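---
# Storage and file-sharing play for the NAS host: LUKS-backed data/parity disks
# registered in crypttab/fstab, pooled with snapraid + mergerfs, and exported
# over Samba through firewalld with SELinux booleans adjusted for FUSE shares.
- hosts: nas
  gather_facts: true
  become: true

  roles:
    - snapraid
    - mergerfs
    - linux-system-roles.firewall
    - linux-system-roles.selinux
    - vladgh.samba.server

  vars_files:
    # all credentials and ids (vaulted_*) come from the inventory vault, never from this file
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    # don't allow playbook to auto reboot server when changes are made to mountpoints
    # (the Reboot handler is still notified; this flag only gates whether it runs)
    ALLOW_REBOOT_ON_STORAGE_CHANGE: false

    # anonymous (guest) sessions are mapped onto the media account, so guest writes on
    # guest-enabled shares are performed with that user's filesystem identity
    samba_guest_account: "{{ vaulted_media_user }}"
    samba_map_to_guest: bad user
    samba_netbios_name: "{{ ansible_hostname }}"
    samba_load_printers: false
    # enabling this breaks share browsing plus this is already mitigated by SELinux
    # NOTE(review): that mitigation only holds while SELinux is enforcing on the host;
    # selinux_state is not set in this play, so confirm the effective mode
    samba_mitigate_cve_2017_7494: false
    samba_shares_root: /mergerfs

    samba_users:
      - name: "{{ vaulted_media_user }}"
        password: "{{ vaulted_media_password }}"

    # "yes" values are quoted on purpose so they stay strings rather than YAML booleans
    samba_shares:
      # guest-readable AND guest-writable share; keep its exposure limited to the LAN
      - name: Data
        path: /mergerfs/public
        force_create_mode: '0664'
        force_directory_mode: '0775'
        guest_ok: "yes"
        writable: "yes"
        public: "yes"
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      # authenticated-only share restricted to the media user
      - name: private
        path: /mergerfs/private
        force_create_mode: '0664'
        force_directory_mode: '0775'
        valid_users: "{{ vaulted_media_user }}"
        write_list: "{{ vaulted_media_user }}"
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

    # each disk entry: path = mountpoint, disk = unlocked LUKS mapper device,
    # crypted_disk = stable by-id path of the raw drive, opts = mount/crypttab options
    snapraid_parity_disks:
      - path: /mnt/parity1
        parity: parity
        disk: /dev/mapper/luks-parity1
        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJB0KBG
        opts: _netdev

      - path: /mnt/parity2
        parity: 2-parity
        disk: /dev/mapper/luks-parity2
        crypted_disk: /dev/disk/by-id/ata-WDC_WD161KFGX-68AFPN0_3HH7TZHN
        opts: _netdev

    snapraid_data_disks:
      - path: /mnt/disk1
        disk: /dev/mapper/luks-disk1
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFBX-68B0AN0_VCJW0TDP
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/disk2
        disk: /dev/mapper/luks-disk2
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YNSN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/disk3
        disk: /dev/mapper/luks-disk3
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6VGPN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/disk4
        disk: /dev/mapper/luks-disk4
        crypted_disk: /dev/disk/by-id/ata-WDC_WD140EFGX-68B0GN0_9LJ4N5JG
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/disk5
        disk: /dev/mapper/luks-disk5
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG7HUBN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

      - path: /mnt/disk6
        disk: /dev/mapper/luks-disk6
        crypted_disk: /dev/disk/by-id/ata-WDC_WD101EFAX-68LDBN0_VCG6YXAN
        opts: _netdev
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"

    # the mergerfs pool is built from exactly the snapraid data disks (parity stays out)
    mergerfs_disks: "{{ snapraid_data_disks }}"

    mergerfs_fstab:
      - path: /mergerfs
        owner: "{{ vaulted_media_user }}"
        group: "{{ vaulted_media_group }}"
        source: /mnt/disk*
        opts:
          - allow_other
          - minfreespace=10G
          - category.create=mfs
          - use_ino
          - func.getattr=newest
          - fsname=mergerfs
          - _netdev
          - nonempty

    # lets smbd serve files from the FUSE-backed mergerfs mount under SELinux
    selinux_booleans:
      - name: samba_share_fusefs
        state: true
        persistent: true

    # NOTE(review): no zone or source is given, so these services open in firewalld's
    # default zone; scope them to the LAN zone if the host has more than one interface
    firewall:
      - service: samba
        state: enabled
      - service: netbios-ns
        state: enabled

    server_notifications_topic: "{{ vaulted_server_notifications_topic }}"

  pre_tasks:
    - name: Create Media Group
      ansible.builtin.group:
        name: "{{ vaulted_media_group }}"
        gid: "{{ vaulted_media_gid }}"

    # NOTE(review): this account only needs to own share data; check whether an
    # interactive login shell is actually required for it
    - name: Create Media User
      ansible.builtin.user:
        name: "{{ vaulted_media_user }}"
        uid: "{{ vaulted_media_uid }}"
        groups: "{{ vaulted_media_group }}"
        append: true
        shell: /bin/bash

    # one crypttab line per LUKS volume, keyed on the mapper name; the trailing \s
    # keeps e.g. luks-disk1 from also matching a future luks-disk10 entry.
    # The key field is `none`; how the volumes unlock unattended is not visible here.
    - name: Ensure disks are configured in /etc/crypttab
      ansible.builtin.lineinfile:
        path: /etc/crypttab
        regexp: '^{{ item.disk | split("/") | last }}\s'
        line: '{{ item.disk | split("/") | last }} {{ item.crypted_disk }} none {{ item.opts }}'
      loop: "{{ snapraid_parity_disks + snapraid_data_disks }}"
      notify:
        - Reboot

    # state: present only writes the fstab entry; nothing is mounted until reboot
    - name: Ensure disks are configured in /etc/fstab
      ansible.posix.mount:
        path: "{{ item.path }}"
        src: "{{ item.disk }}"
        fstype: xfs
        opts: "{{ item.opts }}"
        state: present
      loop: "{{ snapraid_parity_disks + snapraid_data_disks }}"
      notify:
        - Reboot

    - name: Ensure mountpoints exist
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
      loop: "{{ snapraid_parity_disks + snapraid_data_disks }}"
      notify:
        - Reboot

    # run the Reboot handler now (if permitted) so the roles below see mounted disks
    - ansible.builtin.meta: flush_handlers

  handlers:
    - name: Reboot
      ansible.builtin.reboot:
        post_reboot_delay: 120  # wait 2 minutes for disks to fully decrypt and mount themselves
      when:
        # `| bool` so the guard also works when the flag arrives as a string via -e
        - ALLOW_REBOOT_ON_STORAGE_CHANGE | bool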