update..

2022-02-21 01:29:16 +01:00 · 2022-02-21 01:29:16 +01:00 · 3a23a7cee5
commit 3a23a7cee5
parent 1c57c66dca
8 changed files with 1560 additions and 103 deletions
--- a/ansible_user.yml
+++ b/ansible_user.yml
@ -1,20 +0,0 @@
---
-
-# Intended to be run once for every new server to secure the ssh connection allowing the team access
-# with their public keys. This script will lock itself out from every server it is run on.
-# Further playbooks are intended to be run by logging in as one of the created users.
-# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
-# the time of this writing.
-
-# The used login data depends on the used server provider. In most cases the ansible_user will be
-# root, but we can't safely assume anything.
-# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
-# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
-# For real providers it could look like:
-# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
-# If you don't have a ssh-key on the server and the server expects password authentication use:
-# ansible-playbook first_run.yml -i hosts -u root --ask-pass
-
- hosts: all
-  roles:
-    - ansible_user
--- a/group_vars/mbr.yml
+++ b/group_vars/mbr.yml
--- a/group_vars/sprachenatelier.yml
+++ b/group_vars/sprachenatelier.yml
@ -4,6 +4,11 @@
 # vars used by roles/common/tasks/basic.yml
 # ==========

+
+# ==========
+# vars used by roles/common/tasks/sshd.yml
+# ==========
+
 sshd_permit_root_login: !!str "yes"


@ -35,6 +40,9 @@ nfs_server: 192.168.92.10
 # Set 'fs_encrypted' to true if filesystem lives on an encrypted
 # partition.
 #
+# NOTE !!
+#    Take car to increase 'fsid' in case of more than one export
+#
 nfs_exports:
   - src: 192.168.92.10:/data/home
     path: /data/home
@ -71,6 +79,9 @@ nfs_exports:
 # ! Notice !

 remove_system_users: []
+#remove_system_users:
+#  - name: test
+#  - name: jennifer.prost

 system_users: []
 #system_users:
@ -93,15 +104,12 @@ base_home: /home
 #    - defaultdomain.j2
 nis_domain: sprachenatelier.netz

+# also used by template
+#
 nis_server_address: 192.168.92.10

 nis_server_name: file-spr.sprachenatelier.netz

-nis_common_packages:
-  - nis
-  - nscd
-
-
 nis_base_home: /data/home

 nis_groups:
@ -112,16 +120,10 @@ nis_groups:
  - name: no-backup
    group_id: 1120

-remove_nis_users: []
 #remove_nis_users:
-#   - name: virginia
-#   - name: marei
+#  - name: lea
 #  - name: alina
-#   - name: hannah
-#   - name: kristin
-#   - name: elke
-#   - name: thea
-#   - name: katrine
+remove_nis_users: []

 nis_user:
  - name: chris
@ -203,14 +205,6 @@ nis_user:
    is_samba_user: true
    password: 'sommer13'

-  - name: lea
-    groups:
-      - intern
-      - buero
-      - lpadmin
-    is_samba_user: true
-    password: '091190'
-
  - name: linda
    groups:
      - intern
@ -416,6 +410,7 @@ samba_server: file-spr.sprachenatelier.netz
 #    - remove_nis_users:      roles/common/tasks/nis-install-server.yml
 #    - nis_user:              roles/common/tasks/nis-install-server.yml

+
 # ==========
 # vars used by roles/common/tasks/mount_samba_shares.yml
 # ==========
@ -426,14 +421,11 @@ samba_server: file-spr.sprachenatelier.netz
 #
 #    - nis_user:              roles/common/tasks/nis-install-server.yml

-#samba_workgroup: SPR
 samba_workgroup: SPR
-
-#samba_netbios_name: FILE-SPR
 samba_netbios_name: FILE-SPR

-
 samba_shares:
+
  - name: Transfer
    path: /data/samba/transfer
    group_valid_users: buero
@ -453,7 +445,6 @@ samba_shares:
      - isadora
      - konstantin
      - lara
-      - lea
      - linda
      - margit
      - mariam
@ -470,6 +461,7 @@ samba_shares:
      - simone
      - tali
      - yang
+
  - name: Verwaltung
    path: /data/samba/verwaltung
    group_valid_users: intern
@ -489,7 +481,6 @@ samba_shares:
      - isadora
      - konstantin
      - lara
-      - lea
      - linda
      - margit
      - mariam
@ -500,6 +491,7 @@ samba_shares:
      - simone
      - tali
      - yang
+
  - name: Multimedia
    path: /data/samba/no-backup-share/multimedia
    group_valid_users: no-backup
@ -514,7 +506,6 @@ samba_shares:
      - musa


-
 # ==========
 # vars used by roles/common/tasks/system-user-systemfiles.yml
 # ==========
--- a/host_vars/file-mbr.mbr-bln.netz.yml
+++ b/host_vars/file-mbr.mbr-bln.netz.yml
@ -1,5 +1,79 @@
 ---

+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+  - resolvconf
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device eno1
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    hwaddress: 0c:c4:7a:ea:dd:56
+    description:
+    address: 192.168.112.10
+    netmask: 24
+    gateway: 192.168.112.254
+
+    # optional dns settings nameservers: []
+    #
+    #    nameservers:
+    #      - 194.150.168.168  # dns.as250.net
+    #      - 91.239.100.100   # anycast.censurfridns.dk
+    #    search: warenform.de
+    #
+    nameservers:
+      - 192.168.112.1
+    search: mbr-bln.netz
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: eno1 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    # inline hook scripts
+    pre-up:
+      - !!str "ip link set dev eno1 up" # pre-up script lines
+    up: [] #up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+

 # ---
 # vars used by roles/common/tasks/basic.yml
@ -17,6 +91,43 @@ sshd_permit_root_login: !!str "yes"

 sshd_password_authentication: !!str "yes"

-sshd_use_pam: !!str "no"
-#
+#sshd_use_pam: !!str "no"
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_user_entries:
+
+  - name: "Daily Backup "
+    minute: "03"
+    hour: "00"
+    job: /root/crontab/backup-rcopy/rcopy.sh
+
+  - name: "Check if Postfix Mailservice is up and running. Restart service if needed."
+    minute: "*/15"
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if CUPS main daemon is up and running. Restart service if needed."
+    minute: "*/30"
+    job: /root/bin/monitoring/check_cups.sh
+
+  - name: "Check if CUPS Browse daemon is up and running. Restart service if needed."
+    minute: "*/30"
+    job: /root/bin/monitoring/check_cups-browsed.sh
+
+  - name: "cleanup camera files."
+    minute: "32"
+    hour: "23"
+    job: /root/bin/admin-stuff/cleanup_from_old_files.sh
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+

--- a/2
+++ b/2
@ -21,7 +21,7 @@ cl109.sprachenatelier.netz
 file-spr.sprachenatelier.netz

 # -----
-# Sprachenatelier
+# MBR
 # -----

 [mbr:children]
--- a/roles/ansible_user/tasks/main.yml
+++ b/roles/ansible_user/tasks/main.yml
@ -1,48 +0,0 @@
---
-
- name: Ensure remote users for ansible exists
-  user:
-    name: '{{ item.name }}'
-    state: present
-    uid: '{{ item.user_id | default(omit) }}'
-    #group: '{{ item.name | default(omit) }}'
-    shell: '{{ item.shell|d("/bin/bash") }}'
-    password: "{{ item.password }}"
-    update_password: on_create
-  with_items: '{{ ansible_remote_user }}'
-  loop_control:
-    label: ' user "{{ item.name }}" exists'
-  tags:
-    - ansible-remote-user
-
- name: Ensure ansible user is part of sudo group
-  user:
-    name: "{{ item.name }}"
-    groups: sudo
-    append: yes
-  with_items: "{{ ansible_remote_user }}"
-  loop_control:
-    label: ' user "{{ item.name }}" is part of sudo group'
-  tags:
-    - sudo-users
-
- name: Ensure authorized_key files are present for ansible user
-  authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ ssh_keys_admin|join('\n') }}"
-    state: present
-  with_items:
-    - '{{ ansible_remote_user }}'
-  loop_control:
-    label: ' authorized_key of user "{{ item.name }}" is present'
-  tags:
-    - authorized_key
-
- name: Ensure authorized_key files are present for user root
-  authorized_key:
-    user: root
-    key: "{{ ssh_keys_admin|join('\n') }}"
-    state: present
-  tags:
-    - authorized_key
-
--- a/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2
+++ b/roles/common/files/mbr-bln.netz/root/bin/wakeup_lan.sh.j2
--- a/roles/common/templates/etc/cups/cups-files.conf.j2
+++ b/roles/common/templates/etc/cups/cups-files.conf.j2
@ -31,9 +31,9 @@ SystemGroup lpadmin
 #ConfigFilePerm 0640
 #LogFilePerm 00640

-< # Specifies the group name or ID that will be used for log files.
-< # The default group in Debian is "adm".
-< LogFileGroup adm
+# Specifies the group name or ID that will be used for log files.
+# The default group in Debian is "adm".
+LogFileGroup adm

 # Location of the file logging all access to the scheduler; may be the name
 # "syslog". If not an absolute path, the value of ServerRoot is used as the