zfs conditionals and delegated perms
parent
e7870f6ef6
commit
ea117c30f8
@ -6,6 +6,7 @@ zfs_prereq_packages:
|
|||||||
zfs_packages:
|
zfs_packages:
|
||||||
- zfs-utils
|
- zfs-utils
|
||||||
- zfs-dkms
|
- zfs-dkms
|
||||||
|
- mbuffer
|
||||||
zfs_arc_min: '1073741824'
|
zfs_arc_min: '1073741824'
|
||||||
zfs_arc_max: '4294967296'
|
zfs_arc_max: '4294967296'
|
||||||
zfs_zpool_ashift: '12'
|
zfs_zpool_ashift: '12'
|
||||||
|
1
ansible/roles/zfs-install/files/zfs-recv_authorized_keys
Normal file
1
ansible/roles/zfs-install/files/zfs-recv_authorized_keys
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+6ruP8XcCD3nWS9z0hp+Hnf6pxoL1nF4I0L9g9/3Sr zfs-recv@lab.balsillie.net
|
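Review bot: The key on the added line carries no authorized_keys options, and the tasks in this commit create the zfs-recv account with `shell: /bin/bash` and copy this file verbatim, so the key holder gets an unrestricted interactive login rather than only the receive it is meant for. Prefixing the entry with `restrict,command="<receive-wrapper-path>" ssh-ed25519 …` (placeholder for a fixed script that only runs the receive) limits the key to that one operation and disables pty allocation, port/agent forwarding and user rc; if a wrapper is not wanted yet, `restrict` on its own is still a cheap improvement. The delegated `rollback` permission in the last hunk also lets this key discard newer snapshots on the backup dataset, which is worth a comment in the tasks file if that is intended (it is typically needed for a forced receive).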
@ -1,77 +1,99 @@
|
|||||||
---
|
---
|
||||||
- name: install zfs prerequisites
|
- name: register kernel version
|
||||||
become: true
|
ansible.builtin.shell:
|
||||||
community.general.pacman:
|
cmd: uname -r
|
||||||
name: "{{ zfs_prereq_packages }}"
|
check_mode: no
|
||||||
state: latest
|
register: kernel_version
|
||||||
update_cache: true
|
|
||||||
when:
|
|
||||||
- ansible_os_family == 'Arch'
|
|
||||||
|
|
||||||
- name: add gpg parameters file from template
|
- name: check if zfs kernel module exists
|
||||||
become: true
|
ansible.builtin.stat:
|
||||||
ansible.builtin.template:
|
path: /lib/modules/{{ kernel_version.stdout }}/updates/dkms/zfs.ko.zst
|
||||||
src: key-params.j2
|
register: zfs_module
|
||||||
dest: /root/key-params
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0660
|
|
||||||
|
|
||||||
- name: generate gpg key for root
|
- block:
|
||||||
become: true
|
- name: install zfs prerequisites
|
||||||
ansible.builtin.shell:
|
become: true
|
||||||
cmd: gpg --batch --gen-key /root/key-params
|
community.general.pacman:
|
||||||
|
name: "{{ zfs_prereq_packages }}"
|
||||||
|
state: latest
|
||||||
|
update_cache: true
|
||||||
|
when:
|
||||||
|
- ansible_os_family == 'Arch'
|
||||||
|
|
||||||
- name: import zfs signing key
|
- name: add gpg parameters file from template
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.shell:
|
ansible.builtin.template:
|
||||||
cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }}
|
src: key-params.j2
|
||||||
|
dest: /root/key-params
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0660
|
||||||
|
|
||||||
- name: trust zfs signing key
|
- name: generate gpg key for root
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.shell:
|
ansible.builtin.shell:
|
||||||
cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }}
|
cmd: gpg --batch --gen-key /root/key-params
|
||||||
|
|
||||||
- name: install zfs module
|
- name: import zfs signing key
|
||||||
become: true
|
become: true
|
||||||
community.general.pacman:
|
ansible.builtin.shell:
|
||||||
executable: /usr/bin/pikaur
|
cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }}
|
||||||
name: "{{ zfs_packages }}"
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
when:
|
|
||||||
- ansible_os_family == 'Arch'
|
|
||||||
|
|
||||||
- name: set zfs module parameters
|
- name: trust zfs signing key
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.template:
|
ansible.builtin.shell:
|
||||||
src: zfs.conf.j2
|
cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }}
|
||||||
dest: /etc/modprobe.d/zfs.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0664
|
|
||||||
|
|
||||||
- name: load zfs module
|
- name: install zfs module
|
||||||
become: true
|
become: true
|
||||||
community.general.modprobe:
|
community.general.pacman:
|
||||||
name: zfs
|
executable: /usr/bin/pikaur
|
||||||
state: present
|
name: "{{ zfs_packages }}"
|
||||||
|
state: latest
|
||||||
|
update_cache: true
|
||||||
|
when:
|
||||||
|
- ansible_os_family == 'Arch'
|
||||||
|
|
||||||
|
- name: set zfs module parameters
|
||||||
|
become: true
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: zfs.conf.j2
|
||||||
|
dest: /etc/modprobe.d/zfs.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0664
|
||||||
|
|
||||||
|
- name: load zfs module
|
||||||
|
become: true
|
||||||
|
community.general.modprobe:
|
||||||
|
name: zfs
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: enable zfs services
|
||||||
|
become: true
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
loop:
|
||||||
|
- zfs-import-cache.service
|
||||||
|
- zfs-mount.service
|
||||||
|
- zfs.target
|
||||||
|
when: not zfs_module.stat.exists
|
||||||
|
|
||||||
|
- name: check if zpool exists
|
||||||
|
community.general.zpool_facts:
|
||||||
|
name: "{{ zfs_zpool_name }}"
|
||||||
|
|
||||||
- name: create zpool
|
- name: create zpool
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.shell:
|
ansible.builtin.shell:
|
||||||
cmd: zpool create -o ashift={{ zfs_zpool_ashift|quote }} -o autotrim=on -o cachefile=/etc/zfs/zpool.cache -O acltype=posixacl -O atime=off -O xattr=sa -O mountpoint=none -O canmount=off -O devices=off -O compression={{ zfs_zpool_compression|quote }} {{ zfs_zpool_name|quote }} {{ zfs_zpool_type|quote }} {{ zfs_zpool_disk_a|quote }} {{ zfs_zpool_disk_b|quote }}
|
cmd: zpool create -o ashift={{ zfs_zpool_ashift|quote }} -o autotrim=on -o cachefile=/etc/zfs/zpool.cache -O acltype=posixacl -O atime=off -O xattr=sa -O mountpoint=none -O canmount=off -O devices=off -O compression={{ zfs_zpool_compression|quote }} {{ zfs_zpool_name|quote }} {{ zfs_zpool_type|quote }} {{ zfs_zpool_disk_a|quote }} {{ zfs_zpool_disk_b|quote }}
|
||||||
|
when: ansible_zfs_pools[0].name != zfs_zpool_name
|
||||||
|
|
||||||
- name: enable zfs services
|
- name: check if zfs dataset exists
|
||||||
become: true
|
community.general.zfs_facts:
|
||||||
ansible.builtin.service:
|
name: "{{ zfs_backup_dataset }}"
|
||||||
name: "{{ item }}"
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
loop:
|
|
||||||
- zfs-import-cache.service
|
|
||||||
- zfs-mount.service
|
|
||||||
- zfs.target
|
|
||||||
|
|
||||||
- name: create backup zfs dataset
|
- name: create backup zfs dataset
|
||||||
community.general.zfs:
|
community.general.zfs:
|
||||||
@ -88,4 +110,49 @@
|
|||||||
encryption: off
|
encryption: off
|
||||||
volmode: dev
|
volmode: dev
|
||||||
devices: off
|
devices: off
|
||||||
atime: off
|
atime: off
|
||||||
|
when: ansible_zfs_datasets[0].name != zfs_backup_dataset
|
||||||
|
|
||||||
|
- name: create zfs receive user
|
||||||
|
become: true
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: zfs-recv
|
||||||
|
shell: /bin/bash
|
||||||
|
state: present
|
||||||
|
create_home: yes
|
||||||
|
|
||||||
|
- name: add ssh directory for zfs receive user
|
||||||
|
become: true
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /home/zfs-recv/.ssh
|
||||||
|
state: directory
|
||||||
|
owner: zfs-recv
|
||||||
|
group: zfs-recv
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: add authorized key for zfs receive user
|
||||||
|
become: true
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: zfs-recv_authorized_keys
|
||||||
|
dest: /home/zfs-recv/.ssh/authorized_keys
|
||||||
|
owner: zfs-recv
|
||||||
|
group: zfs-recv
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: add zfs delegated permission for zfs-recv user
|
||||||
|
become: true
|
||||||
|
community.general.zfs_delegate_admin:
|
||||||
|
name: "{{ zfs_backup_dataset }}"
|
||||||
|
local: yes
|
||||||
|
descendents: yes
|
||||||
|
state: present
|
||||||
|
users:
|
||||||
|
- zfs-recv
|
||||||
|
permissions:
|
||||||
|
- compression
|
||||||
|
- mountpoint
|
||||||
|
- create
|
||||||
|
- mount
|
||||||
|
- receive
|
||||||
|
- rollback
|
||||||
|
- recordsize
|
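Review bot: The `when: ansible_zfs_pools[0].name != zfs_zpool_name` condition on the create zpool task breaks in exactly the case it exists for: on a host with no pool the list is empty and `[0]` is an undefined-variable error, and with more than one pool it compares against whichever pool happens to be listed first. A membership test covers both: `when: zfs_zpool_name not in (ansible_zfs_pools | default([]) | map(attribute='name') | list)`; the same applies to `when: ansible_zfs_datasets[0].name != zfs_backup_dataset` in the second hunk. It is also worth checking on a fresh host whether zpool_facts and zfs_facts error out when given a `name` that does not exist yet, in which case those tasks need `failed_when: false` (or no `name`) before the membership test can run. Separately, `register kernel version` can read the `ansible_kernel` fact instead of `shell: uname -r`, which also removes a task that reports changed on every run (or add `changed_when: false` if the shell call stays).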