Diffstat (limited to 'clarkzjw.ca/config/atlas/ansible/roles')
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/debian_init/defaults/main.yaml0
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/debian_init/tasks/main.yaml66
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/init/tasks/main.yaml56
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/samba/defaults/main.yaml3
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/samba/tasks/main.yaml53
-rw-r--r--clarkzjw.ca/config/atlas/ansible/roles/samba/templates/smb.conf.j233
6 files changed, 211 insertions, 0 deletions
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/debian_init/defaults/main.yaml b/clarkzjw.ca/config/atlas/ansible/roles/debian_init/defaults/main.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/debian_init/defaults/main.yaml
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/debian_init/tasks/main.yaml b/clarkzjw.ca/config/atlas/ansible/roles/debian_init/tasks/main.yaml
new file mode 100644
index 0000000..e53d3eb
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,66 @@
1- name: Disable unattended-upgrades
2 systemd:
3 name: unattended-upgrades
4 state: stopped
5 enabled: false
6
7- name: Install packages
8 apt:
9 name:
10 - apt-transport-https
11 - build-essential
12 - ca-certificates
13 - cifs-utils
14 - vnstat
15 - postfix
16 - lsb-release
17 - python3
18 - python3-dev
19 - python3-pip
20 - unzip
21 - gnupg
22 - rsync
23 - sudo
24 - htop
25 - curl
26 - tree
27 - zip
28 - vim
29 - zsh
30 - git
31 update_cache: true
32
33- name: Enable bullseye-backport
34 apt_repository:
35 repo: deb https://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main contrib non-free
36 state: present
37
38# Check https://wiki.debian.org/ZFS for additional information
39- name: Install ZFS
40 apt:
41 name:
42 - linux-headers-amd64
43 - linux-headers-{{ ansible_kernel }}
44 - zfsutils-linux
45 - zfs-dkms
46 update_cache: true
47 fail_on_autoremove: yes
48 default_release: "{{ ansible_distribution_release | lower }}-backports"
49
50- name: Load zfs kernel module
51 modprobe:
52 name: zfs
53 state: present
54
55- name: Clean unneeded packages
56 apt:
57 autoremove: true
58 purge: true
59
60- name: Remove useless packages from the cache
61 apt:
62 autoclean: yes
63
64- name: Run the equivalent of "apt-get clean" as a separate step
65 apt:
66 clean: yes
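Review bot: The first task stops and disables unattended-upgrades and nothing else in the role takes its place, so from this point the host receives no automatic security updates. If that is deliberate (patching driven from elsewhere), record it above the task, e.g. `# unattended-upgrades is disabled on purpose; patching is run from <PLAYBOOK-OR-JOB placeholder> instead`; otherwise the unit should stay enabled. Separately, `fail_on_autoremove: yes`, `autoclean: yes` and `clean: yes` are the YAML 1.1 truthy spellings while the rest of the file uses `true`/`false`; write them as `true` for consistency with the `enabled: false` and `update_cache: true` lines.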
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/init/tasks/main.yaml b/clarkzjw.ca/config/atlas/ansible/roles/init/tasks/main.yaml
new file mode 100644
index 0000000..29cf529
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/init/tasks/main.yaml
@@ -0,0 +1,56 @@
1- name: Make sure we have a 'wheel' group
2 group:
3 name: wheel
4 state: present
5
6- name: Allow 'wheel' group to have passwordless sudo
7 lineinfile:
8 dest: /etc/sudoers
9 state: present
10 regexp: '^%wheel'
11 line: '%wheel ALL=(ALL) NOPASSWD: ALL'
12 validate: visudo -cf %s
13
14- name: Add sudoers users to wheel group
15 user:
16 name: clarkzjw
17 groups: wheel
18 append: yes
19
20- name: Set authorized keys taken from url
21 authorized_key:
22 user: clarkzjw
23 state: present
24 key: https://github.com/clarkzjw.keys
25
26- name: Add Tailscale GPG apt Key
27 apt_key:
28 url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
29 keyring: /usr/share/keyrings/tailscale-archive-keyring.gpg
30 state: present
31
32- name: Add Tailscale Repository
33 get_url:
34 url: https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list
35 dest: /etc/apt/sources.list.d/tailscale.list
36
37- name: Install Tailscale
38 apt:
39 name:
40 - tailscale
41 update_cache: true
42
43- name: Disable Root Login
44 lineinfile:
45 dest: /etc/ssh/sshd_config
46 regexp: '^PermitRootLogin yes'
47 line: "PermitRootLogin no"
48 state: present
49 backup: yes
50
51- name: Restart SSHD
52 systemd:
53 name: ssh
54 enabled: true
55 state: restarted
56 daemon_reload: true
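Review bot: The `regexp: '^PermitRootLogin yes'` in the Disable Root Login task only matches a line that already reads `yes`; on a stock Debian sshd_config the directive is present as the commented `#PermitRootLogin prohibit-password`, so lineinfile appends a second directive at the end of the file, and if an uncommented `PermitRootLogin prohibit-password` (or any value other than `yes`) is present, sshd takes the first occurrence and the appended `no` is ignored. Matching the directive whatever its current value, `regexp: '^#?PermitRootLogin'`, together with `validate: /usr/sbin/sshd -t -f %s` so a malformed edit cannot lock you out, makes the task both correct and idempotent. The following Restart SSHD task then restarts the daemon on every run; turning it into a handler and adding `notify: Restart SSHD` to the lineinfile task limits the restart to actual changes. Note also that the Tailscale tasks hard-code `bullseye` in both URLs while the debian_init role derives the release from `ansible_distribution_release`.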
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/samba/defaults/main.yaml b/clarkzjw.ca/config/atlas/ansible/roles/samba/defaults/main.yaml
new file mode 100644
index 0000000..88c23b1
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/samba/defaults/main.yaml
@@ -0,0 +1,3 @@
1samba_users:
2- username: clarkzjw
3 password: "{{ lookup('env', 'SAMBA_PASSWORD') }}" \ No newline at end of file
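Review bot: `lookup('env', 'SAMBA_PASSWORD')` returns an empty string when the variable is unset, so the samba role would silently go on to create the user with an empty password; `password: "{{ lookup('env', 'SAMBA_PASSWORD') | mandatory }}"` fails the play early instead. Keeping the value in an ansible-vault encrypted vars file would remove the dependency on the controller's environment altogether. The file also lacks a trailing newline.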
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/samba/tasks/main.yaml b/clarkzjw.ca/config/atlas/ansible/roles/samba/tasks/main.yaml
new file mode 100644
index 0000000..80950dc
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/samba/tasks/main.yaml
@@ -0,0 +1,53 @@
1- name: Install Samba
2 apt:
3 name:
4 - samba
5 - smbclient
6 - cifs-utils
7 update_cache: true
8
9- name: Disable Samba NetBIOS server nmbd
10 systemd:
11 name: nmbd
12 state: stopped
13 enabled: false
14
15- name: render samba config file
16 template:
17 src: smb.conf.j2
18 dest: "/etc/samba/smb.conf"
19 mode: 0644
20
21# https://stackoverflow.com/questions/44762488/non-interactive-samba-user-creation-via-ansible
22- name: shell - create samba users
23 shell: >
24 set -e -o pipefail
25 && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
26 || (echo '{{ item.password }}'; echo '{{ item.password }}')
27 | smbpasswd -s -a {{ item.username }}
28 args:
29 executable: /bin/bash
30 register: samba_create_users
31 changed_when: "'Added user' in samba_create_users.stdout"
32 loop: "{{ samba_users }}"
33 no_log: true
34
35- name: shell - set samba passwords correctly
36 shell: >
37 set -e -o pipefail
38 && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
39 || (echo '{{ item.password }}'; echo '{{ item.password }}')
40 | smbpasswd {{ item.username }}
41 args:
42 executable: /bin/bash
43 register: samba_verify_users
44 changed_when: "'New SMB password' in samba_verify_users.stdout"
45 loop: "{{ samba_users }}"
46 no_log: true
47
48- name: Restart SMB service
49 systemd:
50 name: smbd
51 state: restarted
52 enabled: true
53 daemon_reload: true
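Review bot: Both shell tasks interpolate `item.password` into the command line unescaped (`echo '{{ item.password }}'`), so a password containing a single quote breaks the command and the `||`/pipe logic around it; pass every interpolated value through the `quote` filter, i.e. `echo {{ item.password | quote }}` and `smbpasswd -s -a {{ item.username | quote }}` (and likewise on the second task). `no_log: true` keeps the secret out of Ansible's output, but `smbclient -U {{ item.username }}%{{ item.password }}` still shows it in the managed host's process list for the duration of the call; smbclient reads the password from the `PASSWD` environment variable, so supplying it through the task's `environment:` keyword avoids that. `mode: 0644` on the template task works because of the leading zero, but writing it as the string `"0644"` keeps the octal intent safe from YAML reformatting. As in the init role, the unconditional Restart SMB service task would be better as a handler notified by the template task.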
diff --git a/clarkzjw.ca/config/atlas/ansible/roles/samba/templates/smb.conf.j2 b/clarkzjw.ca/config/atlas/ansible/roles/samba/templates/smb.conf.j2
new file mode 100644
index 0000000..06e2567
--- /dev/null
+++ b/clarkzjw.ca/config/atlas/ansible/roles/samba/templates/smb.conf.j2
@@ -0,0 +1,33 @@
1[global]
2 workgroup = WORKGROUP
3 interfaces = 192.168.1.0/24 tailscale0
4 bind interfaces only = yes
5 log file = /var/log/samba/log.%m
6 max log size = 1000
7 logging = file
8 panic action = /usr/share/samba/panic-action %d
9 server role = standalone server
10 obey pam restrictions = yes
11 unix password sync = yes
12 passwd program = /usr/bin/passwd %u
13 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
14 pam password change = yes
15 map to guest = bad user
16
17[homes]
18 comment = Home Directories
19 browseable = no
20 read only = yes
21 create mask = 0700
22 directory mask = 0700
23 valid users = %S
24
25[pool1]
26 comment = NAS Share
27 path = /pool1/clarkzjw
28 writable = yes
29 guest ok = no
30 valid users = @clarkzjw
31 force create mode = 770
32 force directory mode = 770
33 inherit permissions = yes
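Review bot: `[global]` sets no minimum protocol or encryption policy while the service is bound to the whole `192.168.1.0/24` LAN in addition to `tailscale0`, so whatever the installed Samba version defaults to (presumably SMB2 minimum with encryption optional — confirm against the version bullseye-backports installs) governs sessions on the LAN side. If every client supports it, add `server min protocol = SMB3_00` and `smb encrypt = required` under `[global]`, otherwise at least `server min protocol = SMB2_02` with a comment naming the client that prevents going further. The template also hard-codes `clarkzjw` in `path = /pool1/clarkzjw` and `valid users = @clarkzjw` even though the role already defines the same user in `samba_users`; rendering those from the variable keeps the two from drifting apart.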