add readonly
This commit is contained in:
		
							parent
							
								
									8730ce7e12
								
							
						
					
					
						commit
						0d00dbbcfd
					
				@ -3,10 +3,18 @@
 | 
				
			|||||||
let
 | 
					let
 | 
				
			||||||
  cfg = config.services.dufs;
 | 
					  cfg = config.services.dufs;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # Helper to create auth string from user list
 | 
					  # Helper to create auth arguments from user list
 | 
				
			||||||
  mkAuthString = users: lib.concatMapStringsSep "|"
 | 
					  # Each user needs a separate -a flag
 | 
				
			||||||
    (user: "${user.username}:${user.passwordHash}@/:rw")
 | 
					  mkAuthArgs = users: readonlyUsers:
 | 
				
			||||||
    users;
 | 
					    let
 | 
				
			||||||
 | 
					      rwUsers = lib.concatMapStringsSep " "
 | 
				
			||||||
 | 
					        (user: "-a '${user.username}:${user.passwordHash}@/:rw'")
 | 
				
			||||||
 | 
					        users;
 | 
				
			||||||
 | 
					      roUsers = lib.concatMapStringsSep " "
 | 
				
			||||||
 | 
					        (user: "-a '${user.username}:${user.passwordHash}@/:ro'")
 | 
				
			||||||
 | 
					        readonlyUsers;
 | 
				
			||||||
 | 
					    in
 | 
				
			||||||
 | 
					    "${rwUsers} ${roUsers}";
 | 
				
			||||||
in
 | 
					in
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
  options.services.dufs = {
 | 
					  options.services.dufs = {
 | 
				
			||||||
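Review bot: `mkAuthArgs` hand-quotes each argument as `-a '${user.username}:${user.passwordHash}@/:rw'` (and the `@/:ro` variant), so a username or hash containing a single quote or whitespace would break or alter the generated command line. `lib` is already in scope, so the idiomatic form is `(user: "-a ${lib.escapeShellArg "${user.username}:${user.passwordHash}@/:rw"}")` for the rwUsers mapper and the same with `@/:ro` for roUsers. The result is spliced unquoted into the dufs invocation in the `@ -182,7 +225,7` hunk, which is where the quoting matters. When either list is empty the joined string carries a leading or trailing space, which appears harmless but is worth a one-line comment. The `let` block closes inside this hunk but the attribute set it opens continues outside it.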
@ -88,7 +96,10 @@ in
 | 
				
			|||||||
            };
 | 
					            };
 | 
				
			||||||
            passwordHash = lib.mkOption {
 | 
					            passwordHash = lib.mkOption {
 | 
				
			||||||
              type = lib.types.str;
 | 
					              type = lib.types.str;
 | 
				
			||||||
              description = "SHA-512 password hash (generate with: openssl passwd -6)";
 | 
					              description = ''
 | 
				
			||||||
 | 
					                SHA-512 password hash (generate with: mkpasswd -m sha-512)
 | 
				
			||||||
 | 
					                Note: Must start with $6$ for dufs compatibility
 | 
				
			||||||
 | 
					              '';
 | 
				
			||||||
            };
 | 
					            };
 | 
				
			||||||
          };
 | 
					          };
 | 
				
			||||||
        });
 | 
					        });
 | 
				
			||||||
@ -102,6 +113,32 @@ in
 | 
				
			|||||||
        ];
 | 
					        ];
 | 
				
			||||||
      };
 | 
					      };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					      readonlyUsers = lib.mkOption {
 | 
				
			||||||
 | 
					        type = lib.types.listOf (lib.types.submodule {
 | 
				
			||||||
 | 
					          options = {
 | 
				
			||||||
 | 
					            username = lib.mkOption {
 | 
				
			||||||
 | 
					              type = lib.types.str;
 | 
				
			||||||
 | 
					              description = "Username for authentication";
 | 
				
			||||||
 | 
					            };
 | 
				
			||||||
 | 
					            passwordHash = lib.mkOption {
 | 
				
			||||||
 | 
					              type = lib.types.str;
 | 
				
			||||||
 | 
					              description = ''
 | 
				
			||||||
 | 
					                SHA-512 password hash (generate with: mkpasswd -m sha-512)
 | 
				
			||||||
 | 
					                Note: Must start with $6$ for dufs compatibility
 | 
				
			||||||
 | 
					              '';
 | 
				
			||||||
 | 
					            };
 | 
				
			||||||
 | 
					          };
 | 
				
			||||||
 | 
					        });
 | 
				
			||||||
 | 
					        default = [];
 | 
				
			||||||
 | 
					        description = "List of users with read-only access";
 | 
				
			||||||
 | 
					        example = [
 | 
				
			||||||
 | 
					          {
 | 
				
			||||||
 | 
					            username = "viewer";
 | 
				
			||||||
 | 
					            passwordHash = "$6$rounds=656000$...";
 | 
				
			||||||
 | 
					          }
 | 
				
			||||||
 | 
					        ];
 | 
				
			||||||
 | 
					      };
 | 
				
			||||||
 | 
					
 | 
				
			||||||
      allowUpload = lib.mkOption {
 | 
					      allowUpload = lib.mkOption {
 | 
				
			||||||
        type = lib.types.bool;
 | 
					        type = lib.types.bool;
 | 
				
			||||||
        default = true;
 | 
					        default = true;
 | 
				
			||||||
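Review bot: The submodule declared at `readonlyUsers = lib.mkOption {` repeats the `username`/`passwordHash` submodule already used by `users` (visible in the `@ -88,7 +96,10` hunk) line for line, including the two-line hash description. Binding it once in the module's `let` block, e.g. `userSubmodule = lib.types.submodule { options = { … }; };`, and using `type = lib.types.listOf userSubmodule;` for both options keeps the two user kinds from drifting apart when the hash requirements change. The `options.services.dufs` attribute set this belongs to starts outside the hunk.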
@ -139,6 +176,12 @@ in
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
    users.groups.${cfg.group} = {};
 | 
					    users.groups.${cfg.group} = {};
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    # Ensure proper ownership of dufs directories
 | 
				
			||||||
 | 
					    systemd.tmpfiles.rules = [
 | 
				
			||||||
 | 
					      "d ${cfg.servePathPublic} 0755 ${cfg.user} ${cfg.group} -"
 | 
				
			||||||
 | 
					      "d ${cfg.servePathPrivate} 0755 ${cfg.user} ${cfg.group} -"
 | 
				
			||||||
 | 
					    ];
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    # Public read-only instance
 | 
					    # Public read-only instance
 | 
				
			||||||
    systemd.services.dufs-public = lib.mkIf cfg.publicInstance.enable {
 | 
					    systemd.services.dufs-public = lib.mkIf cfg.publicInstance.enable {
 | 
				
			||||||
      description = "dufs public read-only file server";
 | 
					      description = "dufs public read-only file server";
 | 
				
			||||||
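Review bot: Both tmpfiles rules create the serve directories with mode `0755`, so the private tree that the authenticated instance serves (see `dufs ${cfg.servePathPrivate}` in the `@ -182,7 +225,7` hunk) is readable by every local account, not only `cfg.user`/`cfg.group`. Unless something outside this hunk relies on other local users reading that path, `"d ${cfg.servePathPrivate} 0750 ${cfg.user} ${cfg.group} -"` is the least-privilege default, while the public directory can reasonably stay `0755`. If world-readability of the private path is intended, a short comment on that rule saying why would spare the next reader the same question.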
@ -182,7 +225,7 @@ in
 | 
				
			|||||||
          ${cfg.package}/bin/dufs ${cfg.servePathPrivate} \
 | 
					          ${cfg.package}/bin/dufs ${cfg.servePathPrivate} \
 | 
				
			||||||
            --bind ${cfg.privateInstance.bind} \
 | 
					            --bind ${cfg.privateInstance.bind} \
 | 
				
			||||||
            --port ${toString cfg.privateInstance.port} \
 | 
					            --port ${toString cfg.privateInstance.port} \
 | 
				
			||||||
            --auth '${mkAuthString cfg.privateInstance.users}' \
 | 
					            ${mkAuthArgs cfg.privateInstance.users cfg.privateInstance.readonlyUsers} \
 | 
				
			||||||
            ${lib.optionalString cfg.privateInstance.allowUpload "--allow-upload"} \
 | 
					            ${lib.optionalString cfg.privateInstance.allowUpload "--allow-upload"} \
 | 
				
			||||||
            ${lib.optionalString cfg.privateInstance.allowDelete "--allow-delete"} \
 | 
					            ${lib.optionalString cfg.privateInstance.allowDelete "--allow-delete"} \
 | 
				
			||||||
            ${lib.optionalString cfg.privateInstance.allowSearch "--allow-search"} \
 | 
					            ${lib.optionalString cfg.privateInstance.allowSearch "--allow-search"} \
 | 
				
			||||||
 | 
				
			|||||||
@ -194,20 +194,24 @@ in
 | 
				
			|||||||
        allowUpload = true;
 | 
					        allowUpload = true;
 | 
				
			||||||
        allowDelete = true;
 | 
					        allowDelete = true;
 | 
				
			||||||
        allowSearch = true;
 | 
					        allowSearch = true;
 | 
				
			||||||
 | 
					        # Read-write users
 | 
				
			||||||
        users = [
 | 
					        users = [
 | 
				
			||||||
          # Generate password hash with: openssl passwd -6
 | 
					          # Generate password hash with: mkpasswd -m sha-512
 | 
				
			||||||
          # Replace with actual username and hash
 | 
					          # These are temporary passwords and should be changed
 | 
				
			||||||
          # {
 | 
					 | 
				
			||||||
          #   username = "admin";
 | 
					 | 
				
			||||||
          #   passwordHash = "$6$rounds=656000$...";
 | 
					 | 
				
			||||||
          # }
 | 
					 | 
				
			||||||
          {
 | 
					          {
 | 
				
			||||||
            username = "nate";
 | 
					            username = "nate";
 | 
				
			||||||
            passwordHash = "$6$rounds=656000$6$3.mottgY50yEZJlr$8a8ztrB/G2kZ39C0cAMDEfQGd93sqL4tS.gQKjnDrRQVvE.VTIlp5JF/GRW95YsKhaOF3r9ui9RTj88Z8LBV80";
 | 
					            passwordHash = "$6$eIqVeCL9q5GlN.Em$xm7RxNcGfArYFBprmnggt1zzDf.HluKwXcG9LsJNCK6.vnKGmQDb5b7h7g81tWY7jIDdPsgLu0jiTzbz1lFIC0";  # password
 | 
				
			||||||
          }
 | 
					          }
 | 
				
			||||||
 | 
					        ];
 | 
				
			||||||
 | 
					        # Read-only users
 | 
				
			||||||
 | 
					        readonlyUsers = [
 | 
				
			||||||
          {
 | 
					          {
 | 
				
			||||||
            username = "guest";
 | 
					            username = "guest";
 | 
				
			||||||
            passwordHash = "$6$rounds=656000$6$tJlnxZhnNFPaDEXf$0Q.wZwDczaLfk5rIvX6FfCYvS75IY16WpuXKJyRMbdq4Ie8mZC3fSp5oOB95bMDRHRcabexi5Fp8j39c0pYc8.";
 | 
					            passwordHash = "$6$.Ot.4AWNRpx0LJ1s$M01RpAJ.VZWJfDrTlali.P0Fhnn0Ji.uP/fIdgZP0ly64g8AzeGb6/2C9dbKmnARdVV9M12mLmU6ENmUbR/ym1";  # guest
 | 
				
			||||||
 | 
					          }
 | 
				
			||||||
 | 
					          {
 | 
				
			||||||
 | 
					            username = "readonly";
 | 
				
			||||||
 | 
					            passwordHash = "$6$3Z5KK8mIbxN2tZR4$eCOpbwAKAk6CKMZWgWddgJaQyTDUkYzB0T8tNXfSUQkUL2A/QEXoEONcPaZnF/jfem9qB..Snm2xR/7GTkyVg.";  # readonly
 | 
				
			||||||
          }
 | 
					          }
 | 
				
			||||||
        ];
 | 
					        ];
 | 
				
			||||||
      };
 | 
					      };
 | 
				
			||||||
 | 
				
			|||||||
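Review bot: The new `passwordHash` values for `nate`, `guest` and `readonly` each carry a trailing comment (`# password`, `# guest`, `# readonly`) that reads like the corresponding plaintext password, and the added `# These are temporary passwords and should be changed` comment suggests they are weak; both the hashes and those comments are now in version control. Because the module places each hash on the dufs command line, they also end up world-readable in the Nix store and in the service's `/proc/<pid>/cmdline`, so hash strength is the only barrier for any local user. I would drop the plaintext comments at minimum, and consider sourcing the credentials from outside the store (a secrets manager such as agenix or sops-nix, or systemd `LoadCredential`) rather than literal strings in the configuration. The enclosing `privateInstance` attribute set starts outside the hunk.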