diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index fb94574..d6e70f9 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -134,7 +134,7 @@ apt_manage_sources_list: true apt_src_enable: true apt_backports_enable: true -apt_debian_mirror: http://ftp.de.debian.org/debian/ +apt_debian_mirror: http://ftp2.de.debian.org/debian/ apt_debian_contrib_nonfree_enable: true # Ubuntu mirror @@ -2083,6 +2083,36 @@ sshd_use_dns: !!str "no" sshd_gateway_ports: !!str "no" + +# sshd_pubkey_accepted_algorithms: +# +# if the specified list begins with a '+' character, then the specified +# algorithms will be appended to the default set instead of replacing them. +# +# If the specified list begins with a '-' character, then the specified algorithms +# (including wildcards) will be removed from the default set instead of replacing them. +# +# If the specified list begins with a '^' character, then the +# specified algorithms will be placed at the head of the default set. + +#sshd_pubkey_accepted_algorithms: +# - curve25519-sha256@libssh.org +# - diffie-hellman-group1-sha1 +# - diffie-hellman-group14-sha1 +# - diffie-hellman-group14-sha256 +# - diffie-hellman-group16-sha512 +# - diffie-hellman-group18-sha512 +# - diffie-hellman-group-exchange-sha1 +# - diffie-hellman-group-exchange-sha256 +# - ecdh-sha2-nistp256 +# - ecdh-sha2-nistp384 +# - ecdh-sha2-nistp521 + +#sshd_pubkey_accepted_algorithms: +# - +ssh-rsa +# - ssh-dss + + # sshd_kexalgorithms # # Example: @@ -2188,6 +2218,8 @@ sudoers_file_user_back_postgres_privileges: sudoers_file_user_back_svn_privileges: [] +sudoers_file_user_back_mount_privileges: [] + sudoers_file_user_back_disk_privileges: - 'ALL=(root) NOPASSWD: /usr/bin/which' - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*' diff --git a/host_vars/10.221.11.11.yml b/host_vars/10.221.11.11.yml deleted file mode 100644 index 0e69b5e..0000000 --- a/host_vars/10.221.11.11.yml +++ /dev/null 
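Review bot: The first commented example under `# sshd_pubkey_accepted_algorithms:` lists key-exchange methods (`curve25519-sha256@libssh.org`, the `diffie-hellman-group*` and `ecdh-sha2-nistp*` entries), which are KexAlgorithms values and are not valid for PubkeyAcceptedAlgorithms; it looks copied from the sshd_kexalgorithms block that follows and should be replaced with signature algorithm names such as `ssh-ed25519`, `rsa-sha2-512`, `rsa-sha2-256`. The second example, `+ssh-rsa` together with `ssh-dss`, re-enables SHA-1 RSA signatures and DSA, which OpenSSH removed from the default set deliberately; the comment should say that this is only for legacy clients and that RSA keys already authenticate through rsa-sha2-*. Because sshd.yml joins the list with `,`, the `+`/`-`/`^` prefix only carries meaning on the first element, so add `# the prefix character belongs on the first list element only` to the description.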
@@ -1,198 +0,0 @@ ---- - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - -# --- -# vars used by apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/systemd-resolved.yml -# --- - -systemd_resolved: true - -# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie -# Primäre DNS-Adresse: 38.132.106.139 -# Sekundäre DNS-Adresse: 194.187.251.67 -# -# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen -# primäre DNS-Adresse -# IPv4: 1.1.1.1 -# IPv6: 2606:4700:4700::1111 -# sekundäre DNS-Adresse -# IPv4: 1.0.0.1 -# IPv6: 2606:4700:4700::1001 -# -# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit -# primäre DNS-Adresse -# IPv4: 8.8.8.8 -# IPv6: 2001:4860:4860::8888 -# sekundäre DNS-Adresse -# IPv4: 8.8.4.4 -# IPv6: 2001:4860:4860::8844 -# -# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug -# primäre DNS-Adresse -# IPv4: 9.9.9.9 -# IPv6: 2620:fe::fe -# sekundäre DNS-Adresse -# IPv4: 149.112.112.112 -# IPv6: 2620:fe::9 -# -# OpenNIC - https://www.opennic.org/ -# IPv4: 195.10.195.195 - ns31.de -# IPv4: 94.16.114.254 - ns28.de -# IPv4: 51.254.162.59 - ns9.de -# IPv4: 194.36.144.87 - ns29.de -# IPv6: 2a00:f826:8:2::195 - ns31.de -# -# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) -# IPv4: 5.1.66.255 -# IPv6: 2001:678:e68:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# IPv4: 185.150.99.255 -# IPv6: 2001:678:ed0:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) -resolved_nameserver: - - 192.168.10.1 - - 192.168.10.3 - -# search domains -# -# If there are more than one search domains, then specify them here in the order in which -# the resolver should also search them -# -#resolved_domains: [] -resolved_domains: - - ~. 
- - ga.netz - - ga.intra - -resolved_dnssec: false - -# dns.as250.net: 194.150.168.168 -# -resolved_fallback_nameserver: - - 192.168.11.1 - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - -default_user: - - - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: wadmin - password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: sysadm - user_id: 1050 - group_id: 1050 - group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham 
wadmin@wolf-debtest' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - -sudo_users: - - chris - - sysadm - - wadmin - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - -sshd_permit_root_login: !!str "prohibit-password" - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -# --- -# vars used by roles/common/tasks/copy_files.yml -# --- - - -# --- -# vars used by roles/common/tasks/symlink_files.yml -# --- - - -# --- -# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml -# --- - - - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: {} diff --git a/host_vars/file-km.anw-km.netz.yml b/host_vars/file-km.anw-km.netz.yml index 38fd701..44135c9 100644 --- a/host_vars/file-km.anw-km.netz.yml +++ b/host_vars/file-km.anw-km.netz.yml @@ -231,6 +231,10 @@ sudo_users: # # see: roles/common/tasks/vars +sudoers_file_user_back_mount_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/mount' + - 'ALL=(root) NOPASSWD: /usr/bin/umount' + # --- # vars used by roles/common/tasks/caching-nameserver.yml diff --git a/host_vars/o18.oopen.de.yml b/host_vars/o18.oopen.de.yml deleted file mode 100644 index dccdf31..0000000 --- a/host_vars/o18.oopen.de.yml +++ /dev/null 
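Review bot: `ALL=(root) NOPASSWD: /usr/bin/mount` and the matching `/usr/bin/umount` line carry no argument pattern, so the `back` account can mount and unmount anything with any options as root, which is effectively root-equivalent; the sibling `sudoers_file_user_back_disk_privileges` entries pin their arguments (`/sbin/hdparm -I /dev/*`) and this list should do the same. Restrict it to the backup target, e.g. `'ALL=(root) NOPASSWD: /usr/bin/mount <BACKUP_MOUNTPOINT>'` plus the corresponding umount line, or give the mount point a `user` option in fstab and drop the sudo rule entirely. The 50-user.j2 change in this commit appears to render these lines before the `ansible_virtualization_role == 'host'` check, so the exposure is not limited to virtualization hosts; worth confirming that is intended.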
@@ -1,198 +0,0 @@ ---- - -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - - -network_interfaces: - - - device: br0 - # use only once per device (for the first device entry) - headline: br0 - bridge over device eth0 - - # auto & allow are only used for the first device entry - allow: [] # array of allow-[stanzas] eg. allow-hotplug - auto: true - - family: inet - method: static - hwaddress: 90:1b:0e:8d:9b:ed - description: - address: 138.201.17.150 - netmask: 26 - gateway: 138.201.17.129 - - # optional dns settings nameservers: [] - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - nameservers: - - 195.201.179.131 - - 95.217.204.204 - search: - - # optional bridge parameters bridge: {} - # bridge: - # ports: - # stp: - # fd: - # maxwait: - # waitport: - bridge: - ports: eth0 # for mor devices support a blank separated list - stp: !!str off - fd: 5 - hello: 2 - maxage: 12 - - # inline hook scripts - pre-up: [] # pre-up script lines - up: - - !!str "route add -net 138.201.17.128 netmask 255.255.255.192 gw 138.201.17.129 br0" # up script lines - post-up: [] # post-up script lines (alias for up) - pre-down: [] # pre-down script lines (alias for down) - down: [] # down script lines - post-down: [] # post-down script lines - - - - - device: br0 - family: inet6 - method: static - address: '2a01:4f8:171:2895::2' - netmask: 64 - gateway: 'fe80::1' - - up: - - !!str "ip -6 route add 2a01:4f8:171:2895::195/128 dev br0" - - !!str "ip -6 route add 2a01:4f8:171:2895::196/128 dev br0" - - -# --- -# vars used by 
roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - -sshd_ports: - - 22 - - 1036 - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -default_user: - - - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: sysadm - - user_id: 1050 - group_id: 1050 - group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
- shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - -sudo_users: - - chris - - sysadm - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -git_firewall_repository: - name: ipt-server - repo: https://git.oopen.de/firewall/ipt-server - dest: /usr/local/src/ipt-server - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. - diff --git a/host_vars/o22.oopen.de.yml b/host_vars/o22.oopen.de.yml index cf106fa..0c494ed 100644 --- a/host_vars/o22.oopen.de.yml +++ b/host_vars/o22.oopen.de.yml @@ -244,11 +244,6 @@ cron_user_special_time_entries: job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" insertafter: PATH - - name: "Check if NTP service 'ntpsec' is up and running?" - minute: '*/30' - hour: '*' - job: /root/bin/monitoring/check_ntpsec_service.sh - - name: "Check if Check if all autostart LX-Container are running." special_time: reboot job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" @@ -277,6 +272,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' 
diff --git a/host_vars/o25.oopen.de.yml b/host_vars/o25.oopen.de.yml index 92f843b..32ea4c3 100644 --- a/host_vars/o25.oopen.de.yml +++ b/host_vars/o25.oopen.de.yml @@ -358,6 +358,11 @@ cron_user_special_time_entries: cron_user_entries: + - name: "Check Server Load - alert if critical" + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_webservice_load.sh + - name: "Check if SSH service is running. Restart service if needed." minute: '*/10' hour: '*' diff --git a/host_vars/oolm-shop-dev.oopen.de.yml b/host_vars/oolm-shop-dev.oopen.de.yml index 7556ceb..c934a49 100644 --- a/host_vars/oolm-shop-dev.oopen.de.yml +++ b/host_vars/oolm-shop-dev.oopen.de.yml @@ -24,15 +24,14 @@ sshd_pasword_auth_ip: - 34.107.7.34 +sshd_pubkey_accepted_algorithms: + - +ssh-rsa + # --- # vars used by apt.yml # --- -apt_install_extra_pkgs: true -apt_extra_pkgs: - - wkhtmltopdf - # --- # vars used by roles/common/tasks/systemd-resolved.yml diff --git a/host_vars/oolm-shop.oopen.de.yml b/host_vars/oolm-shop.oopen.de.yml index e70a17d..68cb81f 100644 --- a/host_vars/oolm-shop.oopen.de.yml +++ b/host_vars/oolm-shop.oopen.de.yml @@ -21,6 +21,9 @@ #sshd_password_authentication: !!str "yes" +sshd_pubkey_accepted_algorithms: + - +ssh-rsa + # This users are allowed to use password authentification # #sshd_pasword_auth_user: @@ -33,10 +36,6 @@ sshd_pasword_auth_ip: # vars used by apt.yml # --- -apt_install_extra_pkgs: true -apt_extra_pkgs: - - wkhtmltopdf - # --- # vars used by roles/common/tasks/users.yml diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 80e7d07..15e7c91 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -404,6 +404,12 @@ samba_user: - beratung password: '20-lorenz-23' + - name: luise + groups: + - buero + - beratung + password: '24_s.l.h._adb' + - name: magdalena groups: - buero diff --git a/hosts b/hosts index 7699aa4..86b4058 100644 --- a/hosts +++ b/hosts 
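Review bot: `sshd_pubkey_accepted_algorithms:` with `- +ssh-rsa` re-enables RSA/SHA-1 signatures for public-key authentication host-wide; OpenSSH dropped `ssh-rsa` from the default set because SHA-1 is no longer collision-resistant, and RSA keys keep working through `rsa-sha2-256`/`rsa-sha2-512` unless the client is too old to offer them. The same value is added to host_vars/oolm-shop.oopen.de.yml in this commit. If a legacy client genuinely needs it, record which one and when it goes away, e.g. `# TODO: <legacy client> still signs with ssh-rsa; remove once it is upgraded`, and consider limiting it to that client through a `Match Address` block in the template instead of enabling it globally.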
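Review bot: The new samba_user entry for `luise` stores the account password in cleartext in host_vars, so it lands in git history for everyone with repository access; the existing entries above it have the same problem, but this line commits a fresh credential. Store it as an Ansible Vault string (`password: !vault |` followed by the encrypted payload) or reference a vault-backed variable, and rotate the password now that it has been committed in the clear.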
@@ -72,7 +72,6 @@ k1371.dyndns.org at-10-neu.ak.netz ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de @@ -81,7 +80,6 @@ ga-st-mail.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz -10.221.11.11 server18.warenform.de piwik.warenform.de @@ -136,8 +134,6 @@ o13-web.oopen.de o17.oopen.de test.mx.oopen.de -o18.oopen.de - o20.oopen.de # o21.oopen.de @@ -306,8 +302,6 @@ o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de -o18.oopen.de - # - o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de @@ -485,7 +479,6 @@ gw-d11.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de @@ -497,7 +490,6 @@ ga-al-ws1.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz -10.221.11.11 # --- @@ -702,7 +694,6 @@ server28.warenform.de stolpersteine.oopen.de # o13.oopen.de -o13-board.oopen.de o13-staging-board.oopen.de o13-pad.oopen.de o13-cryptpad.oopen.de @@ -1202,7 +1193,6 @@ meet.akweb.de ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz -10.221.11.11 [lxc_host] @@ -1214,7 +1204,6 @@ ga-al-kvm3.ga.netz o12.oopen.de o13.oopen.de o17.oopen.de -o18.oopen.de #o20.oopen.de o21.oopen.de o22.oopen.de @@ -1618,7 +1607,6 @@ gw-kb.oopen.de k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw.oopen.de ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de @@ -1704,7 +1692,6 @@ ga-st-services.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz -10.221.11.11 [o13_server] diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index 8af827d..dcec2b7 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml 
@@ -5,6 +5,14 @@ # Set some facts # --- +- name: (sshd.yml) Set fact_sshd_pubkey_accepted_algorithms (comma separated list) + set_fact: + fact_sshd_pubkey_accepted_algorithms: "{{ sshd_pubkey_accepted_algorithms | join (',') }}" + when: + - sshd_pubkey_accepted_algorithms is defined and sshd_pubkey_accepted_algorithms | length > 0 + tags: + - sshd-config + - name: (sshd.yml) Set fact_sshd_kexalgorithms (comma separated list) set_fact: fact_sshd_kexalgorithms: "{{ sshd_kexalgorithms | join (',') }}" diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2 index 5cb85e6..5960a25 100644 --- a/roles/common/templates/etc/apt/sources.list.Debian.j2 +++ b/roles/common/templates/etc/apt/sources.list.Debian.j2 @@ -62,9 +62,12 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free {% if ansible_facts['distribution_major_version'] | int >= 12 %} deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware -{% else %} +{% elif ansible_facts['distribution_major_version'] | int == 11 %} deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free +{% else %} +#deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free +#deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {% endif %} {% endif %} diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index 2b85304..8354d57 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 +++ b/roles/common/templates/etc/ssh/sshd_config.j2 
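Review bot: The `when` guard on the new set_fact only checks `is defined` and `length > 0`, so a host that sets `sshd_pubkey_accepted_algorithms: "+ssh-rsa"` as a plain string passes the guard and `join(',')` turns it into `+,s,s,h,-,r,s,a`, which sshd rejects; if the config is not validated before the restart that can cost remote access to the host. Add `- sshd_pubkey_accepted_algorithms is not string` to the `when` list (the kexalgorithms task below has the same gap), or fail early with an `assert` task. Whether the sshd_config template task uses `validate: sshd -t -f %s` is outside this hunk; if it does not, that is the second line of defence to add.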
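Review bot: The new `{% elif ... | int == 11 %}` / `{% else %}` split gives no reason why hosts below Debian 11 now get their backports lines commented out; add a template comment such as `{# Debian <= 10: backports entries disabled, see <REASON> #}` so the next maintainer does not re-enable them. Also `distribution_major_version | int` evaluates to 0 for non-numeric values (testing/sid report a non-numeric version, if I recall correctly), so such hosts silently fall into the `else` branch; if that is not intended, a `{# NOTE(review): non-numeric major version falls through to else #}` marker at least makes it visible.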
@@ -30,8 +30,8 @@ ListenAddress {{ item }} {% endif %} # Specifies the protocol versions sshd(8) supports. -# The possible values are ‘1’ , `2' and ‘1,2’. -# The default is ‘2’. +# The possible values are '1' , `2' and '1,2'. +# The default is '2'. Protocol 2 # HostKeys for protocol version 2 
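Review bot: The rewritten comment still mixes quote styles: `'1' , `2' and '1,2'` keeps a backtick before `2` while the other values now use straight single quotes, so the line should read `# The possible values are '1', '2' and '1,2'.`. Visible in the context line but not touched here: `Protocol 2` is ignored by any OpenSSH that still receives updates (protocol 1 was removed in 7.4, if I recall correctly), which the comment block could state so nobody expects it to do anything.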
@@ -208,11 +208,42 @@ UsePAM {{ sshd_use_pam }} # Cryptography #----------------------------- +# PubkeyAcceptedAlgorithms +# +# Specifies the signature algorithms that will be accepted for public key authentication as a list of +# comma-separated patterns. Alternately if the specified list begins with a '+' character, then the spec‐ +# ified algorithms will be appended to the default set instead of replacing them. If the specified list +# begins with a '-' character, then the specified algorithms (including wildcards) will be removed from +# the default set instead of replacing them. If the specified list begins with a '^' character, then the +# specified algorithms will be placed at the head of the default set. The default for this option is: +# +# ssh-ed25519-cert-v01@openssh.com, +# ecdsa-sha2-nistp256-cert-v01@openssh.com, +# ecdsa-sha2-nistp384-cert-v01@openssh.com, +# ecdsa-sha2-nistp521-cert-v01@openssh.com, +# sk-ssh-ed25519-cert-v01@openssh.com, +# sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, +# rsa-sha2-512-cert-v01@openssh.com, +# rsa-sha2-256-cert-v01@openssh.com, +# ssh-ed25519, +# ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +# sk-ssh-ed25519@openssh.com, +# sk-ecdsa-sha2-nistp256@openssh.com, +# rsa-sha2-512,rsa-sha2-256 +# + +{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %} +PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }} +{% else %} +#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 +{% endif %} + + # KexAlgorithms # # Specifies 
the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐ -# pended to the default set instead of replacing them. If the specified value begins with a ‘-’ charac‐ +# Alternately if the specified value begins with a '+' character, then the specified methods will be ap‐ +# pended to the default set instead of replacing them. If the specified value begins with a '-' charac‐ # ter, then the specified methods (including wildcards) will be removed from the default set instead of # replacing them. The supported algorithms are: # @@ -248,8 +279,8 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }} # Ciphers # # Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins -# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐ -# ing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including +# with a '+' character, then the specified ciphers will be appended to the default set instead of replac‐ +# ing them. If the specified value begins with a '-' character, then the specified ciphers (including # wildcards) will be removed from the default set instead of replacing them. # # The supported ciphers are: 
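Review bot: `PubkeyAcceptedAlgorithms` is only understood by OpenSSH 8.5 and newer (it was renamed from `PubkeyAcceptedKeyTypes` there, with the old name kept as an alias); Debian 11 ships 8.4 if I recall correctly, and this role explicitly supports Debian 11 and older (see the apt sources template in this commit), so rendering the directive on such a host makes `sshd -t` fail on an unknown option and a restart would leave the host without sshd. Either emit `PubkeyAcceptedKeyTypes {{ fact_sshd_pubkey_accepted_algorithms }}` (accepted by old and new versions) or guard the block on the installed OpenSSH version or the distribution major version. The comment block also presents one specific release's default list as "The default for this option is:", which will drift; prefer `# Default set as of OpenSSH <VERSION>, see sshd_config(5) on the host` with the version it was taken from. The Ciphers and MACs hunks below only normalise quote characters.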
@@ -283,8 +314,8 @@ Ciphers {{ fact_sshd_ciphers }} # # Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for # data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins -# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐ -# placing them. If the specified value begins with a ‘-’ character, then the specified algorithms (in‐ +# with a '+' character, then the specified algorithms will be appended to the default set instead of re‐ +# placing them. If the specified value begins with a '-' character, then the specified algorithms (in‐ # cluding wildcards) will be removed from the default set instead of replacing them. # # The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.j2 index f07a622..5d1dac3 100644 --- a/roles/common/templates/etc/sudoers.d/50-user.j2 +++ b/roles/common/templates/etc/sudoers.d/50-user.j2 @@ -36,6 +36,11 @@ back {{ item }} {% endfor -%} +{%- for item in sudoers_file_user_back_mount_privileges | default([]) %} +back {{ item }} +{% endfor -%} + + {%- if ansible_virtualization_role == 'host' %} {% for item in sudoers_file_user_back_disk_privileges | default([]) %}