ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph 2022-02-19 02:20:05 +01:00
parent 9fadd0642d
commit 526f7e919a
15 changed files with 1607 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
group_vars/all/main.yml
View File

@ -1640,6 +1640,90 @@ roundcube_2_support_url:
roundcube_2_skin_logo: roundcube_2_skin_logo:
# ==========
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ==========
apt_install_server_samba:
- samba
- nscd
# samba_workgroup
#
# example:
# samba_workgroup: MBR
#
samba_workgroup: {}
# samba_netbios_name
#
# example:
# samba_netbios_name: FILE-MBR
#
samba_netbios_name: {}
samba_groups: []
# samba_user:
# - name: chris
# groups:
# - group1
# - group2
# password: 'H-.T/TvN5S9J'
#
samba_user: []
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
# samba_shares
#
# samba_shares:
# - name: Arbeitsrechtliches
# comment:
# path: /data/shares/Arbeitsrechtliches
# browseable: !!str yes
# read_only: !!str no
# writeable: !!str yes
# guest_ok: !!str no
# file_create_mask: !!str 0660
# dir_create_mask: !!str 2770
# valid_users: '%S'
# group_valid_users: mbr-finanzen
# group_write_list: mbr-finanzen
# vfs_object_recycle: true
# recycle_path: '@Recycle.Bin'
#
samba_shares: []
samba_cronjob_trash_dirs:
name: Clean up Samba Trash Dirs
minute: "02"
hour: "23"
day: "*"
month: "*"
weekday: '*'
user: root
job: "/root/bin/samba/clean_samba_trash.sh"
samba_cronjob_permissions:
name: Set (group and access) Permissons for Samba shares
minute: "14"
hour: "23"
day: "*"
month: "*"
weekday: '*'
user: root
job: "/root/bin/samba/set_permissions_samba_shares.sh"
# ============================== # ==============================

406
host_vars/file-ah.kanzlei-kiel.netz.yml Normal file
View File

@ -0,0 +1,406 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
- resolvconf
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp33s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 0c:c4:7a:ea:dd:56
description:
address: 192.168.100.10
netmask: 24
gateway: 192.168.100.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 192.168.100.1
search: kanzlei-kiel.netz
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp33s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev enp33s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_workgroup: AH
samba_netbios_name: FILE-AH
samba_groups:
- name: verwaltung
group_id: 120
- name: intern
group_id: 121
- name: hoffmann-elberling
group_id: 122
- name: gubitz-partner
group_id: 123
samba_user:
- name: buero
groups:
- verwaltung
- intern
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buchholz
groups:
- buero
- intern
- verwaltung
password:
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: 664
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: 660
dir_create_mask: 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Backup
path: /data/samba/non-backup-shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: 660
dir_create_mask: 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: {}
group_write_list: {}
file_create_mask: 664
dir_create_mask: 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ---
# - This share will be written by windows schedulescript 'backup-advoware.bat'
# ---
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: 664
dir_create_mask: 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

210
host_vars/o17.oopen.de.yml
View File

@ -193,7 +193,6 @@ default_user:
sudo_users: sudo_users:
- chris - chris
- o13-pad
- sysadm - sysadm
- localadmin - localadmin
@ -229,6 +228,215 @@ git_firewall_repository:
repo: https://git.oopen.de/firewall/ipt-server repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server dest: /usr/local/src/ipt-server
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_workgroup: AH
samba_netbios_name: FILE-AH
samba_groups:
- name: verwaltung
group_id: 1200
- name: intern
group_id: 1210
- name: hoffmann-elberling
group_id: 1220
- name: gubitz-partner
group_id: 1230
samba_user:
- name: buero
groups:
- verwaltung
- intern
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buchholz
groups:
- buero
- intern
- verwaltung
password:
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: profiles-RDP
comment: Users profiles RDP
path: /data/samba/profiles-RDP
guest_ok: !!str no
browseable: !!str no
valid_users: '%S'
file_create_mask: '600'
dir_create_mask: '700'
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: 664
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: 660
dir_create_mask: 2770
vfs_object_recycle: true
recycle_path: recycle
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: '664'
dir_create_mask: 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Gubitz-Backup
path: /data/samba/shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: 660
dir_create_mask: 2770
vfs_object_recycle: true
recycle_path: recycle
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: {}
group_write_list: {}
file_create_mask: 664
dir_create_mask: 2775
guest_ok: !!str yes
vfs_object_recycle: true
recycle_path: {}
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: 664
dir_create_mask: 2775
guest_ok: !!str yes
vfs_object_recycle: true
# ============================== # ==============================

15
hosts
View File

@ -26,6 +26,7 @@ devel-root.wf.netz
gw-123.oopen.de gw-123.oopen.de
gw-ah.oopen.de gw-ah.oopen.de
gw-ak.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-akb.akb.netz gw-akb.akb.netz
gw-ckubu.local.netz gw-ckubu.local.netz
@ -42,6 +43,7 @@ gw-kb.oopen.de
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
gw-replacement.local.netz gw-replacement.local.netz
gw-replacement2.local.netz gw-replacement2.local.netz
@ -200,6 +202,7 @@ lxc-host-kb.anw-kb.netz
gw-123.oopen.de gw-123.oopen.de
gw-ah.oopen.de gw-ah.oopen.de
gw-ak.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-akb.akb.netz gw-akb.akb.netz
gw-b3.oopen.de gw-b3.oopen.de
@ -217,6 +220,7 @@ gw-kb.oopen.de
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
gw-ckubu.local.netz gw-ckubu.local.netz
@ -402,9 +406,13 @@ lxc-host-kb.anw-kb.netz
gw-ckubu.local.netz gw-ckubu.local.netz
gw-akb.akb.netz gw-akb.akb.netz
# - AK
gw-ak.oopen.de
# - Kanzlei Kiel # - Kanzlei Kiel
gw-ah.oopen.de gw-ah.oopen.de
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
# - Kanzlei EBS Leipzig # - Kanzlei EBS Leipzig
gw-ebs.oopen.de gw-ebs.oopen.de
@ -656,6 +664,7 @@ cl-test.oopen.de
# --- # ---
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
[ftp_server] [ftp_server]
@ -1058,6 +1067,8 @@ backup.warenform.de
[samba_server] [samba_server]
o17.oopen.de
# --- # ---
# Warenform # Warenform
# --- # ---
@ -1068,6 +1079,7 @@ anita.wf.netz
# --- # ---
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
[mumble_server] [mumble_server]
@ -1149,6 +1161,7 @@ lxc-host-kb.anw-kb.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
@ -1277,6 +1290,7 @@ cl-test.oopen.de
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-km.anw-km.netz
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
@ -1486,6 +1500,7 @@ gw-replacement2.local.netz
[gateway_server_rw] [gateway_server_rw]
gw-ah.oopen.de gw-ah.oopen.de
gw-ak.oopen.de
gw-b3.oopen.de gw-b3.oopen.de
gw-d11.oopen.de gw-d11.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de

18
roles/common/files/etc/samba/users.map Normal file
View File

@ -0,0 +1,18 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.
root = admin administrator

18
roles/common/handlers/main.yml
View File

@ -30,3 +30,21 @@
name: bind9 name: bind9
state: reloaded state: reloaded
enabled: yes enabled: yes
- name: Restart smbd
service:
name: smbd
daemon_reload: yes
state: restarted
- name: Restart nmbd
service:
name: nmbd
daemon_reload: yes
state: restarted
- name: Reload samba config
shell: smbcontrol all reload-config
when:
- inventory_hostname in groups['samba_server']

9
roles/common/tasks/apt.yml
View File

@ -226,6 +226,15 @@
tags: tags:
- apt-webserver-pkgs - apt-webserver-pkgs
- name: (apt.yml) Install samba related packages
package:
pkg: '{{ apt_install_server_samba }}'
state: present
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (apt.yml) Install extra packages - name: (apt.yml) Install extra packages
apt: apt:
name: "{{ apt_extra_pkgs }}" name: "{{ apt_extra_pkgs }}"

6
roles/common/tasks/cron.yml
View File

@ -4,7 +4,7 @@
cron: cron:
name: '{{ item.name }}' name: '{{ item.name }}'
env: 'yes' env: 'yes'
user: '{{ item.user | default(omit) }}' user: '{{ item.user | default("root", true) }}'
job: '{{ item.job }}' job: '{{ item.job }}'
insertafter: '{{ item.insertafter | default(omit) }}' insertafter: '{{ item.insertafter | default(omit) }}'
loop: "{{ cron_env_entries }}" loop: "{{ cron_env_entries }}"
@ -19,7 +19,7 @@
cron: cron:
name: '{{ item.name }}' name: '{{ item.name }}'
special_time: '{{ item.special_time }}' special_time: '{{ item.special_time }}'
user: '{{ item.user | default(omit) }}' user: '{{ item.user | default("root", true) }}'
job: '{{ item.job }}' job: '{{ item.job }}'
state: present state: present
loop: "{{ cron_user_special_time_entries }}" loop: "{{ cron_user_special_time_entries }}"
@ -34,7 +34,7 @@
cron: cron:
name: '{{ item.name }}' name: '{{ item.name }}'
minute: '{{ item.minute | default(omit) }}' minute: '{{ item.minute | default(omit) }}'
hour: '{{ item.hour | default(omit) }}' hour: '{{ item.hour | default("root", true) }}'
day: '{{ day | default(omit) }}' day: '{{ day | default(omit) }}'
weekday: '{{ item.weekday | default(omit) }}' weekday: '{{ item.weekday | default(omit) }}'
month: '{{ item.month | default(omit) }}' month: '{{ item.month | default(omit) }}'

34
roles/common/tasks/main.yml
View File

@ -148,6 +148,40 @@
tags: tags:
- config-files-mailsystem - config-files-mailsystem
# tags supported inside samba-user.yml:
#
# samba-server
# samba-user
# system-user
#
- import_tasks: samba-user.yml
when: inventory_hostname in groups['samba_server']
tags:
- samba-server
# tags supported inside samba-config-server.yml:
#
# samba-server
# samba-shares
# samba-server
# samba-cron
#
- import_tasks: samba-config-server.yml
when: inventory_hostname in groups['samba_server']
tags:
- samba-server
# tags supported inside samba-remove-user.yml:
#
# samba-server
# samba-user
# system-user
#
- import_tasks: samba-remove-user.yml
when: inventory_hostname in groups['samba_server']
tags:
- samba-server
# tags supportetd inside caching-nameserver.yml # tags supportetd inside caching-nameserver.yml
# #
# apt-caching-nameserver # apt-caching-nameserver

181
roles/common/tasks/samba-config-server.yml Normal file
View File

@ -0,0 +1,181 @@
---
# ---
# Samba Server
# ---
- name: (samba-config-server.yml) Ensure samba share directories exists
file:
path: "{{ item.path }}"
owner: "root"
group: "{{ item.group_write_list | default('root', true) }}"
mode: '2770'
state: directory
recurse: yes
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-shares
# ---
# /etc/samba/smb.conf
# ---
- name: (samba-config-server.yml) Check if file '/etc/samba/smb.conf.ORIG exists'
stat:
path: /etc/samba/smb.conf.ORIG
register: smb_conf_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- smb_conf_exists.stat.exists == False
tags:
- samba-server
- name: (samba-config-server.yml) /etc/samba/smb.conf
template:
dest: /etc/samba/smb.conf
src: etc/samba/smb.conf.j2
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- samba_user is defined and samba_user|length > 0
- samba_shares is defined and samba_shares|length > 0
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
- name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists
copy:
src: "{{ role_path + '/files/etc/samba/users.map' }}"
dest: /etc/samba/users.map
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
# ---
# Cronjob for cleaning up samba trash dirs
# ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat:
path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
template:
dest: /root/bin/samba/conf/clean_samba_trash.conf
src: root/bin/samba/conf/clean_samba_trash.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_exists.stat.exists|bool
tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
state: absent
check_mode: yes
changed_when: false
register: clean_samba_trash_dirs
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_trash_dirs.name }}'
minute: '{{ samba_cronjob_trash_dirs.minute }}'
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_exists.stat.exists|bool and clean_samba_trash_dirs.found
tags:
- samba-server
- samba-cron
# ---
# Cronjob for setting permissions on samba shares
# ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat:
path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- set_permissions_on_samba_shares_exists.stat.exists|bool
tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_permissions.name }}'
minute: '{{ samba_cronjob_permissions.minute }}'
hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month| default('*') }}"
weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}"
user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
tags:
- samba-server
- samba-cron

58
roles/common/tasks/samba-remove-user.yml Normal file
View File

@ -0,0 +1,58 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba-remove-user.yml) Check if samba user exists for removable system user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_system_users_present
changed_when: "samba_remove_system_users_present.rc == 0"
failed_when: "samba_remove_system_users_present.rc > 1"
with_items:
- "{{ remove_samba_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- samba-user
- name: (samba-remove-user.yml) Remove (old) system users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_system_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- system-user
- samba-user
- name: (samba-remove-user.yml) Remove users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_samba_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- samba-user
- name: (samba-remove-user.yml) Remove home directory from deleted users
file:
path: "{{ base_home | default('/home', true) }}/{{ item.name }}"
state: absent
with_items:
- "{{ remove_samba_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- samba-user

75
roles/common/tasks/samba-user.yml Normal file
View File

@ -0,0 +1,75 @@
---
# ---
# - default user/groups
# ---
# To be precise, samba groups are system groups.
#
- name: (samba-user.yml) Ensure samba groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ samba_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
tags:
- samba-server
- samba-group
- system-group
# get all user of the system
#
# Note:
# the result ist avalable in variable getent_passwd
#
- name: (samba_user.yml) Get database of (system) users
getent:
database: passwd
tags:
- samba-server
- samba-user
- system-user
# Samba users mut be also system users
#
- name: (samba_user.yml) Add (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ samba_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
tags:
- samba-server
- samba-user
- system-user
- name: (samba-user.yml) Check if samba user exists
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_user_present
changed_when: "samba_user_present.rc == 1"
failed_when: "samba_user_present.rc > 1"
loop: "{{ samba_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-server
- samba-user
- name: (samba-user.yml) Add user to samba (with system users password)
shell: >
(echo '{{ item.item.password }}'; echo '{{ item.item.password }}')
| smbpasswd -s -a {{ item.item.name }}
loop: "{{ samba_user_present.results }}"
when: item.changed
loop_control:
label: '{{ item.item.name }}'
tags:
- samba-server
- samba-user

420
roles/common/templates/etc/samba/smb.conf.j2 Normal file
View File

@ -0,0 +1,420 @@
# {{ ansible_managed }}
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
; workgroup = WORKGROUP
workgroup = {{ samba_workgroup|default('WORKGROUP') }}
# Option 'netbios name' added to debian's default smb.conf
#
# This sets the NetBIOS name by which a Samba server is known. By default it
# is the same as the first component of the host's DNS name. If a machine is
# a browse server or logon server this name (or the first component of the
# hosts DNS name) will be the name that these services are advertised under.
#
# Note that the maximum length for a NetBIOS name is 15 characters.
#
# Default: netbios name = # machine DNS name
; netbios name = FILE
netbios name = {{ samba_netbios_name|default('FILE') }}
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
hosts deny = 0.0.0.0/0
hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
#
# Notice:
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
# covered below.
#
# Default: bind interfaces only = no
bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
; log file = /var/log/samba/log.%m
log file = /var/log/samba/%I.log
# Cap the size of the individual log files (in KiB).
; max log size = 1000
max log size = 10000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Option 'log level' added to debian's default smb.conf
#
# The value of the parameter (a astring) allows the debug level (logging level) to be
# specified in the smb.conf file.
#
# This parameter has been extended since the 2.2.x series, now it allows one to specify
# the debug level for multiple debug classes. This is to give greater flexibility in
# the configuration of the system.
#
# See manpage for implemented debug classes
#
# Default: log level = 0
#
# Example: log level = 3 passdb:5 auth:10 winbind:2
log level = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Option 'ntlm auth' added to debian's default smb.conf
#
# This parameter determines whether or not smbd(8) will attempt to authenticate
# users using the NTLM encrypted password response for this local passdb (SAM
# or account database).
#
# If disabled, both NTLM and LanMan authencication against the local passdb is
# disabled.
#
# Note that these settings apply only to local users, authentication will still
# be forwarded to and NTLM authentication accepted against any domain we are
# joined to, and any trusted domain, even if disabled or if NTLMv2-only is
# enforced here. To control NTLM authentiation for domain users, this must option
# must be configured on each DC.
#
# By default with lanman auth set to no and ntlm auth set to ntlmv2-only only
# NTLMv2 logins will be permited. Most clients support NTLMv2 by default, but some
# older clients will require special configuration to use it.
#
# The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
#
# The available settings are:
#
# ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
#
# ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
#
# mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that
# it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
#
# disabled - Do not accept NTLM (or LanMan) authentication of any level, nor
# permit NTLM password changes.
#
# The default changed from yes to no with Samba 4.5. The default chagned again to
# ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
#
# Default: ntlm auth = ntlmv2-only
ntlm auth = ntlmv1-permitted
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
# Option 'username map' added to debian's default smb.conf
#
username map = /etc/samba/users.map
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
# {{ ansible_managed }}
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
{% for item in samba_shares | default([]) %}
[{{ item.name }}]
{% if item.comment is defined and item.comment|length > 0 %}
comment = {{ item.comment }}
{% else %}
comment = {{ item.name }}
{% endif %}
path = {{ item.path }}
{% if item.browseable is defined and item.browseable|length > 0 %}
browseable = {{ item.browseable|string }}
{% else %}
browseable = yes
{% endif %}
{% if item.read_only is defined and item.read_only|length > 0 %}
read only = {{ item.read_only|string }}
{% else %}
read only = no
{% endif %}
{% if item.writeable is defined and item.writeable |length > 0 %}
writeable = {{ item.writeable }}
{% else %}
writeable = yes
{% endif %}
{% if item.guest_ok is defined and item.guest_ok|length > 0 %}
guest ok = {{ item.guest_ok }}
{% endif %}
create mask = {{ item.file_create_mask | default('0660') }}
force create mode = {{ item.file_create_mask | default('0660') }}
directory mask = {{ item.dir_create_mask | default('2770') }}
force directory mode = {{ item.dir_create_mask | default('2770') }}
{%- if item.valid_users is defined and item.valid_users|length > 0 %}
# can login into that share
valid users = {{ item.valid_users }}
{% elif item.group_valid_users is defined and item.group_valid_users|length > 0 %}
# can login into that share
valid users = @{{ item.group_valid_users }}
{% endif %}
{%- if item.group_write_list is defined and item.group_write_list|length > 0 %}
# allow to write
write list = @{{ item.group_write_list }}
force group = +{{ item.group_write_list }}
{% endif %}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:directory_mode = 2770
# - Dateien gößer als 10MB werden nicht
#recycle:maxsize = 10485760 # around 10MB
# - Keine Begrenzung der Dateigröße.
recycle:maxsize = 0
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
# - This is a list of files and directories that are neither visible nor accessible.
# - Each entry in the list must be separated by a '/', which allows spaces to be
# - included in the entry. '*' and '?' can be used to specify multiple files or
# - directories as in DOS wildcards.
# -
veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/
delete veto files = yes
{% else %}
{% endif %}
{% else %}
{% endif %}
{% endfor %}
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin

44
roles/common/templates/root/bin/samba/conf/clean_samba_trash.conf.j2 Normal file
View File

@ -0,0 +1,44 @@
# {{ ansible_managed }}
# ------------------------------------
# - Settings for script clean_trash.sh
# ------------------------------------
# - days
# -
# - Files older then 'days' will be deleted.
# -
# - Defaults to: days=31
# -
#days=31
# - trash_dirs
# -
# - Directories where files older than given days will be deleted.
# -
# - Example:
# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
# -
#trash_dirs=""
{%- set count = namespace(trash_dirs=0) %}
{%- for item in samba_shares | default([]) %}
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
{% set count.trash_dirs = count.trash_dirs + 1 %}
{% endif %}
{% endif %}
{% endfor %}
{% if count.trash_dirs > 0 %}
trash_dirs="
{% for item in samba_shares %}
{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
{% if item.recycle_path is defined and item.recycle_path|length > 0 %}
{{ item.path }}/{{ item.recycle_path }}
{% endif %}
{% endif %}
{% endfor %}
"
{% endif %}

33
roles/common/templates/root/bin/samba/conf/set_permissions_samba_shares.conf.j2 Normal file
View File

@ -0,0 +1,33 @@
# {{ ansible_managed }}
# -----------------------------------------------------
# - Settings for script set_permissions_samba_shares.sh
# -----------------------------------------------------
# - dir_permissions
# -
# - Recursive set Permissions (group and file- and directory-mode)
# -
# - Multiple options are possible. Use semicolon separated list.
# -
# - Usage:
# - dir_permissions="<directory>:<group>:<file-mod>:<dir-mod>;[<directory>:<group>:<file-mod>:<dir-mod>];[.."
# -
# - Example:
# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
# -
#dir_permissions=""
{%- set count = namespace(samba_shares=0) %}
{%- for item in samba_shares | default([]) %}
{% set count.samba_shares = count.samba_shares + 1 %}
{% endfor %}
{% if count.samba_shares > 0 %}
dir_permissions="
{% for item in samba_shares | default([]) %}
{{ item.path }}:{{ item.group_write_list | default('root', true) }}:{{ item.file_create_mask|string | default('660', true) }}:{{ item.dir_create_mask | default('2770', true) }};
{% endfor %}
"
{% endif %}