diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 84f41f4..16af167 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1077,6 +1077,7 @@ sshd_gateway_ports: !!str "no" # - diffie-hellman-group14-sha1 # #sshd_kexalgorithms: {} + sshd_hostkeyalgorithms: - ssh-ed25519 - ssh-ed25519-cert-v01@openssh.com @@ -1818,7 +1819,7 @@ samba_netbios_name: # samba_server_min_protocol # -samba_server_min_protocol: +samba_server_min_protocol: [] samba_groups: [] diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml index ef78faf..5dd354f 100644 --- a/host_vars/file-ah.kanzlei-kiel.netz.yml +++ b/host_vars/file-ah.kanzlei-kiel.netz.yml @@ -135,17 +135,6 @@ default_user: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - name: localadmin - user_id: 1051 - group_id: 1051 - password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-rsa 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 jonas@meurer.it' - - 'ssh-rsa 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 t@NB-003258-RLS' - - name: back user_id: 1060 group_id: 1060 diff --git a/host_vars/file-ebs.ebs.netz.yml b/host_vars/file-ebs.ebs.netz.yml index 12dce89..050756b 100644 --- a/host_vars/file-ebs.ebs.netz.yml +++ b/host_vars/file-ebs.ebs.netz.yml 
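Review bot: With `samba_server_min_protocol: []` in group_vars/all/main.yml and the `|default('SMB2_02')` filter dropped from `smb.conf.j2` in the same commit, the repository no longer states a minimum SMB dialect anywhere. Hosts that leave the variable unset now depend on the built-in default of whichever Samba version is installed. The variable holds a protocol name, so an empty list is the wrong type, and if the `{% if %}` guard around the template line (it lies outside the hunk) only tests `is defined`, the rendered line would read `server min protocol = []`. Keeping the floor in the template as `{{ samba_server_min_protocol | default('SMB2_02', true) }}` covers both unset and empty values. The template's own example value `NT1` is SMB1, so a comment beside the variable such as `# do not set below SMB2_02 without a documented reason` would help.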
@@ -219,15 +219,35 @@ samba_netbios_name: FILE-EBS samba_groups: + - name: admin + group_id: 1100 + - name: alle group_id: 1110 + - name: akten + group_id: 1120 + + - name: archiv + group_id: 1130 + + - name: kanzlei + group_id: 1140 + + - name: recherche + group_id: 1150 + samba_user: - name: chris groups: + - admin - alle + - akten + - archiv + - kanzlei + - recherche password: !vault | $ANSIBLE_VAULT;1.1;AES256 63643330373231636537366333326630333265303265653933613835656262323863363038653234 @@ -238,37 +258,66 @@ samba_user: - name: sysadm groups: + - admin - alle + - akten + - archiv + - kanzlei + - recherche password: 'IrcR3uo-QJ.5' - name: buero groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'buero-ebs/2022.%' - name: axel groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'ah-ebs.2022-!' - name: bjoern groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'be-ebs-2022/%' - name: christoph groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'ck-ebs-2022.%' - name: kristin groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'kp-ebs.2022_%' - name: maik groups: - alle + - akten + - archiv + - kanzlei + - recherche password: 'me-ebs_2022.!' 
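Review bot: The `sysadm` entry gains the `admin` group in this hunk while its `password` is a cleartext string in host_vars, unlike `chris` directly above it, which uses `password: !vault |`. The same applies to the `buero`, `axel`, `bjoern`, `christoph`, `kristin` and `maik` entries, each of which is extended with four more groups. These values are already in repository history, so moving them to ansible-vault should go together with rotating them. Every non-admin user also receives all four new groups, so the per-share `group_valid_users` settings added later in this file do not yet separate anyone; a short comment saying this is intended would help.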
@@ -291,6 +340,57 @@ samba_shares: file_create_mask: !!str 660 dir_create_mask: !!str 2770 vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + + - name: Akten + comment: Akten auf Fileserver + path: /data/samba/Akten + group_valid_users: akten + group_write_list: akten + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + + - name: Archiv + comment: Archiv auf Fileserver + path: /data/samba/Archiv + group_valid_users: archiv + group_write_list: archiv + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + + - name: Kanzlei + comment: Kanzlei auf Fileserver + path: /data/samba/Kanzlei + group_valid_users: kanzlei + group_write_list: kanzlei + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + + - name: Recherche + comment: Recherche auf Fileserver + path: /data/samba/Recherche + group_valid_users: recherche + group_write_list: recherche + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' + + - name: Install + comment: Install auf Fileserver + path: /data/samba/Install + group_valid_users: admin + group_write_list: admin + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle.Bin' diff --git a/host_vars/gw-123.oopen.de.yml b/host_vars/gw-123.oopen.de.yml index 1bb517b..f8f5070 100644 --- a/host_vars/gw-123.oopen.de.yml +++ b/host_vars/gw-123.oopen.de.yml @@ -26,6 +26,15 @@ copy_additional_plain_files_sysctl: # vars used by roles/common/tasks/sshd.yml # --- +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + # --- # vars used by roles/common/tasks/apt.yml 
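Review bot: Each new share sets `vfs_object_recycle: true` with `recycle_path: '@Recycle.Bin'`, but nothing visible in the hunk says how long deleted files are kept or what empties the bin. For shares named `Akten` and `Archiv` this means a deleted document stays readable to the whole group under the share until something purges it. If the role has a retention or cleanup setting, it should be set here; otherwise a comment such as `# recycle bin is not purged automatically` would at least record the behaviour. The five added entries differ only in name, path and group, so a shared default for the masks and recycle options would also keep them from drifting.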
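Review bot: The same `sshd_hostkeyalgorithms` list is pasted into `gw-123`, `gw-ah`, `gw-ebs` and `gw-elster`, and `gw-ckubu.local.netz` gets a variant without `ecdsa-sha2-nistp256`. Nothing says why the gateways override the list in group_vars/all (only its first two entries are visible here) or whether the `gw-ckubu` difference is deliberate. Defining the list once in a group variable for the gateway hosts, with a comment like `# gateways additionally offer RSA (SHA-2) and ECDSA host keys`, would keep the five copies from drifting. The list leaves out `ssh-rsa` (SHA-1 signatures); saying so in that comment would stop someone adding it back later. In the `gw-ckubu` hunk the blank line before the following `# ---` is also missing.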
diff --git a/host_vars/gw-ah.oopen.de.yml b/host_vars/gw-ah.oopen.de.yml index b630e5f..d86ae12 100644 --- a/host_vars/gw-ah.oopen.de.yml +++ b/host_vars/gw-ah.oopen.de.yml @@ -21,6 +21,15 @@ sshd_permit_root_login: !!str "prohibit-password" +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + # --- # vars used by roles/common/tasks/apt.yml diff --git a/host_vars/gw-ckubu.local.netz.yml b/host_vars/gw-ckubu.local.netz.yml index 3fb3c61..20b1c89 100644 --- a/host_vars/gw-ckubu.local.netz.yml +++ b/host_vars/gw-ckubu.local.netz.yml @@ -19,6 +19,13 @@ # vars used by roles/common/tasks/sshd.yml # --- +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com # --- # vars used by roles/common/tasks/apt.yml diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index 7ed5956..f2d433c 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -19,6 +19,15 @@ # vars used by roles/common/tasks/sshd.yml # --- +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + # --- # vars used by roles/common/tasks/apt.yml diff --git a/host_vars/gw-elster.oopen.de.yml b/host_vars/gw-elster.oopen.de.yml index b52cd35..324c0f3 100644 --- a/host_vars/gw-elster.oopen.de.yml +++ b/host_vars/gw-elster.oopen.de.yml 
@@ -127,6 +127,15 @@ cron_user_special_time_entries: # vars used by roles/common/tasks/sshd.yml # --- +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + # --- # vars used by roles/common/tasks/apt.yml diff --git a/hosts b/hosts index a483441..d739d28 100644 --- a/hosts +++ b/hosts @@ -36,6 +36,7 @@ gw-b3.oopen.de gw-blkr.oopen.de gw-d11.oopen.de gw-flr.oopen.de +172.16.102.22 gw-irights.irights.netz gw-km.oopen.de gw-mbr.oopen.de @@ -406,6 +407,7 @@ file-fhxb.fhxb.netz # Fluechtlingsrat BRB gw-flr.oopen.de +172.16.102.22 # iRights gw-irights.irights.netz @@ -1545,7 +1547,6 @@ bbb.b3-bornim.netz gw-blkr.oopen.de gw-replacement2.local.netz -gw-replacement3.local.netz [gateway_server_rw] @@ -1563,7 +1564,9 @@ gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz gw-flr.oopen.de +172.16.102.22 gw-replacement.local.netz +gw-replacement3.local.netz gw-irights.irights.netz gw-km.oopen.de gw-mbr.oopen.de diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index 10b47fa..73a0765 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts @@ -63,4 +63,4 @@ kitchenfantasy\.com$ kitchenfaucetcenter\.com$ fqmeta\.net$ kitchenespial\.com$ - +owboyhardware\.com$ diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets index edbea79..21e3b64 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets @@ -117,3 +117,9 @@ 146.59.88.240/29 # UA (Ukraine) 193.3.23.0/24 +# DE (u.a. lagerexpress.com) +41.216.188.0/24 +# US (u.a. echtzeit-video.com>) +104.161.0.0/17 +158.51.124.0/22 +193.42.38.0/24 
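Review bot: `172.16.102.22` is added as a bare address in three places (after `gw-flr.oopen.de` twice and in `[gateway_server_rw]`), with no name or comment identifying the machine. Every other entry in these hunks is a hostname and host_vars files are keyed by inventory name, so an alias such as `gw-NAME.example ansible_host=172.16.102.22` (placeholder name) would keep the inventory readable and let a host_vars file follow the existing naming scheme. The same hunks move `gw-replacement3.local.netz` into `[gateway_server_rw]`; the group it leaves is outside the visible context, so a one-line comment on why it moved would help.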
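Review bot: `owboyhardware\.com$` in postfwd.bl-hosts looks as if it may have lost its first letter, since the neighbouring entries are complete domain names. The pattern has no left anchor, so it still matches any host name ending in that string and the rule probably behaves as intended. The entry will be hard to recognise or grep for later, though, so it should be checked against the domain that was actually observed.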
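Review bot: `104.161.0.0/17` in postfwd.bl-nets blocks 32,768 addresses on the strength of one named sender domain, which is much wider than the /22, /24 and /29 entries around it. A block of that size can reject unrelated legitimate senders, so either narrow it to the range actually seen or record the basis in the comment, for example `# US (u.a. echtzeit-video.com), whole provider range, added YYYY-MM-DD`. The added comment `# US (u.a. echtzeit-video.com>)` also carries a stray `>`.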
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender index 0f64d43..8bf75f0 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender @@ -79,6 +79,9 @@ firmen-infos\.com$ @premiumversender\.com$ @longhornvapor\.com$ @d-logistik\.com$ +@corvsport\.com$ +@echtzeit-video\.com$ +@cortlandparkcashmere\.com$ # annoying spammer addresses ^error@mailfrom\.com$ diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index c238e0d..4c5bcd0 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -57,7 +57,7 @@ # # Example: server min protocol = NT1 # - server min protocol = {{ samba_server_min_protocol|default('SMB2_02') }} + server min protocol = {{ samba_server_min_protocol }} {% endif %}