From 4c2a1550c4982f858db777aef76cf313fbf0e2e2 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Wed, 7 Jun 2023 02:12:17 -0400
Subject: [PATCH] Adding samba and general user management

---
 dev/host_vars/mediaserver.yml                |  19 +++++++
 roles/base/handlers/main.yml                 |   6 +++
 roles/base/tasks/main.yml                    |   5 ++
 roles/base/tasks/samba.yml                   |  52 +++++++++++++++++++
 roles/base/tasks/system.yml                  |  17 ++++++
 roles/base/templates/smb.conf.j2             |  19 +++++++
 roles/jellyfin/defaults/main.yml             |   1 -
 roles/jellyfin/tasks/main.yml                |   5 --
 .../jellyfin/templates/docker-compose.yml.j2 |   9 ++--
 roles/proxy/tasks/main.yml                   |   4 +-
 10 files changed, 125 insertions(+), 12 deletions(-)
 create mode 100644 roles/base/tasks/samba.yml
 create mode 100644 roles/base/templates/smb.conf.j2

diff --git a/dev/host_vars/mediaserver.yml b/dev/host_vars/mediaserver.yml
index 39dafe1..eda610d 100644
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@@ -4,6 +4,24 @@ base_domain: vm.krislamo.org
 allow_reboot: false
 manage_network: false
 
+users:
+  - name: jellyfin
+
+samba:
+  users:
+    - name: jellyfin
+      password: jellyfin
+  shares:
+    - name: jellyfin
+      path: /srv/jellyfin
+      owner: jellyfin
+      group: jellyfin
+      valid_users: jellyfin
+  firewall:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+
 # proxy
 proxy:
   #production: true
@@ -35,3 +53,4 @@ traefik_http_only: true # if behind reverse-proxy
 # jellyfin
 jellyfin_domain: "jellyfin.{{ base_domain }}"
 jellyfin_version: latest
+jellyfin_media: /srv/jellyfin
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index 59f85df..333a146 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -22,3 +22,9 @@
     name: ddclient
     state: restarted
   listen: restart_ddclient
+
+- name: Restart Samba
+  ansible.builtin.service:
+    name: smbd
+    state: restarted
+  listen: restart_samba
\ No newline at end of file
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 8a0d8c0..aec925c 100644
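Review bot: `password: jellyfin` under `samba.users` is a cleartext Samba credential committed to the repository, and host_vars is where the real value will end up once the dev placeholder is replaced; store it as an `ansible-vault` encrypted value (`password: !vault |` followed by the ciphertext) or resolve it through a lookup at run time. The `samba.users` entry does not set `manage_user`, so the nologin-shell account task in roles/base/tasks/samba.yml is skipped for it and the `jellyfin` account instead comes from the generic `users` task with its `/bin/bash` default — if that is intended, adding `shell: /usr/sbin/nologin` to the `users` entry keeps the service account non-interactive.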
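Review bot: `restart_samba` restarts smbd, which drops every open SMB session each time `smb.conf` is re-templated; smbd re-reads its configuration on reload, so `state: reloaded` would apply share changes without interrupting clients — confirm the smbd unit on the target supports reload before switching. The file also now ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the handler is being added.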
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -29,3 +29,8 @@
   ansible.builtin.import_tasks: wireguard.yml
   tags: wireguard
   when: wireguard is defined
+
+- name: Import Samba tasks
+  ansible.builtin.import_tasks: samba.yml
+  tags: samba
+  when: samba is defined
diff --git a/roles/base/tasks/samba.yml b/roles/base/tasks/samba.yml
new file mode 100644
index 0000000..a580adb
--- /dev/null
+++ b/roles/base/tasks/samba.yml
@@ -0,0 +1,52 @@
+- name: Install Samba
+  ansible.builtin.apt:
+    name: samba
+    state: present
+
+- name: Create nologin shell accounts for Samba
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: /usr/sbin/nologin
+    createhome: false
+    system: yes
+  loop: "{{ samba.users }}"
+  when: item.manage_user is defined and item.manage_user is true
+
+- name: Create Samba users
+  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
+  args:
+    stdin: "{{ item.password }}\n{{ item.password }}"
+  loop: "{{ samba.users }}"
+  register: samba_users
+  changed_when: "'User added' in samba_users.stdout"
+
+- name: Ensure share directories exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    state: directory
+    mode: 0755
+  loop: "{{ samba.shares }}"
+
+- name: Configure Samba shares
+  ansible.builtin.template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify: restart_samba
+
+- name: Start smbd and enable on boot
+  ansible.builtin.service:
+    name: smbd
+    state: started
+    enabled: true
+
+- name: Allow SMB connections
+  community.general.ufw:
+    rule: allow
+    port: 445
+    proto: tcp
+    from: "{{ item }}"
+    state: enabled
+  loop: "{{ samba.firewall }}"
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 89b5ef3..d6d1e79 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
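Review bot: `Create Samba users` loops over `samba.users`, so each loop item — `item.password` included — is printed in task output and in any configured log unless `no_log: true` is set; add it next to `register: samba_users`. The command uses no shell features, so `ansible.builtin.command` would keep `item.name` out of a shell, and because `smbpasswd` prompts on the controlling tty unless given `-s`, the stdin-driven form is probably safer as `smbpasswd -s -a {{ item.name }}` — confirm on a non-tty run; the `changed_when` string `User added` should likewise be checked against what smbpasswd actually prints (recent versions report `Added user <name>.`), otherwise the task never reports a change. `Configure Samba shares` could carry `validate: 'testparm -s %s'` so a malformed render is rejected before `restart_samba` fires. `mode: 0755` in `Ensure share directories exist`, like the `mode: 0644` and `mode: 0400` in roles/proxy/tasks/main.yml, is the leading-zero integer form that Ansible's documentation warns can be misread inside loops; quote it as `mode: "0755"`.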
@@ -11,6 +11,23 @@
     mode: 0400
   when: authorized_keys is defined
 
+- name: Create system users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: "{{ item.shell | default('/bin/bash') }}"
+    create_home: "{{ item.home | default(false) }}"
+  loop: "{{ users }}"
+  when: users is defined
+
+- name: Set authorized_keys for system users
+  ansible.posix.authorized_key:
+    user: "{{ item.key }}"
+    key: "{{ item.value.key }}"
+    state: present
+  loop: "{{ users }}"
+  when: users is defined and item.value.key is defined
+
 - name: Manage filesystem mounts
   ansible.posix.mount:
     path: "{{ item.path }}"
diff --git a/roles/base/templates/smb.conf.j2 b/roles/base/templates/smb.conf.j2
new file mode 100644
index 0000000..5884176
--- /dev/null
+++ b/roles/base/templates/smb.conf.j2
@@ -0,0 +1,19 @@
+[global]
+  workgroup = WORKGROUP
+  server string = Samba Server %v
+  netbios name = {{ ansible_hostname }}
+  security = user
+  map to guest = bad user
+  dns proxy = no
+{% for user in samba.users %}
+  smb encrypt = {{ 'mandatory' if user.encrypt | default(false) else 'disabled' }}
+{% endfor %}
+
+{% for share in samba.shares %}
+[{{ share.name }}]
+  path = {{ share.path }}
+  browsable = yes
+  guest ok = no
+  read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
+  valid users = {{ share.valid_users }}
+{% endfor %}
diff --git a/roles/jellyfin/defaults/main.yml b/roles/jellyfin/defaults/main.yml
index 7140f4b..c71d408 100644
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -1,5 +1,4 @@
 jellyfin_name: jellyfin
-jellyfin_volume: "{{ jellyfin_name }}"
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
 jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index cf45dea..f29a8ba 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
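Review bot: `Set authorized_keys for system users` cannot match the list shape the inventory uses: it reads `item.key` and `item.value.key` as if iterating a dict, but it loops the same list of `{name: ...}` mappings the task above it does, so `item.value.key is defined` is never true for those entries and no key is ever installed (or the lookup errors, depending on undefined handling). Use the list fields directly: `user: "{{ item.name }}"`, `key: "{{ item.key }}"` and `when: users is defined and item.key is defined`. Separately, `shell` defaulting to `/bin/bash` hands service accounts such as `jellyfin` an interactive shell; a `/usr/sbin/nologin` default (matching the Samba account task) with per-user opt-in to a login shell is the least-privilege shape.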
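Review bot: `smb encrypt` is emitted inside the `{% for user in samba.users %}` loop in `[global]`, so it is written once per user, the last user's `encrypt` flag wins, and with the sample inventory the rendered line is `smb encrypt = disabled`, which switches SMB transport encryption off rather than leaving it negotiable. Make it a single global (or per-share) setting by replacing the three loop lines with `smb encrypt = {{ 'mandatory' if samba.encrypt | default(false) else 'desired' }}`. `map to guest = bad user` grants nothing useful while every share is `guest ok = no`, and it maps failed logins to guest instead of rejecting them; `map to guest = never` is the tighter default. `server string = Samba Server %v` also advertises the exact Samba version to unauthenticated clients and is worth dropping.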
@@ -4,11 +4,6 @@
     state: directory
     mode: 0500
 
-- name: Create jellyfin user
-  ansible.builtin.user:
-    name: jellyfin
-    state: present
-
 - name: Get user jellyfin uid
   ansible.builtin.getent:
     database: passwd
diff --git a/roles/jellyfin/templates/docker-compose.yml.j2 b/roles/jellyfin/templates/docker-compose.yml.j2
index 51e7d0d..c4e5330 100644
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -1,7 +1,8 @@
 version: '3.7'
 
 volumes:
-  {{ jellyfin_volume }}:
+  config:
+  cache:
 
 networks:
   traefik:
@@ -24,6 +25,6 @@ services:
       - "traefik.docker.network=traefik"
       - "traefik.enable=true"
     volumes:
-      - ./config:/config
-      - ./cache:/cache
-      - {{ jellyfin_volume }}:/media
+      - config:/config
+      - cache:/cache
+      - {{ jellyfin_media }}:/media
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index f7ba8c6..7045fab 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -19,14 +19,14 @@
   ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-    mode: '0644'
+    mode: 0644
   notify: reload_nginx
 
 - name: Install nginx sites configuration
   ansible.builtin.template:
     src: server-nginx.conf.j2
     dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: '0644'
+    mode: 0400
   loop: "{{ proxy.servers }}"
   notify: reload_nginx
   register: nginx_sites
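Review bot: `config` and `cache` switch from `./config` / `./cache` bind mounts under the compose directory to named volumes, so an existing deployment's configuration under `{{ jellyfin_root }}/config` will no longer be visible to the container after this change and would need migrating — worth a sentence in the commit message or a one-off copy task. The `{{ jellyfin_media }}:/media` mount could likely be `{{ jellyfin_media }}:/media:ro` if Jellyfin is not expected to write into the library, which limits what the container can do to the same directory Samba exposes for the `jellyfin` user; the rest of the service definition is outside the hunk.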