From ce14de76cf2974dce375336dd707a77cb1aafe61 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 28 Oct 2020 02:39:46 +0100 Subject: [PATCH] Update.. --- group_vars/all/main.yml | 147 +- roles/common/tasks/apt.yml | 20 +- roles/common/tasks/basic.yml | 6 +- roles/common/tasks/cups-install.yml | 2 +- roles/common/tasks/luks.yml | 6 + roles/common/tasks/main.yml | 60 +- roles/common/tasks/nis-user-systemfiles.yml | 94 -- roles/common/tasks/nis-user.yml | 17 +- roles/common/tasks/ntp.yml | 6 +- ...les_scripts.yml => root-files-scripts.yml} | 0 roles/common/tasks/samba-install.yml | 132 +- roles/common/tasks/samba-remove-user.yml | 57 + roles/common/tasks/samba-user.yml | 53 - roles/common/tasks/sshd.yml | 1 + .../tasks/{user.yml => system-user.yml} | 20 +- .../common/tasks/ubuntu-x11vnc-1604-amd64.yml | 63 + .../common/tasks/ubuntu-x11vnc-1804-amd64.yml | 48 + roles/common/templates/etc/exports.j2 | 2 +- roles/common/templates/etc/samba/smb.conf.j2 | 73 +- .../templates/etc/samba/smb.conf.j2.BAK | 1292 ++++------------- .../lib/systemd/system/x11vnc.service.j2 | 10 + .../bin/samba/conf/clean_samba_trash.conf.j2 | 40 + .../conf/set_permissions_samba_shares.conf.j2 | 33 + tatus | 394 ----- 24 files changed, 923 insertions(+), 1653 deletions(-) create mode 100644 roles/common/tasks/luks.yml rename roles/common/tasks/{root_files_scripts.yml => root-files-scripts.yml} (100%) create mode 100644 roles/common/tasks/samba-remove-user.yml rename roles/common/tasks/{user.yml => system-user.yml} (71%) create mode 100644 roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml create mode 100644 roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml create mode 100644 roles/common/templates/lib/systemd/system/x11vnc.service.j2 create mode 100644 roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 create mode 100644 roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 delete mode 100644 tatus 
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index d8d35dc..5e40708 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,4 +1,3 @@ - --- @@ -15,9 +14,9 @@ locales: set_default_limit_nofile: false -# --- +# ========== # vars used by roles/common/tasks/sshd.yml -# --- +# ========== sshd_ports: - 22 @@ -73,7 +72,6 @@ sshd_use_dns: !!str "no" sshd_allowed_users: {} - # ========== # vars used by roles/common/tasks/apt.yml # ========== @@ -698,41 +696,24 @@ nfs_exports: - src: 192.168.82.10:/data/home path: /data/home mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr - export_opt: rw,fsid=0,root_squash,sync,subtree_check + export_opt: rw,root_squash,sync,subtree_check export_networks: - 192.168.82.0/24 - 10.0.82.0/24 - 10.1.82.0/24 - 192.168.63.0/24 - fs_encrypted: false + use_fsid_option: true - src: 192.168.82.10:/data/samba path: /data/samba mount_opts: user,exec,rsize=8192,wsize=8192,hard,intr - export_opt: rw,fsid=1,root_squash,sync,subtree_check + export_opt: rw,root_squash,sync,subtree_check export_networks: - 192.168.82.0/24 - 10.0.82.0/24 - 10.1.82.0/24 - 192.168.63.0/24 - fs_encrypted: false - - -# ========== -# vars used by roles/common/tasks/samba-install.yml -# ========== - -apt_install_server_samba: - - samba - - nscd - -# - winbind - -apt_install_client_samba: - - samba-client - - samba-common - -samba_server: file-akb.akb.netz + use_fsid_option: true # ========== @@ -926,10 +907,8 @@ pureftpd_tls_certificate_openssl: # unit: '' - - # ========== -# vars used by roles/common/tasks/user.yml +# vars used by roles/common/tasks/system-user.yml # ========== # ! Notice ! 
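Review bot: Dropping the explicit `fsid=0` from the `/data/home` export in hunk `@@ -698` hands fsid assignment to exports.j2, and the template hunk in this commit computes it as `count.nfs_exports + 10` before the loop, so the first export no longer renders `fsid=0` unless the counter is initialised to -10 somewhere outside the visible hunk. An NFSv4 pseudo-root needs exactly one export with `fsid=0`, so if clients mount over NFSv4, confirm the rendered `/etc/exports` still contains it. A comment next to the new key would make the coupling explicit, e.g. `use_fsid_option: true  # fsid is generated by exports.j2 from the export's position; first export must render as fsid=0 for NFSv4`.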
@@ -1122,6 +1101,42 @@ nis_user: password: '20-birgit_20%' +# ========== +# vars used by roles/common/tasks/samba-install.yml +# ========== + +apt_install_server_samba: + - samba + - nscd + +# - winbind + +apt_install_client_samba: + - samba-client + - samba-common + +samba_server: file-akb.akb.netz + +samba_cronjob_trash_dirs: + name: Clean up Samba Trash Dirs + minute: "11" + hour: "23" + day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/clean_samba_trash.sh" + +samba_cronjob_permissions: + name: Set (group and access) Permissons for Samba shares + minute: "0-59/30" + hour: "*" + day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/set_permissions_samba_shares.sh" + # ========== # vars used by roles/common/tasks/samba-user.yml # ========== @@ -1130,7 +1145,7 @@ nis_user: # # variables used from other previos sections: # -# - remove_system_users: roles/common/tasks/user.yml +# - remove_system_users: roles/common/tasks/system-user.yml # - remove_nis_users: roles/common/tasks/nis-install-server.yml # - nis_user: roles/common/tasks/nis-install-server.yml @@ -1145,11 +1160,19 @@ nis_user: # # - nis_user: roles/common/tasks/nis-install-server.yml + +samba_workgroup: AKB +samba_netbios_name: FILE-AKB + samba_shares: - name: Transfer path: /data/samba/Transfer group_valid_users: transfer group_write_list: transfer + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - anna - buero @@ -1165,6 +1188,10 @@ samba_shares: path: /data/samba/Verwaltung group_valid_users: verwaltung group_write_list: verwaltung + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - anna - jonas 
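Review bot: `samba_cronjob_permissions.name` carries the typo `Permissons`; the cron module uses `name` as the marker comment that identifies the job, so correcting it later leaves the old entry in the crontab and creates a second one, which is why it is worth fixing now: `name: Set (group and access) Permissions for Samba shares`. The two cron blocks also mix quoting styles (`weekday: '*'` next to `hour: "23"`); `weekday: "*"` keeps them uniform. The hunk's context line shows a cleartext `nis_user` password in group_vars; that predates this commit, but keeping those values in ansible-vault would take them out of plain text in the repository.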
@@ -1182,6 +1209,10 @@ samba_shares: path: /data/samba/Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - anna - buero 
@@ -1198,54 +1229,90 @@ samba_shares: path: /data/samba/Scans/Buero_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - buero - name: Frauke_Scans path: /data/samba/Scans/Frauke_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - frauke - name: FSJ_Scans path: /data/samba/Scans/FSJ_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - fsj - name: Jibran_Scans path: /data/samba/Scans/Jibran_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - jibran - name: Julia_Scans path: /data/samba/Scans/Julia_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - julia - name: Maica_scans path: /data/samba/Scans/Maica_scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - maica - name: Thomas_Scans path: /data/samba/Scans/Thomas_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - thomas - name: Birgit_Scans path: /data/samba/Scans/Birgit_Scans group_valid_users: scans group_write_list: scans + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' user: - birgit - name: Kamera path: /data/samba/Kamera group_valid_users: intern group_write_list: intern + file_create_mask: '0660' + 
dir_create_mask: '2770' + vfs_object_recycle: false + recycle_path: '@Recycle.Bin' user: - anna - buero @@ -1259,6 +1326,10 @@ samba_shares: path: /data/samba/Install group_valid_users: intern group_write_list: intern + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: false + recycle_path: '@Recycle.Bin' user: - anna - buero @@ -1271,7 +1342,18 @@ samba_shares: # ========== -# vars used by roles/common/tasks/user-systemfiles.yml +# vars used by roles/common/tasks/system-user-systemfiles.yml +# ========== + +# ! Notice ! +# +# variables used from other previos sections: +# +# - system_users: roles/common/tasks/system-user.yml + + +# ========== +# vars used by roles/common/tasks/nis-user-systemfiles.yml # ========== # ! Notice ! @@ -1281,7 +1363,6 @@ samba_shares: # - nis_user: roles/common/tasks/nis-install-server.yml - # ========== # vars used by roles/common/tasks/sudoers-pc.yml # ========== @@ -1329,7 +1410,6 @@ sudoers_pc_file_cmnd_aliases: sudoers_pc_file_runas_aliases: [] - # ========== # vars used by roles/common/tasks/sudoers-server.yml # ========== @@ -1410,6 +1490,9 @@ sudoers_server_file_user_privileges: [] sudoers_server_file_group_privileges: [] +# ==================== +# ==================== +# ==================== # ========== # vars used by roles/ansible_dependencies diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index 77fd1c4..d774700 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml @@ -14,6 +14,7 @@ tags: - apt-configuration + - name: (apt.yml) apt update apt: update_cache: true @@ -28,6 +29,7 @@ - apt-compiler-pkgs - apt-webserver-pkgs + - name: (apt.yml) dpkg --configure command: > dpkg --configure -a @@ -43,6 +45,7 @@ - apt-compiler-pkgs - apt-webserver-pkgs + - name: (apt.yml) apt upgrade apt: upgrade: "{{ apt_upgrade_type }}" 
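Review bot: The three `# ====================` lines added ahead of the `roles/ansible_dependencies` section in hunk `@@ -1410` read like a leftover separator rather than a heading; every other section in this file uses a single `# ==========` line above its `# vars used by ...` comment. Either drop them or replace them with one line that says what the boundary is, e.g. `# ========== end of roles/common vars ==========`.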
@@ -56,6 +59,7 @@ - apt-compiler-pkgs - apt-webserver-pkgs + - name: (apt.yml) Initial install debian packages (stretch) apt: name: "{{ apt_initial_install_stretch }}" @@ -66,6 +70,7 @@ tags: - apt-initial-install + - name: (apt.yml) Initial install debian packages (buster) apt: name: "{{ apt_initial_install_buster }}" @@ -76,6 +81,7 @@ tags: - apt-initial-install + - name: (apt.yml) Initial install ubuntu packages (bionic) apt: name: "{{ apt_initial_install_bionic }}" @@ -96,6 +102,7 @@ tags: - apt-initial-install + # --- # Microcode # --- @@ -114,6 +121,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch) apt: name: "{{ microcode_amd_package }}" @@ -129,6 +137,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for Intel CPU (debian buster) apt: name: "{{ microcode_intel_package }}" @@ -142,6 +151,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for AMD CPU (debian buster) apt: name: "{{ microcode_amd_package }}" @@ -156,6 +166,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic) apt: name: "{{ microcode_intel_package }}" @@ -169,6 +180,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic) apt: name: "{{ microcode_amd_package }}" @@ -183,6 +195,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial) apt: name: "{{ microcode_intel_package }}" @@ -196,6 +209,7 @@ - apt-initial-install - apt-microcode + - name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial) apt: name: "{{ microcode_amd_package }}" @@ -223,6 +237,7 @@ - apt-initial-install - apt-firmware + - name: (apt.yml) Install non-free Firmware packages apt: name: "{{ firmware_non_free_packages }}" 
@@ -256,8 +271,6 @@ - apt-autoremove - apt-initial-install - apt-microcode - - apt-compiler-pkgs - - apt-webserver-pkgs - name: (apt.yml) clean command: apt-get -y clean @@ -269,6 +282,3 @@ - apt-clean - apt-initial-install - apt-microcode - - apt-compiler-pkgs - - apt-mysql-server-pkgs - - apt-webserver-pkgs diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml index d58b47d..6ec39a0 100644 --- a/roles/common/tasks/basic.yml +++ b/roles/common/tasks/basic.yml @@ -14,6 +14,7 @@ tags: - locales + - name: (basic.yml) Create a symbolic link /bin/sh -> bash file: src: bash @@ -26,6 +27,7 @@ tags: - symlink-sh + - name: (basic.yml) Check file '/etc/systemd/system.conf' exists stat: path: /etc/systemd/system @@ -33,6 +35,7 @@ when: - set_default_limit_nofile|bool == true + - name: (basic.yml) Change DefaultLimitNOFILE to 1048576 lineinfile: dest: /etc/systemd/system.conf @@ -60,6 +63,7 @@ tags: - limits-conf + - name: (basic.yml) Create new sshd_config from template limits.conf.j2 template: src: etc/security/limits.conf.j2 @@ -92,7 +96,7 @@ - name: (basic.yml) addjust '/etc/hosts' add nis-server .. lineinfile: path: /etc/hosts - regexp: '^192\.168\.82\.' + regexp: '^192\.168\.' line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}' when: - "groups['nis_server']|string is search(inventory_hostname)" diff --git a/roles/common/tasks/cups-install.yml b/roles/common/tasks/cups-install.yml index 2e82e8f..0a5e777 100644 --- a/roles/common/tasks/cups-install.yml +++ b/roles/common/tasks/cups-install.yml @@ -33,7 +33,7 @@ # -- file /etc/cups/cups-browsed.conf -- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIGi' exists +- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIG' exists stat: path: /etc/cups/cups-browsed.conf.ORIG register: cups_browsed_conf_orig_exists diff --git a/roles/common/tasks/luks.yml b/roles/common/tasks/luks.yml new file mode 100644 index 0000000..2905035 --- /dev/null 
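Review bot: Widening the lineinfile regexp in basic.yml from `'^192\.168\.82\.'` to `'^192\.168\.'` means any `/etc/hosts` line starting with a 192.168.x address is treated as the NIS-server entry and rewritten (lineinfile replaces the last match), so an unrelated private-network host entry can be silently overwritten. If the intent is to find the entry regardless of which address the NIS server currently has, anchor on the host name instead: `regexp: '^\S+\s+{{ nis_server_name }}(\s|$)'`, or build the pattern from `nis_server_address`. The task's `when` list continues outside the hunk.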
+++ b/roles/common/tasks/luks.yml @@ -0,0 +1,6 @@ +- name: (luks.ym) add new key to the LUKS container (container has to exist) + luks_device: + device: "{{ luks_device }}" + keyfile: "{{ role_path + '/files/vault/luks_default_passwd' }}" + new_keyfile: "{{ role_path + '/files/vault/luks_chris_passwd' }}" + diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 726b54b..91d10c1 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -47,6 +47,7 @@ tags: - ntp + # tags supported inside cups-install.yml: # # cups-server @@ -55,7 +56,8 @@ tags: - cups -# tags supported inside cups-install.yml: + +# tags supported inside pure-ftpd-install.yml: # - import_tasks: pure-ftpd-install.yml when: @@ -63,6 +65,7 @@ tags: - pure-ftpd + # tags supported inside nfs.yml: # # nfs-server @@ -78,13 +81,21 @@ # samba-client - import_tasks: samba-install.yml tags: + - samba-install - samba -# tags supported inside user.yml: +# tags supported inside samba-remove-user.yml: +# +- import_tasks: samba-remove-user.yml + tags: + - samba-remove-user + + +# tags supported inside system-user.yml: # # system-user -- import_tasks: user.yml +- import_tasks: system-user.yml when: "groups['file_server']|string is search(inventory_hostname)" tags: - system-user @@ -102,7 +113,7 @@ # tags supported inside nis-user.yml: # -# system-user +# nis-user - import_tasks: nis-user.yml when: "groups['nis_server']|string is search(inventory_hostname)" tags: @@ -127,6 +138,7 @@ tags: - nis-samba-user + # tags supported inside mount_samba_shares.yml: # - import_tasks: mount_samba_shares.yml @@ -155,12 +167,13 @@ when: "groups['nis_server']|string is search(inventory_hostname)" tags: - user-systemfiles + - nis-user-systemfiles -# tags supported root_files_scripts.yml: +# tags supported root-files-scripts.yml: # wakeup_lan -- import_tasks: root_files_scripts.yml +- import_tasks: root-files-scripts.yml tags: - root-files-scripts 
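Review bot: In the new luks.yml task, `keyfile` and `new_keyfile` are built from `role_path`, which is a control-node path, while `luks_device` runs on the managed host and reads keyfiles there, so unless the play targets localhost the files will not be found. Copying the keyfiles to a root-only temporary location first, or using the module's `passphrase`/`new_passphrase` parameters with vaulted variables where the installed module version supports them, avoids that; the task also never calls `remove_keyfile`, so the container stays openable with `luks_default_passwd` after the new key is added. The task name reads `(luks.ym)` instead of `(luks.yml)`, and it has no `tags`, unlike every other task file in the role.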
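Review bot: The new `import_tasks: samba-remove-user.yml` in main.yml (hunk `@@ -78`) has no `when`, whereas the neighbouring `system-user.yml` import is limited to `groups['file_server']`; the imported file runs `pdbedit` and `smbpasswd`, which fail on hosts without a Samba server. Restricting it with the same condition samba-install.yml already uses, `when: "groups['samba_server']|string is search(inventory_hostname)"`, keeps the play from running Samba commands on clients.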
@@ -175,6 +188,7 @@ tags: - sudoers + # tags supported inside sudoers-server.yml: # # sudoers-remove @@ -185,3 +199,37 @@ tags: - sudoers + +# Tasks: Configure VNC (x11vnc) for Ubuntu systems +# +# Supported OS: +# - Ubuntu 16.04LTSi +# - Ubuntu 18.04LTSi + +- name: "For OS: Ubuntu 16.04LTS, Arch: amd64" + import_tasks: ubuntu-x11vnc-1604-amd64.yml + when: + - ansible_distribution_version == "16.04" + - ansible_architecture == "x86_64" + tags: + - x11vnc + - x11vnc-1604 + - finish-client-install + + +- name: "For OS: Ubuntu 18.04LTS, Arch: amd64" + import_tasks: ubuntu-x11vnc-1804-amd64.yml + when: + - ansible_distribution_version == "18.04" + - ansible_architecture == "x86_64" + tags: + - x11vnc + - x11vnc-1804 + - finish-client-install + + +#- name: "Configure LUKS" +# import_tasks: luks.yml +# when: "groups['client_pc']|string is search(inventory_hostname)" +# tags: +# - luks diff --git a/roles/common/tasks/nis-user-systemfiles.yml b/roles/common/tasks/nis-user-systemfiles.yml index 16bfa06..cfb64e2 100644 --- a/roles/common/tasks/nis-user-systemfiles.yml +++ b/roles/common/tasks/nis-user-systemfiles.yml @@ -12,11 +12,6 @@ label: '{{ item.name }}' register: local_template_dir_nis_user -# root -- name: (nis-user-systemfiles.yml) Check if local template directory exists for root - local_action: stat path={{ inventory_dir }}/files/homedirs/root - register: local_template_dir_root - # -- # Copy .profile 
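Review bot: The two new x11vnc imports are gated only on `ansible_distribution_version` and `ansible_architecture`, so a non-Ubuntu host reporting version `16.04` or `18.04` would receive the Ubuntu-specific tasks; adding `- ansible_distribution == "Ubuntu"` to each `when` list makes the "Supported OS" comment enforceable. The header comment also reads `16.04LTSi`/`18.04LTSi`, presumably meant as `16.04 LTS`/`18.04 LTS`.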
@@ -73,32 +68,6 @@ tags: - profile -# -- root user -- name: (nis-user-systemfiles.yml) Check if file '/root/.profile.ORIG' exists - stat: - path: /root/.profile.ORIG - register: profile_root_orig_exists - tags: - - profile - -- name: (nis-user-systemfiles.yml) Backup existing users .profile file - command: cp -a /root/.profile /root/.profile.ORIG - when: profile_root_orig_exists.stat.exists == False - tags: - - profile - -- name: (nis-user-systemfiles.yml) copy .profile for user root - copy: - src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}" - dest: "/root/.profile" - owner: root - group: root - mode: 0644 - when: - - local_template_dir_root.stat.exists - - lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') - tags: - - profile # -- # Copy .bashrc @@ -154,32 +123,6 @@ tags: - bashrc -# -- root user -- name: (nis-user-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists - stat: - path: /root/.bashrc.ORIG - register: bashrc_root_orig_exists - tags: - - bash - -- name: (nis-user-systemfiles.yml) Backup /root/.bashrc file - command: cp /root/.bashrc /root/.bashrc.ORIG - when: bashrc_root_orig_exists.stat.exists == False - tags: - - bash - -- name: (nis-user-systemfiles.yml) copy .bashrc for user root - copy: - src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}" - dest: "/root/.bashrc" - owner: root - group: root - mode: 0644 - when: - - local_template_dir_root.stat.exists - - lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') - tags: - - bash # -- # Copy .vimrc 
@@ -238,40 +181,3 @@ tags: - vimrc - -- name: (nis-user-systemfiles.yml) copy .vimrc for user root - copy: - src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}" - dest: "/root/.vimrc" - owner: root - group: root - mode: 0644 - when: - - local_template_dir_root.stat.exists - - lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') - tags: - - vimrc - -- name: (nis-user-systemfiles.yml) Check if local template directory .vim exists for user root - local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim - register: local_template_dir_vim_root - with_items: 'root' - loop_control: - label: 'root' - -- name: (nis-user-systemfiles.yml) copy .vim directory for user root if it exists - copy: - src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}" - dest: "/root" - owner: "root" - group: "root" - mode: 0644 - with_items: "{{ local_template_dir_vim_root.results }}" - loop_control: - label: 'root' - when: - - item.stat.exists - tags: - - vim - - diff --git a/roles/common/tasks/nis-user.yml b/roles/common/tasks/nis-user.yml index b61868f..5077d53 100644 --- a/roles/common/tasks/nis-user.yml +++ b/roles/common/tasks/nis-user.yml 
@@ -48,25 +48,20 @@ #- meta: end_host -- name: (nis_user.yml) Check if nis (system) user exists - shell: "getent passwd {{ item.name }}" - register: nis_user_exists - changed_when: "nis_user_exists.rc == 2" - failed_when: "nis_user_exists.rc > 2" - loop: "{{ nis_user }}" - loop_control: - label: '{{ item.name }}' - ignore_errors: true +- name: (nis_user.yml) Get database of nis (system) users + getent: + database: passwd tags: - nis-user - system-user -- name: (nis_user.yml) Add nis (system) users +- name: (nis_user.yml) Add nis (system) users if not yet exists.. shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'" loop: "{{ nis_user }}" loop_control: label: '{{ item.name }}' - when: nis_user_exists is changed + when: + - item.name not in getent_passwd notify: Renew nis databases tags: - nis-user diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index cb28fd4..fe4e977 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml @@ -11,7 +11,7 @@ state: present when: - ansible_os_family == "Debian" - - "groups['file_server']|string is search(inventory_hostname)" + - groups['file_server']|string is search(inventory_hostname) tags: - ntp-server @@ -20,14 +20,14 @@ path: /etc/ntp.conf.ORIG register: etc_ntp_conf_ORIG when: - - "groups['file_server']|string is search(inventory_hostname)" + - groups['file_server']|string is search(inventory_hostname) tags: - ntp-server - name: (ntp.yml) Backup installation version of file '/etc/ntp.conf' command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG when: - - "groups['file_server']|string is search(inventory_hostname)" + - groups['file_server']|string is search(inventory_hostname) - etc_ntp_conf_ORIG.stat.exists == False tags: - ntp-server diff --git a/roles/common/tasks/root_files_scripts.yml b/roles/common/tasks/root-files-scripts.yml similarity index 100% rename from roles/common/tasks/root_files_scripts.yml rename to roles/common/tasks/root-files-scripts.yml 
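Review bot: The `Add nis (system) users` task in nis-user.yml, whose `when` this hunk rewrites, passes `item.password` on the shell command line and has no `no_log`, so a verbose run or a failed iteration prints the password in the play output; `no_log: true` on the task closes that (the `loop_control` label only hides it from the per-item line, not from failure messages). The same applies to the equivalent task in the system-user.yml hunk. The `getent` replacement itself is an improvement over the per-user shell loop: `getent_passwd` is keyed by user name, so `item.name not in getent_passwd` is the right test.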
diff --git a/roles/common/tasks/samba-install.yml b/roles/common/tasks/samba-install.yml index 524f379..1630662 100644 --- a/roles/common/tasks/samba-install.yml +++ b/roles/common/tasks/samba-install.yml @@ -13,6 +13,20 @@ tags: - samba-server +- name: (samba-install.yml) Ensure samba share directories exists + file: + path: "{{ item.path }}" + owner: "root" + group: "{{ item.group_write_list }}" + mode: '2770' + state: directory + with_items: "{{ samba_shares }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-shares + + # --- # /etc/samba/smb.conf # --- @@ -35,22 +49,6 @@ - samba-server -- name: (samba-install.yml) Ensure file /etc/samba/users.map exists - copy: - src: "{{ role_path + '/files//etc/samba/users.map' }}" - dest: /etc/samba/users.map - owner: root - group: root - mode: 0644 - when: - - "groups['samba_server']|string is search(inventory_hostname)" - notify: - - Restart smbd - - Restart nmbd - tags: - - samba-server - - - name: (samba-install.yml) /etc/samba/smb.conf template: dest: /etc/samba/smb.conf 
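Review bot: The new `Ensure samba share directories exists` task hard-codes `mode: '2770'` although this commit adds a per-share `dir_create_mask` to every `samba_shares` entry; `mode: "{{ item.dir_create_mask | default('2770') }}"` keeps the directory mode and the share's create mask from drifting apart. It also sets `group: "{{ item.group_write_list }}"`, which requires those groups to exist before samba-install.yml runs; whether samba-user.yml runs first is not visible here, so a comment such as `# the group_write_list groups must already exist (samba-user.yml)` would record the ordering assumption. The task is tagged `samba-shares` only, while the surrounding tasks use `samba-server`, so a `--tags samba-server` run templates smb.conf without creating the directories.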
@@ -67,6 +65,106 @@ - samba-server +- name: (samba-install.yml) Ensure file /etc/samba/users.map exists + copy: + src: "{{ role_path + '/files/etc/samba/users.map' }}" + dest: /etc/samba/users.map + owner: root + group: root + mode: 0644 + when: + - "groups['samba_server']|string is search(inventory_hostname)" + notify: + - Restart smbd + - Restart nmbd + tags: + - samba-server + + +# --- +# Cronjob for cleaning up samba trash dirs +# --- + +- name: (samba-install.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists + stat: + path: /root/bin/samba/clean_samba_trash.sh + register: clean_samba_trash_exists + +- name: (samba-install.yml) Adjust configuration for script 'clean_samba_trash.sh' + template: + dest: /root/bin/samba/conf/clean_samba_trash.conf + src: root/bin/samba/conf/clean_samba_trash.conf.j2 + when: + - clean_samba_trash_exists.stat.exists|bool + tags: + - samba-server + + +- name: Check if cleaning up trash dirs is configured + lineinfile: + path: /root/bin/samba/conf/clean_samba_trash.conf + regexp: "^trash_dirs=*" + state: absent + check_mode: yes + changed_when: false + register: clean_samba_trash_dirs + +- name: Creates a cron job for cleaning up samba trash dirs + cron: + name: '{{ samba_cronjob_trash_dirs.name }}' + minute: '{{ samba_cronjob_trash_dirs.minute }}' + hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}" + day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}" + month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}" + weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}" + user: "{{ samba_cronjob_trash_dirs.user | default('root') }}" + job: "{{ samba_cronjob_trash_dirs.job }}" + when: + - clean_samba_trash_dirs.found + + +# --- +# Cronjob for setting permissions on samba shares +# --- + +- name: (samba-install.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists + stat: + path: /root/bin/samba/set_permissions_samba_shares.sh + register: 
set_permissions_on_samba_shares_exists + +- name: (samba-install.yml) Adjust configuration for script 'set_permissions_samba_shares.sh' + template: + dest: /root/bin/samba/conf/set_permissions_samba_shares.conf + src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2 + when: + - set_permissions_on_samba_shares_exists.stat.exists|bool + tags: + - samba-server + + +- name: Check if cleaning up trash dirs is configured + lineinfile: + path: /root/bin/samba/conf/clean_samba_trash.conf + regexp: "^trash_dirs=*" + state: absent + check_mode: yes + changed_when: false + register: set_permissions_samba_shares + +- name: Creates a cron job for cleaning up samba trash dirs + cron: + name: '{{ samba_cronjob_permissions.name }}' + minute: '{{ samba_cronjob_permissions.minute }}' + hour: "{{ samba_cronjob_permissions.hour | default('*') }}" + day: "{{ samba_cronjob_permissions.day | default('*') }}" + month: "{{ samba_cronjob_permissions.month| default('*') }}" + weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}" + user: "{{ samba_cronjob_permissions.user | default('root') }}" + job: "{{ samba_cronjob_permissions.job }}" + when: + - set_permissions_samba_shares.found + + # --- # Samba clients # --- @@ -81,5 +179,3 @@ tags: - samba-client - - diff --git a/roles/common/tasks/samba-remove-user.yml b/roles/common/tasks/samba-remove-user.yml new file mode 100644 index 0000000..a246c4e --- /dev/null +++ b/roles/common/tasks/samba-remove-user.yml 
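Review bot: In the trash-dir cron task, `day`, `month` and `weekday` are read from `samba_cronjob_trash_dirs.hour.day` and friends; `hour` is the string `"23"`, so these lookups are undefined and `default('*')` silently turns all three into `*`, ignoring the values in group_vars (the permissions task below it uses the correct `.day`/`.month`/`.weekday` path). The second `lineinfile` check is a copy of the first — it still inspects `clean_samba_trash.conf` for `^trash_dirs=` and is named after trash dirs — so the permissions cron job is created based on the trash configuration rather than on `set_permissions_samba_shares.conf`; the regexp `^trash_dirs=*` also means "zero or more `=`" and should be `^trash_dirs=`. The `stat`, `lineinfile` and `cron` tasks carry no `tags` while the templates they gate are tagged `samba-server`, so a `--tags samba-server` run skips the checks and the `when: clean_samba_trash_dirs.found` conditions then reference an undefined variable. The rewritten lines below fix the attribute path, the duplicated check and the tags; the key that the permissions config is expected to contain is not visible here, so its regexp is a placeholder to confirm against set_permissions_samba_shares.conf.j2.
```yaml
- name: Creates a cron job for cleaning up samba trash dirs
  cron:
    # … unchanged: name, minute, hour …
    day: "{{ samba_cronjob_trash_dirs.day | default('*') }}"
    month: "{{ samba_cronjob_trash_dirs.month | default('*') }}"
    weekday: "{{ samba_cronjob_trash_dirs.weekday | default('*') }}"
    # … unchanged: user, job …
  # … unchanged: when …
  tags:
    - samba-server

# … unchanged: set_permissions stat and template tasks …

- name: Check if setting permissions on samba shares is configured
  lineinfile:
    path: /root/bin/samba/conf/set_permissions_samba_shares.conf
    regexp: "^<KEY_FROM_set_permissions_samba_shares.conf.j2>="  # placeholder: confirm against the template
    state: absent
  check_mode: yes
  changed_when: false
  register: set_permissions_samba_shares
  tags:
    - samba-server

- name: Creates a cron job for setting permissions on samba shares
  # … unchanged: cron parameters and when …
  tags:
    - samba-server
```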
@@ -0,0 +1,57 @@ +--- + +# --- +# - Remove unwanted users +# --- + + +- name: (samba-remove-user.yml) Check if samba user exists for removable system user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_remove_system_users_present + changed_when: "samba_remove_system_users_present.rc == 0" + failed_when: "samba_remove_system_users_present.rc > 1" + with_items: + - "{{ remove_system_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-user + + +- name: (samba-remove-user.yml) Remove (old) system users from samba + shell: > + smbpasswd -s -x {{ item.item.name }} + with_items: + - "{{ samba_remove_system_users_present.results }}" + loop_control: + label: '{{ item.item.name }}' + when: + - item.changed + tags: + - samba-user + + +- name: (samba-remove-user.yml) Check if samba user exists for removable nis user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_remove_nis_users_present + changed_when: "samba_remove_nis_users_present.rc == 0" + failed_when: "samba_remove_nis_users_present.rc > 1" + with_items: + - "{{ remove_nis_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-user + + +- name: (samba-remove-user.yml) Remove (old) nis users from samba + shell: > + smbpasswd -s -x {{ item.item.name }} + with_items: + - "{{ samba_remove_nis_users_present.results }}" + loop_control: + label: '{{ item.item.name }}' + when: + - item.changed + tags: + - samba-user diff --git a/roles/common/tasks/samba-user.yml b/roles/common/tasks/samba-user.yml index deca9f4..7b6a677 100644 --- a/roles/common/tasks/samba-user.yml +++ b/roles/common/tasks/samba-user.yml 
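Review bot: The existence checks in samba-remove-user.yml pipe `pdbedit` output through `grep '{{ item.name }}'`, which matches substrings, so a user to be removed whose name is contained in another account name (constructed example: `anna` inside `joanna`) is reported as present and the following `smbpasswd -s -x` then fails on the missing account; `grep -Fx '{{ item.name }}'` makes the match exact. `-w` makes pdbedit print smbpasswd-format lines including the password hashes, although only field 1 is used; plain `pdbedit -L` already yields `username:uid:fullname`, so `pdbedit -L | awk -F":" '{ print $1 }' | grep -Fx '{{ item.name }}'` keeps the hashes out of the pipeline and out of the registered result. Both check tasks and both removal tasks have the same shape, so the change applies to all four.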
@@ -1,58 +1,5 @@ --- -# --- -# - Remove unwanted users -# --- - - -- name: (samba_user.yml) Check if samba user exists for removable system user - shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' - register: samba_remove_system_users_present - changed_when: "samba_remove_system_users_present.rc == 0" - failed_when: "samba_remove_system_users_present.rc > 1" - with_items: - - "{{ remove_system_users }}" - loop_control: - label: '{{ item.name }}' - tags: - - samba-user - - -- name: (samba_user.yml) Remove (old) system users from samba - shell: "smbpasswd -s -x {{ item.name }}" - with_items: - - "{{ remove_system_users }}" - loop_control: - label: '{{ item.name }}' - when: samba_remove_system_users_present is changed - tags: - - samba-user - - -- name: (samba_user.yml) Check if samba user exists for removable nis user - shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' - register: samba_remove_inis_users_present - changed_when: "samba_remove_inis_users_present.rc == 0" - failed_when: "samba_remove_inis_users_present.rc > 1" - with_items: - - "{{ remove_nis_users }}" - loop_control: - label: '{{ item.name }}' - tags: - - samba-user - - -- name: (samba_user.yml) Remove (old) nis users from samba - shell: "smbpasswd -s -x {{ item.name }}" - with_items: - - "{{ remove_nis_users }}" - loop_control: - label: '{{ item.name }}' - when: samba_remove_inis_users_present is changed - tags: - - samba-user - - # --- # - default user/groups # --- diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index 3ab1b69..96fca39 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml @@ -13,6 +13,7 @@ tags: - sshd-config + - name: (sshd.yml) Create new sshd_config from template sshd_config.j2 template: src: etc/ssh/sshd_config.j2 
diff --git a/roles/common/tasks/user.yml b/roles/common/tasks/system-user.yml similarity index 71% rename from roles/common/tasks/user.yml rename to roles/common/tasks/system-user.yml index 88b889d..e29d4a2 100644 --- a/roles/common/tasks/user.yml +++ b/roles/common/tasks/system-user.yml @@ -17,7 +17,7 @@ - name: (user.yml) Remove home directory from deleted users file: - path: '{{ nis_base_home }}/{{ item.name }}' + path: '{{ base_home }}/{{ item.name }}' state: absent with_items: - "{{ remove_system_users }}" @@ -45,26 +45,20 @@ #- meta: end_host -- name: (user.yml) Check if system users exists - shell: "getent passwd {{ item.name }}" - register: system_users_exists - changed_when: "system_users_exists.rc == 2" - failed_when: "system_users_exists.rc > 2" - loop: "{{ system_users }}" - loop_control: - label: '{{ item.name }}' - ignore_errors: true +- name: (system-user.yml) Get database of nis (system) users + getent: + database: passwd tags: - system-user -- name: (user.yml) Add system users +- name: (system-user.yml) Add (system) users if not yet exists.. shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'" loop: "{{ system_users }}" loop_control: label: '{{ item.name }}' - when: system_users_exists is changed + when: + - item.name not in getent_passwd notify: Renew nis databases tags: - system-user - diff --git a/roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml b/roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml new file mode 100644 index 0000000..9793984 --- /dev/null +++ b/roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml 
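Review bot: The new getent task in system-user.yml is named `Get database of nis (system) users`, copied from nis-user.yml; here it serves the plain system users, so `- name: (system-user.yml) Get database of system users` describes it correctly, and the first task in the file (the `Remove home directory` context at line 17) still carries the old `(user.yml)` prefix after the rename. The `nis_base_home` → `base_home` change assumes `base_home` is defined in group_vars; the group_vars hunks in this commit do not add it, so confirm it exists elsewhere or the remove-home task will fail on an undefined variable.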
@@ -0,0 +1,63 @@ + # Title: app-x11vnc-server + # + # Author: Luc Rutten + # Version: 1.0 + # File: tasks/main.yml + # + # Description: + # Remote support + # + # Source: + # - http://c-nergy.be/blog/?p=8984 + + - name: "(ubuntu-x11vnc-1604-amd64.yml) check if x11vnc is already installed, if not found skipping...." + stat: + path: /usr/bin/x11vnc + register: x11vnc_active + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Install packages" + apt: + name: ['x11vnc'] + update_cache: yes + state: present + when: x11vnc_active.stat.exists == False + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Install packages" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - x11vnc + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Store password" + shell: "x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass" + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Set permissions on /etc/x11vnc.pass" + file: + path: /etc/x11vnc.pass + mode: 0644 + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service" + template: + src: lib/systemd/system/x11vnc.service.j2 + dest: /lib/systemd/system/x11vnc.service + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service" + shell: service x11vnc start + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Enable x11vnc service on boot" + systemd: + name: x11vnc.service + daemon_reload: yes + enabled: yes + state: started + + - name: "(ubuntu-x11vnc-1604-amd64.yml) Blocks x11vnc in GreenOS Desktop Environment for enduser " + file: + path: "/usr/share/applications/x11vnc.desktop" + mode: 0740 + owner: root + group: administrator + diff --git a/roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml b/roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml new file mode 100644 index 0000000..7c803be --- /dev/null +++ b/roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml 
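Review bot: `x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass` places the VNC password on the command line and in the play output, and the next task then sets `/etc/x11vnc.pass` to `0644`, i.e. world-readable; x11vnc's password file is only obfuscated, not encrypted, so any local user can recover it. Add `no_log: true` to the store task and use `mode: '0600'` with `owner: root` (the unit in x11vnc.service.j2 is not visible here, so confirm the service runs as root). This file also contains two "Install packages" tasks, the second still labelled `(ubuntu-x11vnc-1804-amd64.yml)`, and `shell: service x11vnc start` is redundant with the `systemd: state: started` task right after it. The same password and mode issue is in the ubuntu-x11vnc-1804-amd64.yml hunk, which additionally uses `raw:` for the store command; `command:` with `no_log: true` fits better there.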
@@ -0,0 +1,48 @@ +--- + # Title: app-x11vnc-server + # + # Author: Luc Rutten + # Version: 1.0 + # File: tasks/main.yml + # + # Description: + # Remote support + # + # Source: + # - http://c-nergy.be/blog/?p=8984 + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Install packages" + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: + - x11vnc + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Store password" + raw: "x11vnc -storepasswd {{ vnc_password }} /etc/x11vnc.pass" + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Set permissions on /etc/x11vnc.pass" + file: + path: "/etc/x11vnc.pass" + mode: 0644 + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Transfer x11vnc.service.j2 to /lib/systemd/system/x11vnc.service" + template: + src: lib/systemd/system/x11vnc.service.j2 + dest: /lib/systemd/system/x11vnc.service + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Enable service" + systemd: + name: x11vnc.service + enabled: true + state: restarted + + - name: "(ubuntu-x11vnc-1804-amd64.yml) Remove whisker menu entry for allusers (except owner and group)" + file: + path: "/usr/share/applications/x11vnc.desktop" + mode: 0750 + owner: root + group: root + diff --git a/roles/common/templates/etc/exports.j2 b/roles/common/templates/etc/exports.j2 index 62161dc..b4e6158 100644 --- a/roles/common/templates/etc/exports.j2 +++ b/roles/common/templates/etc/exports.j2 @@ -18,7 +18,7 @@ {% set count.nfs_exports = count.nfs_exports + 10 %} {% for network in export.export_networks %} -{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %} +{% if export.use_fsid_option is defined and export.use_fsid_option is sameas true %} {% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %} #{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }}) {% else %} 
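Review bot: `export.use_fsid_option is sameas true` only matches a real boolean, so an inventory value written as the string `"true"` silently takes the `{% else %}` branch and the export is emitted without an fsid, which is hard to notice until the mount fails. `{% if export.use_fsid_option | default(false) | bool %}` accepts both spellings and keeps the documented default. Since the flag is renamed from `fs_encrypted`, any host_vars or other playbooks still setting `fs_encrypted` lose their fsid the same silent way; a grep for the old name before merging is worth doing. The enclosing `{% for network ... %}` loop starts before this hunk.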
diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index dd63048..d481e3b 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -29,7 +29,7 @@ # Change this to the workgroup/NT-domain name your Samba server will part of ; workgroup = WORKGROUP - workgroup = AKB + workgroup = {{ samba_workgroup|default('WORKGROUP') }} # Option 'netbios name' added to debian's default smb.conf # @@ -41,22 +41,8 @@ # Note that the maximum length for a NetBIOS name is 15 characters. # # Default: netbios name = # machine DNS name - netbios name = FILE-AKB - -# server string (G) -# -# This controls what string will show up in the printer comment box in print manager and next to the IPC -# connection in net view. It can be any string that you wish to show to your users. -# -# It also sets what will appear in browse lists next to the machine name. -# -# A %v will be replaced with the Samba version number. -# -# A %h will be replaced with the hostname. -# -# Default: server string = Samba %v -# - server string = File Server ( Samba %v ) +; netbios name = FILE + netbios name = {{ samba_netbios_name|default('FILE') }} #### Networking #### @@ -65,7 +51,7 @@ # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ; interfaces = 127.0.0.0/8 eth0 - interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 + interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 # Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf hosts deny = 0.0.0.0/0 @@ -115,8 +101,7 @@ # Default: log level = 0 # # Example: log level = 3 passdb:5 auth:10 winbind:2 -; log level = 0 - log level = 2 + log level = 0 # Do something sensible when Samba crashes: mail the admin a backtrace panic action = /usr/share/samba/panic-action %d 
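Review bot: Lowering `log level` from 2 to 0 in the last hunk also drops the authentication-failure messages Samba emits at level 2, so repeated failed logins against this server, which binds to the LAN address via `interfaces`, leave nothing in `/var/log/samba/` for log monitoring to pick up. If the aim is less noise, keep the global level low but raise the auth class, e.g. `log level = 0 auth_audit:3` (the `auth_audit` class exists from Samba 4.7 as far as I know; `auth:3` on older builds), and say so in the comment above it. The `workgroup`/`netbios name` templating with `default()` fallbacks in the first two hunks is fine.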
@@ -278,11 +263,11 @@ # By default, the home directories are exported read-only. Change the # next parameter to 'no' if you want to be able to write to them. - read only = no + read only = yes # File creation mask is set to 0700 for security reasons. If you want to # create files with group=rw permissions, set next parameter to 0775. - create mask = 0600 + create mask = 0700 # Directory creation mask is set to 0700 for security reasons. If you want to # create dirs. with group=rw permissions, set next parameter to 0775. @@ -295,7 +280,6 @@ # This might need tweaking when using external authentication schemes valid users = %S - # Un-comment the following and create the netlogon directory for Domain Logons # (you need to configure Samba to act as a domain controller too.) ;[netlogon] @@ -317,17 +301,20 @@ ; create mask = 0600 ; directory mask = 0700 - {% for item in samba_shares | default([]) %} [{{ item.name }}] comment = {{ item.name }} path = {{ item.path }} - create mask = 0660 - force create mode = 0660 - directory mask = 2770 - force directory mode = 2770 + browseable = yes + read only = no + writeable = Yes + + create mask = {{ item.file_create_mask | default('0660') }} + force create mode = {{ item.file_create_mask | default('0660') }} + directory mask = {{ item.dir_create_mask | default('2770') }} + force directory mode = {{ item.dir_create_mask | default('2770') }} # can login into that share valid users = @{{ item.group_valid_users }} @@ -335,10 +322,11 @@ write list = @{{ item.group_write_list }} force group = +{{ item.group_write_list }} +{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} vfs objects = recycle recycle:keeptree = yes - # touch access time from this file + # touch access time from this file # note: this is not the modified time, which is # outdatet by ls-command # so yo can delete files older then n day with the following command: 
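Review bot: `create mask = 0700` in `[homes]` sets the execute bit on every file a user creates over SMB, which the previous `0600` did not; unless something depends on executable files in home directories, keep `create mask = 0600` (the comment above it mentions 0700 only because it is Debian's stock text). Switching `read only = yes` on `[homes]` two lines under a comment that explains how to make them writable looks deliberate, but a one-line comment stating why (the home directories are presumably served another way) would stop the next maintainer from reverting it.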
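Review bot: In the share loop hunk, `read only = no` and `writeable = Yes` on consecutive lines are the same Samba parameter spelled twice (writeable is the inverse synonym of read only); keep one, e.g. `read only = no`, so a later edit cannot leave them contradicting each other. Feeding `item.file_create_mask` into both `create mask` and `force create mode` (and `item.dir_create_mask` into both directory settings) means every bit the mask allows is also forced on, so a share configured with `file_create_mask: '0777'` forces the execute bit onto every file; give the force modes their own variables, for instance `force create mode = {{ item.file_force_create_mode | default('0660') }}` (proposed name). The `{% if item.vfs_object_recycle ... %}` opened at the end of the last hunk is closed in the next hunk.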
@@ -347,22 +335,29 @@ recycle:touch = yes recycle:touch_mtime = no recycle:versions = yes - recycle:maxsize = 10485760 # around 10MB + recycle:directory_mode = 2770 + + # - Dateien gößer als 10MB werden nicht + #recycle:maxsize = 10485760 # around 10MB + + # - Keine Begrenzung der Dateigröße. + recycle:maxsize = 0 + recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~?? recycle:excludedir = /tmp,/temp,/cache,.Trash - recycle:repository = .Trash/%U + recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }} + + # - This is a list of files and directories that are neither visible nor accessible. + # - Each entry in the list must be separated by a '/', which allows spaces to be + # - included in the entry. '*' and '?' can be used to specify multiple files or + # - directories as in DOS wildcards. + # - veto files = /.Trash/ - -[{{ item.name }}-Trash] - comment = Papierkorb ({{ item.name }}) - path = {{ item.path }}/.Trash - - browseable = yes - read only = yes + delete veto files = yes +{% endif %} {% endfor %} - ;[printers] ; comment = All Printers ; browseable = no diff --git a/roles/common/templates/etc/samba/smb.conf.j2.BAK b/roles/common/templates/etc/samba/smb.conf.j2.BAK index 19374cc..f0a5505 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2.BAK +++ b/roles/common/templates/etc/samba/smb.conf.j2.BAK 
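Review bot: `veto files = /.Trash/` with `delete veto files = yes` now names a directory the recycle bin no longer uses by default, since `recycle:repository` resolves to `@Recycle.Bin` unless `item.recycle_path` is set, so for the default case the veto pair is dead configuration; if someone does set `recycle_path: .Trash`, the bin becomes invisible and is silently deleted whenever its containing directory is removed. Either tie the veto to the same variable, `veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/`, if the bin is meant to be hidden, or drop the veto/delete-veto pair if users are now meant to browse and restore from it themselves, given that the `[name]-Trash` share is removed here. `recycle:maxsize = 0` lifts the size cap, so the bin can grow without bound unless a periodic cleanup or quota exists. The German comment `# - Dateien gößer als 10MB werden nicht` is a truncated sentence and should be completed or removed.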
@@ -1,649 +1,335 @@ +# {{ ansible_managed }} + +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed -# here. Samba has a huge number of configurable options (perhaps too -# many!) most of which are not shown in this example +# here. Samba has a huge number of configurable options most of which +# are not shown in this example # -# For a step to step guide on installing, configuring and using samba, -# read the Samba HOWTO Collection. -# -# Any line which starts with a ; (semi-colon) or a # (hash) -# is a comment and is ignored. In this example we will use a # -# for commentry and a ; for parts of the config file that you -# may wish to enable -# -# NOTE: Whenever you modify this file you should run the command "testparm" -# to check that you have not made any basic syntactic errors. +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here # +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. -#======================= Globale Einstellungen ===================================== +#======================= Global Settings ======================= [global] - # workgroup = name - # - # Der Sambaserver wird Mitglied der Arbeitsgruppe "name". - # Diese Gruppenzuordnung ist sehr lose. jedeR kann in die - # Gruppe ein- oder austreten ohne irgendwelche - # Sicherheitskriterien zu erfüllen. Anders als bei den - # Domänen. - # !! Bei aktivierter Domänenfunktion wird dieser Parameter - # Domänname verwendetals !! 
- # - ## aktuell: workgroup = workgroup - ;workgroup = Aktionsbuendnis - workgroup = WORKGROUP +## Browsing/Identification ### - # netbios=name - # - # NetBIOS ist im Gegensatz zu DNS ein flacher Namensraum - # ohne Hirarchie. - # Diese Namen werden vollkommen dynamisch vergeben. Bootet - # ein (Windows)-Rechner, so versucht er seinen eigen - # NetBIOS-Namen zu reservieren. existiert dieser schon, so - # hat der neue Rechnwer Pech gehabt und kann nicht am Netzwerk - # teilnehmen. - # Damit wird für den Server "name" registriert. Unter diesem - # ist er für die Sambaclients ansprechbar. - # NetBIOS-Namen sind nicht unbedingt nur auf Computer anwendbar. - # Auch angemeldete Benutzer und Computergruppen können mit - # NetBIOS-Namen angesprochen werden. - # - ## aktuell: netbios name = anita - netbios name = FILE +# Change this to the workgroup/NT-domain name your Samba server will part of +; workgroup = WORKGROUP + workgroup = {{ samba_workgroup|default('WORKGROUP') }} - name resolve order = lmhosts wins bcast host - - # server string = name - # - # Die Kommentarzeile des Servers. - # - ## aktuell: server string = anita - server string = File Server ( Samba %v ) - - # kernel oplocks = yes | no - # oplock ( opportunistischer Lock) auf betriebssystemebene. - # In der Regel werden Daten ( Dateien ) zwischengespeichert - # und nicht jede Änderung gleich geschrieben. Samba kann intern - # (Parameter oplock einer Freigabe s.u.) davon gebrauch machen. - # Mit "kernel oplocks" kann dies auch auf Betriebssystemebene - # eingestellt werden. Es kann also sowohl per Samba als auch etwa - # direkt unter Unix/Linux oder NFS zugegriffen werden ohne auf - # die Geschwindigkeitsvorteile des Oplocks zu verzichten. - # Standardmäßig ist dieser Parameter aktiviert, sofern das - # Betriebssystem dies unterstützt (derzeit IRIX und Linux - # Kernel 2.4) - # - # !!! soll "level2 oplocks" aktiviert werden, so darf muß - # "kernel oplocks" deaktiviert werden. (s.u.) 
- # - ## aktuell: kernel oplocks = yes - kernel oplocks = no - - # oplock break wait time = - # Dies ist (eigentlich) ein Tuning-Parameter, der aufgrund - # von fehlerhaften Windowsbetriebssystemen aufgenommen wurde: - # Antwortet Samba zu schnell auf Anfragen, die einen "oplock break - # request" zur Folge haben können, so kann die Verbindung fehlschlagen - # und der client antwortet nicht auf den break request. Mit diesem - # Parameter wird Samba angewiesen die angegebene Zeit (in Millisekunden) - # zu warten, bevor ein oplock break request gesendet wird. - # Standardeinstellung: oplock break wait time = 0 - # - # by the way: - # SMB, steht für Server Message Block, und ist ein Protokoll - # welches die gemeinsame Benutzung von Dateien, Druckern, - # seriellen Ports, auch "named pipes" und "mail slots" zwischen - # Computern erlaubt. - # 2002-09-24 ch: fix oplock break prob? - oplock break wait time = 10 - - # deadtime = n - # nach n Minuten Inakrivität wird die Verbindung - # unterbrochen. - # - deadtime = 0 - - # keepalive = n - # überprüft alle n Sekunden, ob ein client noch erreichbar - # ist (ob er überhaupt noch lebt ). Wenn nicht, geht der - # Server davon aus, daß der client abgeschaltet oder abgestürzt - # ist und beendet die Verbindung. - # !! Besser ist es, dies nicht auf Samba-Ebene sondern auf - # Verbindungsebene zu regeln ( mit "socket options") - # - ## aktuell: keepalive = 30 - keepalive = 0; - - # socket options = OPTIONS - # - # TCP_NODELAY - # ist standardmäßig aktiviert. Pakete werden - # sofort abgeschickt. Normalerweise wird bei - # kleinen Datenmengen gewartet bis "genügend" - # Daten zusammen sind damit es sich lohnt diese - # übers Netz zu schicken. - # - # SO_KEEPALIVE - # Bei TCP-Verbindungen wird mit dieser Option - # erreicht, daß die Gegenstelle der Verbindung - # auf Erreichbarkeit und Funktionsbereitschaft - # überprüft wird. 
Ist dies nicht der Fall, so - # wird die Verbindung beendet - # - # SO_BROADCAST - # Erlaubt das Versenden von Broadcast-Meldungen an - # das gesamte Netzwerk. - # - # SO_REUSEADDR - # Erlaubt die Weiterverwendung von Socketadressen - # - # IPTOS_LOWDELAY - # IPTOS_THROUGHPUT - # Diese beiden Optionen sind fuer das routing. Soll die - # direkte (IPTOS_LOWDELAY) oder die mit mehr Bandbreite - # (IPTOS_THROUGHPUT) benutz werden ? Die meisten Router - # reagieren auf die entsprechenden Einträge in den - # Paketheadern nicht, so sind diese Socketoptionen meistens - # sinnlos - # - # SO_SNDBUF = - # der Sendepuffer kann mit dieser Option gesetzt werden - # Bemerkung: siehe SO_RCVBUF - # - # SO_RCVBUF = - # Der Empfangspuffer kann mit dieser Option gesetzt werden - # Bemerkung: - # Mit den beiden Optionen SO_SNDBUF und SO_RCVBUF kann der - # letzte Schliff in die Konfiguration gebracht werden. Wer - # aber nicht wirklich ein Geschwindigkeitsfanatiker ist, - # sollte die Finger davon lassen - # - # SO_SNDLOWAT = - # SO_RCVLOWAT = - # Diese beiden Parameter definieren, wievile Daten vorhanden sein - # müssen, damit sie vom socket weitergeleitet werden. Auch dies - # sollte gelassen werdewn wie es ist. Unter Linux kann das - # Verhalten gar nicht verändert werdeb - # - ## aktuell: socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY - socket options = TCP_NODELAY - - # security = share | user | server | domain - # - # Mit diesem Parameter wird der Sicherheitsmodus eingestellt. Es - # wird das "security mode bit" gesetzt. Es werden zur Zeit die vier - # unten aufgelisteten Modi unterstütz. - # - # share die Authentifizierung erfolgt auf Freigabeebene. Beim Einloggen - # Server wird noch keine Überprüfungen vorgenommen. Erst zum - # das Verbinden mit einer Freigabe ist ein Passwort (kein - # Benutzername) erforderlich. Windows sendet trotzdem ein - # Benutzername mit. 
Für Authentifizierung werden foldende - # Benutzer verwendet - # - wird ein benutzername mitgesendet wird zunächst dieser - # zur Anmeldung benutzt. - # - ist der rechner bereits beim Sambaserver angemeldet wird - # der hierbei verwendete Name benutzt - # - danach wird der Name der Freigabe benutzt - # - als nächstes wird der NetBIOS_Name des Clients versucht - # - schließlich werden die in der "username"_liste der Freigabe - # aufgeführten Namen versucht - # - falls der "guest ok" Parameter gesetzt, alle anderen - # Anmeldungen fehlschlugen, wird der "guest account" Name - # verwendet. - # - # user Bevor sich ein Client mit dem Server verbinden kann, muß er - # sich mit Benutzernamen und Passwort authentifizieren. Erst - # wenn dies erfolgreich war, wird die Liste der verfügbaren - # Freigaben gesendet - # - # server Dieser Modus funktioniert im Prinzip we der user-Modus. - # Allerdings wird zunächst ein anderer SMB-Server nach - # Benutzernamen und Passwort befragt (password server = Computername). - # Erst wenn dies fehlschlägt, wird in der eigenen Datenbank - # nachgeschaut. Dieser Modus ist durch den domain-Modus überholt. - # - # domain Ähnlich wie beim server-Modus wird auf die Benutzerauthentufizierung - # eines anderen Servers vertraut. Anders als beim server-Modus - # wird das NT-Domain-Sicherheitsprotokoll unterstützt. Das - # bedeute, daß auch Benutzer aus vertrauten Domänen der Zugang - # gestattet werden kann. - # - security = user +# Option 'netbios name' added to debian's default smb.conf +# +# This sets the NetBIOS name by which a Samba server is known. By default it +# is the same as the first component of the host's DNS name. If a machine is +# a browse server or logon server this name (or the first component of the +# hosts DNS name) will be the name that these services are advertised under. +# +# Note that the maximum length for a NetBIOS name is 15 characters. 
+# +# Default: netbios name = # machine DNS name +; netbios name = FILE + netbios name = {{ samba_netbios_name|default('FILE') }} - # encrypt passwords = yes | no - # aktiviert die Passwortverschlüsselung (= yes). Damit ist zwar - # die Verschlüsselung aktiviert, aber weil Microsoft eine andere - # Verschlüssellungsroutine benutzt als Linux, können die - # Linux-Paßwortdateien ("passwd","shadow" oder die NIS-Datenbank - # nicht benutzt werden. Samba benötigt eine eigene Paßwortdatei, - # üblicherweise heißt sie "smbpasswd" und liegt im private-Verzeichnis - # der Sambainstallation (s.u. parameter "smb passwd file") - # - encrypt passwords = true +#### Networking #### - passdb backend = smbpasswd - - - # smb passwd file = Dateiname - # Gibt den Ort und Namen der Samba-Paßwortdatei an. Diese wird benötigt - # wenn Paßwortverschlüsselung benutzt wird. - # - # !!! Die Paßwotdatei und die darin befindlichen Hashwerte sind angreifbar. - # Sie sollte dem user "root" gehören und nur von ihm lesbar, beschreibbar - # und ausführbar sein. (chmod 700) - # - # benötigt: encrypt passwords = yes - # - ## aktuell: /etc/samba/smbpasswd - #smb passwd file = /usr/local/samba/private/smbpasswd - smb passwd file = /etc/samba/smbpasswd - - - # unix password sync = yes | no - # Wenn Kennwörter durch den Client oder durch das Passwortprogramm - # smbpasswd geändert werden, so müßte anschließend auch das "normale" - # unix-Passwort geändert werden, wenn nicht mit zwei verschiedenen - # Kennwörtenr gearbeitet werden soll. Das läßt sich durch diesen - # Parameter (yes) ändern. Falls dieser Parameter aus Yes eingestellt - # ist, wird das in dem Parameter "passwd program" angegebene Programm - # als ROOT aufgerufen, um zu erlauben, das neue Passwort zu setzen ohne - # das alte angeben zu müssen. 
- # - ## aktuell: unix password sync = no - unix password sync = yes - - - # passwd program = Dateinme - # Dieser Parameter gibt den Ort und Namen des Programms an, mit dem - # das UNIX-Passwort geändert werden kann (i.allg. /bin/passwd oder - # /usr/bin/passwd). Diese Programm wird als root ausgeführt und weiß - # nicht, für welchen Namen das Passwort geändert werden soll. Daher - # sollte diesem mit dem Makro %u der Benutzername übergeben werden. - # - # Beachte: Passwortprogramme sind i.d.R. interaktive Programme. Die - # Unterhaltung (Chat) muß mit Hilfe des Parameters "passwd chat" - # konfiguriert werden (s.u.). - # - # benötigt: unix password sync = yes - # - ## aktuell: passwd program = /bin/passwd - passwd program = /usr/bin/passwd %u - - - # passwd chat = "Ausgabestring" "Eingabestring" - # [ "Ausgabestring" "Eingabestring" ] [...] - # - # Mit den anzugebenden Zeichenketten wird die Unterhaltung zwischen - # dem passwd-Programm und dem smbd beim Ändern des Passwortes - # konfiguriert (eine oder mehrere aufeinanderfolgende Aus- und - # Eingabepaare). Die Ein- und Ausgabestrings sind durch ein Leerzeichen - # voneinader getrennt. Der Ausgabeteil besteht aus dem Text, welches das - # passwd-Programm ausgibt. Dabei ist es möglich, das Jokerzeichen "*", - # welches für eine beliebige auch 0-Zeichen lange Zeichenkette steht. - # Der Eingabeteil sind die Eingaben, die das passwd-Programm benötigt. - # Hierbei wird "%o" für das alte (wir in der Regel nicht gebraucht, da - # das passwd-Programm als user "root" aufgerufen wird und somit das alte - # Passwort nicht benötigt wird) und "%n" für das neue Passwort verwendet. - # Ferner können folgende Escapesequenzen benutzt werden: - # /n Zeilenvorschub - # /r Wagenrücklauf - # /t Tabulator - # /s Leerzeichen - # - # beachte:Ein String kann durch doppelte Anführungszeichen - # "zusammengehalten" werden. 
Um Leerzeichen in Passwörten - # zu ermöglichen sollten in der Chat-Zeile "%n" und "%o" durch - # doppelte Anführungszeichen geschützt werden. - # - # Das Chat-script ist case-sensitiv - # - # benötigt: unix password sync = yes - # - # Für Red Hat 7.2: - # passwd chat = *asswor*\n* "%n"\n *asswor* "%n"\n *success* - # - #passwd chat = *new*password* "%n"\n **new*password* "%n"\n *success* - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - - # guest account = - # Mit diesem Parameter werden Gastzugriffe einem echten - # Unix-Benutzer zugeordnet. ( Freigabe Parameter guset = ok - # oder guest only = yes) - # Standardeinstellung: guest account = nobody - # - ## aktuell: guest account = nobody - ; guest account = nobody - - # guest ok = yes |no - # Soll eine Freigabe auch für Gäste zugänglich sein, so ist dieser - # Parameter auf "yes" zu setzen - # - guest ok = no - - # map to guest = Never | Bad User | Bad Passwort - # Mit diesem Parameter wird eingestellt, was mit Anfrgaen - # passeirt, die keinen Benutzern und kein gültiges - # Passwort besitzen - # - # Never - # Requests mit ungültigem Passwort werden zurückgewiesen. Es - # werden noch nichteinmal die Freigaben gezeigt. - # (Standardeinstellung) - # - # Bad User - # Benutzer mit faslchem Passwort werden zurückgewiesen. Bei - # unbekanntem Benutzer wird auf den "guest account" gemappt - # - # Bad Password - # Benutzer mit falschem Passwort werden auf den "guest account" - # gemappt. - # VORSICHT: - # der Benutzer erkennt dies nicht und weiß somit - # nicht mit welchen Rechten er auf den Server zufreift. - # Das kann zu Verwirrungen führen. 
- # - ## aktuell: map to guest = Bad User - map to guest = Never - - # username map = - # Wenn auf den Windows-Clients ein Usere unter anderem Namen - # Auftritt als auf dem Samba-Server, so bietet sich eine Datei - # für die Zuordnung an - # Bsp.: - # root = admin administrator - # weist den usernamen admin oder administraor den unixnamen - # root zu - ; username map = /usr/local/samba/lib/users.map - - # hide files = [DateiOderVerzeichnis[/andereDateiOderVerzeichnis[/... - # Mir diesem Parameter kann eine Liste von Dateien und/oder - # Verzeichnissen angegeben werden, die nicht angezeigt werden - # sollen (hidden Attribut wird gesetzt). Die einzelnen - # Dateien/Verzeichnisse werden durch ein Slash "/" getrennt und - # können Wildcards "*" und "?" enthalten, nicht aber den Slash - # selbst. Die Eintraege mussen den UNIX Dateinamenkonventionen - # gehorchen. - # - ## aktuell: hide files = /DesktopFolderDB/TrashFor%m/resource.frk/Icon%0D/ - hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ - - # default case = upper | lower - # Standardschreibweise für neu angelegte Dateien - # Standardeinstellung: default case = lower - # - defaultcase = lower - - # preserve case = yes | no - # Mit diesem Parameter kann festgelegt werden, ob bei neu angelegte - # Dateien die Klein/Großschreibung des Clienten beibehalten - # wird (yes) oder die Standardeinstellung (Parameter "default case") - # benutzt wird (no). - # - preserve case = yes - - # short preserve case = yes | no - # Wie Parameter "preserve case" jedoch nur gültig für kurze - # im DOS-Format 8.3 gehaltene Dateien - # - short preserve case = yes - - # dos charset = - # Mit dieser Option wird der Zeichensatz eingestellt, mit dem Samba zu - # den DOS-Clienten sprechen soll - # Standardeinstellung: hängt von den installierten Zeichensätzen ab. Samba - # versucht den Zeichensatz 850 zu benutzen. Ist dieser nicht vorhanden, wird - # der ASCII Zeichensatz genommen. 
- # - dos charset = CP850 - - # unix charset = - # Gibt an, welchen Zeichensatz Samba (auf der Unix Maschine) benutzen soll. - # Diese Angabe wird benötigt, damit Samba weiß, wie es text für die clients konvertieren muß - # Standardeinstellung: unix charset = UTF8 - # - ##unix charset = ISO-8859-1 - unix charset = UTF8 - - # display charset = - # Zeichensatz den Sammba für Ausgaben auf stdout, stderr und für SWAT - # benutzt. Sollte der gleiche wie für den Parameter "unix charset" - # sein. - # Standardeinstellung: display charset = ASCII - # - ##display charset = ISO-8859-1 - #display charset = UTF8 - - - # valid chars - # In Samba 3.x nicht mehr verfügbar - ## aktuell valid chars = 0224:0231 0204:0216 0201:0232 - - # character set = - # In Samba 3.x nicht mehr verfügbar - ## aktuell: character set = ISO8859-15 - - # client code page = - # In Samba 3.x nicht mehr verfügbar - ## aktuell: client code page = 850 - - - os level = 50 - local master = yes - preferred master = yes - domain master = yes - - # wins support = yes | no - # Ist dieser Parameter auf yes, so übernimmt der nmbd die - # Funktion eines WINS-Servers. Die Datenbankdatei mit dem - # namen wins.dat (ascii-format) wird im lock-Verzeichnis - # gespeichert - # Standardeinstellung: wins support = no - # - # !! VORSICHT !! - # Es kann immer nur ein Samba-Server wins support aktiviert - # haben. Andernfalls kan es zu großen Problemen kommen. - #wins support = Yes - - # If you want Samba to use an existing wins server, please uncomment the - # following line and replace the dummy with the wins server's ip number. - ;wins server = 192.168.52.1 - - - - - # log file = - # Dieser Parameter erlaibt es, eine alternative Log-Datei - # anzulegen. (Die einkompilierten Angaben werden dabei - # Überschrieben). Durch Makros wird es möglich, für jeden - # Nutzer oder jede Maschine seperate Log_dateien zu schreiben: - # log file = /log.%u legt für jeden - # User eine eigene Protokolldatei an. 
- # - ## aktuel: deaktiviert - # - # für jede Maschine ein eigenes log-file - log file = /var/log/samba/%m.log - - # log level = 0-10 | 100 - # Dieser Parameter spezifiziert, wie ausführlich die Meldungen - # von Samba sein sollen. (0 nur kritische Fehlermeldungen) - # Der Wert 100 spielt eine besondere Rolle. err speichert die - # während der Authetifizierung verwendeten Passworte - # - ## aktuell: log level = 2 - log level = 2 - - # max log size (G) - # - # Gibt die Größe (in Kilobyte) an, bis zu der die Logfiles - # wachsen dürfen. - # Samba überprüft regelmäßig die Größe. Falls das angegebene - # Maximum überschritten ist, wird der Logdatei die Endung .old - # angehangen und eine neue angelegt. - # - # A size of 0 means no limit. - # - # Default: max log size = 5000 - # - # Example: max log size = 1000 - # - max log size = 5000 - - ## - To use the CUPS printing interface set - ## - printcap name = cups - ## - - ## - This should be supplemented by an addtional setting - ## - printing = cups - ## - - #printcap name = /etc/printcap - printcap name = cups - printing = cups - - ## - A boolean variable that controls whether all printers in the - ## - printcap will be loaded for browsing by default. - ## - - ## - Default: load printers = yes - ## - - load printers = Yes - - # interfaces = IP-Adress/Subnetzmaske[ IP-Adress/Subnetzmaske... - # Dieser Parameter gibt das bzw. die Netzwerk(e) an, die Samba - # verwendet. - # Standard: erstes gefundenes Netzwerk und 127.0.0.1 - # - # !! VORSICHT !! - # eben die Standardeinstellung kann zum Problem werden, da - # Samba häufig das Dummy-Device als solches erkennt. 
Auch wenn - # nur ein Netzwerk installiert ist, ist es also sinnvoll, diesen - # Parameter zu verwendn - # - ;interfaces = eth0 192.168.82.10/24 lo 127.0.0.1/8 - interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 + interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 +# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf hosts deny = 0.0.0.0/0 hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8 - # bindet nur an die im Parameter "interfaces" angegebenen Adressesn - # - # !! VORSICHT !! - # Wenn "bind interfaces only" gesetzt ist und die Netzwerkadresse - # 127.0.0.1 nicht im Parameter "interfaces" mit angegeben ist, dann - # arbeiten "smppasswd" und "swat" nicht wie erwartet. - # (siehe auch manpage smb.conf) - # - bind interfaces only = Yes - - local master = yes - prefered master = yes - domain master = yes - time server = yes +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +# +# Notice: +# If bind interfaces only is set and the network address 127.0.0.1 is not added to the +# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons +# covered below. 
+# +# Default: bind interfaces only = no + bind interfaces only = yes +#### Debugging/Accounting #### -# Do you wan't samba to act as a logon-server for your windows 95/98 -# clients, so uncomment the following: - domain logons = NO -# For a specific logon script per user -; logon script = %U.bat -# For a specific logon script per machine -; logon script = %m.bat +# This tells Samba to use a separate log file for each machine +# that connects +; log file = /var/log/samba/log.%m + log file = /var/log/samba/%I.log -# Where to store the logon scripts. -;[netlogon] -; comment = Network Logon Service -; path = /var/lib/samba/netlogon +# Cap the size of the individual log files (in KiB). +; max log size = 1000 + max log size = 10000 -# Where profiles of Windows 9x systems are stored. -# First example for a centralized place. -; logon home = \\%L\profiles\%U -# Second example for a subdirectory of the users home. -; logon home = \\%L\%U\profile -# Where profiles of Windows NT systems are stored. -; logon path = \\%L\profiles\%U +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Option 'log level' added to debian's default smb.conf +# +# The value of the parameter (a astring) allows the debug level (logging level) to be +# specified in the smb.conf file. +# +# This parameter has been extended since the 2.2.x series, now it allows one to specify +# the debug level for multiple debug classes. This is to give greater flexibility in +# the configuration of the system. 
+# +# See manpage for implemented debug classes +# +# Default: log level = 0 +# +# Example: log level = 3 passdb:5 auth:10 winbind:2 + log level = 0 + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d +####### Authentication ####### -#============================ Freigaben ============================== +# Option 'ntlm auth' added to debian's default smb.conf +# +# This parameter determines whether or not smbd(8) will attempt to authenticate +# users using the NTLM encrypted password response for this local passdb (SAM +# or account database). +# +# If disabled, both NTLM and LanMan authencication against the local passdb is +# disabled. +# +# Note that these settings apply only to local users, authentication will still +# be forwarded to and NTLM authentication accepted against any domain we are +# joined to, and any trusted domain, even if disabled or if NTLMv2-only is +# enforced here. To control NTLM authentiation for domain users, this must option +# must be configured on each DC. +# +# By default with lanman auth set to no and ntlm auth set to ntlmv2-only only +# NTLMv2 logins will be permited. Most clients support NTLMv2 by default, but some +# older clients will require special configuration to use it. +# +# The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. +# +# The available settings are: +# +# ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients. +# +# ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2. +# +# mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that +# it is providing MSCHAPv2 authentication (such as the ntlm_auth tool). +# +# disabled - Do not accept NTLM (or LanMan) authentication of any level, nor +# permit NTLM password changes. +# +# The default changed from yes to no with Samba 4.5. The default chagned again to +# ntlmv2-only with Samba 4.7, however the behaviour is unchanged. 
+# +# Default: ntlm auth = ntlmv2-only + ntlm auth = ntlmv1-permitted -# Extra share for profiles. Default is the home of the user. -#[profiles] -# comment = Network Profiles Service -# path = /var/lib/samba/profiles -# browseable = No +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. 
+ pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +# Option 'username map' added to debian's default smb.conf +# + username map = /etc/samba/users.map + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = primary +# classic domain controller', 'server role = backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. 
+; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +# {{ ansible_managed }} [homes] - comment = Home Directories - read only = No - create mask = 0640 - directory mask = 0750 - browseable = No + comment = Home Directories + browseable = no - # By default, \\server\username shares can be connected to by anyone - # with access to the samba server. - # The following parameter makes sure that only "username" can connect - # to \\server\username - # This might need tweaking when using external authentication schemes +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. + read only = yes + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. + create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. 
+ directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. +# The following parameter makes sure that only "username" can connect +# to \\server\username +# This might need tweaking when using external authentication schemes valid users = %S +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes -[Transfer] - comment = Transfer - path = /data/samba/Transfer - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 - # oplocks = yes | no - # - # oplock ist die Kurzform für opportunistischer Lock. - # Der Client speichert Dateien intern zwischen und schickt nicht - # jede Änderung gleich übers Netz. (Geschwindigkeitsvorteil). Sobald - # ein anderer Client auf die Daten zugreift, wird ein "oplock break" - # gesendet. Die Zwischengespeicherten Daten werden nun geschrieben und - # beide Clients greifen auf dieselben Daten zu. - # - oplocks = yes +{% for item in samba_shares | default([]) %} - # level2 oplocks = yes | no - # Ist ein "oplock break" gesendet worden werden keinerlei Zugriffe - # mehr zwischengespeichert. Wollen jedoch alle zugreifenden Clients - # nur lesen, so gibt es dafür keinen Grund. Mit diesem Parameter - # wird ermöglicht, daß lesende Zugriffe trotzdem zwischengespeichert - # werden - # - # !!!! 
Unix kennt keine solchen "schreibgeschützten Oplocks". Ist - # also "kernel oplocks" aktiviert, so kann die ganze Sache nicht - # funktionieren - # - # benötigt: oplocks = yes, kernel oplocks = no - # - level2 oplocks = yes +[{{ item.name }}] + comment = {{ item.name }} + path = {{ item.path }} browseable = yes read only = no writeable = Yes - force group = +transfer + create mask = {{ item.file_create_mask | default('0660') }} + force create mode = {{ item.file_create_mask | default('0660') }} + directory mask = {{ item.dir_create_mask | default('2770') }} + force directory mode = {{ item.dir_create_mask | default('2770') }} + # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @transfer + valid users = @{{ item.group_valid_users }} # allow to write - write list = @transfer + write list = @{{ item.group_write_list }} - create mask = 0664 - force create mode = 664 - directory mask = 2775 - force directory mode = 2775 + force group = +{{ item.group_write_list }} - ;vfs objects = vscan-clamav recycle - ;vscan-clamav: config-file = /usr/local/samba/lib/vscan-clamav.conf vfs objects = recycle recycle:keeptree = yes - # touch access time from this file + # touch access time from this file # note: this is not the modified time, which is # outdatet by ls-command # so yo can delete files older then n day with the following command: - # find /data/samba/share/bhoch3/.Trash -atime + -exec rm -rf {} \; + # find /data/samba/share//.Trash -atime + -exec rm -rf {} \; # recycle:touch = yes recycle:touch_mtime = no 
@@ -654,395 +340,37 @@ recycle:repository = .Trash/%U veto files = /.Trash/ -[Transfer-trash] - comment = Papierkorb (Transfer) - path = /data/samba/Transfer/.Trash +[{{ item.name }}-Trash] + comment = Papierkorb ({{ item.name }}) + path = {{ item.path }}/.Trash browseable = yes read only = yes -##[Archiv] -## comment = Archiv -## path = /data/samba/archiv -## ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv -## ;root postexec = umount /dev/md2 -## -## # oplocks = yes | no -## # -## # oplock ist die Kurzform für opportunistischer Lock. -## # Der Client speichert Dateien intern zwischen und schickt nicht -## # jede Änderung gleich übers Netz. (Geschwindigkeitsvorteil). Sobald -## # ein anderer Client auf die Daten zugreift, wird ein "oplock break" -## # gesendet. Die Zwischengespeicherten Daten werden nun geschrieben und -## # beide Clients greifen auf dieselben Daten zu. -## # -## oplocks = yes -## -## # level2 oplocks = yes | no -## # Ist ein "oplock break" gesendet worden werden keinerlei Zugriffe -## # mehr zwischengespeichert. Wollen jedoch alle zugreifenden Clients -## # nur lesen, so gibt es dafür keinen Grund. Mit diesem Parameter -## # wird ermöglicht, daß lesende Zugriffe trotzdem zwischengespeichert -## # werden -## # -## # !!!! Unix kennt keine solchen "schreibgeschützten Oplocks". 
Ist -## # also "kernel oplocks" aktiviert, so kann die ganze Sache nicht -## # funktionieren -## # -## # benötigt: oplocks = yes, kernel oplocks = no -## # -## level2 oplocks = yes -## -## browseable = yes -## read only = no -## writeable = Yes -## -## force group = +archive -## -## # can login into that share -## valid users = @users -## # allow to write -## write list = @archive -## -## create mask = 664 -## directory mask = 2775 +{% endfor %} -[Verwaltung] - comment = Verwaltung - path = /data/samba/Verwaltung - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv +;[printers] +; comment = All Printers +; browseable = no +; path = /var/spool/samba +; printable = yes +; guest ok = no +; read only = yes +; create mask = 0700 - browseable = yes - read only = no - writeable = Yes +# Windows clients look for this share name as a source of downloadable +# printer drivers +;[print$] +; comment = Printer Drivers +; path = /var/lib/samba/printers +; browseable = yes +; read only = yes +; guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. 
+# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin - force group = +verwaltung - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @verwaltung - # allow to write - write list = @verwaltung - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - - ;vfs objects = vscan-clamav recycle - ;vscan-clamav: config-file = /usr/local/samba/lib/vscan-clamav.conf - vfs objects = recycle - recycle:keeptree = yes - # touch access time from this file - # note: this is not the modified time, which is - # outdatet by ls-command - # so yo can delete files older then n day with the following command: - # find /data/samba/share/bhoch3/.Trash -atime + -exec rm -rf {} \; - # - recycle:touch = yes - recycle:touch_mtime = no - recycle:versions = yes - recycle:maxsize = 10485760 # around 10MB - recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~?? 
- recycle:excludedir = /tmp,/temp,/cache,.Trash - recycle:repository = .Trash/%U - veto files = /.Trash/ - - -[Verwaltung-trash] - comment = Papierkorb (Verwaltung) - path = /data/samba/Verwaltung/.Trash - - browseable = yes - read only = yes - - -[Scans] - comment = Scans - path = /data/samba/Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Buero_Scans] - comment = Scans Buero - path = /data/samba/Scans/Buero_Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Frauke_Scans] - comment = Scans Frauke - path = /data/samba/Scans/Frauke_Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[FSJ_Scans] - comment = Scans FSJ - path = /data/samba/Scans/FSJ_Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - 
read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Jibran_Scans] - comment = Scans Jibran - path = /data/samba/Scans/Jibran_Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Julia_Scans] - comment = Scans Julia - path = /data/samba/Scans/Julia_Scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Maica_scans] - comment = Scans Maica - path = /data/samba/Scans/Maica_scans - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Thomas_Scans] - comment = Scans Thomas - path = /data/samba/Scans/Thomas_Scans - ;root preexec = mount /dev/md1 
/data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +scans - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @scans - # allow to write - write list = @scans - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Kamera] - comment = Kamera - path = /data/samba/Kamera - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +intern - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @intern - # allow to write - write list = @intern - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - -[Install] - comment = Install - path = /data/samba/Install - ;root preexec = mount /dev/md1 /data ; mount /dev/md2 /data/samba ; chown sysadm:sysadm /data/samba/archiv - - browseable = yes - read only = no - writeable = Yes - - force group = +intern - - # can login into that share - ;valid users = chris,jonas,anna,ralf,annika,frauke - valid users = @intern - # allow to write - write list = @intern - - force create mode = 660 - create mask = 0660 - force directory mode = 2775 - directory mask = 2775 - - -## - # Un-comment the following and create the netlogon directory for Domain Logons -## - # (you need to configure Samba to act as a domain controller too.) -## - ;[netlogon] -## - ; comment = Network Logon Service -## - ; path = /home/samba/netlogon -## - ; guest ok = yes -## - ; read only = yes -## - -## - # Un-comment the following and create the profiles directory to store -## - # users profiles (see the "logon path" option above) -## - # (you need to configure Samba to act as a domain controller too.) 
-## - # The path below should be writable by all users so that their -## - # profile directory may be created the first time they log on -## - ;[profiles] -## - ; comment = Users profiles -## - ; path = /home/samba/profiles -## - ; guest ok = no -## - ; browseable = no -## - ; create mask = 0600 -## - ; directory mask = 0700 -## - -## - [printers] -## - comment = All Printers -## - browseable = no -## - path = /var/spool/samba -## - printable = yes -## - guest ok = no -## - read only = yes -## - create mask = 0700 -## - -## - # Windows clients look for this share name as a source of downloadable -## - # printer drivers -## - [print$] -## - comment = Printer Drivers -## - path = /var/lib/samba/printers -## - browseable = yes -## - read only = yes -## - guest ok = no -## - # Uncomment to allow remote administration of Windows print drivers. -## - # You may need to replace 'lpadmin' with the name of the group your -## - # admin users are members of. -## - # Please note that you also need to set appropriate Unix permissions -## - # to the drivers directory for these users to have write rights in it -## - ; write list = root, @lpadmin -## - -## - # A sample share for sharing your CD-ROM with others. -## - ;[cdrom] -## - ; comment = Samba server's CD-ROM -## - ; read only = yes -## - ; locking = no -## - ; path = /cdrom -## - ; guest ok = yes -## - -## - # The next two parameters show how to auto-mount a CD-ROM when the -## - # cdrom share is accesed. For this to work /etc/fstab must contain -## - # an entry like this: -## - # -## - # /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0 -## - # -## - # The CD-ROM gets unmounted automatically after the connection to the -## - # -## - # If you don't want to use auto-mounting/unmounting make sure the CD -## - # is mounted on /cdrom -## - # -## - ; preexec = /bin/mount /cdrom -## - ; postexec = /bin/umount /cdrom -## - 
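Review bot: `[{{ item.name }}-Trash]` sets no `valid users`, so unlike `[{{ item.name }}]` (restricted to `@{{ item.group_valid_users }}`) any account that authenticates can connect to it, and what it may read is then decided only by the filesystem modes on `{{ item.path }}/.Trash` — with the `2770` directory default above, presumably every member of the write group, including other members' `.Trash/%U` subtrees. Adding `valid users = @{{ item.group_valid_users }}` to the Trash share keeps both shares' audiences identical. `.Trash` is also hard-coded here, in `recycle:repository` and in `veto files`, while clean_samba_trash.conf.j2 in this commit builds the cleanup path from `item.recycle_path`; both templates should read the same variable. The `{% for %}` closed by `{% endfor %}` opens in the previous hunk, which also sets `ntlm auth = ntlmv1-permitted`, a downgrade from Samba's `ntlmv2-only` default that the commit message does not justify.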
diff --git a/roles/common/templates/lib/systemd/system/x11vnc.service.j2 b/roles/common/templates/lib/systemd/system/x11vnc.service.j2
new file mode 100644
index 0000000..cca2330
--- /dev/null
+++ b/roles/common/templates/lib/systemd/system/x11vnc.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Start x11vnc at startup.
+After=multi-user.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pass -rfbport 5900 -shared
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2
new file mode 100644
index 0000000..040981e
--- /dev/null
+++ b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+# ------------------------------------
+# - Settings for script clean_trash.sh
+# ------------------------------------
+
+# - days
+# -
+# - Files older then 'days' will be deleted.
+# -
+# - Defaults to: days=31
+# -
+#days=31
+
+# - trash_dirs
+# -
+# - Directories where files older than given days will be deleted.
+# -
+# - Example:
+# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
+# -
+#trash_dirs=""
+
+{%- set count = namespace(trash_dirs=0) %}
+
+{%- for item in samba_shares | default([]) %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{% set count.trash_dirs = count.trash_dirs + 1 %}
+{% endif %}
+{% endfor %}
+
+{% if count.trash_dirs > 0 %}
+trash_dirs="
+{% for item in samba_shares %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+ {{ item.path }}/{{ item.recycle_path }}
+{% endif %}
+{% endfor %}
+"
+{% endif %}
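Review bot: `ExecStart` listens on port 5900 of every interface with only `-rfbauth /etc/x11vnc.pass` in front of it, and with no `User=` the server runs as root, so this exposes an unencrypted RFB session guarded by a classic VNC password (at most eight characters) to the entire network. Adding `-localhost` and reaching the display through an SSH tunnel, or at minimum `-allow` with the permitted client addresses, confines the listener; the task that installs `/etc/x11vnc.pass` should also enforce root ownership and mode 0600. `After=multi-user.target` does not order the unit behind the display manager, so `-auth guess` depends on `-loop` retrying until an X server exists; `After=display-manager.service` makes that ordering explicit.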
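Review bot: `{{ item.path }}/{{ item.recycle_path }}` carries no `default`, whereas the smb.conf.j2 hunk of this commit hard-codes the recycle repository as `.Trash`; a share entry that omits `recycle_path` aborts the render under Ansible's default undefined-variable handling, and if that is relaxed or the value is an empty string the entry becomes `{{ item.path }}/` — the share root — so a cleanup removing files older than `days` there would delete live data. `{{ item.path }}/{{ item.recycle_path | default('.Trash') }}` aligns the two templates; better still, both should read a single variable. The header names the consumer as clean_trash.sh while this file is clean_samba_trash.conf.j2, so it is worth confirming which script actually sources it. Entries are written one per line inside a double-quoted string, so a path containing whitespace would split when `trash_dirs` is word-split.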
diff --git a/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 b/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2
new file mode 100644
index 0000000..23b886c
--- /dev/null
+++ b/roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+# -----------------------------------------------------
+# - Settings for script set_permissions_samba_shares.sh
+# -----------------------------------------------------
+
+# - dir_permissions
+# -
+# - Recursive set Permissions (group and file- and directory-mode)
+# -
+# - Multiple options are possible. Use semicolon separated list.
+# -
+# - Usage:
+# - dir_permissions=":::;[:::];[.."
+# -
+# - Example:
+# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
+# -
+#dir_permissions=""
+
+{%- set count = namespace(samba_shares=0) %}
+
+{%- for item in samba_shares | default([]) %}
+{% set count.samba_shares = count.samba_shares + 1 %}
+{% endfor %}
+
+{% if count.samba_shares > 0 %}
+dir_permissions="
+{% for item in samba_shares | default([]) %}
+ {{ item.path }}:{{ item.group_write_list }}:{{ item.file_create_mask | default('0660') }}:{{ item.dir_create_mask | default('2770') }};
+{% endfor %}
+"
+{% endif %}
diff --git a/tatus b/tatus
deleted file mode 100644
index 4dd4404..0000000
--- a/tatus
+++ /dev/null
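Review bot: The `Usage:` line documents the record format as `:::;[:::];[..`, which reads as if the field placeholders were lost, so a reader can only reconstruct the field order from the example below it; spell it out, e.g. `# - dir_permissions="<path>:<group>:<file_mode>:<dir_mode>;[<path>:<group>:<file_mode>:<dir_mode>;...]"`. Each record is colon- and semicolon-delimited with no quoting, so a share whose `path` contains `:` or `;` would be mis-parsed by the consuming script, and because the header says the permissions are applied recursively to the whole tree, `path` should be checked (absolute, free of delimiters) before it is rendered. The counting loop only establishes that the list is non-empty; `{% if samba_shares | default([]) | length > 0 %}` does the same in one line and the `namespace` can go.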
@@ -1,394 +0,0 @@ -diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml -index 7b325e6..603929a 100644 ---- a/group_vars/all/main.yml -+++ b/group_vars/all/main.yml -@@ -554,10 +554,18 @@ apt_initial_install_bionic: - - ifupdown - - socat -  --microcode_package:  -+microcode_intel_package:  - - intel-microcode -+ -+microcode_amd_package:  - - amd64-microcode -  -+firmware_packages: -+ - firmware-linux -+ -+firmware_non_free_packages: -+ - firmware-linux-nonfree -+ - apt_install_state: latest -  - apt_remove: -@@ -727,6 +735,167 @@ apt_install_client_samba: - samba_server: file-akb.akb.netz -  -  -+# ========== -+# vars used by roles/common/tasks/pure-ftpd-install.yml -+# ========== -+ -+pureftpd_global_config_file: /etc/default/pure-ftpd-common -+ -+pureftpd_config_dir: /etc/pure-ftpd -+pureftpd_config_conf_dir: "{{ pureftpd_config_dir }}/conf" -+pureftpd_config_auth_dir: "{{ pureftpd_config_dir }}/auth" -+pureftpd_config_db_dir: "{{ pureftpd_config_dir }}/db" -+ -+pureftpd_config_fortune_file: "{{ pureftpd_config_dir }}/pureftpd-fortune.txt" -+ -+pureftpd_tls_certificate_pem: /etc/ssl/private/pure-ftpd.pem -+ -+pureftpd_packages: -+ - pure-ftpd-common -+ - pure-ftpd -+ -+# pure-ftpd-common.j2 -+pureftpd_global_config_mode: standalone -+pureftpd_global_config_virtualchroot: false -+pureftpd_global_config_uploadscript: ''  -+pureftpd_global_config_uploaduid: '' -+pureftpd_global_config_uploadgid: '' -+ -+pureftpd_config: -+ AltLog: 'clf:/var/log/pure-ftpd/transfer.log' -+ AnonymousCantUpload: 'yes' -+ Bind: ',21' -+ CustomerProof: 'yes' -+ DisplayDotFiles: 'yes' -+ DontResolve: 'yes' -+ FSCharset: 'UTF-8' -+ ForcePassiveIP: '' -+ MaxDiskUsage: '80' -+ MinUID: '1000' -+ NoAnonymous: 'yes' -+ PAMAuthentication: 'no' -+ PassivePortRange: '50000 50400' -+ ProhibitDotFilesRead: 'no' -+ ProhibitDotFilesWrite: 'yes' -+ PureDB: '/etc/pure-ftpd/pureftpd.pdb' -+ SyslogFacility: 'ftp' -+ TLS: '1' -+ TLSCipherSuite: 'HIGH' -+ UnixAuthentication: 'no' -+ #  -+ # 
Available properties -+ # -+ # Available properties -+ # AllowAnonymousFXP: 'no' -+ # AllowUserFXP: 'no' -+ # AltLog: 'clf:/var/log/pure-ftpd/transfer.log' -+ # AnonymousBandwidth: '8' -+ # AnonymousCanCreateDirs: 'no' -+ # AnonymousCantUpload: 'yes' -+ # AnonymousOnly: 'no' -+ # AnonymousRatio: '1 10' -+ # AntiWarez: 'yes' -+ # AutoRename: 'no' -+ # Bind: '127.0.0.1,21' -+ # BrokenClientsCompatibility: 'no' -+ # CallUploadScript: 'yes' -+ # ChrootEveryone: 'yes' -+ # ClientCharset: 'UTF-8' -+ # CreateHomeDir: 'yes' -+ # CustomerProof: 'yes' -+ # Daemonize: 'yes' -+ # DisplayDotFiles: 'yes' -+ # DontResolve: 'yes' -+ # ExtAuth: /var/run/ftpd.sock -+ # ForcePassiveIP: '192.168.0.1' -+ # FortunesFile: '/etc/pure-ftpd/cookie' -+ # FSCharset: 'utf8' -+ # IPV4Only: 'yes' -+ # IPV6Only: 'yes' -+ # KeepAllFiles: 'yes' -+ # LDAPConfigFile: /etc/pureftpd-ldap.conf -+ # LimitRecursion: '10000 8' -+ # LogPID: 'yes' -+ # MaxClientsNumber: '10' -+ # MaxClientsPerIP: "{{ ansible_processor_cores }}" -+ # MaxDiskUsage: '80' -+ # MaxIdleTime: '15' -+ # MaxLoad: '4' -+ # MinUID: '1000' -+ # MySQLConfigFile: /etc/pure-ftpd/mysql.conf -+ # NoAnonymous: 'yes' -+ # NoChmod: 'yes' -+ # NoRename: 'yes' -+ # NoTruncate: 'yes' -+ # PAMAuthentication: 'no' -+ # PassivePortRange: '30000 50000' -+ # PerUserLimits: '3 20' -+ # PGSQLConfigFile: /etc/pureftpd-pgsql.conf -+ # PIDFile: '/var/run/pure-ftpd.pid' -+ # ProhibitDotFilesRead: 'yes' -+ # ProhibitDotFilesWrite: 'yes' -+ # PureDB: /etc/pure-ftpd/pureftpd.pdb -+ # Quota: '1000 10' -+ # SyslogFacility: 'ftp' -+ # TLS: '0' -+ # TLSCipherSuite: 'ALL:!aNULL:!SSLv3' -+ # TrustedIP: '10.1.1.1' -+ # Umask: '113 002' -+ # UnixAuthentication: 'no' -+ # UserBandwidth: '8' -+ # UserRatio: '1 10' -+ # VerboseLog: 'no' -+ -+pureftpd_auth_puredb: 50 -+pureftpd_auth_mysql: 0 -+pureftpd_auth_postgresql: 0 -+pureftpd_auth_ldap: 0 -+pureftpd_auth_unix: 65 -+pureftpd_auth_pam: 70 -+ -+# Default FTP user/group -+pureftpd_virtual_users_group: nobody 
-+pureftpd_virtual_users_user: nogroup -+# pureftpd_virtual_users_gid: '65534' -+# pureftpd_virtual_users_uid: '65534' -+ -+pureftpd_virtual_users: -+ - name: maica_scan -+ password: maica_scan -+ homedir: /data/samba/Scans/Maica_scans -+ uid: maica -+ gid: users -+ - name: buero_scan -+ password: buero_scan -+ homedir: /data/samba/Scans/Buero_Scans -+ uid: buero -+ gid: users -+ - name: jibran_scan -+ password: jibran_scan -+ homedir: /data/samba/Scans/Jibran_scan_Scans -+ uid: jibran -+ gid: users -+ # Available properties -+ # - name: vuser1 -+ # password: p4ssW0rd -+ # homedir: /var/ftp/vuser1 -+ # uid: 2000 -+ # gid: 2000 -+ # quota_files: 2000 -+ # quota_size: 500 -+ # bandwidth_ul: 5 -+ # bandwidth_dl: 5 -+ # ratio_ul: 10 -+ # ratio_dl: 1 -+ -+pureftpd_virtual_deleted_users: [] -+ # Available properties -+ # - name: vuser2 -+ -+pureftpd_virtual_users_import: false -+ -+ -+ - # ========== - # vars used by roles/common/tasks/user.yml - # ========== -diff --git a/hosts b/hosts -index 98add24..e3079cd 100644 ---- a/hosts -+++ b/hosts -@@ -53,4 +53,8 @@ file-akb.akb.netz ansible_user=root - file-akb.akb.netz ansible_user=root - 192.168.82.20 ansible_user=root -  -+[ftp_server] -+file-akb.akb.netz ansible_user=root -+192.168.82.20 ansible_user=root -+ - [gateway_server] -diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml -index f9391f6..be73450 100644 ---- a/roles/common/handlers/main.yml -+++ b/roles/common/handlers/main.yml -@@ -59,3 +59,12 @@ - name: cups-browsed - daemon_reload: yes - state: restarted -+ -+- name: reload Pure-FTPd users -+ command: pure-pw mkdb -+ -+- name: restart Pure-FTPd -+ service: -+ name: pure-ftpd -+ state: restarted -+ -diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml -index 466edd1..77fd1c4 100644 ---- a/roles/common/tasks/apt.yml -+++ b/roles/common/tasks/apt.yml -@@ -96,12 +96,17 @@ - tags: - - apt-initial-install -  --- name: (apt.yml) Ensure we have CPU microcode from backports 
(debian stretch) -+# --- -+# Microcode -+# --- -+ -+- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch) - apt: -- name: "{{ microcode_package }}" -+ name: "{{ microcode_intel_package }}" - state: present - default_release: "{{ ansible_distribution_release }}-backports" - when: -+ - apt_backports_enable - - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "9" - - ansible_facts['processor']|string is search("Intel") -@@ -109,9 +114,24 @@ - - apt-initial-install - - apt-microcode -  --- name: (apt.yml) Install CPU microcode (debian buster) -+- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch) -+ apt: -+ name: "{{ microcode_amd_package }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}-backports" -+ when: -+ - apt_backports_enable -+ - apt_debian_contrib_nonfree_enable -+ - ansible_facts['distribution'] == "Debian" -+ - ansible_facts['distribution_major_version'] == "9" -+ - ansible_facts['processor']|string is search("AMD") -+ tags: -+ - apt-initial-install -+ - apt-microcode -+ -+- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster) - apt: -- name: "{{ microcode_package }}" -+ name: "{{ microcode_intel_package }}" - state: present - default_release: "{{ ansible_distribution_release }}" - when: -@@ -122,9 +142,23 @@ - - apt-initial-install - - apt-microcode -  --- name: (apt.yml) Install CPU microcode (ubuntu bionic) -+- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster) - apt: -- name: "{{ microcode_package }}" -+ name: "{{ microcode_amd_package }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}" -+ when: -+ - apt_debian_contrib_nonfree_enable -+ - ansible_facts['distribution'] == "Debian" -+ - ansible_facts['distribution_major_version'] == "10" -+ - ansible_facts['processor']|string is search("AMD") -+ tags: -+ - apt-initial-install -+ - apt-microcode -+ -+- 
name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic) -+ apt: -+ name: "{{ microcode_intel_package }}" - state: present - default_release: "{{ ansible_distribution_release }}" - when: -@@ -135,9 +169,23 @@ - - apt-initial-install - - apt-microcode -  --- name: (apt.yml) Install CPU microcode (ubuntu xenial) -+- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic) - apt: -- name: "{{ microcode_package }}" -+ name: "{{ microcode_amd_package }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}" -+ when: -+ - apt_debian_contrib_nonfree_enable -+ - ansible_facts['distribution'] == "Ubuntu" -+ - ansible_facts['distribution_release'] == "bionic" -+ - ansible_facts['processor']|string is search("AMD") -+ tags: -+ - apt-initial-install -+ - apt-microcode -+ -+- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial) -+ apt: -+ name: "{{ microcode_intel_package }}" - state: present - default_release: "{{ ansible_distribution_release }}" - when: -@@ -148,6 +196,49 @@ - - apt-initial-install - - apt-microcode -  -+- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial) -+ apt: -+ name: "{{ microcode_amd_package }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}" -+ when: -+ - apt_debian_contrib_nonfree_enable -+ - ansible_facts['distribution'] == "Ubuntu" -+ - ansible_facts['distribution_release'] == "xenial" -+ - ansible_facts['processor']|string is search("AMD") -+ tags: -+ - apt-initial-install -+ - apt-microcode -+ -+# --- -+# Firmware -+# --- -+ -+- name: (apt.yml) Install Firmware packages -+ apt: -+ name: "{{ firmware_non_free_packages }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}" -+ tags: -+ - apt-initial-install -+ - apt-firmware -+ -+- name: (apt.yml) Install non-free Firmware packages -+ apt: -+ name: "{{ firmware_non_free_packages }}" -+ state: present -+ default_release: "{{ ansible_distribution_release }}" -+ when: -+ - 
apt_debian_contrib_nonfree_enable -+ tags: -+ - apt-initial-install -+ - apt-firmware -+ -+ -+# --- -+# unwanted packages -+# --- -+ - - name: (apt.yml) Remove unwanted packages - apt: - name: "{{ apt_remove }}" -diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml -index cba68be..b9802b6 100644 ---- a/roles/common/tasks/main.yml -+++ b/roles/common/tasks/main.yml -@@ -55,6 +55,14 @@ - tags: - - cups -  -+# tags supported inside cups-install.yml: -+# -+- import_tasks: pure-ftpd-install.yml -+ when:  -+ - groups['ftp_server']|string is search(inventory_hostname) -+ tags: -+ - pure-ftpd -+ - # tags supported inside nfs.yml: - # - # nfs-server