From c09d60d686dc53e19dbfb5d58fa705ad4a2ec06c Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 28 Dec 2021 21:42:05 +0100
Subject: vidhar: samba

---
 hosts/vidhar/default.nix | 23 +++++++++++++++++++++++
 hosts/vidhar/ruleset.nft | 16 +++++++++++-----
 hosts/vidhar/zfs.nix     | 18 ++++++++++++++++++
 3 files changed, 52 insertions(+), 5 deletions(-)

(limited to 'hosts')

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 327c51b3..d71674f8 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -336,5 +336,28 @@
         };
       };
     };
+
+    services.samba = {
+      enable = true;
+      securityType = "user";
+      extraConfig = ''
+        workgroup = WORKGROUP
+      '';
+      shares = {
+        homes = {
+          path = "/home/%S";
+          browseable = "no";
+          "valid users" = "%S";
+          "read only" = "no";
+          "create mask" = "0700";
+          "directory mask" = "0700";
+          "browseable" = "no";
+        };
+      };
+    };
+    services.samba-wssd = {
+      enable = true;
+      workgroup = "WORKGROUP";
+    };
   };
 }
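Review bot: The `homes` share defines `browseable` twice (`browseable = "no";` and `"browseable" = "no";`); in Nix a quoted and an unquoted key name the same attribute, so this is a duplicate-attribute error at evaluation time and one of the two lines has to go. `services.samba-wssd` also looks like a typo for the NixOS module `services.samba-wsdd` (the WS-Discovery daemon) — worth confirming before the next rebuild. With `securityType = "user"` nothing in this commit provisions Samba passwords, so the share is unusable until `smbpasswd -a <user>` has been run for each home; a comment saying so next to `securityType` would save the next reader a trip. Since the share is reachable from the whole eno1 segment, consider adding `server min protocol = SMB2_02` to `extraConfig` so SMB1/NetBIOS session service is never negotiated and port 139 does not need to be open at all.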
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 9135327f..53ae3c92 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -42,6 +42,13 @@ table inet filter {
   }
 
 
+  chain forward_icmp_accept {
+    oifname dsl limit name lim_icmp_dsl counter drop
+    iifname dsl limit name lim_icmp_dsl counter drop
+    oifname != dsl limit name lim_icmp_local counter drop
+    iifname != dsl limit name lim_icmp_local counter drop
+    counter accept
+  }
   chain forward {
     type filter hook forward priority filter
     policy drop
@@ -52,11 +59,7 @@ table inet filter {
 
     iifname lo counter accept
 
-    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
-    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
-    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
-    meta l4proto $icmp_protos counter accept
+    oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept
 
     iifname eno1 oifname dsl counter accept
     iifname dsl oifname eno1 ct state {established, related} counter accept
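Review bot: The new rule `oifname {eno1, dsl} meta l4proto $icmp_protos forward_icmp_accept` names the chain without a verdict keyword; nft only accepts `jump <chain>` or `goto <chain>` here, so this line should read `oifname {eno1, dsl} meta l4proto $icmp_protos jump forward_icmp_accept` or the ruleset will fail to load. Note also that the old rules accepted rate-limited ICMP on every interface, while the replacement only covers traffic leaving via eno1 or dsl — forwarded ICMP towards mgmt (which the input chain below treats as a local segment) now falls through to `policy drop`; if that is intended, a one-line comment saying so would help. The enclosing `forward` chain starts above this hunk.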
@@ -104,6 +107,9 @@ table inet filter {
 
     iifname {eno1, mgmt} udp dport 67 counter accept
 
+    iifname eno1 udp dport { 137, 138, 3702 } counter accept
+    iifname eno1 tcp dport { 445, 139, 5357 } counter accept
+
     ct state {established, related} counter accept
 
 
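Review bot: The two new accept rules open the Samba and WSD ports to every source on eno1 with no source-address restriction; if the ruleset already defines a LAN prefix set, anchoring them with `ip saddr @<lan-set>` would keep a rogue or guest host on that segment from reaching SMB at all. Port 139 (and the NetBIOS datagram/name ports 137/138) are only needed for SMB1/NetBIOS-era clients; if smb.conf is pinned to SMB2 or later, `tcp dport { 445, 5357 }` is sufficient and shrinks the exposed surface. A short comment naming what each port is for (`# 137/138 NetBIOS, 3702 WS-Discovery, 445 SMB, 5357 WSD HTTP`) would make the intent clear to whoever next tightens this. The enclosing `input` chain begins outside this hunk.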
diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix
index 162377f0..5e1f225b 100644
--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -76,6 +76,24 @@ in {
         { device = "ssd-raid1/local/var-log";
           fsType = "zfs";
         };
+
+      "/home" =
+        { device = "hdd-raid6/safe/home";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
+
+      "/home/gkleen" =
+        { device = "hdd-raid6/safe/home/gkleen";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
+
+      "/home/mherold" =
+        { device = "hdd-raid6/safe/home/mherold";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        }
     };
 
     systemd.services =
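Review bot: Each of the three new bindings is missing the terminating `;` after its closing brace (compare the existing `};` on the `var-log` entry just above), so `"/home" = { … }` followed by `"/home/gkleen" = …` is a parse error and the whole configuration fails to evaluate; change each closing `}` to `};`. Beyond that, the nesting `/home` → `/home/gkleen` → `/home/mherold` with `zfsutil` relies on systemd ordering the child mounts after the parent, which is the normal behaviour but worth a one-line comment since these datasets are the ones exported over SMB by the sibling change. The enclosing `fileSystems` attribute set starts above this hunk.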
-- 
cgit v1.2.3