-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support more scenarios #1
base: master
Are you sure you want to change the base?
Conversation
Ansible already executes the scripts from inside the host machines, which will always make the localhost to be the synology machine. Using the 127.0.0.1 instead of any supplied input saves from mistakenly using an unresolvable uri by synology thus avoid sending the GET request with the username and password in the URI to a foreign nslookup Also enable usage of a customized synology port through synology_dsm_port
Add logout, create user, delete user and many more webapi tasks. Structure the defaults into directories.
The main feedback that I have on this is that there's no way to disable the application of a bunch of this new configuration. For example, for the mail settings, there's no options other than disabling mail or actually configuring everything. I don't really have a good suggestion for how to implement the third option of leaving it alone, though. |
Keeping some settings untouched shall be done with a check for each setting whether it's configured for the task or not. Note: some options could be tricky, ie: password and __CiPhErTeXt, one and only of them is required for the user creation. |
deny: false | ||
custom: false | ||
permissions: | ||
- share_dir: "shared_dir1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this correct? Shouldn’t this be a list of shares which the user should have access to?
The 3 mentioned shares seem like boilerplate shares.
quotas_defaults: | ||
quota: 0 | ||
quotas: | ||
- share_dir: "shared_dir1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Boilerplate ?
user_name: "{{ synology_dsm_new_user_name }}" | ||
group_name: "{{ item }}" | ||
with_list: | ||
- group1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Boilerplate? Shouldn’t this be configurable?
@@ -0,0 +1,4 @@ | |||
--- | |||
synology_dsm_users_to_delete: | |||
- "to_be_deleted_user1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Preferably default this to an empty list:
synology_dsm_users_to_delete: []
@@ -0,0 +1,9 @@ | |||
--- | |||
synology_dsm_new_user_name: automated_user1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not have this as e.g. a dict?
synology_dsm_users:
automated_user1:
description: Automatically created test user
email: ""
cnt_chg_pw: false
expired: normal
notify_by_email: false
send_pw: false
pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw==
automated_user2:
# etc
Multiple users can be specified this way.
"password": "{{ synology_dsm_new_user_pass | b64decode }}" | ||
} | ||
] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If changing this to a list add:
loop: “{{ (synology_dsm_users | default({})) | dict2items }}”
"api": "SYNO.Core.User", | ||
"method": "create", | ||
"version": "1", | ||
"name": "{{ synology_dsm_new_user_name }}", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the loop added update this section:
"name": "{{ item.key }}",
"description": "{{ item.value.description }}",
"email": "{{ user_email }}", | ||
"expired": "{{ user_expiration }}", | ||
"cannot_chg_passwd": {{ user_cnt_chg_pw | to_json }}, | ||
"password": "{{ user_pass | b64decode }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why b64decode passwords? If it’s just to obscure the password I suggest to use Ansible Vault for storing the password in a variable (will be decrypted when running Ansible). Base64 can be decoded by anyone.
synology_dsm_login_pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw== | ||
|
||
# NOTE: for passwords, use a base64 hash, in example: | ||
# ```echo -n use_a_strong_password_like_this | base64``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same note as somewhere else. Why base64? That isn’t secure when checking into version control. Better to use Ansible Vault: https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml
If the action_plugin is the only place which needs it in base64 isn’t it possible to encode it in the python file?
Are you planning on completing the task/vpnserver stuff? Otherwise it might be better to remove the empty files. FYI: I don’t need it as I have my vpn configured on pfSense. |
The suggestion I have is to put sensible defaults in place. The default should be the same as after a fresh installation. |
Support the following
logout
method.