Commit 1e9f15fd6ffb

Vincent Demeester <vincent@sbr.pm>
2025-12-26 18:42:09
fix(samba): Harden security and improve client compatibility
- Disable guest access on all shares to prevent unauthorized access - Relax encryption requirement for broader client compatibility - Enable flexible signing to support diverse client capabilities Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 9eb15e1
Changed files (2)
systems/aix/extra.nix
@@ -64,25 +64,45 @@ in
 
     samba.settings = {
       global."server string" = "Aix";
-      vincent = libx.mkSambaShare {
-        name = "vincent";
-        path = "/data/share";
-      };
-      music = libx.mkSambaShare {
-        name = "music";
-        path = "/data/music";
-        readOnly = true;
-      };
-      ebooks = libx.mkSambaShare {
-        name = "ebooks";
-        path = "/data/ebooks";
-        readOnly = true;
-      };
-      audiobooks = libx.mkSambaShare {
-        name = "audiobooks";
-        path = "/data/audiobooks";
-        readOnly = true;
-      };
+      vincent =
+        (libx.mkSambaShare {
+          name = "vincent";
+          path = "/data/share";
+        })
+        // {
+          "guest ok" = "no";
+          public = "no";
+        };
+      music =
+        (libx.mkSambaShare {
+          name = "music";
+          path = "/data/music";
+          readOnly = true;
+        })
+        // {
+          "guest ok" = "no";
+          public = "no";
+        };
+      ebooks =
+        (libx.mkSambaShare {
+          name = "ebooks";
+          path = "/data/ebooks";
+          readOnly = true;
+        })
+        // {
+          "guest ok" = "no";
+          public = "no";
+        };
+      audiobooks =
+        (libx.mkSambaShare {
+          name = "audiobooks";
+          path = "/data/audiobooks";
+          readOnly = true;
+        })
+        // {
+          "guest ok" = "no";
+          public = "no";
+        };
     };
 
     wireguard = {
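Review bot: The same `// { "guest ok" = "no"; public = "no"; }` overlay is pasted onto all four shares, and `public` is only a synonym for `guest ok` in smb.conf, so each share sets one option twice under two names. A small local helper such as `private = share: share // { "guest ok" = "no"; };` applied as `vincent = private (libx.mkSambaShare { … });` would state the intent once and keep the four definitions as short as before; alternatively a single `global."guest ok" = "no";` next to `global."server string"` sets the share-level default for every share. Whether the overlay changes anything at all depends on `libx.mkSambaShare`, which is not visible here: Samba's own default for `guest ok` is already `no`, so the override only matters if the helper enables guest access. The `let … in` that encloses this attribute set starts outside the hunk.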
systems/common/services/samba.nix
@@ -13,7 +13,8 @@
         global = {
           security = "user";
           workgroup = "WORKGROUP";
-          "server smb encrypt" = "required";
+          "server smb encrypt" = "desired";
+          "server signing" = "auto";
           "server min protocol" = "SMB3_00";
           "hosts allow" = "192.168. 10.100. 127.0.0.1 localhost";
           "hosts deny" = "0.0.0.0/0";
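Review bot: Going from `"server smb encrypt" = "required"` to `"desired"` means a client that does not negotiate SMB3 encryption now gets an unencrypted session instead of being refused, and with `"server signing" = "auto"` integrity protection is likewise offered rather than enforced; the commit title says "Harden security" but the only guard left for those sessions is the `hosts allow` list below. The reason for the relaxation should be recorded next to the setting so nobody quietly restores `required` later, e.g. `# "desired" instead of "required": <client that could not negotiate SMB3 encryption> — sessions from such clients are in the clear, bounded only by "hosts allow"`. If the writable `vincent` share in systems/aix/extra.nix is the one that matters, the per-share `smb encrypt = "required"` option can keep encryption mandatory there while the read-only media shares stay at the global `desired`; and if signing is meant as the fallback integrity control, `"server signing" = "mandatory"` would actually enforce it. The `global` attribute set continues outside the hunk.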