n8r/nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add clearer permissions

Browse Source
This commit is contained in:
Nathan Anderson 2025-10-26 21:52:50 -06:00
parent 877560a974
commit 2eadf8918d
2 changed files with 62 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
shared/modules/services/dufs.nix
View File

@ -3,18 +3,34 @@
let
cfg = config.services.dufs;
# Helper to create auth arguments from user list
# Each user needs a separate -a flag
mkAuthArgs = users: readonlyUsers:
# User credential submodule
userCredential = lib.types.submodule {
options = {
username = lib.mkOption {
type = lib.types.str;
description = "Username for authentication";
};
passwordHash = lib.mkOption {
type = lib.types.str;
description = ''
SHA-512 password hash (generate with: mkpasswd -m sha-512)
Note: Must start with $6$ for dufs compatibility
'';
};
};
};
# Helper to create auth arguments for different permission levels
mkAuthArgs = rwUsers: roUsers:
let
rwUsers = lib.concatMapStringsSep " "
writers = lib.concatMapStringsSep " "
(user: "-a '${user.username}:${user.passwordHash}@/:rw'")
users;
roUsers = lib.concatMapStringsSep " "
rwUsers;
readers = lib.concatMapStringsSep " "
(user: "-a '${user.username}:${user.passwordHash}@/:ro'")
readonlyUsers;
roUsers;
in
"${rwUsers} ${roUsers}";
lib.concatStringsSep " " (lib.filter (s: s != "") [writers readers]);
in
{
options.services.dufs = {
@ -65,6 +81,12 @@ in
description = "Bind address for public instance";
};
users = lib.mkOption {
type = lib.types.listOf userCredential;
default = [];
description = "Users with read-write access";
};
allowSearch = lib.mkOption {
type = lib.types.bool;
default = true;
@ -88,55 +110,15 @@ in
};
users = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
options = {
username = lib.mkOption {
type = lib.types.str;
description = "Username for authentication";
};
passwordHash = lib.mkOption {
type = lib.types.str;
description = ''
SHA-512 password hash (generate with: mkpasswd -m sha-512)
Note: Must start with $6$ for dufs compatibility
'';
};
};
});
type = lib.types.listOf userCredential;
default = [];
description = "List of users with read-write access";
example = [
{
username = "admin";
passwordHash = "$6$rounds=656000$...";
}
];
description = "Users with read-write access";
};
readonlyUsers = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
options = {
username = lib.mkOption {
type = lib.types.str;
description = "Username for authentication";
};
passwordHash = lib.mkOption {
type = lib.types.str;
description = ''
SHA-512 password hash (generate with: mkpasswd -m sha-512)
Note: Must start with $6$ for dufs compatibility
'';
};
};
});
guestUsers = lib.mkOption {
type = lib.types.listOf userCredential;
default = [];
description = "List of users with read-only access";
example = [
{
username = "viewer";
passwordHash = "$6$rounds=656000$...";
}
];
description = "Guest users with read-only access";
};
allowUpload = lib.mkOption {
@ -192,10 +174,16 @@ in
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = ''
ExecStart =
let
hasAuth = (cfg.publicInstance.users != []);
authArgs = lib.optionalString hasAuth
(mkAuthArgs cfg.publicInstance.users []) + " -a @/"; # allows read only on all paths (public)
in ''
${cfg.package}/bin/dufs ${cfg.servePathPublic} \
--bind ${cfg.publicInstance.bind} \
--port ${toString cfg.publicInstance.port} \
${authArgs} \
${lib.optionalString cfg.publicInstance.allowSearch "--allow-search"}
'';
Restart = "on-failure";
@ -224,7 +212,7 @@ in
${cfg.package}/bin/dufs ${cfg.servePathPrivate} \
--bind ${cfg.privateInstance.bind} \
--port ${toString cfg.privateInstance.port} \
${mkAuthArgs cfg.privateInstance.users cfg.privateInstance.readonlyUsers} \
${mkAuthArgs cfg.privateInstance.users cfg.privateInstance.guestUsers} \
${lib.optionalString cfg.privateInstance.allowUpload "--allow-upload"} \
${lib.optionalString cfg.privateInstance.allowDelete "--allow-delete"} \
${lib.optionalString cfg.privateInstance.allowSearch "--allow-search"}

28
shared/server-configuration.nix
View File

@ -182,39 +182,38 @@ in
user = "kage";
group = "users";
# Public read-only instance
# Public instance with admin/guest authentication
publicInstance = {
enable = true;
port = 5000;
allowSearch = true;
# Admin users can upload/modify on public instance
users = [
{
username = "nate";
passwordHash = "$6$lJDBaW7zzlaAlzbV$u.mzsKCDOCWdUffPlXhx9dWRgJsxOUJRKj5Z5/NMEPC2WfPT9x9W145rThogzFLhynIT7UkYXd4zYdnsrGPRS0"; # open
}
];
};
# Private read-write instance with authentication
# Private instance with admin/user/guest authentication
privateInstance = {
enable = true;
port = 5001;
allowUpload = true;
allowDelete = true;
allowDelete = false;
allowSearch = true;
# Read-write users
users = [
# Generate password hash with: mkpasswd -m sha-512
# These are temporary passwords and should be changed
{
username = "nate";
passwordHash = "$6$eIqVeCL9q5GlN.Em$xm7RxNcGfArYFBprmnggt1zzDf.HluKwXcG9LsJNCK6.vnKGmQDb5b7h7g81tWY7jIDdPsgLu0jiTzbz1lFIC0"; # password
username = "user";
passwordHash = "$6$lJDBaW7zzlaAlzbV$u.mzsKCDOCWdUffPlXhx9dWRgJsxOUJRKj5Z5/NMEPC2WfPT9x9W145rThogzFLhynIT7UkYXd4zYdnsrGPRS0"; # open
}
];
# Read-only users
readonlyUsers = [
guestUsers = [
{
username = "guest";
passwordHash = "$6$.Ot.4AWNRpx0LJ1s$M01RpAJ.VZWJfDrTlali.P0Fhnn0Ji.uP/fIdgZP0ly64g8AzeGb6/2C9dbKmnARdVV9M12mLmU6ENmUbR/ym1"; # guest
}
{
username = "readonly";
passwordHash = "$6$3Z5KK8mIbxN2tZR4$eCOpbwAKAk6CKMZWgWddgJaQyTDUkYzB0T8tNXfSUQkUL2A/QEXoEONcPaZnF/jfem9qB..Snm2xR/7GTkyVg."; # readonly
}
];
};
};
@ -235,7 +234,6 @@ in
listenAddresses = [ "*:631" ];
allowFrom = [ "all" ];
browsing = true;
# browserAddress = "192.168.1.169:631";
defaultShared = true;
openFirewall = true;
};