diff --git a/roles/nbd-server/defaults/main.yml b/roles/nbd-server/defaults/main.yml new file mode 100644 index 0000000..7147ffa --- /dev/null +++ b/roles/nbd-server/defaults/main.yml @@ -0,0 +1 @@ +nbd_server_allow_list: true diff --git a/roles/nbd-server/files/nbd-server.socket b/roles/nbd-server/files/nbd-server.socket new file mode 100644 index 0000000..8be0fdd --- /dev/null +++ b/roles/nbd-server/files/nbd-server.socket @@ -0,0 +1,13 @@ +[Unit] +Description=Network Block Device Server socket + +[Socket] +# NBD clients cannot handle their addresses changing, which happens +# frequently for IPv6. Only bind to the IPv4 socket to work around this. +ListenStream=0.0.0.0:10809 +Accept=yes +KeepAlive=yes +KeepAliveTimeSec=5m + +[Install] +WantedBy=sockets.target diff --git a/roles/nbd-server/files/nbd-server@.service b/roles/nbd-server/files/nbd-server@.service new file mode 100644 index 0000000..a77ea64 --- /dev/null +++ b/roles/nbd-server/files/nbd-server@.service @@ -0,0 +1,11 @@ +[Unit] +Description=Network Block Device Server +CollectMode=inactive-or-failed +After=network.target + +[Service] +ExecStart=/usr/bin/nbd-server -d +User=nbd +Group=nbd +StandardInput=socket +StandardOutput=journal diff --git a/roles/nbd-server/handlers/main.yml b/roles/nbd-server/handlers/main.yml new file mode 100644 index 0000000..7ea76b6 --- /dev/null +++ b/roles/nbd-server/handlers/main.yml @@ -0,0 +1,9 @@ +- name: reload systemd + systemd: + daemon_reload: true + changed_when: true + +- name: restart nbd-server + systemd: + name: nbd-server.socket + state: restarted diff --git a/roles/nbd-server/tasks/main.yml b/roles/nbd-server/tasks/main.yml new file mode 100644 index 0000000..1c7f52c --- /dev/null +++ b/roles/nbd-server/tasks/main.yml @@ -0,0 +1,96 @@ +- name: ensure nbd is installed + package: + name: nbd + state: present + tags: + - install + +- name: ensure nbd user group exists + group: + name: nbd + system: true + state: present + tags: + - user + - group +- name: ensure nbd user exists + user: + name: nbd + system: true + group: nbd + home: /var/lib/nbd + create_home: false + shell: /sbin/nologin + state: present + tags: + - user + +- name: ensure nbd data directory exists + file: + path: /var/lib/nbd + mode: ug=rwx,o=rx + owner: nbd + group: nbd + state: directory + +- name: ensure nbd-server configuration directory exists + file: + path: /etc/nbd-server + mode: u=rwx,go=rx + owner: root + group: root + state: directory + tags: + - config +- name: ensure nbd-server configuration drop-in directory exists + file: + path: /etc/nbd-server/config.d + mode: u=rwx,go=rx + owner: root + group: root + state: directory + tags: + - config +- name: ensure nbd-server is configured + template: + src: nbd-server.config.j2 + dest: /etc/nbd-server/config + mode: u=rw,go=r + owner: root + group: root + notify: + - restart nbd-server + tags: + - config + +- name: ensure nbd-server unit files exist + copy: + src: '{{ item }}' + dest: /etc/systemd/system/ + mode: u=rw,go=r + owner: root + group: root + loop: + - nbd-server.socket + - nbd-server@.service + notify: + - reload systemd + - restart nbd-server + tags: + - systemd + +- name: ensure nbd-server socket is listening + systemd: + name: nbd-server.socket + state: started + tags: + - service + +- name: ensure firewall is configured for nbd-server + firewalld: + service: nbd + state: enabled + permanent: true + immediate: true + tags: + - firewall diff --git a/roles/nbd-server/templates/nbd-server.config.j2 b/roles/nbd-server/templates/nbd-server.config.j2 new file mode 100644 index 0000000..e110dc9 --- /dev/null +++ b/roles/nbd-server/templates/nbd-server.config.j2 @@ -0,0 +1,4 @@ +[generic] +port = 0 +allowlist = {{ nbd_server_allow_list|bool|string|lower }} +includedir = /etc/nbd-server/config.d