update..

group_vars/all/main.yml

@@ -146,6 +146,7 @@ apt_upgrade_dpkg_options:
 
 apt_initial_install_stretch:
   - apt-transport-https
+  - cryptsetup
   - dbus
   - openssh-server
   - rssh
@@ -259,6 +260,7 @@ apt_initial_install_stretch:
 
 apt_initial_install_buster:
   - apt-transport-https
+  - cryptsetup
   - dbus
   - openssh-server
   - rush
@@ -377,6 +379,7 @@ apt_initial_install_buster:
 
 apt_initial_install_bullseye:
   - apt-transport-https
+  - cryptsetup
   - dbus
   - openssh-server
   - rush
@@ -495,6 +498,7 @@ apt_initial_install_bullseye:
 
 apt_initial_install_xenial:
   - apt-transport-https
+  - cryptsetup
   - dbus
   - openssh-server
   - rush
@@ -607,6 +611,7 @@ apt_initial_install_xenial:
 
 apt_initial_install_bionic:
   - apt-transport-https
+  - cryptsetup
   - dbus
   - openssh-server
   - rush

host_vars/file-ah.kanzlei-kiel.netz.yml

@@ -308,8 +308,8 @@ samba_shares:
     path: /data/samba/shares/Buero
     group_valid_users: intern
     group_write_list: intern
-    file_create_mask: 664
-    dir_create_mask: 2775
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -317,8 +317,8 @@ samba_shares:
     path: /data/samba/shares/Verwaltung
     group_valid_users: verwaltung
     group_write_list: verwaltung
-    file_create_mask: 660
-    dir_create_mask: 2770
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -326,8 +326,8 @@ samba_shares:
     path: /data/samba/shares/Scans_schnell
     group_valid_users: intern
     group_write_list: intern
-    file_create_mask: '664'
-    dir_create_mask: 2775
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -335,8 +335,8 @@ samba_shares:
     path: /data/samba/shares/Hoffmann-Elberling
     group_valid_users: hoffmann-elberling
     group_write_list: hoffmann-elberling
-    file_create_mask: '664'
-    dir_create_mask: 2775
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -344,8 +344,8 @@ samba_shares:
     path: /data/samba/shares/Gubitz-Partner
     group_valid_users: gubitz-partner
     group_write_list: gubitz-partner
-    file_create_mask: '664'
-    dir_create_mask: 2775
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -353,8 +353,8 @@ samba_shares:
     path: /data/samba/non-backup-shares/Gubitz-Backup
     group_valid_users: gubitz
     group_write_list: gubitz
-    file_create_mask: 660
-    dir_create_mask: 2770
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -367,8 +367,8 @@ samba_shares:
     path: /data/samba/shares/WinServer2016-Backup
     group_valid_users: {}
     group_write_list: {}
-    file_create_mask: 664
-    dir_create_mask: 2775
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
     guest_ok: !!str yes
     vfs_object_recycle: false
 

host_vars/file-ebs.ebs.netz.yml

@@ -190,8 +190,8 @@ nfs_server: 192.168.182.10
 #    Take car to increase 'fsid' in case of more than one export
 #
 nfs_exports:
-   - src: 192.168.182.10:/data/samba
-     path: /data/samba
+   - src: 192.168.182.10:/data/samba/shares
+     path: /data/samba/shares
      mount_opts: users,rsize=8192,wsize=8192,hard,intr
      export_opt: rw,root_squash,sync,subtree_check
      export_networks:
@@ -334,7 +334,7 @@ samba_shares:
 
   - name: 4all
     comment: 4all auf Fileserver
-    path: /data/samba/4all
+    path: /data/samba/shares/4all
     group_valid_users: alle
     group_write_list: alle
     file_create_mask: !!str 660
@@ -344,7 +344,7 @@ samba_shares:
 
   - name: Akten
     comment: Akten auf Fileserver
-    path: /data/samba/Akten
+    path: /data/samba/shares/Akten
     group_valid_users: akten
     group_write_list: akten
     file_create_mask: !!str 660
@@ -354,7 +354,7 @@ samba_shares:
 
   - name: Archiv
     comment: Archiv auf Fileserver
-    path: /data/samba/Archiv
+    path: /data/samba/shares/Archiv
     group_valid_users: archiv
     group_write_list: archiv
     file_create_mask: !!str 660
@@ -364,7 +364,7 @@ samba_shares:
 
   - name: Kanzlei
     comment: Kanzlei auf Fileserver
-    path: /data/samba/Kanzlei
+    path: /data/samba/shares/Kanzlei
     group_valid_users: kanzlei
     group_write_list: kanzlei
     file_create_mask: !!str 660
@@ -374,7 +374,7 @@ samba_shares:
 
   - name: Recherche
     comment: Recherche auf Fileserver
-    path: /data/samba/Recherche
+    path: /data/samba/shares/Recherche
     group_valid_users: recherche
     group_write_list: recherche
     file_create_mask: !!str 660
@@ -384,7 +384,7 @@ samba_shares:
 
   - name: Install
     comment: Install auf Fileserver
-    path: /data/samba/Install
+    path: /data/samba/shares/Install
     group_valid_users: admin
     group_write_list: admin
     file_create_mask: !!str 660
@@ -392,6 +392,19 @@ samba_shares:
     vfs_object_recycle: true
     recycle_path: '@Recycle.Bin'
 
+    # ---
+    # - This share will be written by windows schedulescript 'backup-advoware.bat'
+    # ---
+  - name: Advoware-Backup
+    comment: Advoware-Backup (only read) on Fileserver
+    path: /data/samba/shares/Advoware-Backup
+    group_valid_users: back
+    group_write_list: back
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
+    guest_ok: !!str yes
+    vfs_object_recycle: false
+
 
 
 # ==============================

host_vars/gw-flr.oopen.de.yml

@@ -0,0 +1,243 @@
+---
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+  - resolvconf
+
+network_interfaces:
+
+  - device: eno1
+    headline: eno1 - Uplink DSL via Fritz!Box
+    auto: true
+    family: inet
+    method: static
+    address: 172.16.102.1
+    netmask: 24
+    gateway: 172.16.102.254
+    nameservers:
+      - 127.0.0.1
+      - 172.16.102.254
+    search: flr.netz
+
+
+  - device: eno2
+    headline: eno2 -  LAN 
+    auto: true
+    family: inet
+    method: static
+    address: 192.168.102.254
+    netmask: 24
+
+
+  - device: eno2:ns
+    headline: eno2:ns - Alias on eno2 (Nameserver)
+    auto: true
+    family: inet
+    method: static
+    address: 192.168.102.1
+    netmask: 32
+
+
+  - device: eno3
+    headline: eno3 -  WLAN 
+    auto: true
+    family: inet
+    method: static
+    address: 192.168.103.254
+    netmask: 24
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+cron_user_entries:
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if SSH service is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if OpenVPN service is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_vpn.sh
+
+  - name: "Check if nameservice (bind) is running?"
+    minute: '*/10'
+    hour: '*'
+    job: /root/bin/monitoring/check_dns.sh
+
+  - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
+    minute: '0-59/2'
+    hour: '*'
+    job: /root/bin/monitoring/check_forwarding.sh
+
+  - name: "Copy gateway configuration"
+    minute: '09'
+    hour: '3'
+    job: /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB
+
+
+#cron_user_special_time_entries: []
+cron_user_special_time_entries:
+
+  - name: "Check if Postfix Service is running at boot time"
+    special_time: reboot
+    job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
+    insertafter: PATH
+
+  - name: "Restart Systemd's resolved at boottime."
+    special_time: reboot
+    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_hostkeyalgorithms:
+  - ssh-ed25519
+  - ssh-ed25519-cert-v01@openssh.com
+  - rsa-sha2-256
+  - rsa-sha2-512
+  - ecdsa-sha2-nistp256
+  - rsa-sha2-256-cert-v01@openssh.com
+  - rsa-sha2-512-cert-v01@openssh.com
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+insert_ssh_keypair_backup_server: false
+ssh_keypair_backup_server:
+  - name: backup
+    backup_user: back
+    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
+    priv_key_dest: /root/.ssh/id_rsa
+    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
+    pub_key_dest: /root/.ssh/id_rsa.pub
+
+insert_keypair_backup_client: true
+ssh_keypair_backup_client:
+  - name: backup
+    priv_key_src: root/.ssh/id_ed25519.oopen-server
+    priv_key_dest: /root/.ssh/id_ed25519
+    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
+    pub_key_dest: /root/.ssh/id_ed25519.pub
+    target: backup.oopen.de
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+apt_install_bind9_packages: true
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-gateway
+  repo: https://git.oopen.de/firewall/ipt-gateway
+  dest: /usr/local/src/ipt-gateway
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+

roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts

@@ -64,3 +64,5 @@ kitchenfaucetcenter\.com$
 fqmeta\.net$
 kitchenespial\.com$
 owboyhardware\.com$
+comicartcollective\.com$
+fesg56wesg\.xyz$

roles/common/files/mailserver/etc/postfix/postfwd.bl-nets

@@ -123,3 +123,5 @@
 104.161.0.0/17
 158.51.124.0/22
 193.42.38.0/24
+# US (u.a. pro-versender.com)
+173.254.192.0/18

roles/common/files/mailserver/etc/postfix/postfwd.bl-sender

@@ -82,6 +82,7 @@ firmen-infos\.com$
 @corvsport\.com$
 @echtzeit-video\.com$
 @cortlandparkcashmere\.com$
+@pro-versender\.com$
 
 # annoying spammer addresses
 ^error@mailfrom\.com$