non-root smb share

2025-10-11 12:07:56 +00:00 · 2025-02-21 01:09:27 -08:00 · 2025-02-21 01:09:27 -08:00 · d693e31c85
commit d693e31c85
parent 077178cbe0
6 changed files with 60 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,6 @@
 .DS_Store
 __pycache__
+compose.override.yml

 # website
 website/gitea
@ -23,8 +24,8 @@ terraria/worlds
 terraria/password.txt

 # nas
-nas/mount.json
-nas/user.json
+nas/*.json
+nas/users.sh

 # backup
 data.zip
--- a/README.md
+++ b/README.md
@ -10,7 +10,7 @@ Services deployed on [matthewtran.com](https://matthewtran.com).
 - minecraft
 - minecraft bedrock
 - terraria
- nas (LAN only)
+- nas (`<server>/share` on LAN)

 ## setup

@ -26,12 +26,14 @@ Services deployed on [matthewtran.com](https://matthewtran.com).
 5. Configure, build, and start services.
    - Create `website/sendgrid.key` with a [SendGrid API key](https://app.sendgrid.com/settings/api_keys).
    - Create `terraria/password.txt` if needed.
+    - Create `nas/mounts.json` which contains a list of `"<name>":"<directory>"` for the SMB share.
+    - Create `nas/users.json` which contains a list of `"<user>":"<password>"` for the SMB share.
    - `scripts/setup_repo.py`
    - Restore backups if needed. Make sure to set correct ownership. For example, `chown -R 2000:2000 website/gitea`.
    - `docker compose build`
    - `docker compose up -d`
 6. Optionally, add additional drives. This script formats the drive as LUKS/BTRFS with the key file stored in `/opt/luks` and auto-mounts on boot. Make sure to backup the key file elsewhere.
-    - `scripts/setup_drive.py <drive> <mount path>`
+    - `scripts/setup_drive.py <drive> <mount>`
 7. Optionally, run `scripts/setup_peer.py <name>` for each WireGuard client.
 8. Optionally, add the following DNS entries at the registrar.
    | hosts                   | type   | data                     |
--- a/nas/Dockerfile
+++ b/nas/Dockerfile
@ -6,11 +6,15 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 RUN apt-get update && apt-get -y upgrade
 RUN apt-get install -y samba

+# create required files and user
 RUN groupadd -g 2003 me && useradd -u 2003 -g 2003 -m me
 USER me
 WORKDIR /home/me
-
-# TODO copy config files
 RUN mkdir share samba samba/log samba/lock samba/state samba/cache samba/pid samba/private samba/ncalrpc
-COPY --chown=me:me smb.conf ./
-COPY --chown=me:me entry.sh ./
+COPY --chown=me:me smb.conf entry.sh ./
+
+# create additional users
+USER root
+COPY users.sh ./
+RUN /bin/sh users.sh && rm users.sh
+USER me
--- a/nas/entry.sh
+++ b/nas/entry.sh
@ -1,4 +1,6 @@
 #!/bin/sh

-# TODO sigterm?
-smbd -s smb.conf -l=/home/me/samba/log --foreground --no-process-group
+smbd -s smb.conf -l=/home/me/samba/log
+trap 'echo "stopping smbd..."' TERM
+tail -f /dev/null &
+wait $!
--- a/nas/smb.conf
+++ b/nas/smb.conf
@ -1,7 +1,26 @@
 [global]
 workgroup = WORKGROUP
-min protocol = SMB3
 smb ports = 8445
+load printers = no
+disable spoolss = yes
+
+server role = standalone
+security = user
+passdb backend = tdbsam
+map to guest = Never
+
+server min protocol = SMB3
+server smb encrypt = required
+server smb3 encryption algorithms = AES-256-GCM
+server smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256
+server signing = mandatory
+
+client min protocol = SMB3
+client smb encrypt = required
+client smb3 encryption algorithms = AES-256-GCM
+client smb3 signing algorithms = AES-128-GMAC AES-128-CMAC HMAC-SHA256
+client signing = required
+client ipc signing = required

 lock directory = /home/me/samba/lock
 state directory = /home/me/samba/state
@ -17,8 +36,5 @@ directory mask = 0770
 force user = me
 force group = me

-# TODO auth + encrypt
-guest ok = yes
-
 [share]
 path = /home/me/share
--- a/scripts/setup_repo.py
+++ b/scripts/setup_repo.py
@ -1,5 +1,6 @@
 #!/usr/bin/env python3

+import json
 import shutil
 from pathlib import Path

@ -26,5 +27,23 @@ if __name__ == "__main__":
            Path(p).mkdir(parents=True, exist_ok=True)
            shutil.chown(p, group=group)

-    # TODO generate volumes to mount
-    # TODO generate users
+    # add users to nas
+    users = json.load(open("nas/users.json", "r"))
+    with open("nas/users.sh", "w") as f:
+        for id, user in enumerate(users):
+            id = 3000 + id
+            f.write(f"groupadd -g {id} {user}\n")
+            f.write(f"useradd -M -s /bin/false -u {id} -g {id} {user}\n")
+            f.write(f"su - me -c 'echo \"{users[user]}\\n{users[user]}\\n\" | pdbedit -s smb.conf -a {user}'\n")
+
+    # add volumes to nas
+    mounts = json.load(open("nas/mounts.json"))
+    with open("compose.override.yml", "w") as f:
+        if mounts:
+            f.writelines(s + "\n" for s in [
+                "services:",
+                "  nas:",
+                "    volumes:",
+            ] + [
+                f"      - {mounts[m]}:/home/me/share/{m}" for m in mounts
+            ])