Add scan (working samba on Alpine) role

roles/scan/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: reload smbd
+  command: service smbd reload
+  when: "'handler' not in ansible_skip_tags"

roles/scan/tasks/main.yml

@@ -0,0 +1,76 @@
+- name: Install packages
+  package:
+    name:
+      - py3-cryptography
+      - nss_wrapper
+      - nss
+      - musl-nscd
+      - samba-libnss-winbind
+      - chrony
+      - samba
+      - samba-winbind
+      - heimdal
+
+- name: Create share directory
+  file:
+    path: /shares/scan
+    state: directory
+
+- name: Enable smbd, nmbd, winbindd in samba config
+  lineinfile:
+    path: /etc/conf.d/samba
+    regexp: '^daemon_list='
+    line: daemon_list="smbd nmbd winbindd"
+
+- name: Configure samba
+  template:
+    dest: /etc/samba/smb.conf
+    src: smb.conf.j2
+    mode: 0600
+  notify: reload smbd
+
+- name: Check domain membership
+  command: 'net ads testjoin'
+  changed_when: false
+  failed_when: false
+  register: ad_join
+
+- name: Join host to AD domain
+  when: ad_join.rc != 0
+  block:
+    - pause:
+        prompt: 'AD username'
+      register: ad_user
+
+    - pause:
+        prompt: 'AD password'
+        echo: no
+      register: ad_pass
+
+    # work around https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52
+    #- name: Get and store domain SID
+    #  expect:
+    #    command: net -U {{ ad_user.user_input }} rpc getsid -S {{ domain }} -D {{ domain }}
+    #    responses:
+    #      'Password for': '{{ ad_pass.user_input }}'
+
+    # work around https://bugzilla.redhat.com/show_bug.cgi?id=1665794
+    #- name: Set missing keys in secrets.tdb
+    #  command: tdbtool /var/lib/samba/private/secrets.tdb store {{ item }}/{{ domain | upper | split('.') | first }} '\0'
+    #  loop:
+    #    - SECRETS/MACHINE_LAST_CHANGE_TIME
+    #    - SECRETS/MACHINE_PASSWORD
+    #    - SECRETS/MACHINE_PASSWORD.PREV
+
+    - name: Join AD
+      command: samba-tool domain join {{ domain | upper }} MEMBER -U {{ ad_user.user_input | upper }} --password="{{ad_pass.user_input}}"
+
+- name: Enable services
+  service:
+    name: '{{ item }}'
+    enabled: true
+    state: started
+  loop:
+    - samba
+    # - winbind
+

roles/scan/templates/smb.conf.j2

@@ -0,0 +1,67 @@
+[global]
+# Need the old protocol for the printers
+# server min protocol = SMB3
+# smb ports = 445
+
+use sendfile = yes
+winbind max domain connections = 10
+
+# disable attack vectors
+load printers = no
+disable spoolss = yes
+disable netbios = yes
+
+# auto-create home directories with pam_mkhomedir
+obey pam restrictions = yes
+
+# template homedir = /home/%U@%D
+# template shell = /bin/bash
+
+# domain settings
+security = ads
+kerberos method = secrets and keytab
+realm = {{ domain | upper }}
+workgroup = {{ domain | split('.') | first | upper }}
+
+idmap config * : backend = autorid
+# idmap config {{ domain | split('.') | first | upper }} :
+idmap config * : range = 600000-2147483647
+
+[scan]
+comment = Scan
+path = /shares/scan
+admin users = "@domain admins@{{ domain }}"
+browseable = yes
+read only = no
+create mask = 0700
+directory mask = 0700
+vfs objects = acl_xattr
+map acl inherit = yes
+inherit acls = yes
+inherit permissions = yes
+
+# TODO parametrize this somehow
+#[profiles]
+#comment = Users profiles
+#path = /home/profiles
+#read only = no
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes
+#
+#[ucilnice_d]
+#comment = Users profiles
+#path = /home/ucilnice_d
+#read only = no
+#guest ok = yes
+#browsable = yes
+#create mask = 0600
+#directory mask = 0700
+#vfs objects = acl_xattr
+#map acl inherit = yes
+##inherit acls = yes # default on for acl_xattr
+## inherit permissions = yes