path: root/roles/nfs_server/README.md
NFS Server
==========

Description
-----------

The `nfs_server` role creates [zfs](../zfs/) filesystems, configures NFS and SMB
shares, adds `autofs` entries, and sets POSIX permissions and ACLs on the
corresponding directories.

This role also manages home directories, which are considered a special case.
Both users and groups can have home directories. User home directories are
owned by the user, whereas group home directories are group-owned by the group.
In either case, two subdirectories are created: `priv` and `pub`.

The `priv` directory is private to the user or group, while the `pub` directory
is world-readable. Both directories get added to the automount map
`auto.nfs_user`, but the `priv` directory is also automounted as `/home/$USER`.

This role was written with the assumption that you're using ZFS for the
underlying storage.

The lists and mappings for these role variables are somewhat complex. It's
probably easiest to start with the example playbook in the [Usage](#usage)
section at the bottom of this document.

Variables
---------

This role **accepts** the following variables:

Variable                    | Default      | Description
----------------------------|--------------|------------
`nfs_mountd_port`           | `20048`      | NFS `mountd` listening port
`nfs_exports`               | `[]`         | NFS exports to create (see [format](#nfs_exports) below)
`smb_shares`                | `[]`         | SMB shares to create (see [format](#smb_shares) below)
`nfs_homedirs`              | `[]`         | Home directories to create (see [format](#nfs_homedirs) below)
`nfs_homedir_user_dataset`  | `tank/user`  | ZFS dataset for user home directories
`nfs_homedir_group_dataset` | `tank/group` | ZFS dataset for group directories
`nfs_homedir_priv_quota`    | `50G`        | Default usage quota for private home/group directories
`nfs_homedir_pub_quota`     | `10G`        | Default usage quota for public home/group directories
`nfs_homedir_options`       | `rw`         | Export options for home/group directories
`nfs_homedir_clients`       | `[]`         | NFS clients for home/group directories (see [format](#nfs_homedir_clients) below)

### nfs\_exports

The `nfs_exports` variable is used to configure NFS shares. It
should contain a list of dictionaries of the following format:

Key             | Default            | Description
----------------|--------------------|-----------
`path`          |               | Path of export
`dataset`       |               | ZFS dataset to export
`group`         |               | Group owner for directory
`mode`          |               | Octal permissions for directory
`acl`           | `[]`               | List of POSIX ACL entries for directory (see [format](#acl) below)
`options`       | `[]`               | Export options (comma-separated or list, see `man 5 exports`)
`clients`       | `[]`               | List of clients (see [format](#clients) below)
`automount_map` |               | Automount map name for export
`automount_key` | basename of `path` | Automount key name for export
`smb_share`     |               | Also create SMB share with given share name

Either `path` or `dataset` should be specified, but not both.

#### acl

The `acl` key of an `nfs_exports` list item should contain a list of POSIX
ACLs, represented by dictionaries of the following format:

Key           | Default | Description
--------------|---------|------------
`entity`      |    | User or group name
`etype`       |    | Entity type (either `user` or `group`)
`permissions` |    | Some combination of `r`, `w`, `x`, or `X`
`default`     | no      | Apply ACL to all children of directory

See `man 5 acl` for more details.

#### clients

The `clients` key of an `nfs_exports` list item should contain a list of NFS
clients, represented by dictionaries of the following format:

Key        | Default | Description
-----------|---------|------------
`client`   |    | Client CIDR, IP address, or hostname
`options`  |    | Client-specific export options (comma-separated or list, see `man 5 exports`)

### smb\_shares

The `smb_shares` variable is used to configure SMB shares. It should contain a
list of dictionaries of the following format:

Key        | Default | Description
-----------|---------|------------
`name`     |    | Share name
`path`     |    | Share path

### nfs\_homedirs

The `nfs_homedirs` variable is used to configure user and group home
directories that should live on the host. It should contain a list of
dictionaries of the following format:

Key          | Default                        | Description
-------------|--------------------------------|------------
`user`       |                           | User name
`group`      |                           | Group name
`priv_quota` | `{{ nfs_homedir_priv_quota }}` | `priv` directory quota
`pub_quota`  | `{{ nfs_homedir_pub_quota }}`  | `pub` directory quota

Specifying `user` creates a user home directory. Specifying `group` creates a
group home directory. You should not specify `user` and `group` at the same
time.

### nfs\_homedir\_clients

The `nfs_homedir_clients` variable is used to configure client access for home
directory exports. It should contain a list of dictionaries of the following
format:

Key       | Default    | Description
----------|------------|------------
`client`  |       | Client IP, CIDR, or hostname
`options` | `[]`       | Export options (comma-separated or list, see `man 5 exports`)

Usage
-----

Example playbook:

````yaml
- hosts: nas1
  roles:
    - role: nfs_server
      vars:
        nfs_exports:
          - dataset: tank/media/pictures
            group: role-photo-admin
            mode: 02770
            acl:
              - entity: role-photo-admin
                etype: group
                permissions: rwX
                default: yes
            options: rw,crossmnt
            clients:
              - client: 10.10.10.0/24
                options: sec=krb5p
            automount_map: auto.nfs_media

          - dataset: tank/media/music
            group: role-music-admin
            mode: 02770
            acl:
              - entity: role-music-admin
                etype: group
                permissions: rwX
                default: yes

              - entity: role-music-access
                etype: group
                permissions: rX
                default: yes
            options: rw,crossmnt
            clients:
              - client: 10.10.10.0/24
                options: sec=krb5p
            automount_map: auto.nfs_media

        nfs_homedir_clients:
          - client: 10.10.10.0/24
            options: sec=krb5p

          - client: 10.10.11.0/24
            options: sec=sys

        nfs_homedirs:
          - user: johndoe
            priv_quota: 250G
          - user: janedoe
            priv_quota: 250G
          - group: doefamily
            priv_quota: 500G

        smb_shares:
          - name: media
            path: /tank/media
````
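The following is an added example (it is not part of the `nfs_server` role) that checks an `nfs_exports` / `nfs_homedirs` structure like the one in the playbook above against the rules this README states, renders the `/etc/exports` lines such a structure implies, and lists clients that rely on `sec=sys`. It assumes that a dataset `tank/x` is mounted at `/tank/x` (the ZFS default) and that client-specific options are appended after the export-wide ones; how the real role renders exports is not documented here.

```python
"""Added example, not code from the nfs_server role: validate nfs_exports /
nfs_homedirs against the README's rules, render the /etc/exports lines they
imply, and list clients that rely on sec=sys. Assumes dataset tank/x is
mounted at /tank/x (the ZFS default) when deriving the export path."""
import re

ACL_PERMS = re.compile(r"^[rwxX]+$")

def opts(value):
    """Normalise 'rw,crossmnt' or ['rw', 'crossmnt'] to a list of options."""
    if not value:
        return []
    return value.split(",") if isinstance(value, str) else list(value)

def export_path(exp):
    """path if given, else the dataset's default ZFS mountpoint (assumption)."""
    return exp["path"] if exp.get("path") else "/" + exp["dataset"]

def validate(nfs_exports, nfs_homedirs):
    """Return the README's constraint violations (empty list means OK)."""
    errors = []
    for i, exp in enumerate(nfs_exports):
        if bool(exp.get("path")) == bool(exp.get("dataset")):
            errors.append(f"export {i}: give exactly one of path or dataset")
        for acl in exp.get("acl", []):
            if acl.get("etype") not in ("user", "group"):
                errors.append(f"export {i}: etype must be user or group")
            if not ACL_PERMS.match(acl.get("permissions", "")):
                errors.append(f"export {i}: permissions must use only r, w, x, X")
    for i, hd in enumerate(nfs_homedirs):
        if bool(hd.get("user")) == bool(hd.get("group")):
            errors.append(f"homedir {i}: give exactly one of user or group")
    return errors

def render_exports(nfs_exports):
    """One /etc/exports line per export; client options follow the export-wide ones."""
    lines = []
    for exp in nfs_exports:
        base = opts(exp.get("options"))
        entries = [f"{c['client']}({','.join(base + opts(c.get('options')))})"
                   for c in exp.get("clients", [])]
        lines.append(" ".join([export_path(exp)] + entries))
    return lines

def sys_auth_clients(clients):
    """Clients selecting no Kerberos flavour: under sec=sys (AUTH_SYS) the
    server trusts whatever UID/GID the client asserts, so krb5p is preferred."""
    return [c["client"] for c in clients
            if not any(o.startswith("sec=krb5") for o in opts(c.get("options")))]
```

Running `sys_auth_clients` over the playbook's `nfs_homedir_clients` list singles out `10.10.11.0/24`, the one network whose home-directory access does not use Kerberos.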