NixOS configuration for Samba

Hi Guys,

I am a beginner drunk on NixOS Koolaid.

Mostly good experience so far, but still trying to understand how to ‘think’ within the Nix framework.

E.g. I want to set up an SMB share on my Nix server. I want to do it in a reproducible way.

  1. I follow the clear instructions here: Samba - NixOS Wiki

Now, I should also run these imperative commands:

a) mkdir a folder to share
b) smbpasswd -a username to add a user and password to the Samba database

Should I include these commands in a derivation? Or a script to be run after configuration?

Sorry for the very obvious question. Hope someone can help.

John

4 Likes

a) For creating folders, there is systemd.tmpfiles. Despite the implications of its name, you can use it to automatically ensure folders exist, without setting up any clean up. Looks something like this in my config:

systemd.tmpfiles.rules = [
  "d /mnt/media/Movies 0770 media media - -"
];

b) I don’t use SMB, but for normal Unix passwords, I just set them imperatively after installation.

More generally, you can do imperative things when activating a new NixOS configuration using system.activationScripts. Of course, the script you run should be idempotent, and such changes would not be able to be rolled back by standard NixOS mechanisms - imperative is imperative.

The other issue with this approach is that it is not really secure to include the password in your NixOS config, as the Nix store (to which the activation scripts get written) is world-readable (see this longstanding issue).

3 Likes

Yeah, I think tmpfiles is good for setting up empty Samba shares and permissions.

Basically everything in NixOS is done with activation scripts, so it is certainly possible to write them in a way that works with rolling back.

It ought to be possible to reproducibly and declaratively make the Samba state, but I haven’t seen any work on that (and I’ve looked a bit). If anyone knows about anyone working on that, I’d be very interested.

2 Likes

One issue is Samba uses a different hash type than /etc/passwd so I don’t see an easy way to directly keep the Linux & SMB passwords in sync. One hacky option would be to use the users.users.<name>.passwordFile option and then use an activationScript to populate the smbpasswd database.

Alternatively you could use the users.users.<name>.hashedPassword value directly as the SMB password but it might be annoying (you’d have to compute the hash on each client each time you mount the share).

If you have a lot of users or want the most professional option then LDAP is your best bet but it takes some effort to configure. The best option likely depends on your specific use case. IMO you may want to consider using NFS, SFTP, and SSHFS.

2 Likes

Thanks everyone! tmpfiles & activation scripts seem to be the way to go!

1 Like

Btw, I solved the password issue, by following this: security - Script samba password but securely - Unix & Linux Stack Exchange

Unsure whether this is v idiomatic, but it works:

system.activationScripts = {
  sambaUserSetup = {
    text = ''
      PATH=$PATH:${lib.makeBinPath [ pkgs.samba ]}
      pdbedit -i smbpasswd:/home/john/smbpasswd -e tdbsam:/var/lib/samba/private/passdb.tdb
    '';
    deps = [ ];
  };
};
2 Likes
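
A variant of the tmpfiles plus activation-script approach from this thread that takes the world-readable Nix store into account, as an added example and not code from any poster here. The import file location `/var/lib/samba-secrets/smbpasswd`, the share path `/srv/share` and the group `smbshare` are assumed names; the file itself is placed by the admin outside the Nix configuration.

```nix
{ config, lib, pkgs, ... }:

let
  # Assumed location outside /nix/store. Kept as a string on purpose:
  # a bare Nix path literal would be copied into the world-readable store.
  smbpasswdFile = "/var/lib/samba-secrets/smbpasswd";
  shareDir = "/srv/share"; # hypothetical share path
in
{
  services.samba.enable = true;

  # Unix account and group declared in configuration.nix
  users.groups.smbshare = { };
  users.users.john = {
    isNormalUser = true;
    extraGroups = [ "smbshare" ];
  };

  # a) the shared directory, plus a root-only directory for the import file
  systemd.tmpfiles.rules = [
    "d ${shareDir} 0770 john smbshare - -"
    "d /var/lib/samba-secrets 0700 root root - -"
  ];

  # b) import the Samba accounts on activation; only the *path* of the
  #    import file ends up in the store, never its contents
  system.activationScripts.sambaUserSetup = {
    deps = [ "users" ]; # run after the Unix accounts have been created
    text = ''
      PATH=$PATH:${lib.makeBinPath [ pkgs.samba pkgs.coreutils ]}
      f=${lib.escapeShellArg smbpasswdFile}
      if [ ! -f "$f" ]; then
        # Do not fail the activation: the file may not be provisioned yet
        echo "sambaUserSetup: $f not found, skipping import" >&2
      elif [ "$(stat -c '%u %a' "$f")" != "0 600" ]; then
        echo "sambaUserSetup: $f must be root-owned with mode 600, skipping" >&2
      else
        pdbedit -i smbpasswd:"$f" -e tdbsam:/var/lib/samba/private/passdb.tdb
      fi
    '';
  };
}
```

The smbpasswd-format file contains the accounts' password hashes, so it needs the same protection as the passwords themselves; that is why the script refuses to import a file that is not root-owned with mode 600.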

Hi all,

How can I configure my home directory in NixOS to be accessible over the network only by valid users? I’m having trouble setting it up correctly. Additionally, is there a way to create users, groups, and add users to the database during the initial setup in configuration.nix?

Any guidance or examples would be greatly appreciated. Thank you! :slightly_smiling_face:

 homes = {
      comment = "Home Directories";
      browseable = "no";
      "read only" = "no";
      "create mask" = "0700";
      "directory mask" = "0700";
      "valid users" = "%S";
      writable = "yes";
    };

I have already successfully configured Samba and set up my shared folders except for my home folder:

...
shares = {
      NixOs23-KDE-Public  = {
        path = "/home/tolga/Public";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "yes";
        "writable" = "yes";
        "create mask" = "0777";
        "directory mask" = "0777";
        "force user" = "tolga";
        "force group" = "samba";
      };

There are some good examples here that may help you

and a pretty detailed configuration here.

Samba - NixOS Wiki says you have to run an imperative command to set the SMB password for each user… beware.

Logs are always good if you can provide them.

I personally use NFS for this kind of job.

1 Like

When you say nfs are you referring to setting up your fstab entries in hardware-configuration.nix?
Example:

fileSystems."/mnt/nixos_share" = {
  device = "//192.168.0.20/LinuxData/HOME/PROFILES/NIXOS-23-05/TOLGA/";
  fsType = "cifs"; etc etc

No, I mean I use the Unix ‘network file system’, NFS.

Which is greatly superior to cifs, what sweaty blamer & locked gates wrote.

Network File System (NFS) is a distributed file system protocol developed by Sun Microsystems in 1984. It allows a user on a client computer to access files over a computer network, similar to how local storage is accessed. NFS is an open IETF standard defined in a Request for Comments (RFC), allowing anyone to implement the protocol. It defines the way files are stored and retrieved from storage devices across networks