make sprachenatelier working..

roles/common/templates/etc/cups/cups-browsed.conf.server.j2

@@ -1,4 +1,3 @@
-# {{ ansible_managed }}
 
 # All configuration options described here can also be supplied on the
 # command line of cups-browsed via the "-o" option. In case of
@@ -312,7 +311,7 @@ BrowseLocalProtocols CUPS
 
 # Set HTTP timeout (in seconds) for requests sent to local/remote
 # resources Note that too short timeouts can make services getting
-# missed when they are present and operations be unneccessarily
+# missed when they are present and operations be unnecessarily
 # repeated and too long timeouts can make operations take too long
 # when the server does not respond.
 
@@ -321,7 +320,7 @@ BrowseLocalProtocols CUPS
 
 # Set how many retries (N) should cups-browsed do for creating print
 # queues for remote printers which receive timeouts during print queue
-# creation.  The printers which are not successfuly set up even after
+# creation.  The printers which are not successfully set up even after
 # N retries, are skipped until the next restart of the service.  Note
 # that too many retries can cause high CPU load.
 
@@ -556,6 +555,23 @@ BrowseLocalProtocols CUPS
 # NewIPPPrinterQueuesShared Yes
 
 
+# How to handle the print queues cups-browsed creates when
+# cups-browsed is shut down:
+
+# "KeepGeneratedQueuesOnShutdown No" makes the queues being
+# removed. This makes sense as these queues only work while
+# cups-browsed is running. cups-browsed has to determine to which
+# member printer of a cluster to pass on the job.
+
+# "KeepGeneratedQueuesOnShutdown Yes" (the default) makes the queues
+# not being removed. This is the recommended setting for a system
+# where cups-browsed is permanently running and only stopped for short
+# times (like log rotation) or on shutdown. This avoids the
+# re-creation of the queues when cups-browsed is restarted, which
+# often causes a clutter of CUPS notifications on the desktop.
+
+# KeepGeneratedQueuesOnShutdown No
+
 # If there is more than one remote CUPS printer whose local queue
 # would get the same name and AutoClustering is set to "Yes" (the
 # default) only one local queue is created which makes up a
@@ -651,7 +667,7 @@ BrowseLocalProtocols CUPS
 
 # As DNS-SD service names are unique in a network you can create a
 # cluster from exactly specified printers (spaces replaced by
-# underscors):
+# underscores):
 
 # Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
 
@@ -745,3 +761,11 @@ BrowseLocalProtocols CUPS
 # shutdown.
 
 # AutoShutdownTimeout 30
+
+# DebugLogFileSize defines the maximum size possible (in KBytes)
+# of the log files (cups-browsed_log and cups-browsed_previous_logs)
+# that is created using cups-browsed in the debugging mode.
+# Setting its value to 0 would turn off any restriction
+# on the size of the file.
+
+# DebugLogFileSize 300

roles/common/templates/etc/cups/cups-files.conf.j2

@@ -31,6 +31,10 @@ SystemGroup lpadmin
 #ConfigFilePerm 0640
 #LogFilePerm 00640
 
+< # Specifies the group name or ID that will be used for log files.
+< # The default group in Debian is "adm".
+< LogFileGroup adm
+
 # Location of the file logging all access to the scheduler; may be the name
 # "syslog". If not an absolute path, the value of ServerRoot is used as the
 # root directory.  Also see the "AccessLogLevel" directive in cupsd.conf.

roles/common/templates/etc/ssh/sshd_config.j2

@@ -83,7 +83,7 @@ MaxSessions {{ sshd_max_sessions }}
 #
 #UsePrivilegeSeparation sandbox
 {% else %}
-UsePrivilegeSeparation sandbox
+UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 {% endif %}
 
 # The server disconnects after this time if the user has not
@@ -202,48 +202,137 @@ UsePAM {{ sshd_use_pam }}
 # Cryptography
 #-----------------------------
 
-# Specifies the available KEX (Key Exchange) algorithms.
+# KexAlgorithms
+#
+# Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
+# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐
+# pended to the default set instead of replacing them.  If the specified value begins with a ‘-’ charac‐
+# ter, then the specified methods (including wildcards) will be removed from the default set instead of
+# replacing them.  The supported algorithms are:
+#
+#       curve25519-sha256
+#       curve25519-sha256@libssh.org
+#       diffie-hellman-group1-sha1
+#       diffie-hellman-group14-sha1
+#       diffie-hellman-group14-sha256
+#       diffie-hellman-group16-sha512
+#       diffie-hellman-group18-sha512
+#       diffie-hellman-group-exchange-sha1
+#       diffie-hellman-group-exchange-sha256
+#       ecdh-sha2-nistp256
+#       ecdh-sha2-nistp384
+#       ecdh-sha2-nistp521
+#
 # The default is:
-## curve25519-sha256@libssh.org,
-## ecdh-sha2-nistp256,
-## ecdh-sha2-nistp384,
-## ecdh-sha2-nistp521,
-## diffie-hellman-group-exchange-sha256,
-## diffie-hellman-group14-sha1.
+#
+#       curve25519-sha256,curve25519-sha256@libssh.org,
+#       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+#       diffie-hellman-group-exchange-sha256,
+#       diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+#       diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+#
+# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
+#
 {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
 KexAlgorithms {{ fact_sshd_kexalgorithms }}
 {% else %}
-#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 {% endif %}
 
-# Specifies the ciphers allowed for protocol version 2.
+# Ciphers
+#
+# Specifies the ciphers allowed.  Multiple ciphers must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐
+# ing them.  If the specified value begins with a ‘-’ character, then the specified ciphers (including
+# wildcards) will be removed from the default set instead of replacing them.
+#
+# The supported ciphers are:
+#
+#       3des-cbc
+#       aes128-cbc
+#       aes192-cbc
+#       aes256-cbc
+#       aes128-ctr
+#       aes192-ctr
+#       aes256-ctr
+#       aes128-gcm@openssh.com
+#       aes256-gcm@openssh.com
+#       chacha20-poly1305@openssh.com
+#
 # The default is:
-## aes128-ctr,
-## aes192-ctr,
-## aes256-ctr,
-## aes128-gcm@openssh.com,
-## aes256-gcm@openssh.com,
-## chacha20-poly1305@openssh.com.
+#
+#       chacha20-poly1305@openssh.com,
+#       aes128-ctr,aes192-ctr,aes256-ctr,
+#       aes128-gcm@openssh.com,aes256-gcm@openssh.com
+#
+# The list of available ciphers may also be obtained using "ssh -Q cipher".
+#
 {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
 Ciphers {{ fact_sshd_ciphers }}
 {% else %}
 #Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 {% endif %}
 
-# Specifies the available MAC (message authentication code) algorithms.
+# MACs
+#
+# Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used for
+# data integrity protection.  Multiple algorithms must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐
+# placing them.  If the specified value begins with a ‘-’ character, then the specified algorithms (in‐
+# cluding wildcards) will be removed from the default set instead of replacing them.
+#
+# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac).  These are
+# considered safer and their use recommended.  The supported MACs are:
+#
+#       hmac-md5
+#       hmac-md5-96
+#       hmac-sha1
+#       hmac-sha1-96
+#       hmac-sha2-256
+#       hmac-sha2-512
+#       umac-64@openssh.com
+#       umac-128@openssh.com
+#       hmac-md5-etm@openssh.com
+#       hmac-md5-96-etm@openssh.com
+#       hmac-sha1-etm@openssh.com
+#       hmac-sha1-96-etm@openssh.com
+#       hmac-sha2-256-etm@openssh.com
+#       hmac-sha2-512-etm@openssh.com
+#       umac-64-etm@openssh.com
+#       umac-128-etm@openssh.com
+#
 # The default is:
-## umac-64-etm@openssh.com,
-## umac-128-etm@openssh.com,
-## hmac-sha2-256-etm@openssh.com,
-## hmac-sha2-512-etm@openssh.com,
-## umac-64@openssh.com,
-## umac-128@openssh.com,
-## hmac-sha2-256,
-## hmac-sha2-512.
+#
+#       umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+#       hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+#       hmac-sha1-etm@openssh.com,
+#       umac-64@openssh.com,umac-128@openssh.com,
+#       hmac-sha2-256,hmac-sha2-512,hmac-sha1
+#
+# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
+#
 {% if (fact_sshd_macs is defined) and fact_sshd_macs %}
 MACs {{ fact_sshd_macs }}
 {% else %}
-#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1
+{% endif %}
+
+# HostKeyAlgorithms
+#
+# Specifies the host key algorithms that the server offers.  The default for this option is:
+#
+#    ecdsa-sha2-nistp256-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp384-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp521-cert-v01@openssh.com,
+#    ssh-ed25519-cert-v01@openssh.com,
+#    rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+#    ssh-rsa-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+#    ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+#
+# The list of available key types may also be obtained using "ssh -Q key".
+{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
+HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
 {% endif %}
 
 
@@ -290,7 +379,15 @@ AcceptEnv LANG LC_*
 
 # Configures an external subsystem (e.g. file transfer daemon).
 # By default no subsystems are defined.
+{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if sshd_config_sftp.found|int == 0 %}
 Subsystem sftp /usr/lib/openssh/sftp-server
+{% else %}
+#Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}
+{% else %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}
 
 # Specifies whether sshd(8) should look up the remote host name and check 
 # that the resolved host name for the remote IP address maps back to the 
@@ -326,6 +423,17 @@ TCPKeepAlive yes
 # The default is “yes”.
 PrintLastLog yes
 
+# Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
+# By default, sshd(8) binds remote port forwardings to the loopback address. This prevents
+# other remote hosts from connecting to forwarded ports.
+#
+# GatewayPorts can be used to specify that sshd should allow remote port forwardings to
+# bind to non-loopback addresses, thus allowing other hosts to connect.  The argument may be
+# no to force remote port forwardings to be available to the local host only, yes to force
+# remote port forwardings to bind to the wildcard address, or clientspecified to allow the
+# client to select the address to which the forwarding is bound.  The default is no.
+GatewayPorts {{ sshd_gateway_ports }}
+
 
 #-----------------------------
 # Kerberos options
@@ -343,7 +451,16 @@ PrintLastLog yes
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
+{% if ( create_sftp_group is defined) and create_sftp_group %}
 
+#-----------------------------
+# Match Blocks
+#-----------------------------
 
+Match group sftp_users
+  X11Forwarding no
+  AllowTcpForwarding no
+  ChrootDirectory %h
+  ForceCommand internal-sftp
 
-
+{% endif -%}