From f2f99a932d3787edc0d347831c95d60f4e566429 Mon Sep 17 00:00:00 2001 From: Chewing_Bever Date: Sat, 3 Dec 2022 13:40:32 +0100 Subject: [PATCH 1/4] Install Vim config --- main.yml | 2 +- roles/base/tasks/main.yml | 25 +++++++++++++++++++++++++ roles/packages/tasks/main.yml | 11 ----------- 3 files changed, 26 insertions(+), 12 deletions(-) create mode 100644 roles/base/tasks/main.yml delete mode 100644 roles/packages/tasks/main.yml diff --git a/main.yml b/main.yml index 955fd60..6c37399 100644 --- a/main.yml +++ b/main.yml @@ -3,7 +3,7 @@ hosts: all become: yes roles: - - packages + - base - net-security tags: base diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..0d0f7ef --- /dev/null +++ b/roles/base/tasks/main.yml @@ -0,0 +1,25 @@ +- name: Install packages + apt: + name: + # Needed for handling GPG keys for repositories + - debian-keyring + - debian-archive-keyring + - apt-transport-https + + # Easy to edit files + - vim + - tmux + state: present + +- name: Install Vim config + get_url: + url: 'https://r8r.be/vim' + dest: '{{ item.dest }}' + owner: "{{ item.user }}" + group: "{{ item.user }}" + mode: '644' + with_items: + - user: debian + dest: "/home/debian/.vimrc" + - user: root + dest: "/root/.vimrc" diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml deleted file mode 100644 index 612137b..0000000 --- a/roles/packages/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Install packages - apt: - name: - # Needed for handling GPG keys for repositories - - debian-keyring - - debian-archive-keyring - - apt-transport-https - - # Easy to edit files - - vim - state: present From 5ad30d334374261d873d77f00baf2b080f1671c1 Mon Sep 17 00:00:00 2001 From: Chewing_Bever Date: Sun, 24 Dec 2023 17:58:49 +0100 Subject: [PATCH 2/4] initial bootstrapping workflow --- README.md | 22 ++++++++--- first_run.yml | 11 ++++++ group_vars/{all.yml => all/vars.yml} | 16 ++++---- group_vars/all/vault.yml | 6 +++ initial-hosts.ini | 5 +++ roles/base/files/authorized_keys | 5 +++ roles/base/handlers/main.yml | 5 +++ roles/base/tasks/main.yml | 56 +++++++++++++++++----------- roles/base/templates/interfaces.j2 | 7 ++++ roles/common/tasks/main.yml | 26 +++++++++++++ roles/install-python/tasks/main.yml | 6 +++ 11 files changed, 129 insertions(+), 36 deletions(-) create mode 100644 first_run.yml rename group_vars/{all.yml => all/vars.yml} (75%) create mode 100644 group_vars/all/vault.yml create mode 100644 initial-hosts.ini create mode 100644 roles/base/files/authorized_keys create mode 100644 roles/base/handlers/main.yml create mode 100644 roles/base/templates/interfaces.j2 create mode 100644 roles/common/tasks/main.yml create mode 100644 roles/install-python/tasks/main.yml diff --git a/README.md b/README.md index 503e1de..a492204 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,20 @@ # Raspberry Pi NAS -This repository contains all configuration I use to set up a Raspberry Pi 4B as -a NAS and media storage server. This repository will most likely evolve a lot. +Ansible configuration repository for my Raspberry Pi's. -The Pi is used to host the following: +## Initial setup for new systems -* Samba network share for access to family pictures -* [Photoview](https://photoview.github.io/) instance for accessing image over the internet -* [Jellyfin](https://jellyfin.org/) for accessing media library as well +1. Flash [Debian Raspberry Pi](https://raspi.debian.net/) on the SD card. +2. Configure `/boot/firmware/sysconf.txt` + 1. Set `hostname` to the desired name + 2. Set `root_authorized_key` to the contents of the current computer's + public SSH key +3. Put SD card in Pi and boot +4. Connect Pi to wired internet +5. Determine IP address given to the new Pi +6. Add this IP address to the `initial-hosts.ini` file, along with the + `static_ip` host var set to the desired static IP address +8. Comment out `ansible_ssh_user` in `group_vars/all/vars.yml`, as this + overwrites the one set in the hosts file +9. Run `ansible-playbook -i initial-hosts.ini first_run.yml`. This command will + hang at the `restart networking` step; at this point you can Ctrl-C. diff --git a/first_run.yml b/first_run.yml new file mode 100644 index 0000000..7f22173 --- /dev/null +++ b/first_run.yml @@ -0,0 +1,11 @@ +--- +- name: Install Python + hosts: all + gather_facts: no + roles: + - install-python + +- name: Configure base system. + hosts: all + roles: + - base diff --git a/group_vars/all.yml b/group_vars/all/vars.yml similarity index 75% rename from group_vars/all.yml rename to group_vars/all/vars.yml index 71505f7..b08ee1c 100644 --- a/group_vars/all.yml +++ b/group_vars/all/vars.yml @@ -1,14 +1,13 @@ --- -ansible_ssh_user: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63363333613666383765643633393735396439386662346364643730373138333931303833393339 - 6430306434646562396134373433343439316133303931640a343536383539666132633636303031 - 65643735333839613636613963303433623933366532623037323963646462366464623739393461 - 3233613932616531360a326235346464333566633466633864343261663831336166313230306635 - 3265 - +ansible_ssh_user: debian ansible_ssh_port: 22 +# Values for static IP configuration +broadcast_ip: 192.168.0.255 +router_ip: 192.168.0.1 + +debian_pass: "{{ vault_debian_pass }}" + ansible_become_pass: !vault | $ANSIBLE_VAULT;1.1;AES256 38306565386265383731653936353766396630626163316335643261613561363030653561346239 @@ -28,3 +27,4 @@ lambroek_password: !vault | 36386632303939646632393362373838663337663063326338623534326561656561633131376138 64376237373133333761313635346266306638383038663333366139303437323562303733373764 63316564393763643834643232663462333633373639633938663035633063356530 + diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml new file mode 100644 index 0000000..f4da912 --- /dev/null +++ b/group_vars/all/vault.yml @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +37303338366435366664333235623930303461666537326463613536303263353233303631653061 +3365613139333035616434376464386436653863366338650a366363336438313364646432626335 +32396334643064326531393930666263643163636163316430616434363139316665323262616538 +3665633530616432350a326439636231383765666365386433313432373432373938656638373636 +34323166343965616330366265353462626132356565316637313430343462363163 diff --git a/initial-hosts.ini b/initial-hosts.ini new file mode 100644 index 0000000..2574963 --- /dev/null +++ b/initial-hosts.ini @@ -0,0 +1,5 @@ +192.168.0.216 static_ip=192.168.0.3 + +[all:vars] +# These are expected to be the same +ansible_ssh_user=root diff --git a/roles/base/files/authorized_keys b/roles/base/files/authorized_keys new file mode 100644 index 0000000..c63ff39 --- /dev/null +++ b/roles/base/files/authorized_keys @@ -0,0 +1,5 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkDjXuZn+blanbJAhte8KttrpeCPeT5CGcZ5mlAZv724wTa4qebpwCnf4SK4aFuDQEuCusnia3+X7YWAyCDReNURznAWCtq+b8LGxyIm2hTBbLA1m8sj0xidR/djlUtOwDp9VpSNamUWyiPWJ+WNsPd9xLJ6BK3qRsoFiMN87sO12L7DHHDaMze628Oc+IxFd+VZnH0dPVgitis31f+lXCr8w5qSiEepDJ8Nde8M+Ev1RrPQbR5Q5C+wYxlbY0oPNlGqSrs5i1jJl0BVMI4DlibxatTfuteU5IwcDMQObJr3xJGKNTPswSdzpfJFrLfUBZvsDs94BXEHR2CtxZ4aLQPeLfosWe4zuGvX22p7TzSPx1LkuqIF85Tw1PvK3f7u3l9sozHORAoEA8sFHG+DolqldgjuUgCGpfF/QOY1jkGpbEhq57kKFH+VlFI2XePGQ6299R9RN/Y4S88v14ChLwoLSNWgxK+CgYgB4lbquAIKTKsRla3gkEeziz+qoHPQkD5RcajrWOfSKU4alORpgQerSFZ9zMoz9N2rfTVEzCsVUj0Jiwtd5O7pCX9PWBhz1Nl1ItrRPuFiTSKB05dqsQ1CDZAZMDPJNqotd6QRS5+cKzFLgvU6k/gk08/qV00VM+BxlXkh8PwAhaxNPjMxjzqHx0+xC38FtacuhJiOV91Q== roosensjef@gmail.com + +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgHqW7mLuaW8XEFJrg031ES7v7y6Uk5QUp++axTd0wzvt5qfqTox9Hg1Xk5C9hdEfYzS5NCU+uoiInR0aHZ3Cl+yxqi3VqDfO20j6Irrt2SOBB86Gsyu9Brj62xtS0rY/e9rmyULJGUtJEz3UmFvn8fE5hUpGjDg7NByFs8f054pzifWw8F/wOvF5rKo9GqkWeXEUZ456FmowXCQLl5SypQliOsHJDs89NiTVvOxiKQXULBhj8o4c0MyCeFfPWqOutSSAetmbnegEjOTy7f/0IiqB+5713KOh1Bm1/u+3J2IVbRgeG1iTJdDVeIxBGmA1wMLvrBtBRIS0MaKa1Xabo3QTgYPHNGrf2w+GMnuoQ6/tdD6omPWGTHXqtHKEeIW1JrlDyhOo86oCl+l2aveMwhFFGW4nQmW7sfrowyLHdU3BpGl4m7pGa+5sTsHiOGEqEN/a7xikztXkuKacQ8E/y1C8gDXgaX8zFl6VOwR5EfMEMX390tz+R+ErDU81h47tSkwbY3KhunSKwPT8jSMldBttnCIexd+QuQgOlSwXkYVPPmXtPUkfp+4VzWSWeGKAa9k3HtVMIvKdVk9eXDVNnVdaAL+EkHyXOyFVVGa9gJ3ZOWhHMNi2/kHAwWMI9CwRxj7AVk30KGBhPN0wdS9Dt8/0Aa33hWuY2p9DxtNaiNw== roosensjef@gmail.com + +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml new file mode 100644 index 0000000..de4832e --- /dev/null +++ b/roles/base/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart networking + service: + name: networking + state: restarted diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 0d0f7ef..dafa3f6 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,25 +1,37 @@ -- name: Install packages +--- +- name: Install sudo. apt: - name: - # Needed for handling GPG keys for repositories - - debian-keyring - - debian-archive-keyring - - apt-transport-https - - # Easy to edit files - - vim - - tmux + name: sudo state: present -- name: Install Vim config - get_url: - url: 'https://r8r.be/vim' - dest: '{{ item.dest }}' - owner: "{{ item.user }}" - group: "{{ item.user }}" - mode: '644' - with_items: - - user: debian - dest: "/home/debian/.vimrc" - - user: root - dest: "/root/.vimrc" +- name: Create debian user. + user: + name: debian + groups: sudo + append: true + create_home: yes + shell: /bin/bash + password: "{{ vault_debian_pass | password_hash('sha512') }}" + update_password: on_create + +- name: Create SSH directory. + file: + path: /home/debian/.ssh/ + state: directory + owner: debian + group: debian + mode: '700' + +- name: Add authorized SSH keys. + copy: + src: authorized_keys + dest: /home/debian/.ssh/authorized_keys + owner: debian + group: debian + mode: '600' + +- name: Install networking config file. + template: + src: interfaces.j2 + dest: /etc/network/interfaces.d/eth0 + notify: restart networking diff --git a/roles/base/templates/interfaces.j2 b/roles/base/templates/interfaces.j2 new file mode 100644 index 0000000..3afb5e2 --- /dev/null +++ b/roles/base/templates/interfaces.j2 @@ -0,0 +1,7 @@ +auto eth0 +iface eth0 inet static + address {{ static_ip }} + broadcast {{ broadcast_ip }} + netmask 255.255.255.0 + gateway {{ router_ip }} + dns-nameservers {{ router_ip }} 8.8.8.8 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml new file mode 100644 index 0000000..ebc1050 --- /dev/null +++ b/roles/common/tasks/main.yml @@ -0,0 +1,26 @@ +- name: Install packages + apt: + name: + # Needed for handling GPG keys for repositories + - debian-keyring + - debian-archive-keyring + - apt-transport-https + + # Easy to edit files + - vim + - tmux + - htop + state: present + +- name: Install Vim config + get_url: + url: 'https://r8r.be/vim' + dest: '{{ item.dest }}' + owner: "{{ item.user }}" + group: "{{ item.user }}" + mode: '644' + with_items: + - user: debian + dest: "/home/debian/.vimrc" + - user: root + dest: "/root/.vimrc" diff --git a/roles/install-python/tasks/main.yml b/roles/install-python/tasks/main.yml new file mode 100644 index 0000000..484575f --- /dev/null +++ b/roles/install-python/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Update package database + raw: apt update + +- name: Install Python + raw: apt install -y python3 From 592992f031310e0cdcefdf044dc0a290ce344d80 Mon Sep 17 00:00:00 2001 From: Chewing_Bever Date: Sun, 24 Dec 2023 20:52:13 +0100 Subject: [PATCH 3/4] jelly, caddy, other stuff --- first_run.yml | 13 ++++++----- group_vars/all/vars.yml | 13 ----------- group_vars/nas/vars.yml | 2 ++ group_vars/nas/vault.yml | 7 ++++++ hosts.ini | 3 ++- nas.yml | 36 +++++++++++++++++++++++++++++ roles/base/tasks/main.yml | 9 +++++++- roles/caddy/files/Caddyfile | 16 +++++++++++++ roles/caddy/handlers/main.yml | 5 ++++ roles/caddy/tasks/main.yml | 17 ++++++++++++++ roles/common/tasks/main.yml | 12 ++++++++++ roles/install-python/tasks/main.yml | 6 ----- roles/jellyfin/tasks/main.yml | 12 +++++++++- roles/net-security/tasks/main.yml | 14 ----------- roles/raid/tasks/main.yml | 20 ++++++++++++++++ roles/samba/handlers/main.yml | 5 ++++ roles/samba/tasks/main.yml | 5 ++-- 17 files changed, 150 insertions(+), 45 deletions(-) create mode 100644 group_vars/nas/vars.yml create mode 100644 group_vars/nas/vault.yml create mode 100644 nas.yml create mode 100644 roles/caddy/files/Caddyfile create mode 100644 roles/caddy/handlers/main.yml delete mode 100644 roles/install-python/tasks/main.yml delete mode 100644 roles/net-security/tasks/main.yml create mode 100644 roles/raid/tasks/main.yml diff --git a/first_run.yml b/first_run.yml index 7f22173..45cc231 100644 --- a/first_run.yml +++ b/first_run.yml @@ -1,11 +1,12 @@ --- -- name: Install Python - hosts: all - gather_facts: no - roles: - - install-python - - name: Configure base system. hosts: all + gather_facts: no + # Debian installs don't have Python by default + pre_tasks: + - name: Update package database + raw: apt update + - name: Install Python + raw: apt install -y python3 roles: - base diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b08ee1c..5579c57 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -15,16 +15,3 @@ ansible_become_pass: !vault | 36343435646561643662373138613237626461373330346566356132636366623731643838383633 3765666163656264340a663138623535626161376666323862373131383637356231323737313564 6430 - -lambroek_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 33373365393262643630646336323731376232646138613061363933366265393863636536303430 - 3738363338653035623039383463643761343261336366620a353532613132343439333563663664 - 61643135323936323362326365663366333864363735363438636361643734333930616566356563 - 3038373639646338380a393061376135353564373062353139366461383939333161333936613430 - 33383233336531663261373631363733323839353235613131363966643838373033373437613764 - 37306137366666663938616465393464653961643732636236636438396165623165653363623135 - 36386632303939646632393362373838663337663063326338623534326561656561633131376138 - 64376237373133333761313635346266306638383038663333366139303437323562303733373764 - 63316564393763643834643232663462333633373639633938663035633063356530 - diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml new file mode 100644 index 0000000..4afc031 --- /dev/null +++ b/group_vars/nas/vars.yml @@ -0,0 +1,2 @@ +raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978' +lambroek_password: "{{ vault_lambroek_password }}" diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml new file mode 100644 index 0000000..547b0e2 --- /dev/null +++ b/group_vars/nas/vault.yml @@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +63336531383736643438396339366463383265373633373666623566616538316666323136626537 +3462346135616462383838613531343537313165653962370a343965613330636566393363633733 +35313039626430346264373361306464343532316532353232666166656531346237613033383662 +3563663536616362620a626563666631336537373961636232386430366139396262666466626633 +30653138633830636130663139373462663266643332303234303564353162333031383331396562 +6136386164613435633835336462663834376130383362666561 diff --git a/hosts.ini b/hosts.ini index e91633a..cd752ae 100644 --- a/hosts.ini +++ b/hosts.ini @@ -1 +1,2 @@ -192.168.0.3 +[nas] +192.168.0.3 static_ip=192.168.0.3 diff --git a/nas.yml b/nas.yml new file mode 100644 index 0000000..d7c40d3 --- /dev/null +++ b/nas.yml @@ -0,0 +1,36 @@ +--- +- name: Perform common tasks + hosts: nas + become: yes + roles: + - base + - common + tags: base + +- name: Configure BTRFS RAID + hosts: nas + become: yes + roles: + - raid + tags: raid + +- name: Set up Samba + hosts: nas + become: yes + roles: + - samba + tags: samba + +- name: Set up Jellyfin + hosts: nas + become: yes + roles: + - jellyfin + tags: jellyfin + +- name: Set up Caddy + hosts: nas + become: yes + roles: + - caddy + tags: caddy diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index dafa3f6..8ec3e10 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -4,10 +4,17 @@ name: sudo state: present +- name: Create data group. + group: + name: data + gid: 1002 + - name: Create debian user. user: name: debian - groups: sudo + groups: + - sudo + - data append: true create_home: yes shell: /bin/bash diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile new file mode 100644 index 0000000..fdb27ea --- /dev/null +++ b/roles/caddy/files/Caddyfile @@ -0,0 +1,16 @@ +# The Caddyfile is an easy way to configure your Caddy web server. +# +# Unless the file starts with a global options block, the first +# uncommented line is always the address of your site. +# +# To use your own domain name (with automatic HTTPS), first make +# sure your domain's A/AAAA DNS records are properly pointed to +# this machine's public IP, then replace ":80" below with your +# domain name. + +media.roosens.me { + reverse_proxy localhost:8096 +} + +# Refer to the Caddy docs for more information: +# https://caddyserver.com/docs/caddyfile diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml new file mode 100644 index 0000000..ddf490e --- /dev/null +++ b/roles/caddy/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload-caddy + service: + name: caddy + state: reloaded diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml index 4f5faa3..f3eb347 100644 --- a/roles/caddy/tasks/main.yml +++ b/roles/caddy/tasks/main.yml @@ -1,3 +1,4 @@ +--- - name: Add Caddy GPG key apt_key: url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" @@ -16,3 +17,19 @@ apt: name: caddy state: present + +- name: Copy over Caddyfile + copy: + src: Caddyfile + dest: '/etc/caddy/Caddyfile' + owner: root + group: root + mode: '644' + notify: reload-caddy + +- name: Ensure Caddy service is running & enabled + service: + name: caddy + state: started + enabled: true + diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index ebc1050..efe7bbf 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -10,6 +10,12 @@ - vim - tmux - htop + + # Spam prevention + - fail2ban + + # Disk monitoring + - smartmontools state: present - name: Install Vim config @@ -24,3 +30,9 @@ dest: "/home/debian/.vimrc" - user: root dest: "/root/.vimrc" + +- name: Enable fail2ban + service: + name: fail2ban + state: started + enabled: true diff --git a/roles/install-python/tasks/main.yml b/roles/install-python/tasks/main.yml deleted file mode 100644 index 484575f..0000000 --- a/roles/install-python/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Update package database - raw: apt update - -- name: Install Python - raw: apt install -y python3 diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml index bea451e..48b969b 100644 --- a/roles/jellyfin/tasks/main.yml +++ b/roles/jellyfin/tasks/main.yml @@ -5,7 +5,7 @@ - name: Add Jellyfin repository apt_repository: - repo: "deb https://repo.jellyfin.org/debian bullseye main" + repo: "deb https://repo.jellyfin.org/debian bookworm main" filename: 'jellyfin' state: present @@ -14,6 +14,16 @@ name: jellyfin state: present +- name: Create Jellyfin user + user: + name: jellyfin + groups: + - data + append: true + create_home: no + shell: /bin/nologin + update_password: on_create + - name: Copy over service file copy: src: jellyfin.service.conf diff --git a/roles/net-security/tasks/main.yml b/roles/net-security/tasks/main.yml deleted file mode 100644 index 83332f2..0000000 --- a/roles/net-security/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Install fail2ban. - apt: - name: fail2ban - state: present - -# TODO add proper fail2ban config - -- name: Ensure fail2ban is started & enabled. - service: - name: fail2ban - state: started - enabled: true - -# TODO install UFW diff --git a/roles/raid/tasks/main.yml b/roles/raid/tasks/main.yml new file mode 100644 index 0000000..b0e10bf --- /dev/null +++ b/roles/raid/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Install BTRFS tools + apt: + name: btrfs-progs + state: present + +- name: Create mountpoint + file: + path: /mnt/data1 + state: directory + mode: '0755' + owner: debian + group: debian + +- name: Mount RAID + mount: + path: /mnt/data1 + src: "UUID={{ raid_uuid }}" + fstype: btrfs + state: mounted diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml index e0b8a12..48e1e38 100644 --- a/roles/samba/handlers/main.yml +++ b/roles/samba/handlers/main.yml @@ -3,3 +3,8 @@ service: name: smbd state: restarted + +- name: smbpasswd-lambroek + shell: + cmd: "smbpasswd -sa lambroek" + stdin: "{{ lambroek_password }}\n{{ lambroek_password }}" diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml index b46817e..60ea3c3 100644 --- a/roles/samba/tasks/main.yml +++ b/roles/samba/tasks/main.yml @@ -16,10 +16,9 @@ create_home: false groups: - data - password: "{{ lambroek_password }}" + password: "{{ lambroek_password | password_hash('sha512') }}" shell: /sbin/nologin - -# TODO run "smbpasswd -a lambroek" + notify: smbpasswd-lambroek - name: Copy over smb config file copy: From c930ccc44ad78faf619f9690d62a5a44507aed97 Mon Sep 17 00:00:00 2001 From: Chewing_Bever Date: Wed, 27 Dec 2023 21:34:51 +0100 Subject: [PATCH 4/4] rclone installation --- group_vars/nas/vars.yml | 4 +++ group_vars/nas/vault.yml | 35 ++++++++++++++++++++++----- nas.yml | 7 ++++++ roles/rclone/tasks/main.yml | 12 +++++++++ roles/rclone/templates/rclone.conf.j2 | 20 +++++++++++++++ 5 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 roles/rclone/tasks/main.yml create mode 100644 roles/rclone/templates/rclone.conf.j2 diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml index 4afc031..29190e9 100644 --- a/group_vars/nas/vars.yml +++ b/group_vars/nas/vars.yml @@ -1,2 +1,6 @@ raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978' lambroek_password: "{{ vault_lambroek_password }}" +s3_access_key_id: "{{ vault_s3_access_key_id }}" +s3_secret_access_key: "{{ vault_s3_secret_access_key }}" +rclone_photos_obf_pass: "{{ vault_rclone_photos_obf_pass }}" +rclone_photos_obf_pass2: "{{ vault_rclone_photos_obf_pass2 }}" diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml index 547b0e2..a06f383 100644 --- a/group_vars/nas/vault.yml +++ b/group_vars/nas/vault.yml @@ -1,7 +1,30 @@ $ANSIBLE_VAULT;1.1;AES256 -63336531383736643438396339366463383265373633373666623566616538316666323136626537 -3462346135616462383838613531343537313165653962370a343965613330636566393363633733 -35313039626430346264373361306464343532316532353232666166656531346237613033383662 -3563663536616362620a626563666631336537373961636232386430366139396262666466626633 -30653138633830636130663139373462663266643332303234303564353162333031383331396562 -6136386164613435633835336462663834376130383362666561 +37323336656133626339366437393062613937366232613334643034363635623832333136313063 +3738353666646636323431663339623234306439323138650a373063376634333161666366303831 +34373963366334636238623134613863303464663133653262333064613863643362633531653061 +3934363435316636390a626531333463396137303132313363636163306464386138653538353633 +32663836316665376233346364383461323065383461623762323933316635336661363032333637 +30323831316239386365323266376439623761316330663063326539306339666362646138653537 +33663964353632613232653130653164303963386233626233313037653737663436373934303832 +66336466363465613839306662623631646531303865366536383030616139356539623730633033 +66353666396162316132663364373137646637353333623738393464366234643264303030393465 +38643734636336336563646361336165363133323738646531633835646262663637363964336134 +31346432643336613534396436353064373938386233353435386631373434633766363135653962 +35393230363735336436633033303465616362653734356235343261313464316138316539386238 +65346531613566643365336538663538353961333632623465636265613764373637333035623133 +62313564356534393338346631386365643736336138346532643638333737653835303862383863 +37336534646364643366376339656636613762323632613836323936326234663261386339333836 +36326334306136663638323738396337653663326539623936646437393537653538313439356636 +34366133353165346534366339306564323861386237333262633535646166343463663435396233 +35306533326234633133653336346161343735633364303662303637303534376337383539353165 +34313434323433363936623531393464303762616632666661323834303137383535303961333462 +64363635653039396464366663343661353665643534636464373333643438646536323330626366 +35636336626532663732393064626139306261306530653433633365326438396535333665616234 +33323566653634623364323663623833313063326438343766376436386430323834663031643135 +31326561353761396364343232386530356631636637643838376562346330303334626162646532 +35666132363939356263313834653836313033346439323765633364636236366234666333323663 +61323633666661316437643732383231303138666536313665373833383334383263613065666365 +32373536376461303762396535353733373630313966343431616337633334346565386263376666 +37633536363336373465383432656465373535393837623962303066366631643730326562626266 +38333337353062343562303534656166366136646232346364343134363436633436656165616538 +3236 diff --git a/nas.yml b/nas.yml index d7c40d3..9cbb433 100644 --- a/nas.yml +++ b/nas.yml @@ -34,3 +34,10 @@ roles: - caddy tags: caddy + +- name: Set up photo sync using Rclone + hosts: nas + become: yes + roles: + - rclone + tags: rclone diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml new file mode 100644 index 0000000..1cbbbd4 --- /dev/null +++ b/roles/rclone/tasks/main.yml @@ -0,0 +1,12 @@ +- name: Ensure Rclone is installed + ansible.builtin.apt: + name: rclone + state: present + +- name: Ensure Rclone configuration file is present + ansible.builtin.template: + src: 'rclone.conf.j2' + dest: /etc/rclone.conf + owner: root + group: root + mode: '0644' diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2 new file mode 100644 index 0000000..679b602 --- /dev/null +++ b/roles/rclone/templates/rclone.conf.j2 @@ -0,0 +1,20 @@ +# Copy the config entry below in your rclone configuration file. +[ovh-s3] +type = s3 +provider = Other +env_auth = false +access_key_id = {{ s3_access_key_id }} +secret_access_key = {{ s3_secret_access_key }} +acl = private +region = gra +location_constraint = gra +# API endpoint +# S3 standard endpoint +endpoint = https://s3.gra.io.cloud.ovh.net/ + +[photos-crypt] +type = crypt +remote = ovh-s3:pi-s3/photos +password = {{ rclone_photos_obf_pass }} +password2 = {{ rclone_photos_obf_pass2 }} +