authorNikolay Amiantov <ab@fmap.me>2015-02-04 22:31:50 +0300
committerNikolay Amiantov <ab@fmap.me>2015-02-04 22:31:50 +0300
commitb903bf0a5752668dbbd6e7563e2c7b28309af2f6 (patch)
treefd668b325b0c1661e79ea38d819c4e6a5c814fcc /nixos/modules
parentfe07c77ff142f8a26ab0c14c65255748aa646a3a (diff)
nixos/samba: cleanup and update defaults
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix99
1 files changed, 31 insertions, 68 deletions
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index 6fcf89999523..8c79bf663d15 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -6,25 +6,11 @@ let
 
   cfg = config.services.samba;
 
-  logDir = "/var/log/samba";
-  privateDir = "/var/samba/private";
-
   samba = cfg.package;
 
   setupScript =
     ''
-      if ! test -d /var/samba ; then
-        mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd
-      fi
-
-      passwdFile="$(${pkgs.gnused}/bin/sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' ${configFile})"
-      if [ -n "$passwdFile" ]; then
-        echo 'INFO: [samba] creating directory containing passwd file'
-        mkdir -p "$(dirname "$passwdFile")"
-      fi
-
-      mkdir -p ${logDir}
-      mkdir -p ${privateDir}
+      mkdir -p /var/lock/samba /var/log/samba /var/cache/samba /var/lib/samba/private
     '';
 
   shareConfig = name:
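Review bot: `/var/lib/samba/private` is created by the same plain `mkdir -p` as the lock, log and cache directories, so its mode is whatever the umask of the setup script yields. Samba keeps its password and secrets databases in the private directory, so I would create it on its own with an explicit mode, `mkdir -p -m 0700 /var/lib/samba/private`, followed by `chmod 0700 /var/lib/samba/private` for hosts where it already exists. The state path also moves away from `/var/samba/private`; if existing installs have their password database there it will presumably no longer be picked up, so a migration step or a release note seems warranted.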
@@ -39,9 +25,10 @@ let
     (if cfg.configText != null then cfg.configText else
     ''
       [ global ]
-      log file = ${logDir}/log.%m
-      private dir = ${privateDir}
-      ${optionalString cfg.syncPasswordsByPam "pam password change = true"}
+      security = ${cfg.securityType}
+      passwd program = /var/setuid-wrappers/passwd %u
+      pam password change = ${toString cfg.syncPasswordsByPam}
+      invalid users = ${toString cfg.invalidUsers}
 
       ${cfg.extraConfig}
 
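Review bot: `pam password change = ${toString cfg.syncPasswordsByPam}` renders an empty value for the default setting, because Nix's `toString` maps `false` to the empty string and `true` to `1`. Spell the boolean out instead: `pam password change = ${if cfg.syncPasswordsByPam then "yes" else "no"}`. The generated global section also no longer gets `encrypt passwords = Yes` and `client plaintext auth = No` from the old `extraConfig` default that this commit removes further down, so both now depend on the package's built-in defaults; that is worth stating in the option documentation. The enclosing definition starts and ends outside this hunk.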
@@ -83,14 +70,16 @@ in
     services.samba = {
 
       enable = mkOption {
+        type = types.bool;
         default = false;
-        description = "
+        description = ''
           Whether to enable Samba, which provides file and print
           services to Windows clients through the SMB/CIFS protocol.
-        ";
+        '';
       };
 
       package = mkOption {
+        type = types.package;
         default = pkgs.samba;
         example = pkgs.samba4;
         description = ''
@@ -99,72 +88,47 @@ in
       };
 
       syncPasswordsByPam = mkOption {
+        type = types.bool;
         default = false;
-        description = "
-          enabling this will add a line directly after pam_unix.so.
+        description = ''
+          Enabling this will add a line directly after pam_unix.so.
           Whenever a password is changed the samba password will be updated as well.
           However you still yave to add the samba password once using smbpasswd -a user
           If you don't want to maintain an extra pwd database you still can send plain text
           passwords which is not secure.
-        ";
+        '';
       };
 
-      extraConfig = mkOption {
-        # !!! Bad default.
-        default = ''
-          # [global] continuing global section here, section is started by nix to set pids etc
-
-            smb passwd file = /etc/samba/passwd
-
-            # is this useful ?
-            domain master = auto
-
-            encrypt passwords = Yes
-            client plaintext auth = No
-
-            # yes: if you use this you probably also want to enable syncPasswordsByPam
-            # no: You can still use the pam password database. However
-            # passwords will be sent plain text on network (discouraged)
-
-            workgroup = Users
-            server string = %h
-            comment = Samba
-            log file = /var/log/samba/log.%m
-            log level = 10
-            max log size = 50000
-            security = ${cfg.securityType}
-
-            client lanman auth = Yes
-            dns proxy = no
-            invalid users = root
-            passdb backend = tdbsam
-            passwd program = /usr/bin/passwd %u
+      invalidUsers = mkOption {
+        type = types.listOf types.str;
+        default = [ "root" ];
+        description = ''
+          List of users who are denied to login via Samba.
         '';
-
-        description = "
-          additional global section and extra section lines go in here.
-        ";
       };
 
-      configFile = mkOption {
-        description = "
-          internal use to pass filepath to samba pam module
-        ";
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Additional global section and extra section lines go in here.
+        '';
       };
 
       configText = mkOption {
         type = types.nullOr types.lines;
         default = null;
-        description = "
+        description = ''
           Verbatim contents of smb.conf. If null (default), use the
           autogenerated file from NixOS instead.
-        ";
+        '';
       };
 
       securityType = mkOption {
-        description = "Samba security type";
+        type = types.str;
         default = "user";
         example = "share";
+        description = "Samba security type";
       };
 
       nsswins = mkOption {
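Review bot: `securityType` is now a free-form `types.str` that is interpolated into the `security =` line, yet its description still reads only "Samba security type" and its example is still `"share"`. Share-level security authenticates per share rather than per user and, as far as I know, is no longer accepted by Samba 4, which the `package` option offers as its example. I would change the example to a value valid for both packages, e.g. `example = "domain";`, and extend the description to name the accepted values and point to `man smb.conf`. The reworded `syncPasswordsByPam` description in the same hunk also keeps the typo "yave" and should say outright that sending plain-text passwords is the discouraged alternative.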
@@ -179,12 +143,11 @@ in
 
       shares = mkOption {
         default = {};
-        description =
-          ''
+        description = ''
           A set describing shared resources.
           See <command>man smb.conf</command> for options.
-          '';
-        type = types.attrsOf (types.attrsOf types.str);
+        '';
+        type = types.attrsOf (types.attrsOf types.unspecified);
         example =
           { srv =
              { path = "/srv";
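Review bot: Switching the share values to `types.unspecified` turns off type checking for everything that ends up in a share section. `shareConfig` is outside this hunk, so how it renders values is not visible here; if it relies on `toString`, a boolean such as `"read only" = false` would come out as an empty string rather than `no`, silently changing the share's access settings. I would either narrow the type to the kinds actually supported (strings, booleans, integers) and convert booleans to `yes`/`no` explicitly, or document in the description that values must already be valid smb.conf strings.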