update..

2024-10-19 10:18:05 +02:00 · 2024-10-19 10:18:05 +02:00 · c771ba2095
commit c771ba2095
parent 134eb18465
6 changed files with 319 additions and 74 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -2082,6 +2082,8 @@ sshd_pubkey_authentication: !!str "yes"
 sshd_password_authentication: !!str "no"
 sshd_kbd_interactive_authentication:
 sshd_use_pam: !!str "yes"
 #sshd_allowed_users:
@ -2095,6 +2097,7 @@ sshd_use_dns: !!str "no"
 sshd_gateway_ports: !!str "no"
 sshd_required_rsa_size: 4096
 # sshd_pubkey_accepted_algorithms:
 #
@ -2129,43 +2132,57 @@ sshd_gateway_ports: !!str "no"
 #
 # Example:
 #    sshd_kexalgorithms:
-#      - curve25519-sha256@libssh.org
+#      - ntrup761x25519-sha512@openssh.com
 #      - curve25519-sha256,curve25519-sha256@libssh.org
 #      - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 #      - diffie-hellman-group-exchange-sha256
-#      - diffie-hellman-group14-sha1
+#      - diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
 #      - diffie-hellman-group14-sha256
 #
 #sshd_kexalgorithms: {}
-sshd_hostkeyalgorithms:
+# sshd__ciphers
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # sshd_kexalgorithms
 #
 # Example:
 #    sshd_ciphers:
 #      - chacha20-poly1305@openssh.com
-#      - aes256-gcm@openssh.com
+#      - aes128-ctr
 #      - aes192-ctr
 #      - aes256-ctr
-
+#      - aes128-gcm@openssh.com
 #      - aes256-gcm@openssh.com
 #sshd_ciphers: {}
 sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
 # sshd_macs
 #
 # Example:
 #    sshd_macs:
 #      - umac-64-etm@openssh.com,umac-128-etm@openssh.com
 #      - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
 #      - hmac-sha1-etm@openssh.com
 #      - umac-64@openssh.com,umac-128@openssh.com
 #      - hmac-sha2-256,hmac-sha2-512,hmac-sha1
 #sshd_macs: {}
-sshd_macs:
+
-  - hmac-sha2-256-etm@openssh.com
+# sshd_hostkeyalgorithms
-  - hmac-sha2-512-etm@openssh.com
+#
-  - umac-128-etm@openssh.com
+# Example:
 #      - ssh-ed25519-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp256-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp384-cert-v01@openssh.com
 #      - ecdsa-sha2-nistp521-cert-v01@openssh.com
 #      - sk-ssh-ed25519-cert-v01@openssh.com
 #      - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
 #      - rsa-sha2-512-cert-v01@openssh.com
 #      - rsa-sha2-256-cert-v01@openssh.com
 #      - ssh-ed25519
 #      - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
 #      - sk-ssh-ed25519@openssh.com
 #      - sk-ecdsa-sha2-nistp256@openssh.com
 #      - rsa-sha2-512
 #      - rsa-sha2-256
 #
 #sshd_hostkeyalgorithms: {}
 # This users are allowed to use password authentification
 #
@ -2222,6 +2239,9 @@ sudoers_file_user_back_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
  - 'ALL=(root) NOPASSWD: /usr/bin/find'
  - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh'
  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup-nc.sh'
 sudoers_file_user_back_postgres_privileges:
  - 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
--- a/host_vars/cp-flr.oopen.de.yml
+++ b/host_vars/cp-flr.oopen.de.yml
@ -0,0 +1,203 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_permit_root_login: !!str "prohibit-password"
 # ---
 # vars used by apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: cryptpad
    user_id: 2010
    group_id: 2010
    group: cryptpad
    home: /var/www/cryptpad
    password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_privileges:
  - name: back
    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
--- a/host_vars/o26.oopen.de.yml
+++ b/host_vars/o26.oopen.de.yml
@ -359,6 +359,11 @@ cron_user_special_time_entries:
 cron_user_entries:
  - name: "Renote Borg Backup"
    minute: '04'
    hour: '00'
    job: /root/crontab/backup-rborg/remote-borg-backup.sh
  - name: "Check if SSH service is running. Restart service if needed."
    minute: '*/5'
    hour: '*'
@ -380,13 +385,13 @@ cron_user_entries:
    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
  - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: '1-6'
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
  - name: "On sunday morning also determin diskspace usage"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: 7
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
--- a/host_vars/o40.oopen.de.yml
+++ b/host_vars/o40.oopen.de.yml
@ -242,9 +242,9 @@ cron_user_special_time_entries:
    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
    insertafter: PATH
-  - name: "Check if postfix mailservice is running. Restart service if needed."
+  - name: "Check if  ntpsec service is running. Restart service if needed."
    special_time: reboot
-    job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
+    job: "sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
    insertafter: PATH
 #  - name: "Check if Check if all autostart LX-Container are running."
--- a/host_vars/o42.oopen.de.yml
+++ b/host_vars/o42.oopen.de.yml
@ -32,7 +32,7 @@ network_interfaces:
    family: inet
    method: static
-    hwaddress: 
+    hwaddress: 2c:f0:5d:0d:df:01
    description:
    address: 95.217.194.43
    netmask: 26
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -30,7 +30,7 @@ ListenAddress {{ item }}
 {% endif %}
 # Specifies the protocol versions sshd(8) supports.
-# The possible values are '1' , `2' and '1,2'.
+# The possible values are '1' , '2' and '1,2'.
 # The default is '2'.
 Protocol 2
@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 # The server disconnects after this time if the user has not
 # successfully logged in.
 # The default is 120 seconds.
-LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
+LoginGraceTime {{ sshd_login_grace_time | default('120') }}
 # Specifies whether root can log in using ssh(1).
 # The default is "yes".
@ -141,7 +141,7 @@ PasswordAuthentication {{ sshd_password_authentication }}
 # When password authentication is allowed, it specifies whether the
 # server allows login to accounts with empty password strings.
-# The default is “no”.
+# The default is 'no'.
 PermitEmptyPasswords no
 {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
@ -150,7 +150,7 @@ PermitEmptyPasswords no
 KbdInteractiveAuthentication no
 {% else %}
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
-# The default is “yes”.
+# The default is 'yes'.
 ChallengeResponseAuthentication no
 {% endif %}
@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }}
 #-----------------------------
 # Cryptography
 #-----------------------------
 {% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
 # RequiredRSASize
 #
 # Specifies the minimum RSA key size (in bits) that sshd(8) will accept.  User and host-based
 # authentication keys smaller than this limit will be refused.
 #
 # The default is 1024 bits.
 #
 # Note that this limit may only be raised from the default.
 #
 {% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
 RequiredRSASize {{ sshd_required_rsa_size }}
 {% else %}
 # RequiredRSASize 1024
 {% endif %}
 {% endif %}
 {% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
 # PubkeyAcceptedAlgorithms
 #
@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }}
 #      sk-ecdsa-sha2-nistp256@openssh.com,
 #      rsa-sha2-512,rsa-sha2-256
 #
-
+# The list of available signature algorithms may also be obtained using
-{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
+#     "ssh -Q PubkeyAcceptedAlgorithms"
 #
 PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 {% else %}
 #PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
 {% endif %}
 # KexAlgorithms
 #
 # Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 #
 # The default is:
 #
 #       sntrup761x25519-sha512@openssh.com,
 #       curve25519-sha256,curve25519-sha256@libssh.org,
 #       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 #       diffie-hellman-group-exchange-sha256,