diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index bcd8f65..84f41f4 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1820,7 +1820,7 @@ samba_netbios_name: # samba_server_min_protocol: -samba_groups: ([]) +samba_groups: [] # samba_user: # - name: chris @@ -1829,7 +1829,7 @@ samba_groups: ([]) # - group2 # password: 'H-.T/TvN5S9J' # -samba_user: ([]) +samba_user: [] base_home: /home @@ -1837,7 +1837,7 @@ base_home: /home # - name: name1 # - name: name2 # -remove_samba_users: ([]) +remove_samba_users: [] # samba_shares # diff --git a/host_vars/file-ebs.ebs.netz.yml b/host_vars/file-ebs.ebs.netz.yml new file mode 100644 index 0000000..12dce89 --- /dev/null +++ b/host_vars/file-ebs.ebs.netz.yml 
@@ -0,0 +1,306 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device eno1 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: 3c:ec:ef:96:ab:f6 + description: + address: 192.168.182.10 + netmask: 24 + gateway: 192.168.182.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.182.1 + search: ebs.netz + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: eno1 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # inline hook scripts + pre-up: + - !!str "ip link set dev eno1 up" # pre-up script lines + up: [] #up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by 
roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$XI.g9q9bTmzqe35q$tDrpoJFBGsHrmy/mtOAQfrstgIhZEaYGt6hxfTCXI0YvAAUiHT4cJOLR6ivN0CPVNtkv8IFe7dk8NXR/1yScm. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$8v0PKesHmS2Z1xIO$n2a19e2GawIvHNi9U.W4nTxjJCTDtO5AlEP082PnCdp.fw5vIMv1AA.i2RMbXH2XuMdphXU6srSV/wFmp0e0q. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + +nfs_server: 192.168.182.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +nfs_exports: + - src: 192.168.182.10:/data/samba + path: /data/samba + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.182.0/24 + - 10.0.192.0/24 + - 10.1.192.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_server_ip: 192.168.182.10 +samba_server_cidr_prefix: 24 + +samba_workgroup: EBS + +samba_netbios_name: FILE-EBS + +#samba_server_min_protocol: !!str NT1 + +samba_groups: + + - name: alle + group_id: 1110 + + +samba_user: + + - name: chris + groups: + - alle + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + + - name: sysadm + groups: 
+ - alle + password: 'IrcR3uo-QJ.5' + + - name: buero + groups: + - alle + password: 'buero-ebs/2022.%' + + - name: axel + groups: + - alle + password: 'ah-ebs.2022-!' + + - name: bjoern + groups: + - alle + password: 'be-ebs-2022/%' + + - name: christoph + groups: + - alle + password: 'ck-ebs-2022.%' + + - name: kristin + groups: + - alle + password: 'kp-ebs.2022_%' + + - name: maik + groups: + - alle + password: 'me-ebs_2022.!' + + + +base_home: /data/home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +samba_shares: + + - name: 4all + comment: 4all auf Fileserver + path: /data/samba/4all + group_valid_users: alle + group_write_list: alle + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/file-fhxb.fhxb.netz b/host_vars/file-fhxb.fhxb.netz.yml similarity index 100% rename from host_vars/file-fhxb.fhxb.netz rename to host_vars/file-fhxb.fhxb.netz.yml diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index 3e28d4c..7ed5956 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -122,6 +122,8 @@ bind9_gateway_acl: entries: - '# Nameserver Kanzlei Kiel' - 192.168.100.1 + - '# Nameserver Kanzlei Elster' + - 192.168.202.1 bind9_gateway_listen_on_v6: - none diff --git a/host_vars/gw-fhxb.oopen.de.yml b/host_vars/gw-elster.oopen.de.yml similarity index 92% rename from host_vars/gw-fhxb.oopen.de.yml rename to host_vars/gw-elster.oopen.de.yml index 86e2102..b52cd35 100644 --- a/host_vars/gw-fhxb.oopen.de.yml +++ b/host_vars/gw-elster.oopen.de.yml 
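Review bot: The `samba_user` entries from sysadm through maik store their passwords as plain quoted strings (`password: 'IrcR3uo-QJ.5'` and the six entries that follow) in a host_vars file committed to the repository, while the chris entry in the same list is already an `!vault` block; the remaining entries should be vault-encrypted the same way, or the whole list moved to a vaulted vars file, and since the clear-text values are now part of VCS history the passwords should be rotated after the change. The `default_user` and `root_user` `password:` fields are crypt hashes rather than plaintext, but they are still sensitive and fit the same vault treatment. Minor style points in the same file: `network_manage_devices: True` and `network_interface_reload: False` use capitalized YAML 1.1 booleans where the rest of the file writes `true`/`false`, and `description:` under the br0 entry is a bare empty value that parses as null rather than an empty string — `description: ''` if the network_interfaces role expects a string, which the diff does not show.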
@@ -26,13 +26,13 @@ network_interfaces: auto: true family: inet method: static - address: 172.16.192.1 + address: 192.168.1.253 netmask: 24 - gateway: 172.16.192.254 + gateway: 192.168.1.1 nameservers: - 127.0.0.1 - - 192.168.192.1 - search: fhxb.netz + - 192.168.1.253 + search: elster.netz - device: eno2 @@ -40,7 +40,7 @@ network_interfaces: auto: true family: inet method: static - address: 192.168.192.254 + address: 192.168.202.254 netmask: 23 @@ -49,7 +49,7 @@ network_interfaces: auto: true family: inet method: static - address: 192.168.192.1 + address: 192.168.202.1 netmask: 32 @@ -58,16 +58,7 @@ network_interfaces: auto: true family: inet method: static - address: 192.168.194.254 - netmask: 24 - - - - device: eno4 - headline: eno4 - OLD LAN - auto: true - family: inet - method: static - address: 192.168.178.254 + address: 192.168.203.254 netmask: 24 @@ -115,7 +106,7 @@ cron_user_entries: - name: "Copy gateway configuration" minute: '09' hour: '3' - job: /root/bin/manage-gw-config/copy_gateway-config.sh FHXB + job: /root/bin/manage-gw-config/copy_gateway-config.sh ELSTER #cron_user_special_time_entries: [] @@ -231,6 +222,11 @@ bind9_gateway_acl: - fc00::/7 - fe80::/10 - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Kanzlei EBS' + - 192.168.182.1 bind9_gateway_listen_on_v6: - none @@ -240,7 +236,10 @@ bind9_gateway_listen_on: #bind9_gateway_allow_transfer: {} bind9_gateway_allow_transfer: - - none + - internaldns + +bind9_transfer_source: !!str "192.168.202.1" +bind9_notify_source: !!str "192.168.202.1" #bind9_gateway_allow_query: {} bind9_gateway_allow_query: diff --git a/hosts b/hosts index 416991c..a483441 100644 --- a/hosts +++ b/hosts @@ -29,6 +29,7 @@ gw-ah.oopen.de gw-ak.oopen.de gw-akb.akb.netz gw-ebs.oopen.de +gw-elster.oopen.de gw-fhxb.oopen.de gw-ckubu.local.netz gw-b3.oopen.de 
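Review bot: In the `@@ -240,7 +236,10 @@` hunk the `!!str` tag on `bind9_transfer_source: !!str "192.168.202.1"` and `bind9_notify_source: !!str "192.168.202.1"` is redundant, because a double-quoted scalar is already a string; `bind9_transfer_source: "192.168.202.1"` reads cleaner and matches how the rest of the file writes addresses. The same hunk switches `bind9_gateway_allow_transfer` from `- none` to `- internaldns`, so zone transfers are now permitted to the hosts of the `internaldns` ACL introduced in the `@@ -231` hunk (192.168.182.1 per its entries); a one-line comment above the list such as `# transfers allowed only to the EBS nameserver (internaldns ACL)` would make that widening of the previous deny-all visible to the next reader. The `bind9_gateway_allow_transfer` mapping continues outside the hunk.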
@@ -44,6 +45,7 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz @@ -207,45 +209,6 @@ lxc-host-kb.anw-kb.netz [initial_setup] -gw-123.oopen.de -gw-fhxb.oopen.de -gw-ah.oopen.de -gw-ak.oopen.de -gw-ebs.oopen.de -gw-akb.akb.netz -gw-b3.oopen.de -gw-blkr.oopen.de -gw-d11.oopen.de -gw-flr.oopen.de -gw-km.oopen.de -gw-irights.irights.netz -gw-mbr.oopen.de -gw-opp.oopen.de -gw-km.oopen.de -gw-spr.oopen.de - -gw-kb.oopen.de - -bbb-server.b3-bornim.netz -file-ah.kanzlei-kiel.netz -file-fhxb.fhxb.netz -file-km.anw-km.netz -file-blkr.blkr.netz -zapata.opp.netz - -gw-ckubu.local.netz - -gw-replacement.local.netz -gw-replacement2.local.netz -gw-replacement3.local.netz - -k1371.dyndns.org - -ga-st-gw-ersatz.ga.netz -ga-st-gw-surf1.oopen.de -ga-al-gw.oopen.de -ga-nh-gw.oopen.de - # --- # - Warenform Server # --- 
@@ -418,31 +381,76 @@ lxc-host-kb.anw-kb.netz # - local network ckubu gw-ckubu.local.netz +gw-replacement.local.netz +gw-replacement2.local.netz +gw-replacement3.local.netz + + +# 123Comics +gw-123.oopen.de + +# AK +k1371.dyndns.org +gw-ak.oopen.de + +# AKB gw-akb.akb.netz -# - AK -gw-ak.oopen.de +# B3 Bornim +gw-b3.oopen.de +bbb-server.b3-bornim.netz + +# - FHXB Museum Friedrichshain Kreuzberg +gw-fhxb.oopen.de +file-fhxb.fhxb.netz + +# Fluechtlingsrat BRB +gw-flr.oopen.de + +# iRights +gw-irights.irights.netz + +# - Kanzlei Berenice +gw-km.oopen.de +file-km.anw-km.netz + +# - Kanzlei BLKR +gw-blkr.oopen.de +file-blkr.blkr.netz + +# - Kanzlei EBS Leipzig +gw-ebs.oopen.de +file-ebs.ebs.netz + +# Kanzlei Elster Jena +gw-elster.oopen.de # - Kanzlei Kiel gw-ah.oopen.de file-ah.kanzlei-kiel.netz -# - FHXB Museum Friedrichshain Kreuzberg -file-fhxb.fhxb.netz +# Kanzlei Kreuzbergstraße +gw-kb.oopen.de -# - Kanzlei Berenice -file-km.anw-km.netz - -# - Kanzlei BLKR -file-blkr.blkr.netz +# MBR / VDK +gw-mbr.oopen.de # OPP +gw-opp.oopen.de zapata.opp.netz -# - Kanzlei EBS Leipzig -gw-ebs.oopen.de +# Sprachenatelier +gw-spr.oopen.de + +# Warenform +gw-d11.oopen.de # - GA - Gemeinschaft Altensclirf +ga-st-gw-ersatz.ga.netz +ga-st-gw-surf1.oopen.de +ga-al-gw.oopen.de +ga-nh-gw.oopen.de + ga-st-lxc1.ga.netz ga-st-mail.ga.netz ga-al-ws1.ga.netz @@ -688,8 +696,6 @@ cl-test.oopen.de file-ah.kanzlei-kiel.netz -file-fhxb.fhxb.netz - [ftp_server] @@ -939,6 +945,9 @@ web0.warenform.de web1.warenform.de web2.warenform.de +# server26.warenform.de +backup.warenform.de + # --- # - Warenform Office # --- @@ -1114,6 +1123,7 @@ o17.oopen.de # --- bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz @@ -1122,6 +1132,7 @@ zapata.opp.netz [nfs_server] +file-ebs.ebs.netz file-fhxb.fhxb.netz 
@@ -1328,6 +1339,7 @@ cl-test.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz @@ -1546,6 +1558,7 @@ gw-ak.oopen.de gw-b3.oopen.de gw-d11.oopen.de gw-ebs.oopen.de +gw-elster.oopen.de gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index 8fa1ffa..10b47fa 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts @@ -38,20 +38,15 @@ thecaffeinatedquilter\.com$ rea\.realflightshop\.com$ tetontimberlinetrading\.com$ walelaber\.shop$ -couetsart\.xyz$ technedigitale\.com$ dia-two-2\.de$ surlumice\.store$ -hecnvoipl\.xyz$ -viastarco\.xyz$ mail\.notistall\.balashov\.su$ mail\.batistase\.hz\.cz$ mail\.lorinsales\.de\.fr$ mail\.jostalles\.azerbaijan\.su$ mail\.batistase\.hz\.cz$ -wulprobot\.xyz$ circuitlogix\.com$ -anelpones\.xyz$ a27-10\.smtp-out.us-west-2\.amazonses\.com$ relay01\.cne\.gob\.ve$ mta01\.cne\.gob\.ve$ @@ -61,7 +56,11 @@ berligpot\.quest$ chwestinstrumentalmusic\.com$ nrgroekle\.site$ classyak\.com$ -homrondea\.xyz$ childswork\.com$ ywgf\.net$ alnweohct\.online$ +kitchenfantasy\.com$ +kitchenfaucetcenter\.com$ +fqmeta\.net$ +kitchenespial\.com$ + diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets index 0821552..edbea79 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets @@ -107,4 +107,13 @@ # US u.a.(liefer-experten.com) 69.12.79.32/27 207.167.64.0/23 - +# US (u.a. premiumversender.com) +192.161.172.0/23 +# LIR (u.a. premiumversender.com) +185.101.92.0/22 +# US (u.a. d-logistik.com) +216.144.236.224/28 +# GB + 146.59.88.240/29 +# UA (Ukraine) +193.3.23.0/24 
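Review bot: In the postfwd.bl-nets hunk the entry added under `# GB` is `+ 146.59.88.240/29`, so the CIDR carries a leading space, unlike every other network line in the hunk. Unless postfwd's list parser trims leading whitespace, which the diff does not let me verify, that entry may never match and should be written flush left as `146.59.88.240/29`. The other added lines follow the file's existing `# comment` line plus CIDR pattern.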
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender index c6077e8..0f64d43 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender @@ -76,6 +76,9 @@ firmen-infos\.com$ @profiverkauf\.com$ @liefer-experten\.com$ +@premiumversender\.com$ +@longhornvapor\.com$ +@d-logistik\.com$ # annoying spammer addresses ^error@mailfrom\.com$ diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2 index 4c5bcd0..c238e0d 100644 --- a/roles/common/templates/etc/samba/smb.conf.j2 +++ b/roles/common/templates/etc/samba/smb.conf.j2 @@ -57,7 +57,7 @@ # # Example: server min protocol = NT1 # - server min protocol = {{ samba_server_min_protocol }} + server min protocol = {{ samba_server_min_protocol|default('SMB2_02') }} {% endif %}
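Review bot: In the smb.conf.j2 hunk, `server min protocol = {{ samba_server_min_protocol|default('SMB2_02') }}` sits directly before an `{% endif %}` whose opening `{% if %}` is outside the hunk; if that condition already tests `samba_server_min_protocol is defined`, the `default('SMB2_02')` filter can never take effect and the fallback would have to live in the role defaults instead. If the condition is something else, the change is fine and the fallback has the useful effect that hosts which leave the variable commented out (as the new file-ebs host_vars does) no longer render an empty `server min protocol =` line. A short comment above the line, for example `# falls back to SMB2_02 so SMB1/NT1 is never enabled implicitly`, would document why that particular default was chosen.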