From c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 28 Dec 2021 21:42:05 +0100 Subject: vidhar: samba --- hosts/vidhar/default.nix | 23 +++++++++++++++++++++++ hosts/vidhar/ruleset.nft | 16 +++++++++++----- hosts/vidhar/zfs.nix | 18 ++++++++++++++++++ 3 files changed, 52 insertions(+), 5 deletions(-) (limited to 'hosts') diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 327c51b3..d71674f8 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -336,5 +336,28 @@ }; }; }; + + services.samba = { + enable = true; + securityType = "user"; + extraConfig = '' + workgroup = WORKGROUP + ''; + shares = { + homes = { + path = "/home/%S"; + browseable = "no"; + "valid users" = "%S"; + "read only" = "no"; + "create mask" = "0700"; + "directory mask" = "0700"; + "browseable" = "no"; + }; + }; + }; + services.samba-wssd = { + enable = true; + workgroup = "WORKGROUP"; + }; }; } diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 9135327f..53ae3c92 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft @@ -42,6 +42,13 @@ table inet filter { } + chain forward_icmp_accept { + oifname dsl limit name lim_icmp_dsl counter drop + iifname dsl limit name lim_icmp_dsl counter drop + oifname != dsl limit name lim_icmp_local counter drop + iifname != dsl limit name lim_icmp_local counter drop + counter accept + } chain forward { type filter hook forward priority filter policy drop @@ -52,11 +59,7 @@ table inet filter { iifname lo counter accept - oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - meta l4proto $icmp_protos counter accept + oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept iifname eno1 oifname dsl counter accept iifname dsl oifname eno1 ct state {established, related} counter accept @@ -104,6 +107,9 @@ table inet filter { iifname {eno1, mgmt} udp dport 67 counter accept + iifname eno1 udp dport { 137, 138, 3702 } counter accept + iifname eno1 tcp dport { 445, 139, 5357 } counter accept + ct state {established, related} counter accept diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 162377f0..5e1f225b 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix @@ -76,6 +76,24 @@ in { { device = "ssd-raid1/local/var-log"; fsType = "zfs"; }; + + "/home" = + { device = "hdd-raid6/safe/home"; + fsType = "zfs"; + options = [ "zfsutil" ]; + } + + "/home/gkleen" = + { device = "hdd-raid6/safe/home/gkleen"; + fsType = "zfs"; + options = [ "zfsutil" ]; + } + + "/home/mherold" = + { device = "hdd-raid6/safe/home/mherold"; + fsType = "zfs"; + options = [ "zfsutil" ]; + } }; systemd.services = -- cgit v1.2.3