debops.nfs_server default variables

APT packages

nfs_server__base_packages

List of base APT packages required by the NFS server.

nfs_server__base_packages: [ 'nfs-kernel-server', 'acl' ]

nfs_server__packages

List of additional APT packages to install with the NFS server.

nfs_server__packages: []

Firewall configuration

nfs_server__allow

List of IP addresses or CIDR subnets which can access the NFS server.

nfs_server__allow: []

nfs_server__accept_any

By default the firewall does not accept connections to the NFS server if no networks are specified. If you change this variable to True, any host will be able to connect to the NFS server unless a list of allowed hosts is specified.

nfs_server__accept_any: False

nfs_server__firewall_protocols

List of protocols which should be opened for NFS communication through the firewall.

nfs_server__firewall_protocols: '{{ [ "tcp", "udp" ] if nfs_server__v3|bool else "tcp" }}'

nfs_server__anchor_port

The various NFSv3 services use the first available port to listen for connections. To change that and allow connections through the firewall, the role defines a static set of ports to use. This variable specifies the first port of that set.

nfs_server__anchor_port: '3550'

nfs_server__service_ports

This variable is a YAML dictionary which defines all port numbers used by various NFSv3 services.

nfs_server__service_ports:
  'rpc.nfs-cb':   '{{ (nfs_server__anchor_port | int + 0) }}'
  'rpc.lockd':    '{{ (nfs_server__anchor_port | int + 1) }}'
  'rpc.mountd':   '{{ (nfs_server__anchor_port | int + 2) }}'
  'rpc.statd':    '{{ (nfs_server__anchor_port | int + 3) }}'
  'rpc.statd-bc': '{{ (nfs_server__anchor_port | int + 4) }}'

nfs_server__firewall_ports

List of TCP/UDP ports which should be opened in the firewall for NFS access.

nfs_server__firewall_ports: '{{ ([ "nfs", "sunrpc" ] + (nfs_server__service_ports.keys() | list))
                                if nfs_server__v3|bool else [ "nfs" ] }}'

NFS server configuration

nfs_server__v3

Enable or disable support for NFSv3 features. By default the NFSv3 support is disabled to ensure better service security.

nfs_server__v3: False

nfs_server__threads

Number of nfsd threads to run. This depends on several factors, for example the number of NFS clients that access the NFS shares. Check the nfsstat command to diagnose possible issues and adjust this number as necessary.

nfs_server__threads: '{{ ansible_processor_vcpus | int * 2 }}'

nfs_server__priority

Server thread priority, see nice(1) for more details.

nfs_server__priority: '0'

nfs_server__mountd_options

The arguments passed to the rpc.mountd process.

nfs_server__mountd_options: '--manage-gids --port {{ nfs_server__service_ports["rpc.mountd"] }}'

nfs_server__kerberos

Enable or disable Kerberos support.

nfs_server__kerberos: False

nfs_server__svcgssd_options

Arguments passed to the rpc.svcgssd process.

nfs_server__svcgssd_options: ''

NFS4 root pseudo-filesystem

nfs_server__root_path

Absolute path of the NFS4 root filesystem. All other NFS4 shares should be served as subdirectories of this directory.

nfs_server__root_path: '{{ (ansible_local.fhs.data | d("/srv"))
                           + "/nfs" }}'

nfs_server__root_options

List of options that are used to export the NFS4 root filesystem.

nfs_server__root_options: [ 'rw', 'fsid=root', 'sync', 'subtree_check', 'crossmnt' ]

nfs_server__root_security_options

List of NFS4 security options that are used to export the NFS4 root filesystem.

nfs_server__root_security_options: '{{ [ "sec=krb5p" ] if nfs_server__kerberos|bool else [] }}'

nfs_server__root_acl

The Access Control List of NFS clients that are allowed to mount the NFS4 root filesystem. See nfs_server__exports for more details.

nfs_server__root_acl: '{{ "*" if nfs_server__accept_any|bool else nfs_server__allow }}'

NFS server exports

The list of YAML dictionaries that define NFS exports. See nfs_server__exports for more details.

nfs_server__default_exports

The default NFS exports defined on the server. This usually includes the NFS4 root pseudo-filesystem.

nfs_server__default_exports:
  - path: '{{ nfs_server__root_path }}'
    acl: '{{ nfs_server__root_acl }}'
    options: '{{ (nfs_server__root_security_options.split(",")
                  if nfs_server__root_security_options is string
                  else nfs_server__root_security_options) +
                 (nfs_server__root_options.split(",")
                  if nfs_server__root_options is string
                  else nfs_server__root_options) }}'

nfs_server__exports

List of NFS server exports defined on all hosts in the Ansible inventory.

nfs_server__exports: []

nfs_server__group_exports

List of NFS server exports defined on hosts in a specific Ansible inventory group.

nfs_server__group_exports: []

nfs_server__host_exports

List of NFS server exports defined on specific hosts in the Ansible inventory.

nfs_server__host_exports: []

nfs_server__combined_exports

All of the NFS exports lists are combined in this variable and passed to tasks and templates in the role.

nfs_server__combined_exports: '{{ lookup("flattened", nfs_server__default_exports
                                  + nfs_server__exports + nfs_server__group_exports
                                  + nfs_server__host_exports) }}'
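
The defaults documented above, from the firewall variables through nfs_server__default_exports, decide who can reach and who can mount the NFS4 root. The following is an added example, not code from the debops.nfs_server role: it mirrors those expressions in plain Python and reports the effective exposure for a set of values. The function names, dictionary keys and the sample CIDR are assumptions made for the illustration.

```python
# Added example: mirrors the default expressions on this page in plain Python.
# It is not code from the debops.nfs_server role.
RPC_SERVICES = ["rpc.nfs-cb", "rpc.lockd", "rpc.mountd", "rpc.statd", "rpc.statd-bc"]
ROOT_OPTIONS = ["rw", "fsid=root", "sync", "subtree_check", "crossmnt"]


def effective_exposure(v3=False, kerberos=False, allow=(), accept_any=False,
                       anchor_port=3550):
    """Evaluate the role defaults for one host. Argument names drop the
    nfs_server__ prefix of the variables they stand for."""
    service_ports = {name: anchor_port + i for i, name in enumerate(RPC_SERVICES)}
    return {
        "service_ports": service_ports,
        # nfs_server__firewall_ports / nfs_server__firewall_protocols
        # (the protocol is normalized to a list here)
        "fw_ports": ["nfs", "sunrpc"] + list(service_ports) if v3 else ["nfs"],
        "fw_protocols": ["tcp", "udp"] if v3 else ["tcp"],
        # Firewall sources, as described for nfs_server__accept_any
        "fw_sources": list(allow) or (["any"] if accept_any else []),
        # nfs_server__root_acl ignores the allow list once accept_any is set
        "root_acl": "*" if accept_any else list(allow),
        # nfs_server__default_exports: security options first, then root options
        "root_options": (["sec=krb5p"] if kerberos else []) + ROOT_OPTIONS,
    }


def audit(**settings):
    """Return review findings for a set of variable values."""
    exp = effective_exposure(**settings)
    findings = []
    if exp["root_acl"] == "*" and exp["fw_sources"] != ["any"]:
        findings.append("export ACL is '*'; only the firewall restricts clients")
    if exp["root_acl"] == "*" and exp["fw_sources"] == ["any"]:
        findings.append("any host can reach and mount the NFS4 root")
    if not any(opt.startswith("sec=") for opt in exp["root_options"]):
        findings.append("no sec= option; export uses the exports(5) default, sec=sys")
    if "sunrpc" in exp["fw_ports"]:
        findings.append("NFSv3 on: rpcbind and %d static RPC ports opened on tcp+udp"
                        % (len(exp["fw_ports"]) - 2))
    return findings


if __name__ == "__main__":
    # Constructed inventory values, for illustration only.
    for finding in audit(v3=True, accept_any=True, allow=["192.0.2.0/24"]):
        print("-", finding)
```
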

Configuration for other Ansible roles

nfs_server__etc_services__dependent_list

Configuration for the debops.etc_services Ansible role.

nfs_server__etc_services__dependent_list:

  - name: 'rpc.nfs-cb'
    port: '{{ nfs_server__service_ports["rpc.nfs-cb"] }}'
    comment: 'RPC NFS callback'

  - name: 'rpc.lockd'
    port: '{{ nfs_server__service_ports["rpc.lockd"] }}'
    comment: 'RPC lockd'

  - name: 'rpc.mountd'
    port: '{{ nfs_server__service_ports["rpc.mountd"] }}'
    comment: 'RPC mountd'

  - name: 'rpc.statd'
    port: '{{ nfs_server__service_ports["rpc.statd"] }}'
    comment: 'RPC statd'

  - name: 'rpc.statd-bc'
    port: '{{ nfs_server__service_ports["rpc.statd-bc"] }}'
    comment: 'RPC statd broadcast'

nfs_server__tcpwrappers__dependent_allow

Configuration for the debops.tcpwrappers Ansible role.

nfs_server__tcpwrappers__dependent_allow:

  - daemon: [ 'rpcbind', 'mountd', 'lockd', 'statd' ]
    client: '{{ nfs_server__allow }}'
    accept_any: '{{ nfs_server__accept_any }}'
    filename: 'nfs-server'
    state: '{{ "present" if nfs_server__v3|bool else "absent" }}'

nfs_server__ferm__dependent_rules

Configuration for the debops.ferm Ansible role.

nfs_server__ferm__dependent_rules:
  - name: 'nfs_server'
    type: 'accept'
    dport: '{{ nfs_server__firewall_ports }}'
    protocol: '{{ nfs_server__firewall_protocols }}'
    saddr: '{{ nfs_server__allow }}'
    accept_any: '{{ nfs_server__accept_any }}'