make sprachenatelier working..

2022-02-20 23:36:51 +01:00
parent 42c3774ca6
commit 1c57c66dca
87 changed files with 19196 additions and 1382 deletions
--- a/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2
+++ b/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2
@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+declare -i pc_nr=101
+pc_nr_max=135
+brcast_ip="192.168.112.255"
+
+pc101="80:ee:73:ea:3a:9d 80:ee:73:ea:3a:9e"
+pc102="80:ee:73:ea:3a:e7 80:ee:73:ea:3a:e8"
+pc103="80:ee:73:ea:3a:0b 80:ee:73:ea:3a:0c"
+pc104="80:ee:73:ea:3b:73 80:ee:73:ea:3b:74"
+pc105="80:ee:73:c5:e7:4f 80:ee:73:c5:e7:50"
+pc106="20:25:64:0c:55:ca"
+pc107="10:e7:c6:37:f7:35"
+pc108="74:d4:35:8d:0d:8c"
+pc109="80:ee:73:e2:20:8b 80:ee:73:e2:20:8c"
+pc110="80:ee:73:c5:e6:5f 80:ee:73:c5:e6:60"
+pc111="80:ee:73:b5:e4:50 80:ee:73:b5:e4:51"
+pc112="f8:b4:6a:be:48:75"
+pc113="20:25:64:0c:55:6b"
+pc114="00:22:4d:88:4b:d0"
+pc115="00:22:4d:88:4b:be"
+pc116="80:ee:73:c9:91:d7 80:ee:73:c9:91:d8"
+pc117="74:d4:35:be:a4:5a"
+pc118="b0:0c:d1:54:ed:12"
+
+
+pc121="80:ee:73:bd:ad:56 80:ee:73:bd:ad:57"
+pc123="00:22:4d:88:4b:33"
+pc124="80:ee:73:c0:7f:fb 80:ee:73:c0:7f:fc"
+pc125="80:ee:73:b9:8e:9b 80:ee:73:b9:8e:9c"
+pc126="80:ee:73:c5:e8:39 80:ee:73:c5:e8:3a"
+pc127="a8:a1:59:0c:d5:eb"
+pc128="a8:a1:59:0d:01:b9"
+#pc129="a8:a1:59:0a:28:22"
+pc129="a8:a1:59:06:12:b8"
+
+pc135="1c:69:7a:a3:e1:b3"
+
+#pc119="00:22:4d:88:4b:b2"
+pc120="00:22:4d:88:48:c7"
+pc122="00:22:4d:88:4b:dc"
+#pc127="08:9e:01:35:10:55"
+#pc128="80:ee:73:b5:e2:95"
+pc131="80:ee:73:d9:de:32"
+
+if [ $# = "1" ]; then
+   echo ""
+   echo -e "   \033[32mWake up PC '$1'\033[m.."
+   _nic=`eval eval echo  '$'$1`
+   if [[ -n "$_nic" ]]; then
+      for _mac in $_nic ; do
+         echo -n "   "
+         wakeonlan -i $brcast_ip $_mac
+         sleep 1
+      done
+   else
+      echo -e "   \033[1;31mPC '$1' NOT found!\033[m"
+   fi
+   echo ""
+else
+   while [[ $pc_nr -le $pc_nr_max ]]; do
+      [[ -z "$pc_nr" ]] && continue
+      _nic=$(eval eval echo '$pc'$pc_nr)
+      if [[ -n "$_nic" ]]; then
+         echo ""
+         echo -e "   \033[32mWake up PC 'pc$pc_nr'\033[m.."
+         for _mac in $_nic ; do
+            echo -n "   "
+            /usr/bin/wakeonlan -i $brcast_ip $_mac
+            sleep 1
+         done
+      fi
+      (( pc_nr++ ))
+   done
+   echo ""
+fi
--- a/roles/common/files/sprachenatelier.netz/root/bin/wakeup_lan.sh
+++ b/roles/common/files/sprachenatelier.netz/root/bin/wakeup_lan.sh
@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+cl101="80:ee:73:c5:e9:b9"
+cl101_alt="70:71:bc:72:25:98"
+cl102="80:ee:73:c5:d3:87"
+cl103="80:ee:73:bb:da:93"
+cl103_alt="70:71:bc:72:24:cc"
+cl104="74:d4:35:ac:78:19"
+cl105_alt="70:71:bc:72:25:93"
+cl105="80:ee:73:c5:2c:97"
+cl106_alt="70:71:bc:72:26:e4"
+cl106="80:ee:73:c5:2d:8d"
+cl107_alt="e0:69:95:45:71:4b"
+cl107="80:ee:73:c5:2e:83"
+cl108_alt="70:71:bc:72:25:85"
+cl108="80:ee:73:d0:a3:30"
+cl109="38:60:77:39:f2:49"
+cl110="38:60:77:4e:34:fe"
+
+if [ $# = "1" ]; then
+   _nic=`eval eval echo  '$'$1`
+   wakeonlan $_nic
+else
+   wakeonlan $cl101
+   sleep 2
+   wakeonlan $cl101_alt
+   sleep 2
+   wakeonlan $cl102
+   sleep 2
+   wakeonlan $cl103
+   sleep 2
+   wakeonlan $cl103_alt
+   sleep 2
+   wakeonlan $cl104
+   sleep 2
+   wakeonlan $cl105
+   sleep 2
+   wakeonlan $cl105_alt
+   sleep 2
+   wakeonlan $cl106
+   sleep 2
+   wakeonlan $cl106_alt
+   sleep 2
+   wakeonlan $cl107
+   sleep 2
+   wakeonlan $cl107_alt
+   sleep 2
+   wakeonlan $cl108
+   sleep 2
+   wakeonlan $cl108_alt
+   sleep 2
+   wakeonlan $cl109
+   sleep 2
+   wakeonlan $cl110
+   sleep 2
+fi
+
+
+exit 0
+
--- a/roles/common/tasks/cron.yml
+++ b/roles/common/tasks/cron.yml
@ -0,0 +1,48 @@
+---
+
+- name: (cron.yml) Set env entries in user crontabs
+  cron:
+    name: '{{ item.name }}'
+    env: 'yes'
+    user: '{{ item.user | default("root", true) }}'
+    job: '{{ item.job }}'
+    insertafter: '{{ item.insertafter | default(omit) }}'
+  loop: "{{ cron_env_entries }}"
+  loop_control:
+    label: '{{ item.name }}'
+  when: item.job is defined
+  tags:
+    - user_crontab
+
+
+- name: (cron.yml) Set special time entries in user crontabs
+  cron:
+    name: '{{ item.name }}'
+    special_time: '{{ item.special_time }}'
+    user: '{{ item.user | default("root", true) }}'
+    job: '{{ item.job }}'
+    state: present
+  loop: "{{ cron_user_special_time_entries }}"
+  loop_control:
+    label: '{{ item.name }}'
+  when: item.job is defined
+  tags:
+    - user_crontab
+
+
+- name: (cron.yml) Set normal entries in user crontabs
+  cron:
+    name: '{{ item.name }}'
+    minute: '{{ item.minute | default(omit) }}'
+    hour: '{{ item.hour | default(omit) }}'
+    day: '{{ day | default(omit) }}'
+    weekday: '{{ item.weekday | default(omit) }}'
+    month: '{{ item.month | default(omit) }}'
+    user: '{{ item.user | default("root", true) }}'
+    job: '{{ item.job }}'
+  loop: "{{ cron_user_entries }}"
+  loop_control:
+    label: '{{ item.name }}'
+  when: item.job is defined
+  tags:
+    - user_crontab
--- a/roles/common/tasks/cups-install.yml
+++ b/roles/common/tasks/cups-install.yml
@ -7,11 +7,10 @@

 - name: (cups-install.yml) Ensure CUPS packages server (buster) are installed.
  package:
-    pkg: '{{ apt_install_server_cups_buster }}'
+    pkg: '{{ apt_install_server_cups }}'
    state: present
  when:
    - ansible_facts['distribution'] == "Debian"
-    - ansible_facts['distribution_major_version'] == "10"
  tags:
    - cups-server

@ -25,6 +24,7 @@
    pkg: "{{ apt_install_client_cups }}"
    state: present
  when: 
+    - ansible_facts['distribution'] == "Ubuntu"
    - ansible_distribution_version ==  "18.04"
    - ansible_architecture == "x86_64"
  tags:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -199,6 +199,12 @@
    - sudoers


+- import_tasks: cron.yml
+  tags:
+    - cron
+
+
+
 # tags supported inside mount_samba_shares.yml:
 #
 #- import_tasks: mount_samba_shares.yml
--- a/roles/common/tasks/nis-user-systemfiles.yml
+++ b/roles/common/tasks/nis-user-systemfiles.yml
@ -39,7 +39,7 @@

 - name: (nis-user-systemfiles.yml) copy .profile if it exists
  copy:
-    src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
+    src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_profile') }}"
    dest: "~{{ item.item.name }}/.profile"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
@ -49,13 +49,13 @@
    label: '{{ item.item.name }}'
  when:
    - item.stat.exists
-    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
+    - lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_profile')
  tags:
    - profile

 - name: (nis-user-systemfiles.yml) copy default .profile if it exists
  template:
-    src: files/homedirs/DEFAULT/_profile.j2
+    src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/DEFAULT/_profile.j2') }}"
    dest: "~{{ item.item.name }}/.profile"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
@ -94,7 +94,7 @@

 - name: (nis-user-systemfiles.yml) copy .bashrc if it exists
  copy:
-    src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
+    src: "{{ lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_bashrc') }}"
    dest: "~{{ item.item.name }}/.bashrc"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
@ -104,13 +104,13 @@
    label: '{{ item.item.name }}'
  when:
    - item.stat.exists
-    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
+    - lookup('fileglob', inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/_bashrc')
  tags:
    - bashrc

 - name: (nis-user-systemfiles.yml) copy default .bashrc if it exists
  copy:
-    src: files/homedirs/DEFAULT/_bashrc
+    src: "{{ 'files/' + nis_domain + '/homedirs/DEFAULT/_bashrc' }}"
    dest: "~{{ item.item.name }}/.bashrc"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
@ -145,7 +145,7 @@
    - vimrc

 - name: (nis-user-systemfiles.yml) Check if .vim directory exists for default users
-  local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
+  local_action: stat path={{ inventory_dir }}/files/{{ nis_domain }}/homedirs/{{ item.name }}/.vim
  with_items: "{{ nis_user }}"
  loop_control:
    label: '{{ item.name }}'
@ -153,7 +153,7 @@

 - name: (nis-user-systemfiles.yml) copy .vim directory if it exists
  copy:
-    src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
+    src: "{{ inventory_dir + '/files/' + nis_domain + '/homedirs/' + item.item.name + '/.vim' }}"
    dest: "~{{ item.item.name }}"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
@ -168,7 +168,7 @@

 - name: (nis-user-systemfiles.yml) copy default .vimrc if it exists
  copy:
-    src: files/homedirs/DEFAULT/_vimrc
+    src: "{{ 'files/' + nis_domain + '/homedirs/DEFAULT/_vimrc' }}"
    dest: "~{{ item.item.name }}/.vimrc"
    owner: "{{ item.item.name }}"
    group: "{{ item.item.name }}"
--- a/roles/common/tasks/root-files-scripts.yml
+++ b/roles/common/tasks/root-files-scripts.yml
@ -12,7 +12,7 @@

 - name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present
  template:
-    src: "root/bin/wakeup_lan.sh.j2"
+    src: "{{ role_path + '/files/' + nis_domain + '/root/bin/wakeup_lan.sh' }}"
    dest: /root/bin/wakeup_lan.sh
    owner: root
    group: root
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -1,5 +1,54 @@
 ---

+
+# ---
+# Set some facts
+# ---
+
+- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
+  set_fact:
+    fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
+  when:
+    - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
+  set_fact:
+    fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
+  when:
+    - sshd_ciphers is defined and sshd_ciphers | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_macs 
+  set_fact:
+    fact_sshd_macs: "{{ sshd_macs | join (',') }}"
+  when:
+    - sshd_macs is defined and sshd_macs | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
+  set_fact:
+    fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
+  when:
+    - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
+  set_fact:
+    fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
+  when:
+    - sshd_allowed_users is defined and sshd_allowed_users | length > 0
+  tags:
+    - sshd-config
+
+# ---
+# Create new sshd_config
+# ---
+
 - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
  stat:
    path: /etc/ssh/sshd_config.ORIG
@ -24,6 +73,79 @@
    validate: 'sshd -f %s -T'
    #backup: yes
  notify: "Restart ssh"
+  when:
+    - ansible_facts['distribution'] == "Ubuntu"
  tags:
    - sshd-config

+
+- name: (sshd.yml) Create/Update new sshd_config from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: 'sshd -f %s -T'
+  notify: "Restart ssh"
+  when:
+    - create_sftp_group is undefined or create_sftp_group is defined and not create_sftp_group
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] <= "10"
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Create/Update sshd_config for chrooted sftp_group from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: 'sshd -f %s -T -C user=sftp_users'
+  notify: "Restart ssh"
+  when:
+    - create_sftp_group is defined and create_sftp_group
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] <= "10"
+  tags:
+    - sshd-config
+
+
+- name: (sshd.yml) Check if sshd_config contains activ parameter 'Subsystem sftp'..
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^Subsystem\s+sftp(.+)$'
+    state: absent
+  check_mode: yes
+  changed_when: false
+  register: sshd_config_sftp
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Ensure directory '/etc/ssh/sshd_config.d' exists
+  file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] > "10"
+  tags:
+    - sshd-config
+
+- name: (sshd.yml) Create/Update file '/etc/ssh/sshd_config.d/50-sshd-local.conf' from template sshd_config.j2
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/50-sshd-local.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: "Restart ssh"
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] > "10"
+  tags:
+    - sshd-config
--- a/roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml
+++ b/roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml
@ -36,8 +36,13 @@
      src: lib/systemd/system/x11vnc.service.j2
      dest: /lib/systemd/system/x11vnc.service

-  - name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service"
-    shell: service x11vnc start
+#  - name: "(ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service"
+#    shell: service x11vnc start
+
+  - name: (ubuntu-x11vnc-1604-amd64.yml) Start x11vnc service
+    service:
+      name: x11vnc
+      state: started

  - name: "(ubuntu-x11vnc-1604-amd64.yml) Enable x11vnc service on boot"
    systemd:
--- a/roles/common/templates/etc/cups/cups-browsed.conf.server.j2
+++ b/roles/common/templates/etc/cups/cups-browsed.conf.server.j2
@ -1,4 +1,3 @@
-# {{ ansible_managed }}

 # All configuration options described here can also be supplied on the
 # command line of cups-browsed via the "-o" option. In case of
@ -312,7 +311,7 @@ BrowseLocalProtocols CUPS

 # Set HTTP timeout (in seconds) for requests sent to local/remote
 # resources Note that too short timeouts can make services getting
-# missed when they are present and operations be unneccessarily
+# missed when they are present and operations be unnecessarily
 # repeated and too long timeouts can make operations take too long
 # when the server does not respond.

@ -321,7 +320,7 @@ BrowseLocalProtocols CUPS

 # Set how many retries (N) should cups-browsed do for creating print
 # queues for remote printers which receive timeouts during print queue
-# creation.  The printers which are not successfuly set up even after
+# creation.  The printers which are not successfully set up even after
 # N retries, are skipped until the next restart of the service.  Note
 # that too many retries can cause high CPU load.

@ -556,6 +555,23 @@ BrowseLocalProtocols CUPS
 # NewIPPPrinterQueuesShared Yes


+# How to handle the print queues cups-browsed creates when
+# cups-browsed is shut down:
+
+# "KeepGeneratedQueuesOnShutdown No" makes the queues being
+# removed. This makes sense as these queues only work while
+# cups-browsed is running. cups-browsed has to determine to which
+# member printer of a cluster to pass on the job.
+
+# "KeepGeneratedQueuesOnShutdown Yes" (the default) makes the queues
+# not being removed. This is the recommended setting for a system
+# where cups-browsed is permanently running and only stopped for short
+# times (like log rotation) or on shutdown. This avoids the
+# re-creation of the queues when cups-browsed is restarted, which
+# often causes a clutter of CUPS notifications on the desktop.
+
+# KeepGeneratedQueuesOnShutdown No
+
 # If there is more than one remote CUPS printer whose local queue
 # would get the same name and AutoClustering is set to "Yes" (the
 # default) only one local queue is created which makes up a
@ -651,7 +667,7 @@ BrowseLocalProtocols CUPS

 # As DNS-SD service names are unique in a network you can create a
 # cluster from exactly specified printers (spaces replaced by
-# underscors):
+# underscores):

 # Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2

@ -745,3 +761,11 @@ BrowseLocalProtocols CUPS
 # shutdown.

 # AutoShutdownTimeout 30
+
+# DebugLogFileSize defines the maximum size possible (in KBytes)
+# of the log files (cups-browsed_log and cups-browsed_previous_logs)
+# that is created using cups-browsed in the debugging mode.
+# Setting its value to 0 would turn off any restriction
+# on the size of the file.
+
+# DebugLogFileSize 300
--- a/roles/common/templates/etc/cups/cups-files.conf.j2
+++ b/roles/common/templates/etc/cups/cups-files.conf.j2
@ -31,6 +31,10 @@ SystemGroup lpadmin
 #ConfigFilePerm 0640
 #LogFilePerm 00640

+< # Specifies the group name or ID that will be used for log files.
+< # The default group in Debian is "adm".
+< LogFileGroup adm
+
 # Location of the file logging all access to the scheduler; may be the name
 # "syslog". If not an absolute path, the value of ServerRoot is used as the
 # root directory.  Also see the "AccessLogLevel" directive in cupsd.conf.
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -83,7 +83,7 @@ MaxSessions {{ sshd_max_sessions }}
 #
 #UsePrivilegeSeparation sandbox
 {% else %}
-UsePrivilegeSeparation sandbox
+UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 {% endif %}

 # The server disconnects after this time if the user has not
@ -202,48 +202,137 @@ UsePAM {{ sshd_use_pam }}
 # Cryptography
 #-----------------------------

-# Specifies the available KEX (Key Exchange) algorithms.
+# KexAlgorithms
+#
+# Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
+# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐
+# pended to the default set instead of replacing them.  If the specified value begins with a ‘-’ charac‐
+# ter, then the specified methods (including wildcards) will be removed from the default set instead of
+# replacing them.  The supported algorithms are:
+#
+#       curve25519-sha256
+#       curve25519-sha256@libssh.org
+#       diffie-hellman-group1-sha1
+#       diffie-hellman-group14-sha1
+#       diffie-hellman-group14-sha256
+#       diffie-hellman-group16-sha512
+#       diffie-hellman-group18-sha512
+#       diffie-hellman-group-exchange-sha1
+#       diffie-hellman-group-exchange-sha256
+#       ecdh-sha2-nistp256
+#       ecdh-sha2-nistp384
+#       ecdh-sha2-nistp521
+#
 # The default is:
-## curve25519-sha256@libssh.org,
-## ecdh-sha2-nistp256,
-## ecdh-sha2-nistp384,
-## ecdh-sha2-nistp521,
-## diffie-hellman-group-exchange-sha256,
-## diffie-hellman-group14-sha1.
+#
+#       curve25519-sha256,curve25519-sha256@libssh.org,
+#       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+#       diffie-hellman-group-exchange-sha256,
+#       diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+#       diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+#
+# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
+#
 {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
 KexAlgorithms {{ fact_sshd_kexalgorithms }}
 {% else %}
-#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 {% endif %}

-# Specifies the ciphers allowed for protocol version 2.
+# Ciphers
+#
+# Specifies the ciphers allowed.  Multiple ciphers must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐
+# ing them.  If the specified value begins with a ‘-’ character, then the specified ciphers (including
+# wildcards) will be removed from the default set instead of replacing them.
+#
+# The supported ciphers are:
+#
+#       3des-cbc
+#       aes128-cbc
+#       aes192-cbc
+#       aes256-cbc
+#       aes128-ctr
+#       aes192-ctr
+#       aes256-ctr
+#       aes128-gcm@openssh.com
+#       aes256-gcm@openssh.com
+#       chacha20-poly1305@openssh.com
+#
 # The default is:
-## aes128-ctr,
-## aes192-ctr,
-## aes256-ctr,
-## aes128-gcm@openssh.com,
-## aes256-gcm@openssh.com,
-## chacha20-poly1305@openssh.com.
+#
+#       chacha20-poly1305@openssh.com,
+#       aes128-ctr,aes192-ctr,aes256-ctr,
+#       aes128-gcm@openssh.com,aes256-gcm@openssh.com
+#
+# The list of available ciphers may also be obtained using "ssh -Q cipher".
+#
 {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
 Ciphers {{ fact_sshd_ciphers }}
 {% else %}
 #Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 {% endif %}

-# Specifies the available MAC (message authentication code) algorithms.
+# MACs
+#
+# Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used for
+# data integrity protection.  Multiple algorithms must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐
+# placing them.  If the specified value begins with a ‘-’ character, then the specified algorithms (in‐
+# cluding wildcards) will be removed from the default set instead of replacing them.
+#
+# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac).  These are
+# considered safer and their use recommended.  The supported MACs are:
+#
+#       hmac-md5
+#       hmac-md5-96
+#       hmac-sha1
+#       hmac-sha1-96
+#       hmac-sha2-256
+#       hmac-sha2-512
+#       umac-64@openssh.com
+#       umac-128@openssh.com
+#       hmac-md5-etm@openssh.com
+#       hmac-md5-96-etm@openssh.com
+#       hmac-sha1-etm@openssh.com
+#       hmac-sha1-96-etm@openssh.com
+#       hmac-sha2-256-etm@openssh.com
+#       hmac-sha2-512-etm@openssh.com
+#       umac-64-etm@openssh.com
+#       umac-128-etm@openssh.com
+#
 # The default is:
-## umac-64-etm@openssh.com,
-## umac-128-etm@openssh.com,
-## hmac-sha2-256-etm@openssh.com,
-## hmac-sha2-512-etm@openssh.com,
-## umac-64@openssh.com,
-## umac-128@openssh.com,
-## hmac-sha2-256,
-## hmac-sha2-512.
+#
+#       umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+#       hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+#       hmac-sha1-etm@openssh.com,
+#       umac-64@openssh.com,umac-128@openssh.com,
+#       hmac-sha2-256,hmac-sha2-512,hmac-sha1
+#
+# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
+#
 {% if (fact_sshd_macs is defined) and fact_sshd_macs %}
 MACs {{ fact_sshd_macs }}
 {% else %}
-#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1
+{% endif %}
+
+# HostKeyAlgorithms
+#
+# Specifies the host key algorithms that the server offers.  The default for this option is:
+#
+#    ecdsa-sha2-nistp256-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp384-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp521-cert-v01@openssh.com,
+#    ssh-ed25519-cert-v01@openssh.com,
+#    rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+#    ssh-rsa-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+#    ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+#
+# The list of available key types may also be obtained using "ssh -Q key".
+{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
+HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
 {% endif %}


@ -290,7 +379,15 @@ AcceptEnv LANG LC_*

 # Configures an external subsystem (e.g. file transfer daemon).
 # By default no subsystems are defined.
+{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if sshd_config_sftp.found|int == 0 %}
 Subsystem sftp /usr/lib/openssh/sftp-server
+{% else %}
+#Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}
+{% else %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}

 # Specifies whether sshd(8) should look up the remote host name and check 
 # that the resolved host name for the remote IP address maps back to the 
@ -326,6 +423,17 @@ TCPKeepAlive yes
 # The default is “yes”.
 PrintLastLog yes

+# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
+# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
+# other remote hosts from connecting to forwarded ports.
+#
+# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
+# bind to non-loopback addresses, thus allowing other hosts to connect.  The argument may be
+# no to force remote port forwardings to be available to the local host only, yes to force
+# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
+# client to select the address to which the forwarding is bound.  The default is no.
+GatewayPorts {{ sshd_gateway_ports }}
+

 #-----------------------------
 # Kerberos options
@ -343,7 +451,16 @@ PrintLastLog yes
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes

+{% if ( create_sftp_group is defined) and create_sftp_group %}

+#-----------------------------
+# Match Blocks
+#-----------------------------

+Match group sftp_users
+  X11Forwarding no
+  AllowTcpForwarding no
+  ChrootDirectory %h
+  ForceCommand internal-sftp

-
+{% endif -%}