typo

README.md

@@ -8,15 +8,15 @@ Ansible playbook for network vault.
 * How long the data will be kept depends on settings in rsnapshot.conf
 
 ## Use-Case:
-* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
+* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like disaster-recovery-plans, password databases, network-plans, contact-lists - all the data that should not be encrypted and you need in case of ransomware-attack to bootstrap youself.
 * When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
 * When sealing the vault, you can not access it over ssh any more, change settings, access system over network so no ransomware can to this either.
 * You should **NOT NOT NOT NOT** have a KVM-Console connected because this can be used to access the system over the network
-* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
+* Place this machine on something like an Intel NUC, paint it red and put it into a safe place where you have network connection.
 * Create any job to copy your DR-plans there regular.
 * It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date
 
-Varialbes:
+Variables:
 * networkvault_vault_password -> password for user to access shares
 * networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network
 
@@ -24,6 +24,9 @@ ToDo:
 * Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
 * Check diff-size and do some kind of alter
 * Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
-* Add more interfaces like WebDAV, FTP
+* Add more interfaces like WebDAV, FTP, email to receive data
 * Only reboot if required
 * check no unneeded ports open/block with firewall
+* encrypt harddrive
+* copy date on flash drive to have some kind of "rescue-dongle"
+* build checksums and signatures of data

handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart smbd
+  service:
+    name: smbd
+    state: restarted
+
+- name: restart cron
+  service:
+    name: cron
+    state: restarted

tasks/main.yml

@@ -30,6 +30,27 @@
       New SMB password: "{{ networkvault_vault_password }}"
       Retype new SMB password: "{{ networkvault_vault_password }}"
 
+- name: generate /etc/samba/smb.conf
+  template:
+    src: smb.conf.j2
+    dest: /etc/samba/smb.conf
+  notify:
+    - restart smbd
+
+- name: set permission for ro-share
+  file:
+    path: /var/cache/rsnapshot
+    mode: '0755'
+    state: directory
+    recurse: yes
+
+- name: generate /etc/rsnapshot.conf
+  template:
+    src: rsnapshot.conf.j2
+    dest: /etc/rsnapshot.conf
+  notify:
+    - restart cron
+
 - name: reboot at 6 in the morning to activate kernel-updates
   cron:
     name: "reboot"

templates/smb.conf.j2

@@ -245,11 +245,11 @@ create mask = 0755
 public = no
 
 [roshare]
-comment = Vault
+comment = Read Only Share
 path = /var/cache/rsnapshot
 browsable = yes
 guest ok = no
 read only = yes
 read list = vault
-create mask = 0755
+create mask = 0644
 public = no