feat(samba): tls

modules/nixos/ldap/hosts.nix

@@ -77,6 +77,10 @@ in {
       type = str;
       default = "";
     };
+    idViewDnSuffix = mkOption {
+      type = str;
+      default = "";
+    };
     serviceDnSuffix = mkOption {
       type = str;
       default = "";

modules/nixos/samba.nix

@@ -1,13 +1,17 @@
 {
   config,
   lib,
+  inputs,
   pkgs,
   ...
 }: let
+  inherit (inputs.self.lib.lib) mkAlmostOptionDefault;
   inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkBefore mkForce mkDefault mkOptionDefault;
-  inherit (lib.attrsets) mapAttrs' mapAttrsToList nameValuePair;
-  inherit (lib.strings) hasPrefix concatMapStringsSep;
+  inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
+  inherit (lib.attrsets) mapAttrs' mapAttrsToList listToAttrs nameValuePair;
+  inherit (lib.lists) concatLists;
+  inherit (lib.strings) toUpper hasPrefix concatMapStringsSep concatStringsSep;
+  inherit (lib.trivial) flip;
   inherit (config.services) samba-wsdd;
   cfg = config.services.samba;
   settingValue = value:
@@ -23,6 +27,31 @@ in {
     settingPrimitive = oneOf [str int bool];
     settingType = oneOf [settingPrimitive (listOf settingPrimitive)];
   in {
+    domain = {
+      netbiosName = mkOption {
+        type = nullOr str;
+        default = null;
+        defaultText = "networking.hostName";
+      };
+      netbiosName' = mkOption {
+        type = str;
+      };
+      isWorkgroup = mkOption {
+        type = bool;
+      };
+      name = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      netbiosHostAddresses = mkOption {
+        type = attrsOf (listOf str);
+        default = { };
+      };
+      lmhosts = mkOption {
+        type = attrsOf str;
+        default = { };
+      };
+    };
     ldap = {
       enable = mkEnableOption "LDAP";
       passdb = {
@@ -68,6 +97,34 @@ in {
         default = null;
       };
     };
+    tls = {
+      enable = mkEnableOption "tls" // {
+        default = cfg.tls.certPath != null;
+      };
+      peer.enable = mkEnableOption "peer verification" // {
+        default = cfg.tls.caPath != null;
+      };
+      useACMECert = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      certPath = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+      keyPath = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+      caPath = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+      crlPath = mkOption {
+        type = nullOr path;
+        default = null;
+      };
+    };
     usershare = {
       enable = mkEnableOption "usershare";
       group = mkOption {
@@ -154,19 +211,39 @@ in {
 
   config = {
     services.samba = {
-      package = mkIf cfg.ldap.enable (mkDefault (
+      package = mkIf cfg.ldap.enable (mkAlmostOptionDefault (
         if cfg.ldap.passdb.enable && cfg.ldap.passdb.backend == "ipasam" then pkgs.samba-ipa else pkgs.samba-ldap
       ));
+      domain = {
+        isWorkgroup = mkOptionDefault (cfg.securityType != "domain" && cfg.securityType != "ads");
+        netbiosName' = let
+          name = if cfg.domain.netbiosName != null then cfg.domain.netbiosName else config.networking.hostName;
+        in mkOptionDefault (if cfg.domain.isWorkgroup then toUpper name else name);
+        netbiosHostAddresses = mkIf (cfg.domain.netbiosName != null) {
+          ${cfg.domain.netbiosName'} = [ "127.0.0.1" "::1" ];
+        };
+        lmhosts = let
+          addrs = mapAttrsToList (name: map (flip nameValuePair name)) cfg.domain.netbiosHostAddresses;
+        in listToAttrs (concatLists addrs);
+      };
       ldap = {
-        adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkDefault (
+        adminPasswordPath = mkIf (cfg.ldap.adminDn != null && hasPrefix "name=anonymous," cfg.ldap.adminDn) (mkAlmostOptionDefault (
           pkgs.writeText "smb-ldap-anonymous" "anonymous"
         ));
+        idmap.domain = mkIf (cfg.domain.name != null) (mkAlmostOptionDefault cfg.domain.name);
+      };
+      tls = let
+        cert = config.security.acme.certs.${cfg.tls.useACMECert};
+      in {
+        certPath = mkIf (cfg.tls.useACMECert != null) (mkAlmostOptionDefault "${cert.directory}/fullchain.pem");
+        keyPath = mkIf (cfg.tls.useACMECert != null) (mkAlmostOptionDefault "${cert.directory}/key.pem");
+        caPath = mkIf (cfg.kerberos.enable && config.security.ipa.enable) (mkAlmostOptionDefault "${config.security.ipa.certificate}");
       };
       idmap.domains = mkMerge [
         (mkIf (cfg.ldap.enable && cfg.ldap.idmap.enable) {
           ldap = {
             backend = mkOptionDefault "ldap";
-            domain = mkDefault cfg.ldap.idmap.domain;
+            domain = mkAlmostOptionDefault cfg.ldap.idmap.domain;
             settings = {
               ldap_url = mkOptionDefault cfg.ldap.url;
             };
@@ -176,6 +253,10 @@ in {
       settings = mkMerge ([
         {
           "use sendfile" = mkOptionDefault true;
+          "mdns name" = mkOptionDefault "mdns";
+          "name resolve order" = mkOptionDefault [ "lmhosts" "host" "bcast" ];
+          workgroup = mkIf (cfg.domain.name != null) (mkOptionDefault cfg.domain.name);
+          "netbios name" = mkIf (cfg.domain.netbiosName != null) (mkOptionDefault cfg.domain.netbiosName);
         }
         (mkIf (cfg.passdb.smbpasswd.path != null) {
           "passdb backend" = mkOptionDefault "smbpasswd:${cfg.passdb.smbpasswd.path}";
@@ -194,8 +275,21 @@ in {
           "dedicated keytab file" = mkIf (cfg.kerberos.keytabPath != null) (mkOptionDefault
             "FILE:${cfg.kerberos.keytabPath}"
           );
+          "kerberos encryption types" = mkOptionDefault "strong";
           "create krb5 conf" = mkOptionDefault false;
         })
+        (mkIf cfg.enableWinbindd {
+          "winbind nss info" = mkOptionDefault "rfc2307";
+          "winbind use default domain" = mkOptionDefault true;
+        })
+        (mkIf cfg.tls.enable {
+          "tls enabled" = mkOptionDefault true;
+          "tls verify peer" = mkIf cfg.tls.peer.enable (mkOptionDefault "ca_and_name_if_available");
+          "tls certfile" = mkIf (cfg.tls.certPath != null) (mkOptionDefault cfg.tls.certPath);
+          "tls keyfile" = mkIf (cfg.tls.keyPath != null) (mkOptionDefault cfg.tls.keyPath);
+          "tls cafile" = mkIf (cfg.tls.caPath != null) (mkOptionDefault cfg.tls.caPath);
+          "tls crlfile" = mkIf (cfg.tls.crlPath != null) (mkOptionDefault cfg.tls.crlPath);
+        })
         (mkIf cfg.usershare.enable {
           "usershare allow guests" = mkOptionDefault true;
           "usershare max shares" = mkOptionDefault 16;
@@ -221,6 +315,11 @@ in {
         "-valid" = false;
       };
     };
+    services.samba-wsdd = {
+      workgroup = mkIf (cfg.domain.name != null && cfg.domain.isWorkgroup) (mkAlmostOptionDefault (toUpper cfg.domain.name));
+      domain = mkIf (cfg.domain.name != null && !cfg.domain.isWorkgroup) (mkAlmostOptionDefault cfg.domain.name);
+      hostname = mkIf (cfg.domain.netbiosName != null) (mkAlmostOptionDefault cfg.domain.netbiosName');
+    };
 
     systemd.services.samba-smbd = mkIf cfg.enable {
       serviceConfig = let
@@ -240,6 +339,17 @@ in {
       "d ${cfg.usershare.path} 1770 root ${cfg.usershare.group}"
     ];
 
+    networking.hosts = mkIf (cfg.enable && cfg.domain.netbiosName != null) {
+      "::1" = mkAfter [ cfg.domain.netbiosName' ];
+      # not a typo...
+      "127.0.0.2" = mkAfter [ cfg.domain.netbiosName' ];
+    };
+    environment.etc."samba/lmhosts" = mkIf (cfg.enable && cfg.domain.lmhosts != { }) {
+      text = mkMerge (
+        mapAttrsToList (address: name: "${address} ${name}") cfg.domain.lmhosts
+      );
+    };
+
     networking.firewall.interfaces.local = {
       allowedTCPPorts = mkMerge [
         (mkIf (cfg.enable && !cfg.openFirewall) [139 445])