Adding samba and general user management
This commit is contained in:
@@ -4,6 +4,24 @@ base_domain: vm.krislamo.org
|
||||
allow_reboot: false
|
||||
manage_network: false
|
||||
|
||||
users:
|
||||
- name: jellyfin
|
||||
|
||||
samba:
|
||||
users:
|
||||
- name: jellyfin
|
||||
password: jellyfin
|
||||
shares:
|
||||
- name: jellyfin
|
||||
path: /srv/jellyfin
|
||||
owner: jellyfin
|
||||
group: jellyfin
|
||||
valid_users: jellyfin
|
||||
firewall:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
|
||||
# proxy
|
||||
proxy:
|
||||
#production: true
|
||||
@@ -35,3 +53,4 @@ traefik_http_only: true # if behind reverse-proxy
|
||||
# jellyfin
|
||||
jellyfin_domain: "jellyfin.{{ base_domain }}"
|
||||
jellyfin_version: latest
|
||||
jellyfin_media: /srv/jellyfin
|
||||
|
||||
@@ -22,3 +22,9 @@
|
||||
name: ddclient
|
||||
state: restarted
|
||||
listen: restart_ddclient
|
||||
|
||||
- name: Restart Samba
|
||||
ansible.builtin.service:
|
||||
name: smbd
|
||||
state: restarted
|
||||
listen: restart_samba
|
||||
@@ -29,3 +29,8 @@
|
||||
ansible.builtin.import_tasks: wireguard.yml
|
||||
tags: wireguard
|
||||
when: wireguard is defined
|
||||
|
||||
- name: Import Samba tasks
|
||||
ansible.builtin.import_tasks: samba.yml
|
||||
tags: samba
|
||||
when: samba is defined
|
||||
|
||||
52
roles/base/tasks/samba.yml
Normal file
52
roles/base/tasks/samba.yml
Normal file
@@ -0,0 +1,52 @@
|
||||
- name: Install Samba
|
||||
ansible.builtin.apt:
|
||||
name: samba
|
||||
state: present
|
||||
|
||||
- name: Create nologin shell accounts for Samba
|
||||
ansible.builtin.user:
|
||||
name: "{{ item.name }}"
|
||||
state: present
|
||||
shell: /usr/sbin/nologin
|
||||
createhome: false
|
||||
system: yes
|
||||
loop: "{{ samba.users }}"
|
||||
when: item.manage_user is defined and item.manage_user is true
|
||||
|
||||
- name: Create Samba users
|
||||
ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
|
||||
args:
|
||||
stdin: "{{ item.password }}\n{{ item.password }}"
|
||||
loop: "{{ samba.users }}"
|
||||
register: samba_users
|
||||
changed_when: "'User added' in samba_users.stdout"
|
||||
|
||||
- name: Ensure share directories exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
owner: "{{ item.owner }}"
|
||||
group: "{{ item.group }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
loop: "{{ samba.shares }}"
|
||||
|
||||
- name: Configure Samba shares
|
||||
ansible.builtin.template:
|
||||
src: smb.conf.j2
|
||||
dest: /etc/samba/smb.conf
|
||||
notify: restart_samba
|
||||
|
||||
- name: Start smbd and enable on boot
|
||||
ansible.builtin.service:
|
||||
name: smbd
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Allow SMB connections
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: 445
|
||||
proto: tcp
|
||||
from: "{{ item }}"
|
||||
state: enabled
|
||||
loop: "{{ samba.firewall }}"
|
||||
@@ -11,6 +11,23 @@
|
||||
mode: 0400
|
||||
when: authorized_keys is defined
|
||||
|
||||
- name: Create system users
|
||||
ansible.builtin.user:
|
||||
name: "{{ item.name }}"
|
||||
state: present
|
||||
shell: "{{ item.shell | default('/bin/bash') }}"
|
||||
create_home: "{{ item.home | default(false) }}"
|
||||
loop: "{{ users }}"
|
||||
when: users is defined
|
||||
|
||||
- name: Set authorized_keys for system users
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ item.key }}"
|
||||
key: "{{ item.value.key }}"
|
||||
state: present
|
||||
loop: "{{ users }}"
|
||||
when: users is defined and item.value.key is defined
|
||||
|
||||
- name: Manage filesystem mounts
|
||||
ansible.posix.mount:
|
||||
path: "{{ item.path }}"
|
||||
|
||||
19
roles/base/templates/smb.conf.j2
Normal file
19
roles/base/templates/smb.conf.j2
Normal file
@@ -0,0 +1,19 @@
|
||||
[global]
|
||||
workgroup = WORKGROUP
|
||||
server string = Samba Server %v
|
||||
netbios name = {{ ansible_hostname }}
|
||||
security = user
|
||||
map to guest = bad user
|
||||
dns proxy = no
|
||||
{% for user in samba.users %}
|
||||
smb encrypt = {{ 'mandatory' if user.encrypt | default(false) else 'disabled' }}
|
||||
{% endfor %}
|
||||
|
||||
{% for share in samba.shares %}
|
||||
[{{ share.name }}]
|
||||
path = {{ share.path }}
|
||||
browsable = yes
|
||||
guest ok = no
|
||||
read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
|
||||
valid users = {{ share.valid_users }}
|
||||
{% endfor %}
|
||||
@@ -1,5 +1,4 @@
|
||||
jellyfin_name: jellyfin
|
||||
jellyfin_volume: "{{ jellyfin_name }}"
|
||||
jellyfin_router: "{{ jellyfin_name }}"
|
||||
jellyfin_rooturl: "https://{{ jellyfin_domain }}"
|
||||
jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
|
||||
|
||||
@@ -4,11 +4,6 @@
|
||||
state: directory
|
||||
mode: 0500
|
||||
|
||||
- name: Create jellyfin user
|
||||
ansible.builtin.user:
|
||||
name: jellyfin
|
||||
state: present
|
||||
|
||||
- name: Get user jellyfin uid
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
version: '3.7'
|
||||
|
||||
volumes:
|
||||
{{ jellyfin_volume }}:
|
||||
config:
|
||||
cache:
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
@@ -24,6 +25,6 @@ services:
|
||||
- "traefik.docker.network=traefik"
|
||||
- "traefik.enable=true"
|
||||
volumes:
|
||||
- ./config:/config
|
||||
- ./cache:/cache
|
||||
- {{ jellyfin_volume }}:/media
|
||||
- config:/config
|
||||
- cache:/cache
|
||||
- {{ jellyfin_media }}:/media
|
||||
|
||||
@@ -19,14 +19,14 @@
|
||||
ansible.builtin.template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
mode: '0644'
|
||||
mode: 0644
|
||||
notify: reload_nginx
|
||||
|
||||
- name: Install nginx sites configuration
|
||||
ansible.builtin.template:
|
||||
src: server-nginx.conf.j2
|
||||
dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
|
||||
mode: '0644'
|
||||
mode: 0400
|
||||
loop: "{{ proxy.servers }}"
|
||||
notify: reload_nginx
|
||||
register: nginx_sites
|
||||
|
||||
Reference in New Issue
Block a user