From 3699bcc0e1cafddac03386ad45b414726b3c8c1d Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 28 Feb 2022 16:15:45 +0100
Subject: [PATCH] update..

---
 group_vars/all/main.yml | 4 +
 host_vars/file-blkr.blkr.netz.yml | 8 +
 host_vars/o18.oopen.de.yml | 199 +++++++++++++++++++
 host_vars/zapata.opp.netz.yml | 18 +-
 hosts | 4 +
 roles/common/tasks/samba-user.yml | 19 ++
 roles/common/templates/etc/samba/smb.conf.j2 | 16 ++
 7 files changed, 261 insertions(+), 7 deletions(-)
 create mode 100644 host_vars/o18.oopen.de.yml

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 672faf7..59a518d 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1662,6 +1662,10 @@ samba_workgroup: {}
 # samba_netbios_name: {}
+# samba_server_min_protocol
+#
+samba_server_min_protocol: {}
+
 samba_groups: []
 # samba_user:
diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml
index 465ca22..b145d32 100644
--- a/host_vars/file-blkr.blkr.netz.yml
+++ b/host_vars/file-blkr.blkr.netz.yml
@@ -69,6 +69,12 @@ network_interfaces:
 # vars used by roles/common/tasks/sshd.yml
 # ---
+sshd_macs:
+  - hmac-sha1
+  - hmac-sha2-256-etm@openssh.com
+  - hmac-sha2-512-etm@openssh.com
+  - umac-128-etm@openssh.com
+
 # ---
 # vars used by roles/common/tasks/apt.yml
@@ -163,6 +169,8 @@ samba_workgroup: BLKR
 samba_netbios_name: FILE-BLKR
+samba_server_min_protocol: !!str NT1
+
 samba_groups:
   - name: buero
     group_id: 1100
diff --git a/host_vars/o18.oopen.de.yml b/host_vars/o18.oopen.de.yml
new file mode 100644
index 0000000..c7515ba
--- /dev/null
+++ b/host_vars/o18.oopen.de.yml
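Review bot: The new `samba_server_min_protocol` default in group_vars/all/main.yml is documented only by repeating its own name, although the value it carries loosens the lowest SMB dialect the server will accept; the comment should say what an empty value means and what setting it implies, e.g. `# samba_server_min_protocol: lowest SMB dialect the server accepts; empty keeps` / `# Samba's default (SMB2_02), NT1 re-enables SMB1 for legacy-only clients`. The `{}` default is a mapping rather than a string, which the smb.conf.j2 guard tolerates because `|length` works on both, but it means the intended "unset" type is not what the variable ever holds; an empty string `''` would state the contract precisely, at the cost of breaking the `{}` convention shared with `samba_netbios_name`.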
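Review bot: `hmac-sha1` in the new `sshd_macs` list in host_vars/file-blkr.blkr.netz.yml is the only non-ETM entry and the weakest of the four MACs; if a specific client needs it, a comment naming that client would stop the next reviewer from quietly widening the list further, e.g. `# hmac-sha1 kept for <client> — TODO drop once it supports a sha2 MAC`, and otherwise it should simply be removed. Whether this list takes effect depends on roles/common/tasks/sshd.yml consuming `sshd_macs`, which is outside this diff.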
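Review bot: `samba_server_min_protocol: !!str NT1` lowers the server's minimum dialect to SMB1 for the whole host, which the template's own comment in this commit describes as warranted only for SMB1-only legacy clients; the same line is added in host_vars/zapata.opp.netz.yml. A comment recording which clients require it and when it can be withdrawn, e.g. `# NT1 (SMB1) needed by <legacy device> — review on <date>`, keeps the exception from becoming permanent. The `!!str` tag is harmless since `NT1` already parses as a string, but plain quoting `'NT1'` is the more conventional form.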
@@ -0,0 +1,199 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+  - resolvconf
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device eth0
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    hwaddress: 90:1b:0e:8d:9b:ed
+    description:
+    address: 138.201.17.150
+    netmask: 26
+    gateway: 138.201.17.129
+
+    # optional dns settings nameservers: []
+    #
+    # nameservers:
+    #   - 194.150.168.168 # dns.as250.net
+    #   - 91.239.100.100 # anycast.censurfridns.dk
+    # search: warenform.de
+    #
+    nameservers:
+      - 195.201.179.131
+      - 95.217.204.204
+    search:
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: eth0 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    # inline hook scripts
+    pre-up: [] # pre-up script lines
+    up:
+      - !!str "route add -net 138.201.17.128 netmask 255.255.255.192 gw 138.201.17.129 br0" # up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+
+
+  - device: br0
+    family: inet6
+    method: static
+    address: '2a01:4f8:171:2895::2'
+    netmask: 64
+    gateway: 'fe80::1'
+
+    up:
+      - !!str "ip -6 route add 2a01:4f8:171:2895::195/128 dev br0"
+      - !!str "ip -6 route add 2a01:4f8:171:2895::196/128 dev br0"
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+  - 22
+  - 1036
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml
index 48db083..af47d43 100644
--- a/host_vars/zapata.opp.netz.yml
+++ b/host_vars/zapata.opp.netz.yml
@@ -163,6 +163,8 @@ samba_workgroup: OPP
 samba_netbios_name: ZAPATA
+samba_server_min_protocol: !!str NT1
+
 samba_groups:
   - name: buero
     group_id: 1100
@@ -181,6 +183,12 @@ samba_user:
       - verwaltung
     password: '20_opp6_15!'
+  - name: anastasia
+    groups:
+      - buero
+      - beratung
+    password: '20anastas1a*22'
+
   - name: andi
     groups:
       - buero
@@ -240,12 +248,6 @@ samba_user:
       - beratung
     password: '20_elisabeth_18!'
-  - name: evren
-    groups:
-      - buero
-      - beratung
-    password: '3v*ren_2020'
-
   - name: gudrun
     groups:
       - buero
@@ -403,7 +405,9 @@ base_home: /home
 # - name: name1
 # - name: name2
 #
-remove_samba_users: []
+#remove_samba_users: []
+remove_samba_users:
+  - name: evren
 samba_shares:
diff --git a/hosts b/hosts
index bdbb530..0358c29 100644
--- a/hosts
+++ b/hosts
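Review bot: In the new host_vars/o18.oopen.de.yml, `network_manage_devices: True` and `network_interface_reload: False` use capitalised booleans, and `description:` and `search:` are bare keys that load as `null` rather than as an empty string or list; write `true`/`false` and give the two empty keys an explicit `''` / `[]` (or drop them) so the consuming role sees the intended type. The file also commits sha512-crypt password hashes for the `default_user` accounts and for `root_user`; such hashes are crackable offline if the repository is ever exposed, so they belong in an ansible-vault encrypted file or as `!vault` values rather than in plain host_vars. `stp: !!str off` is the right call, since a bare `off` would load as a boolean.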
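Review bot: The new `anastasia` entry in host_vars/zapata.opp.netz.yml adds a Samba password in clear text (`password: '20anastas1a*22'`), and the samba-user.yml task added in this same commit turns that value into the account's system login password as well. Even though the surrounding entries already use this form, a newly added secret should go in as an `!vault` value (or the whole `samba_user` list should move to an ansible-vault file) so it is not readable from the repository history.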
@@ -122,6 +122,8 @@ o17.oopen.de
 test.mx.oopen.de
 meet2.oopen.de
+o18.oopen.de
+
 o20.oopen.de
 o21.oopen.de
@@ -316,6 +318,8 @@ test.mx.oopen.de
 test.mariadb.oopen.de
 meet2.oopen.de
+o18.oopen.de
+
 # - o20.oopen.de (srv-cityslang.cityslang.com)
 o20.oopen.de
diff --git a/roles/common/tasks/samba-user.yml b/roles/common/tasks/samba-user.yml
index 1e310a3..31545c1 100644
--- a/roles/common/tasks/samba-user.yml
+++ b/roles/common/tasks/samba-user.yml
@@ -48,6 +48,25 @@
     - samba-user
     - system-user
+- name: (samba_user.yml) Ensure samba users exists with given group membership
+  user:
+    name: '{{ item.name }}'
+    state: present
+    uid: '{{ item.user_id | default(omit) }}'
+    #group: '{{ item.0.name | default(omit) }}'
+    groups: "{{ item.groups|join(', ') }}"
+    password: "{{ item.password | password_hash('sha512') }}"
+    update_password: on_create
+    append: yes
+  loop: "{{ samba_user }}"
+  loop_control:
+    label: '{{ item.name }}'
+  tags:
+    - samba-server
+    - samba-user
+    - system-user
+
+
 - name: (samba-user.yml) Check if samba user exists
   shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2
index 5cc82ae..595989b 100644
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
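Review bot: In the new roles/common/tasks/samba-user.yml task, `groups: "{{ item.groups|join(', ') }}"` raises an undefined-variable error for any `samba_user` entry without a `groups` key, while `uid` on the line above is already tolerant via `default(omit)`; `groups: "{{ item.groups | default([]) | join(', ') }}"` gives the same leniency. The task label reads `(samba_user.yml)` where the sibling task in this hunk uses `(samba-user.yml)`, `append: yes` should be `append: true`, and the commented `#group: '{{ item.0.name | default(omit) }}'` refers to an `item.0` shape this loop never produces, so it should be deleted rather than left as guidance. `password_hash('sha512')` with no fixed salt produces a different hash on every run, which is harmless only because `update_password: on_create` is set; that dependency deserves a comment on the `password:` line. Since the task gives each Samba user a real system account carrying the same password, consider pinning `shell: /usr/sbin/nologin` unless interactive login is intended; the enclosing play and the `samba_user` schema lie outside the hunk.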
@@ -44,6 +44,22 @@
    ; netbios name = FILE
    netbios name = {{ samba_netbios_name|default('FILE') }}
+{% if samba_server_min_protocol is defined and samba_server_min_protocol|length > 0 %}
+
+# This setting controls the minimum protocol version that the server will allow
+# the client to use. Normally this option should not be set as the automatic
+# negotiation phase in the SMB protocol takes care of choosing the appropriate
+# protocol unless you have legacy clients which are SMB1 capable only.
+#
+# See Related command: server max protocol for a full list of available protocols.
+#
+# Default: server min protocol = SMB2_02
+#
+# Example: server min protocol = NT1
+#
+   server min protocol = {{ samba_server_min_protocol }}
+
+{% endif %}
 #### Networking ####
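Review bot: The rendered comment block explains what `server min protocol` does but not that the line is Ansible-managed, so an operator editing smb.conf on the host has no pointer back to the variable; prefix the block with `# managed by ansible: set via samba_server_min_protocol in host_vars`. The block also uses `#` comments while the surrounding template uses `;` (`; netbios name = FILE`); smb.conf accepts both, but one style per file reads better. Because the group default is the mapping `{}`, the guard only works because `|length` is valid for both a dict and a string; `{% if samba_server_min_protocol is string and samba_server_min_protocol|length > 0 %}` would state the expected type explicitly.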