Update mediaserver playbook and fix Wireguard task

Adding samba and general user management
Refactor docker playbook
2023-06-08 03:47:54 -04:00 · 2023-06-07 02:12:17 -04:00 · 2023-05-08 16:26:16 -04:00
12 changed files with 88 additions and 31 deletions
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@@ -4,6 +4,24 @@ base_domain: vm.krislamo.org
 allow_reboot: false
 manage_network: false

+users:
+  - name: jellyfin
+
+samba:
+  users:
+    - name: jellyfin
+      password: jellyfin
+  shares:
+    - name: jellyfin
+      path: /srv/jellyfin
+      owner: jellyfin
+      group: jellyfin
+      valid_users: jellyfin
+  firewall:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+
 # proxy
 proxy:
  #production: true
@@ -35,3 +53,4 @@ traefik_http_only: true # if behind reverse-proxy
 # jellyfin
 jellyfin_domain: "jellyfin.{{ base_domain }}"
 jellyfin_version: latest
+jellyfin_media: /srv/jellyfin
--- a/docker.yml
+++ b/docker.yml
@@ -1,21 +1,7 @@
-# Copyright (C) 2020  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
 - name: Install Docker Server
-  hosts: dockerhosts
+  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
  become: true
  roles:
    - base
-    - docker
    - jenkins
+    - docker
--- a/mediaserver.yml
+++ b/mediaserver.yml
@@ -1,8 +1,9 @@
 - name: Install Media Server
-  hosts: mediaservers
+  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
  become: true
  roles:
    - base
+    - jenkins
    - proxy
    - docker
    - traefik
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -22,3 +22,9 @@
    name: ddclient
    state: restarted
  listen: restart_ddclient
+
+- name: Restart Samba
+  ansible.builtin.service:
+    name: smbd
+    state: restarted
+  listen: restart_samba
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -29,3 +29,8 @@
  ansible.builtin.import_tasks: wireguard.yml
  tags: wireguard
  when: wireguard is defined
+
+- name: Import Samba tasks
+  ansible.builtin.import_tasks: samba.yml
+  tags: samba
+  when: samba is defined
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@@ -3,8 +3,18 @@
    name: samba
    state: present

+- name: Create nologin shell accounts for Samba
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: /usr/sbin/nologin
+    createhome: false
+    system: yes
+  loop: "{{ samba.users }}"
+  when: item.manage_user is defined and item.manage_user is true
+
 - name: Create Samba users
-  ansible.builtin.command: "smbpasswd -a -s {{ item.name }}"
+  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
  args:
    stdin: "{{ item.password }}\n{{ item.password }}"
  loop: "{{ samba.users }}"
@@ -14,6 +24,8 @@
 - name: Ensure share directories exist
  ansible.builtin.file:
    path: "{{ item.path }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
    state: directory
    mode: 0755
  loop: "{{ samba.shares }}"
@@ -22,4 +34,19 @@
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
-  notify: samba_restart
+  notify: restart_samba
+
+- name: Start smbd and enable on boot
+  ansible.builtin.service:
+    name: smbd
+    state: started
+    enabled: true
+
+- name: Allow SMB connections
+  community.general.ufw:
+    rule: allow
+    port: 445
+    proto: tcp
+    from: "{{ item }}"
+    state: enabled
+  loop: "{{ samba.firewall }}"
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -11,6 +11,23 @@
    mode: 0400
  when: authorized_keys is defined

+- name: Create system users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    state: present
+    shell: "{{ item.shell | default('/bin/bash') }}"
+    create_home: "{{ item.home | default(false) }}"
+  loop: "{{ users }}"
+  when: users is defined
+
+- name: Set authorized_keys for system users
+  ansible.posix.authorized_key:
+    user: "{{ item.key }}"
+    key: "{{ item.value.key }}"
+    state: present
+  loop: "{{ users }}"
+  when: users is defined and item.value.key is defined
+
 - name: Manage filesystem mounts
  ansible.posix.mount:
    path: "{{ item.path }}"
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -11,6 +11,7 @@
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey
+    executable: /usr/bin/bash

 - name: Grab WireGuard private key for configuration
  ansible.builtin.slurp:
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -1,5 +1,4 @@
 jellyfin_name: jellyfin
-jellyfin_volume: "{{ jellyfin_name }}"
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
 jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -4,11 +4,6 @@
    state: directory
    mode: 0500

- name: Create jellyfin user
-  ansible.builtin.user:
-    name: jellyfin
-    state: present
-
 - name: Get user jellyfin uid
  ansible.builtin.getent:
    database: passwd
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -1,7 +1,8 @@
 version: '3.7'

 volumes:
-  {{ jellyfin_volume }}:
+  config:
+  cache:

 networks:
  traefik:
@@ -24,6 +25,6 @@ services:
      - "traefik.docker.network=traefik"
      - "traefik.enable=true"
    volumes:
-      - ./config:/config
-      - ./cache:/cache
-      - {{ jellyfin_volume }}:/media
+      - config:/config
+      - cache:/cache
+      - {{ jellyfin_media }}:/media
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -19,14 +19,14 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: '0644'
+    mode: 0644
  notify: reload_nginx

 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: '0644'
+    mode: 0400
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites
Author	SHA1	Message	Date
Kris Lamoureux	74a559f1f6	Update mediaserver playbook and fix Wireguard task	2023-06-08 03:47:54 -04:00
Kris Lamoureux	4c2a1550c4	Adding samba and general user management	2023-06-07 02:12:17 -04:00
Kris Lamoureux	f02cf7b0cc	Refactor docker playbook - Removed copyright notice - Variablize 'hosts' value in the playbook - Install Jenkins agent before running Docker role	2023-05-08 16:26:16 -04:00