typo

README.md

@@ -8,15 +8,15 @@ Ansible playbook for network vault.
 * How long the data will be kept depends on settings in rsnapshot.conf
 
 ## Use-Case:
-* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
+* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like disaster-recovery-plans, password databases, network-plans, contact-lists - all the data that should not be encrypted and you need in case of ransomware-attack to bootstrap youself.
 * When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
 * When sealing the vault, you can not access it over ssh any more, change settings, access system over network so no ransomware can to this either.
 * You should **NOT NOT NOT NOT** have a KVM-Console connected because this can be used to access the system over the network
-* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
+* Place this machine on something like an Intel NUC, paint it red and put it into a safe place where you have network connection.
 * Create any job to copy your DR-plans there regular.
 * It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date
 
-Varialbes:
+Variables:
 * networkvault_vault_password -> password for user to access shares
 * networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network
 
@@ -24,6 +24,9 @@ ToDo:
 * Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
 * Check diff-size and do some kind of alter
 * Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
-* Add more interfaces like WebDAV, FTP
+* Add more interfaces like WebDAV, FTP, email to receive data
 * Only reboot if required
-* check no unneeded ports open/block with firewall
+* check no unneeded ports open/block with firewall
+* encrypt harddrive
+* copy date on flash drive to have some kind of "rescue-dongle"
+* build checksums and signatures of data

handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart smbd
+  service:
+    name: smbd
+    state: restarted
+
+- name: restart cron
+  service:
+    name: cron
+    state: restarted

tasks/main.yml

@@ -30,6 +30,27 @@
       New SMB password: "{{ networkvault_vault_password }}"
       Retype new SMB password: "{{ networkvault_vault_password }}"
 
+- name: generate /etc/samba/smb.conf
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify:
+    - restart smbd
+
+- name: set permission for ro-share
+  file:
+    path: /var/cache/rsnapshot
+    mode: '0755'
+    state: directory
+    recurse: yes
+
+- name: generate /etc/rsnapshot.conf
+  template:
+    src: rsnapshot.conf.j2
+    dest: /etc/rsnapshot.conf
+  notify:
+    - restart cron
+
 - name: reboot at 6 in the morning to activate kernel-updates
   cron:
     name: "reboot"

templates/rsnapshot.conf.j2

@@ -12,7 +12,7 @@
 # CONFIG FILE VERSION #
 #######################
 
-config_version  1.2
+config_version	1.2
 
 ###########################
 # SNAPSHOT ROOT DIRECTORY #
@@ -20,7 +20,7 @@ config_version  1.2
 
 # All snapshots will be stored under this root directory.
 #
-snapshot_root   /var/cache/rsnapshot/
+snapshot_root	/var/cache/rsnapshot/
 
 # If no_create_root is enabled, rsnapshot will not automatically create the
 # snapshot_root directory. This is particularly useful if you are backing
@@ -37,16 +37,16 @@ snapshot_root   /var/cache/rsnapshot/
 #
 # See the README file or the man page for more details.
 #
-cmd_cp          /bin/cp
+cmd_cp	/bin/cp
 
 # uncomment this to use the rm program instead of the built-in perl routine.
 #
-cmd_rm          /bin/rm
+cmd_rm	/bin/rm
 
 # rsync must be enabled for anything to work. This is the only command that
 # must be enabled.
 #
-cmd_rsync       /usr/bin/rsync
+cmd_rsync	/usr/bin/rsync
 
 # Uncomment this to enable remote ssh backups over rsync.
 #
@@ -54,7 +54,7 @@ cmd_rsync       /usr/bin/rsync
 
 # Comment this out to disable syslog support.
 #
-cmd_logger      /usr/bin/logger
+cmd_logger	/usr/bin/logger
 
 # Uncomment this to specify the path to "du" for disk usage checks.
 # If you have an older version of "du", you may also want to check the
@@ -90,10 +90,10 @@ cmd_logger      /usr/bin/logger
 # e.g. alpha, beta, gamma, etc.         #
 #########################################
 
-retain  alpha   6
+retain	alpha	6
-retain  beta    7
+retain	beta	7
-retain  gamma   4
+retain	gamma	4
-retain delta   12
+retain	delta	12
 
 ############################################
 #              GLOBAL OPTIONS              #
@@ -107,13 +107,13 @@ retain delta   12
 # 4     Extra Verbose   Show extra verbose information
 # 5     Debug mode      Everything
 #
-verbose         2
+verbose	2
 
 # Same as "verbose" above, but controls the amount of data sent to the
 # logfile, if one is being used. The default is 3.
 # If you want the rsync output, you have to set it to 4
 #
-loglevel        3
+loglevel	3
 
 # If you enable this, data will be written to the file you specify. The
 # amount of data written is controlled by the "loglevel" parameter.
@@ -125,7 +125,7 @@ loglevel        3
 # If you enable this, make sure the lockfile directory is not world
 # writable. Otherwise anyone can prevent the program from running.
 #
-lockfile        /var/run/rsnapshot.pid
+lockfile	/var/run/rsnapshot.pid
 
 # By default, rsnapshot check lockfile, check if PID is running
 # and if not, consider lockfile as stale, then start
@@ -224,8 +224,8 @@ lockfile        /var/run/rsnapshot.pid
 ###############################
 
 # LOCALHOST
-#backup /home/          localhost/
+#backup /home/  localhost/
-#backup /etc/           localhost/
+#backup /etc/	localhost/
 #backup /usr/local/     localhost/
 
 #backup /var/log/rsnapshot              localhost/
@@ -251,4 +251,4 @@ lockfile        /var/run/rsnapshot.pid
 #backup rsync://rsync.samba.org/rsyncftp/       rsync.samba.org/rsyncftp/
 
 
-backup  /var/vault/     localhost/
+backup	/var/vault/	localhost/

templates/smb.conf.j2

@@ -245,11 +245,11 @@ create mask = 0755
 public = no
 
 [roshare]
-comment = Vault
+comment = Read Only Share
 path = /var/cache/rsnapshot
 browsable = yes
 guest ok = no
 read only = yes
 read list = vault
-create mask = 0755
+create mask = 0644
 public = no