diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 0173bf9..bcd8f65 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1109,6 +1109,14 @@ sshd_macs: - hmac-sha2-512-etm@openssh.com - umac-128-etm@openssh.com +# This users are allowed to use password authentification +# +sshd_pasword_auth_user: + +# This IP-Addresses are allowed to use password authentification +# +sshd_pasword_auth_ip: + # --- # vars used by roles/common/tasks/sudoers.yml @@ -1787,6 +1795,9 @@ roundcube_2_skin_logo: # vars used by roles/common/tasks/samba-user.yml # ========== +samba_server_ip: +samba_server_cidr_prefix: 24 + apt_install_server_samba: - samba - nscd @@ -1796,20 +1807,20 @@ apt_install_server_samba: # example: # samba_workgroup: MBR # -samba_workgroup: {} +samba_workgroup: # samba_netbios_name # # example: # samba_netbios_name: FILE-MBR # -samba_netbios_name: {} +samba_netbios_name: # samba_server_min_protocol # -samba_server_min_protocol: {} +samba_server_min_protocol: -samba_groups: [] +samba_groups: ([]) # samba_user: # - name: chris @@ -1818,7 +1829,7 @@ samba_groups: [] # - group2 # password: 'H-.T/TvN5S9J' # -samba_user: [] +samba_user: ([]) base_home: /home @@ -1826,7 +1837,7 @@ base_home: /home # - name: name1 # - name: name2 # -remove_samba_users: [] +remove_samba_users: ([]) # samba_shares # diff --git a/host_vars/bbb-server.b3-bornim.netz.yml b/host_vars/bbb-server.b3-bornim.netz.yml index 8b47ce3..02b43ba 100644 --- a/host_vars/bbb-server.b3-bornim.netz.yml +++ b/host_vars/bbb-server.b3-bornim.netz.yml @@ -159,6 +159,9 @@ sudo_users: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 192.168.42.10 +samba_server_cidr_prefix: 24 + samba_workgroup: B3-BORNIM samba_netbios_name: BBB-SERVER diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml index 2bd872a..ef78faf 100644 --- a/host_vars/file-ah.kanzlei-kiel.netz.yml +++ b/host_vars/file-ah.kanzlei-kiel.netz.yml 
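Review bot: The two new keys in the `@@ -1109` hunk, `sshd_pasword_auth_user` and `sshd_pasword_auth_ip`, are left as bare values, which YAML reads as null rather than an empty list, and their names misspell "password" while the existing key in the same section is `sshd_password_authentication`. The template guards both with `is defined and ...`, so null works today, but `sshd_pasword_auth_user: []` / `sshd_pasword_auth_ip: []` states the type a host override must use and keeps a single-string override from being iterated character by character by the `{% for %}` loops. The comment above `sshd_pasword_auth_user` should also say what the switch really does: `# Each user listed here may authenticate by password from any source address (the Match User block is not limited by sshd_pasword_auth_ip)`.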
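Review bot: `samba_groups: ([])` in the `@@ -1796` hunk is not an empty list: in block context YAML takes the parentheses and brackets as a plain scalar, so the default becomes the four-character string `([])`; the same applies to `samba_user: ([])` in `@@ -1818` and `remove_samba_users: ([])` in `@@ -1826`. Any task or template that loops over these defaults will either reject a string or iterate its characters, so the previous form should be restored, e.g. `samba_groups: []`. The keys changed from `{}` to a bare value in the same hunk (`samba_workgroup`, `samba_netbios_name`, `samba_server_min_protocol`) now default to null instead of an empty mapping; that is harmless if their consumers only test truthiness, but if any template prints the value it will render differently, which the diff does not show.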
@@ -194,6 +194,9 @@ sudo_users: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 192.168.100.10 +samba_server_cidr_prefix: 24 + samba_workgroup: AH samba_netbios_name: FILE-AH diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml index fa86bd3..ac42fdb 100644 --- a/host_vars/file-blkr.blkr.netz.yml +++ b/host_vars/file-blkr.blkr.netz.yml @@ -180,6 +180,9 @@ sudo_users: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 192.168.162.10 +samba_server_cidr_prefix: 24 + samba_workgroup: BLKR samba_netbios_name: FILE-BLKR diff --git a/host_vars/file-fhxb.fhxb.netz b/host_vars/file-fhxb.fhxb.netz index a99706a..7157606 100644 --- a/host_vars/file-fhxb.fhxb.netz +++ b/host_vars/file-fhxb.fhxb.netz @@ -35,7 +35,7 @@ network_interfaces: method: static description: address: 192.168.192.10 - netmask: 24 + netmask: 23 gateway: 192.168.192.254 # optional dns settings nameservers: [] @@ -172,7 +172,7 @@ nfs_exports: mount_opts: users,rsize=8192,wsize=8192,hard,intr export_opt: rw,root_squash,sync,subtree_check export_networks: - - 192.168.192.0/24 + - 192.168.192.0/23 - 10.0.192.0/24 - 10.1.192.0/24 - 192.168.63.0/24 @@ -183,7 +183,7 @@ nfs_exports: mount_opts: users,rsize=8192,wsize=8192,hard,intr export_opt: rw,root_squash,sync,subtree_check export_networks: - - 192.168.192.0/24 + - 192.168.192.0/23 - 10.0.192.0/24 - 10.1.192.0/24 - 192.168.63.0/24 @@ -196,6 +196,9 @@ nfs_exports: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 192.168.192.10 +samba_server_cidr_prefix: 23 + samba_workgroup: FHXB samba_netbios_name: FILE-FHXB @@ -247,6 +250,9 @@ samba_groups: group_id: 1480 - name: vermittlung group_id: 1490 + + - name: altlasten + group_id: 1510 samba_user: @@ -278,6 +284,8 @@ samba_user: - vermittlung - leitung + - altlasten + password: !vault | $ANSIBLE_VAULT;1.1;AES256 63643330373231636537366333326630333265303265653933613835656262323863363038653234 
@@ -288,6 +296,7 @@ samba_user: - name: sysadm groups: + - altlasten - archiv - ausstellungen - buero @@ -380,6 +389,7 @@ samba_user: # Florian Helm - name : f.helm groups: + - altlasten - archiv - ausstellungen - buero @@ -480,6 +490,7 @@ samba_user: # Natalie Bayer - name : n.bayer groups: + - altlasten - archiv - ausstellungen - buero @@ -612,6 +623,15 @@ remove_samba_users: samba_shares: + - name: Altlasten + comment: Altlasten auf Fileserver + path: /data/samba/FHXB-Server/Altlasten + group_valid_users: altlasten + group_write_list: altlasten + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + - name: Archiv comment: Archiv auf Fileserver path: /data/samba/FHXB-Server/Archiv @@ -804,7 +824,7 @@ samba_shares: - name: FHXB-Sammlungen comment: FHXB-Sammlungen auf Fileserver - path: /data/samba/Darchim2/Bildarchiv + path: /data/samba/Darchim2/FHXB-Sammlungen group_valid_users: fhxb-sammlungen group_write_list: fhxb-sammlungen file_create_mask: !!str 660 diff --git a/host_vars/gw-fhxb.oopen.de.yml b/host_vars/gw-fhxb.oopen.de.yml index d8021db..86e2102 100644 --- a/host_vars/gw-fhxb.oopen.de.yml +++ b/host_vars/gw-fhxb.oopen.de.yml @@ -26,9 +26,9 @@ network_interfaces: auto: true family: inet method: static - address: 192.168.178.254 + address: 172.16.192.1 netmask: 24 - gateway: 192.168.178.1 + gateway: 172.16.192.254 nameservers: - 127.0.0.1 - 192.168.192.1 @@ -41,7 +41,7 @@ network_interfaces: family: inet method: static address: 192.168.192.254 - netmask: 24 + netmask: 23 - device: eno2:ns @@ -54,11 +54,11 @@ network_interfaces: - device: eno3 - headline: eno3 - LAN + headline: eno3 - WLAN auto: true family: inet method: static - address: 192.168.193.254 + address: 192.168.194.254 netmask: 24 diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index c58eac7..067e31a 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml 
@@ -234,6 +234,9 @@ git_firewall_repository: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 83.223.85.203 +samba_server_cidr_prefix: 24 + samba_workgroup: AH samba_netbios_name: FILE-AH diff --git a/host_vars/oolm-db.oopen.de.yml b/host_vars/oolm-db.oopen.de.yml new file mode 100644 index 0000000..3197b71 --- /dev/null +++ b/host_vars/oolm-db.oopen.de.yml @@ -0,0 +1,73 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +#sshd_pasword_auth_user: +# - chris + +#sshd_pasword_auth_ip: +# - 2003:ec:df0c:e7fe:ebb:d93b:1d33:3918 +# - 2003:ec:df0c:e7fe:4b3a:a5ba:c661:f7f6 + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/oolm-shop.oopen.de.yml b/host_vars/oolm-shop.oopen.de.yml index 4526ab8..dceba70 100644 --- a/host_vars/oolm-shop.oopen.de.yml +++ b/host_vars/oolm-shop.oopen.de.yml @@ -21,6 +21,13 @@ #sshd_password_authentication: !!str "yes" +# This users are allowed to use password authentification +# +#sshd_pasword_auth_user: +# - nordkurier_live + +sshd_pasword_auth_ip: + - 34.107.7.34 # --- # vars used by apt.yml diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index e2e05c8..506b18d 100644 --- a/host_vars/zapata.opp.netz.yml 
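Review bot: `samba_server_ip: 83.223.85.203` in the o17 hunk points the smb.conf `interfaces` line at what appears to be a publicly routable address, so smbd will bind its SMB listeners on the internet-facing interface (the previous template used `ansible_default_ipv4.address`, so this may be unchanged in practice). The smb.conf.j2 context in this commit shows `hosts deny = 0.0.0.0/0` but not the matching `hosts allow`, so it is worth confirming on this host that `hosts allow` and the host firewall restrict 445/139 to the intended clients. A short comment, `# public address: access is limited by 'hosts allow' in smb.conf and the firewall`, would record that this is deliberate.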
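Review bot: `sshd_pasword_auth_ip: - 34.107.7.34` in the oolm-shop hunk only narrows password logins if the global `PasswordAuthentication` is off; the line `#sshd_password_authentication: !!str "yes"` just above is commented out, so the effective global value comes from the role default, which this diff does not show and which is worth confirming. As rendered by the template, the `Match Address` block allows password authentication for every account from that address, not just `nordkurier_live`, which the commented `sshd_pasword_auth_user` entry suggests was the intent. A comment such as `# password auth from this address is allowed for all accounts, not only nordkurier_live` makes that explicit.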
+++ b/host_vars/zapata.opp.netz.yml @@ -159,6 +159,9 @@ sudo_users: # vars used by roles/common/tasks/samba-user.yml # --- +samba_server_ip: 192.168.62.10 +samba_server_cidr_prefix: 24 + samba_workgroup: OPP samba_netbios_name: ZAPATA diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index 17e36b5..e32ab48 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts @@ -44,3 +44,16 @@ dia-two-2\.de$ surlumice\.store$ hecnvoipl\.xyz$ viastarco\.xyz$ +mail\.notistall\.balashov\.su$ +mail\.batistase\.hz\.cz$ +mail\.lorinsales\.de\.fr$ +mail\.jostalles\.azerbaijan\.su$ +mail\.batistase\.hz\.cz$ +wulprobot\.xyz$ +circuitlogix\.com$ +anelpones\.xyz$ +a27-10\.smtp-out.us-west-2\.amazonses\.com$ +relay01\.cne\.gob\.ve$ +mta01\.cne\.gob\.ve$ +news1\.worldnews\.hair$ +ritechager\.info$ diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets index 5c8c043..acb5d33 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets @@ -70,3 +70,31 @@ 217.199.96.0/19 # viastarco.xyz (eur-versand.com) 163.123.180.214 +# RU (u.a lorinsales.de.fr) +185.31.160.0/22 +# RU (batistase.hz.cz) +93.189.42.0/23 +# RU (notistall.balashov.su) +77.87.212.0/24 +# RU (jostalles.azerbaijan.su) +62.173.128.0/19 +# RU ( u.a. batistase.hz.cz ) +62.76.184.0/21 +# US (u.a. premiumofen.com) +172.93.96.0/20 +# US (u.a. premiumofen.com) +108.171.192.0/19 +# US () +54.240.0.0/18 +# VE ( u.a. cne.gob.ve) +201.130.82.0/23 +# mx1.privateemail.com mx2.privateemail.com +198.54.122.250 +198.54.122.240 +# US (u.a. direktpaket.com>) +198.54.112.0/20 +# classic-british-motorcycles.com +172.67.189.127 +104.21.33.94 +# (u.a. direktpaket.com) +194.116.228.0/24 
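Review bot: `mail\.batistase\.hz\.cz$` is added twice in the bl-hosts hunk (the second and fifth added entries); the duplicate should be dropped. `a27-10\.smtp-out.us-west-2\.amazonses\.com$` leaves the dot after `smtp-out` unescaped, unlike every other entry, so it matches any character there; `a27-10\.smtp-out\.us-west-2\.amazonses\.com$` keeps the pattern literal.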
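Review bot: `54.240.0.0/18` in the bl-nets hunk carries the empty comment `# US ()`, so unlike every other added range nothing records which sender justified it; a /18 is a large block to reject without a note, and if it was meant to pair with the `amazonses.com` host entry added in bl-hosts, say so, e.g. `# US (a27-10.smtp-out.us-west-2.amazonses.com)`. The comment `# US (u.a. direktpaket.com>)` has a stray `>`.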
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
index a3faea1..8303d6c 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@@ -69,6 +69,10 @@ firmen-infos\.com$ @podiumskate\.\S+$ @ppe-healthcare-europe\.\S+$ +@direktpaket\.com$ +@revzilla\.com$ +@christopherhinz\.com$ + # annoying spammer addresses ^error@mailfrom\.com$
diff --git a/roles/common/tasks/redis-server.yml b/roles/common/tasks/redis-server.yml
index 7f77929..c50daf9 100644
--- a/roles/common/tasks/redis-server.yml
+++ b/roles/common/tasks/redis-server.yml
@@ -91,7 +91,7 @@ when: - redis_conf_exists.stat.exists == False tags: - - samba-server + - redis-server - name: (redis-server.yml) adjust configuration '/etc/redis/redis.conf' lineinfile:
diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2
index 595989b..4c5bcd0 100644
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
@@ -67,7 +67,7 @@ # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ; interfaces = 127.0.0.0/8 eth0 - interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8 + interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8 # Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf hosts deny = 0.0.0.0/0
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
index 8743694..96bc005 100644
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
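Review bot: The new `interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8` line in smb.conf.j2 has no guard for a host that does not set `samba_server_ip`, and the default this commit adds to group_vars/all/main.yml is a bare `samba_server_ip:` (null), so such a host renders an unusable first `interfaces` entry instead of failing the play. `interfaces = {{ samba_server_ip | mandatory }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8` makes the play stop for an unset variable, but since `mandatory` only catches an undefined value the bare default in group_vars should be dropped as well so the variable really is undefined on hosts that omit it. A comment above the line, `# samba_server_ip / samba_server_cidr_prefix are per-host settings; the previous default was ansible_default_ipv4.address/24`, would help hosts migrating from the old template.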
@@ -466,4 +466,36 @@ Match group sftp_users ChrootDirectory %h ForceCommand internal-sftp +Match all + {% endif -%} + +{% if (sshd_pasword_auth_user is defined) and sshd_pasword_auth_user %} + +#----------------------------- +# Match User for PasswordAuthentication +#----------------------------- +{% for item in sshd_pasword_auth_user %} + +Match User {{ item }} + PasswordAuthentication yes + +Match all + +{% endfor %} +{% endif %} + +{% if (sshd_pasword_auth_ip is defined) and sshd_pasword_auth_ip %} + +#----------------------------- +# Match IP Address for PasswordAuthentication +#----------------------------- +{% for item in sshd_pasword_auth_ip %} + +Match Address {{ item }} + PasswordAuthentication yes + +Match all + +{% endfor %} +{% endif %}
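Review bot: The `Match User {{ item }}` block in the new section switches PasswordAuthentication on for that account from every source address, independently of the `Match Address` list, since the two are rendered as separate blocks; for a user that only logs in from known addresses a combined criteria line, `Match User {{ item.name }} Address {{ item.address }}`, would scope it properly, at the cost of the list entries carrying both fields. The variables are spelled `sshd_pasword_auth_user`/`sshd_pasword_auth_ip` while the existing setting in this role is `sshd_password_authentication`; renaming before hosts depend on them is cheap now. The added `Match all` before `{% endif -%}` appears to be there to close the `Match group sftp_users` block, whose `{% if %}` and `Match` lines start outside the hunk. A header comment in the rendered file, `# Per-user / per-address password exceptions generated from sshd_pasword_auth_user and sshd_pasword_auth_ip`, would tell whoever reads /etc/ssh/sshd_config where these blocks come from.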