vidhar: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-29 00:22:52 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-29 00:22:52 +0100
commit: bb2ef19025d688433e7e3f9ef8edc26a3fa69d24 (patch)
tree: cf36f2a58805c400605c25ce7b143943fdb8b9a7 /modules
parent: ee01823de3c4ff26b42bc27e70c8151c9ca278e8 (diff)
download: nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar
nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.gz
nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.bz2
nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.xz
nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.zip
1 files changed, 126 insertions, 0 deletions
diff --git a/modules/samba-wsdd.nix b/modules/samba-wsdd.nix
new file mode 100644
index 00000000..0ad29dd4
--- /dev/null
+++ b/modules/samba-wsdd.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.samba-wsdd;
+in {
+  disabledModules = [ "services/network-filesystems/samba-wsdd.nix" ];
+  options = {
+    services.samba-wsdd = {
+      enable = mkEnableOption ''
+        Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device,
+        to be found by Web Service Discovery Clients like Windows.
+        <note>
+          <para>If you use the firewall consider adding the following:</para>
+          <programlisting>
+            networking.firewall.allowedTCPPorts = [ 5357 ];
+            networking.firewall.allowedUDPPorts = [ 3702 ];
+          </programlisting>
+        </note>
+      '';
+      interface = mkOption {
+        type = types.nullOr (types.listOf types.str);
+        default = null;
+        example = ["eth0"];
+        description = "Interface or address to use.";
+      };
+      hoplimit = mkOption {
+        type = types.nullOr types.int;
+        default = null;
+        example = 2;
+        description = "Hop limit for multicast packets (default = 1).";
+      };
+      workgroup = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "HOME";
+        description = "Set workgroup name (default WORKGROUP).";
+      };
+      hostname = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "FILESERVER";
+        description = "Override (NetBIOS) hostname to be used (default hostname).";
+      };
+      domain = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Set domain name (disables workgroup).";
+      };
+      discovery = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable discovery operation mode.";
+      };
+      listen = mkOption {
+        type = types.str;
+        default = "/run/wsdd/wsdd.sock";
+        description = "Listen on path or localhost port in discovery mode.";
+      };
+      extraOptions = mkOption {
+        type = types.listOf types.str;
+        default = [ "--shortlog" ];
+        example = [ "--verbose" "--no-http" "--ipv4only" "--no-host" ];
+        description = "Additional wsdd options.";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.wsdd ];
+    systemd.services.samba-wsdd = {
+      description = "Web Services Dynamic Discovery host daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        Type = "simple";
+        ExecStart = ''
+          ${pkgs.wsdd}/bin/wsdd ${optionalString (cfg.interface != null) (concatMapStringsSep " " (interface: "--interface '${interface}'") cfg.interface)} \
+                                ${optionalString (cfg.hoplimit != null) "--hoplimit '${toString cfg.hoplimit}'"} \
+                                ${optionalString (cfg.workgroup != null) "--workgroup '${cfg.workgroup}'"} \
+                                ${optionalString (cfg.hostname != null) "--hostname '${cfg.hostname}'"} \
+                                ${optionalString (cfg.domain != null) "--domain '${cfg.domain}'"} \
+                                ${optionalString cfg.discovery "--discovery --listen '${cfg.listen}'"} \
+                                ${escapeShellArgs cfg.extraOptions}
+        '';
+        # Runtime directory and mode
+        RuntimeDirectory = "wsdd";
+        RuntimeDirectoryMode = "0750";
+        # Access write directories
+        UMask = "0027";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = false;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources";
+      };
+    };
+  };
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-29 00:22:52 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-29 00:22:52 +0100
commit	bb2ef19025d688433e7e3f9ef8edc26a3fa69d24 (patch)
tree	cf36f2a58805c400605c25ce7b143943fdb8b9a7 /modules
parent	ee01823de3c4ff26b42bc27e70c8151c9ca278e8 (diff)
download	nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.gz nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.bz2 nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.tar.xz nixos-bb2ef19025d688433e7e3f9ef8edc26a3fa69d24.zip

diff --git a/modules/samba-wsdd.nix b/modules/samba-wsdd.nix new file mode 100644 index 00000000..0ad29dd4 --- /dev/null +++ b/modules/samba-wsdd.nix
@@ -0,0 +1,126 @@
	1	{ config, lib, pkgs, ... }:
	2
	3	with lib;
	4
	5	let
	6	cfg = config.services.samba-wsdd;
	7
	8	in {
	9	disabledModules = [ "services/network-filesystems/samba-wsdd.nix" ];
	10
	11	options = {
	12	services.samba-wsdd = {
	13	enable = mkEnableOption ''
	14	Enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device,
	15	to be found by Web Service Discovery Clients like Windows.
	16	<note>
	17	<para>If you use the firewall consider adding the following:</para>
	18	<programlisting>
	19	networking.firewall.allowedTCPPorts = [ 5357 ];
	20	networking.firewall.allowedUDPPorts = [ 3702 ];
	21	</programlisting>
	22	</note>
	23	'';
	24	interface = mkOption {
	25	type = types.nullOr (types.listOf types.str);
	26	default = null;
	27	example = ["eth0"];
	28	description = "Interface or address to use.";
	29	};
	30	hoplimit = mkOption {
	31	type = types.nullOr types.int;
	32	default = null;
	33	example = 2;
	34	description = "Hop limit for multicast packets (default = 1).";
	35	};
	36	workgroup = mkOption {
	37	type = types.nullOr types.str;
	38	default = null;
	39	example = "HOME";
	40	description = "Set workgroup name (default WORKGROUP).";
	41	};
	42	hostname = mkOption {
	43	type = types.nullOr types.str;
	44	default = null;
	45	example = "FILESERVER";
	46	description = "Override (NetBIOS) hostname to be used (default hostname).";
	47	};
	48	domain = mkOption {
	49	type = types.nullOr types.str;
	50	default = null;
	51	description = "Set domain name (disables workgroup).";
	52	};
	53	discovery = mkOption {
	54	type = types.bool;
	55	default = false;
	56	description = "Enable discovery operation mode.";
	57	};
	58	listen = mkOption {
	59	type = types.str;
	60	default = "/run/wsdd/wsdd.sock";
	61	description = "Listen on path or localhost port in discovery mode.";
	62	};
	63	extraOptions = mkOption {
	64	type = types.listOf types.str;
	65	default = [ "--shortlog" ];
	66	example = [ "--verbose" "--no-http" "--ipv4only" "--no-host" ];
	67	description = "Additional wsdd options.";
	68	};
	69	};
	70	};
	71
	72	config = mkIf cfg.enable {
	73
	74	environment.systemPackages = [ pkgs.wsdd ];
	75
	76	systemd.services.samba-wsdd = {
	77	description = "Web Services Dynamic Discovery host daemon";
	78	after = [ "network.target" ];
	79	wantedBy = [ "multi-user.target" ];
	80	serviceConfig = {
	81	DynamicUser = true;
	82	Type = "simple";
	83	ExecStart = ''
	84	${pkgs.wsdd}/bin/wsdd ${optionalString (cfg.interface != null) (concatMapStringsSep " " (interface: "--interface '${interface}'") cfg.interface)} \
	85	${optionalString (cfg.hoplimit != null) "--hoplimit '${toString cfg.hoplimit}'"} \
	86	${optionalString (cfg.workgroup != null) "--workgroup '${cfg.workgroup}'"} \
	87	${optionalString (cfg.hostname != null) "--hostname '${cfg.hostname}'"} \
	88	${optionalString (cfg.domain != null) "--domain '${cfg.domain}'"} \
	89	${optionalString cfg.discovery "--discovery --listen '${cfg.listen}'"} \
	90	${escapeShellArgs cfg.extraOptions}
	91	'';
	92	# Runtime directory and mode
	93	RuntimeDirectory = "wsdd";
	94	RuntimeDirectoryMode = "0750";
	95	# Access write directories
	96	UMask = "0027";
	97	# Capabilities
	98	CapabilityBoundingSet = "";
	99	# Security
	100	NoNewPrivileges = true;
	101	# Sandboxing
	102	ProtectSystem = "strict";
	103	ProtectHome = true;
	104	PrivateTmp = true;
	105	PrivateDevices = true;
	106	PrivateUsers = false;
	107	ProtectHostname = true;
	108	ProtectClock = true;
	109	ProtectKernelTunables = true;
	110	ProtectKernelModules = true;
	111	ProtectKernelLogs = true;
	112	ProtectControlGroups = true;
	113	RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
	114	RestrictNamespaces = true;
	115	LockPersonality = true;
	116	MemoryDenyWriteExecute = true;
	117	RestrictRealtime = true;
	118	RestrictSUIDSGID = true;
	119	PrivateMounts = true;
	120	# System Call Filtering
	121	SystemCallArchitectures = "native";
	122	SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources";
	123	};
	124	};
	125	};
	126	}