Update..

group_vars/all/main.yml

@@ -722,7 +722,6 @@ sshd_listen_address:
 
 sshd_host_keys:
   - /etc/ssh/ssh_host_rsa_key
-  - /etc/ssh/ssh_host_ecdsa_key
   - /etc/ssh/ssh_host_ed25519_key
 
 # only for debian version <= 9
@@ -749,16 +748,44 @@ sshd_print_motd: !!str "no"
 #      - diffie-hellman-group-exchange-sha256
 #      - diffie-hellman-group14-sha1
 #
-sshd_kexalgorithms: {}
+#sshd_kexalgorithms: {}
+sshd_kexalgorithms:
+  - curve25519-sha256
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group16-sha512
+  - diffie-hellman-group18-sha512
+  - diffie-hellman-group-exchange-sha256
 
-# sshd_kexalgorithms
+# sshd__ciphers
 #
 # Example:
 #    sshd_ciphers:
 #      - chacha20-poly1305@openssh.com
 #      - aes256-gcm@openssh.com
 #      - aes256-ctr
-sshd_ciphers: {}
+#sshd_ciphers: {}
+sshd_ciphers:
+  - chacha20-poly1305@openssh.com
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
+
+#sshd_macs: {}
+sshd_macs:
+  - hmac-sha2-256-etm@openssh.com
+  - hmac-sha2-512-etm@openssh.com
+  - umac-128-etm@openssh.com
+
+#sshd_hostkeyalgorithms: {}
+sshd_hostkeyalgorithms:
+  - ssh-ed25519
+  - ssh-ed25519-cert-v01@openssh.com
+  - rsa-sha2-256
+  - rsa-sha2-512
+  - rsa-sha2-256-cert-v01@openssh.com
+  - rsa-sha2-512-cert-v01@openssh.com
 
 sshd_use_dns: !!str "no"
 

group_vars/all/vars.yml.sample

@@ -15,11 +15,6 @@
 # ---
 
 
-# ---
-# vars used by roles/common/tasks/sshd.yml
-# ---
-
-
 # ---
 # vars used by apt.yml
 # ---
@@ -40,6 +35,11 @@
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---

host_vars/stolpersteine.oopen.de.yml

@@ -0,0 +1,72 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+   - name: eike
+     entry: 'ALL=(www-data) NOPASSWD: ALL'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+

roles/common/tasks/sshd.yml

@@ -1,5 +1,41 @@
 ---
 
+
+# ---
+# Set some facts
+# ---
+
+- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
+  set_fact:
+    fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"
+  when:
+    - sshd_kexalgorithms is defined and sshd_kexalgorithms | length > 0
+
+- name: (sshd.yml) Set fact_sshd_ciphers (comma separated list)
+  set_fact:
+    fact_sshd_ciphers: "{{ sshd_ciphers | join (',') }}"
+  when:
+    - sshd_ciphers is defined and sshd_ciphers | length > 0
+
+- name: (sshd.yml) Set fact_sshd_macs
+  set_fact:
+    fact_sshd_macs: "{{ sshd_macs | join (',') }}"
+  when:
+    - sshd_macs is defined and sshd_macs | length > 0
+
+- name: (sshd.yml) Set fact_sshd_hostkeyalgorithms (blank separated list)
+  set_fact:
+    fact_sshd_hostkeyalgorithms: "{{ sshd_hostkeyalgorithms | join (',') }}"
+  when:
+    - sshd_hostkeyalgorithms is defined and sshd_hostkeyalgorithms | length > 0
+
+- name: (sshd.yml) Set fact_sshd_allowed_users (blank separated list)
+  set_fact:
+    fact_sshd_allowed_users: "{{ sshd_allowed_users | join (' ') }}"
+  when:
+    - sshd_allowed_users is defined and sshd_allowed_users | length > 0
+
+
 - name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
   stat:
     path: /etc/ssh/sshd_config.ORIG

roles/common/templates/etc/ssh/sshd_config.j2

@@ -52,7 +52,6 @@ HostKey {{ item }}
 # to the SSH daemon. See sshd_config(5) for specifiing the three colon 
 # separated values.
 # The default is 10.
-#MaxStartups 10:30:100
 #MaxStartups 3
 MaxStartups 10:30:100
 
@@ -202,50 +201,140 @@ UsePAM {{ sshd_use_pam }}
 # Cryptography
 #-----------------------------
 
-# Specifies the available KEX (Key Exchange) algorithms.
+# KexAlgorithms
+#
+# Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
+# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐
+# pended to the default set instead of replacing them.  If the specified value begins with a ‘-’ charac‐
+# ter, then the specified methods (including wildcards) will be removed from the default set instead of
+# replacing them.  The supported algorithms are:
+# 
+#       curve25519-sha256
+#       curve25519-sha256@libssh.org
+#       diffie-hellman-group1-sha1
+#       diffie-hellman-group14-sha1
+#       diffie-hellman-group14-sha256
+#       diffie-hellman-group16-sha512
+#       diffie-hellman-group18-sha512
+#       diffie-hellman-group-exchange-sha1
+#       diffie-hellman-group-exchange-sha256
+#       ecdh-sha2-nistp256
+#       ecdh-sha2-nistp384
+#       ecdh-sha2-nistp521
+# 
 # The default is:
-## curve25519-sha256@libssh.org,
+# 
-## ecdh-sha2-nistp256,
+#       curve25519-sha256,curve25519-sha256@libssh.org,
-## ecdh-sha2-nistp384,
+#       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-## ecdh-sha2-nistp521,
+#       diffie-hellman-group-exchange-sha256,
-## diffie-hellman-group-exchange-sha256,
+#       diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-## diffie-hellman-group14-sha1.
+#       diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+# 
+# The list of available key exchange algorithms may also be obtained using "ssh -Q kex".
+#
 {% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
 KexAlgorithms {{ fact_sshd_kexalgorithms }}
 {% else %}
-#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 {% endif %}
 
-# Specifies the ciphers allowed for protocol version 2.
+# Ciphers
+#
+# Specifies the ciphers allowed.  Multiple ciphers must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐
+# ing them.  If the specified value begins with a ‘-’ character, then the specified ciphers (including
+# wildcards) will be removed from the default set instead of replacing them.
+# 
+# The supported ciphers are:
+# 
+#       3des-cbc
+#       aes128-cbc
+#       aes192-cbc
+#       aes256-cbc
+#       aes128-ctr
+#       aes192-ctr
+#       aes256-ctr
+#       aes128-gcm@openssh.com
+#       aes256-gcm@openssh.com
+#       chacha20-poly1305@openssh.com
+# 
 # The default is:
-## aes128-ctr,
+# 
-## aes192-ctr,
+#       chacha20-poly1305@openssh.com,
-## aes256-ctr,
+#       aes128-ctr,aes192-ctr,aes256-ctr,
-## aes128-gcm@openssh.com,
+#       aes128-gcm@openssh.com,aes256-gcm@openssh.com
-## aes256-gcm@openssh.com,
+# 
-## chacha20-poly1305@openssh.com.
+# The list of available ciphers may also be obtained using "ssh -Q cipher".
+# 
 {% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
 Ciphers {{ fact_sshd_ciphers }}
 {% else %}
 #Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 {% endif %}
 
-# Specifies the available MAC (message authentication code) algorithms.
+# MACs
+#
+# Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used for
+# data integrity protection.  Multiple algorithms must be comma-separated.  If the specified value begins
+# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐
+# placing them.  If the specified value begins with a ‘-’ character, then the specified algorithms (in‐
+# cluding wildcards) will be removed from the default set instead of replacing them.
+# 
+# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac).  These are
+# considered safer and their use recommended.  The supported MACs are:
+# 
+#       hmac-md5
+#       hmac-md5-96
+#       hmac-sha1
+#       hmac-sha1-96
+#       hmac-sha2-256
+#       hmac-sha2-512
+#       umac-64@openssh.com
+#       umac-128@openssh.com
+#       hmac-md5-etm@openssh.com
+#       hmac-md5-96-etm@openssh.com
+#       hmac-sha1-etm@openssh.com
+#       hmac-sha1-96-etm@openssh.com
+#       hmac-sha2-256-etm@openssh.com
+#       hmac-sha2-512-etm@openssh.com
+#       umac-64-etm@openssh.com
+#       umac-128-etm@openssh.com
+# 
 # The default is:
-## umac-64-etm@openssh.com,
+# 
-## umac-128-etm@openssh.com,
+#       umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-## hmac-sha2-256-etm@openssh.com,
+#       hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-## hmac-sha2-512-etm@openssh.com,
+#       hmac-sha1-etm@openssh.com,
-## umac-64@openssh.com,
+#       umac-64@openssh.com,umac-128@openssh.com,
-## umac-128@openssh.com,
+#       hmac-sha2-256,hmac-sha2-512,hmac-sha1
-## hmac-sha2-256,
+# 
-## hmac-sha2-512.
+# The list of available MAC algorithms may also be obtained using "ssh -Q mac".
+# 
 {% if (fact_sshd_macs is defined) and fact_sshd_macs %}
 MACs {{ fact_sshd_macs }}
 {% else %}
-#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,mac-sha2-256,hmac-sha2-512,hmac-sha1
 {% endif %}
 
+# HostKeyAlgorithms
+#
+# Specifies the host key algorithms that the server offers.  The default for this option is:
+# 
+#    ecdsa-sha2-nistp256-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp384-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp521-cert-v01@openssh.com,
+#    ssh-ed25519-cert-v01@openssh.com,
+#    rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+#    ssh-rsa-cert-v01@openssh.com,
+#    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+#    ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+# 
+# The list of available key types may also be obtained using "ssh -Q key".
+{% if (fact_sshd_hostkeyalgorithms is defined) and fact_sshd_hostkeyalgorithms %}
+HostKeyAlgorithms {{ fact_sshd_hostkeyalgorithms }}
+{% endif %}
+
+
 
 #-----------------------------
 # Logging

rolesset_permissions_samba_shares.conf.j2

@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+# ------------------------------------
+# - Settings for script clean_trash.sh
+# ------------------------------------
+
+# - days
+# -
+# - Files older then 'days' will be deleted.
+# -
+# - Defaults to: days=31
+# -
+#days=31
+
+# - trash_dirs
+# -
+# - Directories where files older than given days will be deleted.
+# -
+# - Example:
+# -    trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
+# -
+#trash_dirs=""
+
+{%- set count = namespace(trash_dirs=0) %}
+
+{%- for item in samba_shares | default([]) %}
+{%    if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{%       set count.trash_dirs = count.trash_dirs + 1 %}
+{%    endif %}
+{% endfor %}
+
+{% if count.trash_dirs > 0 %}
+trash_dirs="
+{%    for item in samba_shares %}
+{%       if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+   {{ item.path }}/{{ item.recycle_path }}
+{%       endif %}
+{%    endfor %}
+"
+{% endif %}