1 { config, lib, pkgs, ... }:
7 smbToString = x: if builtins.typeOf x == "bool"
11 cfg = config.services.samba;
16 let share = getAttr name cfg.shares; in
17 "[${name}]\n " + (smbToString (
19 (key: "${key} = ${smbToString (getAttr key share)}\n")
23 configFile = pkgs.writeText "smb.conf"
24 (if cfg.configText != null then cfg.configText else
27 security = ${cfg.securityType}
28 passwd program = /run/wrappers/bin/passwd %u
29 invalid users = ${smbToString cfg.invalidUsers}
33 ${smbToString (map shareConfig (attrNames cfg.shares))}
36 # This may include nss_ldap, needed for samba if it has to use ldap.
37 nssModulesPath = config.system.nssModules.path;
39 daemonService = appName: args:
40 { description = "Samba Service Daemon ${appName}";
42 after = [ (mkIf (cfg.enableNmbd && "${appName}" == "smbd") "samba-nmbd.service") "network.target" ];
43 requiredBy = [ "samba.target" ];
44 partOf = [ "samba.target" ];
47 LD_LIBRARY_PATH = nssModulesPath;
48 LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
52 ExecStart = "${samba}/sbin/${appName} --foreground --no-process-group ${args}";
53 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
55 PIDFile = "/run/${appName}.pid";
57 NotifyAccess = "all"; #may not do anything...
59 unitConfig.RequiresMountsFor = "/var/lib/samba";
61 restartTriggers = [ configFile ];
68 (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "")
69 (mkRemovedOptionModule [ "services" "samba" "syncPasswordsByPam" ] "This option has been removed by upstream, see https://bugzilla.samba.org/show_bug.cgi?id=10669#c10")
76 # !!! clean up the descriptions.
83 description = lib.mdDoc ''
84 Whether to enable Samba, which provides file and print
85 services to Windows clients through the SMB/CIFS protocol.
88 If you use the firewall consider adding the following:
90 services.samba.openFirewall = true;
95 openFirewall = mkOption {
98 description = lib.mdDoc ''
99 Whether to automatically open the necessary ports in the firewall.
103 enableNmbd = mkOption {
106 description = lib.mdDoc ''
107 Whether to enable Samba's nmbd, which replies to NetBIOS over IP name
108 service requests. It also participates in the browsing protocols
109 which make up the Windows "Network Neighborhood" view.
113 enableWinbindd = mkOption {
116 description = lib.mdDoc ''
117 Whether to enable Samba's winbindd, which provides a number of services
118 to the Name Service Switch capability found in most modern C libraries,
119 to arbitrary applications via PAM and ntlm_auth and to Samba itself.
124 type = types.package;
125 default = pkgs.samba;
126 defaultText = literalExpression "pkgs.samba";
127 example = literalExpression "pkgs.samba4Full";
128 description = lib.mdDoc ''
129 Defines which package should be used for the samba server.
133 invalidUsers = mkOption {
134 type = types.listOf types.str;
135 default = [ "root" ];
136 description = lib.mdDoc ''
137 List of users who are denied to login via Samba.
141 extraConfig = mkOption {
144 description = lib.mdDoc ''
145 Additional global section and extra section lines go in here.
148 guest account = nobody
149 map to guest = bad user
153 configText = mkOption {
154 type = types.nullOr types.lines;
156 description = lib.mdDoc ''
157 Verbatim contents of smb.conf. If null (default), use the
158 autogenerated file from NixOS instead.
162 securityType = mkOption {
165 description = lib.mdDoc "Samba security type";
171 description = lib.mdDoc ''
172 Whether to enable the WINS NSS (Name Service Switch) plug-in.
173 Enabling it allows applications to resolve WINS/NetBIOS names (a.k.a.
174 Windows machine names) by transparently querying the winbindd daemon.
180 description = lib.mdDoc ''
181 A set describing shared resources.
182 See {command}`man smb.conf` for options.
184 type = types.attrsOf (types.attrsOf types.unspecified);
185 example = literalExpression ''
187 { path = "/srv/public";
191 comment = "Public samba share.";
202 ###### implementation
206 [ { assertion = cfg.nsswins -> cfg.enableWinbindd;
207 message = "If samba.nsswins is enabled, then samba.enableWinbindd must also be enabled";
210 # Always provide a smb.conf to shut up programs like smbclient and smbspool.
211 environment.etc."samba/smb.conf".source = mkOptionDefault (
212 if cfg.enable then configFile
213 else pkgs.writeText "smb-dummy.conf" "# Samba is disabled."
219 system.nssModules = optional cfg.nsswins samba;
220 system.nssDatabases.hosts = optional cfg.nsswins "wins";
224 description = "Samba Server";
225 after = [ "network.target" ];
226 wants = [ "network-online.target" ];
227 wantedBy = [ "multi-user.target" ];
229 # Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
230 # for correct use with systemd
232 samba-smbd = daemonService "smbd" "";
233 samba-nmbd = mkIf cfg.enableNmbd (daemonService "nmbd" "");
234 samba-winbindd = mkIf cfg.enableWinbindd (daemonService "winbindd" "");
237 "d /var/lock/samba - - - - -"
238 "d /var/log/samba - - - - -"
239 "d /var/cache/samba - - - - -"
240 "d /var/lib/samba/private - - - - -"
244 security.pam.services.samba = {};
245 environment.systemPackages = [ cfg.package ];
247 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 139 445 ];
248 networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ 137 138 ];