update..

2024-10-19 10:18:05 +02:00 · 2024-10-19 10:18:05 +02:00 · c771ba2095
commit c771ba2095
parent 134eb18465
6 changed files with 319 additions and 74 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -2082,6 +2082,8 @@ sshd_pubkey_authentication: !!str "yes"

 sshd_password_authentication: !!str "no"

+sshd_kbd_interactive_authentication:
+
 sshd_use_pam: !!str "yes"

 #sshd_allowed_users:
@ -2095,6 +2097,7 @@ sshd_use_dns: !!str "no"

 sshd_gateway_ports: !!str "no"

+sshd_required_rsa_size: 4096

 # sshd_pubkey_accepted_algorithms:
 #
@ -2129,43 +2132,57 @@ sshd_gateway_ports: !!str "no"
 #
 # Example:
 #    sshd_kexalgorithms:
-#      - curve25519-sha256@libssh.org
+#      - ntrup761x25519-sha512@openssh.com
+#      - curve25519-sha256,curve25519-sha256@libssh.org
+#      - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 #      - diffie-hellman-group-exchange-sha256
-#      - diffie-hellman-group14-sha1
+#      - diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+#      - diffie-hellman-group14-sha256
 #
 #sshd_kexalgorithms: {}

-sshd_hostkeyalgorithms:
-  - ssh-ed25519
-  - ssh-ed25519-cert-v01@openssh.com
-  - rsa-sha2-256
-  - rsa-sha2-512
-  - rsa-sha2-256-cert-v01@openssh.com
-  - rsa-sha2-512-cert-v01@openssh.com
-
-
-# sshd_kexalgorithms
+# sshd__ciphers
 #
 # Example:
 #    sshd_ciphers:
 #      - chacha20-poly1305@openssh.com
-#      - aes256-gcm@openssh.com
+#      - aes128-ctr
+#      - aes192-ctr
 #      - aes256-ctr
-
+#      - aes128-gcm@openssh.com
+#      - aes256-gcm@openssh.com
 #sshd_ciphers: {}
-sshd_ciphers:
-  - chacha20-poly1305@openssh.com
-  - aes256-gcm@openssh.com
-  - aes128-gcm@openssh.com
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr

+# sshd_macs
+#
+# Example:
+#    sshd_macs:
+#      - umac-64-etm@openssh.com,umac-128-etm@openssh.com
+#      - hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+#      - hmac-sha1-etm@openssh.com
+#      - umac-64@openssh.com,umac-128@openssh.com
+#      - hmac-sha2-256,hmac-sha2-512,hmac-sha1
 #sshd_macs: {}
-sshd_macs:
-  - hmac-sha2-256-etm@openssh.com
-  - hmac-sha2-512-etm@openssh.com
-  - umac-128-etm@openssh.com
+
+# sshd_hostkeyalgorithms
+#
+# Example:
+#      - ssh-ed25519-cert-v01@openssh.com
+#      - ecdsa-sha2-nistp256-cert-v01@openssh.com
+#      - ecdsa-sha2-nistp384-cert-v01@openssh.com
+#      - ecdsa-sha2-nistp521-cert-v01@openssh.com
+#      - sk-ssh-ed25519-cert-v01@openssh.com
+#      - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
+#      - rsa-sha2-512-cert-v01@openssh.com
+#      - rsa-sha2-256-cert-v01@openssh.com
+#      - ssh-ed25519
+#      - ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
+#      - sk-ssh-ed25519@openssh.com
+#      - sk-ecdsa-sha2-nistp256@openssh.com
+#      - rsa-sha2-512
+#      - rsa-sha2-256
+#
+#sshd_hostkeyalgorithms: {}

 # This users are allowed to use password authentification
 #
@ -2222,6 +2239,9 @@ sudoers_file_user_back_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
  - 'ALL=(root) NOPASSWD: /usr/bin/find'
  - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
+  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup.sh'
+  - 'ALL=(root) NOPASSWD: /root/bin/borg-backup/borg-backup-nc.sh'
+

 sudoers_file_user_back_postgres_privileges:
  - 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
--- a/host_vars/cp-flr.oopen.de.yml
+++ b/host_vars/cp-flr.oopen.de.yml
@ -0,0 +1,203 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: localadmin
+
+    user_id: 1051
+    group_id: 1051
+    group: localadmin
+    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: cryptpad
+    user_id: 2010
+    group_id: 2010
+    group: cryptpad
+    home: /var/www/cryptpad
+    password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+  - name: back
+    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/host_vars/o26.oopen.de.yml
+++ b/host_vars/o26.oopen.de.yml
@ -359,6 +359,11 @@ cron_user_special_time_entries:

 cron_user_entries:

+  - name: "Renote Borg Backup"
+    minute: '04'
+    hour: '00'
+    job: /root/crontab/backup-rborg/remote-borg-backup.sh
+
  - name: "Check if SSH service is running. Restart service if needed."
    minute: '*/5'
    hour: '*'
@ -380,13 +385,13 @@ cron_user_entries:
    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1

  - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: '1-6'
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N

  - name: "On sunday morning also determin diskspace usage"
-    minute: '06'
+    minute: '16'
    hour: '00'
    weekday: 7
    job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
--- a/host_vars/o40.oopen.de.yml
+++ b/host_vars/o40.oopen.de.yml
@ -242,9 +242,9 @@ cron_user_special_time_entries:
    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
    insertafter: PATH

-  - name: "Check if postfix mailservice is running. Restart service if needed."
+  - name: "Check if  ntpsec service is running. Restart service if needed."
    special_time: reboot
-    job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
+    job: "sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
    insertafter: PATH

 #  - name: "Check if Check if all autostart LX-Container are running."
--- a/host_vars/o42.oopen.de.yml
+++ b/host_vars/o42.oopen.de.yml
@ -32,7 +32,7 @@ network_interfaces:

    family: inet
    method: static
-    hwaddress: 
+    hwaddress: 2c:f0:5d:0d:df:01
    description:
    address: 95.217.194.43
    netmask: 26
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
@ -30,7 +30,7 @@ ListenAddress {{ item }}
 {% endif %}

 # Specifies the protocol versions sshd(8) supports.
-# The possible values are '1' , `2' and '1,2'.
+# The possible values are '1' , '2' and '1,2'.
 # The default is '2'.
 Protocol 2

@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }}
 # The server disconnects after this time if the user has not
 # successfully logged in.
 # The default is 120 seconds.
-LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
+LoginGraceTime {{ sshd_login_grace_time | default('120') }}

 # Specifies whether root can log in using ssh(1).
 # The default is "yes".
@ -141,7 +141,7 @@ PasswordAuthentication {{ sshd_password_authentication }}

 # When password authentication is allowed, it specifies whether the
 # server allows login to accounts with empty password strings.
-# The default is “no”.
+# The default is 'no'.
 PermitEmptyPasswords no

 {% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 11) %}
@ -150,7 +150,7 @@ PermitEmptyPasswords no
 KbdInteractiveAuthentication no
 {% else %}
 # Specifies whether challenge-response authentication is allowed (e.g. via PAM).
-# The default is “yes”.
+# The default is 'yes'.
 ChallengeResponseAuthentication no
 {% endif %}

@ -207,6 +207,24 @@ UsePAM {{ sshd_use_pam }}
 #-----------------------------
 # Cryptography
 #-----------------------------
+{% if ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] | int >= 12 %}
+
+# RequiredRSASize
+#
+# Specifies the minimum RSA key size (in bits) that sshd(8) will accept.  User and host-based
+# authentication keys smaller than this limit will be refused.
+#
+# The default is 1024 bits.
+#
+# Note that this limit may only be raised from the default.
+#
+{% if (sshd_required_rsa_size is defined) and sshd_required_rsa_size %}
+RequiredRSASize {{ sshd_required_rsa_size }}
+{% else %}
+# RequiredRSASize 1024
+{% endif %}
+{% endif %}
+{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}

 # PubkeyAcceptedAlgorithms
 #
@ -231,14 +249,12 @@ UsePAM {{ sshd_use_pam }}
 #      sk-ecdsa-sha2-nistp256@openssh.com,
 #      rsa-sha2-512,rsa-sha2-256
 #
-
-{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
+# The list of available signature algorithms may also be obtained using
+#     "ssh -Q PubkeyAcceptedAlgorithms"
+#
 PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
-{% else %}
-#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
 {% endif %}

-
 # KexAlgorithms
 #
 # Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
@ -262,6 +278,7 @@ PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
 #
 # The default is:
 #
+#       sntrup761x25519-sha512@openssh.com,
 #       curve25519-sha256,curve25519-sha256@libssh.org,
 #       ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 #       diffie-hellman-group-exchange-sha256,