Update the account samba uses to serve to guests, and permission share directories accordingly

docs/configuration/shares.md

@@ -0,0 +1,12 @@
+# Shares
+
+Ansible-NAS uses the awesome [bertvv.samba](https://github.com/bertvv/ansible-role-samba) Ansible role to configure Samba - check out the project page for the many different options you can use to configure a share.
+
+## Share Examples
+
+Ansible-NAS shares are defined in the `samba_shares` section within `group_vars/all.yml`. The examples provided are
+"public" shares that anyone on your LAN can read and write to.
+
+## File Permissions
+
+Ansible-NAS creates an `ansible-nas` user and group on your server, which Samba will use to access the data in your shares. New data created will be permissioned correctly. However, if you have existing data this will need to be repermissioned so that Samba can read and serve it. An playbook is provided to do this for you - `permission_data.yml`. It is separated from the main Ansible-NAS playbook due to the time it can take to run with large amounts of data. You should only need to run this once.

group_vars/all.yml.dist

@@ -100,7 +100,13 @@ torrents_root: "{{ samba_shares_root }}/torrents"
 
 # The account used when Samba shares are accessed. Shouldn't need to change this unless you want to
 # mess with Samba user permissions.
-samba_guest_account: nobody
+samba_guest_account: ansible-nas
+
+# How Samba behaves when an unknown user connects, see Samba docs for more info
+samba_map_to_guest: Bad Password
+
+# The Netbios hostname used by Samba on your network
+samba_netbios_name: "{{ ansible_nas_hostname }}"
 
 # Shares you want published over Samba.
 samba_shares:
@@ -109,6 +115,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ downloads_root }}"
 
   - name: movies
@@ -116,6 +123,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ movies_root }}"
 
   - name: tv
@@ -123,6 +131,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ tv_root }}"
 
   - name: dump
@@ -130,6 +139,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/dump"
 
   - name: games
@@ -137,6 +147,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/games"
 
   - name: photos
@@ -144,6 +155,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/photos"
 
 

nas.yml

@@ -1,5 +1,21 @@
 ---
 - hosts: all
+
+  pre_tasks:
+    - import_tasks: tasks/users.yml
+      tags: users
+
+  roles:
+    - role: bertvv.samba
+      tags:
+        - samba
+        - skip_ansible_lint
+
+    - role: geerlingguy.docker
+      tags:
+        - docker
+        - skip_ansible_lint
+
   tasks:
   - import_tasks: tasks/general.yml
     tags: general
@@ -86,14 +102,4 @@
     when: guacamole_enabled
     tags: guacamole
 
-  roles:
-    - role: bertvv.samba
-      tags:
-        - samba
-        - skip_ansible_lint
-
-    - role: geerlingguy.docker
-      tags:
-        - docker
-        - skip_ansible_lint
 

permission_data.yml

@@ -0,0 +1,21 @@
+---
+- hosts: all
+  tasks:
+  - name: Warning!
+    debug:
+      msg: "This playbook will repermission ALL existing data in the shares defined in group_vars/all.yml to be owned by the ansible-nas user and group. If this is not what you want, exit now."
+
+  - name: 20s to change your mind...
+    pause:
+      seconds: 20
+
+  - name: "Permission share data"
+    file:
+      path: "{{ item.path }}"
+      owner: ansible-nas
+      group: ansible-nas
+      mode: "u=rwX,g=rwX,o=rX"
+      recurse: true
+    loop: "{{ samba_shares }}"
+
+

tasks/general.yml

@@ -42,3 +42,12 @@
 - name: "Set timezone to {{ ansible_nas_timezone }}"
   timezone:
     name: "{{ ansible_nas_timezone }}"
+
+- name: "Permission share directories"
+  file:
+    path: "{{ item.path }}"
+    owner: ansible-nas
+    group: ansible-nas
+    mode: "u=rwX,g=rwX,o=rX"
+    recurse: false
+  loop: "{{ samba_shares }}"

tasks/users.yml

@@ -0,0 +1,14 @@
+---
+- name: Create ansible-nas group
+  group:
+    name: ansible-nas
+    state: present
+
+- name: Create ansible-nas user
+  user:
+    name: ansible-nas
+    state: present
+    system: yes
+    update_password: on_create
+    create_home: no
+    group: ansible-nas

tests/test.yml

@@ -101,7 +101,13 @@ torrents_root: "{{ samba_shares_root }}/torrents"
 
 # The account used when Samba shares are accessed. Shouldn't need to change this unless you want to
 # mess with Samba user permissions.
-samba_guest_account: nobody
+samba_guest_account: ansible-nas
+
+# How Samba behaves when an unknown user connects, see Samba docs for more info
+samba_map_to_guest: Bad Password
+
+# The Netbios hostname used by Samba on your network
+samba_netbios_name: "{{ ansible_nas_hostname }}"
 
 # Shares you want published over Samba.
 samba_shares:
@@ -110,6 +116,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ downloads_root }}"
 
   - name: movies
@@ -117,6 +124,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ movies_root }}"
 
   - name: tv
@@ -124,6 +132,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ tv_root }}"
 
   - name: dump
@@ -131,6 +140,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/dump"
 
   - name: games
@@ -138,6 +148,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/games"
 
   - name: photos
@@ -145,6 +156,7 @@ samba_shares:
     guest_ok: yes
     public: yes
     writable: yes
+    browsable: yes
     path: "{{ samba_shares_root }}/photos"