---
# file: roles/nfs-server/tasks/main.yml

# Install the NFS server packages together with msktutil and the GSS RPC
# libraries (presumably needed for the Kerberos steps later in this file).
- name: ensure nfs server utils are installed
  tags:
    - nfs-server
  apt:
    state: present
    name:
      - nfs-common
      - nfs-kernel-server
      - msktutil
      - librpcsecgss3
      - libgssrpc4

# Ship the role's login.defs to /etc/login.defs. Per the task name it carries
# the default umask; the file itself is not visible here.
- name: ensure default umask and other user related stuff
  tags:
    - nfs-server
    - umask
  copy:
    dest: /etc/login.defs
    src: login.defs
    mode: '0644'
    owner: root
    group: root

# Render /etc/exports from exports.j2 and restart the NFS server on change.
# NOTE(review): exports.j2 is not shown here. It decides which clients may
# mount which paths, so confirm its sec= and squash options when reviewing.
- name: ensure exports configuration is in place
  tags:
    - nfs-server
  notify:
    - restart nfs-server
  template:
    dest: /etc/exports
    src: exports.j2
    mode: '0644'
    owner: root
    group: root

# Install the role's /etc/default/nfs-common and restart the NFS server when
# the file changes.
- name: ensure nfs-common is configured
  tags:
    - nfs-server
  notify:
    - restart nfs-server
  copy:
    dest: /etc/default/nfs-common
    src: nfs-common
    mode: '0644'
    owner: root
    group: root

# Install the role's /etc/default/nfs-kernel-server and restart the NFS server
# when the file changes.
- name: ensure nfs-kernel-server is configured
  tags:
    - nfs-server
  notify:
    - restart nfs-server
  copy:
    dest: /etc/default/nfs-kernel-server
    src: nfs-kernel-server
    mode: '0644'
    owner: root
    group: root

# Enable the nfs-server unit at boot and make sure it is running now.
- name: ensure nfs-server is enabled and running
  tags:
    - nfs-server
  service:
    name: nfs-server
    enabled: true
    state: started

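# Verify that the host keytab exists before any Kerberos step runs.
# `state: file` never creates the file, so this task fails when
# /etc/krb5.keytab is missing. The keytab holds long-term keys, so ownership
# and mode are pinned to root-only access instead of being left unmanaged.
- name: ensure that there is a keytab available
  file:
    path: /etc/krb5.keytab
    state: file
    owner: root
    group: root
    mode: '0600'
  tags:
    - nfs-server
    - service-principal
  when: nfs_krb is defined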

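# Look for an nfs/<fqdn> entry in the host keytab and record the result in
# `principal`; the task itself never fails or reports a change.
- name: check that we have a valid service principal
  # grep -F matches the principal literally, so the dots in the FQDN are not
  # treated as regex wildcards.
  shell: |
    set -o pipefail
    klist -k /etc/krb5.keytab | grep -F "nfs/{{ ansible_fqdn }}"
  args:
    executable: /bin/bash
  register: principal
  # A missing principal (rc 1) must not abort the play. Note that this also
  # hides every other non-zero exit code, e.g. a failing klist.
  failed_when: false
  # Read-only check: do not report "changed" on every run.
  changed_when: false
  tags:
    - nfs-server
    - service-principal
  when: nfs_krb is defined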

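# Create the nfs/<fqdn> service principal on the first servers_ad host, export
# its keytab there, transfer it to this host and merge it into
# /etc/krb5.keytab. Runs only when nfs_krb is defined and the registered
# `principal` check returned rc 1.
- block:
    - name: create service principal
      # yamllint disable-line rule:line-length
      command: samba-tool spn add "nfs/{{ ansible_fqdn }}" "{{ ansible_hostname | upper }}$"
      delegate_to: "{{ hostvars[groups['servers_ad'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    - name: export keytab
      # yamllint disable-line rule:line-length
      command: samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
      args:
        # Skipped when an exported keytab is already lying around on the KDC.
        creates: "/root/{{ ansible_fqdn }}.keytab"
      delegate_to: "{{ hostvars[groups['servers_ad'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    # With delegate_to, synchronize reads src on the delegated host and writes
    # dest on this host, i.e. the keytab travels from the KDC to the NFS server.
    - name: copy keytab
      synchronize:
        src: "/root/{{ ansible_fqdn }}.keytab"
        dest: "/root/{{ ansible_fqdn }}.keytab"
      delegate_to: "{{ hostvars[groups['servers_ad'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    - name: ensure pexpect is installed
      apt:
        name: python-pexpect
        state: present
      tags:
        - nfs-server
        - service-principal

    # Drive the interactive ktutil prompt: one response per prompt, in order.
    # NOTE(review): ktutil's wkt appends to an existing keytab, so reading
    # /etc/krb5.keytab first probably writes its entries back a second time.
    # Confirm, and consider dropping the first rkt.
    - name: merge keytabs
      expect:
        command: ktutil
        responses:
          ktutil(.*):
            - rkt /etc/krb5.keytab
            - "rkt /root/{{ ansible_fqdn }}.keytab"
            - wkt /etc/krb5.keytab
            - exit
      notify:
        - restart nfs-server
      tags:
        - nfs-server
        - service-principal

  # Cleanup lives in `always` so the exported key material is removed from
  # both hosts even when one of the steps above fails.
  always:
    - name: remove keytab at kdc
      file:
        path: "/root/{{ ansible_fqdn }}.keytab"
        state: absent
      delegate_to: "{{ hostvars[groups['servers_ad'][0]]['ansible_host'] }}"
      tags:
        - nfs-server
        - service-principal

    - name: remove keytab at host
      file:
        path: "/root/{{ ansible_fqdn }}.keytab"
        state: absent
      tags:
        - nfs-server
        - service-principal

  # nfs_krb is tested first: when it is undefined the check task was skipped
  # and `principal` carries no rc, so principal.rc must not be evaluated.
  when: nfs_krb is defined and principal.rc == 1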

# Run the handlers notified above (e.g. "restart nfs-server") at this point
# instead of waiting for the end of the play.
- meta: flush_handlers