debops.nfs_server default variables
APT packages
- nfs_server__base_packages
List of base APT packages required by the NFS server.
nfs_server__base_packages: [ 'nfs-kernel-server', 'acl' ]
- nfs_server__packages
List of additional APT packages to install with the NFS server.
nfs_server__packages: []
Firewall configuration
- nfs_server__allow
List of IP addresses or CIDR subnets which can access the NFS server.
nfs_server__allow: []
- nfs_server__accept_any
By default the firewall does not accept connections to the NFS server if no networks are specified. If you change this variable to True, any hosts will be able to connect to the NFS server unless a list of allowed hosts is specified.
nfs_server__accept_any: False
- nfs_server__firewall_protocols
List of protocols which should be opened for NFS communication through the firewall.
nfs_server__firewall_protocols: '{{ ["tcp", "udp"] if nfs_server__v3 | bool else "tcp" }}'
- nfs_server__anchor_port
The various NFSv3 services listen for connections on the first available port. To change that and allow connections through the firewall, the role defines a static set of ports to use. This variable specifies the first port of that set.
nfs_server__anchor_port: '3550'
- nfs_server__service_ports
This variable is a YAML dictionary which defines all port numbers used by various NFSv3 services.
nfs_server__service_ports:
  'rpc.nfs-cb':   '{{ (nfs_server__anchor_port | int + 0) }}'
  'rpc.lockd':    '{{ (nfs_server__anchor_port | int + 1) }}'
  'rpc.mountd':   '{{ (nfs_server__anchor_port | int + 2) }}'
  'rpc.statd':    '{{ (nfs_server__anchor_port | int + 3) }}'
  'rpc.statd-bc': '{{ (nfs_server__anchor_port | int + 4) }}'
- nfs_server__firewall_ports
List of TCP/UDP ports which should be opened in the firewall for NFS access.
nfs_server__firewall_ports: '{{ (["nfs", "sunrpc"] + (nfs_server__service_ports.keys() | list))
                                if nfs_server__v3 | bool else ["nfs"] }}'
NFS server configuration
- nfs_server__v3
Enable or disable support for NFSv3 features. By default the NFSv3 support is disabled to ensure better service security.
nfs_server__v3: False
- nfs_server__threads
Number of nfsd threads to run. This depends on several factors, for example the number of NFS clients that access the NFS shares. Use the nfsstat command to diagnose possible issues and adjust this number as necessary.
nfs_server__threads: '{{ ansible_processor_vcpus | int * 2 }}'
- nfs_server__priority
Server thread priority, see nice(1) for more details.
nfs_server__priority: '0'
- nfs_server__mountd_options
The arguments passed to the rpc.mountd process.
nfs_server__mountd_options: '--manage-gids --port {{ nfs_server__service_ports["rpc.mountd"] }}'
- nfs_server__kerberos
Enable or disable Kerberos support.
nfs_server__kerberos: False
- nfs_server__svcgssd_options
Arguments passed to the rpc.svcgssd process.
nfs_server__svcgssd_options: ''
NFS4 root pseudo-filesystem
- nfs_server__root_path
Absolute path of the NFS4 root filesystem. All other NFS4 shares should be served as subdirectories of this directory.
nfs_server__root_path: '{{ (ansible_local.fhs.data | d("/srv"))
                           + "/nfs" }}'
- nfs_server__root_options
List of options that are used to export the NFS4 root filesystem.
nfs_server__root_options: [ 'rw', 'fsid=root', 'sync', 'subtree_check', 'crossmnt' ]
- nfs_server__root_security_options
List of NFS4 security options that are used to export the NFS4 root filesystem.
nfs_server__root_security_options: '{{ ["sec=krb5p"] if nfs_server__kerberos | bool else [] }}'
- nfs_server__root_acl
The Access Control List of NFS clients that are allowed to mount the NFS4 root filesystem. See nfs_server__exports for more details.
nfs_server__root_acl: '{{ "*" if nfs_server__accept_any | bool else nfs_server__allow }}'
NFS server exports
The list of YAML dictionaries that define NFS exports. See nfs_server__exports for more details.
- nfs_server__default_exports
The default NFS exports defined on the server. This usually includes the NFS4 root pseudo-filesystem.
nfs_server__default_exports:
  - path: '{{ nfs_server__root_path }}'
    acl: '{{ nfs_server__root_acl }}'
    options: '{{ (nfs_server__root_security_options.split(",")
                  if nfs_server__root_security_options is string
                  else nfs_server__root_security_options) +
                 (nfs_server__root_options.split(",")
                  if nfs_server__root_options is string
                  else nfs_server__root_options) }}'
- nfs_server__exports
List of NFS server exports defined on all hosts in the Ansible inventory.
nfs_server__exports: []
- nfs_server__group_exports
List of NFS server exports defined on hosts in a specific Ansible inventory group.
nfs_server__group_exports: []
- nfs_server__host_exports
List of NFS server exports defined on specific hosts in the Ansible inventory.
nfs_server__host_exports: []
- nfs_server__combined_exports
All of the NFS exports lists are combined in this variable and passed to tasks and templates in the role.
nfs_server__combined_exports: '{{ lookup("flattened", nfs_server__default_exports
                                  + nfs_server__exports + nfs_server__group_exports
                                  + nfs_server__host_exports) }}'
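An added example, not part of the role's own documentation: inventory variables that keep the restrictive defaults described above while granting access to a single client subnet. The subnet 192.0.2.0/24, the file path and the "projects" subdirectory are assumptions made for illustration; the export entry uses only the path, acl and options keys visible in nfs_server__default_exports.

```yaml
---
# inventory/group_vars/nfs_servers/nfs_server.yml  (hypothetical path)
# Constructed example; 192.0.2.0/24 is a documentation-only range.

# Keep the default. When this is True, nfs_server__root_acl evaluates
# to "*" (see its default above), so the NFS4 root pseudo-filesystem
# is exported to every client rather than to nfs_server__allow.
nfs_server__accept_any: False

# The same list feeds the firewall rule (saddr), the tcpwrappers entry
# (client) and, through nfs_server__root_acl, the root export ACL.
nfs_server__allow: [ '192.0.2.0/24' ]

# Keep the default. With NFSv3 disabled, nfs_server__firewall_ports is
# just ["nfs"] over TCP; "sunrpc" and the five rpc.* service ports
# starting at nfs_server__anchor_port are not opened.
nfs_server__v3: False

# Adds "sec=krb5p" to the root export through
# nfs_server__root_security_options.
# Assumption: the host already has a working Kerberos setup for NFS;
# that is outside the scope of the variables documented on this page.
nfs_server__kerberos: True

# One additional export, served as a subdirectory of the NFS4 root
# as nfs_server__root_path recommends.
nfs_server__exports:

  - path: '{{ nfs_server__root_path + "/projects" }}'   # hypothetical share
    acl: '{{ nfs_server__allow }}'
    options: [ 'sec=krb5p', 'rw', 'sync', 'no_subtree_check' ]
```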
Configuration for other Ansible roles
- nfs_server__etc_services__dependent_list
Configuration for the debops.etc_services Ansible role.
nfs_server__etc_services__dependent_list:

  - name: 'rpc.nfs-cb'
    port: '{{ nfs_server__service_ports["rpc.nfs-cb"] }}'
    comment: 'RPC NFS callback'

  - name: 'rpc.lockd'
    port: '{{ nfs_server__service_ports["rpc.lockd"] }}'
    comment: 'RPC lockd'

  - name: 'rpc.mountd'
    port: '{{ nfs_server__service_ports["rpc.mountd"] }}'
    comment: 'RPC mountd'

  - name: 'rpc.statd'
    port: '{{ nfs_server__service_ports["rpc.statd"] }}'
    comment: 'RPC statd'

  - name: 'rpc.statd-bc'
    port: '{{ nfs_server__service_ports["rpc.statd-bc"] }}'
    comment: 'RPC statd broadcast'
- nfs_server__tcpwrappers__dependent_allow
Configuration for the debops.tcpwrappers Ansible role.
nfs_server__tcpwrappers__dependent_allow:

  - daemon: [ 'rpcbind', 'mountd', 'lockd', 'statd' ]
    client: '{{ nfs_server__allow }}'
    accept_any: '{{ nfs_server__accept_any }}'
    filename: 'nfs-server'
    state: '{{ "present" if nfs_server__v3 | bool else "absent" }}'
- nfs_server__ferm__dependent_rules
Configuration for the debops.ferm Ansible role.
nfs_server__ferm__dependent_rules:

  - name: 'nfs_server'
    type: 'accept'
    dport: '{{ nfs_server__firewall_ports }}'
    protocol: '{{ nfs_server__firewall_protocols }}'
    saddr: '{{ nfs_server__allow }}'
    accept_any: '{{ nfs_server__accept_any }}'