nixos/samba: cleanup and update defaults

This commit is contained in:
Nikolay Amiantov 2015-02-04 22:31:50 +03:00
parent fe07c77ff1
commit b903bf0a57

View File

@ -6,25 +6,11 @@ let
cfg = config.services.samba;
logDir = "/var/log/samba";
privateDir = "/var/samba/private";
samba = cfg.package;
setupScript =
''
if ! test -d /var/samba ; then
mkdir -p /var/samba/locks /var/samba/cores/nmbd /var/samba/cores/smbd /var/samba/cores/winbindd
fi
passwdFile="$(${pkgs.gnused}/bin/sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' ${configFile})"
if [ -n "$passwdFile" ]; then
echo 'INFO: [samba] creating directory containing passwd file'
mkdir -p "$(dirname "$passwdFile")"
fi
mkdir -p ${logDir}
mkdir -p ${privateDir}
mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private
'';
shareConfig = name:
@ -39,9 +25,10 @@ let
(if cfg.configText != null then cfg.configText else
''
[ global ]
log file = ${logDir}/log.%m
private dir = ${privateDir}
${optionalString cfg.syncPasswordsByPam "pam password change = true"}
security = ${cfg.securityType}
passwd program = /var/setuid-wrappers/passwd %u
pam password change = ${toString cfg.syncPasswordsByPam}
invalid users = ${toString cfg.invalidUsers}
${cfg.extraConfig}
@ -83,14 +70,16 @@ in
services.samba = {
enable = mkOption {
type = types.bool;
default = false;
description = "
description = ''
Whether to enable Samba, which provides file and print
services to Windows clients through the SMB/CIFS protocol.
";
'';
};
package = mkOption {
type = types.package;
default = pkgs.samba;
example = pkgs.samba4;
description = ''
@ -99,72 +88,47 @@ in
};
syncPasswordsByPam = mkOption {
type = types.bool;
default = false;
description = "
enabling this will add a line directly after pam_unix.so.
description = ''
Enabling this will add a line directly after pam_unix.so.
Whenever a password is changed the samba password will be updated as well.
However you still yave to add the samba password once using smbpasswd -a user
If you don't want to maintain an extra pwd database you still can send plain text
passwords which is not secure.
";
'';
};
invalidUsers = mkOption {
type = types.listOf types.str;
default = [ "root" ];
description = ''
List of users who are denied to login via Samba.
'';
};
extraConfig = mkOption {
# !!! Bad default.
default = ''
# [global] continuing global section here, section is started by nix to set pids etc
smb passwd file = /etc/samba/passwd
# is this useful ?
domain master = auto
encrypt passwords = Yes
client plaintext auth = No
# yes: if you use this you probably also want to enable syncPasswordsByPam
# no: You can still use the pam password database. However
# passwords will be sent plain text on network (discouraged)
workgroup = Users
server string = %h
comment = Samba
log file = /var/log/samba/log.%m
log level = 10
max log size = 50000
security = ${cfg.securityType}
client lanman auth = Yes
dns proxy = no
invalid users = root
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
type = types.lines;
default = "";
description = ''
Additional global section and extra section lines go in here.
'';
description = "
additional global section and extra section lines go in here.
";
};
configFile = mkOption {
description = "
internal use to pass filepath to samba pam module
";
};
configText = mkOption {
type = types.nullOr types.lines;
default = null;
description = "
description = ''
Verbatim contents of smb.conf. If null (default), use the
autogenerated file from NixOS instead.
";
'';
};
securityType = mkOption {
description = "Samba security type";
type = types.str;
default = "user";
example = "share";
description = "Samba security type";
};
nsswins = mkOption {
@ -179,12 +143,11 @@ in
shares = mkOption {
default = {};
description =
''
description = ''
A set describing shared resources.
See <command>man smb.conf</command> for options.
'';
type = types.attrsOf (types.attrsOf types.str);
'';
type = types.attrsOf (types.attrsOf types.unspecified);
example =
{ srv =
{ path = "/srv";