I want to restrict discovery and access to a samba server running on my Raspberry Pi NAS w/ NixOS.
Here are the relevant bits of the Nix configuration:
```nix
networking = {
  hostId = "6459f901"; # needed for ZFS
  hostName = "nas";
  useDHCP = false;
  interfaces.eth0.useDHCP = true;
  interfaces.wlan0.useDHCP = true;
  firewall = {
    interfaces.tailscale0.allowedTCPPorts = [ 22 80 139 443 445 ];
    interfaces.tailscale0.allowedUDPPorts = [ 137 138 ];
  };
};

services.samba = {
  enable = true;
  enableWinbindd = false;
  extraConfig = ''
    workgroup = WORKGROUP
    server string = nas
    netbios name = nas
    security = user
    min protocol = SMB2
    guest account = nobody
    map to guest = bad user
    load printers = no
  '';
  shares.public = {
    path = "/nas/backup";
    browseable = "yes";
    "read only" = "no";
    "guest ok" = "yes";
    "guest only" = "yes";
    "force user" = "akhil";
  };
};

services.tailscale.enable = true;
```
and the generated smb.conf:

```ini
[global]
security = user
passwd program = /run/wrappers/bin/passwd %u
invalid users = root
workgroup = WORKGROUP
server string = nas
netbios name = nas
security = user
min protocol = SMB2
guest account = nobody
map to guest = bad user
load printers = no

[public]
browseable = yes
force user = akhil
guest ok = yes
guest only = yes
path = /nas/backup
read only = no
```
Is there some configuration missing that’s causing the NAS to be discoverable outside of Tailscale? The Samba docs mention an option for interfaces (smb.conf), but

> By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.
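The `interfaces` parameter quoted above replaces that kernel-derived default list, and `bind interfaces only = yes` makes smbd and nmbd serve requests only on the listed interfaces. The module below is an added example, not part of the original post; it reuses the post's Samba settings and assumes the Tailscale interface is named `tailscale0`, as in the firewall rules.

```nix
# Added example: the Samba block from the post plus two [global] parameters.
# Assumption: the Tailscale interface is named tailscale0 (taken from the
# firewall rules in the post).
{ ... }:
{
  services.samba = {
    enable = true;
    enableWinbindd = false;
    extraConfig = ''
      workgroup = WORKGROUP
      server string = nas
      netbios name = nas
      security = user
      min protocol = SMB2
      guest account = nobody
      map to guest = bad user
      load printers = no

      # Interfaces Samba may use. lo is listed so that local tools such as
      # smbpasswd can still reach smbd on 127.0.0.1.
      interfaces = lo tailscale0
      # Serve requests only on the interfaces listed above instead of on
      # every broadcast-capable interface the kernel reports.
      bind interfaces only = yes
    '';
    shares.public = {
      path = "/nas/backup";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "yes";
      "guest only" = "yes";
      "force user" = "akhil";
    };
  };
}
```

After a rebuild, `ss -tlnp` should list smbd on the loopback and Tailscale addresses rather than on `0.0.0.0`.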