nixos/samba: migrate to structural settings (RFC42)

2024-04-08 22:34:05 +02:00 · 2024-04-08 22:34:05 +02:00 · 988c598106
commit 988c598106
parent 6423eb0fb7
3 changed files with 78 additions and 107 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -335,6 +335,13 @@
 - The `replay-sorcery` package and module was removed as it unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead.
 - To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `samba` have been moved from `extraConfig` to the new freeform option `settings` and renamed, e.g.:
  - `services.samba.invalidUsers` to `services.samba.settings.global."invalid users"`
  - `services.samba.securityType` to `services.samba.settings.global."security type"`
  - `services.samba.shares` to `services.samba.settings`
  - `services.samba.enableWinbindd` to `services.samba.winbindd.enable`
  - `services.samba.enableNmbd` to `services.samba.nmbd.enable`
 - `zx` was updated to v8, which introduces several breaking changes.
  See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@ -3,36 +3,13 @@
 with lib;
 let
  smbToString = x: if builtins.typeOf x == "bool"
                   then boolToString x
                   else toString x;
  cfg = config.services.samba;
  settingsFormat = pkgs.formats.ini { };
  configFile = settingsFormat.generate "smb.conf" cfg.settings;
  samba = cfg.package;
  shareConfig = name:
    let share = getAttr name cfg.shares; in
    "[${name}]\n " + (smbToString (
       map
         (key: "${key} = ${smbToString (getAttr key share)}\n")
         (attrNames share)
    ));
  configFile = pkgs.writeText "smb.conf"
    (if cfg.configText != null then cfg.configText else
    ''
      [global]
      security = ${cfg.securityType}
      passwd program = /run/wrappers/bin/passwd %u
      invalid users = ${smbToString cfg.invalidUsers}
      ${cfg.extraConfig}
      ${smbToString (map shareConfig (attrNames cfg.shares))}
    '');
  # This may include nss_ldap, needed for samba if it has to use ldap.
  nssModulesPath = config.system.nssModules.path;
@ -68,6 +45,19 @@ in
  imports = [
    (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "")
    (mkRemovedOptionModule [ "services" "samba" "syncPasswordsByPam" ] "This option has been removed by upstream, see https://bugzilla.samba.org/show_bug.cgi?id=10669#c10")
    (lib.mkRemovedOptionModule [ "services" "samba" "configText" ] ''
      Use services.samba.settings instead.
      This is part of the general move to use structured settings instead of raw
      text for config as introduced by RFC0042:
      https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
    '')
    (lib.mkRemovedOptionModule [ "services" "samba" "extraConfig" ] "Use services.samba.settings instead.")
    (lib.mkRenamedOptionModule [ "services" "samba" "invalidUsers" ] [ "services" "samba" "settings" "global" "invalid users" ])
    (lib.mkRenamedOptionModule [ "services" "samba" "securityType" ] [ "services" "samba" "settings" "global" "security type" ])
    (lib.mkRenamedOptionModule [ "services" "samba" "shares" ] [ "services" "samba" "settings" ])
  ];
  ###### interface
@ -125,41 +115,6 @@ in
        example = "samba4Full";
      };
      invalidUsers = mkOption {
        type = types.listOf types.str;
        default = [ "root" ];
        description = ''
          List of users who are denied to login via Samba.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Additional global section and extra section lines go in here.
        '';
        example = ''
          guest account = nobody
          map to guest = bad user
        '';
      };
      configText = mkOption {
        type = types.nullOr types.lines;
        default = null;
        description = ''
          Verbatim contents of smb.conf. If null (default), use the
          autogenerated file from NixOS instead.
        '';
      };
      securityType = mkOption {
        type = types.enum [ "auto" "user" "domain" "ads" ];
        default = "user";
        description = "Samba security type";
      };
      nsswins = mkOption {
        default = false;
        type = types.bool;
@ -170,25 +125,31 @@ in
        '';
      };
-      shares = mkOption {
+      settings = lib.mkOption {
        type = lib.types.submodule { freeformType = settingsFormat.type; };
        default = {};
        example = {
          "global" = {
            "security" = "user";
            "passwd program" = "/run/wrappers/bin/passwd %u";
            "invalid users" = "root";
          };
          "public" = {
            "path" = "/srv/public";
            "read only" = "yes";
            "browseable" = "yes";
            "guest ok" = "yes";
            "comment" = "Public samba share.";
          };
        };
        description = ''
-          A set describing shared resources.
+          Configuration file for the Samba suite in ini format.
-          See {command}`man smb.conf` for options.
+          This file is located in /etc/samba/smb.conf
-        '';
+
-        type = types.attrsOf (types.attrsOf types.unspecified);
+          Refer to <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html>
-        example = literalExpression ''
+          for all available options.
          { public =
            { path = "/srv/public";
              "read only" = true;
              browseable = "yes";
              "guest ok" = "yes";
              comment = "Public samba share.";
            };
          }
        '';
      };
    };
  };
--- a/nixos/tests/samba.nix
+++ b/nixos/tests/samba.nix
@ -1,46 +1,49 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, ... }: {
 {
  name = "samba";
  meta.maintainers = [ ];
-  nodes =
+  nodes = {
-    { client =
+    client =
-        { pkgs, ... }:
+      { ... }:
-        { virtualisation.fileSystems =
+      {
-            { "/public" = {
+        virtualisation.fileSystems = {
-                fsType = "cifs";
+          "/public" = {
-                device = "//server/public";
+            fsType = "cifs";
-                options = [ "guest" ];
+            device = "//server/public";
-              };
+            options = [ "guest" ];
-            };
+          };
        };
      };
-      server =
+    server =
-        { ... }:
+      { ... }:
-        { services.samba.enable = true;
+      {
-          services.samba.openFirewall = true;
+        services.samba = {
-          services.samba.shares.public =
+          enable = true;
-            { path = "/public";
+          openFirewall = true;
          settings = {
            "public" = {
              "path" = "/public";
              "read only" = true;
-              browseable = "yes";
+              "browseable" = "yes";
              "guest ok" = "yes";
-              comment = "Public samba share.";
+              "comment" = "Public samba share.";
            };
          };
        };
-    };
+      };
  };
  # client# [    4.542997] mount[777]: sh: systemd-ask-password: command not found
-  testScript =
+  testScript = ''
-    ''
+    server.start()
-      server.start()
+    server.wait_for_unit("samba.target")
-      server.wait_for_unit("samba.target")
+    server.succeed("mkdir -p /public; echo bar > /public/foo")
      server.succeed("mkdir -p /public; echo bar > /public/foo")
-      client.start()
+    client.start()
-      client.wait_for_unit("remote-fs.target")
+    client.wait_for_unit("remote-fs.target")
-      client.succeed("[[ $(cat /public/foo) = bar ]]")
+    client.succeed("[[ $(cat /public/foo) = bar ]]")
-    '';
+  '';
 })