ansible/nis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

make sprachenatelier working..

Browse Source
This commit is contained in:
Christoph
2022-02-20 23:36:51 +01:00
parent 42c3774ca6
commit 1c57c66dca
87 changed files with 19196 additions and 1382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2 Executable file
View File

@ -0,0 +1,78 @@
#!/usr/bin/env bash
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
declare -i pc_nr=101
pc_nr_max=135
brcast_ip="192.168.112.255"
pc101="80:ee:73:ea:3a:9d 80:ee:73:ea:3a:9e"
pc102="80:ee:73:ea:3a:e7 80:ee:73:ea:3a:e8"
pc103="80:ee:73:ea:3a:0b 80:ee:73:ea:3a:0c"
pc104="80:ee:73:ea:3b:73 80:ee:73:ea:3b:74"
pc105="80:ee:73:c5:e7:4f 80:ee:73:c5:e7:50"
pc106="20:25:64:0c:55:ca"
pc107="10:e7:c6:37:f7:35"
pc108="74:d4:35:8d:0d:8c"
pc109="80:ee:73:e2:20:8b 80:ee:73:e2:20:8c"
pc110="80:ee:73:c5:e6:5f 80:ee:73:c5:e6:60"
pc111="80:ee:73:b5:e4:50 80:ee:73:b5:e4:51"
pc112="f8:b4:6a:be:48:75"
pc113="20:25:64:0c:55:6b"
pc114="00:22:4d:88:4b:d0"
pc115="00:22:4d:88:4b:be"
pc116="80:ee:73:c9:91:d7 80:ee:73:c9:91:d8"
pc117="74:d4:35:be:a4:5a"
pc118="b0:0c:d1:54:ed:12"
pc121="80:ee:73:bd:ad:56 80:ee:73:bd:ad:57"
pc123="00:22:4d:88:4b:33"
pc124="80:ee:73:c0:7f:fb 80:ee:73:c0:7f:fc"
pc125="80:ee:73:b9:8e:9b 80:ee:73:b9:8e:9c"
pc126="80:ee:73:c5:e8:39 80:ee:73:c5:e8:3a"
pc127="a8:a1:59:0c:d5:eb"
pc128="a8:a1:59:0d:01:b9"
#pc129="a8:a1:59:0a:28:22"
pc129="a8:a1:59:06:12:b8"
pc135="1c:69:7a:a3:e1:b3"
#pc119="00:22:4d:88:4b:b2"
pc120="00:22:4d:88:48:c7"
pc122="00:22:4d:88:4b:dc"
#pc127="08:9e:01:35:10:55"
#pc128="80:ee:73:b5:e2:95"
pc131="80:ee:73:d9:de:32"
if [ $# = "1" ]; then
echo ""
echo -e " \033[32mWake up PC '$1'\033[m.."
_nic=`eval eval echo '$'$1`
if [[ -n "$_nic" ]]; then
for _mac in $_nic ; do
echo -n " "
wakeonlan -i $brcast_ip $_mac
sleep 1
done
else
echo -e " \033[1;31mPC '$1' NOT found!\033[m"
fi
echo ""
else
while [[ $pc_nr -le $pc_nr_max ]]; do
[[ -z "$pc_nr" ]] && continue
_nic=$(eval eval echo '$pc'$pc_nr)
if [[ -n "$_nic" ]]; then
echo ""
echo -e " \033[32mWake up PC 'pc$pc_nr'\033[m.."
for _mac in $_nic ; do
echo -n " "
/usr/bin/wakeonlan -i $brcast_ip $_mac
sleep 1
done
fi
(( pc_nr++ ))
done
echo ""
fi

62
roles/common/files/sprachenatelier.netz/root/bin/wakeup_lan.sh Executable file
View File

@ -0,0 +1,62 @@
#!/usr/bin/env bash
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
cl101="80:ee:73:c5:e9:b9"
cl101_alt="70:71:bc:72:25:98"
cl102="80:ee:73:c5:d3:87"
cl103="80:ee:73:bb:da:93"
cl103_alt="70:71:bc:72:24:cc"
cl104="74:d4:35:ac:78:19"
cl105_alt="70:71:bc:72:25:93"
cl105="80:ee:73:c5:2c:97"
cl106_alt="70:71:bc:72:26:e4"
cl106="80:ee:73:c5:2d:8d"
cl107_alt="e0:69:95:45:71:4b"
cl107="80:ee:73:c5:2e:83"
cl108_alt="70:71:bc:72:25:85"
cl108="80:ee:73:d0:a3:30"
cl109="38:60:77:39:f2:49"
cl110="38:60:77:4e:34:fe"
if [ $# = "1" ]; then
_nic=`eval eval echo '$'$1`
wakeonlan $_nic
else
wakeonlan $cl101
sleep 2
wakeonlan $cl101_alt
sleep 2
wakeonlan $cl102
sleep 2
wakeonlan $cl103
sleep 2
wakeonlan $cl103_alt
sleep 2
wakeonlan $cl104
sleep 2
wakeonlan $cl105
sleep 2
wakeonlan $cl105_alt
sleep 2
wakeonlan $cl106
sleep 2
wakeonlan $cl106_alt
sleep 2
wakeonlan $cl107
sleep 2
wakeonlan $cl107_alt
sleep 2
wakeonlan $cl108
sleep 2
wakeonlan $cl108_alt
sleep 2
wakeonlan $cl109
sleep 2
wakeonlan $cl110
sleep 2
fi
exit 0

48
roles/common/tasks/cron.yml Normal file
View File

@ -0,0 +1,48 @@
---
- name: (cron.yml) Set env entries in user crontabs
cron:
name: '{{ item.name }}'
env: 'yes'
user: '{{ item.user | default("root", true) }}'
job: '{{ item.job }}'
insertafter: '{{ item.insertafter | default(omit) }}'
loop: "{{ cron_env_entries }}"
loop_control:
label: '{{ item.name }}'
when: item.job is defined
tags:
- user_crontab
- name: (cron.yml) Set special time entries in user crontabs
cron:
name: '{{ item.name }}'
special_time: '{{ item.special_time }}'
user: '{{ item.user | default("root", true) }}'
job: '{{ item.job }}'
state: present
loop: "{{ cron_user_special_time_entries }}"
loop_control:
label: '{{ item.name }}'
when: item.job is defined
tags:
- user_crontab
- name: (cron.yml) Set normal entries in user crontabs
cron:
name: '{{ item.name }}'
minute: '{{ item.minute | default(omit) }}'
hour: '{{ item.hour | default(omit) }}'
day: '{{ day | default(omit) }}'
weekday: '{{ item.weekday | default(omit) }}'
month: '{{ item.month | default(omit) }}'
user: '{{ item.user | default("root", true) }}'
job: '{{ item.job }}'
loop: "{{ cron_user_entries }}"
loop_control:
label: '{{ item.name }}'
when: item.job is defined
tags:
- user_crontab

4
roles/common/tasks/cups-install.yml
View File

@ -7,11 +7,10 @@
- name: (cups-install.yml) Ensure CUPS packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_cups_buster }}'
pkg: '{{ apt_install_server_cups }}'
state: present
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- cups-server
@ -25,6 +24,7 @@
pkg: "{{ apt_install_client_cups }}"
state: present
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
tags:

6
roles/common/tasks/main.yml
View File

@ -199,6 +199,12 @@
- sudoers
- import_tasks: cron.yml
tags:
- cron
# tags supported inside mount_samba_shares.yml:
#
#- import_tasks: mount_samba_shares.yml

18
roles/common/tasks/nis-user-systemfiles.yml
View File

@ -39,7 +39,7 @@
- name: (nis-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
@ -49,13 +49,13 @@
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
- lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (nis-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile.j2
src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/DEFAULT/_profile.j2') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
@ -94,7 +94,7 @@
- name: (nis-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
@ -104,13 +104,13 @@
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
- lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
src: "{{ 'files/' + nis_domain + '/homedirs/DEFAULT/_bashrc' }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
@ -145,7 +145,7 @@
- vimrc
- name: (nis-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
local_action: stat path={{ inventory_dir }}/files/{{ nis_domain }}/homedirs/{{ item.name }}/.vim
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
@ -153,7 +153,7 @@
- name: (nis-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
src: "{{ inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
@ -168,7 +168,7 @@
- name: (nis-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
src: "{{ 'files/' + nis_domain + '/homedirs/DEFAULT/_vimrc' }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"

2
roles/common/tasks/root-files-scripts.yml
View File

@ -12,7 +12,7 @@
- name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present
template:
src: "root/bin/wakeup_lan.sh.j2"
src: "{{ role_path + '/files/' + nis_domain + '/root/bin/wakeup_lan.sh' }}"
dest: /root/bin/wakeup_lan.sh
owner: root
group: root

122
roles/common/tasks/sshd.yml
View File

@ -1,5 +1,54 @@
---
# ---
# Set some facts
# ---
- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
set_fact:
fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
when:
- sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
tags:
- sshd-config
- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
set_fact:
fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
when:
- sshd_ciphers is defined and sshd_ciphers | length > 0
tags:
- sshd-config
- name: (sshd.yml) Set fact_sshd_macs
set_fact:
fact_sshd_macs: "{{ sshd_macs | join (',') }}"
when:
- sshd_macs is defined and sshd_macs | length > 0
tags:
- sshd-config
- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
set_fact:
fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
when:
- sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
tags:
- sshd-config
- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
set_fact:
fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
when:
- sshd_allowed_users is defined and sshd_allowed_users | length > 0
tags:
- sshd-config
# ---
# Create new sshd_config
# ---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
@ -24,6 +73,79 @@
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
when:
- ansible_facts['distribution'] == "Ubuntu"
tags:
- sshd-config
- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
notify: "Restart ssh"
when:
- create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] <= "10"
tags:
- sshd-config
- name: (sshd.yml) Create/Update sshd_config for chrooted sftp_group from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T -C user=sftp_users'
notify: "Restart ssh"
when:
- create_sftp_group is defined and create_sftp_group
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] <= "10"
tags:
- sshd-config
- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Subsystem\s+sftp(.+)$'
state: absent
check_mode: yes
changed_when: false
register: sshd_config_sftp
tags:
- sshd-config
- name: (sshd.yml) Ensure directory '/etc/ssh/sshd_config.d' exists
file:
path: /etc/ssh/sshd_config.d
state: directory
mode: 0755
group: root
owner: root
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] > "10"
tags:
- sshd-config
- name: (sshd.yml) Create/Update file '/etc/ssh/sshd_config.d/50-sshd-local.conf' from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config.d/50-sshd-local.conf
owner: root
group: root
mode: 0644
notify: "Restart ssh"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] > "10"
tags:
- sshd-config

9
roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml
View File

@ -36,8 +36,13 @@
src: lib/systemd/system/x11vnc.service.j2
dest: /lib/systemd/system/x11vnc.service
- name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service"
shell: service x11vnc start
# - name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service"
# shell: service x11vnc start
- name: (ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service
service:
name: x11vnc
state: started
- name: "(ubuntu-x11vnc-1604-amd64.yml) Enable x11vnc service on boot"
systemd:

32
roles/common/templates/etc/cups/cups-browsed.conf.server.j2
View File

@ -1,4 +1,3 @@
# {{ ansible_managed }}
# All configuration options described here can also be supplied on the
# command line of cups-browsed via the "-o" option. In case of
@ -312,7 +311,7 @@ BrowseLocalProtocols CUPS
# Set HTTP timeout (in seconds) for requests sent to local/remote
# resources Note that too short timeouts can make services getting
# missed when they are present and operations be unneccessarily
# missed when they are present and operations be unnecessarily
# repeated and too long timeouts can make operations take too long
# when the server does not respond.
@ -321,7 +320,7 @@ BrowseLocalProtocols CUPS
# Set how many retries (N) should cups-browsed do for creating print
# queues for remote printers which receive timeouts during print queue
# creation. The printers which are not successfuly set up even after
# creation. The printers which are not successfully set up even after
# N retries, are skipped until the next restart of the service. Note
# that too many retries can cause high CPU load.
@ -556,6 +555,23 @@ BrowseLocalProtocols CUPS
# NewIPPPrinterQueuesShared Yes
# How to handle the print queues cups-browsed creates when
# cups-browsed is shut down:
# "KeepGeneratedQueuesOnShutdown No" makes the queues being
# removed. This makes sense as these queues only work while
# cups-browsed is running. cups-browsed has to determine to which
# member printer of a cluster to pass on the job.
# "KeepGeneratedQueuesOnShutdown Yes" (the default) makes the queues
# not being removed. This is the recommended setting for a system
# where cups-browsed is permanently running and only stopped for short
# times (like log rotation) or on shutdown. This avoids the
# re-creation of the queues when cups-browsed is restarted, which
# often causes a clutter of CUPS notifications on the desktop.
# KeepGeneratedQueuesOnShutdown No
# If there is more than one remote CUPS printer whose local queue
# would get the same name and AutoClustering is set to "Yes" (the
# default) only one local queue is created which makes up a
@ -651,7 +667,7 @@ BrowseLocalProtocols CUPS
# As DNS-SD service names are unique in a network you can create a
# cluster from exactly specified printers (spaces replaced by
# underscors):
# underscores):
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
@ -745,3 +761,11 @@ BrowseLocalProtocols CUPS
# shutdown.
# AutoShutdownTimeout 30
# DebugLogFileSize defines the maximum size possible (in KBytes)
# of the log files (cups-browsed_log and cups-browsed_previous_logs)
# that is created using cups-browsed in the debugging mode.
# Setting its value to 0 would turn off any restriction
# on the size of the file.
# DebugLogFileSize 300

4
roles/common/templates/etc/cups/cups-files.conf.j2
View File

@ -31,6 +31,10 @@ SystemGroup lpadmin
#ConfigFilePerm 0640
#LogFilePerm 00640
< # Specifies the group name or ID that will be used for log files.
< # The default group in Debian is "adm".
< LogFileGroup adm
# Location of the file logging all access to the scheduler; may be the name
# "syslog". If not an absolute path, the value of ServerRoot is used as the
# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.

171
roles/common/templates/etc/ssh/sshd_config.j2
View File

@ -83,7 +83,7 @@ MaxSessions {{ sshd_max_sessions }}
#
#UsePrivilegeSeparation sandbox
{% else %}
UsePrivilegeSeparation sandbox
UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
{% endif %}
# The server disconnects after this time if the user has not
@ -202,48 +202,137 @@ UsePAM {{ sshd_use_pam }}
# Cryptography
#-----------------------------
# Specifies the available KEX (Key Exchange) algorithms.
# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
# Alternately if the specified value begins with a + character, then the specified methods will be ap
# pended to the default set instead of replacing them. If the specified value begins with a - charac
# ter, then the specified methods (including wildcards) will be removed from the default set instead of
# replacing them. The supported algorithms are:
#
# curve25519-sha256
# curve25519-sha256@libssh.org
# diffie-hellman-group1-sha1
# diffie-hellman-group14-sha1
# diffie-hellman-group14-sha256
# diffie-hellman-group16-sha512
# diffie-hellman-group18-sha512
# diffie-hellman-group-exchange-sha1
# diffie-hellman-group-exchange-sha256
# ecdh-sha2-nistp256
# ecdh-sha2-nistp384
# ecdh-sha2-nistp521
#
# The default is:
## curve25519-sha256@libssh.org,
## ecdh-sha2-nistp256,
## ecdh-sha2-nistp384,
## ecdh-sha2-nistp521,
## diffie-hellman-group-exchange-sha256,
## diffie-hellman-group14-sha1.
#
# curve25519-sha256,curve25519-sha256@libssh.org,
# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
# diffie-hellman-group-exchange-sha256,
# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
# diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
#
# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
#
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
{% endif %}
# Specifies the ciphers allowed for protocol version 2.
# Ciphers
#
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins
# with a + character, then the specified ciphers will be appended to the default set instead of replac
# ing them. If the specified value begins with a - character, then the specified ciphers (including
# wildcards) will be removed from the default set instead of replacing them.
#
# The supported ciphers are:
#
# 3des-cbc
# aes128-cbc
# aes192-cbc
# aes256-cbc
# aes128-ctr
# aes192-ctr
# aes256-ctr
# aes128-gcm@openssh.com
# aes256-gcm@openssh.com
# chacha20-poly1305@openssh.com
#
# The default is:
## aes128-ctr,
## aes192-ctr,
## aes256-ctr,
## aes128-gcm@openssh.com,
## aes256-gcm@openssh.com,
## chacha20-poly1305@openssh.com.
#
# chacha20-poly1305@openssh.com,
# aes128-ctr,aes192-ctr,aes256-ctr,
# aes128-gcm@openssh.com,aes256-gcm@openssh.com
#
# The list of available ciphers may also be obtained using "ssh -Q cipher".
#
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# Specifies the available MAC (message authentication code) algorithms.
# MACs
#
# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for
# data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins
# with a + character, then the specified algorithms will be appended to the default set instead of re
# placing them. If the specified value begins with a - character, then the specified algorithms (in
# cluding wildcards) will be removed from the default set instead of replacing them.
#
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are
# considered safer and their use recommended. The supported MACs are:
#
# hmac-md5
# hmac-md5-96
# hmac-sha1
# hmac-sha1-96
# hmac-sha2-256
# hmac-sha2-512
# umac-64@openssh.com
# umac-128@openssh.com
# hmac-md5-etm@openssh.com
# hmac-md5-96-etm@openssh.com
# hmac-sha1-etm@openssh.com
# hmac-sha1-96-etm@openssh.com
# hmac-sha2-256-etm@openssh.com
# hmac-sha2-512-etm@openssh.com
# umac-64-etm@openssh.com
# umac-128-etm@openssh.com
#
# The default is:
## umac-64-etm@openssh.com,
## umac-128-etm@openssh.com,
## hmac-sha2-256-etm@openssh.com,
## hmac-sha2-512-etm@openssh.com,
## umac-64@openssh.com,
## umac-128@openssh.com,
## hmac-sha2-256,
## hmac-sha2-512.
#
# umac-64-etm@openssh.com,umac-128-etm@openssh.com,
# hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
# hmac-sha1-etm@openssh.com,
# umac-64@openssh.com,umac-128@openssh.com,
# hmac-sha2-256,hmac-sha2-512,hmac-sha1
#
# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
#
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1
{% endif %}
# HostKeyAlgorithms
#
# Specifies the host key algorithms that the server offers. The default for this option is:
#
# ecdsa-sha2-nistp256-cert-v01@openssh.com,
# ecdsa-sha2-nistp384-cert-v01@openssh.com,
# ecdsa-sha2-nistp521-cert-v01@openssh.com,
# ssh-ed25519-cert-v01@openssh.com,
# rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
# ssh-rsa-cert-v01@openssh.com,
# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
# ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
#
# The list of available key types may also be obtained using "ssh -Q key".
{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
{% endif %}
@ -290,7 +379,15 @@ AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
{% if sshd_config_sftp.found|int == 0 %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% else %}
#Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
@ -326,6 +423,17 @@ TCPKeepAlive yes
# The default is “yes”.
PrintLastLog yes
# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
# other remote hosts from connecting to forwarded ports.
#
# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
# bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be
# no to force remote port forwardings to be available to the local host only, yes to force
# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
# client to select the address to which the forwarding is bound. The default is no.
GatewayPorts {{ sshd_gateway_ports }}
#-----------------------------
# Kerberos options
@ -343,7 +451,16 @@ PrintLastLog yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
{% if ( create_sftp_group is defined) and create_sftp_group %}
#-----------------------------
# Match Blocks
#-----------------------------
Match group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
{% endif -%}

94
roles/network_interfaces/README.md Normal file
View File

@ -0,0 +1,94 @@
based on:
https://github.com/dresden-weekly/ansible-network-interfaces (https://galaxy.ansible.com/dresden-weekly/network-interfaces/)
Example Playbook
----------------
```yml
- hosts: all
become: true
become_user: root
roles:
- role: dresden-weekly.network-interfaces
network_interfaces:
- device: eth0
description: just a description for humans to understand
auto: true
family: inet
method: static
address: 192.168.1.11
network: 192.168.1.0
netmask: 193.168.1.255
gateway: 192.168.1.1
mtu: 9000
metric: 1
nameservers:
- 8.8.8.8
- 8.8.4.4
subnets:
- 192.168.1.12/32
- device: eth1
description: simple dhcp client interface
auto: true
family: inet
method: dhcp
- device: wlan0
description: sample wlan interface using wpa_supplicant (note: does not install wpasupplicant)
auto: true
family: inet
method: dhcp
additional_options:
wpa-driver: nl80211
wpa-ssid: my-wifi
wpa-psk: password123
- device: eth0.123
description: sample vlan interface using eth0 and tagged for VLAN 123.
method: static
address: 1.2.3.4
netmask: 24
broadcast: 1.2.3.255
vlan:
raw-device: eth0
up:
- route add default gw 1.2.3.254
- device: eth2
description: First bonding device
auto: true
family: inet
method: manual
bond:
master: bond0
- device: eth3
description: Second bonding device
auto: true
family: inet
method: manual
bond:
master: bond0
- device: bond0
description: This bonding device only has one interface
allow:
- hotplug
family: inet
method: static
bond:
mode: 802.3ad
xmit-hash-policy: layer3+4
miimon: 100
slaves: eth2 eth3
address: 192.160.50.1
netmask: 255.255.255.0
dns_search: "localdomain"
up:
- ip route add 172.16.0.0/24 via 192.168.50.254 dev bond0
```

13
roles/network_interfaces/defaults/main.yml Normal file
View File

@ -0,0 +1,13 @@
---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: False
# Should the interfaces be reloaded after config change?
network_interface_reload: True
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown2

59
roles/network_interfaces/tasks/interfaces.yml Normal file
View File

@ -0,0 +1,59 @@
---
- name: (interfaces.yml) Check if file /etc/network/interfaces.ORIG exists
stat:
path: /etc/network/interfaces.ORIG
register: stat_result
tags:
- network-interfaces
- name: (interfaces.yml) Backup existing file '/etc/network/interfaces'
command: cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
when: stat_result.stat.exists == False
tags:
- network-interfaces
- name: (interfaces.yml) Ensure interfaces file is latest
template:
src: "etc/network/interfaces.j2"
dest: /etc/network/interfaces
with_items: network_interfaces
tags:
- network-interfaces
- name: (interfaces.yml) Ensure imported device files at interfaces.d are latest
template:
src: "etc/network/interfaces.d/device.j2"
dest: "{{ network_interface_path }}/device-{{ item.0 }}"
with_items:
- "{{network_interfaces | default([]) | groupby('device') }}"
register: network_configuration_result
tags:
- network-interfaces
# ---
# Remove device files not configured here
# ---
- name: (interfaces.yml) list existing files
find:
path: "{{ network_interface_path }}"
file_type: file
register: files_matched
tags:
- network-interfaces
- name: (interfaces.yml) configured files
set_fact:
network_configured_files: >
[{% for item in network_configuration_result.results | default([]) -%}
u"{{ item.dest | default(item.path) }}"
{{ '' if loop.last else ',' }}
{%- endfor %}]
- name: (interfaces.yml) remove configurations
file:
dest: "{{ item.path }}"
state: absent
when: item.path not in network_configured_files
with_items: "{{ files_matched.files | default([]) }}"

14
roles/network_interfaces/tasks/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- import_tasks: packages.yml
when: network_interfaces is defined and network_manage_devices|bool
tags:
- networking
- network_interfaces
- import_tasks: interfaces.yml
when: network_interfaces is defined and network_manage_devices|bool
tags:
- networking
- network_interfaces

15
roles/network_interfaces/tasks/packages.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: (packages.yml) Ensure basic networking tools are installed
apt:
pkg: "{{ network_interface_required_packages }}"
state: present
update_cache: yes
cache_valid_time: 86400
- name: Enable service systemd-resolved
ansible.builtin.systemd:
name: systemd-resolved
enabled: yes
masked: no

143
roles/network_interfaces/templates/etc/network/interfaces.d/device.j2 Normal file
View File

@ -0,0 +1,143 @@
{{ ansible_managed | comment }}
{# {% for config in network_interfaces %} #}
{% for config in item.1 %}
{% if config.headline is defined and config.headline %}
#-----------------------------
# {{ config.headline }}
#-----------------------------
{% endif %}
{# {% if config.auto is defined and config.auto is sameas true %} #}
{% if config.auto | default(loop.first) %}
auto {{ config.device }}
{% endif %}
{% for stanza in config.allow | default([]) %}
allow-{{ stanza }}
{% endfor -%}
iface {{ config.device }} {{ config.family | default('inet', true) }} {{ config.method | default('static', true) }}
{% if config.method == "static" %}
{% if (config.description is defined and config.description) %}
description {{ config.description }}
{% endif %}
{% if config.hwaddress is defined and config.hwaddress %}
hwaddress {{ config.hwaddress }}
{% endif %}
{% if (config.address is defined) and (0 < config.address | length) %}
{% if config.netmask is defined %}
address {{ config.address }}/{{ config.netmask }}
{% else %}
address {{ config.address }}
{% endif -%}
{% endif -%}
{% set iface_keys = ['gateway', 'metric', 'pointopoint', 'media', 'mtu', 'scope'] %}
{% for key in iface_keys %}
{% if key in config and config[key] %}
{{ key }} {{ config[key] }}
{% endif %}
{% endfor -%}
{% elif config.method == "dhcp" %}
{% set iface_keys = ['hwaddress', 'hostname', 'metric', 'leasehours', 'vendor', 'client' ] %}
{% for key in iface_keys %}
{% if key in config and config[key] %}
{{ key }} {{ config[key] }}
{% endif %}
{% endfor -%}
{% elif config.method == "ppp" %}
{% if (config.provider is defined and config.provider) %}
provider {{ config.provider }}
{% endif %}
{% elif config.method == "wvdial" %}
{% if (config.provider is defined and config.provider) %}
provider {{ config.provider }}
{% endif %}
{% elif config.method == "bootp" %}
{% set iface_keys = ['hwaddr', 'bootfile', 'server'] %}
{% for key in iface_keys %}
{% if key in config and config[key] %}
{{ key }} {{ config[key] }}
{% endif %}
{% endfor -%}
{% endif %}
{# #}
{# subnets #}
{%- if (config.subnets is defined) and (0 < config.subnets | length) %}
# additional subnets
{% for subnet in config.subnets %}
up /sbin/ip addr add {{ subnet }} dev {{ config.device }}
down /sbin/ip addr del {{ subnet }} dev {{ config.device }}
{% endfor %}
{% endif -%}
{# #}
{# bridge settings #}
{%- if config['bridge'] is defined %}
# bridge settings
{% for key in config.bridge %}
bridge_{{ key }} {{ config.bridge[key] }}
{% endfor %}
{% endif -%}
{# #}
{# bond parameters #}
{% set bond_keys = ['master', 'primary', 'slaves', 'mode', 'miimon', 'lacp-rate', 'ad-select', 'downdelay', 'updelay'] %}
{%- if (config.bond is defined) and (bond_keys | intersect(config.bond.keys())) %}
# bond parameters
{% for key in bond_keys %}
{% if key in config.bond %}
bond-{{ key }} {{ config.bond[key] }}
{% endif %}
{% endfor %}
{% endif -%}
{# #}
{# nameservers #}
{%- if (config.nameservers is defined and config.nameservers) or (config.search is defined and config.search) %}
# dns-* options are implemented by the resolvconf package, if installed
# sets entries in /etc/resolv.conf
#
{% endif -%}
{% if config.search is defined and config.search %}
dns-search {{ config.search }}
{% endif -%}
{%- if (config.nameservers is defined) and config.nameservers %}
{% for _ip in config.nameservers %}
dns-nameservers {{ _ip }}
{% endfor %}
{% endif %}
{%- if (config.nameservers is defined and config.nameservers) or (config.search is defined and config.search) %}
{% endif -%}
{# #}
{# vlan #}
{% set vlan_keys = ['raw-device'] %}
{%- if (config.vlan is defined) and (vlan_keys | intersect(config.vlan.keys())) -%}
# vlan
{% for key in vlan_keys %}
{% if key in config.vlan %}
vlan-{{ key }} {{ config.vlan[key] }}
{% endif %}
{% endfor %}
{# #}
{% endif -%}
{# #}
{# hook scripts #}
{% set hook_keys = ['pre-up', 'up', 'post-up', 'pre-down', 'down', 'post-down'] %}
{%- if hook_keys | intersect(config.keys()) %}
# hook scripts
{% for key in hook_keys %}
{% if key in config %}
{% for value in config[key] %}
{{ key }} {{ value }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}

24
roles/network_interfaces/templates/etc/network/interfaces.j2 Normal file
View File

@ -0,0 +1,24 @@
{{ ansible_managed | comment }}
source /etc/network/interfaces.d/*
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
{% if network_interfaces_additional_loopback_ip_v4|d() %}
{% for ip in network_interfaces_additional_loopback_ip_v4 %}
up /sbin/ip addr add {{ ip }} dev lo
down /sbin/ip addr del {{ ip }} dev lo
{% endfor %}
{% endif -%}
iface lo inet6 loopback
{% if network_interfaces_additional_loopback_ip_v6|d() %}
{% for ip in network_interfaces_additional_loopback_ip_v6 %}
up /sbin/ip addr add {{ ip }} dev lo
down /sbin/ip addr del {{ ip }} dev lo
{% endfor %}
{% endif %}