This repository contains Ansible playbooks and roles to transform your RaspberryPi (or another system based on Debian/Ubuntu) into a NAS. At the very heart, the term NAS refers to an OpenSSH server to securely backup user data to:
- secure OpenSSH server to automatically backup files
- encrypted file transfer (SSH)
- key-based authentication (e.g. backupnas for UNIX clients, FreeFileSync for Windows clients)
- with all users created automatically and their SSH keys in place
- with
fail2banenabled
However, this playbook supports a variety of services (e.g. Samba, DLNA, Nextcloud) that can be plugged in by specifying one or more tags.
While most configuration options are hard-coded to fit the recommendations for the respective service, you can configure (among others):
- the users, their SSH keys and passwords (individually for all services)
- the storage locations (for SSH-based backups and the Nextcloud instance)
- which folders to expose via DLNA
- the mail account to use for notifications
mount: automatically mount an external hard drive to extent storage capabilitiescloud: Nextcloud server to upload and share files in a personal cloud- encrypted file transfer (HTTPS)
- automatically renewed SSL certificates (Let's Encrypt)
- Mozilla's intermediate SSL configuration (secure but aiming for compatibility)
- fully installed and configured
- including all required components and users
- applying performance recommendations and hardening
- encrypted file transfer (HTTPS)
samba: Samba server to access stored files from any desktop or mobile device- password authentication for users, optional guest shares
- unencrypted file transfer
dlna: DLNA server to access stored media files from smartTVs etc.- automatically discover and play videos and/or music
- unencrypted file transfer
mumble: Mumble server (aka. Murmur) for low-latency voice chatsddns: dynamic DNS update client- hourly (and on reboot) reports the device's IP address to DynV6, to have it accessible via a domain
auto-upgrade: keep installed software up-to-dateufw: firewall to restrict incoming traffic to the selected services (i.e. specified tags)
In order to apply this playbook to one of your machines, there are basically two steps required:
- configure the inventory to your needs
- Run the playbook:
-
Use the named tags to precisely choose which services to install, e.g. only Samba and Nextcloud:
ansible-playbook -i inventories/custom setup.yml --tags samba,nextcloud
-
Omit tags to install all available services:
ansible-playbook -i inventories/custom setup.yml
-
The inventory inventories/custom is intended to be used when running this playbook and can be fully adapted to your needs.
Within this inventory, you must adapt the first two files and should make use of the third, though it's not technically required:
| Path | Defines |
|---|---|
hosts.yml |
hosts that the playbook is running against |
group_vars/custom/vars.yml |
variables that are used in the playbook |
group_vars/custom/vault.yml |
vault for credential variables |
The hosts file hosts.yml defines the machine that will be configured by this playbook.
Simply edit the file and place your machine's address/hostname (e.g. pi3):
all:
children:
nas:
hosts:
pi3
All variables of this playbook that have to be customized are defined in the YAML file group_vars/custom/vars.yml.
There are additional variables that usually do not need to be changed but are included in the table below.
The variables are loosely structured by the different features that this playbook offers and should be quite self-explanatory already. The table below lists which variables are available for each feature. You only need to care about the variables of features that you are going to install.
| Role | Variable | Description |
|---|---|---|
| * | setup_user |
remote user to login and use for the setup process |
| * | nas.hostname |
desired hostname of the NAS |
| * | nas.user.name |
name of the artificial NAS user that is used for service tasks (will be created if missing) |
| * | backup_location |
path to store all user data at. defaults to the primary mount, if specified |
| * | sshd.allow_additional_users |
list of users that are allowed to SSH into the NAS, in addition to the individual users |
| * | sshd.enable_password_authentication |
flag to enable the password-based authentication for SSH clients (default: false). strongly discouraged, specify authorized keys per user instead |
| * | users |
list of individual users, each having a user name, an initial_password hash, a nextcloud_password and a samba_password (if the respective features are used). you may also specify a backup_folder_name (defaults to username) and additional group assignments (groups) on the OS level. you may as well specify a list of authorized_keys for passwordless SSH access |
| mount | mounts_base_dir |
directory for mount points for external storage devices |
| mount | mounts.primary.* |
primary mount point that all user data will be stored at, by default. mounted via the uuid field. use fstype and opts to specify the filesystem and options of the mount (defaults fit NTFS-formatted drives) |
| mount | mounts.secondary.* |
optional secondary mount point, that the primary mount point will be mirrored to (same configuration options available) |
| auto-upgrade, cloud | mailing.* |
server, user name, address, password and sender_name for the mail account to be used for sending mails (e.g. notifications, password resets) |
| auto-upgrade, cloud | mail_recipient |
recipient for administrator mails (e.g. performed upgrades) |
| cloud | nas.domain |
public domain to access the machine |
| cloud | dynv6.token |
token to update the current IP address of the NAS domain on DynV6 |
| samba | samba.internal_shares |
internal Samba shares, each having a name and a path, that are accessible with any account |
| samba | samba.public_shares |
public Samba shares, each having a name and a path, that are accessible even without an account |
| dlna | minidlna.* |
display_name to be shown in client devices, directories to list paths that should be accessible for clients |
| mumble | mumble.password |
password that is required by clients to connect (may be empty) |
An Ansible vault is a place for storing credentials and sensitive information alike in an encrypted manner. Please refer to the official documentation if you want to learn how to create and use one.
Using a vault is mandatory if you want to have your credentials under version control, for example. For simplicity, you may choose to not use a vault and assign your credentials to the variables of this playbook directly. However, you should always strongly consider to use a vault for security reasons.
NOTE: Instead of forwarding the relevant ports from your router to the NAS, you should strongly consider to use a VPN to avoid any unencrypted file transfer in the internet.
The NAS runs different services that operate on various ports. When operating the NAS behind a router (i.e. firewall), these ports have to be accessible.
In case you insist on using port forwarding, the following ports are used by the respective services:
| Service | TCP | UDP |
|---|---|---|
| Samba | 139, 445 | 137, 138 |
| OpenSSH | 22 | |
| Nextcloud | 80, 443 |
These are the default ports. Strongly-consider to expose the services at non-default ports to prevent the load and risk that is caused by bots. An execption are the ports 80 and 443, as they are required for the automatic certificate renewal.