From b3d261316ebf890f5d8ad36da4497df14054d70e Mon Sep 17 00:00:00 2001
From: Sonny Bakker
Date: Sat, 30 Oct 2021 14:46:54 +0200
Subject: [PATCH] Add nfs tasks
---
 playbook.yml | 1 +
 tasks/nfs.yml | 40 ++++++++++++++++++++++++++++++
 templates/nfs/exports.j2 | 13 ++++++++++
 templates/nfs/nfs-common.j2 | 21 ++++++++++++++++
 templates/nfs/nfs-kernel-server.j2 | 22 ++++++++++++++++
 5 files changed, 97 insertions(+)
 create mode 100644 tasks/nfs.yml
 create mode 100644 templates/nfs/exports.j2
 create mode 100644 templates/nfs/nfs-common.j2
 create mode 100644 templates/nfs/nfs-kernel-server.j2
diff --git a/playbook.yml b/playbook.yml
index be4c821..55243bf 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -9,6 +9,7 @@
 tasks:
 - import_tasks: 'tasks/setup.yml'
 - import_tasks: 'tasks/openvpn.yml'
+ - import_tasks: 'tasks/nfs.yml'
 - import_tasks: 'tasks/radicale.yml'
 - import_tasks: 'tasks/syncthing.yml'
 - import_tasks: 'tasks/transmission.yml'
diff --git a/tasks/nfs.yml b/tasks/nfs.yml
new file mode 100644
index 0000000..913f641
--- /dev/null
+++ b/tasks/nfs.yml
@@ -0,0 +1,40 @@
+- name: copy nfs configuration files
+ become: true
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ mode: '{{ item.mode }}'
+ loop:
+ - {
+ src: 'templates/nfs/exports.j2',
+ dest: '/etc/exports',
+ mode: '0644'
+ }
+ - {
+ src: 'templates/nfs/nfs-common.j2',
+ dest: '/etc/defaults/nfs-common',
+ mode: '0644'
+ }
+ - {
+ src: 'templates/nfs/nfs-kernel-server.j2',
+ dest: '/etc/defaults/nfs-kernel-server',
+ mode: '0644'
+ }
+
+- name: mask rpcbind services
+ become: true
+ systemd:
+ name: '{{ item }}'
+ state: stopped
+ enabled: false
+ masked: true
+ loop:
+ - rpcbind.socket
+ - rpcbind.service
+
+- name: restart nfs service
+ become: true
+ systemd:
+ name: nfs-server
+ state: restarted
+ enabled: true
diff --git a/templates/nfs/exports.j2 b/templates/nfs/exports.j2
new file mode 100644
index 0000000..c329a9f
--- /dev/null
+++ b/templates/nfs/exports.j2
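Review bot: In tasks/nfs.yml the second and third loop items install to `/etc/defaults/nfs-common` and `/etc/defaults/nfs-kernel-server`, but on Debian-family systems (which the templates' wiki.debian.org references suggest is the target) these files are read from `/etc/default/`, singular. As written the template task will either fail on a missing directory or create files the NFS units never read, so `NEED_STATD=no` and the `-N 2 -N 3` options would not take effect even though the next task has already masked rpcbind. I would change the two lines to `dest: '/etc/default/nfs-common'` and `dest: '/etc/default/nfs-kernel-server'`.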
@@ -0,0 +1,13 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# /etc/exports: the access control list for filesystems which may be exported
+# to NFS clients. See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
+#
+/srv/nfs4/music {{ vpn_listen_address }}/24(rw,no_subtree_check)
diff --git a/templates/nfs/nfs-common.j2 b/templates/nfs/nfs-common.j2
new file mode 100644
index 0000000..3449219
--- /dev/null
+++ b/templates/nfs/nfs-common.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=no
+
+# Options for rpc.statd.
+# Should rpc.statd listen on a specific port? This is especially useful
+# when you have a port-based firewall. To use a fixed port, set this
+# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=
diff --git a/templates/nfs/nfs-kernel-server.j2 b/templates/nfs/nfs-kernel-server.j2
new file mode 100644
index 0000000..68bb20d
--- /dev/null
+++ b/templates/nfs/nfs-kernel-server.j2
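Review bot: The export line `/srv/nfs4/music {{ vpn_listen_address }}/24(rw,no_subtree_check)` in templates/nfs/exports.j2 gives read-write access to every host in a hard-coded /24 around the VPN listen address without Kerberos, so the server accepts whatever uid a client presents and only root is squashed by default. If this is a single-purpose media share, mapping all clients to one unprivileged account narrows what any one VPN peer can modify, e.g. `(rw,sync,no_subtree_check,all_squash,anonuid=<UID>,anongid=<GID>)` with the ids as placeholders, or `ro` if clients only read. The prefix length would also be safer taken from a variable than fixed at `/24`, since the VPN subnet size is not visible in this commit.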
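Review bot: The header line `# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}` in templates/nfs/nfs-common.j2 embeds the run's clock time, so the rendered file differs on every play and the template task will always report `changed`; the same first line appears in templates/nfs/exports.j2 and templates/nfs/nfs-kernel-server.j2. That hides real configuration drift in the play output and would defeat a handler-based restart if the unconditional `restart nfs service` task is ever converted to one. I would reduce the header to `# {{ ansible_managed }}` in all three templates.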
@@ -0,0 +1,22 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCNFSDOPTS="-N 2 -N 3"
+RPCMOUNTDOPTS="--manage-gids -N 2 -N 3"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=""
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=""
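Review bot: The two lines that make this server NFSv4-only, `RPCNFSDOPTS="-N 2 -N 3"` and `RPCMOUNTDOPTS="--manage-gids -N 2 -N 3"` in templates/nfs/nfs-kernel-server.j2, sit directly under a stock comment that explains how to disable NFSv4, which is the opposite of what they do. Nothing in the file says that v2 and v3 are turned off on purpose or that this depends on rpcbind being masked in tasks/nfs.yml, so a later edit could re-enable one without the other. I would add a comment above them such as `# NFSv4 only: v2/v3 disabled here; rpcbind is masked in tasks/nfs.yml`.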