From a077d65e5f7f415cc17abeee2264e24957ef97cd Mon Sep 17 00:00:00 2001
From: clarkzjw <i@jinwei.me>
Date: Fri, 13 Jan 2023 16:53:03 -0800
Subject: change domain to clarkzjw.cc

---
 .../ansible/roles/debian_init/defaults/main.yaml   |  0
 .../ansible/roles/debian_init/tasks/main.yaml      | 66 ++++++++++++++++++++++
 .../atlas/ansible/roles/init/tasks/main.yaml       | 56 ++++++++++++++++++
 .../atlas/ansible/roles/samba/defaults/main.yaml   |  3 +
 .../atlas/ansible/roles/samba/tasks/main.yaml      | 53 +++++++++++++++++
 .../ansible/roles/samba/templates/smb.conf.j2      | 33 +++++++++++
 6 files changed, 211 insertions(+)
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2

(limited to 'clarkzjw.cc/config/atlas/ansible/roles')

diff --git a/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
new file mode 100644
index 0000000..e53d3eb
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,66 @@
+- name: Disable unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: stopped
+    enabled: false
+
+- name: Install packages
+  apt:
+    name:
+      - apt-transport-https
+      - build-essential
+      - ca-certificates
+      - cifs-utils
+      - vnstat
+      - postfix
+      - lsb-release
+      - python3
+      - python3-dev
+      - python3-pip
+      - unzip
+      - gnupg
+      - rsync
+      - sudo
+      - htop
+      - curl
+      - tree
+      - zip
+      - vim
+      - zsh
+      - git
+    update_cache: true
+
+- name: Enable bullseye-backport
+  apt_repository:
+    repo: deb https://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main contrib non-free
+    state: present
+
+# Check https://wiki.debian.org/ZFS for additional information
+- name: Install ZFS
+  apt:
+    name:
+      - linux-headers-amd64
+      - linux-headers-{{ ansible_kernel }}
+      - zfsutils-linux
+      - zfs-dkms
+    update_cache: true
+    fail_on_autoremove: yes
+    default_release: "{{ ansible_distribution_release | lower }}-backports"
+
+- name: Load zfs kernel module
+  modprobe:
+    name: zfs
+    state: present
+
+- name: Clean unneeded packages
+  apt:
+    autoremove: true
+    purge: true
+
+- name: Remove useless packages from the cache
+  apt:
+    autoclean: yes
+
+- name: Run the equivalent of "apt-get clean" as a separate step
+  apt:
+    clean: yes
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
new file mode 100644
index 0000000..29cf529
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
@@ -0,0 +1,56 @@
+- name: Make sure we have a 'wheel' group
+  group:
+    name: wheel
+    state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    validate: visudo -cf %s
+
+- name: Add sudoers users to wheel group
+  user:
+    name: clarkzjw
+    groups: wheel
+    append: yes
+
+- name: Set authorized keys taken from url
+  authorized_key:
+    user: clarkzjw
+    state: present
+    key: https://github.com/clarkzjw.keys
+
+- name: Add Tailscale GPG apt Key
+  apt_key:
+    url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
+    keyring: /usr/share/keyrings/tailscale-archive-keyring.gpg
+    state: present
+
+- name: Add Tailscale Repository
+  get_url:
+    url: https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list
+    dest: /etc/apt/sources.list.d/tailscale.list
+
+- name: Install Tailscale
+  apt:
+    name:
+      - tailscale
+    update_cache: true
+
+- name: Disable Root Login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin yes'
+    line: "PermitRootLogin no"
+    state: present
+    backup: yes
+
+- name: Restart SSHD
+  systemd:
+    name: ssh
+    enabled: true
+    state: restarted
+    daemon_reload: true
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
new file mode 100644
index 0000000..88c23b1
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
@@ -0,0 +1,3 @@
+samba_users:
+- username: clarkzjw
+  password: "{{ lookup('env', 'SAMBA_PASSWORD') }}"
\ No newline at end of file
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
new file mode 100644
index 0000000..80950dc
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
@@ -0,0 +1,53 @@
+- name: Install Samba
+  apt:
+    name:
+      - samba
+      - smbclient
+      - cifs-utils
+    update_cache: true
+
+- name: Disable Samba NetBIOS server nmbd
+  systemd:
+    name: nmbd
+    state: stopped
+    enabled: false
+
+- name: render samba config file
+  template:
+    src: smb.conf.j2
+    dest: "/etc/samba/smb.conf"
+    mode: 0644
+
+# https://stackoverflow.com/questions/44762488/non-interactive-samba-user-creation-via-ansible
+- name: shell - create samba users
+  shell: >
+    set -e -o pipefail
+    && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd -s -a {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_create_users
+  changed_when: "'Added user' in samba_create_users.stdout"
+  loop: "{{ samba_users }}"
+  no_log: true
+
+- name: shell - set samba passwords correctly
+  shell: >
+    set -e -o pipefail
+    && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
+    || (echo '{{ item.password }}'; echo '{{ item.password }}')
+    | smbpasswd {{ item.username }}
+  args:
+    executable: /bin/bash
+  register: samba_verify_users
+  changed_when: "'New SMB password' in samba_verify_users.stdout"
+  loop: "{{ samba_users }}"
+  no_log: true
+
+- name: Restart SMB service
+  systemd:
+    name: smbd
+    state: restarted
+    enabled: true
+    daemon_reload: true
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2 b/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2
new file mode 100644
index 0000000..06e2567
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2
@@ -0,0 +1,33 @@
+[global]
+    workgroup = WORKGROUP
+    interfaces = 192.168.1.0/24 tailscale0
+    bind interfaces only = yes
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
+
+[homes]
+   comment = Home Directories
+   browseable = no
+   read only = yes
+   create mask = 0700
+   directory mask = 0700
+   valid users = %S
+
+[pool1]
+    comment = NAS Share
+    path = /pool1/clarkzjw
+    writable = yes
+    guest ok = no
+    valid users = @clarkzjw
+    force create mode = 770
+    force directory mode = 770
+    inherit permissions = yes
-- 
cgit v1.2.3