From ea117c30f84b7c75824306411e047126ac56b619 Mon Sep 17 00:00:00 2001
From: michael
Date: Wed, 7 Sep 2022 01:28:00 +1200
Subject: [PATCH] zfs conditionals and delegated perms

---
 ansible/roles/zfs-install/defaults/main.yml | 1 +
 .../files/zfs-recv_authorized_keys | 1 +
 ansible/roles/zfs-install/tasks/main.yml | 189 ++++++++++++------
 3 files changed, 130 insertions(+), 61 deletions(-)
 create mode 100644 ansible/roles/zfs-install/files/zfs-recv_authorized_keys

diff --git a/ansible/roles/zfs-install/defaults/main.yml b/ansible/roles/zfs-install/defaults/main.yml
index f3532ed..6ca30c8 100644
--- a/ansible/roles/zfs-install/defaults/main.yml
+++ b/ansible/roles/zfs-install/defaults/main.yml
@@ -6,6 +6,7 @@ zfs_prereq_packages:
 zfs_packages:
 - zfs-utils
 - zfs-dkms
+ - mbuffer
 zfs_arc_min: '1073741824'
 zfs_arc_max: '4294967296'
 zfs_zpool_ashift: '12'
diff --git a/ansible/roles/zfs-install/files/zfs-recv_authorized_keys b/ansible/roles/zfs-install/files/zfs-recv_authorized_keys
new file mode 100644
index 0000000..0bc2368
--- /dev/null
+++ b/ansible/roles/zfs-install/files/zfs-recv_authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+6ruP8XcCD3nWS9z0hp+Hnf6pxoL1nF4I0L9g9/3Sr zfs-recv@lab.balsillie.net
\ No newline at end of file
diff --git a/ansible/roles/zfs-install/tasks/main.yml b/ansible/roles/zfs-install/tasks/main.yml
index 9f9011e..949e2f7 100644
--- a/ansible/roles/zfs-install/tasks/main.yml
+++ b/ansible/roles/zfs-install/tasks/main.yml
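Review bot: The key line in the new zfs-recv_authorized_keys file carries no options, so it authorises a full interactive login as zfs-recv (the tasks hunk creates that account with `shell: /bin/bash`) rather than only the `zfs receive` it is being provisioned for. Prefix the entry with key options that pin it to a forced command, e.g. `restrict,command="<receive-wrapper placeholder>" ssh-ed25519 AAAA…`, and keep that wrapper's behaviour in line with the delegated permission list at the end of the tasks hunk. The file also ends without a newline; sshd tolerates it, but adding one avoids a later appended key being glued onto this line.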
@@ -1,77 +1,99 @@ --- -- name: install zfs prerequisites - become: true - community.general.pacman: - name: "{{ zfs_prereq_packages }}" - state: latest - update_cache: true - when: - - ansible_os_family == 'Arch' +- name: register kernel version + ansible.builtin.shell: + cmd: uname -r + check_mode: no + register: kernel_version -- name: add gpg parameters file from template - become: true - ansible.builtin.template: - src: key-params.j2 - dest: /root/key-params - owner: root - group: root - mode: 0660 +- name: check if zfs kernel module exists + ansible.builtin.stat: + path: /lib/modules/{{ kernel_version.stdout }}/updates/dkms/zfs.ko.zst + register: zfs_module -- name: generate gpg key for root - become: true - ansible.builtin.shell: - cmd: gpg --batch --gen-key /root/key-params +- block: + - name: install zfs prerequisites + become: true + community.general.pacman: + name: "{{ zfs_prereq_packages }}" + state: latest + update_cache: true + when: + - ansible_os_family == 'Arch' -- name: import zfs signing key - become: true - ansible.builtin.shell: - cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }} + - name: add gpg parameters file from template + become: true + ansible.builtin.template: + src: key-params.j2 + dest: /root/key-params + owner: root + group: root + mode: 0660 -- name: trust zfs signing key - become: true - ansible.builtin.shell: - cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }} + - name: generate gpg key for root + become: true + ansible.builtin.shell: + cmd: gpg --batch --gen-key /root/key-params -- name: install zfs module - become: true - community.general.pacman: - executable: /usr/bin/pikaur - name: "{{ zfs_packages }}" - state: latest - update_cache: true - when: - - ansible_os_family == 'Arch' + - name: import zfs signing key + become: true + ansible.builtin.shell: + cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }} -- name: set zfs module parameters - become: true - ansible.builtin.template: - src: 
zfs.conf.j2 - dest: /etc/modprobe.d/zfs.conf - owner: root - group: root - mode: 0664 + - name: trust zfs signing key + become: true + ansible.builtin.shell: + cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }} -- name: load zfs module - become: true - community.general.modprobe: - name: zfs - state: present + - name: install zfs module + become: true + community.general.pacman: + executable: /usr/bin/pikaur + name: "{{ zfs_packages }}" + state: latest + update_cache: true + when: + - ansible_os_family == 'Arch' + + - name: set zfs module parameters + become: true + ansible.builtin.template: + src: zfs.conf.j2 + dest: /etc/modprobe.d/zfs.conf + owner: root + group: root + mode: 0664 + + - name: load zfs module + become: true + community.general.modprobe: + name: zfs + state: present + + - name: enable zfs services + become: true + ansible.builtin.service: + name: "{{ item }}" + state: started + enabled: yes + loop: + - zfs-import-cache.service + - zfs-mount.service + - zfs.target + when: not zfs_module.stat.exists + +- name: check if zpool exists + community.general.zpool_facts: + name: "{{ zfs_zpool_name }}" - name: create zpool become: true ansible.builtin.shell: cmd: zpool create -o ashift={{ zfs_zpool_ashift|quote }} -o autotrim=on -o cachefile=/etc/zfs/zpool.cache -O acltype=posixacl -O atime=off -O xattr=sa -O mountpoint=none -O canmount=off -O devices=off -O compression={{ zfs_zpool_compression|quote }} {{ zfs_zpool_name|quote }} {{ zfs_zpool_type|quote }} {{ zfs_zpool_disk_a|quote }} {{ zfs_zpool_disk_b|quote }} + when: ansible_zfs_pools[0].name != zfs_zpool_name -- name: enable zfs services - become: true - ansible.builtin.service: - name: "{{ item }}" - state: started - enabled: yes - loop: - - zfs-import-cache.service - - zfs-mount.service - - zfs.target +- name: check if zfs dataset exists + community.general.zfs_facts: + name: "{{ zfs_backup_dataset }}" - name: create backup zfs dataset community.general.zfs: 
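Review bot: The new `check if zpool exists` task does not work as a probe on a fresh host: as far as I recall, `community.general.zpool_facts` fails outright when the pool named in `name` does not exist, and even if it returned, `ansible_zfs_pools[0]` would be undefined, so the guarded `create zpool` task can never run on the first pass. Drop the `name` argument and test membership instead, `when: zfs_zpool_name not in (ansible_zfs_pools | map(attribute='name') | list)`. The `check if zfs dataset exists` / `ansible_zfs_datasets[0].name` pair that starts at the end of this hunk and continues in the next one has the same problem, but `zfs_facts` requires `name`, so query the pool's root dataset with `recurse: true` and test membership in `ansible_zfs_datasets` the same way. The `register kernel version` shell task at the top of the hunk can be replaced by the gathered `ansible_kernel` fact, which is the `uname -r` output, removing the shell call and the `check_mode: no` override. The `create backup zfs dataset` task that begins on the hunk's last line continues outside it.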
@@ -88,4 +110,49 @@ encryption: off volmode: dev devices: off - atime: off \ No newline at end of file + atime: off + when: ansible_zfs_datasets[0].name != zfs_backup_dataset + +- name: create zfs receive user + become: true + ansible.builtin.user: + name: zfs-recv + shell: /bin/bash + state: present + create_home: yes + +- name: add ssh directory for zfs receive user + become: true + ansible.builtin.file: + path: /home/zfs-recv/.ssh + state: directory + owner: zfs-recv + group: zfs-recv + mode: 0755 + +- name: add authorized key for zfs receive user + become: true + ansible.builtin.copy: + src: zfs-recv_authorized_keys + dest: /home/zfs-recv/.ssh/authorized_keys + owner: zfs-recv + group: zfs-recv + mode: 0644 + +- name: add zfs delegated permission for zfs-recv user + become: true + community.general.zfs_delegate_admin: + name: "{{ zfs_backup_dataset }}" + local: yes + descendents: yes + state: present + users: + - zfs-recv + permissions: + - compression + - mountpoint + - create + - mount + - receive + - rollback + - recordsize \ No newline at end of file
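Review bot: The `add ssh directory for zfs receive user` and `add authorized key for zfs receive user` tasks hand-build `/home/zfs-recv/.ssh` and copy a file into it, which is what `ansible.builtin.authorized_key` already does, with the directory ownership and modes set for you and a `key_options` field for any forced-command restriction the key should carry. Collapsing them into one task also removes the hard-coded home path, so the user's actual home is used even if it is ever changed. On the remaining new lines, `create_home: yes`, `local: yes` and `descendents: yes` should be `true`, and the octal modes are safer quoted, `mode: "0755"`, so the value cannot be re-typed by a YAML 1.2 loader.
```yaml
- name: add authorized key for zfs receive user
  become: true
  ansible.builtin.authorized_key:
    user: zfs-recv
    key: "{{ lookup('file', 'zfs-recv_authorized_keys') }}"
    state: present
# … unchanged: add zfs delegated permission for zfs-recv user …
```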