description=rclone S3 service (system)
After=network-online.target
[Service]
Type=simple
User=rclone
ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-system"
ExecStop=/bin/fusermount -u /mnt/s3-system
Restart=always
RestartSec=10
[Install]
WantedBy=default.target


@ -0,0 +1,67 @@
[global]
# Allow connections with hostnames that can be resolved from hostname.local.{{ .user.domain }}
allow hosts = .local.{{ .user.domain }}
hostname lookups = yes
# Allows users without accounts to log in and be assigned to the guest account
map to guest = bad user
netbios name = {{ .host.samba.netbiosName }}
obey pam restrictions = yes
proxy = no
# Allow using DNS to specify allowed hosts
# Source: https://serverfault.com/questions/702455/samba-hosts-allow-example-com
dns proxy = yes
security = user
server role = standalone server
server string = Samba on %L
workgroup = {{ .host.samba.workgroup }}
# Printing - Uncomment these lines to enable Samba printer sharing with CUPSD
# Source: https://wiki.archlinux.org/index.php/CUPS/Printer_sharing
# load printers = yes
# printing = CUPS
# Symlinks - Uncomment the following two options to enable symlinking (including symlinks outside of the shared folder)
# This feature is disabled by default due to security concerns (i.e. people can create symlinks on the shares and access system files if the share is writable)
# unix extension = no
# wide links = yes
[Private]
browsable = yes
comment = Authenticated share with read/write capabilities (backed up to S3)
follow symlinks = no
guest only = no
path = /mnt/samba-private
public = no
valid users = @sambausers
writable = true
[Public]
browsable = yes
comment = Public folder provided for file sharing on the LAN (backed up to S3)
follow symlinks = no
guest only = yes
path = /mnt/samba-public
public = yes
writable = yes
# [printers]
# browsable = yes
# comment = Printers
# path = /var/spool/samba/
# printable = yes
# public = yes
# writable = no
# [print]
# browsable = yes
# comment = Printer drivers
# path = /var/lib/samba/printers
# public = yes
# writable = no
# [HPOfficeJetPro]
# comment = HP OfficeJet Pro printer
# path = /var/spool/samba/
# printable = yes
# # Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
# printer name = HP OfficeJet Pro 6978
# public = yes
# writable = no
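Review bot: The comment `# Allow using DNS to specify allowed hosts` sits above `dns proxy = yes`, but `dns proxy` only tells nmbd to fall back to DNS for unregistered NetBIOS names; name-based matching in `allow hosts` depends on `hostname lookups = yes`, which is already set above, so that comment belongs there and `dns proxy` should get its own, e.g. `# Let nmbd resolve unregistered NetBIOS names through DNS`. `proxy = no` does not match any global parameter I know of (`wins proxy` and `dns proxy` are the documented ones), so running `testparm` over the rendered file is worth doing before this lands, since the install script copies it into place unchecked. `writable = true` in `[Private]` and `writable = yes` in `[Public]` are both accepted by Samba, but the file should use one spelling: `writable = yes`. With `map to guest = bad user` and a `[Public]` share that is `guest only = yes` / `writable = yes`, the `allow hosts` line is the only thing standing between a LAN client and anonymous write access, and it relies on the client's reverse-DNS name ending in `.local.{{ .user.domain }}`; a comment above it, `# NOTE: this is a DNS-name filter, not authentication - the Public share is writable by any host that passes it`, would make the trust boundary explicit.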