From 3f9a3dcacbdb26bf3ad24c626919dc9e306f391b Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Sat, 22 Nov 2025 13:52:30 +0100
Subject: [PATCH] add samba module
---
 hosts/nixos/hs/system.nix | 8 +++++
 modules/samba.nix | 70 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 modules/samba.nix
diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index 2bb6392..84f179f 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -9,6 +9,7 @@
 ../../../modules/traefik.nix
 ../../../modules/borg/client.nix
 ../../../modules/login-display.nix
+ ../../../modules/samba.nix
 ];
 # GRUB bootloader with ZFS support
@@ -262,4 +263,11 @@
 };
 };
+ # Samba file sharing
+ services.samba-custom = {
+ sharedPath = "/mnt/storage/Media";
+ shareName = "Media";
+ user = "yanlin";
+ };
+
 }
diff --git a/modules/samba.nix b/modules/samba.nix
new file mode 100644
index 0000000..97d0947
--- /dev/null
+++ b/modules/samba.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.services.samba-custom;
+in
+{
+ options.services.samba-custom = {
+ sharedPath = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "Path to the folder to share via Samba. Set to null to disable Samba sharing.";
+ example = "/mnt/storage/shared";
+ };
+
+ shareName = lib.mkOption {
+ type = lib.types.str;
+ default = "shared";
+ description = "Name of the Samba share as it appears on the network";
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "yanlin";
+ description = "Unix user that owns the shared directory and will be used for Samba authentication";
+ };
+ };
+
+ config = lib.mkIf (cfg.sharedPath != null) {
+ # Enable Samba service
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "server string" = "${config.networking.hostName} Samba Server";
+ "netbios name" = config.networking.hostName;
+ "security" = "user";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+
+ # Security enhancements
+ "server min protocol" = "SMB3_00";
+ "smb encrypt" = "desired";
+ };
+
+ "${cfg.shareName}" = {
+ "path" = cfg.sharedPath;
+ "valid users" = cfg.user;
+ "public" = "no";
+ "writeable" = "yes";
+ "force user" = cfg.user;
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ };
+ };
+ };
+
+ # Create directory and set permissions
+ systemd.tmpfiles.rules = [
+ "d ${cfg.sharedPath} 0755 ${cfg.user} users - -"
+ ];
+
+ # NOTE: Samba user password must be manually set using:
+ # sudo smbpasswd -a ${cfg.user}
+ # This creates a Samba password for the specified user.
+ # The user must already exist as a Unix user on the system.
+ };
+}
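Review bot: `openFirewall = true` in the `services.samba` block opens the SMB/NetBIOS ports in the host firewall without any interface scoping, and the `global` section adds no `hosts allow` or `interfaces` restriction, so on this host (which also imports traefik.nix and may be reachable from outside the LAN) the share's exposure depends entirely on whatever filtering sits upstream. I would either add `"hosts allow" = "<LAN_CIDR_PLACEHOLDER> 127.0.0.1";` to `global` or expose `openFirewall` as a module option that defaults to false. Two settings in the same block are weaker than the "Security enhancements" comment suggests: `"map to guest" = "bad user"` still hands a guest session to any unknown username even though the share itself sets `valid users`, and `"smb encrypt" = "desired"` does not reject unencrypted sessions. Since the minimum protocol is already SMB3_00, `"map to guest" = "never";` and `"smb encrypt" = "required";` should be compatible with every client that can connect. Separately, the tmpfiles `d` rule will, as far as I can tell, re-apply `0755 ${cfg.user} users` to an already existing `sharedPath`, leaving the tree readable by all local users, which deserves a comment or a tighter mode if that is not intended.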