From a077d65e5f7f415cc17abeee2264e24957ef97cd Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Fri, 13 Jan 2023 16:53:03 -0800
Subject: change domain to clarkzjw.cc

---
 .../ansible/roles/debian_init/defaults/main.yaml | 0
 .../ansible/roles/debian_init/tasks/main.yaml | 66 ++++++++++++++++++++++
 .../atlas/ansible/roles/init/tasks/main.yaml | 56 ++++++++++++++++++
 .../atlas/ansible/roles/samba/defaults/main.yaml | 3 +
 .../atlas/ansible/roles/samba/tasks/main.yaml | 53 +++++++++++++++++
 .../ansible/roles/samba/templates/smb.conf.j2 | 33 +++++++++++
 6 files changed, 211 insertions(+)
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
 create mode 100644 clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2

(limited to 'clarkzjw.cc/config/atlas/ansible/roles')

diff --git a/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/defaults/main.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
new file mode 100644
index 0000000..e53d3eb
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,66 @@
+- name: Disable unattended-upgrades
+ systemd:
+ name: unattended-upgrades
+ state: stopped
+ enabled: false
+
+- name: Install packages
+ apt:
+ name:
+ - apt-transport-https
+ - build-essential
+ - ca-certificates
+ - cifs-utils
+ - vnstat
+ - postfix
+ - lsb-release
+ - python3
+ - python3-dev
+ - python3-pip
+ - unzip
+ - gnupg
+ - rsync
+ - sudo
+ - htop
+ - curl
+ - tree
+ - zip
+ - vim
+ - zsh
+ - git
+ update_cache: true
+
+- name: Enable bullseye-backport
+ apt_repository:
+ repo: deb https://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main contrib non-free
+ state: present
+
+# Check https://wiki.debian.org/ZFS for additional information
+- name: Install ZFS
+ apt:
+ name:
+ - linux-headers-amd64
+ - linux-headers-{{ ansible_kernel }}
+ - zfsutils-linux
+ - zfs-dkms
+ update_cache: true
+ fail_on_autoremove: yes
+ default_release: "{{ ansible_distribution_release | lower }}-backports"
+
+- name: Load zfs kernel module
+ modprobe:
+ name: zfs
+ state: present
+
+- name: Clean unneeded packages
+ apt:
+ autoremove: true
+ purge: true
+
+- name: Remove useless packages from the cache
+ apt:
+ autoclean: yes
+
+- name: Run the equivalent of "apt-get clean" as a separate step
+ apt:
+ clean: yes
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
new file mode 100644
index 0000000..29cf529
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/init/tasks/main.yaml
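Review bot: The first task stops and disables unattended-upgrades, which removes the host's automatic channel for security updates, and nothing in this role replaces it or records why; add a comment above the task such as `# unattended-upgrades disabled: security updates are applied by <MECHANISM — TODO confirm>`, or drop the task if no such mechanism exists. The role also mixes `yes` and `true` for booleans (`fail_on_autoremove: yes`, `autoclean: yes`, `clean: yes` next to `update_cache: true`); use `true` throughout, since YAML 1.2 parsers do not read `yes` as a boolean. For consistency with the quoted `default_release` in the ZFS task, the backports line is better written `repo: "deb https://deb.debian.org/debian {{ ansible_distribution_release | lower }}-backports main contrib non-free"`.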
@@ -0,0 +1,56 @@
+- name: Make sure we have a 'wheel' group
+ group:
+ name: wheel
+ state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%wheel'
+ line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+ validate: visudo -cf %s
+
+- name: Add sudoers users to wheel group
+ user:
+ name: clarkzjw
+ groups: wheel
+ append: yes
+
+- name: Set authorized keys taken from url
+ authorized_key:
+ user: clarkzjw
+ state: present
+ key: https://github.com/clarkzjw.keys
+
+- name: Add Tailscale GPG apt Key
+ apt_key:
+ url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
+ keyring: /usr/share/keyrings/tailscale-archive-keyring.gpg
+ state: present
+
+- name: Add Tailscale Repository
+ get_url:
+ url: https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list
+ dest: /etc/apt/sources.list.d/tailscale.list
+
+- name: Install Tailscale
+ apt:
+ name:
+ - tailscale
+ update_cache: true
+
+- name: Disable Root Login
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin yes'
+ line: "PermitRootLogin no"
+ state: present
+ backup: yes
+
+- name: Restart SSHD
+ systemd:
+ name: ssh
+ enabled: true
+ state: restarted
+ daemon_reload: true
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
new file mode 100644
index 0000000..88c23b1
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/defaults/main.yaml
@@ -0,0 +1,3 @@
+samba_users:
+- username: clarkzjw
+ password: "{{ lookup('env', 'SAMBA_PASSWORD') }}"
\ No newline at end of file
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml b/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
new file mode 100644
index 0000000..80950dc
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/tasks/main.yaml
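Review bot: The `Disable Root Login` task only matches a line reading exactly `PermitRootLogin yes`; on a Debian host, where the shipped default is typically the commented `#PermitRootLogin prohibit-password`, lineinfile finds no match and appends `PermitRootLogin no` at the end of the file, where any trailing `Match` block would scope it to that block only. Use `regexp: '^#?\s*PermitRootLogin\b'` so the existing directive is rewritten in place, and add `validate: '/usr/sbin/sshd -t -f %s'` so a malformed edit is not followed by the unconditional `Restart SSHD` task below, which would otherwise lock out the controlling session. The `%wheel ALL=(ALL) NOPASSWD: ALL` line is a deliberate trade-off that deserves a comment stating why password-less sudo is acceptable on this host; that task is otherwise well guarded by its `visudo -cf %s` validate.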
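Review bot: `password: "{{ lookup('env', 'SAMBA_PASSWORD') }}"` evaluates to an empty string when SAMBA_PASSWORD is not set in the controller's environment, so the samba role's user-creation task would feed an empty password to smbpasswd instead of failing; make the dependency explicit with `password: "{{ lookup('env', 'SAMBA_PASSWORD') | mandatory }}"` or an `assert` task at the start of the role. The file also lacks a trailing newline and a `---` document start, which the other role files in this commit omit as well — pick one convention for the repository.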
@@ -0,0 +1,53 @@
+- name: Install Samba
+ apt:
+ name:
+ - samba
+ - smbclient
+ - cifs-utils
+ update_cache: true
+
+- name: Disable Samba NetBIOS server nmbd
+ systemd:
+ name: nmbd
+ state: stopped
+ enabled: false
+
+- name: render samba config file
+ template:
+ src: smb.conf.j2
+ dest: "/etc/samba/smb.conf"
+ mode: 0644
+
+# https://stackoverflow.com/questions/44762488/non-interactive-samba-user-creation-via-ansible
+- name: shell - create samba users
+ shell: >
+ set -e -o pipefail
+ && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
+ || (echo '{{ item.password }}'; echo '{{ item.password }}')
+ | smbpasswd -s -a {{ item.username }}
+ args:
+ executable: /bin/bash
+ register: samba_create_users
+ changed_when: "'Added user' in samba_create_users.stdout"
+ loop: "{{ samba_users }}"
+ no_log: true
+
+- name: shell - set samba passwords correctly
+ shell: >
+ set -e -o pipefail
+ && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
+ || (echo '{{ item.password }}'; echo '{{ item.password }}')
+ | smbpasswd {{ item.username }}
+ args:
+ executable: /bin/bash
+ register: samba_verify_users
+ changed_when: "'New SMB password' in samba_verify_users.stdout"
+ loop: "{{ samba_users }}"
+ no_log: true
+
+- name: Restart SMB service
+ systemd:
+ name: smbd
+ state: restarted
+ enabled: true
+ daemon_reload: true
diff --git a/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2 b/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2
new file mode 100644
index 0000000..06e2567
--- /dev/null
+++ b/clarkzjw.cc/config/atlas/ansible/roles/samba/templates/smb.conf.j2
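Review bot: Both `shell` tasks splice `item.password` into the command inside single quotes (`echo '{{ item.password }}'`), so a password containing `'` breaks the quoting and the remainder of the value is interpreted by bash; use Ansible's quoting filter instead, `echo {{ item.password | quote }}; echo {{ item.password | quote }}`, in both tasks. The verification task additionally passes the secret on the command line (`smbclient -U {{ item.username }}%{{ item.password }}`), where it is visible to every local user in the process list while the command runs — `no_log: true` hides it from Ansible output only; smbclient can take the password from a `PASSWD` environment variable (set via the task's `environment:`) or an `-A` credentials file, which is preferable here (confirm against the installed version's man page). `mode: 0644` in the template task should be `mode: "0644"`; an unquoted leading-zero octal is parsed as an integer and only yields the intended bits by coincidence for this value.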
@@ -0,0 +1,33 @@
+[global]
+ workgroup = WORKGROUP
+ interfaces = 192.168.1.0/24 tailscale0
+ bind interfaces only = yes
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ logging = file
+ panic action = /usr/share/samba/panic-action %d
+ server role = standalone server
+ obey pam restrictions = yes
+ unix password sync = yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ pam password change = yes
+ map to guest = bad user
+
+[homes]
+ comment = Home Directories
+ browseable = no
+ read only = yes
+ create mask = 0700
+ directory mask = 0700
+ valid users = %S
+
+[pool1]
+ comment = NAS Share
+ path = /pool1/clarkzjw
+ writable = yes
+ guest ok = no
+ valid users = @clarkzjw
+ force create mode = 770
+ force directory mode = 770
+ inherit permissions = yes
-- 
cgit v1.2.3
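Review bot: `map to guest = bad user` in `[global]` maps any login with an unknown username to the guest account, yet neither `[homes]` nor `[pool1]` is `guest ok`, so a mistyped username produces a guest session with no share access rather than a plain authentication failure; `map to guest = never` states the intent of this authenticated-only server directly and keeps the failure visible in the logs. Since `interfaces` binds the LAN subnet as well as `tailscale0`, only the Tailscale path is encrypted in transit; if LAN clients are expected, consider `smb encrypt = desired` (or `required`) in `[global]` and a comment recording the decision. The template carries no comments at all; a header such as `# Managed by Ansible (roles/samba/templates/smb.conf.j2) — local edits will be overwritten` spares the next operator from editing the rendered file.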