nfs-server: debugged

nfs-server/handlers/main.yml

 ---
-# file: roles/nfs-client/handlers/main.yml
+# file: roles/nfs-server/handlers/main.yml
 
-- name: restart autofs
-  service: name=autofs state=restarted
+- name: restart nfs-server
+  service: name=nfs-server state=restarted
 
-- name: restart nfs-common
-  service: name=nfs-common state=restarted
-
-- name: reload sysctl
-  command: sysctl -p

nfs-server/nfs-common

+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=
+
+# Options for rpc.statd.
+#   Should rpc.statd listen on a specific port? This is especially useful
+#   when you have a port-based firewall. To use a fixed port, set this
+#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS=
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=yes
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=yes

nfs-server/nfs-kernel-server

+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information, 
+# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="--manage-gids"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD="yes"
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS="-vvv"

nfs-server/tasks/main.yml

@@ -6,7 +6,7 @@
   with_items:
     - nfs-common
     - nfs-kernel-server
-    - msktutils
+    - msktutil
     - librpcsecgss3
     - libgssrpc4
   tags:
@@ -51,13 +51,13 @@
     - service
 
 - name: ensure that there is a keytab available
-  file: path=/etc/krb5.keytab state=present
+  file: path=/etc/krb5.keytab state=file
   tags:
     - nfs-server
     - service-principal
 
 - name: check that we have a valid service principal
-  shell: klist -k /etc/krb5.keytab | grep nfs/{{ ansible_fqdn }}
+  shell: klist -k /etc/krb5.keytab | grep "nfs/{{ ansible_fqdn }}"
   register: principal
   failed_when: False
   tags:
@@ -69,7 +69,7 @@
       shell: samba-tool user list | grep nfs-user
       register: nfsuser
       failed_when: False
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal
@@ -77,22 +77,23 @@
     - name: ensure there is a nfs-user account
       command: samba-tool user create nfs-user --random-password
       when: nfsuser.rc == 1
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal
 
     - name: create service principal
-      command: "samba-tool spn add nfs/{{ ansible_fqdn }} nfs-user"
-      delegate_to: "{{ authservers[0] }}"
+      command: samba-tool spn add "nfs/{{ ansible_fqdn }}" nfs-user
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal
 
     - name: export keytab
-      command: "samba-tool domain exportkeytab /root/{{ ansible_fqdn }}.keytab --principal nfs/{{ ansible_fqdn }}"
+      command: samba-tool domain exportkeytab "/root/{{ ansible_fqdn }}.keytab" --principal "nfs/{{ ansible_fqdn }}"
+      args:
         creates: "/root/{{ ansible_fqdn }}.keytab"
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal
@@ -100,8 +101,8 @@
     - name: copy keytab
       synchronize:
         src: "/root/{{ ansible_fqdn }}.keytab"
-        dest: "{{ ansible_fqdn }}:/root/{{ ansible_fqdn }}.keytab"
-      delegate_to: "{{ authservers[0] }}"
+        dest: "/root/{{ ansible_fqdn }}.keytab"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal
@@ -113,14 +114,14 @@
         - service-principal
 
     - name: merge keytabs
-      - expect:
-          command: ktutil
-          responses:
-            ktutil(.*):
-              - rkt /etc/krb5.keytab
-              - "rkt /root/{{ ansible_fqdn }}.keytab"
-              - wkt /etc/krb5.keytab
-              - exit
+      expect:
+        command: ktutil
+        responses:
+          ktutil(.*):
+            - rkt /etc/krb5.keytab
+            - "rkt /root/{{ ansible_fqdn }}.keytab"
+            - wkt /etc/krb5.keytab
+            - exit
       notify:
         - restart nfs-server
       tags:
@@ -129,7 +130,7 @@
 
     - name: remove keytab at kdc
       file: path="/root/{{ ansible_fqdn }}.keytab" state=absent
-      delegate_to: "{{ authservers[0] }}"
+      delegate_to: "{{ hostvars[groups['ad-server'][0]]['ansible_host'] }}"
       tags:
         - nfs-server
         - service-principal

nfs-server/templates/exports.j2

+# /etc/exports: the access control list for filesystems which may be exported
+#		to NFS clients.  See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
+#
+
+{%- for export in nfs_exports %}
+{{ export.src }}	{{ export.dest }}({{ export.options }})
+{% endfor -%}
+
+