chore: first commit

This commit is contained in:
Clément Désiles
2025-07-25 20:23:54 +02:00
parent 5c4016357f
commit c612cc7839
88 changed files with 3255 additions and 0 deletions
+38
@@ -0,0 +1,38 @@
# NFS Server
This configuration is meant to be simple. We do not use a keberos server, nor fine-grained user ACLs here. I try not to mess up with ZFS options either.
Security is only guaranteed by the network (and firewal). Security is based on the IP address of the client, so I suggest to use a VPN if you want to avoid ARP poisoning on your LAN.
## In a nutshell
**Supports:**
- NFSv4 (TCP/UDP)
- UFW firewal configuration
- Reload service and exportfs on configuration change
**Limitations:**
- Access control limited to the IP address of the client (unsecure)
## Inventory
Example of `nfs_shares` you can declare:
```yaml
nfs_shares:
- dir: "/srv/nfs/photos"
clients:
- host: "192.168.1.100" # privileged user with write a access
options: "rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000,insecure"
- host: "192.168.1.0/24" # readonly access for other lan clients
options: "ro,sync,no_subtree_check"
```
> Note: to make the share accessible from MacOS, you might use the `insecure` option (allowing to bind port numbers > 1024).
## Ressources
- https://wiki.archlinux.org/title/NFS
- https://www.fkylewright.com/wordpress/2023/06/functional-automount-of-network-shares-in-macos/
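Review bot: the README has several typos in user-facing text: `keberos` should be `Kerberos`, `firewal` should be `firewall` (it appears twice), `Ressources` should be `Resources`, and `privileged user with write a access` should read `with write access`. The `Supports: NFSv4 (TCP/UDP)` bullet also overstates what the role offers: NFSv4 is specified for TCP, and the firewall task opens only a single port rather than the rpcbind/mountd ports that NFSv3 or UDP mounts would need, so `NFSv4 over TCP (port 2049)` describes the role more accurately. Finally, the inventory comment `privileged user` is misleading next to `all_squash,anonuid=1000,anongid=1000`: with `all_squash` every client uid, root included, is mapped to 1000/1000, which is a good containment default but means that client holds no privilege beyond plain write access as that uid.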
+19
@@ -0,0 +1,19 @@
---
# Example:
# nfs_shares:
# - dir: "/srv/nfs/photos"
# clients:
# - host: "192.168.1.100" # privileged user with write a access
# options: "rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000,insecure"
# - host: "192.168.1.0/24" # readonly access for other lan clients
# options: "ro,sync,no_subtree_check"
nfs_shares: []
nfs_configuration_file: "/etc/nfs.conf"
nfs_exports_file: "/etc/exports"
nfs_port: 2049
nfs_server_firewall_allowed_sources:
- 127.0.0.0/8
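Review bot: `nfs_bind_addresses` is referenced by `templates/nfs.conf.j2` but has no default in this file, so the role fails with an undefined-variable error on any host whose playbook does not set it; add `nfs_bind_addresses: []` here (an empty list renders an empty `[nfsd]` section and nfsd keeps listening on all addresses, which is the behaviour the role gets today when the variable is set to nothing). The default `nfs_server_firewall_allowed_sources: [127.0.0.0/8]` is also effectively a no-op, since ufw already accepts loopback traffic in its base rules; an empty list states the intended "nothing reachable until configured" default more plainly, and the tasks already tolerate it via `default([])`.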
+9
@@ -0,0 +1,9 @@
---
- name: "Reload systemd and restart nfs-server"
ansible.builtin.systemd:
name: "nfsv4-server"
state: restarted
daemon_reload: yes
- name: "Update exportfs"
ansible.builtin.command: exportfs -ra
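Review bot: both the restart handler and the tasks file hardcode the unit name `nfsv4-server`, which exists on Arch Linux (shipped by `nfs-utils`) but not on Debian/Ubuntu, where the `nfs-kernel-server` package selected by the install task provides `nfs-server.service`; the handler will therefore fail on exactly the hosts the install task's `os_family` ternary was written for. Suggest a `nfs_service_name` variable chosen with the same ternary and used in both places. Minor: `daemon_reload: yes` could be `daemon_reload: true` to match the `enabled: true` style used in the tasks.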
+38
@@ -0,0 +1,38 @@
---
- name: install nfs-server
package:
name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('nfs-utils', 'nfs-kernel-server') }}"
state: present
- name: configure nfs configuration
ansible.builtin.template:
src: templates/nfs.conf.j2
dest: "{{ nfs_configuration_file }}"
owner: root
group: root
mode: "0644"
notify: Reload systemd and restart nfs-server
- name: configure nfs-server exports
ansible.builtin.template:
src: templates/exports.j2
dest: "{{ nfs_exports_file }}"
owner: root
group: root
mode: "0644"
notify: Update exportfs
- name: systemd service for nfs-server is started and enabled
ansible.builtin.systemd:
name: nfsv4-server
state: started
enabled: true
- name: setup firewall rules for nfs on port
community.general.ufw:
rule: allow
src: "{{ item }}"
port: "{{ nfs_port }}"
proto: any
direction: in
with_items: "{{ nfs_server_firewall_allowed_sources | default([]) }}"
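Review bot: the ufw task opens `nfs_port` with `proto: any`, but the role targets NFSv4 only and NFSv4 runs over TCP, so `proto: tcp` admits exactly the traffic the server needs and nothing else; the task name `setup firewall rules for nfs on port` also looks truncated (`allow nfs port from trusted sources` reads better). Two style points: `package:` is the only bare module name in a file that otherwise uses fully qualified names (`ansible.builtin.package`), and `with_items` can be `loop:` in current Ansible. The `| default([])` on `nfs_server_firewall_allowed_sources` is redundant given the default declared in `defaults/main.yml`, though harmless.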
+8
@@ -0,0 +1,8 @@
# {{ ansible_managed }}
#
{% for share in nfs_shares %}
{% for client in share.clients %}
{{ share.dir }} {{ client.host }}({{ client.options }})
{% endfor %}
{% endfor %}
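Review bot: `client.options` is written into `/etc/exports` verbatim, so a typo or an inventory entry carrying `no_root_squash` silently changes the trust model the README describes; consider an `ansible.builtin.assert` in the tasks, before the template task, checking that each client's `options` string contains `root_squash` or `all_squash` and never `no_root_squash`, failing the play with a clear message. Two things the template gets right and should keep as they are: there is no whitespace between `{{ client.host }}` and the opening parenthesis (exports(5) treats `host (options)` as two entries, the second granting access to everyone), and emitting one line per client for the same directory is valid, since per exports(5) a single-host entry takes precedence over a network entry regardless of the order in which they appear.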
+4
@@ -0,0 +1,4 @@
[nfsd]
{% for ip in nfs_bind_addresses %}
host={{ ip }}
{% endfor %}
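Review bot: this template replaces the distribution's `/etc/nfs.conf` with a `[nfsd]` section that only sets `host=`, so which NFS versions and transports the server offers still depends on the distribution's defaults; since the README promises NFSv4 and the firewall admits a single port, set that explicitly here with `vers3=n`, `vers4=y` and `udp=n` under `[nfsd]` (all documented in nfs.conf(5)), so that a v3 or UDP listener is never started on a host whose packaged defaults enable one. Where the installed nfs-utils supports `/etc/nfs.conf.d/`, a drop-in file there would avoid overwriting the packaged config entirely. The `{{ ansible_managed }}` header used in `exports.j2` is also missing here.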