From 5a123dc4cef4d8108609f35e58c0db4cd575dff0 Mon Sep 17 00:00:00 2001
From: David Stephens
Date: Fri, 28 Dec 2018 13:07:40 +0000
Subject: [PATCH] Update the account samba uses to serve to guests, and permission share directories accordingly

---
 docs/configuration/shares.md | 12 ++++++++++++
 group_vars/all.yml.dist | 14 +++++++++++++-
 nas.yml | 26 ++++++++++++++++----------
 permission_data.yml | 21 +++++++++++++++++++++
 tasks/general.yml | 11 ++++++++++-
 tasks/users.yml | 14 ++++++++++++++
 tests/test.yml | 14 +++++++++++++-
 7 files changed, 99 insertions(+), 13 deletions(-)
 create mode 100644 docs/configuration/shares.md
 create mode 100644 permission_data.yml
 create mode 100644 tasks/users.yml

diff --git a/docs/configuration/shares.md b/docs/configuration/shares.md
new file mode 100644
index 00000000..5f7eccaf
--- /dev/null
+++ b/docs/configuration/shares.md
@@ -0,0 +1,12 @@
+# Shares
+
+Ansible-NAS uses the awesome [bertvv.samba](https://github.com/bertvv/ansible-role-samba) Ansible role to configure Samba - check out the project page for the many different options you can use to configure a share.
+
+## Share Examples
+
+Ansible-NAS shares are defined in the `samba_shares` section within `group_vars/all.yml`. The examples provided are
+"public" shares that anyone on your LAN can read and write to.
+
+## File Permissions
+
+Ansible-NAS creates an `ansible-nas` user and group on your server, which Samba will use to access the data in your shares. New data created will be permissioned correctly. However, if you have existing data this will need to be repermissioned so that Samba can read and serve it. An playbook is provided to do this for you - `permission_data.yml`. It is separated from the main Ansible-NAS playbook due to the time it can take to run with large amounts of data. You should only need to run this once.
\ No newline at end of file
diff --git a/group_vars/all.yml.dist b/group_vars/all.yml.dist
index 7ea58dc4..8ce736f8 100644
--- a/group_vars/all.yml.dist
+++ b/group_vars/all.yml.dist
@@ -100,7 +100,13 @@ torrents_root: "{{ samba_shares_root }}/torrents"
 
 # The account used when Samba shares are accessed. Shouldn't need to change this unless you want to
 # mess with Samba user permissions.
-samba_guest_account: nobody
+samba_guest_account: ansible-nas
+
+# How Samba behaves when an unknown user connects, see Samba docs for more info
+samba_map_to_guest: Bad Password
+
+# The Netbios hostname used by Samba on your network
+samba_netbios_name: "{{ ansible_nas_hostname }}"
 
 # Shares you want published over Samba.
 samba_shares:
@@ -109,6 +115,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ downloads_root }}"
 
   - name: movies
@@ -116,6 +123,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ movies_root }}"
 
   - name: tv
@@ -123,6 +131,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ tv_root }}"
 
   - name: dump
@@ -130,6 +139,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/dump"
 
   - name: games
@@ -137,6 +147,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/games"
 
   - name: photos
@@ -144,6 +155,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/photos"
 
 
diff --git a/nas.yml b/nas.yml
index 6b6220ee..ba99b530 100644
--- a/nas.yml
+++ b/nas.yml
@@ -1,5 +1,21 @@
 ---
 - hosts: all
+
+  pre_tasks:
+    - import_tasks: tasks/users.yml
+      tags: users
+
+  roles:
+    - role: bertvv.samba
+      tags:
+        - samba
+        - skip_ansible_lint
+
+    - role: geerlingguy.docker
+      tags:
+        - docker
+        - skip_ansible_lint
+
   tasks:
     - import_tasks: tasks/general.yml
       tags: general
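Review bot: `samba_map_to_guest: Bad Password` in the `@@ -100,7 +100,13 @@` hunk makes Samba turn a wrong password for an existing account into a guest session, so a mistyped or guessed password against a real user quietly succeeds as the `ansible-nas` account instead of being rejected, and password guessing never surfaces as an authentication failure. Every share in this file is `guest_ok: yes`, so the narrower `Bad User` setting — which maps only unknown usernames to guest and still rejects bad passwords for known accounts — gives the same anonymous access without that side effect. I'd change the line to `samba_map_to_guest: Bad User` and expand the comment above it to `# How Samba treats unknown users: Bad User maps only unknown usernames to the guest account; Bad Password also maps failed passwords for real accounts to guest`. The `samba_shares` list continues past the end of this hunk.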
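Review bot: The `import_tasks: tasks/users.yml` pre_task carries only `tags: users`, so a tag-limited run such as `--tags samba` or `--tags general` skips creating the `ansible-nas` account while still running the `bertvv.samba` role and the share-permission tasks that name it; on a fresh host Samba would then be pointed at a guest account that does not exist. Changing the line to `tags: [users, always]` makes the account creation run on every invocation while keeping `users` as a selectable tag. The play's `tasks` list continues past the end of this hunk.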
@@ -86,14 +102,4 @@
       when: guacamole_enabled
       tags: guacamole
 
-  roles:
-    - role: bertvv.samba
-      tags:
-        - samba
-        - skip_ansible_lint
-
-    - role: geerlingguy.docker
-      tags:
-        - docker
-        - skip_ansible_lint
 
diff --git a/permission_data.yml b/permission_data.yml
new file mode 100644
index 00000000..c415316c
--- /dev/null
+++ b/permission_data.yml
@@ -0,0 +1,21 @@
+---
+- hosts: all
+  tasks:
+    - name: Warning!
+      debug:
+        msg: "This playbook will repermission ALL existing data in the shares defined in group_vars/all.yml to be owned by the ansible-nas user and group. If this is not what you want, exit now."
+
+    - name: 20s to change your mind...
+      pause:
+        seconds: 20
+
+    - name: "Permission share data"
+      file:
+        path: "{{ item.path }}"
+        owner: ansible-nas
+        group: ansible-nas
+        mode: "u=rwX,g=rwX,o=rX"
+        recurse: true
+      loop: "{{ samba_shares }}"
+
+
diff --git a/tasks/general.yml b/tasks/general.yml
index dac8229d..c8ebae6a 100644
--- a/tasks/general.yml
+++ b/tasks/general.yml
@@ -41,4 +41,13 @@
 
 - name: "Set timezone to {{ ansible_nas_timezone }}"
   timezone:
-    name: "{{ ansible_nas_timezone }}"
\ No newline at end of file
+    name: "{{ ansible_nas_timezone }}"
+
+- name: "Permission share directories"
+  file:
+    path: "{{ item.path }}"
+    owner: ansible-nas
+    group: ansible-nas
+    mode: "u=rwX,g=rwX,o=rX"
+    recurse: false
+  loop: "{{ samba_shares }}"
\ No newline at end of file
diff --git a/tasks/users.yml b/tasks/users.yml
new file mode 100644
index 00000000..b17eb0a9
--- /dev/null
+++ b/tasks/users.yml
@@ -0,0 +1,14 @@
+---
+- name: Create ansible-nas group
+  group:
+    name: ansible-nas
+    state: present
+
+- name: Create ansible-nas user
+  user:
+    name: ansible-nas
+    state: present
+    system: yes
+    update_password: on_create
+    create_home: no
+    group: ansible-nas
\ No newline at end of file
diff --git a/tests/test.yml b/tests/test.yml
index 195ee24f..6b77bd42 100644
--- a/tests/test.yml
+++ b/tests/test.yml
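Review bot: The `Permission share data` task in `permission_data.yml` recursively chowns and chmods everything under every `item.path` in `samba_shares`, and the only thing between the operator and that is a 20-second `pause` with no prompt, so a share `path` that points at a broad directory (a whole mount, a home directory) has its entire contents handed to the `ansible-nas` account and made world-readable (`o=rX`) once the timer runs out. A `pause` with a `prompt` that registers the answer, followed by a `fail` unless the operator typed an explicit confirmation, turns the timeout into a deliberate decision; the `Warning!` debug task can stay as the explanation. I'd also add `state: directory` to the `file` task so the intent (recursing into an existing share directory) is stated rather than left to the module's state defaulting.

```yaml
    # … unchanged: Warning! debug task …

    - name: Confirm repermissioning
      pause:
        prompt: "Type 'yes' to repermission ALL data under the samba_shares paths"
      register: confirm

    - name: Abort unless confirmed
      fail:
        msg: "Aborted: no confirmation given."
      when: confirm.user_input != 'yes'

    - name: "Permission share data"
      file:
        path: "{{ item.path }}"
        state: directory
        # … unchanged: owner/group/mode/recurse …
      loop: "{{ samba_shares }}"
```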
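Review bot: `Permission share directories` in `tasks/general.yml` calls `file` with `owner`/`group`/`mode` and `recurse: false` but no `state`, so if a share `path` does not exist yet the module treats it as a plain file and fails reporting the path absent instead of creating it; whether something earlier (the `bertvv.samba` role, perhaps) already creates these directories is not visible in this patch. Adding `state: directory` under `path:` makes the task self-sufficient on a fresh host and documents that each `samba_shares` entry is expected to be a directory. A comment such as `# Share roots must be owned by the Samba guest account so guests can create files; existing contents are handled by permission_data.yml` would also link the two tasks for maintainers. The `tasks/general.yml` task list begins before this hunk.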
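Review bot: The `Create ansible-nas user` task in `tasks/users.yml` sets no `shell`, so the account gets whatever the host's `useradd` default is (commonly `/bin/sh` on Debian/Ubuntu), yet this user exists only so Samba can own share data and every anonymous LAN client is mapped onto it via `samba_guest_account`. Adding `shell: /usr/sbin/nologin` (the Debian/Ubuntu path; `/sbin/nologin` on other distributions) beside `create_home: no` keeps it from ever becoming an interactive login, which matters because anything writable through the shares is writable as this account. Since no `password` is given the account should remain locked for password login, which is the right default and worth stating in a comment above the task: `# Service identity for Samba's guest account: no home, no shell, no password`.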
@@ -101,7 +101,13 @@ torrents_root: "{{ samba_shares_root }}/torrents"
 
 # The account used when Samba shares are accessed. Shouldn't need to change this unless you want to
 # mess with Samba user permissions.
-samba_guest_account: nobody
+samba_guest_account: ansible-nas
+
+# How Samba behaves when an unknown user connects, see Samba docs for more info
+samba_map_to_guest: Bad Password
+
+# The Netbios hostname used by Samba on your network
+samba_netbios_name: "{{ ansible_nas_hostname }}"
 
 # Shares you want published over Samba.
 samba_shares:
@@ -110,6 +116,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ downloads_root }}"
 
   - name: movies
@@ -117,6 +124,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ movies_root }}"
 
   - name: tv
@@ -124,6 +132,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ tv_root }}"
 
   - name: dump
@@ -131,6 +140,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/dump"
 
   - name: games
@@ -138,6 +148,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/games"
 
   - name: photos
@@ -145,6 +156,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/photos"