3 files changed, 52 insertions, 5 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 327c51b3..d71674f8 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -336,5 +336,28 @@
        };
      };
    };
+    services.samba = {
+      enable = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+      '';
+      shares = {
+        homes = {
+          path = "/home/%S";
+          browseable = "no";
+          "valid users" = "%S";
+          "read only" = "no";
+          "create mask" = "0700";
+          "directory mask" = "0700";
+          "browseable" = "no";
+        };
+      };
+    };
+    services.samba-wssd = {
+      enable = true;
+      workgroup = "WORKGROUP";
+    };
  };
 }
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 9135327f..53ae3c92 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -42,6 +42,13 @@ table inet filter {
  }
+  chain forward_icmp_accept {
+    oifname dsl limit name lim_icmp_dsl counter drop
+    iifname dsl limit name lim_icmp_dsl counter drop
+    oifname != dsl limit name lim_icmp_local counter drop
+    iifname != dsl limit name lim_icmp_local counter drop
+    counter accept
+  }
  chain forward {
    type filter hook forward priority filter
    policy drop
@@ -52,11 +59,7 @@ table inet filter {
    iifname lo counter accept
-    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
+    oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept
-    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
-    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    meta l4proto $icmp_protos counter accept
    iifname eno1 oifname dsl counter accept
    iifname dsl oifname eno1 ct state {established, related} counter accept
@@ -104,6 +107,9 @@ table inet filter {
    iifname {eno1, mgmt} udp dport 67 counter accept
+    iifname eno1 udp dport { 137, 138, 3702 } counter accept
+    iifname eno1 tcp dport { 445, 139, 5357 } counter accept
    ct state {established, related} counter accept
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 162377f0..5e1f225b 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -76,6 +76,24 @@ in {
        { device = "ssd-raid1/local/var-log";
          fsType = "zfs";
        };
+      "/home" =
+        { device = "hdd-raid6/safe/home";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
+      "/home/gkleen" =
+        { device = "hdd-raid6/safe/home/gkleen";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
+      "/home/mherold" =
+        { device = "hdd-raid6/safe/home/mherold";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
    };
    systemd.services =

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 327c51b3..d71674f8 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -336,5 +336,28 @@
336	};	336	};
337	};	337	};
338	};	338	};
		339
		340	services.samba = {
		341	enable = true;
		342	securityType = "user";
		343	extraConfig = ''
		344	workgroup = WORKGROUP
		345	'';
		346	shares = {
		347	homes = {
		348	path = "/home/%S";
		349	browseable = "no";
		350	"valid users" = "%S";
		351	"read only" = "no";
		352	"create mask" = "0700";
		353	"directory mask" = "0700";
		354	"browseable" = "no";
		355	};
		356	};
		357	};
		358	services.samba-wssd = {
		359	enable = true;
		360	workgroup = "WORKGROUP";
		361	};
339	};	362	};
340	}	363	}


diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 9135327f..53ae3c92 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft
@@ -42,6 +42,13 @@ table inet filter {
42	}	42	}
43		43
44		44
		45	chain forward_icmp_accept {
		46	oifname dsl limit name lim_icmp_dsl counter drop
		47	iifname dsl limit name lim_icmp_dsl counter drop
		48	oifname != dsl limit name lim_icmp_local counter drop
		49	iifname != dsl limit name lim_icmp_local counter drop
		50	counter accept
		51	}
45	chain forward {	52	chain forward {
46	type filter hook forward priority filter	53	type filter hook forward priority filter
47	policy drop	54	policy drop
@@ -52,11 +59,7 @@ table inet filter {
52		59
53	iifname lo counter accept	60	iifname lo counter accept
54		61
55	oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop	62	oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept
56	iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
57	oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
58	iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
59	meta l4proto $icmp_protos counter accept
60		63
61	iifname eno1 oifname dsl counter accept	64	iifname eno1 oifname dsl counter accept
62	iifname dsl oifname eno1 ct state {established, related} counter accept	65	iifname dsl oifname eno1 ct state {established, related} counter accept
@@ -104,6 +107,9 @@ table inet filter {
104		107
105	iifname {eno1, mgmt} udp dport 67 counter accept	108	iifname {eno1, mgmt} udp dport 67 counter accept
106		109
		110	iifname eno1 udp dport { 137, 138, 3702 } counter accept
		111	iifname eno1 tcp dport { 445, 139, 5357 } counter accept
		112
107	ct state {established, related} counter accept	113	ct state {established, related} counter accept
108		114
109		115


diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 162377f0..5e1f225b 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix
@@ -76,6 +76,24 @@ in {
76	{ device = "ssd-raid1/local/var-log";	76	{ device = "ssd-raid1/local/var-log";
77	fsType = "zfs";	77	fsType = "zfs";
78	};	78	};
		79
		80	"/home" =
		81	{ device = "hdd-raid6/safe/home";
		82	fsType = "zfs";
		83	options = [ "zfsutil" ];
		84	}
		85
		86	"/home/gkleen" =
		87	{ device = "hdd-raid6/safe/home/gkleen";
		88	fsType = "zfs";
		89	options = [ "zfsutil" ];
		90	}
		91
		92	"/home/mherold" =
		93	{ device = "hdd-raid6/safe/home/mherold";
		94	fsType = "zfs";
		95	options = [ "zfsutil" ];
		96	}
79	};	97	};
80		98
81	systemd.services =	99	systemd.services =