Diffstat (limited to 'clarkzjw.cc/config/atlas/ansible/roles')
6 files changed, 211 insertions, 0 deletions
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml | |||
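--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,66 @@
+- name: Disable unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: stopped
+    enabled: false
+
+- name: Install packages
+  apt:
+    name:
+      - apt-transport-https
+      - build-essential
+      - ca-certificates
+      - cifs-utils
+      - vnstat
+      - postfix
+      - lsb-release
+      - python3
+      - python3-dev
+      - python3-pip
+      - unzip
+      - gnupg
+      - rsync
+      - sudo
+      - htop
+      - curl
+      - tree
+      - zip
+      - vim
+      - zsh
+      - git
+    update_cache: true
+
+- name: Enable bullseye-backport
+  apt_repository:
+    repo: deb https://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main contrib non-free
+    state: present
+
+# Check https://wiki.debian.org/ZFS for additional information
+- name: Install ZFS
+  apt:
+    name:
+      - linux-headers-amd64
+      - linux-headers-{{ ansible_kernel }}
+      - zfsutils-linux
+      - zfs-dkms
+    update_cache: true
+    fail_on_autoremove: yes
+    default_release: "{{ ansible_distribution_release | lower }}-backports"
+
+- name: Load zfs kernel module
+  modprobe:
+    name: zfs
+    state: present
+
+- name: Clean unneeded packages
+  apt:
+    autoremove: true
+    purge: true
+
+- name: Remove useless packages from the cache
+  apt:
+    autoclean: yes
+
+- name: Run the equivalent of "apt-get clean" as a separate step
+  apt:
+    clean: yes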
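Review bot: The first task stops and disables unattended-upgrades and nothing later in the role brings automatic security patching back, so a host that goes on to expose SSH and Samba only gets fixes when someone re-runs the play or apt by hand. If the motivation is the zfs-dkms rebuild on kernel updates, a narrower option is to keep the unit enabled and exclude the kernel packages via `Unattended-Upgrade::Package-Blacklist` in /etc/apt/apt.conf.d/50unattended-upgrades (presumably the reason; confirm); otherwise record the trade-off on the task, e.g. `# NOTE: automatic security updates are off on purpose; patch this host on a schedule`. The task name 'Enable bullseye-backport' hard-codes the release while the repo line derives it from ansible_distribution_release; 'Enable backports' keeps the two consistent.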
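--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
@@ -0,0 +1,56 @@
+- name: Make sure we have a 'wheel' group
+  group:
+    name: wheel
+    state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    validate: visudo -cf %s
+
+- name: Add sudoers users to wheel group
+  user:
+    name: clarkzjw
+    groups: wheel
+    append: yes
+
+- name: Set authorized keys taken from url
+  authorized_key:
+    user: clarkzjw
+    state: present
+    key: https://github.com/clarkzjw.keys
+
+- name: Add Tailscale GPG apt Key
+  apt_key:
+    url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
+    keyring: /usr/share/keyrings/tailscale-archive-keyring.gpg
+    state: present
+
+- name: Add Tailscale Repository
+  get_url:
+    url: https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list
+    dest: /etc/apt/sources.list.d/tailscale.list
+
+- name: Install Tailscale
+  apt:
+    name:
+      - tailscale
+    update_cache: true
+
+- name: Disable Root Login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin yes'
+    line: "PermitRootLogin no"
+    state: present
+    backup: yes
+
+- name: Restart SSHD
+  systemd:
+    name: ssh
+    enabled: true
+    state: restarted
+    daemon_reload: true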
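Review bot: The 'Disable Root Login' task only matches a line that already reads `PermitRootLogin yes`; on a stock Debian sshd_config the directive is commented out, so the regexp misses and lineinfile appends `PermitRootLogin no` at end of file, where it would land inside any trailing `Match` block and apply only to that block. Use `regexp: '^#?PermitRootLogin'` so the existing directive is replaced in place, and add `validate: '/usr/sbin/sshd -t -f %s'` so a bad edit cannot take the daemon down on the restart that follows. Password authentication is left at its default while the wheel rule is `NOPASSWD: ALL`, so a guessed SSH password for clarkzjw is root; a second lineinfile setting `PasswordAuthentication no` closes that, given that keys are installed just above. The authorized_key task fetches keys from github.com at run time, so whoever can change that GitHub account's keys can log in here; pinning the key material in the role (or a vault variable) removes the runtime dependency.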
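--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
@@ -0,0 +1,3 @@
+samba_users:
+  - username: clarkzjw
+    password: "{{ lookup('env', 'SAMBA_PASSWORD') }}"
\ No newline at end of file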
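Review bot: `lookup('env', 'SAMBA_PASSWORD')` yields an empty string when the variable is unset on the controller, so a run without it would hand an empty password to the Samba user tasks instead of failing. Guard it with an `assert` that `samba_users | selectattr('password', 'eq', '') | list | length == 0` before the role's tasks run, or use `lookup('env', 'SAMBA_PASSWORD', default=undef())` (the `default` option was added in ansible-core 2.13; verify against your version) so the play stops on an undefined variable. Longer term an Ansible Vault variable keeps the secret with the inventory rather than in the caller's shell environment.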
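--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
@@ -0,0 +1,53 @@
+- name: Install Samba
+  apt:
+    name:
+      - samba
+      - smbclient
+      - cifs-utils
+    update_cache: true
+
+- name: Disable Samba NetBIOS server nmbd
+  systemd:
+    name: nmbd
+    state: stopped
+    enabled: false
+
+- name: render samba config file
+  template:
+    src: smb.conf.j2
+    dest: "/etc/samba/smb.conf"
+    mode: 0644
+
+# https://stackoverflow.com/questions/44762488/non-interactive-samba-user-creation-via-ansible
+- name: shell - create samba users
+  shell: >
+    set -e -o pipefail
+    && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd -s -a {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_create_users
+  changed_when: "'Added user' in samba_create_users.stdout"
+  loop: "{{ samba_users }}"
+  no_log: true
+
+- name: shell - set samba passwords correctly
+  shell: >
+    set -e -o pipefail
+    && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_verify_users
+  changed_when: "'New SMB password' in samba_verify_users.stdout"
+  loop: "{{ samba_users }}"
+  no_log: true
+
+- name: Restart SMB service
+  systemd:
+    name: smbd
+    state: restarted
+    enabled: true
+    daemon_reload: true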
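Review bot: Both shell tasks splice the password into the command text: `smbclient -U user%password` puts it on an argv that any local user can read from `ps`/`/proc/*/cmdline` while the check runs, and `echo '{{ item.password }}'` breaks (or is reinterpreted by bash) as soon as the password contains a single quote, with `no_log` hiding the reason. Passing username and password through `environment:` and referencing them as quoted shell variables keeps them out of argv and out of the quoting problem; smbclient also reads `PASSWD` from the environment, so `-U "$SMB_USER"` alone suffices for the login check. Two things to confirm on the second task: `smbpasswd` without `-s` prompts via the tty rather than stdin, so under Ansible the piped lines may never be read (use `-s` as the first task does, and re-check what the command prints on success before keeping the `changed_when` string match); and if the rendered smb.conf binds smbd only to named interfaces, `-L 127.0.0.1` would fail every run and reset the password each time.

```yaml
- name: shell - create samba users
  shell: >
    set -e -o pipefail
    && (pdbedit --user="$SMB_USER" 2>&1 > /dev/null)
    || (printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS")
    | smbpasswd -s -a "$SMB_USER"
  args:
    executable: /bin/bash
  environment:
    SMB_USER: "{{ item.username }}"
    SMB_PASS: "{{ item.password }}"
  # … unchanged: register / changed_when / loop / no_log …

- name: shell - set samba passwords correctly
  shell: >
    set -e -o pipefail
    && (smbclient -U "$SMB_USER" -L 127.0.0.1 2>&1 > /dev/null)
    || (printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS")
    | smbpasswd -s "$SMB_USER"
  args:
    executable: /bin/bash
  environment:
    SMB_USER: "{{ item.username }}"
    SMB_PASS: "{{ item.password }}"
    PASSWD: "{{ item.password }}"
  # … unchanged: register / changed_when (re-check the match string with -s) / loop / no_log …
```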
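--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2
@@ -0,0 +1,33 @@
+[global]
+workgroup = WORKGROUP
+interfaces = 192.168.1.0/24 tailscale0
+bind interfaces only = yes
+log file = /var/log/samba/log.%m
+max log size = 1000
+logging = file
+panic action = /usr/share/samba/panic-action %d
+server role = standalone server
+obey pam restrictions = yes
+unix password sync = yes
+passwd program = /usr/bin/passwd %u
+passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+pam password change = yes
+map to guest = bad user
+
+[homes]
+comment = Home Directories
+browseable = no
+read only = yes
+create mask = 0700
+directory mask = 0700
+valid users = %S
+
+[pool1]
+comment = NAS Share
+path = /pool1/clarkzjw
+writable = yes
+guest ok = no
+valid users = @clarkzjw
+force create mode = 770
+force directory mode = 770
+inherit permissions = yes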
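Review bot: `map to guest = bad user` in [global] turns any login with an unknown username into a guest session even though neither share admits guests (`guest ok = no`, `valid users` set on both), so all it buys an attacker on the LAN interface is an anonymous session for share enumeration; `map to guest = never` matches the shares' intent. Nothing here pins the protocol floor: if the installed Samba predates 4.13, whose default raised the minimum to SMB2_02, add `server min protocol = SMB2` explicitly so SMB1 cannot be negotiated (verify the version on the target). `unix password sync = yes` with `passwd program = /usr/bin/passwd %u` means every Samba password change also rewrites the account's Unix password via the passwd chat; since the role presumably drives smbpasswd non-interactively, a one-line comment on that setting saying so would save the next reader a surprise.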