add samba module

2025-11-22 13:52:30 +01:00 · 2025-11-22 13:52:30 +01:00 · 3f9a3dcacb
commit 3f9a3dcacb
parent 489eb21e16
2 changed files with 78 additions and 0 deletions
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@ -9,6 +9,7 @@
    ../../../modules/traefik.nix
    ../../../modules/borg/client.nix
    ../../../modules/login-display.nix
+    ../../../modules/samba.nix
  ];

  # GRUB bootloader with ZFS support
@ -262,4 +263,11 @@
    };
  };

+  # Samba file sharing
+  services.samba-custom = {
+    sharedPath = "/mnt/storage/Media";
+    shareName = "Media";
+    user = "yanlin";
+  };
+
 }
--- a/modules/samba.nix
+++ b/modules/samba.nix
@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.samba-custom;
+in
+{
+  options.services.samba-custom = {
+    sharedPath = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Path to the folder to share via Samba. Set to null to disable Samba sharing.";
+      example = "/mnt/storage/shared";
+    };
+
+    shareName = lib.mkOption {
+      type = lib.types.str;
+      default = "shared";
+      description = "Name of the Samba share as it appears on the network";
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "yanlin";
+      description = "Unix user that owns the shared directory and will be used for Samba authentication";
+    };
+  };
+
+  config = lib.mkIf (cfg.sharedPath != null) {
+    # Enable Samba service
+    services.samba = {
+      enable = true;
+      openFirewall = true;
+
+      settings = {
+        global = {
+          "workgroup" = "WORKGROUP";
+          "server string" = "${config.networking.hostName} Samba Server";
+          "netbios name" = config.networking.hostName;
+          "security" = "user";
+          "guest account" = "nobody";
+          "map to guest" = "bad user";
+
+          # Security enhancements
+          "server min protocol" = "SMB3_00";
+          "smb encrypt" = "desired";
+        };
+
+        "${cfg.shareName}" = {
+          "path" = cfg.sharedPath;
+          "valid users" = cfg.user;
+          "public" = "no";
+          "writeable" = "yes";
+          "force user" = cfg.user;
+          "create mask" = "0644";
+          "directory mask" = "0755";
+        };
+      };
+    };
+
+    # Create directory and set permissions
+    systemd.tmpfiles.rules = [
+      "d ${cfg.sharedPath} 0755 ${cfg.user} users - -"
+    ];
+
+    # NOTE: Samba user password must be manually set using:
+    # sudo smbpasswd -a ${cfg.user}
+    # This creates a Samba password for the specified user.
+    # The user must already exist as a Unix user on the system.
+  };
+}