initial commit

Author: BojanZelic

.gitignore

@@ -0,0 +1,2 @@
+zfs_dataset.iml
+.idea

.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

LICENSE

@@ -0,0 +1,39 @@
+# Ansible ZFS Encrypted Dataset Playbook
+
+This playbook and role allows you to define a list of encrypted ZFS datasets.
+
+I used this on my proxmox setup, but it should be available 
+to use in all ZFS environments.
+
+Clone this repo into your roles directory:
+
+```
+git clone [email protected]:BojanZelic/ansible-zfs-encrypted-datasets.git roles/zfs_datasets
+```
+
+Add it to your play's roles:
+```
+- hosts: all
+  roles:
+    - role: bojanzelic.zfs_datasets
+      zfs_key: "{{ lookup('env','ZFS_KEY') }}"
+      zfs_datasources:
+        rpool:
+          state: present
+        rpool/backups:
+          encrypted: true
+          extra_zfs_properties:
+            sharenfs: [email protected]/24
+        rpool/documents:
+          encrypted: true
+        rpool/personal_media:
+          state: present
+        rpool/media:
+          state: present
+```
+
+Encryption works by loading the encryption key to zfs. The playbook then tries to mount
+the dataset. 
+
+Because it's encrypted... when you reboot the server, you'll need to run the 
+playbook to mount the dataset again.

README.md

@@ -0,0 +1,6 @@
+---
+defaults:
+  zfs_key: "{{ lookup('env','ZFS_KEY') | trim}}"
+  encrypted: false
+  state: present
+  mounted: true

defaults/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: Bojan Zelic
+  description: create & mount encrypted zfs datasets
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: GPL-3.0-only
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: ['zfs', 'dataset', 'encrypted']
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  

meta/main.yml

@@ -0,0 +1,39 @@
+---
+- name: 'Create Encrypted Datasets containers'
+  shell: echo {{ item.value.zfs_key | default(defaults.zfs_key) }} | /sbin/zfs create -o encryption=on -o keyformat=passphrase {{ item.key }}
+  register: result
+  changed_when: result.rc == 0
+  failed_when:
+    - result.rc != 0
+    - '"dataset already exists" not in result.stderr'
+  with_dict: "{{ zfs_datasources }}"
+  when: item.value.encrypted | default(defaults.encrypted)
+  no_log: true
+
+- name: 'Load Encryption key for Encrypted Datasets'
+  shell: echo {{ item.value.zfs_key | default(defaults.zfs_key) }} | /sbin/zfs load-key {{ item.key }}
+  register: result
+  changed_when: result.rc == 0
+  failed_when:
+    - result.rc != 0
+    - '"Key already loaded" not in result.stderr'
+  with_dict: "{{ zfs_datasources }}"
+  when: item.value.encrypted | default(defaults.encrypted)
+  no_log: true
+
+- name: Ensure additional properties for datasets
+  zfs:
+    name: "{{ item.key }}"
+    state: "{{ item.value.state | default(defaults.state) }}"
+    extra_zfs_properties: "{{ item.value.extra_zfs_properties | default({}) }}"
+  with_dict: "{{ zfs_datasources }}"
+
+- name: Ensure datasets are mounted
+  shell: /sbin/zfs mount {{ item.key }}
+  register: result
+  changed_when: result.rc == 0
+  failed_when:
+    - result.rc != 0
+    - '"filesystem already mounted" not in result.stderr'
+  with_dict: '{{ zfs_datasources }}'
+  when: item.value.mounted | default(defaults.mounted)

tasks/main.yml

@@ -0,0 +1,2 @@
+localhost
+

tests/inventory

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - zfs_dataset