ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph 2024-05-03 14:06:06 +02:00
parent 65f6725f19
commit eedc62c8a3
14 changed files with 115 additions and 432 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
group_vars/all/main.yml
View File

@ -134,7 +134,7 @@ apt_manage_sources_list: true
apt_src_enable: true
apt_backports_enable: true
apt_debian_mirror: http://ftp.de.debian.org/debian/
apt_debian_mirror: http://ftp2.de.debian.org/debian/
apt_debian_contrib_nonfree_enable: true
# Ubuntu mirror
@ -2083,6 +2083,36 @@ sshd_use_dns: !!str "no"
sshd_gateway_ports: !!str "no"
# sshd_pubkey_accepted_algorithms:
#
# if the specified list begins with a '+' character, then the specified
# algorithms will be appended to the default set instead of replacing them.
#
# If the specified list begins with a '-' character, then the specified algorithms
# (including wildcards) will be removed from the default set instead of replacing them.
#
# If the specified list begins with a '^' character, then the
# specified algorithms will be placed at the head of the default set.
#sshd_pubkey_accepted_algorithms:
# - curve25519-sha256@libssh.org
# - diffie-hellman-group1-sha1
# - diffie-hellman-group14-sha1
# - diffie-hellman-group14-sha256
# - diffie-hellman-group16-sha512
# - diffie-hellman-group18-sha512
# - diffie-hellman-group-exchange-sha1
# - diffie-hellman-group-exchange-sha256
# - ecdh-sha2-nistp256
# - ecdh-sha2-nistp384
# - ecdh-sha2-nistp521
#sshd_pubkey_accepted_algorithms:
# - +ssh-rsa
# - ssh-dss
# sshd_kexalgorithms
#
# Example:
@ -2188,6 +2218,8 @@ sudoers_file_user_back_postgres_privileges:
sudoers_file_user_back_svn_privileges: []
sudoers_file_user_back_mount_privileges: []
sudoers_file_user_back_disk_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/which'
- 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'

198
host_vars/10.221.11.11.yml
View File

@ -1,198 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.10.1
- 192.168.10.3
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.11.1
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- wadmin
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/copy_files.yml
# ---
# ---
# vars used by roles/common/tasks/symlink_files.yml
# ---
# ---
# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user: {}

4
host_vars/file-km.anw-km.netz.yml
View File

@ -231,6 +231,10 @@ sudo_users:
#
# see: roles/common/tasks/vars
sudoers_file_user_back_mount_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mount'
- 'ALL=(root) NOPASSWD: /usr/bin/umount'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml

198
host_vars/o18.oopen.de.yml
View File

@ -1,198 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eth0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 90:1b:0e:8d:9b:ed
description:
address: 138.201.17.150
netmask: 26
gateway: 138.201.17.129
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 195.201.179.131
- 95.217.204.204
search:
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: eth0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 138.201.17.128 netmask 255.255.255.192 gw 138.201.17.129 br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
method: static
address: '2a01:4f8:171:2895::2'
netmask: 64
gateway: 'fe80::1'
up:
- !!str "ip -6 route add 2a01:4f8:171:2895::195/128 dev br0"
- !!str "ip -6 route add 2a01:4f8:171:2895::196/128 dev br0"
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
- 1036
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

10
host_vars/o22.oopen.de.yml
View File

@ -244,11 +244,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if NTP service 'ntpsec' is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
@ -277,6 +272,11 @@ cron_user_entries:
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if NTP service 'ntpsec' is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh
- name: "Check hard disc usage."
minute: '43'
hour: '6'

5
host_vars/o25.oopen.de.yml
View File

@ -358,6 +358,11 @@ cron_user_special_time_entries:
cron_user_entries:
- name: "Check Server Load - alert if critical"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/10'
hour: '*'

7
host_vars/oolm-shop-dev.oopen.de.yml
View File

@ -24,15 +24,14 @@
sshd_pasword_auth_ip:
- 34.107.7.34
sshd_pubkey_accepted_algorithms:
- +ssh-rsa
# ---
# vars used by apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- wkhtmltopdf
# ---
# vars used by roles/common/tasks/systemd-resolved.yml

7
host_vars/oolm-shop.oopen.de.yml
View File

@ -21,6 +21,9 @@
#sshd_password_authentication: !!str "yes"
sshd_pubkey_accepted_algorithms:
- +ssh-rsa
# This users are allowed to use password authentification
#
#sshd_pasword_auth_user:
@ -33,10 +36,6 @@ sshd_pasword_auth_ip:
# vars used by apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- wkhtmltopdf
# ---
# vars used by roles/common/tasks/users.yml

6
host_vars/zapata.opp.netz.yml
View File

@ -404,6 +404,12 @@ samba_user:
- beratung
password: '20-lorenz-23'
- name: luise
groups:
- buero
- beratung
password: '24_s.l.h._adb'
- name: magdalena
groups:
- buero

13
hosts
View File

@ -72,7 +72,6 @@ k1371.dyndns.org
at-10-neu.ak.netz
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
@ -81,7 +80,6 @@ ga-st-mail.ga.netz
ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
10.221.11.11
server18.warenform.de
piwik.warenform.de
@ -136,8 +134,6 @@ o13-web.oopen.de
o17.oopen.de
test.mx.oopen.de
o18.oopen.de
o20.oopen.de
# o21.oopen.de
@ -306,8 +302,6 @@ o17.oopen.de
test.mx.oopen.de
test.mariadb.oopen.de
o18.oopen.de
# - o20.oopen.de (srv-cityslang.cityslang.com)
o20.oopen.de
@ -485,7 +479,6 @@ gw-d11.oopen.de
# - GA - Gemeinschaft Altensclirf
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
@ -497,7 +490,6 @@ ga-al-ws1.ga.netz
ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
10.221.11.11
# ---
@ -702,7 +694,6 @@ server28.warenform.de
stolpersteine.oopen.de
# o13.oopen.de
o13-board.oopen.de
o13-staging-board.oopen.de
o13-pad.oopen.de
o13-cryptpad.oopen.de
@ -1202,7 +1193,6 @@ meet.akweb.de
ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
10.221.11.11
[lxc_host]
@ -1214,7 +1204,6 @@ ga-al-kvm3.ga.netz
o12.oopen.de
o13.oopen.de
o17.oopen.de
o18.oopen.de
#o20.oopen.de
o21.oopen.de
o22.oopen.de
@ -1618,7 +1607,6 @@ gw-kb.oopen.de
k1371.dyndns.org
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
@ -1704,7 +1692,6 @@ ga-st-services.ga.netz
ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
10.221.11.11
[o13_server]

8
roles/common/tasks/sshd.yml
View File

@ -5,6 +5,14 @@
# Set some facts
# ---
- name: (sshd.yml) Set fact_sshd_pubkey_accepted_algorithms (comma separated list)
set_fact:
fact_sshd_pubkey_accepted_algorithms: "{{ sshd_pubkey_accepted_algorithms | join (',') }}"
when:
- sshd_pubkey_accepted_algorithms is defined and sshd_pubkey_accepted_algorithms | length > 0
tags:
- sshd-config
- name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list)
set_fact:
fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}"

5
roles/common/templates/etc/apt/sources.list.Debian.j2
View File

@ -62,9 +62,12 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
{% else %}
{% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{% else %}
#deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
#deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{% endif %}
{% endif %}

47
roles/common/templates/etc/ssh/sshd_config.j2
View File

@ -30,8 +30,8 @@ ListenAddress {{ item }}
{% endif %}
# Specifies the protocol versions sshd(8) supports.
# The possible values are 1 , `2' and 1,2.
# The default is 2.
# The possible values are '1' , `2' and '1,2'.
# The default is '2'.
Protocol 2
# HostKeys for protocol version 2
@ -208,11 +208,42 @@ UsePAM {{ sshd_use_pam }}
# Cryptography
#-----------------------------
# PubkeyAcceptedAlgorithms
#
# Specifies the signature algorithms that will be accepted for public key authentication as a list of
# comma-separated patterns. Alternately if the specified list begins with a '+' character, then the spec
# ified algorithms will be appended to the default set instead of replacing them. If the specified list
# begins with a '-' character, then the specified algorithms (including wildcards) will be removed from
# the default set instead of replacing them. If the specified list begins with a '^' character, then the
# specified algorithms will be placed at the head of the default set. The default for this option is:
#
# ssh-ed25519-cert-v01@openssh.com,
# ecdsa-sha2-nistp256-cert-v01@openssh.com,
# ecdsa-sha2-nistp384-cert-v01@openssh.com,
# ecdsa-sha2-nistp521-cert-v01@openssh.com,
# sk-ssh-ed25519-cert-v01@openssh.com,
# sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
# rsa-sha2-512-cert-v01@openssh.com,
# rsa-sha2-256-cert-v01@openssh.com,
# ssh-ed25519,
# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
# sk-ssh-ed25519@openssh.com,
# sk-ecdsa-sha2-nistp256@openssh.com,
# rsa-sha2-512,rsa-sha2-256
#
{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
{% else %}
#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
{% endif %}
# KexAlgorithms
#
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated.
# Alternately if the specified value begins with a + character, then the specified methods will be ap
# pended to the default set instead of replacing them. If the specified value begins with a - charac
# Alternately if the specified value begins with a '+' character, then the specified methods will be ap
# pended to the default set instead of replacing them. If the specified value begins with a '-' charac
# ter, then the specified methods (including wildcards) will be removed from the default set instead of
# replacing them. The supported algorithms are:
#
@ -248,8 +279,8 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }}
# Ciphers
#
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins
# with a + character, then the specified ciphers will be appended to the default set instead of replac
# ing them. If the specified value begins with a - character, then the specified ciphers (including
# with a '+' character, then the specified ciphers will be appended to the default set instead of replac
# ing them. If the specified value begins with a '-' character, then the specified ciphers (including
# wildcards) will be removed from the default set instead of replacing them.
#
# The supported ciphers are:
@ -283,8 +314,8 @@ Ciphers {{ fact_sshd_ciphers }}
#
# Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for
# data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins
# with a + character, then the specified algorithms will be appended to the default set instead of re
# placing them. If the specified value begins with a - character, then the specified algorithms (in
# with a '+' character, then the specified algorithms will be appended to the default set instead of re
# placing them. If the specified value begins with a '-' character, then the specified algorithms (in
# cluding wildcards) will be removed from the default set instead of replacing them.
#
# The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are

5
roles/common/templates/etc/sudoers.d/50-user.j2
View File

@ -36,6 +36,11 @@ back {{ item }}
{% endfor -%}
{%- for item in sudoers_file_user_back_mount_privileges | default([]) %}
back {{ item }}
{% endfor -%}
{%- if ansible_virtualization_role == 'host' %}
{% for item in sudoers_file_user_back_disk_privileges | default([]) %}