diff --git a/host_vars/:q b/host_vars/:q deleted file mode 100644 index 14424c2..0000000 --- a/host_vars/:q +++ /dev/null 
@@ -1,708 +0,0 @@ ---- - -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - - -network_interfaces: - - - device: br0 - # use only once per device (for the first device entry) - headline: br0 - bridge over device enp97s0 - - # auto & allow are only used for the first device entry - allow: [] # array of allow-[stanzas] eg. allow-hotplug - auto: true - - family: inet - method: static - description: - address: 192.168.122.10 - netmask: 24 - gateway: 192.168.122.254 - - # optional dns settings nameservers: [] - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - - # optional bridge parameters bridge: {} - # bridge: - # ports: - # stp: - # fd: - # maxwait: - # waitport: - bridge: - ports: enp97s0 # for mor devices support a blank separated list - stp: !!str off - fd: 5 - hello: 2 - maxage: 12 - - # inline hook scripts - pre-up: - - !!str "ip link set dev enp97s0 up" # pre-up script lines - up: [] #up script lines - post-up: [] # post-up script lines (alias for up) - pre-down: [] # pre-down script lines (alias for down) - down: [] # down script lines - post-down: [] # post-down script lines - - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/systemd-resolved.yml -# --- - -systemd_resolved: true - -# CyberGhost - Schnelle Verbindung 
mit Keine-Logs-Datenschutzrichtlinie -# Primäre DNS-Adresse: 38.132.106.139 -# Sekundäre DNS-Adresse: 194.187.251.67 -# -# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen -# primäre DNS-Adresse -# IPv4: 1.1.1.1 -# IPv6: 2606:4700:4700::1111 -# sekundäre DNS-Adresse -# IPv4: 1.0.0.1 -# IPv6: 2606:4700:4700::1001 -# -# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit -# primäre DNS-Adresse -# IPv4: 8.8.8.8 -# IPv6: 2001:4860:4860::8888 -# sekundäre DNS-Adresse -# IPv4: 8.8.4.4 -# IPv6: 2001:4860:4860::8844 -# -# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug -# primäre DNS-Adresse -# IPv4: 9.9.9.9 -# IPv6: 2620:fe::fe -# sekundäre DNS-Adresse -# IPv4: 149.112.112.112 -# IPv6: 2620:fe::9 -# -# OpenNIC - https://www.opennic.org/ -# IPv4: 195.10.195.195 - ns31.de -# IPv4: 94.16.114.254 - ns28.de -# IPv4: 51.254.162.59 - ns9.de -# IPv4: 194.36.144.87 - ns29.de -# IPv6: 2a00:f826:8:2::195 - ns31.de -# -# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) -# IPv4: 5.1.66.255 -# IPv6: 2001:678:e68:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# IPv4: 185.150.99.255 -# IPv6: 2001:678:ed0:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) -resolved_nameserver: - - 192.168.122.1 - -# search domains -# -# If there are more than one search domains, then specify them here in the order in which -# the resolver should also search them -# -#resolved_domains: [] -resolved_domains: - - ~. 
- - anw-km.netz - -resolved_dnssec: false - -# dns.as250.net: 194.150.168.168 -# -resolved_fallback_nameserver: - - 172.16.122.254 - - -# --- -# vars used by roles/common/tasks/cron.yml -# --- - -cron_user_special_time_entries: - - - name: "Restart DNS Cache service 'systemd-resolved'" - special_time: reboot - job: "sleep 10 ; /bin/systemctl restart systemd-resolved" - insertafter: PATH - - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - -sudoers_file_user_back_mount_privileges: - - 'ALL=(root) NOPASSWD: /usr/bin/mount' - - 'ALL=(root) NOPASSWD: /usr/bin/umount' - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - - -# --- -# vars used by roles/common/tasks/samba-config-server.yml -# vars used by roles/common/tasks/samba-user.yml -# --- - -samba_server_ip: 192.168.122.10 -samba_server_cidr_prefix: 24 - -samba_workgroup: WORKGROUP - -samba_netbios_name: FILE-KM - -samba_server_min_protocol: !!str NT1 - -samba_groups: - - name: kanzlei - group_id: 1100 - - name: a-jur - group_id: 1110 - - name: intern - group_id: 1120 - - name: aulmann - group_id: 1130 - - name: howe - group_id: 1140 - - name: stahmann - group_id: 1150 - - name: traine - group_id: 1160 - - name: public - group_id: 1170 - - name: alle - group_id: 1180 - - - -samba_user: - - - name: advoware - groups: - - advoware - password: '9WNRbc49m3' - - - name: a-jur - groups: - - a-jur - - alle - - intern - - kanzlei - password: 'a-jur' - - - name: andrea - groups: - - advoware - - aulmann - - howe - - stahmann - - traine - - public - password: 'fXc3bmK9gj' - - - name: andreas - groups: - - a-jur - - advoware - - alle - - kanzlei - password: 'YKQRa.M9-6rL' - - - name: 
aphex2 - groups: - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'J3KMRprK9H' - - - name: berenice - groups: - - kanzlei - - a-jur - - alle - password: 'berenice' - - - name: beuster - groups: - - advoware - - aulmann - - howe - - stahmann - - traine - - public - - alle - password: 'zlm17Kx' - - - name: buero - groups: - - kanzlei - - a-jur - - alle - password: 'buero' - - - name: buero2 - groups: - - kanzlei - - a-jur - - alle - password: 'buero2' - - - name: buero3 - groups: - - kanzlei - - a-jur - - alle - password: 'buero3' - - - name: buero4 - groups: - - kanzlei - - a-jur - - alle - password: 'buero4' - - - name: buero7 - groups: - - kanzlei - - a-jur - - alle - password: 'buero7' - - - name: chris - groups: - - a-jur - - advoware - - alle - - aulmann - - intern - - kanzlei - - stahmann - - traine - - public - password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30383265366434633965346530666535363761396165393434643665393137353765653739636364 - 6330623334353763613065343336306434376335646666380a363030363335656261656236636562 - 63663763616630383264303039336562626537366634303636356237323630666635356130383165 - 3837613337343533650a663061366230353531316535656433643162353063383534323833323138 - 3430 - - - name: christina - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'qvR7zX4Lhs' - - - name: federico - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'zHfj9g3NcC' - -# - name: gerhard -# groups: -# - advoware -# - alle -# - aulmann -# - howe -# - stahmann -# - traine -# - public -# password: 'bHdhzWnTj9' - - - name: ho-st1 - groups: - - alle - - howe - - stahmann - password: '44-Ro-440' - -# - name: howe-staff-1 -# groups: -# - advoware -# - alle -# - aulmann -# - howe -# password: '' - - - name: irina - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'W9NKv39pXW' - - - name: jessica - groups: 
- - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'bV3pjPtjkR' - -# - name: laura -# groups: -# - alle -# - aulmann -# - howe -# - stahmann -# - traine -# password: '99-Hamburg-990' - - - name: lenovo3 - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'fndvLmrt7W' - - - name: lenovo4 - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'tpCMmTKj7H' - - - name: lenovo5 - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'L5Hannover51' - - - name: lenovo6 - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - password: '66koeln66' - - - name: rm-buero1 - groups: - - alle - - a-jur - - kanzlei - password: '' - - - name: rm-buero2 - groups: - - alle - - a-jur - - kanzlei - password: '' - - - name: rolf - groups: - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: '4xNVNFXgP4' - - - name: sysadm - groups: - - a-jur - - advoware - - alle - - aulmann - - intern - - kanzlei - - stahmann - - traine - - public - password: 'Ax_GSHh5' - - - name: thomas - groups: - - advoware - - alle - - traine - password: '55-tho-mas-550' - - - name: Tresen - groups: - - a-jur - - advoware - - alle - - kanzlei - - howe - - stahmann - - traine - - public - password: 'maltzwo2' - - - name: winadm - groups: - - a-jur - - advoware - - alle - - intern - - kanzlei - - public - password: 'Ax_GSHh5' - - - -base_home: /data/home - -remove_samba_users: - - name: howe-staff-1 - - name: gerhard - - name: laura - -#remove_samba_users: [] -#remove_samba_users: -# - name: evren - -samba_shares: - - - name: a-jur - comment: a-jur Dokumente - path: /data/samba/a-jur - group_valid_users: a-jur - group_write_list: a-jur - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: 
kanzlei - comment: Kanzlei auf Fileserver - path: /data/samba/kanzlei - group_valid_users: kanzlei - group_write_list: kanzlei - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: install - comment: Install auf Fileserver - path: /data/samba/no-backup-shares/install - group_valid_users: intern - group_write_list: intern - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: false - - - name: aulmann - comment: Aulmann auf Fileserver - path: /data/samba/Aulmann - group_valid_users: aulmann - group_write_list: aulmann - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: howe - comment: Howe auf Fileserver - path: /data/samba/Howe - group_valid_users: howe - group_write_list: howe - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: stahmann - comment: Stahmann auf Fileserver - path: /data/samba/Stahmann - group_valid_users: stahmann - group_write_list: stahmann - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: traine - comment: Traine auf Fileserver - path: /data/samba/Traine - group_valid_users: traine - group_write_list: traine - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: public - comment: Public auf Fileserver - path: /data/samba/public - group_valid_users: public - group_write_list: public - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: Advoware-Schriftverkehr - 
comment: Advoware Dokumente - path: /data/samba/Advoware-Schriftverkehr - group_valid_users: advoware - group_write_list: advoware - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - - - name: Advoware-Backup - comment: Advoware Dokumente - path: /data/samba/Advoware-Backup - group_valid_users: intern - group_write_list: intern - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: false - - - name: alle - comment: Alle auf Fileserver - path: /data/samba/Alle - group_valid_users: alle - group_write_list: alle - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - vfs_object_recycle_is_visible: true - -# - name: web -# comment: Web auf Fileserver -# path: /data/samba/Web -# group_valid_users: web -# group_write_list: web -# file_create_mask: !!str 660 -# dir_create_mask: !!str 2770 -# vfs_object_recycle: true -# recycle_path: '@Recycle' - - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/file-fm.fm.netz.yml b/host_vars/file-fm.fm.netz.yml new file mode 100644 index 0000000..aff27e1 --- /dev/null +++ b/host_vars/file-fm.fm.netz.yml 
@@ -0,0 +1,462 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + + +network_interfaces: + + - device: eno1np0 + # use only once per device (for the first device entry) + headline: eno1 - LAN + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + description: + address: 192.168.222.10 + netmask: 24 + gateway: 192.168.222.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + #nameservers: + # - 192.168.222.1 + #search: blkr.netz + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.222.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 
2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.132.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.222.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - fm.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users +# --- + +default_user: + + - name: chris + password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$UHsnOrOT5qXnAwrPCzB7A1$jnqz4CHvLEaIke3RxnresjAOS6NfcTxyDH/fbKnXTC/ + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + group: localadmin + home: /home/localadmin + password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/ + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup' + +#extra_user: +# +# - name: borg +# user_id: 1065 +# group_id: 1065 +# 
group: borg +# home: /home/borg +# password: $y$j9T$SZty9T8ZWbnyHR2S85xaG.$GhxHOKG9fKErT9s5TAehXXyZJSkNaIcXY18Rg1iMyhC +# shell: /bin/bash +# ssh_keys: +# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' +# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de' +# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXrNhcgNtZykTgzcwX/L1cL8qpSyQQy75M01UpjdSmA root@file-dissens' +# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens' + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_entries: + + - name: "Daily Backup " + minute: "03" + hour: "00" + job: /root/crontab/backup-rborg2/rborg2.sh + + - name: "Check if postfix mailservice is running. Restart service if needed." + minute: "*/5" + hour: "*" + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check Postfix E-Mail LOG file for 'fatal' errors." + minute: "*/30" + hour: "*" + job: /root/bin/postfix/check-postfix-fatal-errors.sh + + - name: "Clean up Samba Trash Dirs" + minute: "02" + hour: "23" + job: /root/bin/samba/clean_samba_trash.sh + + - name: "Set (group and access) Permissons for Samba shares" + minute: "14" + hour: "23" + job: /root/bin/samba/set_permissions_samba_shares.sh + + - name: "Check if ntpsec is running. Restart service if needed." 
+ minute: "*/6" + hour: "*" + job: /root/bin/monitoring/check_ntpsec_service.sh + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_aliases: + - name: MAIN_USER + entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank ' + +sudoers_file_cmnd_aliases: + - name: REBOOT + entry: '/sbin/reboot' + - name: MANAGE_SERVICE + entry: '/usr/bin/systemctl' + + +sudoers_file_user_privileges: + - name: MAIN_USER + entry: ALL = REBOOT + - name: MAIN_USER + entry: ALL = MANAGE_SERVICE + +# - name: julius +# entry: 'ALL=(root) NOPASSWD: /sbin/reboot' +# - name: josephine +# entry: 'ALL=(root) NOPASSWD: /sbin/reboot' +# - name: sebastian +# entry: 'ALL=(root) NOPASSWD: /sbin/reboot' +# - name: julius-e +# entry: 'ALL=(root) NOPASSWD: /sbin/reboot' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/ntp.yml +# --- + +local_ntp_service: true + +ntp_server: gw-fm.fm.netz + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + +nfs_server: 192.168.222.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! 
+# Take car to increase 'fsid' in case of more than one export +# +nfs_exports: + - src: 192.168.222.10:/data/samba/shares + path: /data/samba/shares + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.222.0/24 + - 10.0.222.0/24 + - 10.1.222.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_server_ip: 192.168.222.10 +samba_server_cidr_prefix: 24 + +samba_workgroup: FM + +samba_netbios_name: FILE-FM + +samba_server_min_protocol: !!str NT1 + +samba_groups: + - name: buero + group_id: 1100 + - name: projekte + group_id: 1200 + - name: verwaltung + group_id: 1300 + +samba_user: + - name: sysadm + groups: + - buero + - projekte + - verwaltung + password: 'k6-C5.X-/YGm' + + - name: chris + groups: + - buero + - projekte + - verwaltung + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + + - name: anja + groups: + - buero + - projekte + - verwaltung + password: '20-4nj4.m4y3r_25?' + + - name: barbara + groups: + - buero + - projekte + - verwaltung + password: '20.b4rb4r4-25?' 
+ + - name: linda + groups: + - buero + - projekte + - verwaltung + password: '20-l1nda_hu3p3r.25%' + +base_home: /data/home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] +#remove_samba_users: +# - name: elenor.faellgrem +# - name: maiken.schiele + +samba_shares: + + - name: Buero + comment: Buero auf Fileserver + path: /data/samba/shares/Buero + group_valid_users: buero + group_write_list: buero + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Projekte + comment: Projekte auf Fileserver + path: /data/samba/shares/Projekte + group_valid_users: projekte + group_write_list: projekte + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Verwaltung + comment: Verwaltung auf Fileserver + path: /data/samba/shares/Verwaltung + group_valid_users: verwaltung + group_write_list: verwaltung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/gw-fm.oopen.de.yml b/host_vars/gw-fm.oopen.de.yml index b298a32..fb3463e 100644 --- a/host_vars/gw-fm.oopen.de.yml +++ b/host_vars/gw-fm.oopen.de.yml @@ -38,6 +38,9 @@ network_interfaces: method: static address: 192.168.222.254 netmask: 24 + post-up: + # VLAN 13 Guest Net + - /sbin/ip link add link eno2 name eno2.13 type vlan id 13 - device: eno2:ns 
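Review bot: Four of the five new `samba_user` entries (`sysadm`, `anja`, `barbara`, `linda`) commit Samba passwords in clear text, while the `chris` entry in the same list already shows the file's `!vault |` convention; the cleartext values should be replaced with vault blocks produced by `ansible-vault encrypt_string`, and because the plaintexts are now part of the repository history (the deleted `host_vars/:q` hunk carried the same kind of credentials and the identical `root_user.password` hash, and deleting a file does not purge it from history) they should be treated as exposed and rotated rather than only encrypted in place. Separately, `samba_server_min_protocol: !!str NT1` keeps SMB1 negotiable on this server; unless a specific legacy client still requires it, a safer setting is `samba_server_min_protocol: !!str SMB2`, with a comment naming that client if NT1 has to stay. A smaller style point: `network_manage_devices: True` and `network_interface_reload: False` use capitalised YAML 1.1 truthy forms where the rest of the file writes `true`/`false` (`systemd_resolved: true`, `resolved_dnssec: false`).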
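Review bot: The new `post-up` hook on the first eno2 stanza runs `/sbin/ip link add link eno2 name eno2.13 type vlan id 13` unconditionally, so any re-run of the hook while `eno2.13` already exists (for example `ifup --force eno2` or an `ifreload`) would fail it with an RTNETLINK "File exists" error; guarding it as `- /sbin/ip link show eno2.13 >/dev/null 2>&1 || /sbin/ip link add link eno2 name eno2.13 type vlan id 13` makes the hook idempotent. The following hunk (`@@ -48,6 +51,24 @@`) also declares `eno2.13` as its own `auto: true` device; if this host has the `vlan` package's ifupdown hooks installed (not visible in this diff), bringing that stanza up creates the VLAN link by itself and the manual `ip link add` here would be redundant, so a comment such as `# created here rather than by the vlan hook because …` should record which mechanism is intended. There is no matching `post-down` removing `eno2.13`, so the link outlives `ifdown eno2`; that may be deliberate but is worth stating next to the hook.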
@@ -48,6 +51,24 @@ network_interfaces: address: 192.168.222.1 netmask: 32 + + - device: eno2.13 + headline: eno2.13 - Guest Network + auto: true + family: inet + method: static + address: 192.168.223.254 + netmask: 24 + + - device: eno2.13:ns + headline: eno2.13:ns - alias on eno2.13 (Guest Network) + auto: true + family: inet + method: static + address: 192.168.223.1 + netmask: 32 + + # --- # vars used by roles/ansible_dependencies # --- @@ -157,8 +178,56 @@ resolved_fallback_nameserver: # vars used by roles/common/tasks/cron.yml # --- +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check if nameservice (bind) is running?" + minute: '*/10' + hour: '*' + job: /root/bin/monitoring/check_dns.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: '0-59/2' + hour: '*' + job: /root/bin/monitoring/check_forwarding.sh + +# - name: "Speedtest" +# minute: '17' +# hour: '*0-8' +# job: /root/bin/admin-stuff/speedtest.sh + + - name: "Copy gateway configuration" + minute: '09' + hour: '3' + job: /root/bin/manage-gw-config/copy_gateway-config.sh FM + + cron_user_special_time_entries: + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + - name: "Restart NTP service 'ntpsec'" special_time: reboot job: "sleep 15 ; /bin/systemctl restart ntpsec"
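Review bot: In the new `cron_user_entries` block, the commented-out Speedtest entry carries `hour: '*0-8'`, which is not valid cron syntax (a range cannot be prefixed with `*`); if it is ever re-enabled as written the crontab install would most likely be rejected, so it should read `hour: '0-8'` even while commented out. The cron field quoting here (`minute: '*/15'`, `hour: '*'`) uses single quotes while the sibling `host_vars/file-fm.fm.netz.yml` added in this commit double-quotes the same fields (`minute: "*/5"`); either is fine, but one convention across host_vars would ease diffing. The `cron_user_special_time_entries` list now holds three reboot jobs that each depend on a fixed `sleep`; a comment such as `# staggered on purpose: postfix check 7s, resolved restart 10s, ntpsec restart 15s` would record the intended ordering.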