update..

ansible_user.yml

@@ -1,20 +0,0 @@
----
-
-# Intended to be run once for every new server to secure the ssh connection allowing the team access
-# with their public keys. This script will lock itself out from every server it is run on.
-# Further playbooks are intended to be run by logging in as one of the created users.
-# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
-# the time of this writing.
-
-# The used login data depends on the used server provider. In most cases the ansible_user will be
-# root, but we can't safely assume anything.
-# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
-# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
-# For real providers it could look like:
-# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
-# If you don't have a ssh-key on the server and the server expects password authentication use:
-# ansible-playbook first_run.yml -i hosts -u root --ask-pass
-
-- hosts: all
-  roles:
-    - ansible_user

group_vars/sprachenatelier.yml

@@ -4,6 +4,11 @@
 # vars used by roles/common/tasks/basic.yml
 # ==========
 
+
+# ==========
+# vars used by roles/common/tasks/sshd.yml
+# ==========
+
 sshd_permit_root_login: !!str "yes"
 
 
@@ -35,6 +40,9 @@ nfs_server: 192.168.92.10
 # Set 'fs_encrypted' to true if filesystem lives on an encrypted
 # partition.
 #
+# NOTE !!
+#    Take car to increase 'fsid' in case of more than one export
+#
 nfs_exports:
    - src: 192.168.92.10:/data/home
      path: /data/home
@@ -71,6 +79,9 @@ nfs_exports:
 # ! Notice !
 
 remove_system_users: []
+#remove_system_users:
+#  - name: test
+#  - name: jennifer.prost
 
 system_users: []
 #system_users:
@@ -93,15 +104,12 @@ base_home: /home
 #    - defaultdomain.j2
 nis_domain: sprachenatelier.netz
 
+# also used by template
+#
 nis_server_address: 192.168.92.10
 
 nis_server_name: file-spr.sprachenatelier.netz
 
-nis_common_packages:
-  - nis
-  - nscd
-
-
 nis_base_home: /data/home
 
 nis_groups:
@@ -112,16 +120,10 @@ nis_groups:
   - name: no-backup
     group_id: 1120
 
-remove_nis_users: []
 #remove_nis_users:
-#   - name: virginia
+#  - name: lea
-#   - name: marei
+#  - name: alina
-#   - name: alina
+remove_nis_users: []
-#   - name: hannah
-#   - name: kristin
-#   - name: elke
-#   - name: thea
-#   - name: katrine
 
 nis_user:
   - name: chris
@@ -203,14 +205,6 @@ nis_user:
     is_samba_user: true
     password: 'sommer13'
 
-  - name: lea
-    groups:
-      - intern
-      - buero
-      - lpadmin
-    is_samba_user: true
-    password: '091190'
-
   - name: linda
     groups:
       - intern
@@ -416,6 +410,7 @@ samba_server: file-spr.sprachenatelier.netz
 #    - remove_nis_users:      roles/common/tasks/nis-install-server.yml
 #    - nis_user:              roles/common/tasks/nis-install-server.yml
 
+
 # ==========
 # vars used by roles/common/tasks/mount_samba_shares.yml
 # ==========
@@ -426,14 +421,11 @@ samba_server: file-spr.sprachenatelier.netz
 #
 #    - nis_user:              roles/common/tasks/nis-install-server.yml
 
-#samba_workgroup: SPR
 samba_workgroup: SPR
-
-#samba_netbios_name: FILE-SPR
 samba_netbios_name: FILE-SPR
 
-
 samba_shares:
+
   - name: Transfer
     path: /data/samba/transfer
     group_valid_users: buero
@@ -453,7 +445,6 @@ samba_shares:
       - isadora
       - konstantin
       - lara
-      - lea
       - linda
       - margit
       - mariam
@@ -470,6 +461,7 @@ samba_shares:
       - simone
       - tali
       - yang
+
   - name: Verwaltung
     path: /data/samba/verwaltung
     group_valid_users: intern
@@ -489,7 +481,6 @@ samba_shares:
       - isadora
       - konstantin
       - lara
-      - lea
       - linda
       - margit
       - mariam
@@ -500,6 +491,7 @@ samba_shares:
       - simone
       - tali
       - yang
+
   - name: Multimedia
     path: /data/samba/no-backup-share/multimedia
     group_valid_users: no-backup
@@ -514,7 +506,6 @@ samba_shares:
       - musa
 
 
-
 # ==========
 # vars used by roles/common/tasks/system-user-systemfiles.yml
 # ==========

host_vars/file-mbr.mbr-bln.netz.yml

@@ -1,5 +1,79 @@
 ---
 
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+  - resolvconf
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device eno1
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    hwaddress: 0c:c4:7a:ea:dd:56
+    description:
+    address: 192.168.112.10
+    netmask: 24
+    gateway: 192.168.112.254
+
+    # optional dns settings nameservers: []
+    #
+    #    nameservers:
+    #      - 194.150.168.168  # dns.as250.net
+    #      - 91.239.100.100   # anycast.censurfridns.dk
+    #    search: warenform.de
+    #
+    nameservers:
+      - 192.168.112.1
+    search: mbr-bln.netz
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: eno1 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    # inline hook scripts
+    pre-up:
+      - !!str "ip link set dev eno1 up" # pre-up script lines
+    up: [] #up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+
 
 # ---
 # vars used by roles/common/tasks/basic.yml
@@ -17,6 +91,43 @@ sshd_permit_root_login: !!str "yes"
 
 sshd_password_authentication: !!str "yes"
 
-sshd_use_pam: !!str "no"
+#sshd_use_pam: !!str "no"
-#
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_user_entries:
+
+  - name: "Daily Backup "
+    minute: "03"
+    hour: "00"
+    job: /root/crontab/backup-rcopy/rcopy.sh
+
+  - name: "Check if Postfix Mailservice is up and running. Restart service if needed."
+    minute: "*/15"
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if CUPS main daemon is up and running. Restart service if needed."
+    minute: "*/30"
+    job: /root/bin/monitoring/check_cups.sh
+
+  - name: "Check if CUPS Browse daemon is up and running. Restart service if needed."
+    minute: "*/30"
+    job: /root/bin/monitoring/check_cups-browsed.sh
+
+  - name: "cleanup camera files."
+    minute: "32"
+    hour: "23"
+    job: /root/bin/admin-stuff/cleanup_from_old_files.sh
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
 

hosts

@@ -21,7 +21,7 @@ cl109.sprachenatelier.netz
 file-spr.sprachenatelier.netz
 
 # -----
-# Sprachenatelier
+# MBR
 # -----
 
 [mbr:children]

roles/ansible_user/tasks/main.yml

@@ -1,48 +0,0 @@
----
-
-- name: Ensure remote users for ansible exists
-  user:
-    name: '{{ item.name }}'
-    state: present
-    uid: '{{ item.user_id | default(omit) }}'
-    #group: '{{ item.name | default(omit) }}'
-    shell: '{{ item.shell|d("/bin/bash") }}'
-    password: "{{ item.password }}"
-    update_password: on_create
-  with_items: '{{ ansible_remote_user }}'
-  loop_control:
-    label: ' user "{{ item.name }}" exists'
-  tags:
-    - ansible-remote-user
-
-- name: Ensure ansible user is part of sudo group
-  user:
-    name: "{{ item.name }}"
-    groups: sudo
-    append: yes
-  with_items: "{{ ansible_remote_user }}"
-  loop_control:
-    label: ' user "{{ item.name }}" is part of sudo group'
-  tags:
-    - sudo-users
-
-- name: Ensure authorized_key files are present for ansible user
-  authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ ssh_keys_admin|join('\n') }}"
-    state: present
-  with_items:
-    - '{{ ansible_remote_user }}'
-  loop_control:
-    label: ' authorized_key of user "{{ item.name }}" is present'
-  tags:
-    - authorized_key
-
-- name: Ensure authorized_key files are present for user root
-  authorized_key:
-    user: root
-    key: "{{ ssh_keys_admin|join('\n') }}"
-    state: present
-  tags:
-    - authorized_key
-

roles/common/templates/etc/cups/cups-files.conf.j2

@@ -31,9 +31,9 @@ SystemGroup lpadmin
 #ConfigFilePerm 0640
 #LogFilePerm 00640
 
-< # Specifies the group name or ID that will be used for log files.
+# Specifies the group name or ID that will be used for log files.
-< # The default group in Debian is "adm".
+# The default group in Debian is "adm".
-< LogFileGroup adm
+LogFileGroup adm
 
 # Location of the file logging all access to the scheduler; may be the name
 # "syslog". If not an absolute path, the value of ServerRoot is used as the