update..

host_vars/file-ah.kanzlei-kiel.netz.yml

@@ -275,49 +275,20 @@ samba_groups:
     group_id: 122
   - name: gubitz-partner
     group_id: 123
+  - name: sysadm
+    group_id: 1050
+  - name: install
+    group_id: 1070
 
 samba_user:
-  - name: buero
+
-    groups:
-      - verwaltung
-      - intern
-    password: 'buero2011'
   - name: axel
     groups:
       - intern
       - verwaltung
       - hoffmann-elberling
     password: 'ah-kiel.2018'
-  - name: bjoern
+
-    groups:
-      - intern
-      - verwaltung
-      - hoffmann-elberling
-    password: 'bjoern2011'
-  - name: gubitz
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20gubitz12'
-  - name: schaar
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20schaar12'
-  - name: molkentin
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: 20molkentin12
-  - name: buerooben
-    groups:
-      - intern
-      - verwaltung
-      - hoffmann-elberling
-    password: 'buero2013'
   - name: back
     groups: []
     password: !vault |
@@ -327,34 +298,34 @@ samba_user:
           61313164643061306433643738643563303036646334376536626531383965303036386162393832
           6631333038306462610a356535633265633563633962333137326533633834636331343562633765
           3631
+
+  - name: bjoern
+    groups:
+      - intern
+      - verwaltung
+      - hoffmann-elberling
+    password: 'bjoern2011'
+
   - name: buchholz
     groups:
-      - buero
+       - buero
-      - intern
+       - intern
-      - verwaltung
+       - verwaltung
     password: '20-buch_holz-20'
-  - name: schmidt
+
+  - name: buero
+    groups:
+      - verwaltung
+      - intern
+    password: 'buero2011'
+
+  - name: buerooben
     groups:
       - intern
       - verwaltung
-      - gubitz-partner
-    password: '20-schmidt_21%'
-  - name: kiel-nb1
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
       - hoffmann-elberling
-    password: '20-note%book1-20'
+    password: 'buero2013'
-  - name: kiel-nb2
+
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: '20-note%book2-20'
   - name: chris
     groups:
       - buero
@@ -370,6 +341,118 @@ samba_user:
           6631333038306462610a356535633265633563633962333137326533633834636331343562633765
           3631
 
+  - name: gubitz
+    groups:
+      - intern
+      - verwaltung
+      - gubitz-partner
+    password: '20gubitz12'
+
+  - name: heckert
+    groups:
+      - intern
+      - gubitz-partner
+    password: '0-heckert.22%'
+
+  - name: hh-jaenicke
+    groups: []
+    password: '20-th.jaenicke_%20'
+
+  - name: hh-kanzlei
+    groups: []
+    password: '20-HH_18-Kanzlei'
+
+  - name: hh-lucke
+    groups: []
+    password: 'Ole20Steffen_17'
+
+  - name: hh-kell
+    groups: []
+    password: '20-an.kell-%24'
+
+  - name: hh-neumann
+    groups: []
+    password: '20.neu-mann_%24'
+
+  - name: hh-pueschel
+    groups: []
+    password: '20-HH_caro.pueschel-%21'
+
+  - name: kiel-nb1
+    groups:
+      - buero
+      - intern
+      - verwaltung
+      - gubitz-partner
+      - hoffmann-elberling
+    password: '20-note%book1-20'
+
+  - name: kiel-nb2
+    groups:
+      - buero
+      - intern
+      - verwaltung
+      - gubitz-partner
+      - hoffmann-elberling
+    password: '20-note%book2-20'
+
+  - name: molkentin
+    groups:
+      - intern
+      - verwaltung
+      - gubitz-partner
+    password: 20molkentin12
+
+  - name: schaar
+    groups:
+      - intern
+      - verwaltung
+      - gubitz-partner
+    password: '20schaar12'
+
+  - name: schmidt
+    groups:
+      - intern
+      - verwaltung
+      - gubitz-partner
+    password: '20-schmidt_21%'
+
+  - name: simone.schnoenmehl
+    groups:
+      - intern
+      - gubitz-partner
+    password: '20-simone-schnoenmehl-22%'
+
+  # password: 9xFXkdPR_2
+  - name: sysadm
+    groups:
+      - buero
+      - install
+      - intern
+      - verwaltung
+      - gubitz-partner
+      - hoffmann-elberling
+    password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35323634653231353634343232326436393435386366396364373766306135636536323165656362
+          3138366263316231333038343930313134333565373566640a363932616535343538376333313335
+          64326566643163366533356464326339653236636562363336633738656631626433306661323835
+          3337663865333636660a626131366161636433613561613235333831653733383365623564313431
+          6439
+
+  # password: Iar-zrq4wG.2
+  - name: winadm
+    groups:
+      - sysadm
+      - install
+    password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31326630303038396164656266623339353031336434376531383133643266656133363165316532
+          6364343131656235313432356230646337373362343938660a393031323561326438653935393632
+          34373464313666343433626635656261323933353631393632626166643738386333636639303334
+          3661613165626230640a306236363161356239306232633565336131303066383464626164636133
+          3038
+
 base_home: /home
 
 # remove_samba_users:
@@ -434,6 +517,15 @@ samba_shares:
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
+  - name: Install
+    path: /data/samba/shares/install
+    group_valid_users: install
+    group_write_list: install
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+
     # ---
     # - This share will be written by Windows Server 2016 configured at
     # - "Windows Zubehör" -> "Windows Server-Sicherung"
@@ -441,8 +533,8 @@ samba_shares:
   - name: WinServer2016-Backup
     comment: WinServer2016-Backup on Fileserver
     path: /data/samba/shares/WinServer2016-Backup
-    group_valid_users: {}
+    group_valid_users: sysadm
-    group_write_list: {}
+    group_write_list: sysadm
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
     guest_ok: !!str yes

host_vars/ga-st-mail.ga.netz.yml

@@ -183,13 +183,13 @@ copy_plain_files:
     dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf
 
 
-copy_plain_files_postfwd_host_specific: []
+copy_plain_files_postfwd_host_specific:
 
   # Postfix Firewall postfwd
   #
-  #- name: postfwd.wl-user
+  - name: postfwd.wl-user
-  #  src_path: ga-st-mail/etc/postfix/postfwd.wl-user
+    src_path: ga-st-mail/etc/postfix/postfwd.cf
-  #  dest_path: /etc/postfix/postfwd.wl-user
+    dest_path: /etc/postfix/postfwd.cf
 
 
 #copy_template_files: []

host_vars/gw-ak.oopen.de.yml

@@ -268,15 +268,6 @@ bind9_gateway_listen_on_v6:
 bind9_gateway_listen_on:
   - any
 
-# ---
-# vars used by roles/common/tasks/git.yml
-# ---
-
-git_firewall_repository:
-  name: ipt-gateway
-  repo: https://git.oopen.de/firewall/ipt-gateway
-  dest: /usr/local/src/ipt-gateway
-
 # ==============================
 
 

host_vars/o17.oopen.de.yml

@@ -154,11 +154,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -192,6 +187,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Clean up Samba Trash Dirs"
     minute: '02'
     hour: '23'

host_vars/o20.oopen.de.yml

@@ -141,6 +141,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Optimize mysql tables"
     minute: '51'
     hour: '04'

host_vars/o21.oopen.de.yml

@@ -237,11 +237,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -280,6 +275,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Optimize mysql tables"
     minute: '53'
     hour: '04'

host_vars/o22.oopen.de.yml

@@ -234,11 +234,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -249,6 +244,11 @@ cron_user_special_time_entries:
     job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
     insertafter: PATH
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check if Check if all autostart LX-Container are running."
     special_time: reboot
     job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"

host_vars/o23.oopen.de.yml

@@ -235,11 +235,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -278,11 +273,21 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'
     job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
 
+  - name: "Restart Jitsi Meet Service"
+    minute: '51'
+    hour: '6'
+    job: /usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet
+
 
 
 # ---

host_vars/o24.oopen.de.yml

@@ -237,11 +237,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -280,6 +275,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o25.oopen.de.yml

@@ -345,11 +345,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -378,6 +373,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
     minute: '*/5'
     hour: '*'

host_vars/o27.oopen.de.yml

@@ -237,11 +237,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -280,6 +275,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o28.oopen.de.yml

@@ -344,11 +344,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -377,6 +372,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
     minute: '06'
     hour: '00'

host_vars/o29.oopen.de.yml

@@ -233,11 +233,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -271,6 +266,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o30.oopen.de.yml

@@ -223,11 +223,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -266,11 +261,21 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'
     job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
 
+  - name: "Restart Jitsi Meet Service"
+    minute: '51'
+    hour: '6'
+    job: /usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet
+
 
 # ---
 # vars used by roles/common/tasks/users.yml

host_vars/o31.oopen.de.yml

@@ -236,11 +236,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -279,6 +274,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o32.oopen.de.yml

@@ -234,11 +234,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -277,6 +272,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Optimize mysql tables"
     minute: '53'
     hour: '04'

host_vars/o34.oopen.de.yml

@@ -232,11 +232,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -275,6 +270,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Optimize mysql tables"
     minute: '53'
     hour: '04'

host_vars/o35.oopen.de.yml

@@ -237,11 +237,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -275,6 +270,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o36.oopen.de.yml

@@ -230,11 +230,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -268,6 +263,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o38.oopen.de.yml

@@ -232,11 +232,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -270,6 +265,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/o39.oopen.de.yml

@@ -232,11 +232,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -270,6 +265,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
 
 
 # ---

host_vars/server18.warenform.de.yml

@@ -234,11 +234,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -272,6 +267,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server22.warenform.de.yml

@@ -221,11 +221,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -259,6 +254,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server23.warenform.de.yml

@@ -221,11 +221,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -259,6 +254,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server24.warenform.de.yml

@@ -228,11 +228,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -266,6 +261,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server25.warenform.de.yml

@@ -229,11 +229,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -267,6 +262,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server26.warenform.de.yml

@@ -244,11 +244,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -282,6 +277,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server27.warenform.de.yml

@@ -251,11 +251,6 @@ cron_env_entries:
 
 cron_user_special_time_entries:
 
-  - name: "Restart NTP service 'ntpsec'"
-    special_time: reboot
-    job: "sleep 2 ; /bin/systemctl restart ntpsec"
-    insertafter: PATH
-
   - name: "Restart DNS Cache service 'systemd-resolved'"
     special_time: reboot
     job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
@@ -289,6 +284,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'

host_vars/server28.warenform.de.yml

@@ -273,6 +273,11 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/monitoring/check_postfix.sh
 
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
   - name: "Check hard disc usage."
     minute: '43'
     hour: '6'
@@ -281,7 +286,7 @@ cron_user_entries:
   - name: "Check if cert(s) for Prosody service are up-zp-date"
     minute: '13'
     hour: '05'
-    job: /root/bin/monitoring/check_cert_for_service.sh
+    job: /root/bin/monitoring/check_cert_for_prosody.sh
 
   - name: "Check if cert for coTURN service is up-to-date"
     minute: '39'

host_vars/zapata.opp.netz.yml

@@ -435,6 +435,12 @@ samba_user:
       - beratung
     password: '20_martin_18'
 
+  - name: marvin
+    groups:
+      - buero
+      - beratung
+    password: 'm4rv!n*6urg_24'
+
   - name: miriam
     groups:
       - buero

roles/common/files/ga-st-mail/etc/postfix/postfwd.cf

@@ -0,0 +1,177 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#======= Definitions ============
+
+# Match messages with an associated SASL username
+&&SASL_AUTH {
+    sasl_username!~^$
+}
+
+# Trusted networks
+&&TRUSTED_NETS {
+   client_address==file:/etc/postfix/postfwd.wl-nets
+}
+
+# Trusted hostnames
+#   client_name~=.warenform.de$
+&&TRUSTED_HOSTS {
+   client_name=~file:/etc/postfix/postfwd.wl-hosts
+}
+
+# Trusted users
+&&TRUSTED_USERS {
+    sasl_username==file:/etc/postfix/postfwd.wl-user
+}
+
+# Trusted senders
+&&TRUSTED_SENDERS {
+   sender=~file:/etc/postfix/postfwd.wl-sender
+}
+
+# Blacklist networks
+&&BLOCK_NETS {
+   client_address==file:/etc/postfix/postfwd.bl-nets
+}
+
+# Blacklist hostnames
+&&BLOCK_HOSTS {
+   client_name=~file:/etc/postfix/postfwd.bl-hosts
+}
+
+# Blacklist users
+&&BLOCK_USERS {
+   sasl_username==file:/etc/postfix/postfwd.bl-user
+}
+
+# Blacklist sender adresses
+&&BLOCK_SENDER {
+   # =~
+   # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
+   sender=~file:/etc/postfix/postfwd.bl-sender
+}
+
+# Inbound emails only
+&&INCOMING {
+    client_address!=127.0.0.1
+}
+
+
+#======= Rule Sets ============
+
+# ---
+#
+# Processing of the Rule Sets
+#
+# The parser checks the elements of a policy delegation request against the postfwd set
+# of rules and, if necessary, triggers the configured action (action=). Similar to a
+# classic firewall, a rule is considered true if every element of the set of rules (or
+# one from every element list) applies to the comparison. I.e. the following rule:
+#
+#    client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
+#
+# triggers a REJECT if the
+#
+#    Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+#
+# Note:
+#    If an element occurs more than once, an element list is formed:
+#
+# The following rule set is equivalent to the above:
+#
+#    client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
+#
+#
+# triggers a REJECT if (as above) the
+#
+#    Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+# ---
+
+# Whitelists
+
+# Whitelist trusted networks
+id=WHL_NETS
+   &&TRUSTED_NETS
+   action=DUNNO
+
+# Whitelist trusted hostnames
+id=WHL_HOSTS
+   &&TRUSTED_HOSTS
+   action=DUNNO
+
+# Whitelist sasl users
+id=WHL_USERS
+	&&TRUSTED_USERS
+	action=DUNNO
+
+# Whitelist senders
+id=WHL_SENDERS
+   &&INCOMING
+   &&TRUSTED_SENDERS
+   action=DUNNO
+
+
+# Blacklists
+
+# Block networks
+id=BL_NETS
+   &&BLOCK_NETS
+   action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
+
+# Block hostname
+id=BL_HOSTS
+   &&BLOCK_HOSTS
+   action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
+
+# Block users
+id=BL_USERS
+   &&BLOCK_USERS
+   action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
+
+# Blacklist sender
+#
+#    Claim successful delivery and silently discard the message.
+#
+id=BL_SENDER
+   &&BLOCK_SENDER
+   #action=DISCARD
+   action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
+
+
+# Rate Limits
+
+# Throttle unknown clients to 5 recipients per 5 minutes:
+id=RATE_UNKNOWN_CLIENT_ADDR
+   sasl_username =~ /^$/
+	client_name==unknown
+	action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
+
+# Changed from default 'more than 50 messages per minute' (/50/60/421 421)
+#
+# Block clients (ip-addresses) sending more than 150 messages per minute exceeded. Error:RATE_CLIENT)
+id=RATE_CLIENT_ADDR
+    &&INCOMING
+    action=rate($$client_address/150/60/421 421 4.7.0 Too many connections from $$client_address)
+
+# Block messages with more than 50 recipients
+id=BLOCK_MSG_RCPT
+    &&INCOMING
+    &&SASL_AUTH
+	 recipient_count=50
+    action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
+
+# Changed from default '50 messages/hour' (/50/3600/450)
+#
+# Block users sending more than 200 messages/hour
+id=RATE_MSG
+    &&INCOMING
+    &&SASL_AUTH
+    action=rate($$sasl_username/200/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
+
+# Block users sending more than 250 recipients total/hour
+id=RATE_RCPT
+    &&INCOMING
+    &&SASL_AUTH
+    action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
+