ansible/mbr-bln
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph
2020-10-14 18:07:09 +02:00
parent cbf4d7b452
commit 76f24d9900
91 changed files with 23093 additions and 2155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
roles/common/files/etc/samba/users.map Normal file
View File

@ -0,0 +1,18 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.
root = admin administrator

110
roles/common/files/root/_bashrc
View File

@ -1,110 +0,0 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# don't put duplicate lines in the history. See bash(1) for more options
# ... or force ignoredups and ignorespace
HISTCONTROL=ignoredups:ignorespace
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias ..='cd ..'
alias ...='cd ../..'
alias ....='cd ../../..'
alias poweroff='echo -e "\n\tplease use: /sbin/poweroff\n"'
alias reboot='echo -e "\n\tplease use: /sbin/reboot\n"'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
#if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
# . /etc/bash_completion
#fi
export EDITOR=vim

25
roles/common/files/root/_profile
View File

@ -1,25 +0,0 @@
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
if [ -d "$HOME/bin/admin-stuff" ] ; then
PATH="$HOME/bin/admin-stuff:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
mesg n || true

173
roles/common/files/root/_vimrc
View File

@ -1,173 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
set shiftwidth=3
set tabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue

6
roles/common/files/vault/luks_chris_passwd Normal file
View File

@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
62323434623266663935613930616166356337326431363364343533643737333563626366303561
3932643537656366666237653865356132646166373836300a663261383165356434313436653432
37383766366337373463393532393534393461343631666239326161306132393766393232316431
3838623633643964310a336132326136613738323863623536343739646135356464623832363932
63316661346433373266623562613062386266396334643737643662313439393836

6
roles/common/files/vault/luks_default_passwd Normal file
View File

@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
61616531623932306237316562643665383565373865386562326662343031393165373339363039
6365366161333663656235653238663139663063373939310a343035313832343861323331323038
36316539636134363165653765306530373130383363376335323332663737393761636564613535
3964373431393161340a623137376539363364313230633962343465393565316437623565363833
3263

32
roles/common/handlers/main.yml
View File

@ -45,7 +45,39 @@
daemon_reload: yes
state: restarted
- name: Restart smbd
service:
name: smbd
daemon_reload: yes
state: restarted
- name: Restart nmbd
service:
name: nmbd
daemon_reload: yes
state: restarted
- name: Reload samba config
shell: smbcontrol all reload-config
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: Restart cups
service:
name: cups
daemon_reload: yes
state: restarted
- name: Restart ntp
service:
name: ntp
daemon_reload: yes
state: restarted
- name: Restart cups-browsed
service:
name: cups-browsed
daemon_reload: yes
state: restarted

164
roles/common/tasks/apt.yml
View File

@ -8,10 +8,13 @@
group: root
mode: 0644
register: apt_config_updated
when: apt_manage_sources_list|bool
when:
- ansible_facts['distribution'] == "Debian"
- apt_manage_sources_list|bool
tags:
- apt-configuration
- name: (apt.yml) apt update
apt:
update_cache: true
@ -26,6 +29,7 @@
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
@ -41,6 +45,7 @@
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
@ -54,6 +59,7 @@
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) Initial install debian packages (stretch)
apt:
name: "{{ apt_initial_install_stretch }}"
@ -64,6 +70,7 @@
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (buster)
apt:
name: "{{ apt_initial_install_buster }}"
@ -74,12 +81,39 @@
tags:
- apt-initial-install
- name: (apt.yml) Ensure we have CPU microcode from backports (debian stretch)
- name: (apt.yml) Initial install ubuntu packages (bionic)
apt:
name: "{{ microcode_package }}"
name: "{{ apt_initial_install_bionic }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (xenial)
apt:
name: "{{ apt_initial_install_xenial }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
tags:
- apt-initial-install
# ---
# Microcode
# ---
- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- apt_backports_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("Intel")
@ -87,9 +121,26 @@
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster)
- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch)
apt:
name: "{{ microcode_package }}"
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- apt_backports_enable
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
@ -100,6 +151,109 @@
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
# ---
# Firmware
# ---
- name: (apt.yml) Install Firmware packages
apt:
name: "{{ firmware_non_free_packages }}"
state: present
default_release: "{{ ansible_distribution_release }}"
tags:
- apt-initial-install
- apt-firmware
- name: (apt.yml) Install non-free Firmware packages
apt:
name: "{{ firmware_non_free_packages }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
tags:
- apt-initial-install
- apt-firmware
# ---
# unwanted packages
# ---
- name: (apt.yml) Remove unwanted packages
apt:
name: "{{ apt_remove }}"

37
roles/common/tasks/basic.yml
View File

@ -14,6 +14,7 @@
tags:
- locales
- name: (basic.yml) Create a symbolic link /bin/sh -> bash
file:
src: bash
@ -21,9 +22,12 @@
owner: root
group: root
state: link
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- symlink-sh
- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
stat:
path: /etc/systemd/system
@ -31,6 +35,7 @@
when:
- set_default_limit_nofile|bool == true
- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
lineinfile:
dest: /etc/systemd/system.conf
@ -44,6 +49,7 @@
tags:
- systemd-nofiles
- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
stat:
path: /etc/security/limits.conf.ORIG
@ -57,6 +63,7 @@
tags:
- limits-conf
- name: (basic.yml) Create new sshd_config from template limits.conf.j2
template:
src: etc/security/limits.conf.j2
@ -66,3 +73,33 @@
mode: 0644
tags:
- limits-conf
# - /etc/hosts
- name: (basic.yml) Check file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_hosts
- name: (basic.yml) Backup installation version of file '/etc/hosts'
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_hosts_ORIG.stat.exists == False
tags:
- etc_hosts
- name: (basic.yml) addjust '/etc/hosts' add nis-server ..
lineinfile:
path: /etc/hosts
regexp: '^192\.168\.'
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
when:
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- etc_hosts

152
roles/common/tasks/cups-install.yml Normal file
View File

@ -0,0 +1,152 @@
---
# ---
# Cups Server
# ---
- name: (cups-install.yml) Ensure CUPS packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_cups_buster }}'
state: present
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- cups-server
# ---
# Cups clients
# ---
- name: (cups.yml) Ensure CUPS packages clients are installed.
package:
pkg: "{{ apt_install_client_cups }}"
state: present
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
tags:
- cups-client
# -- file /etc/cups/cups-browsed.conf
- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIGi' exists
stat:
path: /etc/cups/cups-browsed.conf.ORIG
register: cups_browsed_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-browsed.conf file
command: cp /etc/cups/cups-browsed.conf /etc/cups/cups-browsed.conf.ORIG
when: cups_browsed_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.server.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.client.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-client
# -- file /etc/cups/cupsd.conf
- name: (cups.yml) Check if file '/etc/cups/cupsd.conf.ORIG' exists
stat:
path: /etc/cups/cupsd.conf.ORIG
register: cupsd_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cupsd.conf file
command: cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.ORIG
when: cupsd_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.server.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.client.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-server
# -- file /etc/cups/cups-files.conf
- name: (cups.yml) Check if file '/etc/cups/cups-files.conf.ORIGi' exists
stat:
path: /etc/cups/cups-files.conf.ORIG
register: cups_files_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-files.conf file
command: cp /etc/cups/cups-files.conf /etc/cups/cups-files.conf.ORIG
when: cups_files_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-files.conf
template:
src: "etc/cups/cups-files.conf.j2"
dest: /etc/cups/cups-files.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
tags:
- cups-server
- cups-client

66
roles/common/tasks/git.yml Normal file
View File

@ -0,0 +1,66 @@
---
# ---
# Default reposotories
# ---
- name: (git.yml) Install/Update default repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_default_repositories }}'
loop_control:
label: "{{ item.name }}"
tags:
- git-default-repositories
# ---
# Group [file_server] reposotories
# ---
- name: (git.yml) Install/Update file_server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_oopen_server_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- git-file-server-repositories
# ---
# Group [samba_server] reposotories
# ---
- name: (git.yml) Install/Update samba server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_samba_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['samba_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
- git-samba-server-repositories
# ---
# Group [gateway_server] reposotories
# ---
- name: (git.yml) Install/Update gateway repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_gateway_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['gateway_server']|string is search(inventory_hostname)"
tags:
- git-gateway-server-repositories

9
roles/common/tasks/luks.yml
View File

@ -1,9 +1,6 @@
- name: (luks.ym) add new key to the LUKS container (container has to exist)
luks_device:
#device: "{{ luks_device }}"
#keyfile: "{{ role_path + '/files/vault/luks_default_passwd' }}"
#new_keyfile: "{{ role_path + '/files/vault/luks_new_passwd' }}"
device: "/dev/sda3"
keyfile: "/vault/luks_default_passwd"
new_keyfile: "/vault/luks_new_passwd"
device: "{{ luks_device }}"
keyfile: "{{ role_path + '/files/vault/luks_default_passwd' }}"
new_keyfile: "{{ role_path + '/files/vault/luks_chris_passwd' }}"

184
roles/common/tasks/main.yml
View File

@ -1,6 +1,5 @@
---
# tags supported inside basic.yml
#
# timezone
@ -10,12 +9,14 @@
tags:
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update
@ -29,6 +30,42 @@
- import_tasks: apt.yml
tags: apt
# tags supportetd inside git.yml
#
# git-default-repositories
# git-file-server-repositories
# git-gateway-server-repositories
- import_tasks: git.yml
tags: git
# tags supported inside ntp.yml:
#
# ntp-server
- import_tasks: ntp.yml
tags:
- ntp
# tags supported inside cups-install.yml:
#
# cups-server
# cups-client
- import_tasks: cups-install.yml
tags:
- cups
# tags supported inside pure-ftpd-install.yml:
#
- import_tasks: pure-ftpd-install.yml
when:
- groups['ftp_server']|string is search(inventory_hostname)
tags:
- pure-ftpd
# tags supported inside nfs.yml:
#
# nfs-server
@ -37,68 +74,132 @@
tags:
- nfs
# tags supported inside nfs.yml:
# tags supported inside samba-install.yml:
#
# samba-server
# samba-client
- import_tasks: samba-install.yml
tags:
- samba-install
- samba
# tags supported inside samba-remove-user.yml:
#
- import_tasks: samba-remove-user.yml
tags:
- samba-remove-user
# tags supported inside system-user.yml:
#
# system-user
- import_tasks: system-user.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- system-user
# tags supported inside nis-install-server.yml:
#
# nis-install-server
- import_tasks: nis-install-server.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
# tags supported inside nfs.yml:
# tags supported inside nis-user.yml:
#
# nis-user
- import_tasks: nis-user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-user
# tags supported inside nis-install-client.yml:
#
# nis-install-client
- import_tasks: nis-install-client.yml
when: "groups['nis_client']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-client
# tags supported inside nis_user.yml:
#
# nis-user
# system-user
- import_tasks: nis_user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-user
# tags supported inside samba_user.yml:
# tags supported inside samba-user.yml:
#
# samba-user
- import_tasks: samba_user.yml
- import_tasks: samba-user.yml
when: "groups['samba_server']|string is search(inventory_hostname)"
tags:
- nis-samba-user
- import_tasks: user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported inside sudoers.yml:
# tags supported inside mount_samba_shares.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
# tags supported inside samba-server-shares.yml:
#
# samba-shares
# samba-config
- import_tasks: samba-server.yml
when: "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
#- import_tasks: mount_samba_shares.yml
# when: "groups['client_pc']|string is search(inventory_hostname)"
# tags:
# - samba-shares
# tags supported system-user-systemfiles.yml:
# profile
# bashrc
# vimrc
- import_tasks: system-user-systemfiles.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported nis-user-systemfiles.yml:
# profile
# bashrc
# vimrc
- import_tasks: nis-user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
- nis-user-systemfiles
# tags supported root-files-scripts.yml:
# wakeup_lan
- import_tasks: root-files-scripts.yml
tags:
- root-files-scripts
# tags supported inside sudoers-pc.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-pc.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
# tags supported inside sudoers-server.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-server.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- sudoers
# Tasks: Configure VNC (x11vnc) for Ubuntu systems
#
# Supported OS:
@ -125,14 +226,9 @@
- x11vnc-1804
- finish-client-install
#- name: "Configure LUKS"
# import_tasks: luks.yml
# when: "groups['client_pc']|string is search(inventory_hostname)"
# tags:
# - luks
- import_tasks: root-systemfiles.yml
when: "groups['nis_client']|string is search(inventory_hostname)"
- name: "Configure LUKS"
import_tasks: luks.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- root-systemfiles
- finish-client-install
- luks

17
roles/common/tasks/nfs.yml
View File

@ -44,6 +44,23 @@
tags:
- nfs-server
- name: Enable service rpc-statd and ensure it is not masked
systemd:
name: rpc-statd
enabled: yes
masked: no
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- name: Make sure service rpc-statd is running
systemd:
state: started
name: rpc-statd
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
tags:
- nfs-server
# ---
# NFS clients
# ---

6
roles/common/tasks/nis-install-client.yml
View File

@ -145,7 +145,7 @@
- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
lineinfile:
path: /etc/hosts
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}'
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
insertafter: EOF
state: present
owner: root
@ -160,7 +160,7 @@
# /etc/nsswitch.conf
# ---
- name: (nis.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
- name: (nis-install-client.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
stat:
path: /etc/nsswitch.conf.ORIG
register: nsswitch_conf_orig_exists
@ -168,7 +168,7 @@
- nis-install
- nis-install-client
- name: (nis.yml) Backup existing file /etc/nsswitch.conf
- name: (nis-install-client.yml) Backup existing file /etc/nsswitch.conf
command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
when:
- nsswitch_conf_orig_exists.stat.exists == False

35
roles/common/tasks/nis-install-server.yml
View File

@ -4,6 +4,16 @@
# Install nis
# ---
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
@ -15,15 +25,16 @@
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
- name: (nis-install-server.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-server
- nis-install-client
# ---
@ -85,14 +96,14 @@
- nis-install
- nis-install-server
- name: (nis-install-client.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
- name: (nis-install-server.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
replace:
path: /etc/ypserv.securenets
regexp: '^(0.0.0.0\s+.*)'
replace: '#\1'
tags:
- nis-install
- nis-install-client
- nis-install-server
- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets
lineinfile:
@ -105,7 +116,7 @@
mode: '0644'
tags:
- nis-install
- nis-install-client
- nis-install-server
- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets
lineinfile:
@ -134,13 +145,13 @@
- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
file:
path: '{{ nis_base_home}}'
path: '{{ nis_base_home }}'
owner: root
group: root
mode: '0755'
state: directory
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server

183
roles/common/tasks/nis-user-systemfiles.yml Normal file
View File

@ -0,0 +1,183 @@
---
# ---
# Check if local template directories exists
# ---
# nis_users
- name: (nis-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_nis_user
# --
# Copy .profile
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (nis-user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (nis-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (nis-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile.j2
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (nis-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# --
# Copy .vimrc
# ---
- name: (nis-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (nis-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (nis-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (nis-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc

21
roles/common/tasks/nis_user.yml → roles/common/tasks/nis-user.yml
View File

@ -9,7 +9,7 @@
name: '{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
@ -21,7 +21,7 @@
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
@ -48,25 +48,20 @@
#- meta: end_host
- name: (nis_user.yml) Check if nis (system) user exists
shell: "getent passwd {{ item.name }}"
register: nis_user_exists
changed_when: "nis_user_exists.rc == 2"
failed_when: "nis_user_exists.rc > 2"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
ignore_errors: true
- name: (nis_user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- nis-user
- system-user
- name: (nis_user.yml) Add nis (system) users
- name: (nis_user.yml) Add nis (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when: nis_user_exists is changed
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- nis-user

121
roles/common/tasks/nis_samba_user.yml
View File

@ -1,121 +0,0 @@
---
# ---
# - Remove unwanted users
# ---
- name: (nis_samba_user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_deleted_user_present
changed_when: "samba_deleted_user_present.rc == 0"
failed_when: "samba_deleted_user_present.rc > 1"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from samba
shell: "smbpasswd -s -x {{ item.name }}"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
when: samba_deleted_user_present is changed
tags:
- samba-user
- name: (nis_samba_user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
# ---
# - default user/groups
# ---
- name: (nis_samba_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_samba_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_samba_user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc > 0"
failed_when: "samba_nis_user_present.rc > 1"
with_items:
- "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (nis_samba_user.yml) Add nis user to samba (with nis users password)
shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- samba_nis_user_present is changed
notify: Renew nis databases
tags:
- samba-user

47
roles/common/tasks/ntp.yml Normal file
View File

@ -0,0 +1,47 @@
---
# ---
# NTP Server
# ---
- name: (ntp.yml) Ensure ntp package is installed.
apt:
name:
- ntp
state: present
when:
- ansible_os_family == "Debian"
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
stat:
path: /etc/ntp.conf.ORIG
register: etc_ntp_conf_ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
- etc_ntp_conf_ORIG.stat.exists == False
tags:
- ntp-server
- name: (ntp.yml) Update '/etc/ntp.conf'
template:
src: "etc/ntp.conf.j2"
dest: /etc/ntp.conf
owner: root
group: root
mode: 0644
notify: Restart ntp
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server

52
roles/common/tasks/pure-ftpd-install.yml Normal file
View File

@ -0,0 +1,52 @@
---
# ==========
#
# mostly copied from:
# https://github.com/gcoop-libre/ansible-role-pure-ftpd
#
# git clone https://github.com/gcoop-libre/ansible-role-pure-ftpd.git
#
# ==========
# ---
# Install PureFTP Daemon
# ---
- include: pure-ftpd/setup.yml
# ---
# Configure PureFTP Daemon
# ---
- include: pure-ftpd/configure.yml
# ---
# Authentication Configuration
# ---
- include: pure-ftpd/authentication.yml
# ---
# Virtual user
# ---
- include: pure-ftpd/virtual-users.yml
# ---
# TLS Certificate
# ---
- include: pure-ftpd/tls-certificate.yml
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd service is started enabled on startup.
service:
name: pure-ftpd
state: started
enabled: yes

66
roles/common/tasks/pure-ftpd/authentication.yml Normal file
View File

@ -0,0 +1,66 @@
---
# ---
# Authentication Configuration
# ---
- name: (pure-ftpd-install.yml) Get current authentications.
command: ls -1 {{ pureftpd_config_auth_dir }}
register: pureftpd_current_auth
changed_when: false
- name: (pure-ftpd-install.yml) Define empty pureftpd_authentications variable.
set_fact:
pureftpd_authentications: []
- name: (pure-ftpd-install.yml) Enable PureDB authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/PureDB"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_puredb }}pure"
state: link
when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Add PureDB to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_puredb }}pure']"
when: pureftpd_auth_puredb > 0 and pureftpd_config['PureDB'] is defined
- name: (pure-ftpd-install.yml) Add PAM to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_pam }}pam']"
when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
- name: (pure-ftpd-install.yml) Enable UNIX authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/UnixAuthentication"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_unix }}unix"
state: link
when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Add UnixAuthentication to Pure-FTPd authentications.
set_fact:
pureftpd_authentications: "{{ pureftpd_authentications }} + ['{{ pureftpd_auth_unix }}unix']"
when: pureftpd_auth_unix > 0 and pureftpd_config['UnixAuthentication'] is defined
- name: (pure-ftpd-install.yml) Enable PAM authentication.
file:
src: "{{ pureftpd_config_conf_dir }}/PAMAuthentication"
dest: "{{ pureftpd_config_auth_dir }}/{{ pureftpd_auth_pam }}pam"
state: link
when: pureftpd_auth_pam > 0 and pureftpd_config['PAMAuthentication'] is defined
notify: restart Pure-FTPd
# Delete unused authentification if exists
- name: (pure-ftpd-install.yml) Delete old authentications.
file:
path: "{{ pureftpd_config_auth_dir }}/{{ item }}"
state: absent
when: item not in pureftpd_authentications
with_items: "{{ pureftpd_current_auth.stdout_lines }}"
notify: restart Pure-FTPd

45
roles/common/tasks/pure-ftpd/configure.yml Normal file
View File

@ -0,0 +1,45 @@
---
# ---
# Configure PureFTP Daemon
# ---
# Remove old current configurations if exists
- name: Upload Pure-FTPd global configuration file.
template:
src: etc/default/pure-ftpd-common.j2
dest: "{{ pureftpd_global_config_file }}"
owner: root
group: root
mode: '0644'
notify: restart Pure-FTPd
- name: (pure-ftpd-install.yml) Compile Pure-FTPd configurations (set fact..).
set_fact:
pureftpd_config_compiled: "{{ pureftpd_config }}"
- name: (pure-ftpd-install.yml) Get current configuration.
command: ls -1 {{ pureftpd_config_conf_dir }}
register: pureftpd_current_config
changed_when: false
- name: (pure-ftpd-install.yml) Delete old configuration.
file:
path: "{{ pureftpd_config_conf_dir }}/{{ item }}"
state: absent
when: pureftpd_config_compiled[item] is not defined
with_items: "{{ pureftpd_current_config.stdout_lines }}"
notify: restart Pure-FTPd
# write new configuration
- name: (pure-ftpd-install.yml) Write configuration.
template:
src: etc/pure-ftpd/conf/config.j2
dest: "{{ pureftpd_config_conf_dir }}/{{ item.key }}"
owner: root
group: root
mode: '0644'
with_dict: '{{ pureftpd_config_compiled }}'
notify: restart Pure-FTPd

34
roles/common/tasks/pure-ftpd/create-virtual-ftp-user.yml Normal file
View File

@ -0,0 +1,34 @@
---
# ---
# Add virtual ftp users
# ---
- name: "(create-virtual-ftp-user.yml) Verify if virtual ftp user {{ user.name }} exists"
command: pure-pw show {{ user.name }}
register: pureftpd_virtual_user_exists
changed_when: "pureftpd_virtual_user_exists.rc != 0"
failed_when:
- "pureftpd_virtual_user_exists.rc != 0"
- "pureftpd_virtual_user_exists.rc != 16"
ignore_errors: true
loop_control:
label: '{{ user.name }}'
- name: "(create-virtual-ftp-user.yml) Create virtual ftp user {{ user.name }} ."
shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw useradd {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
#when: pureftpd_virtual_user_exists.failed is defined and pureftpd_virtual_user_exists.failed
when: pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users
- name: "User {{ user.name }}: Update virtual user"
command: "pure-pw usermod {{ user.name }} -u {{ user.uid | default(pureftpd_virtual_users_user) }} -g {{ user.gid | default(pureftpd_virtual_users_group) }} -d {{ user.homedir }} -n {{ user.quota_files | default('\"\"') }} -N {{ user.quota_size | default('\"\"') }} -t {{ user.bandwidth_dl | default('\"\"') }} -T {{ user.bandwidth_ul | default('\"\"') }} -q {{ user.ratio_ul | default('\"\"') }} -Q {{ user.ratio_dl | default('\"\"') }}"
#when: pureftpd_virtual_user_exists.failed is defined and not pureftpd_virtual_user_exists.failed
when: not pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users
- name: "User {{ user.name }}: Update virtual user password"
shell: "(echo {{ user.password }}; echo {{ user.password }}) | pure-pw passwd {{ user.name }}"
when: not pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users

19
roles/common/tasks/pure-ftpd/remove-virtual-user.yml Normal file
View File

@ -0,0 +1,19 @@
---
# ---
# Remove virtual ftp users
# ---
- name: "User {{ user.name }}: Verify if it exists"
command: pure-pw show {{ user.name }}
register: pureftpd_virtual_user_exists
changed_when: "pureftpd_virtual_user_exists.rc == 0"
failed_when:
- "pureftpd_virtual_user_exists.rc != 0"
- "pureftpd_virtual_user_exists.rc != 16"
ignore_errors: true
- name: "User {{ user.name }}: Remove virtual user"
shell: "pure-pw userdel {{ user.name }}"
when: pureftpd_virtual_user_exists.changed
notify: reload Pure-FTPd users

21
roles/common/tasks/pure-ftpd/setup.yml Normal file
View File

@ -0,0 +1,21 @@
---
# ---
# Install PureFTP Daemon
# ---
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd is installed.
apt:
name: "{{ pureftpd_packages }}"
state: present
cache_valid_time: 3600
update_cache: yes
- name: (pure-ftpd-install.yml) Upload Pure-FTPd global configuration file.
template:
src: etc/default/pure-ftpd-common.j2
dest: "{{ pureftpd_global_config_file }}"
owner: root
group: root
mode: '0644'
notify: restart Pure-FTPd

40
roles/common/tasks/pure-ftpd/tls-certificate.yml Normal file
View File

@ -0,0 +1,40 @@
---
# ---
# TLS Certificate
# ---
# - method 'generate'
- name: Generate Pure-FTPd TLS certificate.
command: openssl req -x509 -nodes -newkey rsa:{{ pureftpd_tls_certificate_openssl.size | default(4096) }} -sha256 -days {{ pureftpd_tls_certificate_openssl.days | default(365) }} -keyout {{ pureftpd_tls_certificate_pem }} -out {{ pureftpd_tls_certificate_pem }} -subj "/C={{ pureftpd_tls_certificate_openssl.country | default('') }}/ST={{ pureftpd_tls_certificate_openssl.state | default('') }}/L={{ pureftpd_tls_certificate_openssl.locality | default('') }}/O={{ pureftpd_tls_certificate_openssl.organization | default('') }}/OU={{ pureftpd_tls_certificate_openssl.unit | default('') }}/CN={{ pureftpd_tls_certificate_openssl.fqdn }}"
args:
creates: "{{ pureftpd_tls_certificate_pem }}"
when:
- pureftpd_tls_certificate_method == 'generate'
- pureftpd_tls_certificate_openssl | length > 0
notify: restart Pure-FTPd
- name: Ensure Pure-FTPd TLS certificate permissions.
file:
path: "{{ pureftpd_tls_certificate_pem }}"
owner: root
group: root
mode: '0600'
state: file
when:
- pureftpd_tls_certificate_method == 'generate'
- pureftpd_tls_certificate_openssl | length > 0
# - final checks
- name: (pure-ftpd-install.yml) Verify TLS certificate exists.
stat:
path: "{{ pureftpd_tls_certificate_pem }}"
register: pureftpd_tls_certificate
- name: (pure-ftpd-install.yml) Fail when no certificate is found.
fail:
msg: |
The certificate file was not found at {{ pureftpd_tls_certificate_pem }}
when: not pureftpd_tls_certificate.stat.exists | default(False)

57
roles/common/tasks/pure-ftpd/virtual-users.yml Normal file
View File

@ -0,0 +1,57 @@
---
# Default virtual users/group
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd group exists.
group:
name: "{{ pureftpd_virtual_users_group }}"
gid: "{{ pureftpd_virtual_users_gid | default(omit) }}"
system: no
state: present
when: pureftpd_virtual_users | length > 0
- name: (pure-ftpd-install.yml) Ensure Pure-FTPd user exists.
user:
name: "{{ pureftpd_virtual_users_user }}"
uid: "{{ pureftpd_virtual_users_uid | default(omit) }}"
group: "{{ pureftpd_virtual_users_group }}"
home: /dev/null
shell: /usr/sbin/nologin
system: no
state: present
when: pureftpd_virtual_users | length > 0
# user databas
- name: (pure-ftpd-install.yml) Verify virtual users database existence.
stat:
path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
register: pureftpd_virtual_users_database
- name: (pure-ftpd-install.yml) Ensure virtual users database exists.
file:
path: "{{ pureftpd_config_dir }}/pureftpd.passwd"
owner: root
group: root
mode: '0600'
state: touch
when: (pureftpd_virtual_users | length > 0) and not pureftpd_virtual_users_database.stat.exists | default(False)
# - Cretate virtual user
- include_tasks: create-virtual-ftp-user.yml
vars:
user: "{{ item }}"
with_items: "{{ pureftpd_virtual_users }}"
when: pureftpd_virtual_users | length > 0
no_log: true
# Remove virtual user
# -
- include_tasks: remove-virtual-user.yml
vars:
user: "{{ item }}"
with_items: "{{ pureftpd_virtual_deleted_users }}"
when: pureftpd_virtual_deleted_users | length > 0

51
roles/common/tasks/root-files-scripts.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: (root_files_scripts.yml) Ensure directory /root/bin exists
file:
path: /root/bin
owner: root
group: root
mode: '0700'
state: directory
when:
- groups['file_server']|string is search(inventory_hostname)
- name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present
template:
src: "root/bin/wakeup_lan.sh.j2"
dest: /root/bin/wakeup_lan.sh
owner: root
group: root
mode: 0755
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- wakeup_lan
- name: (root_files_scripts.yml) Check file '/etc/motd.ORIG' exists
stat:
path: /etc/motd.ORIG
register: etc_motd_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_motd
- name: (basic.yml) Backup installation version of file '/etc/motd'
command: cp -a /etc/motd /etc/motd.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd
- name: (root_files_scripts.yml) Write new '/etc/motd' file..
shell: >
figlet '{{ nis_server_name.split(".")[0] }}' > /etc/motd
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd

88
roles/common/tasks/root-systemfiles.yml
View File

@ -1,88 +0,0 @@
---
# ---
# Check if local template directories exists
# ---
# root
- name: (root-systemfiles.yml) Check if local template directory exists for root
local_action: stat path={{ role_path }}/files/root
register: local_template_dir_root
# --
# Copy .bashrc
# ---
- name: (root-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
register: bashrc_root_orig_exists
tags:
- bash
- name: (root-systemfiles.yml) Backup /root/.bashrc file
command: cp /root/.bashrc /root/.bashrc.ORIG
when: bashrc_root_orig_exists.stat.exists == False
tags:
- bash
- name: (root-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ role_path + '/files/root/_bashrc' }}"
dest: "/root/.bashrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', role_path + '/files/root/_bashrc')
tags:
- bash
# --
# Copy .profile
# ---
- name: (root-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
path: /root/.profile.ORIG
register: profile_root_orig_exists
tags:
- profile
- name: (root-systemfiles.yml) Backup existing users .profile file
command: cp -a /root/.profile /root/.profile.ORIG
when: profile_root_orig_exists.stat.exists == False
tags:
- profile
- name: (root-systemfiles.yml) copy .profile for user root
copy:
src: "{{ role_path + '/files/root/_profile' }}"
dest: "/root/.profile"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', role_path + '/files/root/_profile')
tags:
- profile
# --
# Copy .vimrc
# ---
- name: (root-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ role_path + '/files/root/_vimrc' }}"
dest: "/root/.vimrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', role_path + '/files/root/_vimrc')
tags:
- vim

181
roles/common/tasks/samba-install.yml Normal file
View File

@ -0,0 +1,181 @@
---
# ---
# Samba Server
# ---
- name: (samba-install.yml) Ensure samba packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_samba }}'
state: present
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Ensure samba share directories exists
file:
path: "{{ item.path }}"
owner: "root"
group: "{{ item.group_write_list }}"
mode: '2770'
state: directory
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-shares
# ---
# /etc/samba/smb.conf
# ---
- name: (samba-install.yml) Check if file '/etc/samba/smb.conf.ORIG exists'
stat:
path: /etc/samba/smb.conf.ORIG
register: smb_conf_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Backup existing file /etc/samba/smb.conf
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- smb_conf_exists.stat.exists == False
tags:
- samba-server
- name: (samba-install.yml) /etc/samba/smb.conf
template:
dest: /etc/samba/smb.conf
src: etc/samba/smb.conf.j2
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
- name: (samba-install.yml) Ensure file /etc/samba/users.map exists
copy:
src: "{{ role_path + '/files/etc/samba/users.map' }}"
dest: /etc/samba/users.map
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
# ---
# Cronjob for cleaning up samba trash dirs
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat:
path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists
- name: (samba-install.yml) Adjust configuration for script 'clean_samba_trash.sh'
template:
dest: /root/bin/samba/conf/clean_samba_trash.conf
src: root/bin/samba/conf/clean_samba_trash.conf.j2
when:
- clean_samba_trash_exists.stat.exists|bool
tags:
- samba-server
- name: Check if cleaning up trash dirs is configured
lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
state: absent
check_mode: yes
changed_when: false
register: clean_samba_trash_dirs
- name: Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_trash_dirs.name }}'
minute: '{{ samba_cronjob_trash_dirs.minute }}'
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}"
when:
- clean_samba_trash_dirs.found
# ---
# Cronjob for setting permissions on samba shares
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat:
path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists
- name: (samba-install.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when:
- set_permissions_on_samba_shares_exists.stat.exists|bool
tags:
- samba-server
- name: Check if cleaning up trash dirs is configured
lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
state: absent
check_mode: yes
changed_when: false
register: set_permissions_samba_shares
- name: Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_permissions.name }}'
minute: '{{ samba_cronjob_permissions.minute }}'
hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month| default('*') }}"
weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}"
user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}"
when:
- set_permissions_samba_shares.found
# ---
# Samba clients
# ---
- name: (samba-install.yml) Ensure samba packages clients are installed.
package:
pkg: "{{ apt_install_client_samba }}"
state: present
when:
- "groups['nis_client']|string is search(inventory_hostname)"
- ansible_distribution == "Ubuntu"
tags:
- samba-client

57
roles/common/tasks/samba-remove-user.yml Normal file
View File

@ -0,0 +1,57 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba-remove-user.yml) Check if samba user exists for removable system user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_system_users_present
changed_when: "samba_remove_system_users_present.rc == 0"
failed_when: "samba_remove_system_users_present.rc > 1"
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) system users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_system_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user
- name: (samba-remove-user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_nis_users_present
changed_when: "samba_remove_nis_users_present.rc == 0"
failed_when: "samba_remove_nis_users_present.rc > 1"
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) nis users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_nis_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user

41
roles/common/tasks/samba-server.yml
View File

@ -1,41 +0,0 @@
---
- name: (samba-server.yml) Ensure samba share directories exists
file:
path: "/data/shares/{{ item.name }}"
owner: "root"
group: "{{ item.group }}"
mode: '2770'
state: directory
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-shares
- name: (samba-server.yml) Checki if file '/etc/samba/smbconf.ORIG' exists
stat:
path: /etc/samba/smb.conf.ORIG
register: etc_samba_smb_conf_ORIG
tags:
- samba-config
- name: (samba-server.yml) Backup installation version of file '/etc/samba/smb.conf'
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when: etc_samba_smb_conf_ORIG.stat.exists == False
tags:
- samba-config
- name: (samba-server.yml) Create new smb.conf from template smb.conf.j2
template:
src: etc/samba/smb.conf.j2
dest: /etc/samba/smb.conf
owner: root
group: root
mode: 0644
#backup: yes
notify: "Reload samba config"
tags:
- samba-config

30
roles/common/tasks/samba-user.yml Normal file
View File

@ -0,0 +1,30 @@
---
# ---
# - default user/groups
# ---
- name: (samba-user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc == 1"
failed_when: "samba_nis_user_present.rc > 1"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (samba-user.yml) Add nis user to samba (with nis users password)
shell: >
(echo '{{ item.item.password }}'; echo '{{ item.item.password }}')
| smbpasswd -s -a {{ item.item.name }}
loop: "{{ samba_nis_user_present.results }}"
when: item.changed
loop_control:
label: '{{ item.item.name }}'
tags:
- samba-user

60
roles/common/tasks/samba_user.yml
View File

@ -1,60 +0,0 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba_user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_deleted_user_present
changed_when: "samba_deleted_user_present.rc == 0"
failed_when: "samba_deleted_user_present.rc > 1"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba_user.yml) Remove (old) users from samba
shell: "smbpasswd -s -x {{ item.name }}"
with_items:
- "{{ nis_deleted_user }}"
loop_control:
label: '{{ item.name }}'
when: samba_deleted_user_present is changed
tags:
- samba-user
# ---
# - default user/groups
# ---
- name: (samba_user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc > 0"
failed_when: "samba_nis_user_present.rc > 1"
with_items:
- "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (samba_user.yml) Add nis user to samba (with nis users password)
shell: "echo -e '{{ item.password }}\n{{ item.password }}\n' | smbpasswd -s -a {{ item.name }}"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- samba_nis_user_present is changed
notify: Renew nis databases
tags:
- samba-user

1
roles/common/tasks/sshd.yml
View File

@ -13,6 +13,7 @@
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2

32
roles/common/tasks/sudoers-pc.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: (sudoers-pc.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.pc.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers-pc.yml) update global sudoers configuration file
template:
src: etc/sudoers.pc.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers-pc.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_pc_users }}"
tags:
- sudo-users

57
roles/common/tasks/sudoers-server.yml Normal file
View File

@ -0,0 +1,57 @@
---
#- name: (sudoers-server.yml) include variables
# include_vars: "{{ item }}"
# with_first_found:
# - "sudoers-{{ inventory_hostname }}.yml"
# - "sudoers-{{ ansible_distribution_release }}.yml"
# - "sudoers-{{ ansible_distribution | lower }}.yml"
# - "sudoers-default.yml"
# tags:
# - sudoers-remove
# - sudoers-file-configuration
# - sudoers-global-configuration
- name: (sudoers-server.yml) Remove user entries in file /etc/sudoers
lineinfile:
dest: /etc/sudoers
state: absent
regexp: '^{{ item }}'
owner: root
group: root
mode: 0440
validate: visudo -cf %s
with_items: '{{ sudoers_server_remove_user }}'
tags:
- sudoers-remove
- name: (sudoers-server.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.server.j2
dest: /etc/sudoers.d/50-user
#validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers-server.yml) update global sudoers configuration file
template:
src: etc/sudoers.server.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers-server.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_server_users }}"
tags:
- sudo-users

32
roles/common/tasks/sudoers.yml
View File

@ -1,32 +0,0 @@
---
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
template:
src: etc/sudoers.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
validate: visudo -cf %s
tags:
- sudoers-global-configuration
#- name: (sudoers.yml) Ensure all sudo_users are in sudo group
# user:
# name: "{{ item }}"
# groups: sudo
# append: yes
# with_items: "{{ sudo_users }}"
# tags:
# - sudo-users

278
roles/common/tasks/system-user-systemfiles.yml Normal file
View File

@ -0,0 +1,278 @@
---
# ---
# Check if local template directories exists
# ---
# system_user
- name: (system-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_system_users
# root
- name: (system-user-systemfiles.yml) Check if local template directory exists for root
local_action: stat path={{ inventory_dir }}/files/homedirs/root
register: local_template_dir_root
# --
# Copy .profile
# ---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (system-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
- lookup('fileglob', inventory_dir + '/files/homedirs/DEFAULT/_profile')
tags:
- profile
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
path: /root/.profile.ORIG
register: profile_root_orig_exists
tags:
- profile
- name: (system-user-systemfiles.yml) Backup existing users .profile file
command: cp -a /root/.profile /root/.profile.ORIG
when: profile_root_orig_exists.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}"
dest: "/root/.profile"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (system-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (system-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
register: bashrc_root_orig_exists
tags:
- bash
- name: (system-user-systemfiles.yml) Backup /root/.bashrc file
command: cp /root/.bashrc /root/.bashrc.ORIG
when: bashrc_root_orig_exists.stat.exists == False
tags:
- bash
- name: (system-user-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}"
dest: "/root/.bashrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
tags:
- bash
# --
# Copy .vimrc
# ---
- name: (system-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (system-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}"
dest: "/root/.vimrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if local template directory .vim exists for user root
local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim
register: local_template_dir_vim_root
with_items: 'root'
loop_control:
label: 'root'
- name: (system-user-systemfiles.yml) copy .vim directory for user root if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}"
dest: "/root"
owner: "root"
group: "root"
mode: 0644
with_items: "{{ local_template_dir_vim_root.results }}"
loop_control:
label: 'root'
when:
- item.stat.exists
tags:
- vim

64
roles/common/tasks/system-user.yml Normal file
View File

@ -0,0 +1,64 @@
---
# ---
# - Remove unwanted users
# ---
- name: (user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- name: (user.yml) Remove home directory from deleted users
file:
path: '{{ base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
# ---
# - default user/groups
# ---
- name: (user.yml) Ensure system groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ system_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- system-user
#- meta: end_host
- name: (system-user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- system-user
- name: (system-user.yml) Add (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- system-user

39
roles/common/tasks/user-systemfiles.yml
View File

@ -1,39 +0,0 @@
---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- item.stat.exists == False
tags:
- profile
- name: (user-systemfiles.yml) Create new users .profile file
template:
src: user_homedirs/dot.profile.j2
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile

746
roles/common/templates/etc/cups/cups-browsed.conf.client.j2 Normal file
View File

@ -0,0 +1,746 @@
# {{ ansible_managed }}
# All configuration options described here can also be supplied on the
# command line of cups-browsed via the "-o" option. In case of
# contradicting settings the setting defined in the configuration file
# will get used.
# Unknown directives are ignored, also unknown values.
# Where should cups-browsed save information about the print queues it had
# generated when shutting down, like whether one of these queues was the
# default printer, or default option settings of the queues?
# CacheDir /var/cache/cups
# Where should cups-browsed create its debug log file (if "DebugLogging file"
# is set)?
# LogDir /var/log/cups
# How should debug logging be done? Into the file
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
# not at all ('none')?
# Note that if cups-browsed is running as a system service (for
# example via systemd) logging to stderr makes the log output going to
# the journal or syslog. Only if you run cups-browsed from the command
# line (for development or debugging) it will actually appear on
# stderr.
# DebugLogging file
# DebugLogging stderr
# DebugLogging file stderr
# DebugLogging none
# Which protocols will we use to discover printers on the network?
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
#BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols CUPS
# Which protocols will we use to broadcast shared local printers to the network?
# Can use DNSSD and/or CUPS, or 'none' for neither.
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
# DNSSD in this directive).
# BrowseLocalProtocols none
# Settings of this directive apply to both BrowseRemoteProtocols and
# BrowseLocalProtocols.
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
# BrowseProtocols none
# Only browse remote printers (via DNS-SD or CUPS browsing) from
# selected servers using the "BrowseAllow", "BrowseDeny", and
# "BrowseOrder" directives
# This serves for restricting the choice of printers in print dialogs
# to trusted servers or to reduce the number of listed printers in the
# print dialogs to a more user-friendly amount in large networks with
# very many shared printers.
# This only filters the selection of remote printers for which
# cups-browsed creates local queues. If the print dialog uses other
# mechanisms to list remote printers as for example direct DNS-SD
# access, cups-browsed has no influence. cups-browsed also does not
# prevent the user from manually accessing non-listed printers.
# "BrowseAllow": Accept printers from these hosts or networks. If
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
# line are accepted.
# "BrowseDeny": Deny printers from these hosts or networks. If there
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
# "BrowseAllow" lines, all servers NOT matching any of the
# "BrowseDeny" lines are accepted.
# "BrowseOrder": Determine the order in which "BrowseAllow" and
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
# beginning all servers are accepted, then the "BrowseDeny" lines are
# applied to exclude unwished servers or networks and after that the
# "BrowseAllow" lines to re-include servers or networks. With
# "BrowseOrder Allow,Deny" we start with denying all servers, then
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
# lines.
# Default for "BrowseOrder" is "Deny.Allow" if there are both
# "BrowseAllow" and "BrowseDeny" lines.
# If there are no "Browse..." lines at all, all servers are accepted.
# BrowseAllow All
# BrowseAllow cups.example.com
# BrowseAllow 192.168.1.12
# BrowseAllow 192.168.1.0/24
# BrowseAllow 192.168.1.0/255.255.255.0
# BrowseDeny All
# BrowseDeny printserver.example.com
# BrowseDeny 192.168.1.13
# BrowseDeny 192.168.3.0/24
# BrowseDeny 192.168.3.0/255.255.255.0
# BrowseOrder Deny,Allow
# BrowseOrder Allow,Deny
# The interval between browsing/broadcasting cycles, local and/or
# remote, can be adjusted with the BrowseInterval directive.
# BrowseInterval 60
# Browsing-related operations such as adding or removing printer queues
# and broadcasting are each allowed to take up to a given amount of time.
# It can be configured, in seconds, with the BrowseTimeout directive.
# Especially queues discovered by CUPS broadcasts will be removed after
# this timeout if no further broadcast from the server happens.
# BrowseTimeout 300
# Filtering of remote printers by other properties than IP addresses
# of their servers
# Often the desired selection of printers cannot be reached by only
# taking into account the IP addresses of the servers. For these cases
# there is the BrowseFilter directive to filter by most of the known
# properties of the printer.
# By default there is no BrowseFilter line meaning that no filtering
# is applied.
# To do filtering one can supply one or more BrowseFilter directives
# like this:
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
# The BrowseFilter directive always starts with the word
# "BrowseFilter" and it must at least contain the name of the data
# field (<FIELD>) of the printer's properties to which it should
# apply.
# Available field names are:
# name: Name of the local print queue to be created
# host: Host name of the remote print server
# port: Port through which the printer is accessed on the server
# service: DNS/SD service name of the remote printer
# domain: Domain of the remote print server
# Also all field names in the TXT records of DNS-SD-advertised printers
# are valid, like "color", "duplex", "pdl", ... If the field name of
# the filter rule does not exist for the printer, the rule is skipped.
# The optional <VALUE> field is either the exact value (when the
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
# in a terminal window) to be matched with the data field.
# If no <VALUE> filed is supplied, rules with field names of the TXT
# record are considered for boolean matching (true/false) of boolean
# field (like duplex, which can have the values "T" for true and "F"
# for false).
# If the option NOT is supplied, the filter rule is fulfilled if the
# regular expression or the exact value DOES NOT match the content of
# the data field. In a boolean rule (without <VALUE>) the rule matches
# false.
# Regular expressions are always considered case-insensitive and
# extended POSIX regular expressions. Field names and options (NOT,
# EXACT) are all evaluated case-insensitive. If there is an error in a
# regular expression, the BrowseFilter line gets ignored.
# Especially to note is that supplying any simple string consisting of
# only letters, numbers, spaces, and some basic special characters as
# a regular expression matches if it is contained somewhere in the
# data field.
# If there is more than one BrowseFilter directive, ALL the directives
# need to be fulfilled for the remote printer to be accepted. If one
# is not fulfilled, the printer will get ignored.
# Examples:
# Rules for standard data items which are supplied with any remote
# printer advertised via DNS-SD:
# Print queue name must contain "hum_res_", this matches
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
# BrowseFilter name hum_res_
# This matches if the remote host name contains "printserver", like
# "printserver.local", "printserver2.example.com", "newprintserver":
# BrowseFilter host printserver
# This matches all ports with 631 int its number, for example 631,
# 8631, 10631,...:
# BrowseFilter port 631
# This rule matches if the DNS-SD service name contains "@ printserver":
# Browsefilter service @ printserver
# Matches all domains with "local" in their names, not only "local" but
# also things like "printlocally.com":
# BrowseFilter domain local
# Examples for rules applying to items of the TXT record:
# This rule selects PostScript printers, as the "PDL" field in the TXT
# record contains "postscript" then. This includes also remote CUPS
# queues which accept PostScript, independent of whether the physical
# printer behind the CUPS queue accepts PostScript or not.
# BrowseFilter pdl postscript
# Color printers usually contain a "Color" entry set to "T" (for true)
# in the TXT record. This rule selects them:
# BrowseFilter color
# This is a similar rule to select only duplex (automatic double-sided
# printing) printers:
# BrowseFilter duplex
# Rules with the NOT option:
# This rule EXCLUDES printers from all hosts containing "financial" in
# their names, nice to get rid of the 100s of printers of the
# financial department:
# BrowseFilter NOT host financial
# Get only monochrome printers ("Color" set to "F", meaning false, in
# the TXT record):
# BrowseFilter NOT color
# Rules with more advanced use of regular expressions:
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
# still get "hum_res_mono" or "hum_res_color" but not
# "old_hum_res_mono" any more:
# BrowseFilter name ^hum_res_
# Server names is accepted if it contains "print_server" OR
# "graphics_dep_server":
# BrowseFilter host print_server|graphics_dep_server
# "printserver1", "printserver2", and "printserver3", nothing else:
# BrowseFilter host ^printserver[1-3]$
# Printers understanding at least one of PostScript, PCL, or PDF:
# BrowseFilter pdl postscript|pcl|pdf
# Examples for the EXACT option:
# Only printers from "printserver.local" are accepted:
# BrowseFilter EXACT host printserver.local
# Printers from all servers except "prinserver2.local" are accepted:
# BrowseFilter NOT EXACT host prinserver2.local
# Use BrowsePoll to poll a particular CUPS server
# BrowsePoll cups.example.com
# BrowsePoll cups.example.com:631
# BrowsePoll cups.example.com:631/version=1.1
# LDAP browsing configuration
# The default value for all options is an empty string. Example configuration:
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
# BrowseLDAPCACertFile /path/to/server/certificate.pem
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
# BrowseLDAPFilter (printerLocation=/Office 1/*)
# BrowseLDAPPassword s3cret
# BrowseLDAPServer ldaps://ldap.domain.tld
# Use DomainSocket to access the local CUPS daemon via another than the
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
# domain socket.
# DomainSocket /var/run/cups/cups.sock
# DomainSocket None
# DomainSocket Off
# Set HTTP timeout (in seconds) for requests sent to local/remote
# resources Note that too short timeouts can make services getting
# missed when they are present and operations be unneccessarily
# repeated and too long timeouts can make operations take too long
# when the server does not respond.
# HttpLocalTimeout 5
# HttpRemoteTimeout 10
# Set how many retries (N) should cups-browsed do for creating print
# queues for remote printers which receive timeouts during print queue
# creation. The printers which are not successfuly set up even after
# N retries, are skipped until the next restart of the service. Note
# that too many retries can cause high CPU load.
# HttpMaxRetries 5
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
# local queues for remote printers for which CUPS creates queues by
# itself. These printers are printers advertised via DNS-SD and doing
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
# printing, including remote CUPS queues. Queues for other printers
# (like for legacy PostScript/PCL printers) are always created
# (depending on the other configuration settings of cups-browsed).
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
# for all printers which it supports, including printers for which
# CUPS would create queues by itself. Temporary queues created by CUPS
# will get overwritten. This way it is assured that any extra
# functionality of cups-browsed will apply to these queues. As queues
# created by cups-browsed are permanent CUPS queues this setting is
# also recommended if applications/print dialogs which do not support
# temporary CUPS queues are installed. This setting is the default.
# OnlyUnsupportedByCUPS Yes
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
# for IPP printers with PPDs generated by the PPD generator of CUPS
# and not with the one of cups-browsed. So any new development in
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
# directly accessible, we need to make CUPS generate a temporary print
# queue with the desired PPD. Therefore we can only use these PPDs
# when our queue replaces a temporary CUPS queue, meaning that the
# queue is for a printer on which CUPS supports driverless printing
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
# name is the same as CUPS uses for the temporary queue
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
# applies only to IPP printers, not to remote CUPS queues, to not
# break clustering. Setting this directive to "No" lets cups-browsed
# generate the PPD file. Default setting is "No".
# UseCUPSGeneratedPPDs No
# With the directives LocalQueueNamingRemoteCUPS and
# LocalQueueNamingIPPPrinter you can determine how the names for local
# queues generated by cups-browsed are generated, separately for
# remote CUPS printers and IPP printers.
# DNS-SD (the default in both cases) bases the naming on the service
# name of the printer's advertised DNS-SD record. This is exactly the
# same naming scheme as CUPS uses for its temporary queues, so the
# local queue from cups-browsed prevents CUPS from listing and
# creating an additional queue. As DNS-SD service names have to be
# unique, queue names of printers from different servers will also be
# unique and so there is no automatic clustering for load-balanced
# printing.
# MakeModel bases the queue name on the printer's manufacturer and
# model names. This scheme cups-browsed used formerly for IPP
# printers.
# RemoteName is only available for remote CUPS queues and uses the
# name of the queue on the remote CUPS server as the local queue's
# name. This makes printers on different CUPS servers with equal queue
# names automatically forming a load-balancing cluster as CUPS did
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
# printers. This scheme cups-browsed used formerly for remote CUPS
# printers.
# LocalQueueNamingRemoteCUPS DNS-SD
# LocalQueueNamingRemoteCUPS MakeModel
# LocalQueueNamingRemoteCUPS RemoteName
# LocalQueueNamingIPPPrinter DNS-SD
# LocalQueueNamingIPPPrinter MakeModel
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
# also does. These queues use the DNS-SD service name of the
# discovered printer. With this the URI is independent of network
# interfaces and ports, giving reliable connections to always the same
# physical device. This setting is the default.
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
# conventional host-name/IP-based URIs.
# Note that this option has only influence on URIs for printers
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
# Those printers get always assigned the conventional URIs.
# DNSSDBasedDeviceURIs Yes
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
# local queues with device URIs with the IP addresses instead of the
# host names of the remote servers. This mode is there for any
# problems with host name resolution in the network, especially also
# if avahi-daemon is only run for printer discovery and already
# stopped while still printing. By default this mode is turned off,
# meaning that we use URIs with host names.
# Note that the IP addresses depend on the network interface through
# which the printer is accessed. So do not use IP-based URIs on systems
# with many network interfaces and where interfaces can appear and
# disappear frequently.
# This mode could also be useful for development and debugging.
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
# IPBasedDeviceURIs No
# IPBasedDeviceURIs Yes
# IPBasedDeviceURIs IPv4
# IPBasedDeviceURIs IPv6
# The AllowResharingRemoteCUPSPrinters directive determines whether a
# print queue pointing to a remote CUPS queue will be re-shared to the
# local network or not. Since the queues generated using the BrowsePoll
# directive are also pointing to remote queues, they are also shared
# automatically if the following option is set. Default is not to share
# remote printers.
# AllowResharingRemoteCUPSPrinters Yes
# The NewBrowsePollQueuesShared directive determines whether a print
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
# will be shared to the local network or not. This directive will only work
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
# not to share printers discovered using BrowsePoll.
# NewBrowsePollQueuesShared Yes
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
# create local queues pointing to remote raw CUPS queues. Normally,
# only queues pointing to remote queues with PPD/driver are created
# as we do not use drivers on the client side, but in some cases
# accessing a remote raw queue can make sense, for example if the
# queue forwards the jobs by a special backend like Tea4CUPS.
# CreateRemoteRawPrinterQueues Yes
# cups-browsed by default creates local print queues for each shared
# CUPS print queue which it discovers on remote machines in the local
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
# want cups-browsed to do this. For example you can set cups-browsed
# to only create queues for IPP network printers setting
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
# to "No".
# CreateRemoteCUPSPrinterQueues No
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
# network printers (native printers, not CUPS queues) with known page
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
# 5c/e) in the local network and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
# discover IPP Everywhere printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
# discover Apple Raster printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
# discover printers designed for driverless use (currently IPP
# Everywhere and Apple Raster) in the local network (native printers,
# not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
# queues only for local printers made available as IPP printers. These
# are for example IPP-over-USB printers, made available via
# ippusbxd. This is the default.
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
# for IPP network printers.
# If queues with PPD file are created (see IPPPrinterQueueType
# directive below) the PPDs are auto-generated by cups-browsed based
# on properties of the printer polled via IPP. In case of missing
# information, info from the Bonjour record is used asd as last mean
# default values.
# If queues without PPD (see IPPPrinterQueueType directive below) are
# created clients have to IPP-poll the capabilities of the printer and
# send option settings as standard IPP attributes. Then we do not poll
# the capabilities by ourselves to not wake up the printer from
# power-saving mode when creating the queues. Jobs have to be sent in
# one of PDF, PWG Raster, or JPEG format. Other formats are not
# accepted.
# This functionality is primarily for mobile devices running
# CUPS to not need a printer setup tool nor a collection of printer
# drivers and PPDs.
# CreateIPPPrinterQueues No
# CreateIPPPrinterQueues LocalOnly
# CreateIPPPrinterQueues Everywhere
# CreateIPPPrinterQueues AppleRaster
# CreateIPPPrinterQueues Everywhere AppleRaster
# CreateIPPPrinterQueues Driverless
# CreateIPPPrinterQueues All
# If cups-browsed is automatically creating print queues for native
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
# queue to be created can be selected by the "IPPPrinterQueueType"
# directive. The "PPD" (default) setting makes queues with PPD file
# being created. With "Interface" or "NoPPD" the queue is created with
# a System V interface script (Not supported with CUPS 2.2.x or
# later). "Auto" is for backward compatibility and also lets queues
# with PPD get created.
# IPPPrinterQueueType PPD
# IPPPrinterQueueType NoPPD
# IPPPrinterQueueType Interface
# IPPPrinterQueueType Auto
# The NewIPPPrinterQueuesShared directive determines whether a print
# queue for a newly discovered IPP network printer (not remote CUPS
# queue) will be shared to the local network or not. This is only
# valid for newly discovered printers. For printers discovered in an
# earlier cups-browsed session, cups-browsed will remember whether the
# printer was shared, so changes by the user get conserved. Default is
# not to share newly discovered IPP printers.
# NewIPPPrinterQueuesShared Yes
# If there is more than one remote CUPS printer whose local queue
# would get the same name and AutoClustering is set to "Yes" (the
# default) only one local queue is created which makes up a
# load-balancing cluster of the remote printers which would get this
# queue name (implicit class). This means that when several jobs are
# sent to this queue they get distributed between the printers, using
# the method chosen by the LoadBalancing directive.
# Note that the forming of clusters depends on the naming scheme for
# local queues created by cups-browsed. If you have set
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
# clustering as the DNS-SD service names are always unique. With
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
# named as the CUPS queues on the remote servers are named and so
# equally named queues on different servers get clustered (this is how
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
# set to "MakeModel" makes remote printers of the same model get
# clustered. Note that then a cluster can contain more than one queue
# of the same server.
# With AutoClustering set to "No", for each remote CUPS printer an
# individual local queue is created, and to avoid name clashes when
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
# "MakeModel" "@<server name>" is added to the local queue name.
# Only remote CUPS printers get clustered, not IPP network printers or
# IPP-over-USB printers.
# AutoClustering Yes
# AutoClustering No
# Load-balancing printer cluster formation can also be manually
# controlled by defining explicitly which remote CUPS printers should
# get clustered together.
# This is done by the "Cluster" directive:
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
# Cluster <QUEUENAME>
# If no expressions are given, <QUEUENAME> is used as the first and
# only expression for this cluster.
# Discovered printers are matched against all the expressions of all
# defined clusters. The first expression which matches the discovered
# printer determines to which cluster it belongs. Note that this way a
# printer can only belong to one cluster. Once matched, further
# cluster definitions will not checked any more.
# With the first printer matching a cluster's expression a local queue
# with the name <QUEUENAME> is created. If more printers are
# discovered and match this cluster, they join the cluster. Printing
# to this queue prints to all these printers in a load-balancing
# manner, according to to the setting of the LoadBalancing directive.
# Each expression must be a string of characters without spaces. If
# spaces are needed, replace them by underscores ('_').
# An expression can be matched in three ways:
# 1. By the name of the CUPS queue on the remote server
# 2. By make and model name of the remote printer
# 3. By the DNS-SD service name of the remote printer
# Note that the matching is done case-insensitively and any group of
# non-alphanumerical characters is replaced by a single underscore.
# So if an expression is "HP_DeskJet_2540" and the remote server
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
# If "AutoClustering" is not set to "No" both your manual cluster
# definitions will be followed and automatic clustering of
# equally-named remote queues will be performed. If a printer matches
# in both categories the match to the manually defined cluster has
# priority. Automatic clustering of equally-named remote printers is
# not performed if there is a manually defined cluster with this name
# (at least as the printers do not match this cluster).
# Examples:
# To cluster all remote CUPS queues named "laserprinter" in your local
# network but not cluster any other equally-named remote CUPS printers
# use (Local queue will get named "laserprinter"):
# AutoClustering No
# Cluster laserprinter
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
# local queue named "LJ4050":
# Cluster LJ4050: HP_LaserJet_4050
# As DNS-SD service names are unique in a network you can create a
# cluster from exactly specified printers (spaces replaced by
# underscors):
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
# The LoadBalancing directive switches between two methods of handling
# load balancing between equally-named remote queues which are
# represented by one local print queue making up a cluster of them
# (implicit class).
# The two methods are:
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
# Here we queue up the jobs on the client and regularly check the
# clustered remote print queues. If we find an idle queue, we pass
# on a job to it.
# This is also the method which CUPS uses for classes. Advantage is a
# more even distribution of the job workload on the servers
# (especially if the printing speed of the servers is very different),
# and if a server fails, there are not several jobs stuck or
# lost. Disadvantage is that if one takes the client (laptop, mobile
# phone, ...) out of the local network, printing stops with the jobs
# waiting in the local queue.
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
# Here we check the number of jobs on each of the clustered remote
# printers and send an incoming job immediately to the remote printer
# with the lowest amount of jobs in its queue. This way no jobs queue
# up locally, all jobs which are waiting are waiting on one of the
# remote servers.
# Not having jobs waiting locally has the advantage that we can take
# the local machine from the network and all jobs get printed.
# Disadvantage is that if a server with a full queue of jobs goes
# away, the jobs go away, too.
# Default is queuing the jobs on the client as this is what CUPS does
# with classes.
# LoadBalancing QueueOnClient
# LoadBalancing QueueOnServers
# With the DefaultOptions directive one or more option settings can be
# defined to be applied to every print queue newly created by
# cups-browsed. Each option is supplied as one supplies options with
# the "-o" command line argument to the "lpadmin" command (Run "man
# lpadmin" for more details). More than one option can be supplied
# separating the options by spaces. By default no option settings are
# pre-defined.
# Note that print queues which cups-browsed already created before
# remember their previous settings and so these settings do not get
# applied.
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
# The AutoShutdown directive specifies whether cups-browsed should
# automatically terminate when it has no local raw queues set up
# pointing to any discovered remote printers or no jobs on such queues
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
# to "On" activates the auto-shutdown mode, setting it to "Off"
# deactiivates it (the default). The special mode "avahi" turns auto
# shutdown off while avahi-daemon is running and on when avahi-daemon
# stops. This allows running cups-browsed on-demand when avahi-daemon
# is run on-demand.
# AutoShutdown Off
# AutoShutdown On
# AutoShutdown avahi
# The AutoShutdownOn directive determines what event cups-browsed
# considers as inactivity in auto shutdown mode. "NoQueues" (the
# default) means that auto shutdown is initiated when there are no
# queues for discovered remote printers generated by cups-browsed any
# more. "NoJobs" means that all queues generated by cups-browsed are
# without jobs.
# AutoShutdownOn NoQueues
# AutoShutdownOn NoJobs
# The AutoShutdownTimeout directive specifies after how many seconds
# without local raw queues set up pointing to any discovered remote
# printers or jobs on these queues cups-browsed should actually shut
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
# shutdown.
# AutoShutdownTimeout 30

747
roles/common/templates/etc/cups/cups-browsed.conf.server.j2 Normal file
View File

@ -0,0 +1,747 @@
# {{ ansible_managed }}
# All configuration options described here can also be supplied on the
# command line of cups-browsed via the "-o" option. In case of
# contradicting settings the setting defined in the configuration file
# will get used.
# Unknown directives are ignored, also unknown values.
# Where should cups-browsed save information about the print queues it had
# generated when shutting down, like whether one of these queues was the
# default printer, or default option settings of the queues?
# CacheDir /var/cache/cups
# Where should cups-browsed create its debug log file (if "DebugLogging file"
# is set)?
# LogDir /var/log/cups
# How should debug logging be done? Into the file
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
# not at all ('none')?
# Note that if cups-browsed is running as a system service (for
# example via systemd) logging to stderr makes the log output going to
# the journal or syslog. Only if you run cups-browsed from the command
# line (for development or debugging) it will actually appear on
# stderr.
# DebugLogging file
# DebugLogging stderr
# DebugLogging file stderr
# DebugLogging none
# Which protocols will we use to discover printers on the network?
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
#BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols none
# Which protocols will we use to broadcast shared local printers to the network?
# Can use DNSSD and/or CUPS, or 'none' for neither.
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
# DNSSD in this directive).
# BrowseLocalProtocols none
BrowseLocalProtocols CUPS
# Settings of this directive apply to both BrowseRemoteProtocols and
# BrowseLocalProtocols.
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
# BrowseProtocols none
# Only browse remote printers (via DNS-SD or CUPS browsing) from
# selected servers using the "BrowseAllow", "BrowseDeny", and
# "BrowseOrder" directives
# This serves for restricting the choice of printers in print dialogs
# to trusted servers or to reduce the number of listed printers in the
# print dialogs to a more user-friendly amount in large networks with
# very many shared printers.
# This only filters the selection of remote printers for which
# cups-browsed creates local queues. If the print dialog uses other
# mechanisms to list remote printers as for example direct DNS-SD
# access, cups-browsed has no influence. cups-browsed also does not
# prevent the user from manually accessing non-listed printers.
# "BrowseAllow": Accept printers from these hosts or networks. If
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
# line are accepted.
# "BrowseDeny": Deny printers from these hosts or networks. If there
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
# "BrowseAllow" lines, all servers NOT matching any of the
# "BrowseDeny" lines are accepted.
# "BrowseOrder": Determine the order in which "BrowseAllow" and
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
# beginning all servers are accepted, then the "BrowseDeny" lines are
# applied to exclude unwished servers or networks and after that the
# "BrowseAllow" lines to re-include servers or networks. With
# "BrowseOrder Allow,Deny" we start with denying all servers, then
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
# lines.
# Default for "BrowseOrder" is "Deny.Allow" if there are both
# "BrowseAllow" and "BrowseDeny" lines.
# If there are no "Browse..." lines at all, all servers are accepted.
# BrowseAllow All
# BrowseAllow cups.example.com
# BrowseAllow 192.168.1.12
# BrowseAllow 192.168.1.0/24
# BrowseAllow 192.168.1.0/255.255.255.0
# BrowseDeny All
# BrowseDeny printserver.example.com
# BrowseDeny 192.168.1.13
# BrowseDeny 192.168.3.0/24
# BrowseDeny 192.168.3.0/255.255.255.0
# BrowseOrder Deny,Allow
# BrowseOrder Allow,Deny
# The interval between browsing/broadcasting cycles, local and/or
# remote, can be adjusted with the BrowseInterval directive.
# BrowseInterval 60
# Browsing-related operations such as adding or removing printer queues
# and broadcasting are each allowed to take up to a given amount of time.
# It can be configured, in seconds, with the BrowseTimeout directive.
# Especially queues discovered by CUPS broadcasts will be removed after
# this timeout if no further broadcast from the server happens.
# BrowseTimeout 300
# Filtering of remote printers by other properties than IP addresses
# of their servers
# Often the desired selection of printers cannot be reached by only
# taking into account the IP addresses of the servers. For these cases
# there is the BrowseFilter directive to filter by most of the known
# properties of the printer.
# By default there is no BrowseFilter line meaning that no filtering
# is applied.
# To do filtering one can supply one or more BrowseFilter directives
# like this:
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
# The BrowseFilter directive always starts with the word
# "BrowseFilter" and it must at least contain the name of the data
# field (<FIELD>) of the printer's properties to which it should
# apply.
# Available field names are:
# name: Name of the local print queue to be created
# host: Host name of the remote print server
# port: Port through which the printer is accessed on the server
# service: DNS/SD service name of the remote printer
# domain: Domain of the remote print server
# Also all field names in the TXT records of DNS-SD-advertised printers
# are valid, like "color", "duplex", "pdl", ... If the field name of
# the filter rule does not exist for the printer, the rule is skipped.
# The optional <VALUE> field is either the exact value (when the
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
# in a terminal window) to be matched with the data field.
# If no <VALUE> filed is supplied, rules with field names of the TXT
# record are considered for boolean matching (true/false) of boolean
# field (like duplex, which can have the values "T" for true and "F"
# for false).
# If the option NOT is supplied, the filter rule is fulfilled if the
# regular expression or the exact value DOES NOT match the content of
# the data field. In a boolean rule (without <VALUE>) the rule matches
# false.
# Regular expressions are always considered case-insensitive and
# extended POSIX regular expressions. Field names and options (NOT,
# EXACT) are all evaluated case-insensitive. If there is an error in a
# regular expression, the BrowseFilter line gets ignored.
# Especially to note is that supplying any simple string consisting of
# only letters, numbers, spaces, and some basic special characters as
# a regular expression matches if it is contained somewhere in the
# data field.
# If there is more than one BrowseFilter directive, ALL the directives
# need to be fulfilled for the remote printer to be accepted. If one
# is not fulfilled, the printer will get ignored.
# Examples:
# Rules for standard data items which are supplied with any remote
# printer advertised via DNS-SD:
# Print queue name must contain "hum_res_", this matches
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
# BrowseFilter name hum_res_
# This matches if the remote host name contains "printserver", like
# "printserver.local", "printserver2.example.com", "newprintserver":
# BrowseFilter host printserver
# This matches all ports with 631 int its number, for example 631,
# 8631, 10631,...:
# BrowseFilter port 631
# This rule matches if the DNS-SD service name contains "@ printserver":
# Browsefilter service @ printserver
# Matches all domains with "local" in their names, not only "local" but
# also things like "printlocally.com":
# BrowseFilter domain local
# Examples for rules applying to items of the TXT record:
# This rule selects PostScript printers, as the "PDL" field in the TXT
# record contains "postscript" then. This includes also remote CUPS
# queues which accept PostScript, independent of whether the physical
# printer behind the CUPS queue accepts PostScript or not.
# BrowseFilter pdl postscript
# Color printers usually contain a "Color" entry set to "T" (for true)
# in the TXT record. This rule selects them:
# BrowseFilter color
# This is a similar rule to select only duplex (automatic double-sided
# printing) printers:
# BrowseFilter duplex
# Rules with the NOT option:
# This rule EXCLUDES printers from all hosts containing "financial" in
# their names, nice to get rid of the 100s of printers of the
# financial department:
# BrowseFilter NOT host financial
# Get only monochrome printers ("Color" set to "F", meaning false, in
# the TXT record):
# BrowseFilter NOT color
# Rules with more advanced use of regular expressions:
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
# still get "hum_res_mono" or "hum_res_color" but not
# "old_hum_res_mono" any more:
# BrowseFilter name ^hum_res_
# Server names is accepted if it contains "print_server" OR
# "graphics_dep_server":
# BrowseFilter host print_server|graphics_dep_server
# "printserver1", "printserver2", and "printserver3", nothing else:
# BrowseFilter host ^printserver[1-3]$
# Printers understanding at least one of PostScript, PCL, or PDF:
# BrowseFilter pdl postscript|pcl|pdf
# Examples for the EXACT option:
# Only printers from "printserver.local" are accepted:
# BrowseFilter EXACT host printserver.local
# Printers from all servers except "prinserver2.local" are accepted:
# BrowseFilter NOT EXACT host prinserver2.local
# Use BrowsePoll to poll a particular CUPS server
# BrowsePoll cups.example.com
# BrowsePoll cups.example.com:631
# BrowsePoll cups.example.com:631/version=1.1
# LDAP browsing configuration
# The default value for all options is an empty string. Example configuration:
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
# BrowseLDAPCACertFile /path/to/server/certificate.pem
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
# BrowseLDAPFilter (printerLocation=/Office 1/*)
# BrowseLDAPPassword s3cret
# BrowseLDAPServer ldaps://ldap.domain.tld
# Use DomainSocket to access the local CUPS daemon via another than the
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
# domain socket.
# DomainSocket /var/run/cups/cups.sock
# DomainSocket None
# DomainSocket Off
# Set HTTP timeout (in seconds) for requests sent to local/remote
# resources Note that too short timeouts can make services getting
# missed when they are present and operations be unneccessarily
# repeated and too long timeouts can make operations take too long
# when the server does not respond.
# HttpLocalTimeout 5
# HttpRemoteTimeout 10
# Set how many retries (N) should cups-browsed do for creating print
# queues for remote printers which receive timeouts during print queue
# creation. The printers which are not successfuly set up even after
# N retries, are skipped until the next restart of the service. Note
# that too many retries can cause high CPU load.
# HttpMaxRetries 5
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
# local queues for remote printers for which CUPS creates queues by
# itself. These printers are printers advertised via DNS-SD and doing
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
# printing, including remote CUPS queues. Queues for other printers
# (like for legacy PostScript/PCL printers) are always created
# (depending on the other configuration settings of cups-browsed).
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
# for all printers which it supports, including printers for which
# CUPS would create queues by itself. Temporary queues created by CUPS
# will get overwritten. This way it is assured that any extra
# functionality of cups-browsed will apply to these queues. As queues
# created by cups-browsed are permanent CUPS queues this setting is
# also recommended if applications/print dialogs which do not support
# temporary CUPS queues are installed. This setting is the default.
# OnlyUnsupportedByCUPS Yes
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
# for IPP printers with PPDs generated by the PPD generator of CUPS
# and not with the one of cups-browsed. So any new development in
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
# directly accessible, we need to make CUPS generate a temporary print
# queue with the desired PPD. Therefore we can only use these PPDs
# when our queue replaces a temporary CUPS queue, meaning that the
# queue is for a printer on which CUPS supports driverless printing
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
# name is the same as CUPS uses for the temporary queue
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
# applies only to IPP printers, not to remote CUPS queues, to not
# break clustering. Setting this directive to "No" lets cups-browsed
# generate the PPD file. Default setting is "No".
# UseCUPSGeneratedPPDs No
# With the directives LocalQueueNamingRemoteCUPS and
# LocalQueueNamingIPPPrinter you can determine how the names for local
# queues generated by cups-browsed are generated, separately for
# remote CUPS printers and IPP printers.
# DNS-SD (the default in both cases) bases the naming on the service
# name of the printer's advertised DNS-SD record. This is exactly the
# same naming scheme as CUPS uses for its temporary queues, so the
# local queue from cups-browsed prevents CUPS from listing and
# creating an additional queue. As DNS-SD service names have to be
# unique, queue names of printers from different servers will also be
# unique and so there is no automatic clustering for load-balanced
# printing.
# MakeModel bases the queue name on the printer's manufacturer and
# model names. This scheme cups-browsed used formerly for IPP
# printers.
# RemoteName is only available for remote CUPS queues and uses the
# name of the queue on the remote CUPS server as the local queue's
# name. This makes printers on different CUPS servers with equal queue
# names automatically forming a load-balancing cluster as CUPS did
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
# printers. This scheme cups-browsed used formerly for remote CUPS
# printers.
# LocalQueueNamingRemoteCUPS DNS-SD
# LocalQueueNamingRemoteCUPS MakeModel
# LocalQueueNamingRemoteCUPS RemoteName
# LocalQueueNamingIPPPrinter DNS-SD
# LocalQueueNamingIPPPrinter MakeModel
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
# also does. These queues use the DNS-SD service name of the
# discovered printer. With this the URI is independent of network
# interfaces and ports, giving reliable connections to always the same
# physical device. This setting is the default.
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
# conventional host-name/IP-based URIs.
# Note that this option has only influence on URIs for printers
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
# Those printers get always assigned the conventional URIs.
# DNSSDBasedDeviceURIs Yes
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
# local queues with device URIs with the IP addresses instead of the
# host names of the remote servers. This mode is there for any
# problems with host name resolution in the network, especially also
# if avahi-daemon is only run for printer discovery and already
# stopped while still printing. By default this mode is turned off,
# meaning that we use URIs with host names.
# Note that the IP addresses depend on the network interface through
# which the printer is accessed. So do not use IP-based URIs on systems
# with many network interfaces and where interfaces can appear and
# disappear frequently.
# This mode could also be useful for development and debugging.
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
# IPBasedDeviceURIs No
# IPBasedDeviceURIs Yes
# IPBasedDeviceURIs IPv4
# IPBasedDeviceURIs IPv6
# The AllowResharingRemoteCUPSPrinters directive determines whether a
# print queue pointing to a remote CUPS queue will be re-shared to the
# local network or not. Since the queues generated using the BrowsePoll
# directive are also pointing to remote queues, they are also shared
# automatically if the following option is set. Default is not to share
# remote printers.
# AllowResharingRemoteCUPSPrinters Yes
# The NewBrowsePollQueuesShared directive determines whether a print
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
# will be shared to the local network or not. This directive will only work
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
# not to share printers discovered using BrowsePoll.
# NewBrowsePollQueuesShared Yes
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
# create local queues pointing to remote raw CUPS queues. Normally,
# only queues pointing to remote queues with PPD/driver are created
# as we do not use drivers on the client side, but in some cases
# accessing a remote raw queue can make sense, for example if the
# queue forwards the jobs by a special backend like Tea4CUPS.
# CreateRemoteRawPrinterQueues Yes
# cups-browsed by default creates local print queues for each shared
# CUPS print queue which it discovers on remote machines in the local
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
# want cups-browsed to do this. For example you can set cups-browsed
# to only create queues for IPP network printers setting
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
# to "No".
# CreateRemoteCUPSPrinterQueues No
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
# network printers (native printers, not CUPS queues) with known page
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
# 5c/e) in the local network and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
# discover IPP Everywhere printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
# discover Apple Raster printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
# discover printers designed for driverless use (currently IPP
# Everywhere and Apple Raster) in the local network (native printers,
# not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
# queues only for local printers made available as IPP printers. These
# are for example IPP-over-USB printers, made available via
# ippusbxd. This is the default.
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
# for IPP network printers.
# If queues with PPD file are created (see IPPPrinterQueueType
# directive below) the PPDs are auto-generated by cups-browsed based
# on properties of the printer polled via IPP. In case of missing
# information, info from the Bonjour record is used asd as last mean
# default values.
# If queues without PPD (see IPPPrinterQueueType directive below) are
# created clients have to IPP-poll the capabilities of the printer and
# send option settings as standard IPP attributes. Then we do not poll
# the capabilities by ourselves to not wake up the printer from
# power-saving mode when creating the queues. Jobs have to be sent in
# one of PDF, PWG Raster, or JPEG format. Other formats are not
# accepted.
# This functionality is primarily for mobile devices running
# CUPS to not need a printer setup tool nor a collection of printer
# drivers and PPDs.
# CreateIPPPrinterQueues No
# CreateIPPPrinterQueues LocalOnly
# CreateIPPPrinterQueues Everywhere
# CreateIPPPrinterQueues AppleRaster
# CreateIPPPrinterQueues Everywhere AppleRaster
# CreateIPPPrinterQueues Driverless
# CreateIPPPrinterQueues All
# If cups-browsed is automatically creating print queues for native
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
# queue to be created can be selected by the "IPPPrinterQueueType"
# directive. The "PPD" (default) setting makes queues with PPD file
# being created. With "Interface" or "NoPPD" the queue is created with
# a System V interface script (Not supported with CUPS 2.2.x or
# later). "Auto" is for backward compatibility and also lets queues
# with PPD get created.
# IPPPrinterQueueType PPD
# IPPPrinterQueueType NoPPD
# IPPPrinterQueueType Interface
# IPPPrinterQueueType Auto
# The NewIPPPrinterQueuesShared directive determines whether a print
# queue for a newly discovered IPP network printer (not remote CUPS
# queue) will be shared to the local network or not. This is only
# valid for newly discovered printers. For printers discovered in an
# earlier cups-browsed session, cups-browsed will remember whether the
# printer was shared, so changes by the user get conserved. Default is
# not to share newly discovered IPP printers.
# NewIPPPrinterQueuesShared Yes
# If there is more than one remote CUPS printer whose local queue
# would get the same name and AutoClustering is set to "Yes" (the
# default) only one local queue is created which makes up a
# load-balancing cluster of the remote printers which would get this
# queue name (implicit class). This means that when several jobs are
# sent to this queue they get distributed between the printers, using
# the method chosen by the LoadBalancing directive.
# Note that the forming of clusters depends on the naming scheme for
# local queues created by cups-browsed. If you have set
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
# clustering as the DNS-SD service names are always unique. With
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
# named as the CUPS queues on the remote servers are named and so
# equally named queues on different servers get clustered (this is how
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
# set to "MakeModel" makes remote printers of the same model get
# clustered. Note that then a cluster can contain more than one queue
# of the same server.
# With AutoClustering set to "No", for each remote CUPS printer an
# individual local queue is created, and to avoid name clashes when
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
# "MakeModel" "@<server name>" is added to the local queue name.
# Only remote CUPS printers get clustered, not IPP network printers or
# IPP-over-USB printers.
# AutoClustering Yes
# AutoClustering No
# Load-balancing printer cluster formation can also be manually
# controlled by defining explicitly which remote CUPS printers should
# get clustered together.
# This is done by the "Cluster" directive:
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
# Cluster <QUEUENAME>
# If no expressions are given, <QUEUENAME> is used as the first and
# only expression for this cluster.
# Discovered printers are matched against all the expressions of all
# defined clusters. The first expression which matches the discovered
# printer determines to which cluster it belongs. Note that this way a
# printer can only belong to one cluster. Once matched, further
# cluster definitions will not checked any more.
# With the first printer matching a cluster's expression a local queue
# with the name <QUEUENAME> is created. If more printers are
# discovered and match this cluster, they join the cluster. Printing
# to this queue prints to all these printers in a load-balancing
# manner, according to to the setting of the LoadBalancing directive.
# Each expression must be a string of characters without spaces. If
# spaces are needed, replace them by underscores ('_').
# An expression can be matched in three ways:
# 1. By the name of the CUPS queue on the remote server
# 2. By make and model name of the remote printer
# 3. By the DNS-SD service name of the remote printer
# Note that the matching is done case-insensitively and any group of
# non-alphanumerical characters is replaced by a single underscore.
# So if an expression is "HP_DeskJet_2540" and the remote server
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
# If "AutoClustering" is not set to "No" both your manual cluster
# definitions will be followed and automatic clustering of
# equally-named remote queues will be performed. If a printer matches
# in both categories the match to the manually defined cluster has
# priority. Automatic clustering of equally-named remote printers is
# not performed if there is a manually defined cluster with this name
# (at least as the printers do not match this cluster).
# Examples:
# To cluster all remote CUPS queues named "laserprinter" in your local
# network but not cluster any other equally-named remote CUPS printers
# use (Local queue will get named "laserprinter"):
# AutoClustering No
# Cluster laserprinter
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
# local queue named "LJ4050":
# Cluster LJ4050: HP_LaserJet_4050
# As DNS-SD service names are unique in a network you can create a
# cluster from exactly specified printers (spaces replaced by
# underscors):
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
# The LoadBalancing directive switches between two methods of handling
# load balancing between equally-named remote queues which are
# represented by one local print queue making up a cluster of them
# (implicit class).
# The two methods are:
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
# Here we queue up the jobs on the client and regularly check the
# clustered remote print queues. If we find an idle queue, we pass
# on a job to it.
# This is also the method which CUPS uses for classes. Advantage is a
# more even distribution of the job workload on the servers
# (especially if the printing speed of the servers is very different),
# and if a server fails, there are not several jobs stuck or
# lost. Disadvantage is that if one takes the client (laptop, mobile
# phone, ...) out of the local network, printing stops with the jobs
# waiting in the local queue.
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
# Here we check the number of jobs on each of the clustered remote
# printers and send an incoming job immediately to the remote printer
# with the lowest amount of jobs in its queue. This way no jobs queue
# up locally, all jobs which are waiting are waiting on one of the
# remote servers.
# Not having jobs waiting locally has the advantage that we can take
# the local machine from the network and all jobs get printed.
# Disadvantage is that if a server with a full queue of jobs goes
# away, the jobs go away, too.
# Default is queuing the jobs on the client as this is what CUPS does
# with classes.
# LoadBalancing QueueOnClient
# LoadBalancing QueueOnServers
# With the DefaultOptions directive one or more option settings can be
# defined to be applied to every print queue newly created by
# cups-browsed. Each option is supplied as one supplies options with
# the "-o" command line argument to the "lpadmin" command (Run "man
# lpadmin" for more details). More than one option can be supplied
# separating the options by spaces. By default no option settings are
# pre-defined.
# Note that print queues which cups-browsed already created before
# remember their previous settings and so these settings do not get
# applied.
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
# The AutoShutdown directive specifies whether cups-browsed should
# automatically terminate when it has no local raw queues set up
# pointing to any discovered remote printers or no jobs on such queues
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
# to "On" activates the auto-shutdown mode, setting it to "Off"
# deactiivates it (the default). The special mode "avahi" turns auto
# shutdown off while avahi-daemon is running and on when avahi-daemon
# stops. This allows running cups-browsed on-demand when avahi-daemon
# is run on-demand.
# AutoShutdown Off
# AutoShutdown On
# AutoShutdown avahi
# The AutoShutdownOn directive determines what event cups-browsed
# considers as inactivity in auto shutdown mode. "NoQueues" (the
# default) means that auto shutdown is initiated when there are no
# queues for discovered remote printers generated by cups-browsed any
# more. "NoJobs" means that all queues generated by cups-browsed are
# without jobs.
# AutoShutdownOn NoQueues
# AutoShutdownOn NoJobs
# The AutoShutdownTimeout directive specifies after how many seconds
# without local raw queues set up pointing to any discovered remote
# printers or jobs on these queues cups-browsed should actually shut
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
# shutdown.
# AutoShutdownTimeout 30

95
roles/common/templates/etc/cups/cups-files.conf.j2 Normal file
View File

@ -0,0 +1,95 @@
# {{ ansible_managed }}
#
# File/directory/user/group configuration file for the CUPS scheduler.
# See "man cups-files.conf" for a complete description of this file.
#
# List of events that are considered fatal errors for the scheduler...
#FatalErrors config
# Do we call fsync() after writing configuration or status files?
#SyncOnClose Yes
# Default user and group for filters/backends/helper programs; this cannot be
# any user or group that resolves to ID 0 for security reasons...
#User lp
#Group lp
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
# This cannot contain the Group value for security reasons...
SystemGroup lpadmin
# User that is substituted for unauthenticated (remote) root accesses...
#RemoteRoot remroot
# Do we allow file: device URIs other than to /dev/null?
#FileDevice No
# Permissions for configuration and log files...
#ConfigFilePerm 0640
#LogFilePerm 00640
# Location of the file logging all access to the scheduler; may be the name
# "syslog". If not an absolute path, the value of ServerRoot is used as the
# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
AccessLog /var/log/cups/access_log
# Location of cache files used by the scheduler...
#CacheDir /var/cache/cups
# Location of data files used by the scheduler...
#DataDir /usr/share/cups
# Location of the static web content served by the scheduler...
#DocumentRoot /usr/share/cups/doc-root
# Location of the file logging all messages produced by the scheduler and any
# helper programs; may be the name "syslog". If not an absolute path, the value
# of ServerRoot is used as the root directory. Also see the "LogLevel"
# directive in cupsd.conf.
ErrorLog /var/log/cups/error_log
# Location of fonts used by older print filters...
#FontPath /usr/share/cups/fonts
# Location of LPD configuration
#LPDConfigFile
# Location of the file logging all pages printed by the scheduler and any
# helper programs; may be the name "syslog". If not an absolute path, the value
# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
# directive in cupsd.conf.
PageLog /var/log/cups/page_log
# Location of the file listing all of the local printers...
#Printcap /run/cups/printcap
# Format of the Printcap file...
#PrintcapFormat bsd
#PrintcapFormat plist
#PrintcapFormat solaris
# Location of all spool files...
#RequestRoot /var/spool/cups
# Location of helper programs...
#ServerBin /usr/lib/cups
# SSL/TLS keychain for the scheduler...
#ServerKeychain ssl
# Location of other configuration files...
#ServerRoot /etc/cups
# Location of Samba configuration file...
#SMBConfigFile
# Location of scheduler state files...
#StateDir /run/cups
# Location of scheduler/helper temporary files. This directory is emptied on
# scheduler startup and cannot be one of the standard (public) temporary
# directory locations for security reasons...
#TempDir /var/spool/cups/tmp

307
roles/common/templates/etc/cups/cupsd.conf.client.j2 Normal file
View File

@ -0,0 +1,307 @@
# {{ ansible_managed }}
#
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Only listen for connections from the local machine.
#Listen localhost:631
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
ServerAlias *
HostNameLookups Off
## - Show shared printers on the local network.
Browsing Off
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to the admin pages...
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to log files...
<Location /admin/log>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the kerberized printer/job policies...
<Policy kerberos>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Negotiate
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>

307
roles/common/templates/etc/cups/cupsd.conf.server.j2 Normal file
View File

@ -0,0 +1,307 @@
# {{ ansible_managed }}
#
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Only listen for connections from the local machine.
#Listen localhost:631
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
ServerAlias *
HostNameLookups Off
# - Show shared printers on the local network.
Browsing On
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to the admin pages...
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to log files...
<Location /admin/log>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the kerberized printer/job policies...
<Policy kerberos>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Negotiate
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>

27
roles/common/templates/etc/default/pure-ftpd-common.j2 Normal file
View File

@ -0,0 +1,27 @@
# {{ ansible_managed }}
# Configuration for pure-ftpd
# (this file is sourced by /bin/sh, edit accordingly)
# STANDALONE_OR_INETD
# valid values are "standalone" and "inetd".
# Any change here overrides the setting in debconf.
STANDALONE_OR_INETD={{ pureftpd_global_config_mode }}
# VIRTUALCHROOT:
# whether to use binary with virtualchroot support
# valid values are "true" or "false"
# Any change here overrides the setting in debconf.
VIRTUALCHROOT={{ pureftpd_global_config_virtualchroot }}
# UPLOADSCRIPT: if this is set and the daemon is run in standalone mode,
# pure-uploadscript will also be run to spawn the program given below
# for handling uploads. see /usr/share/doc/pure-ftpd/README.gz or
# pure-uploadscript(8)
# example: UPLOADSCRIPT=/usr/local/sbin/uploadhandler.pl
UPLOADSCRIPT={{ pureftpd_global_config_uploadscript }}
# if set, pure-uploadscript will spawn running as the
# given uid and gid
UPLOADUID={{ pureftpd_global_config_uploaduid }}
UPLOADGID={{ pureftpd_global_config_uploadgid }}

2
roles/common/templates/etc/exports.j2
View File

@ -18,7 +18,7 @@
{% set count.nfs_exports = count.nfs_exports + 10 %}
{% for network in export.export_networks %}
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
{% if export.use_fsid_option is defined and export.use_fsid_option is sameas true %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
{% else %}

64
roles/common/templates/etc/ntp.conf.j2 Normal file
View File

@ -0,0 +1,64 @@
# {{ ansible_managed }}
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server {{ ntp_server }}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

2
roles/common/templates/etc/pure-ftpd/conf/config.j2 Normal file
View File

@ -0,0 +1,2 @@
# {{ ansible_managed }}
{{ item.value }}

778
roles/common/templates/etc/samba/smb.conf.j2
View File

@ -29,7 +29,7 @@
# Change this to the workgroup/NT-domain name your Samba server will part of
; workgroup = WORKGROUP
workgroup = MBR
workgroup = {{ samba_workgroup|default('WORKGROUP') }}
# Option 'netbios name' added to debian's default smb.conf
#
@ -41,7 +41,8 @@
# Note that the maximum length for a NetBIOS name is 15 characters.
#
# Default: netbios name = # machine DNS name
netbios name = FILE-MBR
; netbios name = FILE
netbios name = {{ samba_netbios_name|default('FILE') }}
#### Networking ####
@ -50,7 +51,7 @@
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
interfaces = 192.168.112.10/24 127.0.0.1/8
interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
hosts deny = 0.0.0.0/0
@ -254,6 +255,8 @@
#======================= Share Definitions =======================
# {{ ansible_managed }}
[homes]
comment = Home Directories
browseable = no
@ -298,35 +301,32 @@
; create mask = 0600
; directory mask = 0700
{% for item in samba_shares | default([]) %}
#============================ Shares ==============================
# {{ ansible_managed }}
[Arbeitsrechtliches]
comment = Arbeitsrechtliches
path = /data/shares/Arbeitsrechtliches
[{{ item.name }}]
comment = {{ item.name }}
path = {{ item.path }}
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
create mask = {{ item.file_create_mask | default('0660') }}
force create mode = {{ item.file_create_mask | default('0660') }}
directory mask = {{ item.dir_create_mask | default('2770') }}
force directory mode = {{ item.dir_create_mask | default('2770') }}
# can login into that share
valid users = @mbr-finanzen
valid users = @{{ item.group_valid_users }}
# allow to write
write list = @mbr-finanzen
force group = mbr-finanzen
write list = @{{ item.group_write_list }}
force group = +{{ item.group_write_list }}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
@ -335,714 +335,50 @@
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
recycle:directory_mode = 2770
[Arbeitsrechtliches-Trash]
comment = Papierkorb (Arbeitsrechtliches)
path = /data/shares/Arbeitsrechtliches/.Trash
browseable = yes
read only = yes
[Ausschreibungen]
comment = Ausschreibungen
path = /data/shares/Ausschreibungen
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-personal
# allow to write
write list = @mbr-personal
force group = mbr-personal
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Ausschreibungen-Trash]
comment = Papierkorb (Ausschreibungen)
path = /data/shares/Ausschreibungen/.Trash
browseable = yes
read only = yes
[BGN-Finanzen-Personal]
comment = BGN Finanzen Personal
path = /data/shares/BGN-Finanzen-Personal
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @bgn-finanzen-personal
# allow to write
write list = @bgn-finanzen-personal
force group = bgn-finanzen-personal
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[BGN-Finanzen-Personal-Trash]
comment = Papierkorb (BGN)
path = /data/shares/BGN-Finanzen-Personal/.Trash
browseable = yes
read only = yes
[BVV-Projekt]
comment = BVV-Projekt
path = /data/shares/BVV-Projekt
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[BVV-Projekt-Trash]
comment = Papierkorb (BVV-Projekt)
path = /data/shares/BVV-Projekt/.Trash
browseable = yes
read only = yes
[Cobra]
comment = Cobra
path = /data/shares/Cobra
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# - since version 4.9
# -
create mask = 0660
directory mask = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Cobra-Trash]
comment = Papierkorb (Cobra)
path = /data/shares/Cobra/.Trash
browseable = yes
read only = yes
[Finanzen]
comment = Finanzen
path = /data/shares/Finanzen
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-finanzen
# allow to write
write list = @mbr-finanzen
force group = mbr-finanzen
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Finanzen-Trash]
comment = Papierkorb (Finanzen)
path = /data/shares/Finanzen/.Trash
browseable = yes
read only = yes
[MBR]
comment = MBR
path = /data/shares/MBR
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[MBR-Trash]
comment = Papierkorb (MBR)
path = /data/shares/MBR/.Trash
browseable = yes
read only = yes
[Mobilisierungsplattform]
comment = Mobilisierungsplattform
path = /data/shares/Mobilisierungsplattform
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Mobilisierungsplattform-Trash]
comment = Papierkorb (Mobilisierungsplattform)
path = /data/shares/Mobilisierungsplattform/.Trash
browseable = yes
read only = yes
[Regishut]
comment = Regishut
path = /data/shares/Regishut
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @regishut
# allow to write
write list = @regishut
force group = regishut
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Regishut-Trash]
comment = Papierkorb (Regishut)
path = /data/shares/Regishut/.Trash
browseable = yes
read only = yes
[Regishut-Personal-Finanzen]
comment = Regishut
path = /data/shares/Regishut-Personal-Finanzen
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @regishut-personal-finanzen
# allow to write
write list = @regishut-personal-finanzen
force group = regishut-personal-finanzen
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[Regishut-Personal-Finanzen-Trash]
comment = Papierkorb (Regishut-Personal-Finanzen)
path = /data/shares/Regishut-Personal-Finanzen/.Trash
browseable = yes
read only = yes
[RIAS]
comment = RIAS
path = /data/shares/RIAS
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[RIAS-Trash]
comment = Papierkorb (RIAS)
path = /data/shares/RIAS/.Trash
browseable = yes
read only = yes
[RIAS-Finanzen-Personal]
comment = RIAS Finanzen Personal
path = /data/shares/RIAS-Finanzen-Personal
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @rias-finanzen-personal
# allow to write
write list = @rias-finanzen-personal
force group = rias-finanzen-personal
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[RIAS-Finanzen-Personal-Trash]
comment = Papierkorb (RIAS)
path = /data/shares/RIAS-Finanzen-Personal/.Trash
browseable = yes
read only = yes
[SCAN]
comment = SCAN
path = /data/shares/SCAN
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @scan
# allow to write
write list = @scan
force group = scan
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[SCAN-Trash]
comment = Papierkorb (SCAN)
path = /data/shares/SCAN/.Trash
browseable = yes
read only = yes
[VDK]
comment = VDK
path = /data/shares/VDK
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:maxsize = 10485760 # around 10MB
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = .Trash/%U
veto files = /.Trash/
[VDK-Trash]
comment = Papierkorb (VDK)
path = /data/shares/VDK/.Trash
browseable = yes
read only = yes
[Video]
comment = Video
path = /data/shares/Video
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-buero
# allow to write
write list = @mbr-buero
force group = mbr-buero
#vfs objects = recycle
#recycle:keeptree = yes
## touch access time from this file
## note: this is not the modified time, which is
## outdatet by ls-command
## so yo can delete files older then n day with the following command:
## find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
##
#recycle:touch = yes
#recycle:touch_mtime = no
#recycle:versions = yes
# - Dateien gößer als 10MB werden nicht
#recycle:maxsize = 10485760 # around 10MB
#recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
#recycle:excludedir = /tmp,/temp,/cache,.Trash
#recycle:repository = .Trash/%U
#veto files = /.Trash/
#[Video-Trash]
# comment = Papierkorb (Video)
# path = /data/shares/Video/.Trash
#
# browseable = yes
# read only = yes
# - Keine Begrenzung der Dateigröße.
recycle:maxsize = 0
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
[Kamera]
comment = Kamera
path = /data/shares/Kamera
# - This is a list of files and directories that are neither visible nor accessible.
# - Each entry in the list must be separated by a '/', which allows spaces to be
# - included in the entry. '*' and '?' can be used to specify multiple files or
# - directories as in DOS wildcards.
# -
veto files = /.Trash/
delete veto files = yes
{% endif %}
browseable = yes
read only = no
writeable = Yes
{% endfor %}
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# can login into that share
valid users = @mbr-kamera
# allow to write
write list = @mbr-kamera
force group = mbr-kamera
## ----------
[Backup-RO]
comment = Backup (altes System)
path = /data/shares/Backup-RO
readonly = yes
[Install]
comment = Install
path = /data/shares/Install
browseable = yes
read only = no
writeable = Yes
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
# can login into that share
valid users = @mbr-admins
# allow to write
write list = @mbr-admins
force group = mbr-admins
[printers]
comment = All Printers
path = /usr/local/samba/var/spool
browseable = Yes
read only = No
printable = Yes
[print$]
comment = Point and Print Printer Drivers
path = /usr/local/samba/var/print
read only = No
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin

0
roles/common/templates/etc/sudoers.d/50-user.j2 → roles/common/templates/etc/sudoers.d/50-user.j2.BAK
View File

34
roles/common/templates/etc/sudoers.d/50-user.pc.j2 Normal file
View File

@ -0,0 +1,34 @@
# {{ ansible_managed }}
{% for item in sudoers_pc_file_defaults | default([]) %}
Defaults {{ item }}
{% endfor %}
# Host alias specification
{% for item in sudoers_pc_file_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_pc_file_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_pc_file_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_pc_file_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{# rules for nis users #}
{% for item in nis_user | default([]) %}
{{ item.name }} ALL=(root)NOPASSWD: MOUNT
{% endfor %}
# Group privilege specification

53
roles/common/templates/etc/sudoers.d/50-user.server.j2 Normal file
View File

@ -0,0 +1,53 @@
# {{ ansible_managed }}
{% for item in sudoers_server_file_defaults | default([]) %}
Defaults {{ item }}
{% endfor %}
# Host alias specification
{% for item in sudoers_server_file_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_server_file_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_server_file_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_server_file_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{# rule for user 'back' #}
{% for item in sudoers_server_file_user_back_privileges | default([]) %}
back {{ item }}
{% endfor -%}
{%- if ansible_virtualization_role == 'host' %}
{% for item in sudoers_server_file_user_back_disk_privileges | default([]) %}
back {{ item }}
{% endfor %}
{% endif -%}
{# other (host specific) rules #}
{%- if (sudoers_server_file_user_privileges is defined and sudoers_server_file_user_privileges) %}
{% for item in sudoers_server_file_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
{% endif %}
# Group privilege specification
{% for item in sudoers_server_file_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor -%}

14
roles/common/templates/etc/sudoers.j2 → roles/common/templates/etc/sudoers.pc.j2
View File

@ -7,34 +7,34 @@
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_defaults %}
{% for item in sudoers_pc_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_host_aliases | default([]) %}
{% for item in sudoers_pc_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_user_aliases | default([]) %}
{% for item in sudoers_pc_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_cmnd_aliases | default([]) %}
{% for item in sudoers_pc_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_runas_aliases | default([]) %}
{% for item in sudoers_pc_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_user_privileges | default([]) %}
{% for item in sudoers_pc_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
@ -46,7 +46,7 @@ Runas_Alias {{ item.name }} = {{ item.entry }}
# Group privilege specification
{% for item in sudoers_group_privileges | default([]) %}
{% for item in sudoers_pc_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}

53
roles/common/templates/etc/sudoers.server.j2 Normal file
View File

@ -0,0 +1,53 @@
# {{ ansible_managed }}
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_server_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_server_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_server_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_server_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_server_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_server_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Group privilege specification
{% for item in sudoers_server_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

40
roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 Normal file
View File

@ -0,0 +1,40 @@
# {{ ansible_managed }}
# ------------------------------------
# - Settings for script clean_trash.sh
# ------------------------------------
# - days
# -
# - Files older then 'days' will be deleted.
# -
# - Defaults to: days=31
# -
#days=31
# - trash_dirs
# -
# - Directories where files older than given days will be deleted.
# -
# - Example:
# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
# -
#trash_dirs=""
{%- set count = namespace(trash_dirs=0) %}
{%- for item in samba_shares | default([]) %}
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
{% set count.trash_dirs = count.trash_dirs + 1 %}
{% endif %}
{% endfor %}
{% if count.trash_dirs > 0 %}
trash_dirs="
{% for item in samba_shares %}
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
{{ item.path }}/{{ item.recycle_path }}
{% endif %}
{% endfor %}
"
{% endif %}

33
roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 Normal file
View File

@ -0,0 +1,33 @@
# {{ ansible_managed }}
# -----------------------------------------------------
# - Settings for script set_permissions_samba_shares.sh
# -----------------------------------------------------
# - dir_permissions
# -
# - Recursive set Permissions (group and file- and directory-mode)
# -
# - Multiple options are possible. Use semicolon separated list.
# -
# - Usage:
# - dir_permissions="<directory>:<group>:<file-mod>:<dir-mod>;[<directory>:<group>:<file-mod>:<dir-mod>];[.."
# -
# - Example:
# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
# -
#dir_permissions=""
{%- set count = namespace(samba_shares=0) %}
{%- for item in samba_shares | default([]) %}
{% set count.samba_shares = count.samba_shares + 1 %}
{% endfor %}
{% if count.samba_shares > 0 %}
dir_permissions="
{% for item in samba_shares | default([]) %}
{{ item.path }}:{{ item.group_write_list }}:{{ item.file_create_mask | default('0660') }}:{{ item.dir_create_mask | default('2770') }};
{% endfor %}
"
{% endif %}

77
roles/common/templates/root/bin/wakeup_lan.sh.j2 Executable file
View File

@ -0,0 +1,77 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
declare -i pc_nr=101
pc_nr_max=131
brcast_ip="192.168.112.255"
pc101="80:ee:73:ea:3a:9d 80:ee:73:ea:3a:9e"
pc102="80:ee:73:ea:3a:e7 80:ee:73:ea:3a:e8"
pc103="80:ee:73:ea:3a:0b 80:ee:73:ea:3a:0c"
pc104="80:ee:73:ea:3b:73 80:ee:73:ea:3b:74"
pc105="80:ee:73:c5:e7:4f 80:ee:73:c5:e7:50"
pc106="20:25:64:0c:55:ca"
pc107="10:e7:c6:37:f7:35"
pc108="74:d4:35:8d:0d:8c"
pc109="80:ee:73:e2:20:8b 80:ee:73:e2:20:8c"
pc110="80:ee:73:c5:e6:5f 80:ee:73:c5:e6:60"
pc111="80:ee:73:b5:e4:50 80:ee:73:b5:e4:51"
pc112="f8:b4:6a:be:48:75"
pc113="20:25:64:0c:55:6b"
pc114="00:22:4d:88:4b:d0"
pc115="00:22:4d:88:4b:be"
pc116="80:ee:73:c9:91:d7 80:ee:73:c9:91:d8"
pc117="74:d4:35:be:a4:5a"
pc118="b0:0c:d1:54:ed:12"
pc121="80:ee:73:bd:ad:56 80:ee:73:bd:ad:57"
pc123="00:22:4d:88:4b:33"
pc124="80:ee:73:c0:7f:fb 80:ee:73:c0:7f:fc"
pc125="80:ee:73:b9:8e:9b 80:ee:73:b9:8e:9c"
pc126="80:ee:73:c5:e8:39 80:ee:73:c5:e8:3a"
pc127="a8:a1:59:0c:d5:eb"
pc128="a8:a1:59:0d:01:b9"
#pc129="a8:a1:59:0a:28:22"
pc129="a8:a1:59:06:12:b8"
#pc119="00:22:4d:88:4b:b2"
pc120="00:22:4d:88:48:c7"
pc122="00:22:4d:88:4b:dc"
#pc127="08:9e:01:35:10:55"
#pc128="80:ee:73:b5:e2:95"
pc131="80:ee:73:d9:de:32"
if [ $# = "1" ]; then
echo ""
echo -e " \033[32mWake up PC '$1'\033[m.."
_nic=`eval eval echo '$'$1`
if [[ -n "$_nic" ]]; then
for _mac in $_nic ; do
echo -n " "
wakeonlan -i $brcast_ip $_mac
sleep 1
done
else
echo -e " \033[1;31mPC '$1' NOT found!\033[m"
fi
echo ""
else
while [[ $pc_nr -le $pc_nr_max ]]; do
[[ -z "$pc_nr" ]] && continue
_nic=$(eval eval echo '$pc'$pc_nr)
if [[ -n "$_nic" ]]; then
echo ""
echo -e " \033[32mWake up PC 'pc$pc_nr'\033[m.."
for _mac in $_nic ; do
echo -n " "
/usr/bin/wakeonlan -i $brcast_ip $_mac
sleep 1
done
fi
(( pc_nr++ ))
done
echo ""
fi

36
roles/common/templates/user_homedirs/dot.profile.j2
View File

@ -1,36 +0,0 @@
# {{ ansible_managed }}
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
#. /usr/lib/mc/bin/mc.sh
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
export LANG="de_DE.utf8"

126
roles/common/templates/user_homedirs/dot.profile.j2.with_samba_mounts
View File

@ -1,126 +0,0 @@
# {{ ansible_managed }}
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# this is for the midnight-commander
# to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander
#
#. /usr/lib/mc/bin/mc.sh
#
if [ -f "/usr/share/mc/bin/mc.sh" ] ; then
source /usr/share/mc/bin/mc.sh
fi
export LANG="de_DE.utf8"
# ---
# Mmount samba shares
# ---
# Don't try to mount samba shares if login at samba server
#
[[ "$(hostname --long)" = "{{ samba_server }}" ]] && return
SERVER="{{ samba_server }}"
USER="{{ item.name }}"
PASSWORD='{{ item.password }}'
VERSION="1.0"
# Use NTLMv2 password hashing and force packet signing
#
# SEC="ntlmv2i"
#
# Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing
#
# SEC="ntlmsspi"
#
SEC="ntlmsspi"
# - uid/guid of the user at fielserver
# -
_UID="$(id -u)"
_GID="$(id -g)"
# Logfile to see what happened..
#
_logfile=/tmp/profile_${USER}.log
echo "" > $_logfile
echo "$(date +"%Y-%m-%d-%H%M")" >> $_logfile
# Network present
#
_network=false
if [ "X$_addr" = "X" ] ; then
echo "no inet address assigned yet.." >> $_logfile
declare -i count=1
while ! $_network && [[ $count -lt 5 ]] ; do
echo "sleeping 2 seconds.." >> $_logfile
sleep 2
_addr="$(hostname --ip-address)"
if [ "X$_addr" != "X" ] ; then
_network=true
echo "inet address present: $_addr" >> $_logfile
fi
((count++))
done
fi
for dir in $(ls /mnt/$USER) ; do
MOUNT_POINT=/mnt/$USER/$dir
SHARE=$dir
[ ! -d $MOUNT_POINT ] && continue
if ! mount | grep $MOUNT_POINT > /dev/null ; then
echo "Going to mount share '${SHARE}' .." >> $_logfile
if [ -x /usr/bin/smb4k_mount ]; then
## - Ubuntu <= 12.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,vers=1.0 \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /usr/bin/smb4k_mount -o user=$USER,password=$PASSWORD,iocharset=utf8,uid=$_UID,gid=$_GID,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
else
## - Ubuntu Version >= 14.04
if [[ "$VERSION" = "1.0" ]]; then
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
else
sudo /bin/mount -o user=$USER,password=$PASSWORD,iocharset=utf8,cifsacl,uid=$USER,sec=${SEC},vers=$VERSION \
-n -t cifs //$SERVER/$SHARE $MOUNT_POINT >> $_logfile 2>&1
fi
fi
else
echo "mount point $MOUNT_POINT already exists. nothing left to do.." >> $_logfile
fi
done