add nas-storage playbook

plays/nas-storage.yml

@@ -0,0 +1,193 @@
+---
+- hosts: nas
+  gather_facts: true
+  become: true
+
+  roles:
+    - snapraid
+    - mergerfs
+    - linux-system-roles.firewall
+    - linux-system-roles.selinux
+    - vladgh.samba.server
+
+  vars_files:
+    - "{{ inventory_dir }}/vars/vault.yaml"
+
+  vars:
+    # allow playbook to auto reboot server when changes are made to mountpoints
+    SKIP_REBOOT: False
+
+    samba_guest_account: "{{ vaulted_media_user }}"
+    samba_map_to_guest: bad user
+    samba_netbios_name: "{{ ansible_hostname }}"
+    samba_load_printers: false
+    samba_mitigate_cve_2017_7494: false # enabling this breaks share browsing plus this is already mitigated by SELinux
+    samba_shares_root: /mergerfs
+
+    samba_users:
+      - name: "{{ vaulted_media_user }}"
+        password: "{{ vaulted_media_password }}"
+
+    samba_shares:
+      - name: Data
+        path: /mergerfs/public
+        force_create_mode: '0664'
+        force_directory_mode: '0775'
+        guest_ok: "yes"
+        writable: "yes"
+        public: "yes"
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - name: private
+        path: /mergerfs/private
+        force_create_mode: '0664'
+        force_directory_mode: '0775'
+        valid_users: "{{ vaulted_media_user }}"
+        write_list: "{{ vaulted_media_user }}"
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+
+    snapraid_parity_disks:
+      - path: /mnt/parity1
+        parity: parity
+        disk: /dev/mapper/luks-parity1
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJB4A4G
+        opts: _netdev
+
+      - path: /mnt/parity2
+        parity: 2-parity
+        disk: /dev/mapper/luks-parity2
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJB0KBG
+        opts: _netdev
+
+    snapraid_data_disks:
+      - path: /mnt/disk1
+        disk: /dev/mapper/luks-disk1
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFBX-68B0AN0_VCJW0TDP
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/disk2
+        disk: /dev/mapper/luks-disk2
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YNSN
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/disk3
+        disk: /dev/mapper/luks-disk3
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6VGPN
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/disk4
+        disk: /dev/mapper/luks-disk4
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD60EFAX-68SHWN0_WD-WX31D298F8X9
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/disk5
+        disk: /dev/mapper/luks-disk5
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG7HUBN
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+      - path: /mnt/disk6
+        disk: /dev/mapper/luks-disk6
+        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YXAN
+        opts: _netdev
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+
+    mergerfs_disks: "{{ snapraid_data_disks }}"
+
+    mergerfs_fstab:
+      - path: /mergerfs
+        owner: "{{ vaulted_media_user }}"
+        group: "{{ vaulted_media_group }}"
+        source: /mnt/disk*
+        opts:
+          - allow_other
+          - minfreespace=10G
+          - category.create=mfs
+          - use_ino
+          - func.getattr=newest
+          - fsname=mergerfs
+          - _netdev
+          - nonempty
+
+    selinux_booleans:
+      - name: samba_share_fusefs
+        state: on
+        persistent: yes
+
+    firewall:
+      - service: samba
+        state: enabled
+      - service: netbios-ns
+        state: enabled
+
+    server_notifications_topic: "{{ vaulted_server_notifications_topic }}"
+
+  pre_tasks:
+    - name: Create Media Group
+      group:
+        name: "{{ vaulted_media_group }}"
+        gid: "{{ vaulted_media_gid }}"
+
+    - name: Create Media User
+      user:
+        name: "{{ vaulted_media_user }}"
+        uid: "{{ vaulted_media_uid }}"
+        groups: "{{ vaulted_media_group }}"
+        append: yes
+        shell: /bin/bash
+
+    - name: Ensure disks are configured in /etc/crypttab
+      lineinfile:
+        path: /etc/crypttab
+        regexp: '^{{ item.disk | split("/") | last }}'
+        line: '{{ item.disk | split("/") | last }} {{ item.crypted_disk }} none {{ item.opts }}'
+      with_items:
+        - "{{ snapraid_parity_disks }}"
+        - "{{ snapraid_data_disks }}"
+      notify:
+        - Reboot
+
+    - name: Ensure disks are configured in /etc/fstab
+      mount:
+        path: "{{ item.path }}"
+        src: "{{ item.disk }}"
+        fstype: xfs
+        opts: "{{ item.opts }}"
+        state: present
+      with_items:
+        - "{{ snapraid_parity_disks }}"
+        - "{{ snapraid_data_disks }}"
+      notify:
+        - Reboot
+
+    - name: Ensure mountpoints exist
+      file:
+        path: "{{ item.path }}"
+        state: directory
+      with_items:
+        - "{{ snapraid_parity_disks }}"
+        - "{{ snapraid_data_disks }}"
+      notify:
+        - Reboot
+
+    - meta: flush_handlers
+      
+  handlers:
+    - name: Reboot
+      reboot:
+        post_reboot_delay: 120 # wait 2 minutes for disks to fully decrypt and mount themselves
+      when:
+        - SKIP_REBOOT == False