From 9ca69f596644a129d4a30d76c21425af733e4856 Mon Sep 17 00:00:00 2001 From: Wojciech Kozlowski Date: Sun, 19 Feb 2023 21:12:16 +0100 Subject: [PATCH] Add music user and enable samba --- inventory/group_vars/asgard/vars.yml | 3 +- inventory/host_vars/yggdrasil/vars.yml | 25 +++++++++ playbooks/music.yml | 17 ++++++ .../music/datasets/meta/argument_specs.yml | 13 +++++ playbooks/roles/music/datasets/tasks/main.yml | 27 ++++++++++ .../roles/music/rip/meta/argument_specs.yml | 22 ++++++++ .../music/rip/tasks/include/directories.yml | 24 +++++++++ .../roles/music/rip/tasks/include/samba.yml | 54 +++++++++++++++++++ .../roles/music/rip/tasks/include/user.yml | 37 +++++++++++++ playbooks/roles/music/rip/tasks/main.yml | 15 ++++++ requirements.txt | 1 + 11 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 playbooks/music.yml create mode 100644 playbooks/roles/music/datasets/meta/argument_specs.yml create mode 100644 playbooks/roles/music/datasets/tasks/main.yml create mode 100644 playbooks/roles/music/rip/meta/argument_specs.yml create mode 100644 playbooks/roles/music/rip/tasks/include/directories.yml create mode 100644 playbooks/roles/music/rip/tasks/include/samba.yml create mode 100644 playbooks/roles/music/rip/tasks/include/user.yml create mode 100644 playbooks/roles/music/rip/tasks/main.yml diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml index 7555f90..04798af 100644 --- a/inventory/group_vars/asgard/vars.yml +++ b/inventory/group_vars/asgard/vars.yml 
@@ -3,7 +3,8 @@ # system:base # -------------------------------------------------------------------------------------------------- system_base_additional_tcp_ports: "{{ - services_host_services | dict2items | map(attribute='value.tcp', default=[]) | flatten }}" + services_host_services | dict2items | map(attribute='value.tcp', default=[]) | flatten | + union(system_base_tcp_ports) }}" # -------------------------------------------------------------------------------------------------- # system:var diff --git a/inventory/host_vars/yggdrasil/vars.yml b/inventory/host_vars/yggdrasil/vars.yml index 10a1b9f..43e382d 100644 --- a/inventory/host_vars/yggdrasil/vars.yml +++ b/inventory/host_vars/yggdrasil/vars.yml @@ -17,6 +17,18 @@ system_zfs_zpools_load_key: # -------------------------------------------------------------------------------------------------- system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}" +# -------------------------------------------------------------------------------------------------- +# system:base +# -------------------------------------------------------------------------------------------------- +system_base_additional_ssh_users: + - "music" +system_base_udp_ports: + - 137 # samba + - 138 # samba +system_base_tcp_ports: + - 139 # samba + - 445 # samba + # -------------------------------------------------------------------------------------------------- # system:var # -------------------------------------------------------------------------------------------------- 
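Review bot: The group var now calls `union(system_base_tcp_ports)`, but in this commit `system_base_tcp_ports` is defined only in yggdrasil's host_vars; for any other host in the asgard group the template fails on an undefined variable unless the system:base role supplies a default for it, which is not visible here. Either add `system_base_tcp_ports: []` to the group vars or make the filter tolerant: `union(system_base_tcp_ports | default([])) }}"`. The same host_vars also introduce `system_base_udp_ports` with no matching union in this file, so it is worth confirming the role consumes that variable directly.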
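Review bot: The new `system_base_udp_ports`/`system_base_tcp_ports` entries open UDP 137/138 and TCP 139 alongside 445, but 137-139 are the legacy NetBIOS transports; current SMB clients only need TCP 445, and the samba tasks in this commit manage only `smbd`, so nothing this role configures is guaranteed to answer on 137/138 (that is `nmbd`). Unless a legacy client on the network depends on NetBIOS, trimming the lists to `- 445 # samba` reduces the exposed surface, and if the entries must stay a comment such as `# NetBIOS (137-139) kept for legacy clients only` would record why. Adding `music` to `system_base_additional_ssh_users` grants that account SSH access in addition to the share, which looks intentional given the authorized key installed in user.yml.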
@@ -73,6 +85,19 @@ backups_snapshots_sanoid_system_datasets: recursive: true children_only: true +# -------------------------------------------------------------------------------------------------- +# music:rip +# -------------------------------------------------------------------------------------------------- +music_user_name: "music" +music_user_password: "{{ vault_music_user_password }}" +music_user_samba_password: "{{ vault_music_user_samba_password }}" + +music_user_home_directory: "{{ system_var_home_directory }}/{{ music_user_name }}" +music_user_data_directory: "{{ system_var_data_directory }}/{{ music_user_name }}" + +music_user_home_dataset: "rpool{{ music_user_home_directory }}" +music_user_data_dataset: "rpool{{ music_user_data_directory }}" + # -------------------------------------------------------------------------------------------------- # services # -------------------------------------------------------------------------------------------------- diff --git a/playbooks/music.yml b/playbooks/music.yml new file mode 100644 index 0000000..fe7ac9b --- /dev/null +++ b/playbooks/music.yml @@ -0,0 +1,17 @@ +--- +- name: "music : yggdrasil" + hosts: "yggdrasil" + roles: + - role: "music/datasets" + tags: "music:datasets" + - role: "music/rip" + tags: "music:rip" + vars: + music_rip_public_key_file: "\ + {% if (the_nine_worlds_production | bool) %}\ + ~/.ssh/yggdrasil.pub\ + {% else %}\ + ~/.ssh/debian-virt.pub\ + {% endif %}" + # - role: "music/org" + # tags: "music:org" diff --git a/playbooks/roles/music/datasets/meta/argument_specs.yml b/playbooks/roles/music/datasets/meta/argument_specs.yml new file mode 100644 index 0000000..bace97e --- /dev/null +++ b/playbooks/roles/music/datasets/meta/argument_specs.yml @@ -0,0 +1,13 @@ +--- +argument_specs: + main: + options: + music_user_home_dataset: + type: "str" + required: true + music_user_home_directory: + type: "str" + required: true + music_user_data_dataset: + type: "str" + required: true 
diff --git a/playbooks/roles/music/datasets/tasks/main.yml b/playbooks/roles/music/datasets/tasks/main.yml
new file mode 100644
index 0000000..9426ce8
--- /dev/null
+++ b/playbooks/roles/music/datasets/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: "create home dataset"
+ community.general.zfs:
+ name: "{{ music_user_home_dataset }}"
+ state: "present"
+ register: music_datasets_user_zfs_home
+
+- name: "populate home dataset with skeleton"
+ ansible.builtin.copy:
+ src: "/etc/skel/"
+ dest: "{{ music_user_home_directory }}"
+ mode: "preserve"
+ remote_src: true
+ when:
+ music_datasets_user_zfs_home.changed
+
+- name: "create data dataset"
+ community.general.zfs:
+ name: "{{ music_user_data_dataset }}"
+ state: "present"
+ extra_zfs_properties:
+ canmount: "off"
+
+- name: "create music volume dataset"
+ community.general.zfs:
+ name: "{{ music_user_data_dataset }}/flac"
+ state: "present"
diff --git a/playbooks/roles/music/rip/meta/argument_specs.yml b/playbooks/roles/music/rip/meta/argument_specs.yml
new file mode 100644
index 0000000..6649ec3
--- /dev/null
+++ b/playbooks/roles/music/rip/meta/argument_specs.yml
@@ -0,0 +1,22 @@
+---
+argument_specs:
+ main:
+ options:
+ music_user_name:
+ type: "str"
+ required: true
+ music_user_password:
+ type: "str"
+ required: true
+ music_user_samba_password:
+ type: "str"
+ required: true
+ music_user_home_directory:
+ type: "str"
+ required: true
+ music_user_data_directory:
+ type: "str"
+ required: true
+ music_rip_public_key_file:
+ type: "str"
+ required: true
diff --git a/playbooks/roles/music/rip/tasks/include/directories.yml b/playbooks/roles/music/rip/tasks/include/directories.yml
new file mode 100644
index 0000000..f161fa6
--- /dev/null
+++ b/playbooks/roles/music/rip/tasks/include/directories.yml
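Review bot: `populate home dataset with skeleton` copies `/etc/skel/` as root before the `music` account exists (this role runs ahead of `music/rip` in playbooks/music.yml), so the dotfiles are root-owned until the recursive chown in user.yml runs, and that chown is gated on `music_rip_user_create.changed`; if the home dataset is ever recreated on a host where the user already exists, the copied files stay root-owned and the `.bashrc` append in user.yml is skipped as well. A comment on the copy task would make the cross-role coupling explicit: `# copied as root; ownership is fixed by music/rip user tasks on first user creation`. Keying the chown in user.yml on this task's `changed` result instead of on user creation would close the gap, at the cost of sharing a fact between the two roles.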
@@ -0,0 +1,24 @@
+---
+- name: "directories : create data directory"
+ ansible.builtin.file:
+ path: "{{ music_user_data_directory }}"
+ state: "directory"
+ owner: "{{ music_user_name }}"
+ group: "{{ music_user_name }}"
+ mode: 0755
+
+- name: "directories : create volume \"flac\""
+ ansible.builtin.file:
+ path: "{{ music_user_data_directory }}/flac"
+ state: "directory"
+ owner: "{{ music_user_name }}"
+ group: "{{ music_user_name }}"
+ mode: 0755
+
+- name: "directories : create directory \"rip\""
+ ansible.builtin.file:
+ path: "{{ music_user_home_directory }}/rip"
+ state: "directory"
+ owner: "{{ music_user_name }}"
+ group: "{{ music_user_name }}"
+ mode: 0755
diff --git a/playbooks/roles/music/rip/tasks/include/samba.yml b/playbooks/roles/music/rip/tasks/include/samba.yml
new file mode 100644
index 0000000..58fe85d
--- /dev/null
+++ b/playbooks/roles/music/rip/tasks/include/samba.yml
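Review bot: The three `mode: 0755` values are unquoted YAML scalars; Ansible's loader treats the leading zero as octal so they work, but the same form without the zero would be read as decimal and yamllint flags it, so the conventional spelling is `mode: "0755"` on each task. Separately, the `rip` directory at 0755 together with the `create mask = 0644` / `directory mask = 0755` set in samba.yml leaves everything the `music` account rips readable by every local account on the host; if the library is meant to be private to that account, `"0750"` here and `0640`/`0750` masks in the share would narrow it.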
@@ -0,0 +1,54 @@
+---
+- name: "samba : install samba"
+ ansible.builtin.apt:
+ name:
+ - "samba"
+ - "samba-client"
+
+- name: "samba : configure samba share"
+ ansible.builtin.blockinfile:
+ path: "/etc/samba/smb.conf"
+ mode: 0644
+ insertafter: "EOF"
+ marker: "# {mark} ANSIBLE MANAGED BLOCK MUSIC:RIP"
+ block: |
+ [music-rip]
+ comment = Music drive
+ path = {{ music_user_home_directory }}/rip
+ browseable = yes
+ read only = no
+ guest ok = no
+ create mask = 0644
+ directory mask = 0755
+ register: music_rip_samba_config
+
+- name: "samba : check for \"{{ music_user_name }}\" user"
+ ansible.builtin.shell: "pdbedit --user={{ music_user_name }} || /usr/bin/true"
+ changed_when: false
+ register: music_rip_samba_pdb_state
+
+- name: "samba : add \"{{ music_user_name }}\" user"
+ ansible.builtin.shell: |
+ (echo '{{ music_user_samba_password }}'; echo '{{ music_user_samba_password }}') |
+ smbpasswd -a {{ music_user_name }}
+ when:
+ not music_rip_samba_pdb_state.stdout is match('^' ~ music_user_name ~ ':')
+
+- name: "samba : enable samba"
+ ansible.builtin.systemd:
+ name: "smbd"
+ enabled: true
+
+- name: "samba : start samba"
+ ansible.builtin.systemd:
+ name: "smbd"
+ state: "started"
+ register: music_rip_samba_start
+
+- name: "samba : restart samba"
+ ansible.builtin.systemd:
+ name: "smbd"
+ state: "restarted"
+ when:
+ music_rip_samba_config.changed and
+ not music_rip_samba_start.changed
diff --git a/playbooks/roles/music/rip/tasks/include/user.yml b/playbooks/roles/music/rip/tasks/include/user.yml
new file mode 100644
index 0000000..a922c2b
--- /dev/null
+++ b/playbooks/roles/music/rip/tasks/include/user.yml
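Review bot: `samba : add "music" user` renders `music_user_samba_password` into a shell command line with no `no_log`, so the plaintext Samba password lands in the task result's `cmd` field and in verbose or callback-plugin output, and a password containing a single quote breaks the `echo '...'` quoting. Add `no_log: true` to the task and pass the value through `| quote` in both echo arguments, i.e. `(echo {{ music_user_samba_password | quote }}; echo {{ music_user_samba_password | quote }}) |`; if smbpasswd on the target prompts via the terminal rather than reading stdin, `smbpasswd -a -s` is its stdin mode. The `[music-rip]` share sets `guest ok = no` but no `valid users = {{ music_user_name }}`, so any Samba account added to the host later can reach it; that line scopes the share to the account this role creates. The check/add pair with `changed_when: false` on the probe is a reasonable workaround for the absence of a Samba user module.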
@@ -0,0 +1,37 @@
+---
+- name: "user : create user"
+ ansible.builtin.user:
+ name: "{{ music_user_name }}"
+ create_home: true
+ home: "{{ music_user_home_directory }}"
+ password: "{{ music_user_password }}"
+ register: music_rip_user_create
+
+- name: "rip : set default shell"
+ ansible.builtin.user:
+ name: "{{ music_user_name }}"
+ shell: "/usr/bin/rbash"
+
+- block:
+
+ - name: "user : set home directory ownership"
+ ansible.builtin.file:
+ path: "{{ music_user_home_directory }}"
+ state: "directory"
+ owner: "{{ music_user_name }}"
+ group: "{{ music_user_name }}"
+ recurse: true
+
+ - name: "user : ensure XDG_RUNTIME_DIR is set"
+ ansible.builtin.shell: |
+ echo '\nexport XDG_RUNTIME_DIR=/run/user/$(id -u)' >> \
+ {{ music_user_home_directory }}/.bashrc
+
+ when:
+ music_rip_user_create.changed
+
+- name: "user : set authorized key"
+ ansible.posix.authorized_key:
+ user: "{{ music_user_name }}"
+ state: "present"
+ key: "{{ lookup('ansible.builtin.file', music_rip_public_key_file) }}"
diff --git a/playbooks/roles/music/rip/tasks/main.yml b/playbooks/roles/music/rip/tasks/main.yml
new file mode 100644
index 0000000..76b509a
--- /dev/null
+++ b/playbooks/roles/music/rip/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: "play:music : role:rip : tasks:user"
+ ansible.builtin.import_tasks: "include/user.yml"
+ tags:
+ - "music:rip:user"
+
+- name: "play:music : role:rip : tasks:directories"
+ ansible.builtin.import_tasks: "include/directories.yml"
+ tags:
+ - "music:rip:directories"
+
+- name: "play:music : role:rip : tasks:samba"
+ ansible.builtin.import_tasks: "include/samba.yml"
+ tags:
+ - "music:rip:samba"
diff --git a/requirements.txt b/requirements.txt
index 091f1ad..73b2969 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 ansible
 keyring
 libvirt-python
+passlib
 requests
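Review bot: `user : create user` passes `music_user_password` straight to the `password` parameter of `ansible.builtin.user`, which expects an already-hashed crypt string; unless `vault_music_user_password` is stored as a hash, the account gets an unusable password entry and Ansible warns about it, and the `passlib` added to requirements.txt in this commit only matters if the hash is produced with `password_hash`. If the vault holds plaintext, use `password: "{{ music_user_password | password_hash('sha512') }}"` together with `update_password: "on_create"`, since the filter salts anew on every run and would otherwise report a change each time. `ensure XDG_RUNTIME_DIR is set` appends with `echo '\nexport ...' >>`, whose treatment of `\n` depends on which `/bin/sh` runs it; `ansible.builtin.lineinfile` with `line: "export XDG_RUNTIME_DIR=/run/user/$(id -u)"` is idempotent and would not need the `changed` guard around the block. The task named `rip : set default shell` breaks the `user : ` prefix used by its siblings in this file.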