Adding samba and general user management

2023-06-07 02:12:17 -04:00 · 2023-06-07 02:12:17 -04:00 · 4c2a1550c4
commit 4c2a1550c4
parent f02cf7b0cc
10 changed files with 125 additions and 12 deletions
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@ -4,6 +4,24 @@ base_domain: vm.krislamo.org
 allow_reboot: false
 manage_network: false

+users:
+  - name: jellyfin
+
+samba:
+  users:
+    - name: jellyfin
+      password: jellyfin
+  shares:
+    - name: jellyfin
+      path: /srv/jellyfin
+      owner: jellyfin
+      group: jellyfin
+      valid_users: jellyfin
+  firewall:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+
 # proxy
 proxy:
  #production: true
@ -35,3 +53,4 @@ traefik_http_only: true # if behind reverse-proxy
 # jellyfin
 jellyfin_domain: "jellyfin.{{ base_domain }}"
 jellyfin_version: latest
+jellyfin_media: /srv/jellyfin
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -22,3 +22,9 @@
    name: ddclient
    state: restarted
  listen: restart_ddclient
+
+- name: Restart Samba
+  ansible.builtin.service:
+    name: smbd
+    state: restarted
+  listen: restart_samba
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -29,3 +29,8 @@
  ansible.builtin.import_tasks: wireguard.yml
  tags: wireguard
  when: wireguard is defined
+
+- name: Import Samba tasks
+  ansible.builtin.import_tasks: samba.yml
+  tags: samba
+  when: samba is defined
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@ -0,0 +1,52 @@
+- name: Install Samba
+  ansible.builtin.apt:
+    name: samba
+    state: present
+
+- name: Create nologin shell accounts for Samba
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: /usr/sbin/nologin
+    createhome: false
+    system: yes
+  loop: "{{ samba.users }}"
+  when: item.manage_user is defined and item.manage_user is true
+
+- name: Create Samba users
+  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
+  args:
+    stdin: "{{ item.password }}\n{{ item.password }}"
+  loop: "{{ samba.users }}"
+  register: samba_users
+  changed_when: "'User added' in samba_users.stdout"
+
+- name: Ensure share directories exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    state: directory
+    mode: 0755
+  loop: "{{ samba.shares }}"
+
+- name: Configure Samba shares
+  ansible.builtin.template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify: restart_samba
+
+- name: Start smbd and enable on boot
+  ansible.builtin.service:
+    name: smbd
+    state: started
+    enabled: true
+
+- name: Allow SMB connections
+  community.general.ufw:
+    rule: allow
+    port: 445
+    proto: tcp
+    from: "{{ item }}"
+    state: enabled
+  loop: "{{ samba.firewall }}"
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@ -11,6 +11,23 @@
    mode: 0400
  when: authorized_keys is defined

+- name: Create system users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: "{{ item.shell | default('/bin/bash') }}"
+    create_home: "{{ item.home | default(false) }}"
+  loop: "{{ users }}"
+  when: users is defined
+
+- name: Set authorized_keys for system users
+  ansible.posix.authorized_key:
+    user: "{{ item.key }}"
+    key: "{{ item.value.key }}"
+    state: present
+  loop: "{{ users }}"
+  when: users is defined and item.value.key is defined
+
 - name: Manage filesystem mounts
  ansible.posix.mount:
    path: "{{ item.path }}"
--- a/roles/base/templates/smb.conf.j2
+++ b/roles/base/templates/smb.conf.j2
@ -0,0 +1,19 @@
+[global]
+   workgroup = WORKGROUP
+   server string = Samba Server %v
+   netbios name = {{ ansible_hostname }}
+   security = user
+   map to guest = bad user
+   dns proxy = no
+{% for user in samba.users %}
+   smb encrypt = {{ 'mandatory' if user.encrypt | default(false) else 'disabled' }}
+{% endfor %}
+
+{% for share in samba.shares %}
+[{{ share.name }}]
+   path = {{ share.path }}
+   browsable = yes
+   guest ok = no
+   read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
+   valid users = {{ share.valid_users }}
+{% endfor %}
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@ -1,5 +1,4 @@
 jellyfin_name: jellyfin
-jellyfin_volume: "{{ jellyfin_name }}"
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
 jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@ -4,11 +4,6 @@
    state: directory
    mode: 0500

- name: Create jellyfin user
-  ansible.builtin.user:
-    name: jellyfin
-    state: present
-
 - name: Get user jellyfin uid
  ansible.builtin.getent:
    database: passwd
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@ -1,7 +1,8 @@
 version: '3.7'

 volumes:
-  {{ jellyfin_volume }}:
+  config:
+  cache:

 networks:
  traefik:
@ -24,6 +25,6 @@ services:
      - "traefik.docker.network=traefik"
      - "traefik.enable=true"
    volumes:
-      - ./config:/config
-      - ./cache:/cache
-      - {{ jellyfin_volume }}:/media
+      - config:/config
+      - cache:/cache
+      - {{ jellyfin_media }}:/media
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -19,14 +19,14 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: '0644'
+    mode: 0644
  notify: reload_nginx

 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: '0644'
+    mode: 0400
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites