Update to 2022-10-19 17:00

roles/nas/templates/exports.j2

@@ -0,0 +1,7 @@
+{% for share in nas_shares %}
+{% if share.protocols.nfs.enabled %}
+{{ share.path | default(nas_root_dir + '/data/' + share.name) }} *(rw,{{ share.protocols.nfs.root_squash | ternary('','no_') }}root_squash)
+{% else %}
+# NFS not enabled for share {{ share.name }}
+{% endif %}
+{% endfor %}

roles/nas/templates/httpd.conf.j2

@@ -0,0 +1,51 @@
+{% for share in nas_shares %}
+{% if share.protocols.http.enabled %}
+Alias /{{ share.name }} {{ share.path | default(nas_root_dir + '/data/' + share.name) }}
+RewriteEngine On
+{% if share.protocols.http.force_ssl %}
+RewriteCond %{HTTPS} =off
+RewriteRule ^/{{ share.name }}(/.*|$) https://%{HTTP_HOST}/{{ share.name }}$1
+{% endif %}
+
+<Directory {{ share.path | default(nas_root_dir + '/data/' + share.name) }}>
+  Options None
+  Options +FollowSymlinks
+{% if share.protocols.http.force_ssl %}
+  SSLRequireSSL On
+{% endif %}
+{% if share.protocols.http.indexes %}
+  Options +Indexes
+{% endif %}
+{% if share.protocols.http.webdav %}
+  Dav On
+{% endif %}
+{% if not share.protocols.http.public %}
+  AuthType Basic
+  AuthName "Authenicated zone"
+  AuthBasicProvider external
+  AuthExternal pwauth
+  
+  # Read only access
+  <Limit GET PROPFIND OPTIONS LOCK UNLOCK REPORT>
+{% for user in share.acl.read_users %}
+    Require user {{ user }}
+{% endfor %}
+{% for group in share.acl.read_groups %}
+    Require unix-group {{ group }}
+{% endfor %}
+  </Limit>
+  # Write access through webdav always requires authentication
+  <LimitExcept GET PROPFIND OPTIONS LOCK UNLOCK REPORT>
+{% for user in share.acl.write_users %}
+    Require user {{ user }}
+{% endfor %}
+{% for group in share.acl.write_groups %}
+    Require unix-group {{ group }}
+{% endfor %}
+  </LimitExcept>
+{% endif %}
+</Directory>
+
+
+{% endif %}
+{% endfor %}

roles/nas/templates/mod_authnz_external.conf.j2

@@ -0,0 +1,3 @@
+LoadModule authnz_external_module modules/mod_authnz_external.so
+AddExternalAuth pwauth /usr/sbin/pwauth
+SetExternalAuthMethod pwauth pipe

roles/nas/templates/mod_dav.conf.j2

@@ -0,0 +1,2 @@
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so

roles/nas/templates/rsync.secrets.j2

@@ -0,0 +1,6 @@
+{% if item.protocols.rsync.enabled and item.protocols.rsync.users is defined and item.protocols.rsync.users.keys() | list | length > 0 %}
+{% for user in item.protocols.rsync.users.keys() | list %}
+{{ user }}:{{ item.protocols.rsync.users[user] }}
+{% endfor %}
+{% endif %}
+

roles/nas/templates/rsyncd.conf.j2

@@ -0,0 +1,18 @@
+{% for share in nas_shares %}
+{% if share.protocols.rsync.enabled %}
+[{{ share.name }}]
+path = {{ share.path | default(nas_root_dir + '/data/' + share.name) }}
+comment = {{ share.description }}
+uid = rsync
+gid = rsync
+read only = {{ share.protocols.rsync.read_only | ternary('yes','no') }}
+{% if share.protocols.rsync.users is defined and share.protocols.rsync.users.keys() | list | length > 0 %}
+auth users = {{ share.protocols.rsync.users.keys() | list | join(' ') }}
+secrets file = {{ nas_root_dir }}/meta/{{ share.name }}/rsync.secrets
+{% endif %}
+
+{% else %}
+# Rsync access is disabled for {{ share.name }}
+{% endif %}
+
+{% endfor %}

roles/nas/templates/setfacl.sh.j2

@@ -0,0 +1,42 @@
+#!/bin/bash -e
+
+WRITE_USERS=''
+READ_USERS=''
+WRITE_GROUPS=''
+READ_GROUPS=''
+{% if item.acl.read_users | length > 0 %}
+for U in '{{ item.acl.read_users | join("' '") }}'; do
+  getent passwd "$U" > /dev/null 2>&1 && READ_USERS=$READ_USERS",u:$U:rX,d:u:$U:rX"
+done
+{% endif %}
+{% if item.acl.write_users | length > 0 %}
+for U in '{{ item.acl.write_users | join("' '") }}'; do
+  getent passwd "$U" > /dev/null 2>&1 && WRITE_USERS=$WRITE_USERS",u:$U:rwX,d:u:$U:rwX"
+done
+{% endif %}
+{% if item.acl.read_groups | length > 0 %}
+for G in '{{ item.acl.read_groups | join("' '") }}'; do
+  getent group "$G" > /dev/null 2>&1 && READ_GROUPS=$READ_GROUPS",g:$G:rX,d:g:$G:rX"
+done
+{% endif %}
+{% if item.acl.write_groups | length > 0 %}
+for G in '{{ item.acl.write_groups | join("' '") }}'; do
+  getent group "$G" > /dev/null 2>&1 && WRITE_GROUPS=$WRITE_GROUPS",g:$G:rwX,d:g:$G:rwX"
+done
+{% endif %}
+
+chmod 770 {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+chmod 700 {{ item.path | default(nas_root_dir + '/meta/' + item.name) }}
+chown root:root {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+{% if not item.protocols.smb.nt_acl and not item.manual_permissions %}
+setfacl -R --remove-all --remove-default --physical {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+setfacl -R --remove-all --remove-default --physical {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+setfacl -R --physical -m g::---"$READ_USERS$WRITE_USERS$READ_GROUPS$WRITE_GROUPS" -- {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+{% if item.protocols.rsync.enabled %}
+setfacl -R --physical -m u:rsync:{{ item.protocols.rsync.read_only | ternary('rX','rwX') }},d:u:rsync:{{ item.protocols.rsync.read_only | ternary('rX','rwX') }} -- {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+{% endif %}
+{% endif %}
+setfacl -R -m mask::rwX,d:mask:rwX -- {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+{% if ansible_selinux.status == 'enabled' %}
+restorecon -R {{ item.path | default(nas_root_dir + '/data/' + item.name) }}
+{% endif %}

roles/nas/templates/smb.conf.j2

@@ -0,0 +1,56 @@
+{% if nas_share_homes.protocols.smb.enabled %}
+[homes]
+  comment = {{ nas_share_homes.description }}
+  browseable = no
+  guest ok = no
+  read only = no
+  writable = yes
+  printable = no
+  root preexec = /var/lib/samba/scripts/mkhomedir %u
+  vfs objects = {{ nas_share_homes.recycle_bin.enabled | ternary('recycle','') }} {{ nas_share_homes.protocols.smb.full_audit | ternary('full_audit','') }}
+{% if nas_share_homes.recycle_bin.enabled %}
+  recycle:exclude_dir = tmp,temp,cache
+  recycle:repository = {{ nas_share_homes.recycle_bin.dir }}
+  recycle:versions = no
+  recycle:keeptree = yes
+  recycle:touch = yes
+  recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*
+{% endif %}
+{% if nas_share_homes.protocols.smb.full_audit %}
+  full_audit:success=mkdir rmdir open opendir close closedir rename unlink
+  full_audit:failure=mkdir rmdir open opendir close closedir rename unlink connect disconnect
+  full_audit:prefix=%u|%D|%I|%M|%S
+{% endif %}
+
+
+{% endif %}
+{% if nas_shares | length < 1 %}
+# No share configured
+{% else %}
+{% for share in nas_shares %}
+{% if share.protocols.smb.enabled %}
+[{{ share.name }}]
+  comment = {{ share.description | default(share.name) }}
+  readonly = no
+  path = {{ share.path | default(nas_root_dir + '/data/' + share.name) }}
+  browseable = {{ share.protocols.smb.browseable | ternary('yes','no') }}
+  inherit acls = yes
+  guest ok = {{ share.protocols.smb.guest_ok | ternary('yes','no') }}
+  vfs objects = {{ share.recycle_bin.enabled | ternary('recycle','') }} {{ share.protocols.smb.full_audit | ternary('full_audit','') }} {{ share.protocols.smb.nt_acl | ternary('nfs4acl_xattr','') }}
+{% if share.recycle_bin.enabled %}
+  recycle:repository = {{ share.recycle_bin.dir }}
+  recycle:versions = no
+  recycle:keeptree = no
+  recycle:touch = yes
+  recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*
+{% endif %}
+{% if share.protocols.smb.full_audit %}
+  full_audit:success=mkdir rmdir open opendir close closedir rename unlink
+  full_audit:failure=mkdir rmdir open opendir close closedir rename unlink connect disconnect
+  full_audit:prefix=%u|%D|%I|%M|%S
+{% endif %}
+
+
+{% endif %}
+{% endfor %}
+{% endif %}