From 4e6df015f51e9a252298c3b0b0b4cdb6482b980d Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Sun, 10 May 2020 23:13:47 +0200
Subject: [PATCH] Added roles nfs/server and nfs/export

---
 roles/nfs/export/defaults/main.yml | 12 ++++++
 roles/nfs/export/handlers/main.yml | 7 ++++
 roles/nfs/export/meta/main.yml | 7 ++++
 roles/nfs/export/tasks/main.yml | 47 +++++++++++++++++++++++
 roles/nfs/export/templates/bind.mount | 10 +++++
 roles/nfs/export/templates/export.exports | 7 ++++
 roles/nfs/server/defaults/main.yml | 6 +++
 roles/nfs/server/handlers/main.yml | 5 +++
 roles/nfs/server/meta/main.yml | 3 ++
 roles/nfs/server/tasks/main.yml | 39 +++++++++++++++++++
 roles/nfs/server/templates/root.exports | 1 +
 11 files changed, 144 insertions(+)
 create mode 100644 roles/nfs/export/defaults/main.yml
 create mode 100644 roles/nfs/export/handlers/main.yml
 create mode 100644 roles/nfs/export/meta/main.yml
 create mode 100644 roles/nfs/export/tasks/main.yml
 create mode 100644 roles/nfs/export/templates/bind.mount
 create mode 100644 roles/nfs/export/templates/export.exports
 create mode 100644 roles/nfs/server/defaults/main.yml
 create mode 100644 roles/nfs/server/handlers/main.yml
 create mode 100644 roles/nfs/server/meta/main.yml
 create mode 100644 roles/nfs/server/tasks/main.yml
 create mode 100644 roles/nfs/server/templates/root.exports

diff --git a/roles/nfs/export/defaults/main.yml b/roles/nfs/export/defaults/main.yml
new file mode 100644
index 0000000..91a87b6
--- /dev/null
+++ b/roles/nfs/export/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+
+export_name: "{{ real_path | basename }}"
+# real_path: "/exported/path"
+export_path: "{{ root_directory }}/{{ export_name }}"
+export_config_name: "{{ export_name | regex_replace('/', '-') }}"
+mount_unit_name: "{{ export_path | regex_replace('^/') | regex_replace('/', '-') }}.mount"
+
+export_hosts:
+  - "*"
+squash_user: "nfs_exports" # If not empty, creates user and changes requests to it
+readonly: on # export is readonly
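Review bot: `readonly: on` on the last line of the hunk relies on the YAML 1.1 reading of `on` as a boolean; `readonly: true` states the same thing without depending on the loader version or tripping yamllint's truthy rule, and the same applies to `enabled: yes` in export/handlers, `allow_duplicates: yes`/`no` in both meta files and `system: yes`/`create_home: no` in export/tasks. `mount_unit_name` builds the unit name from two regex replacements, which does not reproduce systemd's path escaping: an `export_name` containing `-` produces a unit whose name no longer matches its `Where=`, and systemd refuses to start a mount unit in that state, so deriving the name with the rules of `systemd-escape --path` (or rejecting names containing `-`) would be safer. The default `export_hosts` of `"*"` means every export is mountable from any client unless the caller overrides it; a comment on the key would make that visible, e.g. `# clients allowed to mount this export; "*" means any host, override per export`.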
diff --git a/roles/nfs/export/handlers/main.yml b/roles/nfs/export/handlers/main.yml
new file mode 100644
index 0000000..cf3bb62
--- /dev/null
+++ b/roles/nfs/export/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: mount export
+  systemd:
+    enabled: yes
+    name: "{{ mount_unit_name }}"
+    state: restarted
diff --git a/roles/nfs/export/meta/main.yml b/roles/nfs/export/meta/main.yml
new file mode 100644
index 0000000..dddb69f
--- /dev/null
+++ b/roles/nfs/export/meta/main.yml
@@ -0,0 +1,7 @@
+---
+
+allow_duplicates: yes
+
+dependencies:
+  - role: misc/handlers
+  - role: nfs/server
diff --git a/roles/nfs/export/tasks/main.yml b/roles/nfs/export/tasks/main.yml
new file mode 100644
index 0000000..fb18406
--- /dev/null
+++ b/roles/nfs/export/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+
+- name: Create user account for export
+  user:
+    state: present
+    name: "{{ squash_user }}"
+    system: yes
+    shell: "/bin/false"
+    create_home: no
+  when: squash_user != ""
+  register: user_info
+
+- name: Create original export directory
+  file:
+    state: directory
+    path: "{{ real_path }}"
+    owner: "{{ squash_user | default('root') }}"
+    group: "{{ squash_user | default('root') }}"
+    mode: u=rwx,g=rx,o=rx
+
+- name: Create directory for bind mount
+  file:
+    state: directory
+    path: "{{ export_path }}"
+    owner: "{{ squash_user | default('root') }}"
+    group: "{{ squash_user | default('root') }}"
+    mode: u=rwx,g=rx,o=rx
+
+- name: Configure bind mount
+  template:
+    src: bind.mount
+    dest: "{{ global_systemd_configuration_directory }}/{{ mount_unit_name }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify:
+    - reload systemd
+    - mount export
+
+- name: Configure export
+  template:
+    src: export.exports
+    dest: "{{ exports_config_directory }}/{{ export_config_name }}.exports"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: reload nfs exports
diff --git a/roles/nfs/export/templates/bind.mount b/roles/nfs/export/templates/bind.mount
new file mode 100644
index 0000000..d1eb0c2
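Review bot: `owner: "{{ squash_user | default('root') }}"` in the two `file` tasks of export/tasks/main.yml never falls back to root when `squash_user` is the empty string, because `default` only replaces undefined values; the role's own convention (`when: squash_user != ""` on the user task and the defaults comment) makes `""` the way to disable squashing, so in that configuration the tasks receive an empty owner and group. Passing the second argument makes empty strings fall back as well: `owner: "{{ squash_user | default('root', true) }}"`, and likewise for the three other owner/group lines. `real_path` has no default and is only consumed, so an `assert` at the top of the file with `that: real_path is defined` would fail with a clearer message than the undefined-variable error the `file` task would otherwise raise.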
--- /dev/null
+++ b/roles/nfs/export/templates/bind.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount for NFS of {{ export_name }}
+
+[Mount]
+What={{ real_path }}
+Where={{ export_path }}
+Options=bind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/nfs/export/templates/export.exports b/roles/nfs/export/templates/export.exports
new file mode 100644
index 0000000..27d6bfb
--- /dev/null
+++ b/roles/nfs/export/templates/export.exports
@@ -0,0 +1,7 @@
+{{ root_directory }}/{{ export_name }} {% for host in export_hosts -%}
+ {{ host }}({{ readonly | ternary('ro', 'rw') }},sync
+ {%- if squash_user != "" -%}
+ ,all_squash,anonuid={{ user_info.uid }},anongid={{ user_info.group }}
+ {%- endif -%}
+ ,crossmnt,no_subtree_check)
+{%- endfor %}
diff --git a/roles/nfs/server/defaults/main.yml b/roles/nfs/server/defaults/main.yml
new file mode 100644
index 0000000..06fb5a0
--- /dev/null
+++ b/roles/nfs/server/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+
+root_directory: "{{ global_webservers_directory }}/nfs"
+
+exports_config: "/etc/exports"
+exports_config_directory: "/etc/exports.d"
diff --git a/roles/nfs/server/handlers/main.yml b/roles/nfs/server/handlers/main.yml
new file mode 100644
index 0000000..6681175
--- /dev/null
+++ b/roles/nfs/server/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: reload nfs exports
+  # export all = read config files, reexport = disable removed entries, be verbose
+  command: exportfs -arv
diff --git a/roles/nfs/server/meta/main.yml b/roles/nfs/server/meta/main.yml
new file mode 100644
index 0000000..611d474
--- /dev/null
+++ b/roles/nfs/server/meta/main.yml
@@ -0,0 +1,3 @@
+---
+
+allow_duplicates: no
diff --git a/roles/nfs/server/tasks/main.yml b/roles/nfs/server/tasks/main.yml
new file mode 100644
index 0000000..a6f6ad5
--- /dev/null
+++ b/roles/nfs/server/tasks/main.yml
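Review bot: The bind.mount unit carries no ordering against the NFS server, so at boot the server may start and export `{{ export_path }}` before the bind mount is active and serve the empty mountpoint directory until the mount completes. Adding `Before=nfs-server.service` under `[Unit]` (and, if the export should not be served without its backing path, `RequiredBy=nfs-server.service` under `[Install]`) makes the order deterministic; nfs-server.service is the unit name shipped with the nfs-kernel-server package the server role installs, so confirm it matches the targets in use.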
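Review bot: export.exports emits consecutive client entries without a separator: the `-%}` on the `for` line and the `{%- endfor %}` strip all whitespace around the loop body, so with two hosts the rendered line becomes `…/name host1(…)host2(…)`, which is not two separate client entries in exports(5) syntax. Emitting a space before every entry after the first fixes it: `{{ '' if loop.first else ' ' }}{{ host }}({{ readonly | ternary('ro', 'rw') }},sync`. The `anonuid`/`anongid` branch reads `user_info`, which is only registered when `squash_user` is non-empty in tasks/main.yml; the `if` guard keeps that consistent, but a template comment naming that dependency (e.g. `{# user_info is registered by the user task in tasks/main.yml #}`) would save the next reader a lookup.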
@@ -0,0 +1,39 @@
+---
+
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - nfs-kernel-server
+
+- name: Create exports root directory
+  file:
+    state: directory
+    path: "{{ root_directory }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Configure exports root
+  template:
+    src: root.exports
+    dest: "{{ exports_config }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify:
+    - reload nfs exports
+
+- name: Create exports config directory
+  file:
+    state: directory
+    path: "{{ exports_config_directory }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Allow ports in firewall
+  ufw:
+    rule: allow
+    port: "{{ global_nfs_port }}"
+    proto: tcp
diff --git a/roles/nfs/server/templates/root.exports b/roles/nfs/server/templates/root.exports
new file mode 100644
index 0000000..d6fc3f6
--- /dev/null
+++ b/roles/nfs/server/templates/root.exports
@@ -0,0 +1 @@
+{{ root_directory }} *(ro,sync,all_squash,no_subtree_check,fsid=root)
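Review bot: The `ufw` rule in 'Allow ports in firewall' opens `global_nfs_port` to any source address, and the export role's default `export_hosts` of `"*"` means nothing in these two roles limits who can reach or mount the server; restricting the rule with `src:` to the networks that hold the NFS clients (looping over a list variable) gives a second control that does not depend on the exports files being right. `proto: tcp` is sufficient for NFSv4, which is TCP-only; if NFSv3 clients are expected, rpcbind and mountd need rules as well, and if they are not, disabling v3 on the server makes the intent explicit — the commit does not say which is meant, so a comment on the task stating the assumption would help.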
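Review bot: root.exports exports the pseudo-root to `*`, so any host that can reach the port can mount it and enumerate the names of every export, even when an individual export narrows `export_hosts`; if export names are sensitive, the root's client list should be derived from the union of the per-export host lists rather than `*`. `fsid=root` is the documented alias of `fsid=0` and is fine as written; a comment in the template (exports(5) accepts `#` lines) explaining that this entry defines the NFSv4 pseudo-root and why it is read-only and squashed would help the next reader.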