diff --git a/home/.chezmoi.yaml.tmpl b/home/.chezmoi.yaml.tmpl
index 5825e2a5..e44c5833 100644
--- a/home/.chezmoi.yaml.tmpl
+++ b/home/.chezmoi.yaml.tmpl
@@ -115,6 +115,9 @@ {{- writeToStdout "Chezmoi is running in headless environment.\n" -}} {{- end -}} +{{- $sambaNetBiosName := (default $hostname (env "SAMBA_NETBIOS_NAME")) -}} +{{- $sambaWorkGroupName := (default "BETELGEUSE" (env "SAMBA_WORKGROUP")) -}} + encryption: "age" age: identity: "{{ .chezmoi.homeDir }}/.config/age/chezmoi.txt"
@@ -136,10 +139,14 @@ data: secondary: 1.1.1.1#cloudflare-dns.com docker: doRegion: nyc1 + domain: "{{ $domain }}" headless: {{ $headless }} home: "{{ .chezmoi.homeDir }}" homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}" hostname: "{{ $hostname }}" + samba: + netbiosName: "{{ $sambaNetBiosName }}" + workgroup: "{{ $sambaWorkGroupName }}" ssh: allowTCPForwarding: no allowUsers: {{ output "echo" "$USER" }}
@@ -149,6 +156,7 @@ data: excludedSubnets: - 10.0.0.0/24 - 10.14.50.0/24 + - 192.168.1.0/24 qubes: {{ ne (stat (joinPath "usr" "bin" "qubes-session")) false }} restricted: {{ $restricted }} softwareGroup: "{{ $softwareGroup }}"
@@ -163,6 +171,7 @@ data: r2: "{{ $cloudflareR2AccountId }}" username: "{{ $cloudflareUsername }}" defaultBrowser: firefox + # `domain` is kept here for backwards compatibility, but the .host.domain is the preferred selector domain: "{{ $domain }}" email: "{{ $email }}" gcloud:
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_30-samba.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-samba.tmpl
deleted file mode 100644
index 239e8278..00000000
--- a/home/.chezmoiscripts/universal/run_onchange_after_30-samba.tmpl
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- if (ne .host.distro.family "windows") -}}
-#!/usr/bin/env bash
-
-{{ includeTemplate "universal/profile" }}
-{{ includeTemplate "universal/logg" }}
-
-# Samba logic
-echo true
-
-{{ end -}}
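Review bot: `$sambaNetBiosName` falls back to the full `$hostname` and is written as-is into `netbios name` by `config.tmpl`, but NetBIOS names are limited to 15 characters, so a longer hostname is truncated by Samba and the advertised name no longer matches what `host.samba.netbiosName` records; clamping it at definition time, e.g. `{{- $sambaNetBiosName := (default $hostname (env "SAMBA_NETBIOS_NAME")) | trunc 15 -}}`, keeps the two in agreement. Neither `SAMBA_NETBIOS_NAME` nor `SAMBA_WORKGROUP` is validated before landing unquoted in `smb.conf`, so a value containing a newline or `#` silently changes the rendered configuration; this is operator-supplied environment, but a `regexMatch` check with `fail` at this point reports a bad value at render time instead of at `smbd` startup. `$hostname` is defined above the start of this hunk, so its derivation is outside the visible context.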
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_51-samba.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_51-samba.tmpl
new file mode 100644
index 00000000..9ba2bdeb
--- /dev/null
+++ b/home/.chezmoiscripts/universal/run_onchange_after_51-samba.tmpl
@@ -0,0 +1,81 @@
+{{- if (ne .host.distro.family "windows") -}}
+#!/usr/bin/env bash
+# @file Samba Configuration
+# @brief This script configures Samba by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
+# @description
+# This script applies the Samba configuration stored in `${XDG_DATA_HOME:-$HOME/.config}/samba/config` if Samba is installed.
+# The script and default configuration set up two Samba shares.
+#
+# ## Security
+#
+# Both shares are configured by default to only accept connections
+# from hosts with DNS that ends in `.local.PUBLIC_SERVICES_DOMAIN`, where `PUBLIC_SERVICES_DOMAIN` is an environment variable that
+# can be passed into Install Doctor. So, if your `PUBLIC_SERVICES_DOMAIN` environment variable is set to `megabyte.space`, then
+# a device with a FQDN of `alpha.local.megabyte.space` pointing to its LAN location will be able to connect but a device
+# with a FQDN of `alpha.megabyte.space` will not be able to connect.
+#
+# ## Samba Shares / S3 Backup
+#
+# If CloudFlare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
+# Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folder / symlink that the
+# shares host data from are stored at `/mnt/samba-private` and `/mnt/samba-public`.
+#
+# 1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
+# 2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group
+#
+# ## Symlinks
+#
+# Symlinks are disabled for security reasons. This is because, with symlinking enabled, people can create symlinks on the shares and use the symlinks to access system files outside of the
+# Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable the symlinks in shares.
+#
+# ## Printers
+#
+# Printer sharing is not enabled by default. There are commented lines in the default configuration that should provide a nice stepping
+# stone if you want to use Samba for printer sharing (with CUPS).
+#
+# ## Environment Variables
+#
+# The following chart details some of the environment variables that are used to determine the configuration of the
+# Samba shares:
+#
+# | Environment Variable | Description |
+# |-----------------------------|-----------------------------------------------------------------------------------------------------|
+# | `PUBLIC_SERVICES_DOMAIN` | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
+# | `SAMBA_NETBIOS_NAME` | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value) |
+# | `SAMBA_WORKGROUP` | Controls Samba workgroup name (defaults to "BETELGEUSE") |
+#
+# ## Links
+#
+# * [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
+# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
+
+{{ includeTemplate "universal/profile" }}
+{{ includeTemplate "universal/logg" }}
+
+### Configure Samba server
+if command -v smbd > /dev/null; then
+ ### Ensure private Samba directory / symlink exists
+ if [ -d /mnt/s3-private ] && [ ! -d /mnt/samba-private ]; then
+ sudo ln -s /mnt/s3-private /mnt/samba-private
+ else
+ sudo mkdir /mnt/samba-private
+ fi
+
+ ### Ensure public Samba directory / symlink exists
+ if [ -d /mnt/s3-public ] && [ ! -d /mnt/samba-public ]; then
+ sudo ln -s /mnt/s3-public /mnt/samba-public
+ else
+ sudo mkdir /mnt/samba-public
+ fi
+
+ ### Copy the Samba server configuration file
+ logg info "Copying Samba server configuration to /etc/samba/smb.conf"
+ sudo cp -f "${XDG_DATA_HOME:-$HOME/.config}/samba/config" "/etc/samba/smb.conf"
+
+ ### Reload configuration file changes
+ smbcontrol smbd reload-config
+else
+ logg info "Samba server is not installed"
+fi
+
+{{ end -}}
diff --git a/home/dot_config/rclone/system/s3-docker.service.tmpl b/home/dot_config/rclone/system/s3-docker.service.tmpl
new file mode 100644
index 00000000..d6efc0d7
--- /dev/null
+++ b/home/dot_config/rclone/system/s3-docker.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (docker)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-docker"
+ExecStop=/bin/fusermount -u /mnt/s3-docker
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
diff --git a/home/dot_config/rclone/system/s3-public.service.tmpl b/home/dot_config/rclone/system/s3-public.service.tmpl
index 0c893775..1ff090fe 100644
--- a/home/dot_config/rclone/system/s3-public.service.tmpl
+++ b/home/dot_config/rclone/system/s3-public.service.tmpl
@@ -1,5 +1,5 @@
 [Unit]
-Description=rclone S3 system service (public)
+Description=rclone S3 service (public)
 After=network-online.target
 [Service]
diff --git a/home/dot_config/rclone/system/s3-system.service.tmpl b/home/dot_config/rclone/system/s3-system.service.tmpl
new file mode 100644
index 00000000..72a35bcf
--- /dev/null
+++ b/home/dot_config/rclone/system/s3-system.service.tmpl
@@ -0,0 +1,14 @@
+[Unit]
+Description=rclone S3 service (system)
+After=network-online.target
+
+[Service]
+Type=simple
+User=rclone
+ExecStart=/usr/local/bin/rclone-mount "rclone" "rclone" "s3-system"
+ExecStop=/bin/fusermount -u /mnt/s3-system
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=default.target
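Review bot: The copy source `${XDG_DATA_HOME:-$HOME/.config}/samba/config` uses the wrong XDG variable: the file this commit adds is `home/dot_config/samba/config.tmpl`, i.e. `~/.config/samba/config`, so on any machine where `XDG_DATA_HOME` is set (conventionally `~/.local/share`) the `cp` fails and `/etc/samba/smb.conf` is never updated; it should be `${XDG_CONFIG_HOME:-$HOME/.config}`, and the `@brief` and `@description` lines in the header repeat the same path. The two `else` branches run `sudo mkdir` whenever the `s3-*` mount is absent, including when `/mnt/samba-private` or `/mnt/samba-public` already exists, so the second run fails with "File exists"; guarding each mkdir behind its own `[ ! -d … ]` test avoids that, and the root-owned directories mkdir creates are not writable by `@sambausers` or the guest account that the `writable` shares in `config.tmpl` depend on unless ownership is adjusted somewhere not shown here. The rendered file is installed with `cp -f` and reloaded without any validation, so a bad render replaces a working `smb.conf` on the live server; running `testparm -s` (shipped with Samba) on the rendered file first and copying only on success keeps the last good configuration in place. `smbcontrol smbd reload-config` runs without `sudo`, which presumably fails for an unprivileged user, and it is a no-op when smbd is not running, so the new config would only take effect on the next service restart. The first entry under `## Links` points at `home/dot_local/samba/config.tmpl`, but the file lives under `home/dot_config/`.
```shell
### Configure Samba server
if command -v smbd > /dev/null; then
  SAMBA_CONFIG="${XDG_CONFIG_HOME:-$HOME/.config}/samba/config"

  ### Ensure private Samba directory / symlink exists
  if [ -d /mnt/s3-private ] && [ ! -d /mnt/samba-private ]; then
    sudo ln -s /mnt/s3-private /mnt/samba-private
  elif [ ! -d /mnt/samba-private ]; then
    sudo mkdir -p /mnt/samba-private
  fi

  # … unchanged: same guard for /mnt/s3-public -> /mnt/samba-public …

  ### Validate the rendered configuration before replacing the live one
  if testparm -s "$SAMBA_CONFIG" > /dev/null; then
    logg info "Copying Samba server configuration to /etc/samba/smb.conf"
    sudo cp -f "$SAMBA_CONFIG" "/etc/samba/smb.conf"
    ### Reload configuration file changes
    sudo smbcontrol smbd reload-config
  else
    echo "Samba configuration at $SAMBA_CONFIG failed testparm; leaving /etc/samba/smb.conf unchanged" >&2
  fi
# … unchanged: outer else branch and closing fi …
```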
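Review bot: `After=network-online.target` on its own only orders the unit; without `Wants=network-online.target` in `[Unit]` nothing pulls the target in, so the rclone mount can start before the network is up and then relies on `Restart=always`/`RestartSec=10` to recover, which is what the retry loop suggests is happening. Adding `Wants=network-online.target` directly under `After=` fixes it in `s3-docker.service.tmpl`, and the `s3-system.service.tmpl` hunk has the same shape; the context lines of the `s3-public.service.tmpl` hunk show only `After=` as well. `ExecStop=/bin/fusermount -u /mnt/s3-docker` hard-codes a mount point that `rclone-mount` presumably derives from its last argument, so a comment such as `# keep in sync with the mount point rclone-mount uses for "s3-docker"` above `ExecStop=` would help the next copy of this unit.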
diff --git a/home/dot_config/samba/config.tmpl b/home/dot_config/samba/config.tmpl
new file mode 100644
index 00000000..fe327d48
--- /dev/null
+++ b/home/dot_config/samba/config.tmpl
@@ -0,0 +1,67 @@
+[global]
+ # Allow connections with hostnames that can be resolved from hostname.local.{{ .user.domain }}
+ allow hosts = .local.{{ .user.domain }}
+ hostname lookups = yes
+ # Allows users without accounts to log in and be assigned to the guest account
+ map to guest = bad user
+ netbios name = {{ .host.samba.netbiosName }}
+ obey pam restrictions = yes
+ proxy = no
+ # Allow using DNS to specify allowed hosts
+ # Source: https://serverfault.com/questions/702455/samba-hosts-allow-example-com
+ dns proxy = yes
+ security = user
+ server role = standalone server
+ server string = Samba on %L
+ workgroup = {{ .host.samba.workgroup }}
+ # Printing - Uncomment these lines to enable Samba printer sharing with CUPSD
+ # Source: https://wiki.archlinux.org/index.php/CUPS/Printer_sharing
+ # load printers = yes
+ # printing = CUPS
+ # Symlinks - Uncomment the following two options to enable symlinking (including symlinks outside of the shared folder)
+ # This feature is disabled by default due to security concerns (i.e. people can create symlinks on the shares and access system files if the share is writable)
+ # unix extension = no
+ # wide links = yes
+
+[Private]
+ browsable = yes
+ comment = Authenticated share with read/write capabilities (backed up to S3)
+ follow symlinks = no
+ guest only = no
+ path = /mnt/samba-private
+ public = no
+ valid users = @sambausers
+ writable = true
+
+[Public]
+ browsable = yes
+ comment = Public folder provided for file sharing on the LAN (backed up to S3)
+ follow symlinks = no
+ guest only = yes
+ path = /mnt/samba-public
+ public = yes
+ writable = yes
+
+# [printers]
+# browsable = yes
+# comment = Printers
+# path = /var/spool/samba/
+# printable = yes
+# public = yes
+# writable = no
+
+# [print]
+# browsable = yes
+# comment = Printer drivers
+# path = /var/lib/samba/printers
+# public = yes
+# writable = no
+
+# [HPOfficeJetPro]
+# comment = HP OfficeJet Pro printer
+# path = /var/spool/samba/
+# printable = yes
+# # Source: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Print_Server
+# printer name = HP OfficeJet Pro 6978
+# public = yes
+# writable = no
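Review bot: `allow hosts = .local.{{ .user.domain }}` reads `.user.domain` while the same commit adds `domain` under `host:` in `.chezmoi.yaml.tmpl` and comments that `.host.domain` is the preferred selector, so this new template should use `{{ .host.domain }}` (and the comment above it updated) rather than the key marked as kept only for backwards compatibility. The commented-out symlink guidance names `unix extension = no`, but the Samba parameter is `unix extensions`, so uncommenting it as written would not disable the extensions and Samba would report an unknown parameter; the same check is worth running on `proxy = no` in `[global]`, which does not appear to be a smb.conf option (`dns proxy` and `wins proxy` are). The host filter matches on the reverse-DNS name of the connecting client, so it is a convenience restriction rather than authentication — `valid users = @sambausers` remains the real control for `[Private]` — and a one-line comment next to `allow hosts` saying `# host filter is DNS-based; access to [Private] is still gated by valid users` would keep a future editor from loosening the share on that assumption. `[Private]` uses `writable = true` while `[Public]` uses `writable = yes`; both parse, but one spelling should be used throughout the file.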