From 526f7e919a6db135b7531e24de874a33ab235473 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 19 Feb 2022 02:20:05 +0100 Subject: [PATCH] update.. --- group_vars/all/main.yml | 84 ++++ host_vars/file-ah.kanzlei-kiel.netz.yml | 406 +++++++++++++++++ host_vars/o17.oopen.de.yml | 210 ++++++++- hosts | 15 + roles/common/files/etc/samba/users.map | 18 + roles/common/handlers/main.yml | 18 + roles/common/tasks/apt.yml | 9 + roles/common/tasks/cron.yml | 6 +- roles/common/tasks/main.yml | 34 ++ roles/common/tasks/samba-config-server.yml | 181 ++++++++ roles/common/tasks/samba-remove-user.yml | 58 +++ roles/common/tasks/samba-user.yml | 75 ++++ roles/common/templates/etc/samba/smb.conf.j2 | 420 ++++++++++++++++++ .../bin/samba/conf/clean_samba_trash.conf.j2 | 44 ++ .../conf/set_permissions_samba_shares.conf.j2 | 33 ++ 15 files changed, 1607 insertions(+), 4 deletions(-) create mode 100644 host_vars/file-ah.kanzlei-kiel.netz.yml create mode 100644 roles/common/files/etc/samba/users.map create mode 100644 roles/common/tasks/samba-config-server.yml create mode 100644 roles/common/tasks/samba-remove-user.yml create mode 100644 roles/common/tasks/samba-user.yml create mode 100644 roles/common/templates/etc/samba/smb.conf.j2 create mode 100644 roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 create mode 100644 roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 712b330..c9f745e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -1640,6 +1640,90 @@ roundcube_2_support_url: roundcube_2_skin_logo: +# ========== +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# ========== + +apt_install_server_samba: + - samba + - nscd + +# samba_workgroup +# +# example: +# samba_workgroup: MBR +# +samba_workgroup: {} + +# samba_netbios_name +# +# example: +# samba_netbios_name: FILE-MBR +# +samba_netbios_name: {} + +samba_groups: [] + +# samba_user: +# - name: chris +# groups: +# - group1 +# - group2 +# password: 'H-.T/TvN5S9J' +# +samba_user: [] + +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +# samba_shares +# +# samba_shares: +# - name: Arbeitsrechtliches +# comment: +# path: /data/shares/Arbeitsrechtliches +# browseable: !!str yes +# read_only: !!str no +# writeable: !!str yes +# guest_ok: !!str no +# file_create_mask: !!str 0660 +# dir_create_mask: !!str 2770 +# valid_users: '%S' +# group_valid_users: mbr-finanzen +# group_write_list: mbr-finanzen +# vfs_object_recycle: true +# recycle_path: '@Recycle.Bin' +# +samba_shares: [] + +samba_cronjob_trash_dirs: + name: Clean up Samba Trash Dirs + minute: "02" + hour: "23" + day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/clean_samba_trash.sh" + +samba_cronjob_permissions: + name: Set (group and access) Permissons for Samba shares + minute: "14" + hour: "23" + day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/set_permissions_samba_shares.sh" + + + # ============================== diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml new file mode 100644 index 0000000..2bd872a --- /dev/null +++ b/host_vars/file-ah.kanzlei-kiel.netz.yml 
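Review bot: `samba_workgroup: {}` and `samba_netbios_name: {}` are defined (non-empty-string) values, so the `|default('WORKGROUP')` and `|default('FILE')` filters in the new smb.conf.j2 never fire and a samba_server host without a host_vars override would render `workgroup = {}`. Use `samba_workgroup: ''` and `samba_netbios_name: ''` here (or `default('WORKGROUP', true)` in the template) so the fallback actually applies. The documented `samba_user` example shows a cleartext `password: 'H-.T/TvN5S9J'`; pointing the example at the `!vault |` form the host_vars already use keeps operators from copying the cleartext pattern. The share-mask examples use `!!str 0660` while the host_vars use unquoted `664` — both reach Samba as strings, but stating one convention in this block avoids the octal/decimal trap for masks with a leading zero.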
@@ -0,0 +1,406 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp33s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: 0c:c4:7a:ea:dd:56 + description: + address: 192.168.100.10 + netmask: 24 + gateway: 192.168.100.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.100.1 + search: kanzlei-kiel.netz + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp33s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # inline hook scripts + pre-up: + - !!str "ip link set dev enp33s0 up" # pre-up script lines + up: [] #up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by 
roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_workgroup: AH + +samba_netbios_name: FILE-AH + +samba_groups: + - name: verwaltung + group_id: 120 + - name: intern + group_id: 121 + - name: hoffmann-elberling + group_id: 122 + - name: gubitz-partner + group_id: 123 + +samba_user: + - name: buero + groups: + - verwaltung + - intern + password: 
'buero2011' + - name: axel + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'ah-kiel.2018' + - name: bjoern + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'bjoern2011' + - name: gubitz + groups: + - intern + - verwaltung + - gubitz-partner + password: '20gubitz12' + - name: schaar + groups: + - intern + - verwaltung + - gubitz-partner + password: '20schaar12' + - name: molkentin + groups: + - intern + - verwaltung + - gubitz-partner + password: 20molkentin12 + - name: buerooben + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'buero2013' + - name: back + groups: [] + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + - name: buchholz + groups: + - buero + - intern + - verwaltung + password: + - name: schmidt + groups: + - intern + - verwaltung + - gubitz-partner + password: '20-schmidt_21%' + - name: kiel-nb1 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: '20-note%book1-20' + - name: kiel-nb2 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: '20-note%book2-20' + - name: chris + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + +base_home: /home + +# 
remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +samba_shares: + + - name: Buero + path: /data/samba/shares/Buero + group_valid_users: intern + group_write_list: intern + file_create_mask: 664 + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Verwaltung + path: /data/samba/shares/Verwaltung + group_valid_users: verwaltung + group_write_list: verwaltung + file_create_mask: 660 + dir_create_mask: 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Scans_schnell + path: /data/samba/shares/Scans_schnell + group_valid_users: intern + group_write_list: intern + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Hoffmann-Elberling + path: /data/samba/shares/Hoffmann-Elberling + group_valid_users: hoffmann-elberling + group_write_list: hoffmann-elberling + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Gubitz-Partner + path: /data/samba/shares/Gubitz-Partner + group_valid_users: gubitz-partner + group_write_list: gubitz-partner + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Gubitz-Backup + path: /data/samba/non-backup-shares/Gubitz-Backup + group_valid_users: gubitz + group_write_list: gubitz + file_create_mask: 660 + dir_create_mask: 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + # --- + # - This share will be written by Windows Server 2016 configured at + # - "Windows Zubehör" -> "Windows Server-Sicherung" + # --- + - name: WinServer2016-Backup + comment: WinServer2016-Backup on Fileserver + path: /data/samba/shares/WinServer2016-Backup + group_valid_users: {} + group_write_list: {} + file_create_mask: 664 + dir_create_mask: 2775 + guest_ok: !!str yes + vfs_object_recycle: false + + # --- + # - This share will be written by windows schedulescript 'backup-advoware.bat' 
+ # --- + - name: Advoware-Backup + comment: Advoware-Backup (only read) on Fileserver + path: /data/samba/shares/Advoware-Backup + group_valid_users: back + group_write_list: back + file_create_mask: 664 + dir_create_mask: 2775 + guest_ok: !!str yes + vfs_object_recycle: false + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index 25c1955..c58eac7 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml @@ -193,7 +193,6 @@ default_user: sudo_users: - chris - - o13-pad - sysadm - localadmin 
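Review bot: Most `samba_user` entries in this new host_vars file carry cleartext credentials (`password: 'buero2011'`, `'20gubitz12'`, …) while `back` and `chris` already use `!vault |`; every password here should be vaulted (or read from a lookup) before the file lands in the repository, and the same applies to the copy of this block in host_vars/o17.oopen.de.yml. `buchholz` has an empty `password:` (YAML null), which samba-user.yml hands to `add_new_user.sh` and `smbpasswd` as an empty string or the literal `None` instead of failing early. The vault blobs for `back` and `chris` are byte-identical, which (vault salts each encryption) suggests a copy-paste that gives both accounts the same secret — worth confirming. The `WinServer2016-Backup` share combines `guest_ok: !!str yes` with empty `group_valid_users`/`group_write_list` and a 664/2775 mask, so unless the share template (not visible here) forces read-only it is a backup target writable by any guest on the allowed networks; a dedicated account as on `Advoware-Backup` (`group_valid_users: back`) is the safer default.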
@@ -229,6 +228,215 @@ git_firewall_repository: repo: https://git.oopen.de/firewall/ipt-server dest: /usr/local/src/ipt-server + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_workgroup: AH + +samba_netbios_name: FILE-AH + +samba_groups: + - name: verwaltung + group_id: 1200 + - name: intern + group_id: 1210 + - name: hoffmann-elberling + group_id: 1220 + - name: gubitz-partner + group_id: 1230 + +samba_user: + - name: buero + groups: + - verwaltung + - intern + password: 'buero2011' + - name: axel + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'ah-kiel.2018' + - name: bjoern + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'bjoern2011' + - name: gubitz + groups: + - intern + - verwaltung + - gubitz-partner + password: '20gubitz12' + - name: schaar + groups: + - intern + - verwaltung + - gubitz-partner + password: '20schaar12' + - name: molkentin + groups: + - intern + - verwaltung + - gubitz-partner + password: 20molkentin12 + - name: buerooben + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'buero2013' + - name: back + groups: [] + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + - name: buchholz + groups: + - buero + - intern + - verwaltung + password: + - name: schmidt + groups: + - intern + - verwaltung + - gubitz-partner + password: '20-schmidt_21%' + - name: kiel-nb1 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: '20-note%book1-20' + - name: kiel-nb2 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - 
hoffmann-elberling + password: '20-note%book2-20' + - name: chris + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +samba_shares: + - name: profiles-RDP + comment: Users profiles RDP + path: /data/samba/profiles-RDP + guest_ok: !!str no + browseable: !!str no + valid_users: '%S' + file_create_mask: '600' + dir_create_mask: '700' + + - name: Buero + path: /data/samba/shares/Buero + group_valid_users: intern + group_write_list: intern + file_create_mask: 664 + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: recycle + + - name: Verwaltung + path: /data/samba/shares/Verwaltung + group_valid_users: verwaltung + group_write_list: verwaltung + file_create_mask: 660 + dir_create_mask: 2770 + vfs_object_recycle: true + recycle_path: recycle + + - name: Scans_schnell + path: /data/samba/shares/Scans_schnell + group_valid_users: intern + group_write_list: intern + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: recycle + + - name: Hoffmann-Elberling + path: /data/samba/shares/Hoffmann-Elberling + group_valid_users: hoffmann-elberling + group_write_list: hoffmann-elberling + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + recycle_path: recycle + + - name: Gubitz-Partner + path: /data/samba/shares/Gubitz-Partner + group_valid_users: gubitz-partner + group_write_list: gubitz-partner + file_create_mask: '664' + dir_create_mask: 2775 + vfs_object_recycle: true + 
recycle_path: recycle + + - name: Gubitz-Backup + path: /data/samba/shares/Gubitz-Backup + group_valid_users: gubitz + group_write_list: gubitz + file_create_mask: 660 + dir_create_mask: 2770 + vfs_object_recycle: true + recycle_path: recycle + + - name: WinServer2016-Backup + comment: WinServer2016-Backup on Fileserver + path: /data/samba/shares/WinServer2016-Backup + group_valid_users: {} + group_write_list: {} + file_create_mask: 664 + dir_create_mask: 2775 + guest_ok: !!str yes + vfs_object_recycle: true + recycle_path: {} + + - name: Advoware-Backup + comment: Advoware-Backup (only read) on Fileserver + path: /data/samba/shares/Advoware-Backup + group_valid_users: back + group_write_list: back + file_create_mask: 664 + dir_create_mask: 2775 + guest_ok: !!str yes + vfs_object_recycle: true + + + # ============================== diff --git a/hosts b/hosts index 2620067..350a919 100644 --- a/hosts +++ b/hosts @@ -26,6 +26,7 @@ devel-root.wf.netz gw-123.oopen.de gw-ah.oopen.de +gw-ak.oopen.de gw-ebs.oopen.de gw-akb.akb.netz gw-ckubu.local.netz @@ -42,6 +43,7 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-km.anw-km.netz gw-replacement.local.netz gw-replacement2.local.netz @@ -200,6 +202,7 @@ lxc-host-kb.anw-kb.netz gw-123.oopen.de gw-ah.oopen.de +gw-ak.oopen.de gw-ebs.oopen.de gw-akb.akb.netz gw-b3.oopen.de @@ -217,6 +220,7 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-km.anw-km.netz gw-ckubu.local.netz @@ -402,9 +406,13 @@ lxc-host-kb.anw-kb.netz gw-ckubu.local.netz gw-akb.akb.netz +# - AK +gw-ak.oopen.de + # - Kanzlei Kiel gw-ah.oopen.de file-ah.kanzlei-kiel.netz +file-km.anw-km.netz # - Kanzlei EBS Leipzig gw-ebs.oopen.de @@ -656,6 +664,7 @@ cl-test.oopen.de # --- file-ah.kanzlei-kiel.netz +file-km.anw-km.netz [ftp_server] @@ -1058,6 +1067,8 @@ backup.warenform.de [samba_server] +o17.oopen.de + # --- # Warenform # --- 
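Review bot: `samba_netbios_name: FILE-AH` and `samba_workgroup: AH` are now set on o17.oopen.de as well as on file-ah.kanzlei-kiel.netz; if the two hosts ever share a broadcast domain the duplicated NetBIOS name produces a name conflict, and in any case the name should identify this host — confirm the intent. The `WinServer2016-Backup` share sets `vfs_object_recycle: true` but `recycle_path: {}`; an empty mapping is a defined value, so unless the share template guards it the rendered recycle setting carries `{}` — use a real path or drop the recycle keys as the file-ah variant does. The cleartext-password point raised on host_vars/file-ah.kanzlei-kiel.netz.yml applies to this block verbatim.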
@@ -1068,6 +1079,7 @@ anita.wf.netz # --- bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-km.anw-km.netz [mumble_server] @@ -1149,6 +1161,7 @@ lxc-host-kb.anw-kb.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-km.anw-km.netz # - GA - Gemeinschaft Altensclirf ga-st-lxc1.ga.netz @@ -1277,6 +1290,7 @@ cl-test.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-km.anw-km.netz # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz @@ -1486,6 +1500,7 @@ gw-replacement2.local.netz [gateway_server_rw] gw-ah.oopen.de +gw-ak.oopen.de gw-b3.oopen.de gw-d11.oopen.de gw-ebs.oopen.de diff --git a/roles/common/files/etc/samba/users.map b/roles/common/files/etc/samba/users.map new file mode 100644 index 0000000..60ce62e --- /dev/null +++ b/roles/common/files/etc/samba/users.map @@ -0,0 +1,18 @@ +# ############################################ # +# -------------------------- # +# ** DO NOT EDIT DIRECTLY ** # +# -------------------------- # +# Ansible managed file # +# ############################################ # + +# This file allows you to map usernames from the clients to the server. +# Unix_name = SMB_name1 SMB_name2 ... +# +# See section 'username map' in the manual page of smb.conf for more +# information. +# +# This file is _not_ included in the default configuration as it makes the +# usage of an user named administrator impossible. + +root = admin administrator + diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index dae36cb..3c072c8 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -30,3 +30,21 @@ name: bind9 state: reloaded enabled: yes + + +- name: Restart smbd + service: + name: smbd + daemon_reload: yes + state: restarted + +- name: Restart nmbd + service: + name: nmbd + daemon_reload: yes + state: restarted + +- name: Reload samba config + shell: smbcontrol all reload-config + when: + - inventory_hostname in groups['samba_server'] 
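Review bot: `file-km.anw-km.netz` is added to what appears to be the `[samba_server]` group (this hunk sits between the `[samba_server]` header extended at -1058 and `[mumble_server]`), but the commit adds no host_vars for it, so it inherits the empty group_vars defaults: the apt task installs samba and the users.map copy (`root = admin administrator`) is deployed, while the smb.conf template is skipped for lack of `samba_user`/`samba_shares`. Either add host_vars/file-km.anw-km.netz.yml in the same change or hold the group membership until the host is actually configured.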
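Review bot: `root = admin administrator` maps the SMB names `admin` and `administrator` onto the Unix root account, and samba-config-server.yml copies this file to /etc/samba/users.map on every samba_server host; whether it is active depends on a `username map` setting in smb.conf.j2 that lies outside the visible part of the template. If it is enabled, a successful logon as `administrator` becomes root for file access on every share and failed attempts are aimed at root's Samba password; mapping those names to a dedicated non-root account, or not shipping the map on hosts that do not need it, limits the blast radius. The file's own comment states it is not part of the default configuration — update that sentence or make the deployment conditional so the two agree.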
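Review bot: The new `Reload samba config` handler is never notified — the smb.conf and users.map tasks in samba-config-server.yml notify `Restart smbd`/`Restart nmbd`, which drop every open SMB session on each config change, whereas `smbcontrol all reload-config` applies a new smb.conf without disconnecting clients; notify the reload handler from the template task and keep the restarts for package or binding changes. `daemon_reload: yes` is an option of the `systemd` module rather than `service`; it works here only when `service` resolves to `systemd` underneath, so writing `systemd:` makes that dependency explicit. The reload handler uses no shell features, so `command: smbcontrol all reload-config` suffices.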
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index d88336d..5c707e4 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml @@ -226,6 +226,15 @@ tags: - apt-webserver-pkgs +- name: (apt.yml) Install samba related packages + package: + pkg: '{{ apt_install_server_samba }}' + state: present + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + - name: (apt.yml) Install extra packages apt: name: "{{ apt_extra_pkgs }}" diff --git a/roles/common/tasks/cron.yml b/roles/common/tasks/cron.yml index 35a46f2..2c9d1d5 100644 --- a/roles/common/tasks/cron.yml +++ b/roles/common/tasks/cron.yml @@ -4,7 +4,7 @@ cron: name: '{{ item.name }}' env: 'yes' - user: '{{ item.user | default(omit) }}' + user: '{{ item.user | default("root", true) }}' job: '{{ item.job }}' insertafter: '{{ item.insertafter | default(omit) }}' loop: "{{ cron_env_entries }}" @@ -19,7 +19,7 @@ cron: name: '{{ item.name }}' special_time: '{{ item.special_time }}' - user: '{{ item.user | default(omit) }}' + user: '{{ item.user | default("root", true) }}' job: '{{ item.job }}' state: present loop: "{{ cron_user_special_time_entries }}" @@ -34,7 +34,7 @@ cron: name: '{{ item.name }}' minute: '{{ item.minute | default(omit) }}' - hour: '{{ item.hour | default(omit) }}' + hour: '{{ item.hour | default("root", true) }}' day: '{{ day | default(omit) }}' weekday: '{{ item.weekday | default(omit) }}' month: '{{ item.month | default(omit) }}' diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 623e0d6..5d2379d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
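Review bot: `when: "groups['samba_server']|string is search(inventory_hostname)"` tests whether the hostname occurs as a regex inside the stringified group list, so a host whose name is a substring of a member (or matches one through the unescaped dots) is treated as a Samba server; the same pattern is repeated throughout samba-config-server.yml, while main.yml uses the exact-membership form. Replace it everywhere with `when: inventory_hostname in groups['samba_server']`. The task uses `package:` with the apt-specific `pkg:` key; `name:` is the parameter the `package` module documents and matches the neighbouring apt task.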
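Review bot: In the third hunk of cron.yml the new line `hour: '{{ item.hour | default("root", true) }}'` defaults the hour field to the string `root` — a copy of the `user` edit from the two hunks above — so any item without `hour` gets an invalid crontab time field. It should be `hour: '{{ item.hour | default("*", true) }}'` (or keep `default(omit)`). The context line `day: '{{ day | default(omit) }}'` next to it references a bare `day` instead of `item.day`; that predates this commit but means a per-item `day` is silently ignored, and the enclosing task starts and ends outside the hunk.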
@@ -148,6 +148,40 @@ tags: - config-files-mailsystem +# tags supported inside samba-user.yml: +# +# samba-server +# samba-user +# system-user +# +- import_tasks: samba-user.yml + when: inventory_hostname in groups['samba_server'] + tags: + - samba-server + +# tags supported inside samba-config-server.yml: +# +# samba-server +# samba-shares +# samba-server +# samba-cron +# +- import_tasks: samba-config-server.yml + when: inventory_hostname in groups['samba_server'] + tags: + - samba-server + +# tags supported inside samba-remove-user.yml: +# +# samba-server +# samba-user +# system-user +# +- import_tasks: samba-remove-user.yml + when: inventory_hostname in groups['samba_server'] + tags: + - samba-server + # tags supportetd inside caching-nameserver.yml # # apt-caching-nameserver diff --git a/roles/common/tasks/samba-config-server.yml b/roles/common/tasks/samba-config-server.yml new file mode 100644 index 0000000..0fa32a3 --- /dev/null +++ b/roles/common/tasks/samba-config-server.yml 
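Review bot: The tag comments above the three new `import_tasks` do not match the files they describe: the samba-config-server.yml block lists `samba-server` twice, the samba-remove-user.yml block claims `samba-server` although that file only tags `system-user` and `samba-user`, and the samba-user.yml block omits the `samba-group`/`system-group` tags it actually carries. Suggested comment lines: for samba-config-server.yml `# samba-server`, `# samba-shares`, `# samba-cron`; for samba-remove-user.yml `# samba-user`, `# system-user` (its `samba-server` tag comes only from the import); for samba-user.yml add `# samba-group` and `# system-group`.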
@@ -0,0 +1,181 @@ +--- + +# --- +# Samba Server +# --- + +- name: (samba-config-server.yml) Ensure samba share directories exists + file: + path: "{{ item.path }}" + owner: "root" + group: "{{ item.group_write_list | default('root', true) }}" + mode: '2770' + state: directory + recurse: yes + with_items: "{{ samba_shares }}" + loop_control: + label: '{{ item.name }}' + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-shares + + +# --- +# /etc/samba/smb.conf +# --- + +- name: (samba-config-server.yml) Check if file '/etc/samba/smb.conf.ORIG exists' + stat: + path: /etc/samba/smb.conf.ORIG + register: smb_conf_exists + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + +- name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf + command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - smb_conf_exists.stat.exists == False + tags: + - samba-server + + +- name: (samba-config-server.yml) /etc/samba/smb.conf + template: + dest: /etc/samba/smb.conf + src: etc/samba/smb.conf.j2 + owner: root + group: root + mode: 0644 + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - samba_user is defined and samba_user|length > 0 + - samba_shares is defined and samba_shares|length > 0 + notify: + - Restart smbd + - Restart nmbd + tags: + - samba-server + + +- name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists + copy: + src: "{{ role_path + '/files/etc/samba/users.map' }}" + dest: /etc/samba/users.map + owner: root + group: root + mode: 0644 + when: + - "groups['samba_server']|string is search(inventory_hostname)" + notify: + - Restart smbd + - Restart nmbd + tags: + - samba-server + + +# --- +# Cronjob for cleaning up samba trash dirs +# --- + +- name: (samba-config-server.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists + stat: + path: 
/root/bin/samba/clean_samba_trash.sh + register: clean_samba_trash_exists + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + - samba-cron + +- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh' + template: + dest: /root/bin/samba/conf/clean_samba_trash.conf + src: root/bin/samba/conf/clean_samba_trash.conf.j2 + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - clean_samba_trash_exists.stat.exists|bool + tags: + - samba-server + - samba-cron + + +- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured + lineinfile: + path: /root/bin/samba/conf/clean_samba_trash.conf + regexp: "^trash_dirs=*" + state: absent + check_mode: yes + changed_when: false + register: clean_samba_trash_dirs + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + - samba-cron + + +- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs + cron: + name: '{{ samba_cronjob_trash_dirs.name }}' + minute: '{{ samba_cronjob_trash_dirs.minute }}' + hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}" + day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}" + month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}" + weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}" + user: "{{ samba_cronjob_trash_dirs.user | default('root') }}" + job: "{{ samba_cronjob_trash_dirs.job }}" + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - clean_samba_trash_exists.stat.exists|bool and clean_samba_trash_dirs.found + tags: + - samba-server + - samba-cron + + +# --- +# Cronjob for setting permissions on samba shares +# --- + +- name: (samba-config-server.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists + stat: + path: /root/bin/samba/set_permissions_samba_shares.sh + register: set_permissions_on_samba_shares_exists + when: + 
- "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + - samba-cron + +- name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh' + template: + dest: /root/bin/samba/conf/set_permissions_samba_shares.conf + src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2 + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - set_permissions_on_samba_shares_exists.stat.exists|bool + tags: + - samba-server + - samba-cron + + +- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs + cron: + name: '{{ samba_cronjob_permissions.name }}' + minute: '{{ samba_cronjob_permissions.minute }}' + hour: "{{ samba_cronjob_permissions.hour | default('*') }}" + day: "{{ samba_cronjob_permissions.day | default('*') }}" + month: "{{ samba_cronjob_permissions.month| default('*') }}" + weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}" + user: "{{ samba_cronjob_permissions.user | default('root') }}" + job: "{{ samba_cronjob_permissions.job }}" + when: + - "groups['samba_server']|string is search(inventory_hostname)" + - clean_samba_trash_dirs.found + tags: + - samba-server + - samba-cron + diff --git a/roles/common/tasks/samba-remove-user.yml b/roles/common/tasks/samba-remove-user.yml new file mode 100644 index 0000000..fdd9d6b --- /dev/null +++ b/roles/common/tasks/samba-remove-user.yml 
@@ -0,0 +1,58 @@ +--- + +# --- +# - Remove unwanted users +# --- + + +- name: (samba-remove-user.yml) Check if samba user exists for removable system user + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_remove_system_users_present + changed_when: "samba_remove_system_users_present.rc == 0" + failed_when: "samba_remove_system_users_present.rc > 1" + with_items: + - "{{ remove_samba_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - system-user + - samba-user + + +- name: (samba-remove-user.yml) Remove (old) system users from samba + shell: > + smbpasswd -s -x {{ item.item.name }} + with_items: + - "{{ samba_remove_system_users_present.results }}" + loop_control: + label: '{{ item.item.name }}' + when: + - item.changed + tags: + - system-user + - samba-user + +- name: (samba-remove-user.yml) Remove users from system + user: + name: '{{ item.name }}' + state: absent + with_items: + - "{{ remove_samba_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - system-user + - samba-user + +- name: (samba-remove-user.yml) Remove home directory from deleted users + file: + path: "{{ base_home | default('/home', true) }}/{{ item.name }}" + state: absent + with_items: + - "{{ remove_samba_users }}" + loop_control: + label: '{{ item.name }}' + tags: + - system-user + - samba-user + diff --git a/roles/common/tasks/samba-user.yml b/roles/common/tasks/samba-user.yml new file mode 100644 index 0000000..1e310a3 --- /dev/null +++ b/roles/common/tasks/samba-user.yml 
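Review bot: `pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'` is an unanchored regex match, so removing `ann` is reported as present whenever `joann` exists and the following `smbpasswd -s -x ann` then fails the play (and a name containing regex metacharacters matches unrelated entries); use `grep -x -F -- '{{ item.name }}'` here, and the same in the presence check of samba-user.yml. The `user:` task removes the account with `state: absent` but without `remove: yes`, leaving the real home directory to a separate `file:` task that guesses the path from `base_home`; `remove: yes` on the user task deletes the home recorded in passwd and makes the extra task unnecessary. Both `shell:` invocations interpolate the name unquoted into a command line, which is acceptable for operator-controlled inventory but `{{ item.item.name | quote }}` is the safer habit.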
@@ -0,0 +1,75 @@ +--- + +# --- +# - default user/groups +# --- + +# To be precise, samba groups are system groups. +# +- name: (samba-user.yml) Ensure samba groups exists + group: + name: '{{ item.name }}' + state: present + gid: '{{ item.group_id | default(omit) }}' + loop: "{{ samba_groups }}" + loop_control: + label: '{{ item.name }}' + when: item.group_id is defined + tags: + - samba-server + - samba-group + - system-group + +# get all user of the system +# +# Note: +# the result ist avalable in variable getent_passwd +# +- name: (samba_user.yml) Get database of (system) users + getent: + database: passwd + tags: + - samba-server + - samba-user + - system-user + + +# Samba users mut be also system users +# +- name: (samba_user.yml) Add (system) users if not yet exists.. + shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'" + loop: "{{ samba_user }}" + loop_control: + label: '{{ item.name }}' + when: + - item.name not in getent_passwd + tags: + - samba-server + - samba-user + - system-user + + +- name: (samba-user.yml) Check if samba user exists + shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}' + register: samba_user_present + changed_when: "samba_user_present.rc == 1" + failed_when: "samba_user_present.rc > 1" + loop: "{{ samba_user }}" + loop_control: + label: '{{ item.name }}' + tags: + - samba-server + - samba-user + +- name: (samba-user.yml) Add user to samba (with system users password) + shell: > + (echo '{{ item.item.password }}'; echo '{{ item.item.password }}') + | smbpasswd -s -a {{ item.item.name }} + loop: "{{ samba_user_present.results }}" + when: item.changed + loop_control: + label: '{{ item.item.name }}' + tags: + - samba-server + - samba-user + diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 new file mode 100644 index 0000000..3e7ed65 --- /dev/null +++ b/roles/common/templates/etc/samba/smb.conf.j2 
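Review bot: Both password-handling tasks expose the cleartext credential: `add_new_user.sh {{ item.name }} '{{ item.password }}'` and `(echo '{{ item.item.password }}'; …) | smbpasswd -s -a` put the password into the command line of the spawned shell (readable by every local user via `ps` for the duration of the call) and into Ansible's result for failed items and `-v` output, which also defeats the point of vaulting it. Add `no_log: true` to both tasks and, since a password containing a single quote breaks the hand-written `'…'` quoting, render it as `{{ item.password | quote }}` (and `{{ item.item.password | quote }}`) instead. `add_new_user.sh` lives outside this patch, so whether it keeps the password out of its own logs cannot be checked here. The presence-check `grep '{{ item.name }}'` has the substring problem raised on samba-remove-user.yml.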
@@ -0,0 +1,420 @@ +# {{ ansible_managed }} + +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of +; workgroup = WORKGROUP + workgroup = {{ samba_workgroup|default('WORKGROUP') }} + +# Option 'netbios name' added to debian's default smb.conf +# +# This sets the NetBIOS name by which a Samba server is known. By default it +# is the same as the first component of the host's DNS name. If a machine is +# a browse server or logon server this name (or the first component of the +# hosts DNS name) will be the name that these services are advertised under. +# +# Note that the maximum length for a NetBIOS name is 15 characters. 
+# +# Default: netbios name = # machine DNS name +; netbios name = FILE + netbios name = {{ samba_netbios_name|default('FILE') }} + + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 + interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 + +# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf + hosts deny = 0.0.0.0/0 + hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +# +# Notice: +# If bind interfaces only is set and the network address 127.0.0.1 is not added to the +# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons +# covered below. +# +# Default: bind interfaces only = no + bind interfaces only = yes + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects +; log file = /var/log/samba/log.%m + log file = /var/log/samba/%I.log + +# Cap the size of the individual log files (in KiB). +; max log size = 1000 + max log size = 10000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Option 'log level' added to debian's default smb.conf +# +# The value of the parameter (a astring) allows the debug level (logging level) to be +# specified in the smb.conf file. +# +# This parameter has been extended since the 2.2.x series, now it allows one to specify +# the debug level for multiple debug classes. 
This is to give greater flexibility in +# the configuration of the system. +# +# See manpage for implemented debug classes +# +# Default: log level = 0 +# +# Example: log level = 3 passdb:5 auth:10 winbind:2 + log level = 0 + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Option 'ntlm auth' added to debian's default smb.conf +# +# This parameter determines whether or not smbd(8) will attempt to authenticate +# users using the NTLM encrypted password response for this local passdb (SAM +# or account database). +# +# If disabled, both NTLM and LanMan authencication against the local passdb is +# disabled. +# +# Note that these settings apply only to local users, authentication will still +# be forwarded to and NTLM authentication accepted against any domain we are +# joined to, and any trusted domain, even if disabled or if NTLMv2-only is +# enforced here. To control NTLM authentiation for domain users, this must option +# must be configured on each DC. +# +# By default with lanman auth set to no and ntlm auth set to ntlmv2-only only +# NTLMv2 logins will be permited. Most clients support NTLMv2 by default, but some +# older clients will require special configuration to use it. +# +# The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. +# +# The available settings are: +# +# ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients. +# +# ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2. +# +# mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that +# it is providing MSCHAPv2 authentication (such as the ntlm_auth tool). +# +# disabled - Do not accept NTLM (or LanMan) authentication of any level, nor +# permit NTLM password changes. +# +# The default changed from yes to no with Samba 4.5. The default chagned again to +# ntlmv2-only with Samba 4.7, however the behaviour is unchanged. 
+# +# Default: ntlm auth = ntlmv2-only + ntlm auth = ntlmv1-permitted + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. 
+ pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +# Option 'username map' added to debian's default smb.conf +# + username map = /etc/samba/users.map + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = primary +# classic domain controller', 'server role = backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. 
+; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +# {{ ansible_managed }} + +[homes] + comment = Home Directories + browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. + read only = no + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. + create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. + directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. 
+# The following parameter makes sure that only "username" can connect +# to \\server\username +# This might need tweaking when using external authentication schemes + valid users = %S + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +{% for item in samba_shares | default([]) %} + +[{{ item.name }}] +{% if item.comment is defined and item.comment|length > 0 %} + comment = {{ item.comment }} +{% else %} + comment = {{ item.name }} +{% endif %} + path = {{ item.path }} + +{% if item.browseable is defined and item.browseable|length > 0 %} + browseable = {{ item.browseable|string }} +{% else %} + browseable = yes +{% endif %} +{% if item.read_only is defined and item.read_only|length > 0 %} + read only = {{ item.read_only|string }} +{% else %} + read only = no +{% endif %} +{% if item.writeable is defined and item.writeable |length > 0 %} + writeable = {{ item.writeable }} +{% else %} + writeable = yes +{% endif %} + +{% if item.guest_ok is defined and item.guest_ok|length > 0 %} + guest ok = {{ item.guest_ok }} + +{% endif %} + create mask = {{ item.file_create_mask | default('0660') }} + force create mode = {{ item.file_create_mask | default('0660') }} + directory mask = {{ item.dir_create_mask | default('2770') }} + force directory mode = {{ item.dir_create_mask | default('2770') }} 
+ +{%- if item.valid_users is defined and item.valid_users|length > 0 %} + + # can login into that share + valid users = {{ item.valid_users }} +{% elif item.group_valid_users is defined and item.group_valid_users|length > 0 %} + + # can login into that share + valid users = @{{ item.group_valid_users }} +{% endif %} +{%- if item.group_write_list is defined and item.group_write_list|length > 0 %} + + # allow to write + write list = @{{ item.group_write_list }} + + force group = +{{ item.group_write_list }} +{% endif %} +{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} +{% if item.recycle_path is defined and item.recycle_path|length > 0 %} + + vfs objects = recycle + recycle:keeptree = yes + # touch access time from this file + # note: this is not the modified time, which is + # outdatet by ls-command + # so yo can delete files older then n day with the following command: + # find /data/samba/share//.Trash -atime + -exec rm -rf {} \; + # + recycle:touch = yes + recycle:touch_mtime = no + recycle:versions = yes + recycle:directory_mode = 2770 + + # - Dateien gößer als 10MB werden nicht + #recycle:maxsize = 10485760 # around 10MB + + # - Keine Begrenzung der Dateigröße. + recycle:maxsize = 0 + + recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~?? + recycle:excludedir = /tmp,/temp,/cache,.Trash + recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }} + + # - This is a list of files and directories that are neither visible nor accessible. + # - Each entry in the list must be separated by a '/', which allows spaces to be + # - included in the entry. '*' and '?' can be used to specify multiple files or + # - directories as in DOS wildcards. 
+ # - + veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/ + delete veto files = yes +{% else %} + +{% endif %} +{% else %} + +{% endif %} + +{% endfor %} + +;[printers] +; comment = All Printers +; browseable = no +; path = /var/spool/samba +; printable = yes +; guest ok = no +; read only = yes +; create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +;[print$] +; comment = Printer Drivers +; path = /var/lib/samba/printers +; browseable = yes +; read only = yes +; guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin + diff --git a/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 new file mode 100644 index 0000000..1fb3b14 --- /dev/null +++ b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 
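Review bot: `ntlm auth = ntlmv1-permitted` in [global] re-enables NTLMv1 for local passdb users, which the comment block right above it describes as weaker than the Samba default `ntlmv2-only`; unless a specific client is known to need it, keep the default or make it a variable with the safe fallback, `ntlm auth = {{ samba_ntlm_auth | default('ntlmv2-only') }}`. In the per-share loop `read only` and `writeable` are inverse synonyms and both are always emitted, so a share with `read_only: yes` and no `writeable` key renders `read only = yes` followed by `writeable = yes`, and the later line wins; emit only one of them, for example derive `writeable` from `read_only` when it is not set explicitly. The `interfaces` line hard-codes a `/24` onto `ansible_default_ipv4.address`, which binds the wrong subnet on hosts with another prefix length; `{{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask }}` uses the fact Samba already accepts in dotted form.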
@@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+# ------------------------------------
+# - Settings for script clean_trash.sh
+# ------------------------------------
+
+# - days
+# -
+# - Files older then 'days' will be deleted.
+# -
+# - Defaults to: days=31
+# -
+#days=31
+
+# - trash_dirs
+# -
+# - Directories where files older than given days will be deleted.
+# -
+# - Example:
+# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
+# -
+#trash_dirs=""
+
+{%- set count = namespace(trash_dirs=0) %}
+
+{%- for item in samba_shares | default([]) %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
+{% set count.trash_dirs = count.trash_dirs + 1 %}
+{% endif %}
+{% endif %}
+{% endfor %}
+
+{% if count.trash_dirs > 0 %}
+trash_dirs="
+{% for item in samba_shares %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
+ {{ item.path }}/{{ item.recycle_path }}
+{% endif %}
+{% endif %}
+{% endfor %}
+"
+{% endif %}
diff --git a/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2
new file mode 100644
index 0000000..1fb3b14
--- /dev/null
+++ b/roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2
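Review bot: The header comment names the consumer `clean_trash.sh`, while the cron entry added in group_vars calls `/root/bin/samba/clean_samba_trash.sh`; change it to `# - Settings for script clean_samba_trash.sh` so the file and the job agree. The generated `trash_dirs` is one directory per line inside a double-quoted shell string, and the documented example `trash_dirs="a b"` implies the script splits it on whitespace, so a share `path` containing a space would be split into two entries and the deletion step would act on something other than the trash directory; either reject such paths at template time or state in the comment that paths must not contain whitespace. The first `for` loop guards `samba_shares` with `default([])` and the second does not; that is harmless because the second loop is only reached when the count is positive, but writing both the same way reads cleaner.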
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+# -----------------------------------------------------
+# - Settings for script set_permissions_samba_shares.sh
+# -----------------------------------------------------
+
+# - dir_permissions
+# -
+# - Recursive set Permissions (group and file- and directory-mode)
+# -
+# - Multiple options are possible. Use semicolon separated list.
+# -
+# - Usage:
+# - dir_permissions=":::;[:::];[.."
+# -
+# - Example:
+# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
+# -
+#dir_permissions=""
+
+{%- set count = namespace(samba_shares=0) %}
+
+{%- for item in samba_shares | default([]) %}
+{% set count.samba_shares = count.samba_shares + 1 %}
+{% endfor %}
+
+{% if count.samba_shares > 0 %}
+dir_permissions="
+{% for item in samba_shares | default([]) %}
+ {{ item.path }}:{{ item.group_write_list | default('root', true) }}:{{ item.file_create_mask|string | default('660', true) }}:{{ item.dir_create_mask | default('2770', true) }};
+{% endfor %}
+"
+{% endif %}
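Review bot: On the `dir_permissions` line, `item.file_create_mask|string | default('660', true)` applies `string` before `default`, so for a share that omits `file_create_mask` the conversion runs on an undefined value; with Ansible's strict undefined handling that is likely to abort rendering rather than fall back, and the fallback `660` also disagrees with smb.conf.j2, which defaults the same key to `0660`. Reordering to `{{ item.file_create_mask | default('0660', true) }}` resolves both. The counting loop into `count.samba_shares` duplicates `samba_shares | default([]) | length`, which would remove the namespace and the extra loop. The group falls back to `root` here, whereas smb.conf.j2 emits no `force group` for a share without `group_write_list`; if the nightly group change to root on such shares is intended, a comment on the `default('root', true)` saying so would spare the next reader a cross-check.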