From 2c095f167498ee927025b00c7cfc4931f3bbac31 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 28 Oct 2020 02:38:09 +0100
Subject: [PATCH] Update..

---
 group_vars/all/main.yml | 35 ++++-
 group_vars/all/vars.yml.sample | 10 +-
 host_vars/stolpersteine.oopen.de.yml | 72 +++++++++
 roles/common/tasks/sshd.yml | 36 +++++
 roles/common/templates/etc/ssh/sshd_config.j2 | 141 ++++++++++++++----
 rolesset_permissions_samba_shares.conf.j2 | 40 +++++
 6 files changed, 299 insertions(+), 35 deletions(-)
 create mode 100644 host_vars/stolpersteine.oopen.de.yml
 create mode 100644 rolesset_permissions_samba_shares.conf.j2

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 2052520..df2fa8b 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -722,7 +722,6 @@ sshd_listen_address:
 sshd_host_keys:
 - /etc/ssh/ssh_host_rsa_key
- - /etc/ssh/ssh_host_ecdsa_key
 - /etc/ssh/ssh_host_ed25519_key
 # only for debian version <= 9 
@@ -749,16 +748,44 @@ sshd_print_motd: !!str "no" # - diffie-hellman-group-exchange-sha256 # - diffie-hellman-group14-sha1 # -sshd_kexalgorithms: {} +#sshd_kexalgorithms: {} +sshd_kexalgorithms: + - curve25519-sha256 + - curve25519-sha256@libssh.org + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - diffie-hellman-group-exchange-sha256 -# sshd_kexalgorithms +# sshd__ciphers # # Example: # sshd_ciphers: # - chacha20-poly1305@openssh.com # - aes256-gcm@openssh.com # - aes256-ctr -sshd_ciphers: {} +#sshd_ciphers: {} +sshd_ciphers: + - chacha20-poly1305@openssh.com + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr + +#sshd_macs: {} +sshd_macs: + - hmac-sha2-256-etm@openssh.com + - hmac-sha2-512-etm@openssh.com + - umac-128-etm@openssh.com + +#sshd_hostkeyalgorithms: {} +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com sshd_use_dns: !!str "no" diff --git a/group_vars/all/vars.yml.sample b/group_vars/all/vars.yml.sample index 8ef5fca..273c4bd 100644 --- a/group_vars/all/vars.yml.sample +++ b/group_vars/all/vars.yml.sample @@ -15,11 +15,6 @@ # --- -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - - # --- # vars used by apt.yml # --- @@ -40,6 +35,11 @@ # --- +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + # --- # vars used by roles/common/tasks/sudoers.yml # --- diff --git a/host_vars/stolpersteine.oopen.de.yml b/host_vars/stolpersteine.oopen.de.yml new file mode 100644 index 0000000..9943dc4 --- /dev/null +++ b/host_vars/stolpersteine.oopen.de.yml 
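Review bot: The comment header introduced for the cipher block reads `# sshd__ciphers` (two underscores) while the variable it documents is `sshd_ciphers`; it should be `# sshd_ciphers`. The new `sshd_macs` and `sshd_hostkeyalgorithms` defaults also arrive without the `# Example:` comment block that precedes `sshd_kexalgorithms` and `sshd_ciphers`, so nothing in this file tells a reader that they end up in the `MACs` and `HostKeyAlgorithms` directives; a short header mirroring the block above (`# sshd_macs`, `#`, `# Example:`, `# sshd_macs:`, `#   - hmac-sha2-256-etm@openssh.com`) would keep the file consistent. Since these lists are now group-wide defaults rather than `{}`, a host that wants OpenSSH's built-in defaults back has to override the variable with an empty list so that the corresponding fact stays undefined; that is worth a one-line comment next to each list.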
@@ -0,0 +1,72 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_privileges: + - name: eike + entry: 'ALL=(www-data) NOPASSWD: ALL' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index dc4467b..c688dca 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml 
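Review bot: The sudoers entry `'ALL=(www-data) NOPASSWD: ALL'` for user `eike` grants every command as `www-data` without a password; if only a handful of operations are needed, listing those commands instead of `ALL` keeps the rule at least privilege. At minimum a comment above `sudoers_file_user_privileges` stating why the unrestricted entry is required, e.g. `# <reason the unrestricted www-data grant is needed>`, would let the next reviewer judge it without guessing. The remaining sections of this host file are empty headers; that is fine as a template, but the `vars used by roles/common/tasks/sshd.yml` section is the natural place to set `sshd_allowed_users` for this host now that sshd.yml builds a fact from it.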
@@ -1,5 +1,41 @@
 ---
+
+# ---
+# Set some facts
+# ---
+
+- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
+ set_fact:
+ fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
+ when:
+ - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
+
+- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
+ set_fact:
+ fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
+ when:
+ - sshd_ciphers is defined and sshd_ciphers | length > 0
+
+- name: (sshd.yml) Set fact_sshd_macs
+ set_fact:
+ fact_sshd_macs: "{{ sshd_macs | join (',') }}"
+ when:
+ - sshd_macs is defined and sshd_macs | length > 0
+
+- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
+ set_fact:
+ fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
+ when:
+ - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
+
+- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
+ set_fact:
+ fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
+ when:
+ - sshd_allowed_users is defined and sshd_allowed_users | length > 0
+
+
 - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
 stat:
 path: /etc/ssh/sshd_config.ORIG
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
index 7598885..46b801d 100644
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@@ -52,7 +52,6 @@ HostKey {{ item }}
 # to the SSH daemon. See sshd_config(5) for specifiing the three colon
 # separated values.
 # The default is 10.
-#MaxStartups 10:30:100
 #MaxStartups 3
 MaxStartups 10:30:100 
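Review bot: The task name `Set fact_sshd_hostkeyalgorithms (blank separated list)` contradicts its body, which joins with `','` — and sshd's `HostKeyAlgorithms` directive does take a comma-separated list — so the name should read `(comma separated list)`; the `Set fact_sshd_macs` task is the only one with no separator note and could carry `(comma separated list)` too. The `when` guards mean an unset or empty list leaves the fact undefined, which the template then relies on to emit the commented OpenSSH default instead of a directive; a comment above the first task, `# A fact is only set for a non-empty list; sshd_config.j2 falls back to the commented default otherwise`, would record that contract where it is implemented. The `join (',')` spelling with a space before the parenthesis works in Jinja but `join(',')` is the conventional form.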
@@ -202,50 +201,140 @@ UsePAM {{ sshd_use_pam }} # Cryptography #----------------------------- -# Specifies the available KEX (Key Exchange) algorithms. +# KexAlgorithms +# +# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. +# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐ +# pended to the default set instead of replacing them. If the specified value begins with a ‘-’ charac‐ +# ter, then the specified methods (including wildcards) will be removed from the default set instead of +# replacing them. The supported algorithms are: +# +# curve25519-sha256 +# curve25519-sha256@libssh.org +# diffie-hellman-group1-sha1 +# diffie-hellman-group14-sha1 +# diffie-hellman-group14-sha256 +# diffie-hellman-group16-sha512 +# diffie-hellman-group18-sha512 +# diffie-hellman-group-exchange-sha1 +# diffie-hellman-group-exchange-sha256 +# ecdh-sha2-nistp256 +# ecdh-sha2-nistp384 +# ecdh-sha2-nistp521 +# # The default is: -## curve25519-sha256@libssh.org, -## ecdh-sha2-nistp256, -## ecdh-sha2-nistp384, -## ecdh-sha2-nistp521, -## diffie-hellman-group-exchange-sha256, -## diffie-hellman-group14-sha1. +# +# curve25519-sha256,curve25519-sha256@libssh.org, +# ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +# diffie-hellman-group-exchange-sha256, +# diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, +# diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 +# +# The list of available key exchange algorithms may also be obtained using "ssh -Q kex". 
+# {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %} KexAlgorithms {{ fact_sshd_kexalgorithms }} {% else %} -#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 {% endif %} -# Specifies the ciphers allowed for protocol version 2. +# Ciphers +# +# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins +# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐ +# ing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including +# wildcards) will be removed from the default set instead of replacing them. +# +# The supported ciphers are: +# +# 3des-cbc +# aes128-cbc +# aes192-cbc +# aes256-cbc +# aes128-ctr +# aes192-ctr +# aes256-ctr +# aes128-gcm@openssh.com +# aes256-gcm@openssh.com +# chacha20-poly1305@openssh.com +# # The default is: -## aes128-ctr, -## aes192-ctr, -## aes256-ctr, -## aes128-gcm@openssh.com, -## aes256-gcm@openssh.com, -## chacha20-poly1305@openssh.com. +# +# chacha20-poly1305@openssh.com, +# aes128-ctr,aes192-ctr,aes256-ctr, +# aes128-gcm@openssh.com,aes256-gcm@openssh.com +# +# The list of available ciphers may also be obtained using "ssh -Q cipher". +# {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %} Ciphers {{ fact_sshd_ciphers }} {% else %} #Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr {% endif %} -# Specifies the available MAC (message authentication code) algorithms. +# MACs +# +# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for +# data integrity protection. 
Multiple algorithms must be comma-separated. If the specified value begins +# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐ +# placing them. If the specified value begins with a ‘-’ character, then the specified algorithms (in‐ +# cluding wildcards) will be removed from the default set instead of replacing them. +# +# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are +# considered safer and their use recommended. The supported MACs are: +# +# hmac-md5 +# hmac-md5-96 +# hmac-sha1 +# hmac-sha1-96 +# hmac-sha2-256 +# hmac-sha2-512 +# umac-64@openssh.com +# umac-128@openssh.com +# hmac-md5-etm@openssh.com +# hmac-md5-96-etm@openssh.com +# hmac-sha1-etm@openssh.com +# hmac-sha1-96-etm@openssh.com +# hmac-sha2-256-etm@openssh.com +# hmac-sha2-512-etm@openssh.com +# umac-64-etm@openssh.com +# umac-128-etm@openssh.com +# # The default is: -## umac-64-etm@openssh.com, -## umac-128-etm@openssh.com, -## hmac-sha2-256-etm@openssh.com, -## hmac-sha2-512-etm@openssh.com, -## umac-64@openssh.com, -## umac-128@openssh.com, -## hmac-sha2-256, -## hmac-sha2-512. +# +# umac-64-etm@openssh.com,umac-128-etm@openssh.com, +# hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +# hmac-sha1-etm@openssh.com, +# umac-64@openssh.com,umac-128@openssh.com, +# hmac-sha2-256,hmac-sha2-512,hmac-sha1 +# +# The list of available MAC algorithms may also be obtained using "ssh -Q mac". 
+# {% if (fact_sshd_macs is defined) and fact_sshd_macs %} MACs {{ fact_sshd_macs }} {% else %} -#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1 {% endif %} +# HostKeyAlgorithms +# +# Specifies the host key algorithms that the server offers. The default for this option is: +# +# ecdsa-sha2-nistp256-cert-v01@openssh.com, +# ecdsa-sha2-nistp384-cert-v01@openssh.com, +# ecdsa-sha2-nistp521-cert-v01@openssh.com, +# ssh-ed25519-cert-v01@openssh.com, +# rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +# ssh-rsa-cert-v01@openssh.com, +# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +# ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +# +# The list of available key types may also be obtained using "ssh -Q key". +{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %} +HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }} +{% endif %} + + #----------------------------- # Logging diff --git a/rolesset_permissions_samba_shares.conf.j2 b/rolesset_permissions_samba_shares.conf.j2 new file mode 100644 index 0000000..040981e --- /dev/null +++ b/rolesset_permissions_samba_shares.conf.j2 
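Review bot: The fallback line in the MACs `{% else %}` branch misspells one algorithm: `mac-sha2-256` should be `hmac-sha2-256`. As rendered the line is commented out and therefore harmless, but anyone enabling it by removing the `#` would get an sshd that refuses to start because the MAC name is unknown, so the typo should be fixed now rather than discovered during an outage. The new `HostKeyAlgorithms` block also has no `{% else %}` branch showing the commented default, unlike the KexAlgorithms, Ciphers and MACs blocks above it; adding `{% else %}` followed by a `#HostKeyAlgorithms ...` line built from the default list already given in the comment keeps the template consistent and gives operators the same copy-paste starting point.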
@@ -0,0 +1,40 @@ +# {{ ansible_managed }} + +# ------------------------------------ +# - Settings for script clean_trash.sh +# ------------------------------------ + +# - days +# - +# - Files older then 'days' will be deleted. +# - +# - Defaults to: days=31 +# - +#days=31 + +# - trash_dirs +# - +# - Directories where files older than given days will be deleted. +# - +# - Example: +# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash" +# - +#trash_dirs="" + +{%- set count = namespace(trash_dirs=0) %} + +{%- for item in samba_shares | default([]) %} +{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %} +{% set count.trash_dirs = count.trash_dirs + 1 %} +{% endif %} +{% endfor %} + +{% if count.trash_dirs > 0 %} +trash_dirs=" +{% for item in samba_shares %} +{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %} + {{ item.path }}/{{ item.recycle_path }} +{% endif %} +{% endfor %} +" +{% endif %}
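Review bot: In both loops `{{ item.recycle_path }}` is read as soon as `vfs_object_recycle` is true, so a share that enables recycling without a `recycle_path` key fails the whole template render (unless the role supplies a default elsewhere, which is not visible here); extending the guard in both places to `{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined) %}` avoids that. The rendered `trash_dirs="..."` value appears to be sourced by `clean_trash.sh`, so a share path containing a space or a double quote would silently split or break the assignment; that limitation belongs in the header comment above `#trash_dirs=""`. Two smaller points: the comment `Files older then 'days'` should read `older than`, and the `{%-` whitespace control on the `set` and first `for` lines is inconsistent with the plain `{%` used everywhere else in the template.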