Support more scenarios #1
Conversation
Ansible already executes the scripts from inside the host machines, which will always make the localhost to be the synology machine. Using the 127.0.0.1 instead of any supplied input saves from mistakenly using an unresolvable uri by synology thus avoid sending the GET request with the username and password in the URI to a foreign nslookup Also enable usage of a customized synology port through synology_dsm_port
Add logout, create user, delete user and many more webapi tasks. Structure the defaults into directories.
|
The main feedback that I have on this is that there's no way to disable the application of a bunch of this new configuration. For example, for the mail settings, there's no options other than disabling mail or actually configuring everything. I don't really have a good suggestion for how to implement the third option of leaving it alone, though. |
|
Keeping some settings untouched shall be done with a check for each setting whether it's configured for the task or not. Note: some options could be tricky, ie: password and __CiPhErTeXt, one and only of them is required for the user creation. |
| deny: false | ||
| custom: false | ||
| permissions: | ||
| - share_dir: "shared_dir1" |
There was a problem hiding this comment.
Is this correct? Shouldn’t this be a list of shares which the user should have access to?
The 3 mentioned shares seem like boilerplate shares.
| quotas_defaults: | ||
| quota: 0 | ||
| quotas: | ||
| - share_dir: "shared_dir1" |
| user_name: "{{ synology_dsm_new_user_name }}" | ||
| group_name: "{{ item }}" | ||
| with_list: | ||
| - group1 |
There was a problem hiding this comment.
Boilerplate? Shouldn’t this be configurable?
| @@ -0,0 +1,4 @@ | |||
| --- | |||
| synology_dsm_users_to_delete: | |||
| - "to_be_deleted_user1" | |||
There was a problem hiding this comment.
Preferably default this to an empty list:
synology_dsm_users_to_delete: []| @@ -0,0 +1,9 @@ | |||
| --- | |||
| synology_dsm_new_user_name: automated_user1 | |||
There was a problem hiding this comment.
Why not have this as e.g. a dict?
synology_dsm_users:
automated_user1:
description: Automatically created test user
email: ""
cnt_chg_pw: false
expired: normal
notify_by_email: false
send_pw: false
pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw==
automated_user2:
# etcMultiple users can be specified this way.
| "password": "{{ synology_dsm_new_user_pass | b64decode }}" | ||
| } | ||
| ] | ||
|
|
There was a problem hiding this comment.
If changing this to a list add:
loop: “{{ (synology_dsm_users | default({})) | dict2items }}”| "api": "SYNO.Core.User", | ||
| "method": "create", | ||
| "version": "1", | ||
| "name": "{{ synology_dsm_new_user_name }}", |
There was a problem hiding this comment.
With the loop added update this section:
"name": "{{ item.key }}",
"description": "{{ item.value.description }}",| "email": "{{ user_email }}", | ||
| "expired": "{{ user_expiration }}", | ||
| "cannot_chg_passwd": {{ user_cnt_chg_pw | to_json }}, | ||
| "password": "{{ user_pass | b64decode }}" |
There was a problem hiding this comment.
Why b64decode passwords? If it’s just to obscure the password I suggest to use Ansible Vault for storing the password in a variable (will be decrypted when running Ansible). Base64 can be decoded by anyone.
| synology_dsm_login_pass: dXNlX2Ffc3Ryb25nX3Bhc3N3b3JkX2xpa2VfdGhpcw== | ||
|
|
||
| # NOTE: for passwords, use a base64 hash, in example: | ||
| # ```echo -n use_a_strong_password_like_this | base64``` |
There was a problem hiding this comment.
Same note as somewhere else. Why base64? That isn’t secure when checking into version control. Better to use Ansible Vault: https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml
If the action_plugin is the only place which needs it in base64 isn’t it possible to encode it in the python file?
|
Are you planning on completing the task/vpnserver stuff? Otherwise it might be better to remove the empty files. FYI: I don’t need it as I have my vpn configured on pfSense. |
The suggestion I have is to put sensible defaults in place. The default should be the same as after a fresh installation. |
Support the following
logoutmethod.