From 19811d68546a3089daf665351af3fc7e24abac60 Mon Sep 17 00:00:00 2001
From: Tristan <tristan@tristans.cloud>
Date: Tue, 5 Aug 2025 14:37:57 +0100
Subject: [PATCH] alpine: add samba for public jellyfin library

---
 flake.nix                   |  2 ++
 nixos/services/fail2ban.nix |  5 ++++
 nixos/services/loki.nix     |  5 +++-
 nixos/services/samba.nix    | 52 +++++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 nixos/services/fail2ban.nix
 create mode 100644 nixos/services/samba.nix

diff --git a/flake.nix b/flake.nix
index 67b55a2..e93b95e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -84,6 +84,7 @@
       alpine = mkConf {
         nixos-modules = [
           ./hardware/alpine.nix
+          ./nixos/services/fail2ban.nix
           ./nixos/services/anki.nix
           ./nixos/services/forgejo.nix
           ./nixos/services/vaultwarden.nix
@@ -99,6 +100,7 @@
           ./nixos/services/authentik.nix
           ./nixos/services/monero.nix
           ./nixos/services/arr.nix
+          ./nixos/services/samba.nix
         ];
       };
 
diff --git a/nixos/services/fail2ban.nix b/nixos/services/fail2ban.nix
new file mode 100644
index 0000000..8b05b75
--- /dev/null
+++ b/nixos/services/fail2ban.nix
@@ -0,0 +1,5 @@
+{...}: {
+  services.fail2ban = {
+    enable = true;
+  };
+}
diff --git a/nixos/services/loki.nix b/nixos/services/loki.nix
index a5bf354..67afff0 100644
--- a/nixos/services/loki.nix
+++ b/nixos/services/loki.nix
@@ -48,6 +48,9 @@ in {
   ];
   services.alloy = {
     enable = true;
+    extraFlags = [
+      "--server.http.listen-addr=100.106.241.122:12345"
+    ];
   };
   environment.etc."alloy/config.alloy" = {
     text = ''
@@ -79,7 +82,7 @@ in {
         endpoint {
           url = "http://localhost:3100/loki/api/v1/push"
         }
-        max_streams = 24
+        max_streams = 64
       }
 
     '';
diff --git a/nixos/services/samba.nix b/nixos/services/samba.nix
new file mode 100644
index 0000000..e1e0fb8
--- /dev/null
+++ b/nixos/services/samba.nix
@@ -0,0 +1,52 @@
+{...}: {
+  users.users.guest = {
+    extraGroups = ["media"];
+    isNormalUser = true;
+  };
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "Tristan's Media Server";
+        "netbios name" = "alpine";
+        "security" = "user";
+        #"use sendfile" = "yes";
+        #"max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "192.168.1. 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "guest";
+        "map to guest" = "bad user";
+      };
+      "Music" = {
+        "path" = "/mnt/storage/media/Public/";
+        "browseable" = "yes";
+        "read only" = "no";
+        "guest ok" = "yes";
+        "guest only" = "yes";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+      };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.avahi = {
+    publish.enable = true;
+    publish.userServices = true;
+    # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+    nssmdns4 = true;
+    # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+    enable = true;
+    openFirewall = true;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+}