I want to restrict discovery and access to a Samba server running on my Raspberry Pi NAS w/ NixOS.
Here are the relevant bits of the Nix configuration:
```nix
networking = {
  hostId = "6459f901"; # needed for ZFS
  hostName = "nas";
  useDHCP = false;
  interfaces.eth0.useDHCP = true;
  interfaces.wlan0.useDHCP = true;
  firewall = {
    interfaces.tailscale0.allowedTCPPorts = [ 22 80 139 443 445 ];
    interfaces.tailscale0.allowedUDPPorts = [ 137 138 ];
  };
};

services.samba = {
  enable = true;
  enableWinbindd = false;
  extraConfig = ''
    workgroup = WORKGROUP
    server string = nas
    netbios name = nas
    security = user
    min protocol = SMB2
    guest account = nobody
    map to guest = bad user
    load printers = no
  '';
  shares.public = {
    path = "/nas/backup";
    browseable = "yes";
    "read only" = "no";
    "guest ok" = "yes";
    "guest only" = "yes";
    "force user" = "akhil";
  };
};

services.tailscale.enable = true;
```
And the generated smb.conf:

```ini
[global]
security = user
passwd program = /run/wrappers/bin/passwd %u
invalid users = root
workgroup = WORKGROUP
server string = nas
netbios name = nas
security = user
min protocol = SMB2
guest account = nobody
map to guest = bad user
load printers = no

[public]
browseable = yes
force user = akhil
guest ok = yes
guest only = yes
path = /nas/backup
read only = no
```
Is there some configuration missing that’s causing the NAS to be discoverable outside of Tailscale? The Samba docs mention an option for interfaces (https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INTERFACES), but

> By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.
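
One way to pin Samba to the Tailscale interface with the `interfaces` option linked above, shown as an added example (it is not part of the original post or the poster's configuration). It assumes the interface is named `tailscale0`, as in the firewall rules in the post, and that clients connect from Tailscale's 100.64.0.0/10 address range; `bind interfaces only` and `hosts allow` are standard smb.conf parameters that the post does not mention.

```nix
{
  # Added example: reuses the module options from the post
  # (services.samba.extraConfig) and only adds lines to [global].
  services.samba = {
    enable = true;
    enableWinbindd = false;
    extraConfig = ''
      workgroup = WORKGROUP
      server string = nas
      netbios name = nas
      security = user
      min protocol = SMB2
      guest account = nobody
      map to guest = bad user
      load printers = no

      # Replace the default (every broadcast-capable interface the
      # kernel reports) with an explicit list.
      interfaces = lo tailscale0

      # Without this, "interfaces" alone does not limit where smbd
      # listens. With it, smbd binds only to the listed interfaces and
      # nmbd discards broadcast packets that did not arrive from them.
      bind interfaces only = yes

      # Second layer: refuse clients whose source address is outside
      # the Tailscale range (100.64.0.0/10), whatever interface the
      # connection arrived on.
      hosts allow = 127.0.0.1 100.64.0.0/255.192.0.0
    '';

    # shares.public stays exactly as in the post. It is a writable
    # guest share, so these network limits are its only access control.
  };
}
```

After a rebuild, `ss -tln` on the NAS should show ports 139 and 445 bound only to 127.0.0.1 and the Tailscale address. If `tailscale0` does not exist yet when smbd starts, the Tailscale listener can be missing until Samba is restarted.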