authorGregor Kleen <gkleen@yggdrasil.li>2023-03-05 13:15:33 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-05 13:15:33 +0100
commit3206ce36cb1232e176715973c9bd443fd462b54b (patch)
tree7e3dfafd1afad237f3fb3fe60afdf96c798d7b0e /hosts
parent561046779758d2db6af5609b0a66aed134d86275 (diff)
vidhar: remove printing
Diffstat (limited to 'hosts')
-rw-r--r--hosts/vidhar/default.nix2
-rw-r--r--hosts/vidhar/dns/default.nix6
-rw-r--r--hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa6
-rw-r--r--hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa4
-rw-r--r--hosts/vidhar/dns/zones/yggdrasil.soa7
-rw-r--r--hosts/vidhar/network/ruleset.nft18
-rw-r--r--hosts/vidhar/printing/default.nix170
-rw-r--r--hosts/vidhar/printing/ruleset.nft191
-rw-r--r--hosts/vidhar/samba.nix15
9 files changed, 13 insertions, 406 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 5c70c669..d064e3da 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4 4
5{ 5{
6 imports = with flake.nixosModules.systemProfiles; [ 6 imports = with flake.nixosModules.systemProfiles; [
7 ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./printing 7 ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
8 tmpfs-root zfs 8 tmpfs-root zfs
9 initrd-all-crypto-modules default-locale openssh rebuild-machines 9 initrd-all-crypto-modules default-locale openssh rebuild-machines
10 build-server 10 build-server
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index f942b3f9..ade884e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -20,7 +20,7 @@ in {
20 enableRootTrustAnchor = false; 20 enableRootTrustAnchor = false;
21 settings = { 21 settings = {
22 server = { 22 server = {
23 interface = ["lo" "lan" "ve-printing"]; 23 interface = ["lo" "lan"];
24 prefer-ip6 = true; 24 prefer-ip6 = true;
25 access-control = ["0.0.0.0/0 allow" "::/0 allow"]; 25 access-control = ["0.0.0.0/0 allow" "::/0 allow"];
26 root-hints = "${pkgs.dns-root-data}/root.hints"; 26 root-hints = "${pkgs.dns-root-data}/root.hints";
@@ -79,10 +79,6 @@ in {
79 }; 79 };
80 }; 80 };
81 81
82 systemd.services.unbound = {
83 after = [ "container@printinp.service" ];
84 };
85
86 systemd.services.knot = { 82 systemd.services.knot = {
87 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; 83 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
88 serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys; 84 serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
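Review bot: With `ve-printing` dropped, `interface = ["lo" "lan"]` is the only thing limiting who can recurse through this unbound, because the `access-control = ["0.0.0.0/0 allow" "::/0 allow"]` two lines below still admits every source address. Binding by interface name is fine today, but any later addition to that list (or a dsl-facing address) would turn this into an open resolver with no second check; consider narrowing access-control to the prefixes actually served (loopback plus the lan/mgmt ranges the zone files cover, e.g. `10.141.0.0/16` and the site's ULA/GUA prefix, if those are the whole lan), unless something else on the host depends on the permissive ACL. The `settings` attribute set and the `systemd.services.knot` definition continue outside the hunk.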
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
index b23f6fd4..6074296e 100644
--- a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
@@ -1,7 +1,7 @@
1$ORIGIN 141.10.in-addr.arpa. 1$ORIGIN 141.10.in-addr.arpa.
2$TTL 300 2$TTL 300
3@ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( 3@ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li (
4 2023030500 ; serial 4 2023030501 ; serial
5 300 ; refresh 5 300 ; refresh
6 300 ; retry 6 300 ; retry
7 300 ; expire 7 300 ; expire
@@ -15,7 +15,3 @@ $TTL 300
151.1 IN PTR vidhar.mgmt.yggdrasil. 151.1 IN PTR vidhar.mgmt.yggdrasil.
162.1 IN PTR switch01.mgmt.yggdrasil. 162.1 IN PTR switch01.mgmt.yggdrasil.
174.1 IN PTR ap01.mgmt.yggdrasil. 174.1 IN PTR ap01.mgmt.yggdrasil.
18
193.2 IN PTR printer.printer.yggdrasil.
20
211.5 IN PTR printing.vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
index 39d59939..2d94b1e1 100644
--- a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
+++ b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
@@ -1,7 +1,7 @@
1$ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. 1$ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.
2$TTL 300 2$TTL 300
3@ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( 3@ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li (
4 2023030500 ; serial 4 2023030501 ; serial
5 300 ; refresh 5 300 ; refresh
6 300 ; retry 6 300 ; retry
7 300 ; expire 7 300 ; expire
@@ -13,5 +13,3 @@ $TTL 300
130.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil. 130.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil.
140.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil. 140.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil.
150.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil. 150.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil.
16
170.0.0.0.0.5.0.0.0.0.0.1 IN PTR printing.vidhar.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index e2b1a61b..f679b741 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
1$ORIGIN yggdrasil. 1$ORIGIN yggdrasil.
2$TTL 300 2$TTL 300
3@ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li ( 3@ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li (
4 2023030500 ; serial 4 2023030501 ; serial
5 300 ; refresh 5 300 ; refresh
6 300 ; retry 6 300 ; retry
7 300 ; expire 7 300 ; expire
@@ -28,8 +28,3 @@ vidhar.mgmt IN A 10.141.1.1
28switch01.mgmt IN A 10.141.1.2 28switch01.mgmt IN A 10.141.1.2
29dsl01.mgmt IN A 10.141.1.3 29dsl01.mgmt IN A 10.141.1.3
30ap01.mgmt IN A 10.141.1.4 30ap01.mgmt IN A 10.141.1.4
31
32printer.printer IN A 10.141.3.2
33
34printing.vidhar.lan IN A 10.141.5.1
35printing.vidhar IN AAAA 2a03:4000:52:ada:5::1
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 2080cf64..833013e9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -59,7 +59,6 @@ table inet filter {
59 counter fw-lo {} 59 counter fw-lo {}
60 counter fw-lan {} 60 counter fw-lan {}
61 counter fw-dsl {} 61 counter fw-dsl {}
62 counter fw-printing {}
63 62
64 counter fw-cups {} 63 counter fw-cups {}
65 64
@@ -140,16 +139,9 @@ table inet filter {
140 139
141 iifname lo counter name fw-lo accept 140 iifname lo counter name fw-lo accept
142 141
143 oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept 142 oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
144 iifname lan oifname { dsl, bifrost } counter name fw-lan accept 143 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
145 144
146 iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
147 iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
148
149 # iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
150 # iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept
151
152 iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
153 iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept 145 iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
154 146
155 147
@@ -178,7 +170,7 @@ table inet filter {
178 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 170 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
179 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 171 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
180 172
181 iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 173 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
182 174
183 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 175 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
184 176
@@ -188,7 +180,7 @@ table inet filter {
188 180
189 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 181 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
190 182
191 iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept 183 iifname mgmt udp dport 123 counter name ntp-rx accept
192 184
193 iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept 185 iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
194 186
@@ -255,7 +247,7 @@ table inet filter {
255 247
256table inet nat { 248table inet nat {
257 counter dsl-nat {} 249 counter dsl-nat {}
258 counter container-nat {} 250 # counter container-nat {}
259 251
260 chain postrouting { 252 chain postrouting {
261 type nat hook postrouting priority srcnat 253 type nat hook postrouting priority srcnat
@@ -263,7 +255,7 @@ table inet nat {
263 255
264 256
265 meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade 257 meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade
266 iifname ve-* oifname dsl counter name container-nat masquerade 258 # iifname ve-* oifname dsl counter name container-nat masquerade
267 } 259 }
268} 260}
269 261
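Review bot: `counter fw-cups {}` (new line 63) is kept although the only rules that referenced it, the two `oifname ve-printing ... tcp dport 631` accepts, are deleted in this hunk, so it is now an orphan counter; remove it together with `fw-printing`, or leave a comment saying CUPS forwarding is expected to return. The container NAT pieces in `table inet nat` are commented out rather than deleted (`# counter container-nat {}`, `# iifname ve-* oifname dsl counter name container-nat masquerade`), which leaves a dormant rule that would masquerade traffic from any future `ve-*` container to dsl without a fresh review; since the IPv4 case is already covered by the `meta nfproto ipv4 oifname dsl` masquerade right above, the commented rule only ever added IPv6 masquerading for containers. Either delete both commented lines or annotate them, e.g. `# re-enable when a ve-* container is added; note this also masquerades IPv6`, so the intent is explicit to the next reader.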
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
deleted file mode 100644
index 55c55b37..00000000
--- a/hosts/vidhar/printing/default.nix
+++ /dev/null
@@ -1,170 +0,0 @@
1{ config, lib, ... }:
2
3with lib;
4
5let
6 containerConfig = config.containers.printing.config;
7in {
8 config = {
9 containers.printing = {
10 privateNetwork = true;
11 ephemeral = true;
12 autoStart = true;
13 hostAddress = "10.141.5.0";
14 hostAddress6 = "2a03:4000:52:ada:5::";
15 localAddress = "10.141.5.1";
16 localAddress6 = "2a03:4000:52:ada:5::1";
17 interfaces = [ "printer" ];
18 config = let
19 hostConfig = config;
20 in { ... }: {
21 config = {
22 services = {
23 kea = {
24 dhcp4 = {
25 enable = true;
26 settings = {
27 valid-lifetime = 4000;
28 rebind-timer = 2000;
29 renew-timer = 1000;
30
31 interfaces-config = {
32 interfaces = [ "printer" ];
33 };
34
35 lease-database = {
36 name = "/var/lib/kea/dhcp4.leases";
37 persist = true;
38 type = "memfile";
39 };
40
41 subnet4 = [
42 { subnet = "10.141.3.0/24";
43 option-data = [
44 { name = "domain-name-servers";
45 data = "10.141.5.0";
46 }
47 { name = "ntp-servers";
48 data = "10.141.5.0";
49 }
50 { name = "broadcast-address";
51 data = "10.141.3.255";
52 }
53 { name = "routers";
54 data = "10.141.3.1";
55 }
56 { name = "domain-name";
57 data = "yggdrasil";
58 }
59 { name = "domain-search";
60 data = "printer.yggdrasil, yggdrasil";
61 }
62 ];
63 pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ];
64 reservations = [
65 { hostname = "printer";
66 hw-address = "30:cd:a7:b0:55:8d";
67 ip-address = "10.141.3.2";
68 }
69 ];
70 }
71 ];
72 };
73 };
74 };
75
76 printing = {
77 enable = true;
78 listenAddresses = [
79 "*:631"
80 ];
81 logLevel = "all";
82 extraConf = mkForce ''
83 ServerName printing
84 ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
85
86 DefaultEncryption Never
87
88 <Location />
89 Order allow,deny
90 Allow from 10.0.0.0/8
91 Satisfy any
92 </Location>
93
94 <Location /admin>
95 Order allow,deny
96 Allow from 10.0.0.0/8
97 Satisfy any
98 </Location>
99
100 <Location /admin/conf>
101 Order allow,deny
102 Allow from 10.0.0.0/8
103 Satisfy any
104 </Location>
105
106 <Policy default>
107 <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
108 Order allow,deny
109 Allow from 10.0.0.0/8
110 Satisfy any
111 </Limit>
112
113 <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
114 Order allow,deny
115 Allow from 10.0.0.0/8
116 Satisfy any
117 </Limit>
118
119 <Limit Cancel-Job CUPS-Authenticate-Job>
120 Order allow,deny
121 Allow from 10.0.0.0/8
122 Satisfy any
123 </Limit>
124
125 <Limit All>
126 Order allow,deny
127 Allow from 10.0.0.0/8
128 Satisfy any
129 </Limit>
130 </Policy>
131 '';
132 };
133
134 resolved.enable = false;
135 };
136
137 networking = {
138 firewall.enable = false;
139 nftables = {
140 enable = true;
141 rulesetFile = ./ruleset.nft;
142 };
143
144 useDHCP = false;
145 useNetworkd = true;
146
147 interfaces."printer" = {
148 ipv4.addresses = [
149 { address = "10.141.3.1"; prefixLength = 24; }
150 ];
151 };
152 };
153
154 environment.etc."resolv.conf".text = ''
155 nameserver ${hostConfig.containers.printing.hostAddress6}
156 '';
157
158 system.stateVersion = hostConfig.system.stateVersion;
159 };
160 };
161 };
162
163 networking = {
164 vlans.printer = {
165 id = 5;
166 interface = "eno2";
167 };
168 };
169 };
170}
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft
deleted file mode 100644
index edf8597d..00000000
--- a/hosts/vidhar/printing/ruleset.nft
+++ /dev/null
@@ -1,191 +0,0 @@
1define icmp_protos = {ipv6-icmp, icmp, igmp}
2
3table arp filter {
4 limit lim_arp {
5 rate over 50 mbytes/second burst 50 mbytes
6 }
7
8 counter arp-rx {}
9 counter arp-tx {}
10
11 counter arp-ratelimit-rx {}
12 counter arp-ratelimit-tx {}
13
14 chain input {
15 type filter hook input priority filter
16 policy accept
17
18 limit name lim_arp counter name arp-ratelimit-rx drop
19
20 counter name arp-rx
21 }
22
23 chain output {
24 type filter hook output priority filter
25 policy accept
26
27 limit name lim_arp counter name arp-ratelimit-tx drop
28
29 counter name arp-tx
30 }
31}
32
33table inet filter {
34 limit lim_reject {
35 rate over 1000/second burst 1000 packets
36 }
37
38 limit lim_icmp {
39 rate over 50 mbytes/second burst 50 mbytes
40 }
41
42 counter invalid-fw {}
43 counter fw-lo {}
44 counter fw-printer {}
45 counter fw-host {}
46
47 counter icmp-fw {}
48 counter icmp-ratelimit-fw {}
49
50 counter reject-ratelimit-fw {}
51 counter reject-fw {}
52 counter reject-tcp-fw {}
53 counter reject-icmp-fw {}
54
55 counter drop-fw {}
56
57 counter invalid-rx {}
58
59 counter rx-lo {}
60 counter invalid-local4-rx {}
61 counter invalid-local6-rx {}
62
63 counter icmp-ratelimit-rx {}
64 counter icmp-rx {}
65
66 counter dhcp-rx {}
67 counter cups-rx {}
68
69 counter established-rx {}
70
71 counter reject-ratelimit-rx {}
72 counter reject-rx {}
73 counter reject-tcp-rx {}
74 counter reject-icmp-rx {}
75
76 counter drop-rx {}
77
78 counter tx-lo {}
79
80 counter icmp-ratelimit-tx {}
81 counter icmp-tx {}
82
83 counter cups-tx {}
84 counter dhcp-tx {}
85
86 counter tx {}
87
88 chain forward {
89 type filter hook forward priority filter
90 policy drop
91
92
93 ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
94
95
96 iifname lo counter name fw-lo accept
97
98
99 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
100 meta l4proto $icmp_protos counter name icmp-fw accept
101
102
103 iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
104 iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
105 iifname eth0 oifname printer counter name fw-host accept
106
107
108 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
109 log level debug prefix "reject forward: " counter name reject-fw
110 meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
111 ct state new counter name reject-icmp-fw reject
112
113
114 counter name drop-fw
115 }
116
117 chain input {
118 type filter hook input priority filter
119 policy drop
120
121
122 ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
123
124
125 iifname lo counter name rx-lo accept
126 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
127 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
128
129 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
130 meta l4proto $icmp_protos counter name icmp-rx accept
131
132
133 tcp dport 631 counter name cups-rx accept
134
135 iifname printer udp dport 67 counter name dhcp-rx accept
136
137 ct state {established, related} counter name established-rx accept
138
139
140 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
141 log level debug prefix "reject input: " counter name reject-rx
142 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
143 ct state new counter name reject-icmp-rx reject
144
145
146 counter name drop-rx
147 }
148
149 chain output {
150 type filter hook output priority filter
151 policy accept
152
153
154 oifname lo counter name tx-lo accept
155
156 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
157 meta l4proto $icmp_protos counter name icmp-tx accept
158
159
160 tcp sport 631 counter name cups-tx accept
161
162 udp sport 67 counter name dhcp-tx accept
163
164
165 counter name tx
166 }
167}
168
169table ip nat {
170 counter host-nat {}
171
172 chain postrouting {
173 type nat hook postrouting priority srcnat
174 policy accept
175
176
177 oifname eth0 counter name host-nat masquerade
178 }
179}
180
181table ip mss_clamp {
182 counter host-mss-clamp {}
183
184 chain postrouting {
185 type filter hook postrouting priority mangle
186 policy accept
187
188
189 oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
190 }
191}
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index cbe158a9..89d9f12e 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -4,28 +4,19 @@
4 services.samba = { 4 services.samba = {
5 enable = true; 5 enable = true;
6 securityType = "user"; 6 securityType = "user";
7 package = pkgs.samba4.override {
8 enablePrinting = true;
9 };
10 extraConfig = '' 7 extraConfig = ''
11 domain master = yes 8 domain master = yes
12 workgroup = WORKGROUP 9 workgroup = WORKGROUP
13 load printers = no 10 load printers = no
14 printing = cups 11 printing = bsd
15 cups server = 10.141.4.1 12 printcap name = /dev/null
13 disable spoolss = yes
16 guest account = nobody 14 guest account = nobody
17 bind interfaces only = yes 15 bind interfaces only = yes
18 interfaces = lo lan 16 interfaces = lo lan
19 server signing = mandatory 17 server signing = mandatory
20 server min protocol = SMB3 18 server min protocol = SMB3
21 server smb encrypt = required 19 server smb encrypt = required
22
23 [printers]
24 path = /srv/samba-printing
25 browseable = yes
26 printable = yes
27 writable = no
28 create mode = 0700
29 ''; 20 '';
30 shares = { 21 shares = {
31 homes = { 22 homes = {
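Review bot: The replacement lines `printing = bsd`, `printcap name = /dev/null` and `disable spoolss = yes` are the right way to turn off print services in smbd, but nothing says why three settings are needed together, and a later cleanup could drop one and silently re-expose the spooler RPC interface. Add a comment above `load printers = no`, e.g. `# no print services on this host: disable the spoolss RPC interface so clients cannot reach the spooler, and point printcap at /dev/null so smbd never enumerates system printers`. It is also worth confirming that `/srv/samba-printing`, the spool path of the removed `[printers]` share, is not created or mounted by other configuration, so no stale spool directory lingers on the host. The `shares` attribute set continues past the end of the hunk.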