Automating maintenance tasks with tools like Ansible can be a more efficient alternative to the potentially frustrating user interface of QNAP QTS. In this post, I’ll show you how to use Ansible to manage your QNAP NAS.

Note: This guide applies to QNAP NAS devices running QTS 5.1 or later. QTS versions before 5.1 do not support ED25519 SSH keys.

Prerequisite

To allow Ansible to communicate with the QNAP NAS, you need to enable SSH access. This can be done by navigating to Control Panel > Network & File Services > Telnet/SSH and ticking Allow SSH connection and Enable SFTP.

If you are using a dedicated user account for Ansible (this user needs to be in the administrators group), make sure SSH access is enabled for that account as well. You can enable it by navigating to Control Panel > Network & File Services > Telnet/SSH > edit Access Permission > tick the user account > Apply.

Configure Ansible to manage QNAP NAS

    qnap:
      hosts:
        stor:
        bkup:
      vars:
        ansible_user: ansible
        ansible_ssh_private_key_file: ~/.ssh/ansible_ed25519
        ansible_become_user: admin
        ansible_become_password: "{{ lookup('hashi_vault',
                         'secret/data/ansible_user
                          token={0}
                          url=https://{1}'.format(vault_token,vault_addr)).password }}"
        ansible_python_interpreter: /opt/python3/bin/python3

This example Ansible inventory in YAML format defines the hosts for the ‘qnap’ group. It specifies the hosts ‘stor’ and ‘bkup’ and sets the variables for the group:

  1. The ‘ansible_user’ variable is set to ‘ansible’.
  2. The ‘ansible_ssh_private_key_file’ variable is set to use the ED25519 SSH key for authentication. ED25519 SSH keys are supported by QNAP QTS 5.1 or later.
  3. The ‘ansible_become_user’ variable is set to ‘admin’. This is mandatory for QNAP NAS.
  4. The ‘ansible_become_password’ variable is set to retrieve the password from HashiCorp Vault using the ‘hashi_vault’ lookup plugin.
  5. The ‘ansible_python_interpreter’ variable is set to the path of the Python interpreter on the QNAP NAS.

Use Ansible to deploy a Let’s Encrypt certificate

    # Render the key + certificate bundle onto the NAS
    - name: Deploy stunnel certificates
      template:
        src: "stunnel.pem.j2"
        dest: "/etc/config/stunnel/stunnel.pem"
      become: true

    # Restart every service that reads the bundle so it loads the new certificate
    - name: Restart stunnel
      ansible.builtin.shell: /etc/init.d/stunnel.sh restart

    - name: Stop reverse_proxy
      ansible.builtin.shell: /etc/init.d/reverse_proxy.sh stop

    - name: Start reverse_proxy
      ansible.builtin.shell: /etc/init.d/reverse_proxy.sh start

    - name: Restart Qthttpd
      ansible.builtin.shell: /etc/init.d/Qthttpd.sh restart

    - name: Restart thttpd
      ansible.builtin.shell: /etc/init.d/thttpd.sh restart

The above Ansible tasks deploy the Let’s Encrypt certificate to the QNAP NAS and restart the associated services so that they load the new certificate.

The template file stunnel.pem.j2 contains the content of the certificate and the private key:

    {{ stunnel_key }}

    {{ stunnel_crt }}
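A hardened variant of the deployment tasks above, as an added example that is not part of the original post: it refuses to write an empty or malformed bundle, keeps the private key out of Ansible's output, and restarts services only when the file actually changed. The play layout, the `Reload TLS services` handler topic, the `owner`/`mode` values and the use of `command` instead of `shell` are assumptions; compare the mode with the existing file on your NAS before tightening it.

```yaml
# Added example, not from the original post. Assumptions are marked inline.
- name: Deploy TLS certificate bundle to QNAP NAS
  hosts: qnap
  become: true                     # assumption: escalate for every task and handler
  tasks:
    - name: Refuse to deploy an empty or malformed bundle
      ansible.builtin.assert:
        that:
          - "stunnel_key is search('-----BEGIN [A-Z ]*PRIVATE KEY-----')"
          - "stunnel_crt is search('-----BEGIN CERTIFICATE-----')"
        quiet: true
      no_log: true                 # the variables hold key material

    - name: Deploy stunnel certificates
      ansible.builtin.template:
        src: "stunnel.pem.j2"
        dest: "/etc/config/stunnel/stunnel.pem"
        owner: admin               # assumption: services read the file as admin
        mode: "0600"               # assumption: owner-only access works on your QTS build
      no_log: true                 # keep the rendered private key out of logs and diffs
      notify: Reload TLS services  # handlers fire only when the file changed

  handlers:                        # run once, in this order, at the end of the play
    - name: Restart stunnel
      ansible.builtin.command: /etc/init.d/stunnel.sh restart
      listen: Reload TLS services

    - name: Stop reverse_proxy
      ansible.builtin.command: /etc/init.d/reverse_proxy.sh stop
      listen: Reload TLS services

    - name: Start reverse_proxy
      ansible.builtin.command: /etc/init.d/reverse_proxy.sh start
      listen: Reload TLS services

    - name: Restart Qthttpd
      ansible.builtin.command: /etc/init.d/Qthttpd.sh restart
      listen: Reload TLS services

    - name: Restart thttpd
      ansible.builtin.command: /etc/init.d/thttpd.sh restart
      listen: Reload TLS services
```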