Require auth for public samba share

Remove sauerbraten
Minimal kexec image builder
2022-05-16 13:22:00 -04:00 · 2022-05-16 13:07:32 -04:00 · 2022-05-16 13:04:31 -04:00
6 changed files with 90 additions and 9 deletions
--- a/common/pc/default.nix
+++ b/common/pc/default.nix
@ -42,7 +42,6 @@ in {
      nextcloud-client
      signal-desktop
      minecraft
      sauerbraten
      gparted
      libreoffice-fresh
      thunderbird
--- a/common/pc/mount-samba.nix
+++ b/common/pc/mount-samba.nix
@ -12,7 +12,7 @@ let
  auth_opts = "credentials=/run/agenix/smb-secrets";
  version_opts = "vers=2.1";
-  opts = "${network_opts},${user_opts},${version_opts}";
+  opts = "${network_opts},${user_opts},${version_opts},${auth_opts}";
 in {
  options.services.mount-samba = {
    enable = lib.mkEnableOption "enable mounting samba shares";
@ -22,13 +22,13 @@ in {
    fileSystems."/mnt/public" = {
        device = "//s0.zt.neet.dev/public";
        fsType = "cifs";
-        options = ["guest,${opts}"];
+        options = [ opts ];
    };
    fileSystems."/mnt/private" = {
        device = "//s0.zt.neet.dev/googlebot";
        fsType = "cifs";
-        options = ["${auth_opts},${opts}"];
+        options = [ opts ];
    };
    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@ -35,7 +35,7 @@
          path = "/data/samba/Public";
          browseable = "yes";
          "read only" = "no";
-          "guest ok" = "yes";
+          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "public_data";
--- a/flake.nix
+++ b/flake.nix
@ -32,13 +32,10 @@
    archivebox.inputs.flake-utils.follows = "flake-utils";
  };
-  outputs = inputs: {
+  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs: {
    nixosConfigurations =
    let
      nixpkgs = inputs.nixpkgs;
      nixpkgs-unstable = inputs.nixpkgs-unstable;
      modules = system: [
        ./common
        inputs.simple-nixos-mailserver.nixosModule
@ -119,5 +116,16 @@
      "n6" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n6/configuration.nix;
      "n7" = mkSystem "aarch64-linux" nixpkgs ./machines/compute/n7/configuration.nix;
    };
    packages = let
      mkKexec = system:
        (nixpkgs.lib.nixosSystem {
          inherit system;
          modules = [ ./machines/kexec.nix ];
        }).config.system.build.kexec_tarball;
    in {
      "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
      "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
    };
  };
 }
--- a/machines/kexec.nix
+++ b/machines/kexec.nix
@ -0,0 +1,72 @@
 # From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
 # Builds a kexec img
 { config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/netboot/netboot.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
  system.build = rec {
    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
      mkdir $out
      if [ -f ${config.system.build.kernel}/bzImage ]; then
        cp ${config.system.build.kernel}/bzImage $out/kernel
      else
        cp ${config.system.build.kernel}/Image $out/kernel
      fi
      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
      nuke-refs $out/kernel
    '';
    kexec_script = pkgs.writeTextFile {
      executable = true;
      name = "kexec-nixos";
      text = ''
        #!${pkgs.stdenv.shell}
        set -e
        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
        sync
        echo "executing kernel, filesystems will be improperly umounted"
        ${pkgs.kexectools}/bin/kexec -e
      '';
    };
    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
      storeContents = [
        {
          object = config.system.build.kexec_script;
          symlink = "/kexec_nixos";
        }
      ];
      contents = [ ];
    };
  };
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
  boot.kernelParams = [
    "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
    "console=ttyS0" # enable serial console
    "console=tty1"
  ];
  boot.kernel.sysctl."vm.overcommit_memory" = "1";
  environment.systemPackages = with pkgs; [
    cryptsetup
    btrfs-progs
  ];
  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
  networking.useDHCP = true;
  networking.hostName = "kexec";
  services.openssh = {
    enable = true;
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
  };
  services.getty.autologinUser = "root";
  users.users.root.openssh.authorizedKeys.keys = (import ../common/ssh.nix).users;
 }
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@ -17,6 +17,8 @@
    allowDiscards = true;
  };
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  networking.hostName = "ray";
  hardware.enableAllFirmware = true;
Author	SHA1	Message	Date
Zuckerberg	63902fcb46	Require auth for public samba share	2022-05-16 13:22:00 -04:00
Zuckerberg	8a1e0b76f1	Remove sauerbraten	2022-05-16 13:07:32 -04:00
Zuckerberg	f144bda9e6	Minimal kexec image builder	2022-05-16 13:04:31 -04:00