Port Samba role
This commit is contained in:
parent
441d2ccec3
commit
da82d052a8
7 changed files with 186 additions and 11 deletions
|
@ -115,6 +115,9 @@
|
||||||
{{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
|
{{- writeToStdout "Chezmoi is running in headless environment.\n" -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $sambaNetBiosName := (default $hostname (env "SAMBA_NETBIOS_NAME")) -}}
|
||||||
|
{{- $sambaWorkGroupName := (default "BETELGEUSE" (env "SAMBA_WORKGROUP")) -}}
|
||||||
|
|
||||||
encryption: "age"
|
encryption: "age"
|
||||||
age:
|
age:
|
||||||
identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
|
identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
|
||||||
|
@ -136,10 +139,14 @@ data:
|
||||||
secondary: 1.1.1.1#cloudflare-dns.com
|
secondary: 1.1.1.1#cloudflare-dns.com
|
||||||
docker:
|
docker:
|
||||||
doRegion: nyc1
|
doRegion: nyc1
|
||||||
|
domain: "{{ $domain }}"
|
||||||
headless: {{ $headless }}
|
headless: {{ $headless }}
|
||||||
home: "{{ .chezmoi.homeDir }}"
|
home: "{{ .chezmoi.homeDir }}"
|
||||||
homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}"
|
homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}"
|
||||||
hostname: "{{ $hostname }}"
|
hostname: "{{ $hostname }}"
|
||||||
|
samba:
|
||||||
|
netbiosName: "{{ $sambaNetBiosName }}"
|
||||||
|
workgroup: "{{ $sambaWorkGroupName }}"
|
||||||
ssh:
|
ssh:
|
||||||
allowTCPForwarding: no
|
allowTCPForwarding: no
|
||||||
allowUsers: {{ output "echo" "$USER" }}
|
allowUsers: {{ output "echo" "$USER" }}
|
||||||
|
@ -149,6 +156,7 @@ data:
|
||||||
excludedSubnets:
|
excludedSubnets:
|
||||||
- 10.0.0.0/24
|
- 10.0.0.0/24
|
||||||
- 10.14.50.0/24
|
- 10.14.50.0/24
|
||||||
|
- 192.168.1.0/24
|
||||||
qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }}
|
qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }}
|
||||||
restricted: {{ $restricted }}
|
restricted: {{ $restricted }}
|
||||||
softwareGroup: "{{ $softwareGroup }}"
|
softwareGroup: "{{ $softwareGroup }}"
|
||||||
|
@ -163,6 +171,7 @@ data:
|
||||||
r2: "{{ $cloudflareR2AccountId }}"
|
r2: "{{ $cloudflareR2AccountId }}"
|
||||||
username: "{{ $cloudflareUsername }}"
|
username: "{{ $cloudflareUsername }}"
|
||||||
defaultBrowser: firefox
|
defaultBrowser: firefox
|
||||||
|
# `domain` is kept here for backwards compatibility, but the .host.domain is the preferred selector
|
||||||
domain: "{{ $domain }}"
|
domain: "{{ $domain }}"
|
||||||
email: "{{ $email }}"
|
email: "{{ $email }}"
|
||||||
gcloud:
|
gcloud:
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
{{- if (ne .host.distro.family "windows") -}}
|
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
{{ includeTemplate "universal/profile" }}
|
|
||||||
{{ includeTemplate "universal/logg" }}
|
|
||||||
|
|
||||||
# Samba logic
|
|
||||||
echo true
|
|
||||||
|
|
||||||
{{ end -}}
|
|
|
@ -0,0 +1,81 @@
|
||||||
|
{{- if (ne .host.distro.family "windows") -}}
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# @file Samba Configuration
|
||||||
|
# @brief This script configures Samba by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
|
||||||
|
# @description
|
||||||
|
# This script applies the Samba configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if Samba is installed.
|
||||||
|
# The script and default configuration set up two Samba shares.
|
||||||
|
#
|
||||||
|
# ## Security
|
||||||
|
#
|
||||||
|
# Both shares are configured by default to only accept connections
|
||||||
|
# from hosts with DNS that ends in `.local.PUBLIC_SERVICES_DOMAIN`, where `PUBLIC_SERVICES_DOMAIN` is an environment variable that
|
||||||
|
# can be passed into Install Doctor. So, if your `PUBLIC_SERVICES_DOMAIN` environment variable is set to `megabyte.space`, then
|
||||||
|
# a device with a FQDN of `alpha.local.megabyte.space` pointing to its LAN location will be able to connect but a device
|
||||||
|
# with a FQDN of `alpha.megabyte.space` will not be able to connect.
|
||||||
|
#
|
||||||
|
# ## Samba Shares / S3 Backup
|
||||||
|
#
|
||||||
|
# If CloudFlare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
|
||||||
|
# Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folder / symlink that the
|
||||||
|
# shares host data from are stored at `/mnt/samba-private` and `/mnt/samba-public`.
|
||||||
|
#
|
||||||
|
# 1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
|
||||||
|
# 2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group
|
||||||
|
#
|
||||||
|
# ## Symlinks
|
||||||
|
#
|
||||||
|
# Symlinks are disabled for security reasons. This is because, with symlinking enabled, people can create symlinks on the shares and use the symlinks to access system files outside of the
|
||||||
|
# Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable the symlinks in shares.
|
||||||
|
#
|
||||||
|
# ## Printers
|
||||||
|
#
|
||||||
|
# Printer sharing is not enabled by default. There are commented lines in the default configuration that should provide a nice stepping
|
||||||
|
# stone if you want to use Samba for printer sharing (with CUPS).
|
||||||
|
#
|
||||||
|
# ## Environment Variables
|
||||||
|
#
|
||||||
|
# The following chart details some of the environment variables that are used to determine the configuration of the
|
||||||
|
# Samba shares:
|
||||||
|
#
|
||||||
|
# | Environment Variable | Description |
|
||||||
|
# |-----------------------------|-----------------------------------------------------------------------------------------------------|
|
||||||
|
# | `PUBLIC_SERVICES_DOMAIN` | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
|
||||||
|
# | `SAMBA_NETBIOS_NAME` | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value) |
|
||||||
|
# | `SAMBA_WORKGROUP` | Controls Samba workgroup name (defaults to "BETELGEUSE") |
|
||||||
|
#
|
||||||
|
# ## Links
|
||||||
|
#
|
||||||
|
# * [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
|
||||||
|
# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
|
||||||
|
|
||||||
|
{{ includeTemplate "universal/profile" }}
|
||||||
|
{{ includeTemplate "universal/logg" }}
|
||||||
|
|
||||||
|
### Configure Samba server
|
||||||
|
if command -v smbd > /dev/null; then
|
||||||
|
### Ensure private Samba directory / symlink exists
|
||||||
|
if [ -d /mnt/s3-private ] && [ ! -d /mnt/samba-private ]; then
|
||||||
|
sudo ln -s /mnt/s3-private /mnt/samba-private
|
||||||
|
else
|
||||||
|
sudo mkdir /mnt/samba-private
|
||||||
|
fi
|
||||||
|
|
||||||
|
### Ensure public Samba directory / symlink exists
|
||||||
|
if [ -d /mnt/s3-public ] && [ ! -d /mnt/samba-public ]; then
|
||||||
|
sudo ln -s /mnt/s3-public /mnt/samba-public
|
||||||
|
else
|
||||||
|
sudo mkdir /mnt/samba-public
|
||||||
|
fi
|
||||||
|
|
||||||
|
### Copy the Samba server configuration file
|
||||||
|
logg info "Copying Samba server configuration to /etc/samba/smb.conf"
|
||||||
|
sudo cp -f "${XDG_DATA_HOME:-$HOME/.config}/samba/config" "/etc/samba/smb.conf"
|
||||||
|
|
||||||
|
### Reload configuration file changes
|
||||||
|
smbcontrol smbd reload-config
|
||||||
|
else
|
||||||
|
logg info "Samba server is not installed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{ end -}}
|
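--- /dev/null
+++ b/home/dot_config/rclone/system/s3-docker.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (docker)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-docker"
+ExecStop=/bin/fusermount -u /mnt/s3-docker
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target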
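Review bot: `After=network-online.target` on its own only orders the unit relative to that target if something else pulls the target in; systemd's documentation says a unit that needs the network should also declare `Wants=network-online.target`, otherwise `ExecStart` can run before the network is up and the first mount attempt fails (the `Restart=always` / `RestartSec=10` pair then masks this with a retry rather than preventing it). The same applies to `s3-system.service.tmpl` in this commit, and to the untouched `After=` line in `s3-public.service.tmpl`. `ExecStop=/bin/fusermount -u /mnt/s3-docker` hard-codes the mount point while `ExecStart` only passes `s3-docker` to `rclone-mount`; if the wrapper derives `/mnt/<name>` from its last argument this is fine, but a comment such as `# mount point must match what rclone-mount derives from its last argument` would keep the two lines in step. Proposed change: add `Wants=network-online.target` directly after the `After=` line in `[Unit]`.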
|
@ -1,5 +1,5 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=rclone S3 system service (public)
|
Description=rclone S3 service (public)
|
||||||
After=network-online.target
|
After=network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
|
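--- /dev/null
+++ b/home/dot_config/rclone/system/s3-system.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (system)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-system"
+ExecStop=/bin/fusermount -u /mnt/s3-system
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target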
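--- /dev/null
+++ b/home/dot_config/samba/config.tmpl
@@ -0,0 +1,67 @@
+[global]
+# Allow connections with hostnames that can be resolved from hostname.local.{{ .user.domain }}
+allow hosts = .local.{{ .user.domain }}
+hostname lookups = yes
+# Allows users without accounts to log in and be assigned to the guest account
+map to guest = bad user
+netbios name = {{ .host.samba.netbiosName }}
+obey pam restrictions = yes
+proxy = no
+# Allow using DNS to specify allowed hosts
+# Source: https://serverfault.com/questions/702455/samba-hosts-allow-example-com
+dns proxy = yes
+security = user
+server role = standalone server
+server string = Samba on %L
+workgroup = {{ .host.samba.workgroup }}
+# Printing - Uncomment these lines to enable Samba printer sharing with CUPSD
+# Source: https://wiki.archlinux.org/index.php/CUPS/Printer_sharing
+# load printers = yes
+# printing = CUPS
+# Symlinks - Uncomment the following two options to enable symlinking (including symlinks outside of the shared folder)
+# This feature is disabled by default due to security concerns (i.e. people can create symlinks on the shares and access system files if the share is writable)
+# unix extension = no
+# wide links = yes
+
+[Private]
+browsable = yes
+comment = Authenticated share with read/write capabilities (backed up to S3)
+follow symlinks = no
+guest only = no
+path = /mnt/samba-private
+public = no
+valid users = @sambausers
+writable = true
+
+[Public]
+browsable = yes
+comment = Public folder provided for file sharing on the LAN (backed up to S3)
+follow symlinks = no
+guest only = yes
+path = /mnt/samba-public
+public = yes
+writable = yes
+
+# [printers]
+# browsable = yes
+# comment = Printers
+# path = /var/spool/samba/
+# printable = yes
+# public = yes
+# writable = no
+
+# [print]
+# browsable = yes
+# comment = Printer drivers
+# path = /var/lib/samba/printers
+# public = yes
+# writable = no
+
+# [HPOfficeJetPro]
+# comment = HP OfficeJet Pro printer
+# path = /var/spool/samba/
+# printable = yes
+# # Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
+# printer name = HP OfficeJet Pro 6978
+# public = yes
+# writable = no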
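Review bot: The commented-out `# unix extension = no` under the symlink note will not do what the comment promises when uncommented, because the smb.conf parameter is `unix extensions` (plural); Samba would report the singular form as an unknown parameter, and as far as I recall `wide links = yes` is ignored while `unix extensions` stays at its default, so the option would silently have no effect — the line should read `# unix extensions = no`. I also do not recognise `proxy = no` in `[global]` as an smb.conf parameter (`dns proxy` a few lines down is one), so the rendered file should be checked with `testparm -s` before it is installed. The `.local.{{ .user.domain }}` restriction is evaluated from the reverse-DNS name of the connecting host (`hostname lookups = yes`), so it is a LAN-convenience filter rather than authentication, and `[Public]` is guest-writable for every host that passes it; a comment above `allow hosts` such as `# Host filter only: relies on reverse DNS, not a substitute for authentication` would make that explicit. The first hunk of this commit adds `domain` under `host:` and states that `.host.domain` is the preferred selector, yet this new template reads `.user.domain` — using `{{ .host.domain }}` here would follow the convention the commit itself introduces. Finally, `[Private]` uses `writable = true` while `[Public]` uses `writable = yes`; both parse, but one spelling keeps the file consistent.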