diff --git a/ansible_user.yml b/ansible_user.yml deleted file mode 100644 index dbf4c48..0000000 --- a/ansible_user.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -# Intended to be run once for every new server to secure the ssh connection allowing the team access -# with their public keys. This script will lock itself out from every server it is run on. -# Further playbooks are intended to be run by logging in as one of the created users. -# It also ensures python2 is installed as it's necessary for the modules used in this playbook at -# the time of this writing. - -# The used login data depends on the used server provider. In most cases the ansible_user will be -# root, but we can't safely assume anything. -# The following line is an example for securing a new vagrant maching, after running `vagrant up`: -# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key' -# For real providers it could look like: -# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa' -# If you don't have a ssh-key on the server and the server expects password authentication use: -# ansible-playbook first_run.yml -i hosts -u root --ask-pass - -- hosts: all - roles: - - ansible_user diff --git a/group_vars/mbr.yml b/group_vars/mbr.yml new file mode 100644 index 0000000..0bed7ba --- /dev/null +++ b/group_vars/mbr.yml 
@@ -0,0 +1,1423 @@ +--- + +# ========== +# vars used by roles/common/tasks/basic.yml +# ========== + + +# ========== +# vars used by roles/common/tasks/sshd.yml +# ========== + +sshd_permit_root_login: !!str "prohibit-password" + + +# ========== +# vars used by roles/common/tasks/apt.yml +# ========== + + +# ========== +# vars used by roles/common/tasks/git.yml +# ========== + + +# ========== +# vars used by roles/common/tasks/ntp.yml +# ========== + +# name or ip-adress from the (local) ntp server, mostly the gateway +# +ntp_server: gw-mbr.mbr-bln.netz + + +# ========== +# vars used by roles/common/tasks/nfs.yml +# ========== + +nfs_server: 192.168.112.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +nfs_exports: + - src: 192.168.112.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + - src: 192.168.112.10:/data/shares + path: /data/shares + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.112.0/24 + - 10.0.112.0/24 + - 10.1.112.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + +# ========== +# vars used by roles/common/tasks/system-user.yml +# ========== + +# ! Notice ! +# +# On NIS supported Server put your users and groups in the +# appropriate section for playbook 'nis-user.yml' +# +# ! Notice ! 
+ +remove_system_users: [] +#remove_system_users: +# - name: test +# - name: jennifer.prost + +system_users: [] +#system_users: +# - name: sysadm +# password: '9xFXkdPR_2' + +system_groups: [] + +base_home: /home + + +# ========== +# vars used by roles/common/tasks/nis-install-server.yml +# vars used by roles/common/tasks/nis-user.yml +# vars used by roles/common/tasks/nis-install-client.yml +# ========== + +# used by templates +# - yp.conf.j2 +# - defaultdomain.j2 +nis_domain: mbr-bln.netz + +# also used by template +# - yp.conf.j2 +nis_server_address: 192.168.112.10 + +nis_server_name: file-mbr.mbr-bln.netz + +nis_base_home: /data/home + +nis_groups: + - name: mbr-buero + group_id: 1200 + - name: mbr-finanzen + group_id: 1210 + - name: mbr-personal + group_id: 1220 + - name: mbr-kamera + group_id: 1250 + - name: mbr-admins + group_id: 1260 + - name: vdk + group_id: 1300 + - name: rias + group_id: 1400 + - name: rias-finanzen-personal + group_id: 1410 + - name: bgn + group_id: 1500 + - name: bgn-finanzen-personal + group_id: 1510 + - name: regishut + group_id: 1600 + - name: regishut-personal-finanzen + group_id: 1610 + - name: buero-scan + group_id: 1700 + - name: bmb + group_id: 1800 + - name: all-users + group_id: 1900 + +remove_nis_users: [] +#remove_nis_users: +# - name: test +# - name: jennifer.prost + +nis_user: + + - name: chris + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + - bmb + is_samba_user: true + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 35653838343532663632326462656437363665316337316336316335383263633630616638313736 + 3937666561356232666136646435613361336437303637360a353561316633373265323931623565 + 32643966373962313334343565643130373535353238316161623837333130353231343332663930 + 
3638386337333636390a393738373935646638383237373663376434366361363938346335663438 + 6637 + + - name: lokaladmin + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + - bmb + is_samba_user: true + password: 'd4r1usz' + + - name: sysadm + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + - bmb + is_samba_user: true + password: 'KPk_Wf2F' + + - name: alexander.lorenz.milord + groups: + - all-users + - regishut + - buero-scan + is_samba_user: true + password: 'R3GI_20_poliz_!' + + - name: alexander.rasumny + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'twT9Rjbv9mjq' + + - name: alexander.steder + groups: + - all-users + - regishut + - regishut-personal-finanzen + - buero-scan + is_samba_user: true + password: 'SHUT_20_s3nc3!' + + - name: anna.mueller1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '5xp5ll9ar13us!' 
+ + - name: anne + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + - buero-scan + is_samba_user: true + password: 'YA!LiLiC0MP5' + + - name: axis + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '20_axis_16' + + - name: benjamin + groups: + - all-users + - mbr-buero + - vdk + - rias + - rias-finanzen-personal + - buero-scan + is_samba_user: true + password: 'C2-0U#ch' + + - name: bianca + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - mbr-kamera + - mbr-admins + - vdk + - rias + - rias-finanzen-personal + - bgn + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + - bmb + is_samba_user: true + password: '73_BiBole_29' + + - name: bianca.loy + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'ctnrk3CczcJ9' + + - name: birgit.erhardt + groups: + - all-users + - mbr-buero + - mbr-finanzen + - vdk + - buero-scan + is_samba_user: true + password: '20_purpel!rain_17' + + - name: bjoern.renkewitz + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'Tz9-Wq-51' + + - name: christina.wendt + groups: + - all-users + - mbr-buero + - mbr-personal + - mbr-finanzen + - vdk + - rias-finanzen-personal + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + is_samba_user: true + password: '8!Varianten' + + - name: daniel.poensgen + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'rcMRCm7jcpbp' + + - name: doku.mbr2 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '*M0ss4d*' + + - name: doku.mbr4 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'PwmNvPh9KM4T' + + - name: doku.mbr5 + groups: + - all-users + - mbr-buero + - buero-scan + 
is_samba_user: true + password: 'G6Hz.ev/e24E' + + - name: dora.streibl + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '6jA,nmD,fdK!' + + - name: dorina.feldmann + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '17?4XPQ_!abc' + + - name: felix.mueller + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'U_i5zAR5H+ti' + + - name: franz.mohorn + groups: + - buero-scan + is_samba_user: true + + password: 'Kq5/b.4uWZIV' + - name: frederick.kannenberg + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'riasFK2019!#' + + - name: hamid.mohseni + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'TFhCW9J4Vn4F' + + - name: honorar.mbr1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '_F313r4b3nd*' + + - name: honorar.mbr2 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'kQviLU-4rA_2' + + - name: honorar.rias1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '6jA,nmD,fdK!' + + - name: isabella.greif + groups: + - mbr-buero + - buero-scan + is_samba_user: true + password: '5zv-Bo2.Cio9' + + - name: isabell.wiesner + groups: + - all-users + - mbr-buero + - mbr-finanzen + - vdk + - rias-finanzen-personal + - bgn-finanzen-personal + - regishut + - regishut-personal-finanzen + - buero-scan + is_samba_user: true + password: 'XY_bunt_2020!' + + - name: jennifer.pross + groups: + - all-users + - bmb + is_samba_user: true + password: 'V-S9Y/R+Am7H' + + - name: janine.budich + groups: + - all-users + - mbr-buero + - mbr-finanzen + - mbr-personal + - buero-scan + is_samba_user: true + password: 'LoS_r3f_20_AS!' + + - name: johannes.radke + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'Furzf4brik!' 
+ - name: judith.heinmueller + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 't32_aHxV.' + + - name: julia.kopp + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '-a2%3bTzkW.A' + + - name: kerstin.kuballa + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'sVY2_2t+a+db' + + - name: lavinia.schwedersky + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'xJw.3R9vKf/N' + + - name: lena.mahler + groups: + - all-users + - mbr-buero + - bgn + - bgn-finanzen-personal + - buero-scan + is_samba_user: true + password: 'YZ_bgn_2020!' + + - name: linda.giesel + groups: + - all-users + - buero-scan + - regishut + - regishut-personal-finanzen + is_samba_user: true + password: 'SHUT_20_s3nc3!' + + - name: manja.kasten + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'Rasili_&n' + + - name: marc.schwietring + groups: + - all-users + - mbr-buero + - buero-scan + - regishut + - regishut-personal-finanzen + is_samba_user: true + password: '69UnNr-g.ZuQ' + + - name: mathias + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'p3r*45p3r4*4d*45tr4m' + + - name: matthias.mueller + groups: + - all-users + - mbr-buero + - mbr-personal + - buero-scan + is_samba_user: true + password: 'V1v@H@f3rdr1nk' + + - name: michael.sulies + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'Cryst4lp4l4c3' + + - name: nina.rink + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'BMW_mobit_2020!' 
+ + - name: pia.lamberty + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'oasd31*as+Q%' + + - name: pierre.ahrent + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'GYiI3-s/_7wG' + + - name: praktikum.bgn1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'MPL_baerin_20!' + + - name: praktikum.mbr1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '2001_RAT_urban!' + + - name: praktikum.mbr2 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '20praktikum213' + + - name: praktikum.rias1 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '7z7F%d3cv_dfjz' + + - name: praktikum.rias2 + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'Q56V.6kf/JLQ' + + - name: samuel.signer + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'S4mmyC0mput3r!' + + - name: scan + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '20scan13' + + - name: simon + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'S4u3rkr4ut!' + + - name: tanja.kinzel + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: 'sd7/SAqzU+Qi' + + - name: till.hendlmeier + groups: + - all-users + - mbr-buero + - buero-scan + is_samba_user: true + password: '3/+v_7AGivxc' + + - name: ulf.balmer + groups: + - all-users + - mbr-buero + - bgn + - bgn-finanzen-personal + - buero-scan + is_samba_user: true + password: 'ALL3_e6ene#' + + +# ========== +# vars used by roles/common/tasks/samba-install.yml +# ========== + +samba_server: file-mbr.mbr-bln.netz + + +# ========== +# vars used by roles/common/tasks/samba-user.yml +# ========== + +# ! Notice ! 
+# +# variables used from other previos sections: +# +# - remove_system_users: roles/common/tasks/system-user.yml +# - remove_nis_users: roles/common/tasks/nis-install-server.yml +# - nis_user: roles/common/tasks/nis-install-server.yml + + +# ========== +# vars used by roles/common/tasks/mount_samba_shares.yml +# ========== + +# ! Notice ! +# +# variables used from other previos sections: +# +# - nis_user: roles/common/tasks/nis-install-server.yml + +samba_workgroup: MBR +samba_netbios_name: FILE-MBR + +samba_shares: + + - name: Arbeitsrechtliches + path: /data/shares/Arbeitsrechtliches + group_valid_users: mbr-finanzen + group_write_list: mbr-finanzen + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - isabell.wiesner + - janine.budich + - sysadm + + - name: Ausschreibungen + path: /data/shares/Ausschreibungen + group_valid_users: mbr-personal + group_write_list: mbr-personal + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - anne + - bianca + - christina.wendt + - chris + - matthias.mueller + - janine.budich + - sysadm + + - name: BGN-Finanzen-Personal + path: /data/shares/BGN-Finanzen-Personal + group_valid_users: bgn-finanzen-personal + group_write_list: bgn-finanzen-personal + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - anne + - bianca + - christina.wendt + - chris + - isabell.wiesner + - lena.mahler + - sysadm + - ulf.balmer + + - name: BMB + path: /data/shares/BMB + group_valid_users: bmb + group_write_list: bmb + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - chris + - bianca + - jennifer.pross + - sysadm + + - name: Buero-Organisation + path: /data/shares/Buero-Organisation + group_valid_users: 
all-users + group_write_list: all-users + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.lorenz.milord + - alexander.rasumny + - alexander.steder + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - frederick.kannenberg + - felix.mueller + - hamid.mohseni + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - linda.giesel + - manja.kasten + - marc.schwietring + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: BVV-Projekt + path: /data/shares/BVV-Projekt + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - felix.mueller + - frederick.kannenberg + - hamid.mohseni + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - 
praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: Finanzen + path: /data/shares/Finanzen + group_valid_users: mbr-finanzen + group_write_list: mbr-finanzen + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - anne + - bianca + - birgit.erhardt + - christina.wendt + - chris + - isabell.wiesner + - janine.budich + - sysadm + + - name: Install + path: /data/shares/Install + group_valid_users: mbr-admins + group_write_list: mbr-admins + file_create_mask: '0660' + dir_create_mask: '2770' + user: + - chris + - sysadm + - lokaladmin + + - name: Kamera + path: /data/shares/Kamera + group_valid_users: mbr-kamera + group_write_list: mbr-kamera + file_create_mask: '0660' + dir_create_mask: '2770' + user: + - anne + - axis + - bianca + - chris + - sysadm + + - name: MBR + path: /data/shares/MBR + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dorina.feldmann + - dora.streibl + - felix.mueller + - frederick.kannenberg + - hamid.mohseni + - isabella.greif + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: 
Mobilisierungsplattform + path: /data/shares/Mobilisierungsplattform + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - frederick.kannenberg + - felix.mueller + - hamid.mohseni + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: Regishut + path: /data/shares/Regishut + group_valid_users: regishut + group_write_list: regishut + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.steder + - alexander.lorenz.milord + - benjamin + - bianca + - christina.wendt + - isabell.wiesner + - linda.giesel + - marc.schwietring + + - name: Regishut-Personal-Finanzen + path: /data/shares/Regishut-Personal-Finanzen + group_valid_users: regishut-personal-finanzen + group_write_list: regishut-personal-finanzen + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - benjamin + - bianca + - christina.wendt + - isabell.wiesner + - linda.giesel + - marc.schwietring + + - name: RIAS + path: /data/shares/RIAS + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + 
dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - felix.mueller + - hamid.mohseni + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: RIAS-Finanzen-Personal + path: /data/shares/RIAS-Finanzen-Personal + group_valid_users: rias-finanzen-personal + group_write_list: rias-finanzen-personal + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - anne + - bianca + - benjamin + - birgit.erhardt + - christina.wendt + - chris + - isabell.wiesner + - sysadm + + - name: SCAN + path: /data/shares/SCAN + group_valid_users: buero-scan + group_write_list: buero-scan + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.lorenz.milord + - alexander.rasumny + - alexander.steder + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - franz.mohorn + - frederick.kannenberg + - felix.mueller + - hamid.mohseni + - isabella.greif + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - 
kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - linda.giesel + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: VDK + path: /data/shares/VDK + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - felix.mueller + - frederick.kannenberg + - hamid.mohseni + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + - name: Video + path: /data/shares/Video + group_valid_users: mbr-buero + group_write_list: mbr-buero + file_create_mask: '0660' + dir_create_mask: '2770' + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + user: + - alexander.rasumny + - anna.mueller1 + - anne + - benjamin + - bianca + - birgit.erhardt + - bjoern.renkewitz + - christina.wendt + - chris + - daniel.poensgen + - doku.mbr2 + - doku.mbr4 + - doku.mbr5 + - dora.streibl + - dorina.feldmann + - felix.mueller + - frederick.kannenberg + - 
hamid.mohseni + - isabella.greif + - isabell.wiesner + - janine.budich + - johannes.radke + - judith.heinmueller + - julia.kopp + - kerstin.kuballa + - lavinia.schwedersky + - lena.mahler + - manja.kasten + - mathias + - matthias.mueller + - michael.sulies + - pia.lamberty + - honorar.mbr1 + - honorar.mbr2 + - nina.rink + - praktikum.bgn1 + - praktikum.mbr1 + - praktikum.mbr2 + - praktikum.rias1 + - bianca.loy + - praktikum.rias2 + - honorar.rias1 + - samuel.signer + - scan + - simon + - sysadm + - tanja.kinzel + - till.hendlmeier + - ulf.balmer + + +# ========== +# vars used by roles/common/tasks/system-user-systemfiles.yml +# ========== + +# ! Notice ! +# +# variables used from other previos sections: +# +# - system_users: roles/common/tasks/system-user.yml + + +# ========== +# vars used by roles/common/tasks/nis-user-systemfiles.yml +# ========== + +# ! Notice ! +# +# variables used from other previos sections: +# +# - nis_user: roles/common/tasks/nis-install-server.yml + + +# ========== +# vars used by roles/common/tasks/sudoers-pc.yml +# ========== + +sudo_pc_users: + - chris + - sysadm + - lokaladmin + + +# ========== +# vars used by roles/common/tasks/sudoers-server.yml +# ========== + + +# ========== +# vars used by roles/common/tasks/ubuntu-x11vnc-1604-amd64.yml +# vars used by roles/common/tasks/ubuntu-x11vnc-1804-amd64.yml +# ========== + + +# ========== +# vars used by roles/common/tasks/luks.yml +# ========== + diff --git a/group_vars/sprachenatelier.yml b/group_vars/sprachenatelier.yml index ec746dd..9d4204c 100644 --- a/group_vars/sprachenatelier.yml +++ b/group_vars/sprachenatelier.yml @@ -4,6 +4,11 @@ # vars used by roles/common/tasks/basic.yml # ========== + +# ========== +# vars used by roles/common/tasks/sshd.yml +# ========== + sshd_permit_root_login: !!str "yes" 
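Review bot: Every `nis_user` entry except `chris` carries its `password:` as a plaintext quoted string, so this group_vars file commits the credentials of more than fifty NIS/Samba accounts — including `sysadm` and `lokaladmin`, which `sudo_pc_users` further down grants sudo — to version control in the clear. Each should take the form already used for `chris`, `password: !vault |` with the output of `ansible-vault encrypt_string`, and because the values are now in repository history they need rotating rather than merely encrypting; the identical strings shared by `dora.streibl`/`honorar.rias1` and by `alexander.steder`/`linda.giesel` should be made distinct at the same time. Separately, several `samba_shares` user lists name accounts that are not members of the share's `group_valid_users` group according to `nis_user` (for example `benjamin` under `Regishut` and `Regishut-Personal-Finanzen`, `axis` under `Kamera`, `birgit.erhardt` under `RIAS-Finanzen-Personal`); whether that grants access or is ignored depends on how samba-user.yml consumes `user`, which is outside this diff, but the two lists should agree. The `franz.mohorn` entry also has a blank line between `is_samba_user` and `password`, which parses but breaks the otherwise uniform layout.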
@@ -35,6 +40,9 @@ nfs_server: 192.168.92.10 # Set 'fs_encrypted' to true if filesystem lives on an encrypted # partition. # +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# nfs_exports: - src: 192.168.92.10:/data/home path: /data/home @@ -71,6 +79,9 @@ nfs_exports: # ! Notice ! remove_system_users: [] +#remove_system_users: +# - name: test +# - name: jennifer.prost system_users: [] #system_users: @@ -93,15 +104,12 @@ base_home: /home # - defaultdomain.j2 nis_domain: sprachenatelier.netz +# also used by template +# nis_server_address: 192.168.92.10 nis_server_name: file-spr.sprachenatelier.netz -nis_common_packages: - - nis - - nscd - - nis_base_home: /data/home nis_groups: @@ -112,16 +120,10 @@ nis_groups: - name: no-backup group_id: 1120 -remove_nis_users: [] #remove_nis_users: -# - name: virginia -# - name: marei -# - name: alina -# - name: hannah -# - name: kristin -# - name: elke -# - name: thea -# - name: katrine +# - name: lea +# - name: alina +remove_nis_users: [] nis_user: - name: chris @@ -203,14 +205,6 @@ nis_user: is_samba_user: true password: 'sommer13' - - name: lea - groups: - - intern - - buero - - lpadmin - is_samba_user: true - password: '091190' - - name: linda groups: - intern @@ -416,6 +410,7 @@ samba_server: file-spr.sprachenatelier.netz # - remove_nis_users: roles/common/tasks/nis-install-server.yml # - nis_user: roles/common/tasks/nis-install-server.yml + # ========== # vars used by roles/common/tasks/mount_samba_shares.yml # ========== @@ -426,14 +421,11 @@ samba_server: file-spr.sprachenatelier.netz # # - nis_user: roles/common/tasks/nis-install-server.yml -#samba_workgroup: SPR samba_workgroup: SPR - -#samba_netbios_name: FILE-SPR samba_netbios_name: FILE-SPR - samba_shares: + - name: Transfer path: /data/samba/transfer group_valid_users: buero @@ -453,7 +445,6 @@ samba_shares: - isadora - konstantin - lara - - lea - linda - margit - mariam 
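Review bot: The added comment `# also used by template` above `nis_server_address` is followed by a bare `#` and names no template, unlike the same stanza in group_vars/mbr.yml which lists `# - yp.conf.j2`; either complete it as `# also used by template` / `# - yp.conf.j2` or drop it. The removal of `nis_common_packages` leaves no replacement in this file; if the role still references that variable it presumably now comes from a defaults file outside this diff, which is worth confirming before the next run against the sprachenatelier group.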
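Review bot: The `lea` account is deleted from `nis_user` (and from the Transfer and Verwaltung share lists in the following hunks) but `remove_nis_users` stays `[]`, with `lea` appearing only in the commented example above it, so if nis-install-server.yml removes accounts from that list as the header comments state, the existing NIS/Samba user is left on the server with its old credentials rather than deprovisioned. Populate it for at least one run, `remove_nis_users:` / `  - name: lea`, exactly in the shape of the commented block, and empty the list again afterwards. The removed entry's plaintext `password:` line also remains in repository history, like the other plaintext passwords in this file, so it should not be reused elsewhere.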
@@ -470,6 +461,7 @@ samba_shares: - simone - tali - yang + - name: Verwaltung path: /data/samba/verwaltung group_valid_users: intern @@ -489,7 +481,6 @@ samba_shares: - isadora - konstantin - lara - - lea - linda - margit - mariam @@ -500,6 +491,7 @@ samba_shares: - simone - tali - yang + - name: Multimedia path: /data/samba/no-backup-share/multimedia group_valid_users: no-backup @@ -514,7 +506,6 @@ samba_shares: - musa - # ========== # vars used by roles/common/tasks/system-user-systemfiles.yml # ========== diff --git a/host_vars/file-mbr.mbr-bln.netz.yml b/host_vars/file-mbr.mbr-bln.netz.yml index 5681ec5..b83916f 100644 --- a/host_vars/file-mbr.mbr-bln.netz.yml +++ b/host_vars/file-mbr.mbr-bln.netz.yml 
@@ -1,5 +1,79 @@ --- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device eno1 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: 0c:c4:7a:ea:dd:56 + description: + address: 192.168.112.10 + netmask: 24 + gateway: 192.168.112.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.112.1 + search: mbr-bln.netz + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: eno1 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # inline hook scripts + pre-up: + - !!str "ip link set dev eno1 up" # pre-up script lines + up: [] #up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + # --- # vars used by roles/common/tasks/basic.yml 
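Review bot: `network_manage_devices: True` and `network_interface_reload: False` use capitalised YAML 1.1 booleans, and the bare `description:` parses as null rather than an empty string; write `network_manage_devices: true`, `network_interface_reload: false` and `description: ""` (or drop the key) so the values are unambiguous across parsers and pass yamllint's truthy rule. The comment over `network_manage_devices` says files in `/etc/network/interfaces/interfaces.d/` are deleted while `network_interface_path` is `/etc/network/interfaces.d`; since this flag removes unmanaged files, the comment should name the path the role actually uses. The `!!str` tags on `stp: !!str off` and on the already quoted `pre-up` line are redundant but harmless; `stp: "off"` would be the conventional way to keep that value a string.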
@@ -17,6 +91,43 @@ sshd_permit_root_login: !!str "yes" sshd_password_authentication: !!str "yes" -sshd_use_pam: !!str "no" -# +#sshd_use_pam: !!str "no" + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_entries: + + - name: "Daily Backup " + minute: "03" + hour: "00" + job: /root/crontab/backup-rcopy/rcopy.sh + + - name: "Check if Postfix Mailservice is up and running. Restart service if needed." + minute: "*/15" + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if CUPS main daemon is up and running. Restart service if needed." + minute: "*/30" + job: /root/bin/monitoring/check_cups.sh + + - name: "Check if CUPS Browse daemon is up and running. Restart service if needed." + minute: "*/30" + job: /root/bin/monitoring/check_cups-browsed.sh + + - name: "cleanup camera files." + minute: "32" + hour: "23" + job: /root/bin/admin-stuff/cleanup_from_old_files.sh + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + diff --git a/hosts b/hosts index 2d7f267..3903294 100644 --- a/hosts +++ b/hosts @@ -21,7 +21,7 @@ cl109.sprachenatelier.netz file-spr.sprachenatelier.netz # ----- -# Sprachenatelier +# MBR # ----- [mbr:children] diff --git a/roles/ansible_user/tasks/main.yml b/roles/ansible_user/tasks/main.yml deleted file mode 100644 index 01de5d3..0000000 --- a/roles/ansible_user/tasks/main.yml +++ /dev/null 
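Review bot: `name: "Daily Backup "` carries a trailing space; the cron module uses `name` as the marker comment that identifies the entry, so a later edit without the space would create a second job instead of updating this one — use `name: "Daily Backup"`. Commenting out `sshd_use_pam` hands that setting to whatever the role's default is, which is not visible here; with `sshd_password_authentication: !!str "yes"` kept above it, a one-line comment stating the intended value (or keeping the key explicit) would make the resulting sshd_config reviewable. The `special_time: reboot` entry with `job: "sleep 10 ; ..."` is fine but would benefit from a short comment saying why the delay is needed.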
@@ -1,48 +0,0 @@ ---- - -- name: Ensure remote users for ansible exists - user: - name: '{{ item.name }}' - state: present - uid: '{{ item.user_id | default(omit) }}' - #group: '{{ item.name | default(omit) }}' - shell: '{{ item.shell|d("/bin/bash") }}' - password: "{{ item.password }}" - update_password: on_create - with_items: '{{ ansible_remote_user }}' - loop_control: - label: ' user "{{ item.name }}" exists' - tags: - - ansible-remote-user - -- name: Ensure ansible user is part of sudo group - user: - name: "{{ item.name }}" - groups: sudo - append: yes - with_items: "{{ ansible_remote_user }}" - loop_control: - label: ' user "{{ item.name }}" is part of sudo group' - tags: - - sudo-users - -- name: Ensure authorized_key files are present for ansible user - authorized_key: - user: "{{ item.name }}" - key: "{{ ssh_keys_admin|join('\n') }}" - state: present - with_items: - - '{{ ansible_remote_user }}' - loop_control: - label: ' authorized_key of user "{{ item.name }}" is present' - tags: - - authorized_key - -- name: Ensure authorized_key files are present for user root - authorized_key: - user: root - key: "{{ ssh_keys_admin|join('\n') }}" - state: present - tags: - - authorized_key - diff --git a/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2 b/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh similarity index 100% rename from roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2 rename to roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh diff --git a/roles/common/templates/etc/cups/cups-files.conf.j2 b/roles/common/templates/etc/cups/cups-files.conf.j2 index bf27049..ce8be0d 100644 --- a/roles/common/templates/etc/cups/cups-files.conf.j2 +++ b/roles/common/templates/etc/cups/cups-files.conf.j2 
@@ -31,9 +31,9 @@ SystemGroup lpadmin #ConfigFilePerm 0640 #LogFilePerm 00640 -< # Specifies the group name or ID that will be used for log files. -< # The default group in Debian is "adm". -< LogFileGroup adm +# Specifies the group name or ID that will be used for log files. +# The default group in Debian is "adm". +LogFileGroup adm # Location of the file logging all access to the scheduler; may be the name # "syslog". If not an absolute path, the value of ServerRoot is used as the