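---
# Play for the `nas` host: unlocks and mounts LUKS-backed data/parity disks,
# pools the data disks with mergerfs, protects them with SnapRAID and exports
# the pool over Samba. All account names, IDs and passwords come from the
# vaulted vars file; nothing secret is defined inline.
- hosts: nas
  gather_facts: true
  become: true

  roles:
    - snapraid
    - mergerfs
    - linux-system-roles.firewall
    - linux-system-roles.selinux
    - vladgh.samba.server

  vars_files:
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    # allow playbook to auto reboot server when changes are made to mountpoints
    SKIP_REBOOT: false

    # Unknown usernames are mapped to the guest account ("bad user"), and the
    # guest account is the same media user that owns the pool.
    # NOTE(review): guest writes therefore land under the identity that is
    # also the only valid user of the private share; consider a dedicated
    # low-privilege guest account if the two should be separable in audit
    # logs and on-disk ownership.
    samba_guest_account: "{{ vaulted_media_user }}"
    samba_map_to_guest: bad user
    samba_netbios_name: "{{ ansible_hostname }}"
    samba_load_printers: false
    # enabling this breaks share browsing plus this is already mitigated by SELinux
    # NOTE(review): SELinux confinement limits what a compromised smbd can do
    # but does not remove the flaw. With the role-level mitigation off, make
    # sure the installed Samba package carries the upstream fix for
    # CVE-2017-7494 and stays patched; this matters more here because the
    # Data share below accepts unauthenticated writes.
    samba_mitigate_cve_2017_7494: false
    samba_shares_root: /mergerfs
    samba_users:
      - name: "{{ vaulted_media_user }}"
        password: "{{ vaulted_media_password }}"
    samba_shares:
      # Guest-accessible, writable share.
      - name: Data
        path: /mergerfs/public
        force_create_mode: '0664'
        force_directory_mode: '0775'
        guest_ok: "yes"
        writable: "yes"
        public: "yes"
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      # Authenticated share: only the media user may connect and write.
      - name: private
        path: /mergerfs/private
        force_create_mode: '0664'
        force_directory_mode: '0775'
        valid_users: "{{ vaulted_media_user }}"
        write_list: "{{ vaulted_media_user }}"
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

    # Each disk entry: `crypted_disk` is the raw LUKS device (stable by-id
    # path), `disk` is the /dev/mapper name it is opened as, `path` is where
    # the decrypted filesystem is mounted.
    snapraid_parity_disks:
      - path: /mnt/parity1
        parity: parity
        disk: /dev/mapper/luks-parity1
        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJB0KBG
        opts: _netdev
      - path: /mnt/parity2
        parity: 2-parity
        disk: /dev/mapper/luks-parity2
        crypted_disk: /dev/disk/by-id/ata-WDC_WD161KFGX-68AFPN0_3HH7TZHN
        opts: _netdev

    snapraid_data_disks:
      - path: /mnt/disk1
        disk: /dev/mapper/luks-disk1
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFBX-68B0AN0_VCJW0TDP
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      - path: /mnt/disk2
        disk: /dev/mapper/luks-disk2
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YNSN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      - path: /mnt/disk3
        disk: /dev/mapper/luks-disk3
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6VGPN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      - path: /mnt/disk4
        disk: /dev/mapper/luks-disk4
        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJ4N5JG
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      - path: /mnt/disk5
        disk: /dev/mapper/luks-disk5
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG7HUBN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
      - path: /mnt/disk6
        disk: /dev/mapper/luks-disk6
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YXAN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

    # The mergerfs pool is built from exactly the SnapRAID data disks.
    mergerfs_disks: "{{ snapraid_data_disks }}"
    mergerfs_fstab:
      - path: /mergerfs
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
        source: '/mnt/disk*'
        opts:
          # allow_other exposes the FUSE mount to users other than the
          # mounting one (smbd needs this to serve it).
          - allow_other
          - minfreespace=10G
          - category.create=mfs
          - use_ino
          - func.getattr=newest
          - fsname=mergerfs
          - _netdev
          - nonempty

    # Lets the SELinux-confined smbd serve content from the FUSE (mergerfs)
    # mount; kept across reboots.
    selinux_booleans:
      - name: samba_share_fusefs
        state: true
        persistent: true

    # NOTE(review): no zone is given for these services here; confirm the
    # zone they end up in covers only the trusted LAN interface.
    firewall:
      - service: samba
        state: enabled
      - service: netbios-ns
        state: enabled

    server_notifications_topic: "{{ vaulted_server_notifications_topic }}"

  pre_tasks:
    - name: Create Media Group
      group:
        name: "{{ vaulted_media_group }}"
        gid: "{{ vaulted_media_gid }}"

    - name: Create Media User
      user:
        name: "{{ vaulted_media_user }}"
        uid: "{{ vaulted_media_uid }}"
        groups: "{{ vaulted_media_group }}"
        append: true
        shell: /bin/bash

    # The mapper name is the last path component of `disk`. The pattern is
    # regex-escaped and requires whitespace after the name so that e.g.
    # luks-disk1 cannot match (and overwrite) a luks-disk10 entry.
    # The key-file field is `none`.
    # NOTE(review): unlocking therefore depends on something outside this
    # play (prompt or an external unlocker) - confirm how that is provided.
    - name: Ensure disks are configured in /etc/crypttab
      lineinfile:
        path: /etc/crypttab
        regexp: '^{{ item.disk | split("/") | last | regex_escape }}\s'
        line: '{{ item.disk | split("/") | last }} {{ item.crypted_disk }} none {{ item.opts }}'
      with_items:
        - "{{ snapraid_parity_disks }}"
        - "{{ snapraid_data_disks }}"
      notify:
        - Reboot

    # state: present only writes the fstab entry; the filesystem is mounted
    # on the next boot, after the LUKS device has been opened.
    - name: Ensure disks are configured in /etc/fstab
      mount:
        path: "{{ item.path }}"
        src: "{{ item.disk }}"
        fstype: xfs
        opts: "{{ item.opts }}"
        state: present
      with_items:
        - "{{ snapraid_parity_disks }}"
        - "{{ snapraid_data_disks }}"
      notify:
        - Reboot

    - name: Ensure mountpoints exist
      file:
        path: "{{ item.path }}"
        state: directory
      with_items:
        - "{{ snapraid_parity_disks }}"
        - "{{ snapraid_data_disks }}"
      notify:
        - Reboot

    # Run the Reboot handler now, before the roles start.
    - meta: flush_handlers

  handlers:
    - name: Reboot
      reboot:
        post_reboot_delay: 120  # wait 2 minutes for disks to fully decrypt and mount themselves
      # `| bool` makes a string override such as `-e SKIP_REBOOT=false`
      # behave as a boolean; comparing it with `== False` would skip the
      # reboot for any string value.
      when: not (SKIP_REBOOT | bool)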