diff --git a/ansible/README.md b/ansible/README.md index 3eb7abf..2abdccd 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -1,4 +1,9 @@ -Usage: `ansible-playbook main.yml -i hosts.cfg --extra-vars "gandi_api_key=GANDI_API_KEY" --limit=cabinet` +Usage: + +``` +export GANDI_API_KEY=mykey +ansible-playbook main.yml -i hosts.cfg --extra-vars "gandi_api_key=$GANDI_API_KEY" --limit=cabinet +``` All additional variables: - `gandi_api_key`: gandi api key for dynamic dns @@ -10,19 +15,19 @@ Assumes: - OS (Debian) has been installed and IPs have been configured in hosts.cfg - Host is already trusted via ssh and can be ssh'd into using keys - Passwordless sudo is enabled for the user ansible uses - - Root and user pw is something memorable - ZFS server: - - ZFS is configured with a volume at /bigdata for sharing + - ZFS is configured with a volume at /bigdata - Media server: - - Create /media-vtluug folder + - Create /media-vtluug folder ??? TODO!! - Remote: - - joe/pew users have been created + - users have already been created - Laptop/etc: - Manually configure ssh and tor - TODO: - fix for network-online.target debian 10 bug + - add samba stuff for fogcutter diff --git a/ansible/files/smb.conf b/ansible/files/smb.conf new file mode 100644 index 0000000..5c1d791 --- /dev/null +++ b/ansible/files/smb.conf 
@@ -0,0 +1,234 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which
+# are not shown in this example
+#
+# Some options that are often worth tuning have been included as
+# commented-out examples in this file.
+# - When such options are commented with ";", the proposed setting
+# differs from the default Samba behaviour
+# - When commented with "#", the proposed setting is the default
+# behaviour of Samba but the option is considered important
+# enough to be mentioned here
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not made any basic syntactic
+# errors.
+
+#======================= Global Settings =======================
+
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+ workgroup = PEWWG
+
+#### Networking ####
+
+# The specific set of interfaces / networks to bind to
+# This can be either the interface name or an IP address/netmask;
+# interface names are normally preferred
+; interfaces = 127.0.0.0/8 eth0
+interfaces = 2601:5c0:c280:8e30::/64 10.42.0.0/24 eno1
+
+# Only bind to the named interfaces and/or networks; you must use the
+# 'interfaces' option above to use this.
+# It is recommended that you enable this feature if your Samba machine is
+# not protected by a firewall or is a firewall itself. However, this
+# option cannot handle dynamic or non-broadcast interfaces correctly.
+; bind interfaces only = yes
+
+
+
+#### Debugging/Accounting ####
+
+# This tells Samba to use a separate log file for each machine
+# that connects
+ log file = /var/log/samba/log.%m
+
+# Cap the size of the individual log files (in KiB).
+ max log size = 1000
+
+# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
+# Append syslog@1 if you want important messages to be sent to syslog too.
+ logging = file
+
+# Do something sensible when Samba crashes: mail the admin a backtrace
+ panic action = /usr/share/samba/panic-action %d
+
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone server" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+ server role = standalone server
+
+ obey pam restrictions = yes
+
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+ unix password sync = yes
+
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Ian Kahan < for
+# sending the correct chat script for the passwd program in Debian Sarge).
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+ pam password change = yes
+
+# This option controls how unsuccessful authentication attempts are mapped
+# to anonymous connections
+ map to guest = bad user
+
+########## Domains ###########
+
+#
+# The following settings only takes effect if 'server role = classic
+# primary domain controller', 'server role = classic backup domain controller'
+# or 'domain logons' is set
+#
+
+# It specifies the location of the user's
+# profile directory from the client point of view) The following
+# required a [profiles] share to be setup on the samba server (see
+# below)
+; logon path = \\%N\profiles\%U
+# Another common choice is storing the profile in the user's home directory
+# (this is Samba's default)
+# logon path = \\%N\%U\profile
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the location of a user's home directory (from the client
+# point of view)
+; logon drive = H:
+# logon home = \\%N\%U
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the script to run during logon. The script must be stored
+# in the [netlogon] share
+# NOTE: Must be store in 'DOS' file format convention
+; logon script = logon.cmd
+
+# This allows Unix users to be created on the domain controller via the SAMR
+# RPC pipe. The example command creates a user account with a disabled Unix
+# password; please adapt to your needs
+; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
+
+# This allows machine accounts to be created on the domain controller via the
+# SAMR RPC pipe.
+# The following assumes a "machines" group exists on the system
+; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
+
+# This allows Unix groups to be created on the domain controller via the SAMR
+# RPC pipe.
+; add group script = /usr/sbin/addgroup --force-badname %g
+
+############ Misc ############
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+; include = /home/samba/etc/smb.conf.%m
+
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+; idmap config * : backend = tdb
+; idmap config * : range = 3000-7999
+; idmap config YOURDOMAINHERE : backend = tdb
+; idmap config YOURDOMAINHERE : range = 100000-999999
+; template shell = /bin/bash
+
+# Setup usershare options to enable non-root users to share folders
+# with the net usershare command.
+
+# Maximum number of usershare. 0 means that usershare is disabled.
+# usershare max shares = 100
+
+# Allow users who've been granted usershare privileges to create
+# public shares, not just authenticated ones
+ usershare allow guests = yes
+
+#======================= Share Definitions =======================
+
+[pew-photos]
+ comment = pew photos
+ browseable = yes
+ path = /bigdata/archive/photos
+ guest ok = no
+ read only = no
+ create mask = 0700
+ directory mask = 0700
+ valid users = paul
+
+[incoming-photos]
+ comment = incoming pew photos
+ browseable = yes
+ path = /bigdata/tmp/incoming-photos
+ guest ok = no
+ read only = no
+ create mask = 0700
+ directory mask = 0700
+ valid users = paul
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+; comment = Network Logon Service
+; path = /home/samba/netlogon
+; guest ok = yes
+; read only = yes
+
+# Un-comment the following and create the profiles directory to store
+# users profiles (see the "logon path" option above)
+# (you need to configure Samba to act as a domain controller too.)
+# The path below should be writable by all users so that their
+# profile directory may be created the first time they log on
+;[profiles]
+; comment = Users profiles
+; path = /home/samba/profiles
+; guest ok = no
+; browseable = no
+; create mask = 0600
+; directory mask = 0700
+
+;[printers]
+; comment = All Printers
+; browseable = no
+; path = /var/spool/samba
+; printable = yes
+; guest ok = no
+; read only = yes
+; create mask = 0700
+
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+;[print$]
+; comment = Printer Drivers
+; path = /var/lib/samba/printers
+; browseable = yes
+; read only = yes
+; guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# You may need to replace 'lpadmin' with the name of the group your
+# admin users are members of.
+# Please note that you also need to set appropriate Unix permissions
+# to the drivers directory for these users to have write rights in it
+; write list = root, @lpadmin
+
diff --git a/ansible/handlers.yml b/ansible/handlers.yml
index a041d27..664a779 100644
--- a/ansible/handlers.yml
+++ b/ansible/handlers.yml
@@ -55,3 +55,8 @@
 daemon_reload: yes
 enabled: yes
 state: started
+
+- name: Restart smbd
+ service:
+ name: smbd
+ state: restarted
diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg
index 2c34fdc..e8fc840 100644
--- a/ansible/hosts.cfg
+++ b/ansible/hosts.cfg
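Review bot: `interfaces = 2601:5c0:c280:8e30::/64 10.42.0.0/24 eno1` in [global] does not on its own limit where smbd listens: smbd honours that list only when `bind interfaces only = yes`, which this file leaves commented out (`; bind interfaces only = yes`), so smbd still binds every address on the host, the public IPv6 prefix named here included. Either uncomment `bind interfaces only = yes`, or — since the shipped comment warns it mishandles dynamic interfaces — add `hosts allow = 10.42.0.0/24 2601:5c0:c280:8e30::/64` and `hosts deny = ALL` under [global] so reachability is enforced regardless of what smbd binds to. The two photo shares are correctly non-guest (`guest ok = no`, `valid users = paul`), but `usershare allow guests = yes` is inherited from the Debian sample; set it to `no` unless usershares are actually in use. The global IPv6 prefix is also hard-coded in a static file copied to the host, so it goes silently stale if the delegated prefix changes; a template keyed on the inventory `interface` variable would keep that in one place.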
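Review bot: The new `Restart smbd` handler restarts only smbd, yet the smb.conf it is wired to from main.yml (`notify: Restart smbd`) sets `interfaces`, which nmbd reads from the same file; if nmbd is running on the host (the Debian samba package ships it as a separate unit), it keeps the old binding until restarted. Either add a companion handler `- name: Restart nmbd` with `service: name: nmbd state: restarted` and notify both, or put a comment above this handler stating that nmbd is intentionally left alone.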
@@ -1,17 +1,14 @@ [all:vars] ansible_python_interpreter=/usr/bin/python3 -[compute] -fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 +[homelab] +fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 admin=joe [daily] -cabinet hostname=cabinet.seaturtle.pw interface=enp9s0 - -[nfs] -bigdummy hostname=bigdummy.seaturtle.pw interface=enp2s0 +cabinet hostname=cabinet.seaturtle.pw interface=enp9s0 admin=paul [irc] -joe@madone.seaturtle.pw hostname=madone.seaturtle.pw interface=enp1s0 +joe@madone.seaturtle.pw hostname=madone.seaturtle.pw interface=enp1s0 admin=joe -[proxy] -polyvalent hostname=polyvalent.seaturtle.pw interface=eth0 +[cloudlab] +polyvalent hostname=polyvalent.seaturtle.pw interface=eth0 admin=joe diff --git a/ansible/main.yml b/ansible/main.yml index 054ecba..c3b26aa 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -1,7 +1,7 @@ # All hosts are debian 10 or 11 --- # Common -- hosts: daily,compute,nfs,proxy,irc +- hosts: cloudlab,daily,homelab,irc become: yes handlers: - import_tasks: handlers.yml @@ -15,6 +15,7 @@ apt: name: - apt-listchanges + - beets - chrony - curl - dma @@ -38,6 +39,11 @@ force_apt_get: yes update_cache: yes + - name: Install rclone + apt: + deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb + force_apt_get: yes + - name: Disable MOTDs file: path: /etc/update-motd.d/10-uname @@ -144,7 +150,7 @@ msg: Manually get tor hostname # Common dynamic settings -- hosts: compute,daily,proxy +- hosts: cloudlab,daily,homelab become: yes handlers: - import_tasks: handlers.yml 
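Review bot: `deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb` in the new `Install rclone` task replaces a version-pinned download (the task removed later in this commit fetched v1.49.2) with a moving "current" URL, so every host in the common play installs whatever upstream publishes at run time, as root, with no checksum or signature check. Pin the version in the URL and fetch it with `get_url` carrying `checksum: sha256:<value published by upstream>` before handing the local path to `apt: deb:`, so a changed or tampered artifact fails the run instead of being installed. The identical unpinned task is added a second time in the `Compute config` play for `homelab` further down this commit, which is redundant because `homelab` is already covered by this common play.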
@@ -166,101 +172,35 @@ user: root when: gandi_api_key is defined -# Custom repo config -- hosts: compute +# Docker +- hosts: homelab,irc become: yes - handlers: - - import_tasks: handlers.yml tasks: - - name: Install compute packages + - name: Add Docker GPG key + apt_key: + url: https://download.docker.com/linux/debian/gpg + + - name: Add Docker APT repository + apt_repository: + repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable + + - name: Install Docker CE apt: name: - - podman - - sshfs + - docker-ce + - docker-ce-cli + - containerd.io force_apt_get: yes update_cache: yes - - name: Mount bigdummy /bigdata via NFS - mount: - src: root@10.42.0.202:/bigdata - path: /bigdata - fstype: fuse.sshfs - opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast - state: mounted - - - name: Mount vtluug /media via sshfs - mount: - src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media - path: /media-vtluug - fstype: fuse.sshfs - opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast - state: mounted - - # /home/paul/.ssh/id_rsa_fast must exist - - name: Install sshtunnel systemd service - copy: - src: files/fogcutter/sshtunnel.service - dest: /etc/systemd/system/sshtunnel.service - owner: root - group: root - mode: '0644' - notify: Load, start, and enable sshtunnel service - - - debug: - msg: Start podman services manually - -# NFS core config -# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755) -- hosts: nfs - become: yes - handlers: - - import_tasks: handlers.yml - tasks: - - name: Install zfs-zed, and nfs-kernel-server - apt: - name: - - beets - - nfs-kernel-server - - zfs-auto-snapshot - - zfs-zed - force_apt_get: yes - update_cache: yes - - - name: Configure zfs-zed - copy: - src: files/zed.rc - dest: /etc/zfs/zed.d/zed.rc - owner: root - group: root - mode: '0644' - notify: Restart zfs-zed - - - name: Install weekly bigdata scrub cron job - cron: - name: 
'Weekly zfs pool status check' - special_time: weekly - job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paulsw.pw+alerts@gmail.com' - user: root - - - name: Install rclone - apt: - deb: https://github.com/rclone/rclone/releases/download/v1.49.2/rclone-v1.49.2-linux-amd64.deb - force_apt_get: yes - - - debug: - msg: Manually configure rclone remote drive - - - name: Export /bigdata - copy: - src: files/exports - dest: /etc/exports - owner: root - group: root - mode: '0644' - notify: Re-export exportfs + - name: Add admin to docker group + user: + name: "{{ admin }}" + groups: docker + append: yes # Proxy config -- hosts: proxy +- hosts: cloudlab become: yes tasks: ## Changes will take effect during next reboot 
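Review bot: `Add admin to docker group` puts `{{ admin }}` into the docker group on every `homelab,irc` host, and membership of that group is root-equivalent on the host (the daemon it grants access to runs as root), so the inventory `admin` accounts gain a second root path beside the passwordless sudo the README already assumes; that is probably intended, but it should be recorded with a comment such as `# docker group is root-equivalent; admin already has passwordless sudo (see README)`. In the same play `Add Docker GPG key` imports the key from a URL without an `id:`, so nothing checks which key was actually fetched; passing `id:` with the Docker key fingerprint at least lets Ansible report a mismatch. The `# Docker` play starts inside this hunk, but the plays before and after it continue outside it.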
@@ -296,35 +236,80 @@ mode: '0644' notify: Restart haproxy +# Compute config +- hosts: homelab + become: yes + handlers: + - import_tasks: handlers.yml + tasks: + - name: Install zfs-zed + apt: + name: + - zfs-auto-snapshot + - zfs-zed + force_apt_get: yes + update_cache: yes + + - name: Configure zfs-zed + copy: + src: files/zed.rc + dest: /etc/zfs/zed.d/zed.rc + owner: root + group: root + mode: '0644' + notify: Restart zfs-zed + + - name: Install weekly bigdata scrub cron job + cron: + name: 'Weekly zfs pool status check' + special_time: weekly + job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paulsw.pw+alerts@gmail.com' + user: root + + - name: Mount vtluug /media via sshfs + mount: + src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media + path: /media-vtluug + fstype: fuse.sshfs + opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast + state: mounted + + # /home/paul/.ssh/id_rsa_fast must exist + - name: Install sshtunnel systemd service + copy: + src: files/fogcutter/sshtunnel.service + dest: /etc/systemd/system/sshtunnel.service + owner: root + group: root + mode: '0644' + notify: Load, start, and enable sshtunnel service + + - name: Install rclone + apt: + deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb + force_apt_get: yes + + - debug: + msg: Manually configure rclone remote drive + + - name: Configure samba + copy: + src: files/smb.conf + dest: /etc/samba/smb.conf + owner: root + group: root + mode: '0644' + notify: Restart smbd + + - debug: + msg: Manually set samba password + # IRC config - hosts: irc become: yes handlers: - import_tasks: handlers.yml tasks: - - name: Add Docker GPG key - apt_key: - url: https://download.docker.com/linux/debian/gpg - - - name: Add Docker APT repository - apt_repository: - repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable - - - name: Install Docker CE - apt: - name: - - docker-ce - - docker-ce-cli - - 
containerd.io - force_apt_get: yes - update_cache: yes - - - name: Add joe to docker group - user: - name: joe - groups: docker - append: yes - - name: Install weechat systemd service copy: src: files/weechat.service @@ -333,6 +318,3 @@ group: root mode: '0644' notify: Enable weechat service - - - debug: - msg: Clone docker repo to start services diff --git a/ansible/templates/gandi-ddns.sh.j2 b/ansible/templates/gandi-ddns.sh.j2 index 2ee288a..5eced39 100644 --- a/ansible/templates/gandi-ddns.sh.j2 +++ b/ansible/templates/gandi-ddns.sh.j2 @@ -3,7 +3,7 @@ APIKEY={{ gandi_api_key }} NAME=$(hostname --short) -IPV6=$(ip -6 addr | grep mngtmpaddr | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}') +IPV6=$(ip -6 addr | grep global | grep -v temporary | head -n 1 | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2}') curl \ --header "Authorization: Apikey $APIKEY" \
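Review bot: `Configure samba` copies `files/smb.conf` to `/etc/samba/smb.conf` and notifies a restart without validating the file first, so a syntax error (the file's own header says to run `testparm`) takes smbd down on the next run; add `validate: /usr/bin/testparm -s %s` to that `copy` task so the handler never fires on a broken config. Nothing in this hunk installs the `samba` package — the play's apt task lists only `zfs-auto-snapshot` and `zfs-zed` — so unless samba is in the common package list (only partly visible in this diff) the copy fails because `/etc/samba` does not exist; adding `samba` to this play's apt list would make it self-contained. The sshfs mount and the comment `# /home/paul/.ssh/id_rsa_fast must exist` hard-code paul's home, while hosts.cfg now sets `admin=joe` for the only `homelab` host; either the path should become `/home/{{ admin }}/.ssh/id_rsa_fast` or a comment should say why paul's key is used on a host administered by joe.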
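Review bot: `grep global | grep -v temporary | head -n 1` replaces the `mngtmpaddr` filter but still accepts any address whose scope is global, which in `ip -6 addr` output also covers ULA (fd00::/8) addresses and addresses carrying the `deprecated` flag, so after a prefix change the DNS record can be set to an unroutable or expiring address. Letting iproute2 do the filtering is more precise than the grep chain: `IPV6=$(ip -6 addr show scope global to 2000::/3 -deprecated | grep -v temporary | awk '/inet6 / {gsub(/\/.*/,"",$2); print $2; exit}')`. There is also no guard for an empty `$IPV6`, so the curl that follows (its body continues outside the hunk) would submit an empty value; `[ -n "$IPV6" ] || exit 1` before the request avoids that.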