redisign ..

2021-06-02 23:43:02 +02:00
parent ec20eeb8aa
commit 9a6acd6230
79 changed files with 24372 additions and 234 deletions


@ -0,0 +1,10 @@
[Desktop Entry]
Type=Application
Exec=x11vnc -rfbport 5901 -rfbauth /etc/x11vnc.pass
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name[de_DE]=X11VNC User-Service
Name=X11VNC User-Service
Comment[de_DE]=
Comment=
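Review bot: The Exec line starts x11vnc with `-rfbport 5901 -rfbauth /etc/x11vnc.pass` and nothing that limits where it listens, so every user's desktop session exposes a VNC server on all interfaces, guarded only by a single system-wide password file; since x11vnc runs as the logged-in user, that file presumably has to be readable by every one of those users, which makes one shared secret the whole barrier. Consider adding `-localhost` (and reaching the display through an SSH tunnel) or at least a host firewall rule, and a per-user `-rfbauth` file under the user's home rather than one in /etc. Note also that without `-forever` x11vnc exits after the first client disconnects, so the service is effectively single-use per login. The empty `Comment=` and `Comment[de_DE]=` keys could carry a one-line description, e.g. `Comment=Start an x11vnc server for this session`.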


@ -0,0 +1,18 @@
# ############################################ #
# -------------------------- #
# ** DO NOT EDIT DIRECTLY ** #
# -------------------------- #
# Ansible managed file #
# ############################################ #
# This file allows you to map usernames from the clients to the server.
# Unix_name = SMB_name1 SMB_name2 ...
#
# See section 'username map' in the manual page of smb.conf for more
# information.
#
# This file is _not_ included in the default configuration as it makes the
# usage of an user named administrator impossible.
root = admin administrator
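Review bot: `root = admin administrator` maps both SMB names onto the Unix root account, so if root has a Samba password entry, anyone who authenticates as admin or administrator operates on every share with root's identity, and the two names become extra guessable logins for that account. Unless root is deliberately a Samba user, map these names to a dedicated unprivileged administrative account instead, and make sure smb.conf keeps `invalid users = root`. The header comment above says the file is not included in the default configuration, which reads oddly for a file that is deployed as Ansible-managed; a line naming the `username map = /etc/samba/<this file>` setting that references it would make the intent clear.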


@ -1,10 +1,21 @@
---
- name: Update timezone
command: dpkg-reconfigure --frontend noninteractive tzdata
- name: Restart ssh
service:
name: ssh
state: restarted
- name: Renew nis databases
shell: make -C /var/yp
when:
- "groups['nis_server']|string is search(inventory_hostname)"
- name: Reload nfs
service:
name: nfs-kernel-server
@ -24,3 +35,42 @@
name: rpcbind
daemon_reload: yes
state: restarted
- name: Restart smbd
service:
name: smbd
daemon_reload: yes
state: restarted
- name: Restart nmbd
service:
name: nmbd
daemon_reload: yes
state: restarted
- name: Reload samba config
shell: smbcontrol all reload-config
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: Restart cups
service:
name: cups
daemon_reload: yes
state: restarted
- name: Restart ntp
service:
name: ntp
daemon_reload: yes
state: restarted
- name: Restart cups-browsed
service:
name: cups-browsed
daemon_reload: yes
state: restarted
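Review bot: The `when` conditions written as `groups['nis_server']|string is search(inventory_hostname)` (Renew nis databases, Reload samba config) stringify the group list and run a regex search of the hostname in it, so a host named `pc1` also matches a group containing `pc10`, and any dot in a hostname acts as a wildcard; the exact and idiomatic test is `inventory_hostname in groups['nis_server']` (with `groups['nis_server']|default([])` if the group may be absent). The same pattern recurs in this commit in basic.yml, cups-install.yml, git.yml, main.yml, nis-install-server.yml, ntp.yml and root-files-scripts.yml. Separately, `shell: make -C /var/yp` and `shell: smbcontrol all reload-config` use no shell features, so `command:` would do the same without a shell parse, and `daemon_reload: yes` is clearer as `daemon_reload: true`.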

320
roles/common/tasks/apt.yml Normal file

@ -0,0 +1,320 @@
---
- name: (apt.yml) update configuration file - /etc/apt/sources.list
template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
register: apt_config_updated
when:
- ansible_facts['distribution'] == "Debian"
- apt_manage_sources_list|bool
tags:
- apt-configuration
- name: (apt.yml) apt update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
tags:
- apt-update
- apt-upgrade
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- apt-dpkg-configure
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- apt-upgrade
- apt-initial-install
- apt-microcode
- apt-compiler-pkgs
- apt-webserver-pkgs
- name: (apt.yml) Initial install debian packages (stretch)
apt:
name: "{{ apt_initial_install_stretch }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
tags:
- apt-initial-install
- name: (apt.yml) Initial install debian packages (buster)
apt:
name: "{{ apt_initial_install_buster }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (bionic)
apt:
name: "{{ apt_initial_install_bionic }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (xenial)
apt:
name: "{{ apt_initial_install_xenial }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
tags:
- apt-initial-install
# ---
# Microcode
# ---
- name: (apt.yml) Ensure we have CPU microcode from backports for Intel CPU (debian stretch)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- apt_backports_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Ensure we have CPU microcode from backports for AMD CPU (debian stretch)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}-backports"
when:
- apt_backports_enable
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (debian buster)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (debian buster)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu bionic)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for AMD CPU (ubuntu bionic)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel CPU (ubuntu xenial)
apt:
name: "{{ microcode_intel_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("Intel")
tags:
- apt-initial-install
- apt-microcode
- name: (apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)
apt:
name: "{{ microcode_amd_package }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- apt_debian_contrib_nonfree_enable
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
- ansible_facts['processor']|string is search("AMD")
tags:
- apt-initial-install
- apt-microcode
# ---
# Firmware
# ---
- name: (apt.yml) Install Firmware packages (Ubuntu)
apt:
name: "{{ firmware_packages_ubuntu }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
tags:
- apt-initial-install
- apt-firmware
- name: (apt.yml) Install Firmware packages (Debian)
apt:
name: "{{ firmware_packages_debian }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
tags:
- apt-initial-install
- apt-firmware
- name: (apt.yml) Install non-free Firmware packages (Debian)
apt:
name: "{{ firmware_non_free_packages_debian }}"
state: present
default_release: "{{ ansible_distribution_release }}"
when:
- ansible_facts['distribution'] == "Debian"
- apt_debian_contrib_nonfree_enable
tags:
- apt-initial-install
- apt-firmware
# ---
# unwanted packages
# ---
- name: (apt.yml) Remove unwanted packages
apt:
name: "{{ apt_remove }}"
state: absent
purge: "{{ apt_remove_purge }}"
tags:
- apt-remove
- name: (apt.yml) Remove unwanted packages Ubuntu bionic
apt:
name: "{{ apt_remove_bionic }}"
state: absent
purge: "{{ apt_remove_purge }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic"
tags:
- apt-remove
- name: (apt.yml) Remove unwanted packages Ubuntu xenial
apt:
name: "{{ apt_remove_xenial }}"
state: absent
purge: "{{ apt_remove_purge }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial"
tags:
- apt-remove
- name: (apt.yml) autoremove
apt:
autoremove: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_autoremove|bool
tags:
- apt-autoremove
- apt-initial-install
- apt-microcode
- name: (apt.yml) clean
command: apt-get -y clean
args:
warn: false
changed_when: false
when: apt_clean|bool
tags:
- apt-clean
- apt-initial-install
- apt-microcode
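Review bot: `mode: 0644` in the sources.list task is an unquoted octal literal, which a YAML 1.1 loader reads as the integer 420 and ansible-lint flags; the nis-install-server.yml hunks in this same commit write `mode: '0644'`, so quote it here too for consistency. The AMD microcode task for xenial is named `(apt.yml) Install CPU microcode for Intel AMD (ubuntu xenial)`; it should read `(apt.yml) Install CPU microcode for AMD CPU (ubuntu xenial)` to match its siblings. `- apt_backports_enable` and `- apt_debian_contrib_nonfree_enable` are the only gates in the file without `|bool`, unlike `apt_update|bool` and friends; if those values ever arrive as inventory strings the two forms behave differently, so `apt_backports_enable|bool` keeps them uniform.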


@ -0,0 +1,105 @@
---
- name: (basic.yml) Ensure timezone is is correct
timezone: name={{ time_zone }}
tags:
- timezone
- name: (basic.yml) Ensure locales are present
locale_gen:
name: "{{ item }}"
state: present
with_items: "{{ locales }}"
tags:
- locales
- name: (basic.yml) Create a symbolic link /bin/sh -> bash
file:
src: bash
dest: /bin/sh
owner: root
group: root
state: link
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- symlink-sh
- name: (basic.yml) Check file '/etc/systemd/system.conf' exists
stat:
path: /etc/systemd/system
register: etc_systemd_system_conf
when:
- set_default_limit_nofile|bool == true
- name: (basic.yml) Change DefaultLimitNOFILE to 1048576
lineinfile:
dest: /etc/systemd/system.conf
state: present
regexp: '^DefaultLimitNOFILE'
line: 'DefaultLimitNOFILE=1048576'
insertafter: '^#DefaultLimitNOFILE'
when:
- set_default_limit_nofile|bool == true
- etc_systemd_system_conf.stat.exists == true
tags:
- systemd-nofiles
- name: (basic.yml) Check file '/etc/security/limits.conf.ORIG' exists
stat:
path: /etc/security/limits.conf.ORIG
register: etc_security_limits_conf_ORIG
tags:
- limits-conf
- name: (basic.yml) Backup installation version of file '/etc/security/limits.conf'
command: cp -a /etc/security/limits.conf /etc/security/limits.conf.ORIG
when: etc_security_limits_conf_ORIG.stat.exists == False
tags:
- limits-conf
- name: (basic.yml) Create new sshd_config from template limits.conf.j2
template:
src: etc/security/limits.conf.j2
dest: /etc/security/limits.conf
owner: root
group: root
mode: 0644
tags:
- limits-conf
# - /etc/hosts
- name: (basic.yml) Check file '/etc/hosts.ORIG' exists
stat:
path: /etc/hosts.ORIG
register: etc_hosts_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_hosts
- name: (basic.yml) Backup installation version of file '/etc/hosts'
command: cp -a /etc/hosts /etc/hosts.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_hosts_ORIG.stat.exists == False
tags:
- etc_hosts
- name: (basic.yml) addjust '/etc/hosts' add nis-server ..
lineinfile:
path: /etc/hosts
regexp: '^192\.168\.'
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
when:
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- etc_hosts
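Review bot: The task `Check file '/etc/systemd/system.conf' exists` stats `path: /etc/systemd/system`, the drop-in directory, not the file, so `etc_systemd_system_conf.stat.exists` is true on every systemd host and the following lineinfile runs even where /etc/systemd/system.conf is absent, where it fails because no `create` is set; change it to `path: /etc/systemd/system.conf`. Two task names mislead: `Create new sshd_config from template limits.conf.j2` writes /etc/security/limits.conf, and `addjust '/etc/hosts' add nis-server ..` has a typo. The `regexp: '^192\.168\.'` on /etc/hosts replaces the last line starting with 192.168., which on a host with several private-range entries need not be the nis-server line; anchoring on `{{ nis_server_name }}` rather than on the address prefix is safer.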


@ -0,0 +1,152 @@
---
# ---
# Cups Server
# ---
- name: (cups-install.yml) Ensure CUPS packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_cups_buster }}'
state: present
when:
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10"
tags:
- cups-server
# ---
# Cups clients
# ---
- name: (cups.yml) Ensure CUPS packages clients are installed.
package:
pkg: "{{ apt_install_client_cups }}"
state: present
when:
- ansible_distribution_version == "18.04"
- ansible_architecture == "x86_64"
tags:
- cups-client
# -- file /etc/cups/cups-browsed.conf
- name: (cups.yml) Check if file '/etc/cups/cups-browsed.conf.ORIGi' exists
stat:
path: /etc/cups/cups-browsed.conf.ORIG
register: cups_browsed_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-browsed.conf file
command: cp /etc/cups/cups-browsed.conf /etc/cups/cups-browsed.conf.ORIG
when: cups_browsed_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.server.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cups-browsed.conf
template:
src: "etc/cups/cups-browsed.conf.client.j2"
dest: /etc/cups/cups-browsed.conf
owner: root
group: root
mode: 0644
notify:
Restart cups-browsed
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-client
# -- file /etc/cups/cupsd.conf
- name: (cups.yml) Check if file '/etc/cups/cupsd.conf.ORIG' exists
stat:
path: /etc/cups/cupsd.conf.ORIG
register: cupsd_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cupsd.conf file
command: cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.ORIG
when: cupsd_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.server.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- cups-server
- name: (cups.yml) update configuration file client - /etc/cups/cupsd.conf
template:
src: "etc/cups/cupsd.conf.client.j2"
dest: /etc/cups/cupsd.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
when:
- groups['client_pc']|string is search(inventory_hostname)
tags:
- cups-server
# -- file /etc/cups/cups-files.conf
- name: (cups.yml) Check if file '/etc/cups/cups-files.conf.ORIGi' exists
stat:
path: /etc/cups/cups-files.conf.ORIG
register: cups_files_conf_orig_exists
tags:
- cups-server
- cups-client
- name: (cups.yml) Backup /etc/cups/cups-files.conf file
command: cp /etc/cups/cups-files.conf /etc/cups/cups-files.conf.ORIG
when: cups_files_conf_orig_exists.stat.exists == False
tags:
- cups-server
- cups-client
- name: (cups.yml) update configuration file server - /etc/cups/cups-files.conf
template:
src: "etc/cups/cups-files.conf.j2"
dest: /etc/cups/cups-files.conf
owner: root
group: root
mode: 0644
notify:
Restart cups
tags:
- cups-server
- cups-client
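Review bot: The task `update configuration file client - /etc/cups/cupsd.conf` is tagged `cups-server` although its `when` targets `client_pc`; the parallel cups-browsed client task uses `cups-client`, so `--tags cups-client` silently skips the client cupsd.conf and `--tags cups-server` touches clients — tag it `- cups-client`. Two stat task names say `.ORIGi`, and most names in this file are prefixed `(cups.yml)` while the first task (and the main.yml import) call it cups-install.yml. The three backups use plain `cp` rather than the `cp -a` used elsewhere in the commit; cupsd.conf is typically not world-readable, so the .ORIG copy may end up with broader permissions than the original, which `cp -a` would preserve.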


@ -0,0 +1,66 @@
---
# ---
# Default reposotories
# ---
- name: (git.yml) Install/Update default repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_default_repositories }}'
loop_control:
label: "{{ item.name }}"
tags:
- git-default-repositories
# ---
# Group [file_server] reposotories
# ---
- name: (git.yml) Install/Update file_server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_oopen_server_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- git-file-server-repositories
# ---
# Group [samba_server] reposotories
# ---
- name: (git.yml) Install/Update samba server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_samba_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['samba_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
- git-samba-server-repositories
# ---
# Group [gateway_server] reposotories
# ---
- name: (git.yml) Install/Update gateway repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_gateway_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['gateway_server']|string is search(inventory_hostname)"
tags:
- git-gateway-server-repositories
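Review bot: None of the four git tasks sets `version:`, so every run updates each checkout to whatever the remote's default branch currently points at, and a change pushed to any of those repositories lands on the servers unreviewed on the next run; carry a tag or commit per entry and pass it as `version: "{{ item.version }}"`. `ignore_errors: True` on the samba task hides clone and update failures completely; prefer `register:` with a `failed_when:` that names the tolerable case, or drop it. The loop variable `git_oopen_server_repositories` looks like a typo given the `file_server` comment above it — confirm it matches the name in the role's defaults.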


@ -1,5 +1,79 @@
---
# tags supported inside basic.yml
#
# timezone
# locales
# systemd-nofiles
- import_tasks: basic.yml
tags:
- basic
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside apt.yml
#
# apt-update
# apt-upgrade
# apt-dpkg-configure
# apt-initial-install
# apt-microcode
# apt-remove
# apt-autoremove
# apt-clean
- import_tasks: apt.yml
tags: apt
# tags supportetd inside git.yml
#
# git-default-repositories
# git-file-server-repositories
# git-gateway-server-repositories
- import_tasks: git.yml
tags: git
# tags supported inside nis_user.yml:
#
# nis-user
# system-user
- import_tasks: nis-user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-user
# tags supported inside ntp.yml:
#
# ntp-server
- import_tasks: ntp.yml
tags:
- ntp
# tags supported inside cups-install.yml:
#
# cups-server
# cups-client
- import_tasks: cups-install.yml
tags:
- cups
## tags supported inside pure-ftpd-install.yml:
##
#- import_tasks: pure-ftpd-install.yml
# when:
# - groups['ftp_server']|string is search(inventory_hostname)
# tags:
# - pure-ftpd
# tags supported inside nfs.yml:
#
@ -9,6 +83,33 @@
tags:
- nfs
# tags supported inside samba-install.yml:
#
# samba-server
# samba-client
- import_tasks: samba-install.yml
tags:
- samba-install
- samba
# tags supported inside samba-remove-user.yml:
#
- import_tasks: samba-remove-user.yml
tags:
- samba-remove-user
# tags supported inside system-user.yml:
#
# system-user
- import_tasks: system-user.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- system-user
# tags supported inside nfs.yml:
#
# nis-install-server
@ -16,6 +117,7 @@
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
# tags supported inside nfs.yml:
#
@ -24,34 +126,91 @@
when: "groups['nis_client']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-client
# tags supported inside nis_samba_user.yml:
# tags supported inside samba_user.yml:
#
# samba-user
# nis-user
# system-user
- import_tasks: nis_samba_user.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
- import_tasks: samba-user.yml
when: "groups['samba_server']|string is search(inventory_hostname)"
tags:
- nis-samba-user
- import_tasks: user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported inside sudoers.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
- import_tasks: mount_samba_shares.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- samba-shares
- import_tasks: mount_samba_shares.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- samba-shares
# tags supported system-user-systemfiles.yml:
#
# profile
# bashrc
# vimrc
- import_tasks: system-user-systemfiles.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
# tags supported nis-user-systemfiles.yml:
#
# profile
# bashrc
# vimrc
- import_tasks: nis-user-systemfiles.yml
when: "groups['nis_server']|string is search(inventory_hostname)"
tags:
- user-systemfiles
- nis-user-systemfiles
# tags supported root-files-scripts.yml:
# wakeup_lan
- import_tasks: root-files-scripts.yml
tags:
- root-files-scripts
# tags supported inside sudoers-pc.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-pc.yml
when: "groups['client_pc']|string is search(inventory_hostname)"
tags:
- sudoers
# tags supported inside sudoers-server.yml:
#
# sudoers-remove
# sudoers-file-configuration
# sudoers-global-configuration
- import_tasks: sudoers-server.yml
when: "groups['file_server']|string is search(inventory_hostname)"
tags:
- sudoers
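Review bot: The comment blocks reading `# tags supported inside nfs.yml:` above the nis-install-server and nis-install-client imports describe the wrong file; they should read `# tags supported inside nis-install-server.yml:` and `# tags supported inside nis-install-client.yml:` with `nis-install` and the server/client tag listed beneath. The import of `mount_samba_shares.yml` appears twice with identical `when` and tags; if both survive on the new side that is a duplicate import rather than a rendering artefact and one should go. Likewise `sudoers.yml` and `sudoers-pc.yml` are both gated on client_pc under the `sudoers` tag; if sudoers-pc.yml replaces sudoers.yml, the old import should be removed.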


@ -145,7 +145,7 @@
- name: (nis-install-client.yml) Add nis-server to file /etc/hosts
lineinfile:
path: /etc/hosts
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[1] }}'
line: '{{ nis_server_address }} {{ nis_server_name }} {{ nis_server_name.split(".")[0] }}'
insertafter: EOF
state: present
owner: root
@ -160,7 +160,7 @@
# /etc/nsswitch.conf
# ---
- name: (nis.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
- name: (nis-install-client.yml) Check if file '/etc/nsswitch.conf.ORIG' exists
stat:
path: /etc/nsswitch.conf.ORIG
register: nsswitch_conf_orig_exists
@ -168,7 +168,7 @@
- nis-install
- nis-install-client
- name: (nis.yml) Backup existing file /etc/nsswitch.conf
- name: (nis-install-client.yml) Backup existing file /etc/nsswitch.conf
command: cp -a /etc/nsswitch.conf /etc/nsswitch.conf.ORIG
when:
- nsswitch_conf_orig_exists.stat.exists == False
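Review bot: The `Add nis-server to file /etc/hosts` lineinfile has no `regexp`, so when `nis_server_address` or `nis_server_name` changes the old entry stays and a second line is appended, and the stale mapping is typically the one the resolver finds first; give it `regexp: '\s{{ nis_server_name }}(\s|$)'` (or match on the address) so the line is replaced in place. The task's remaining parameters continue past the hunk.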


@ -4,6 +4,16 @@
# Install nis
# ---
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
tags:
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Set (nis) default domain (/etc/defaultdomain)
template:
dest: /etc/defaultdomain
@ -15,15 +25,16 @@
- nis-install
- nis-install-server
- name: (nis-install-server.yml) Install nis common packages
package:
name: "{{ item }}"
state: present
with_items: "{{ nis_common_packages }}"
register: nis_installed
- name: (nis-install-server.yml) Create preconfigured /etc/yp.conf on nis clients
template:
dest: /etc/yp.conf
src: etc/yp.conf.j2
owner: root
group: root
mode: 0644
tags:
- nis-install
- nis-install-server
- nis-install-client
# ---
@ -85,14 +96,14 @@
- nis-install
- nis-install-server
- name: (nis-install-client.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
- name: (nis-install-server.yml) Comment line like '0.0.0.0 ..' to file /etc/ypserv.securenets
replace:
path: /etc/ypserv.securenets
regexp: '^(0.0.0.0\s+.*)'
replace: '#\1'
tags:
- nis-install
- nis-install-client
- nis-install-server
- name: (nis-install-server.yml) Add '255.255.0.0 192.168.0.0' to file /etc/ypserv.securenets
lineinfile:
@ -105,7 +116,7 @@
mode: '0644'
tags:
- nis-install
- nis-install-client
- nis-install-server
- name: (nis-install-server.yml) Add '255.0.0.0 10.0.0.0' to file /etc/ypserv.securenets
lineinfile:
@ -134,13 +145,13 @@
- name: (nis-install-server.yml) Ensure directoriy 'nis_base_home' (usually /data/home) exists
file:
path: '{{ nis_base_home}}'
path: '{{ nis_base_home }}'
owner: root
group: root
mode: '0755'
state: directory
when:
- "groups['nfs_server']|string is search(inventory_hostname)"
- "groups['nis_server']|string is search(inventory_hostname)"
tags:
- nis-install
- nis-install-server
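Review bot: The ypserv.securenets tasks comment out the `0.0.0.0` wildcard but then admit the whole of `192.168.0.0/16` and `10.0.0.0/8`; ypserv answers map queries, which may include the passwd hashes, to every host in securenets, so narrow these to the LAN prefixes actually in use, ideally driven by a variable such as `nis_securenets` rather than two hard-coded tasks. The regexp `'^(0.0.0.0\s+.*)'` leaves the dots unescaped, so it matches more than the literal address; `'^(0\.0\.0\.0\s+.*)'` is exact. The rename to `(nis-install-server.yml)` and the tag swap to `nis-install-server` are consistent with the file.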


@ -0,0 +1,183 @@
---
# ---
# Check if local template directories exists
# ---
# nis_users
- name: (nis-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_nis_user
# --
# Copy .profile
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (nis-user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (nis-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (nis-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile.j2
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (nis-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (nis-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (nis-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# --
# Copy .vimrc
# ---
- name: (nis-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (nis-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (nis-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (nis-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_nis_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc
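Review bot: `copy .vim directory if it exists` copies a directory tree with `mode: 0644`; depending on the Ansible version that mode may also be applied to the directories it creates, and a 0644 directory cannot be traversed even by its owner, so vim would not be able to read its own configuration. Set `directory_mode: '0755'` alongside `mode: '0644'`, or use `mode: preserve`. The `copy default …` tasks are gated on `item.stat.exists == false` over `local_template_dir_nis_user`, so a user whose template directory exists but lacks `_bashrc` gets neither the per-user nor the default file; if the default is meant as a fallback, gate it on the `fileglob` result being empty instead. The `when: - item.stat.exists == False` forms read better as `not item.stat.exists`.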


@ -0,0 +1,175 @@
---
# ---
# - Remove unwanted users
# ---
- name: (nis_user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
- name: (nis_user.yml) Remove home directory from deleted users
file:
path: '{{ nis_base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- nis-user
- system-user
# ---
# - default user/groups
# ---
- name: (nis_user.yml) Ensure nis groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ nis_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- nis-user
- system-user
#- meta: end_host
- name: (nis_user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- nis-user
- system-user
- name: (nis_user.yml) Add nis (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_user.yml) Ensure nis users exists
user:
name: '{{ item.name }}'
state: present
uid: '{{ item.user_id | default(omit) }}'
#group: '{{ item.0.name | default(omit) }}'
groups: "{{ item.groups|join(', ') }}"
home: '{{ nis_base_home }}/{{ item.name }}'
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password | password_hash('sha512') }}"
update_password: on_create
append: yes
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
notify: Renew nis databases
tags:
- nis-user
- system-user
- name: (nis_user.yml) Check if directory ~/.config/autostart exists
stat:
path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart'
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: home_config_autostart
tags:
- nis-user
- x11vnc
- name: (nis_user.yml) Ensure directory ~/.config/autostart if not exists
file:
path: '{{ nis_base_home }}/{{ item.item.name }}/.config/autostart'
state: directory
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0700
recurse: yes
loop: "{{ home_config_autostart.results }}"
loop_control:
label: '{{ item.item.name }}'
when : not item.stat.exists|bool
tags:
- nis-user
- x11vnc
#- name: (nis_user.yml) Ensure directory ~/.config/autostart if not exists
# file:
# path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart'
# state: directory
# owner: "{{ item.name }}"
# group: "{{ item.name }}"
# mode: 0700
# recurse: yes
# loop: "{{ nis_user }}"
# loop_control:
# label: '{{ item.name }}'
# tags:
# - nis-user
# - x11vnc
- name: (nis_user.yml) Check if file ~/.config/autostart/x11vnc.desktop exists
stat:
path: '{{ nis_base_home }}/{{ item.name }}/.config/autostart/x11vnc.desktop'
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
register: home_config_autostart_x11vnc
tags:
- nis-user
- x11vnc
- name: (nis_user.yml) Ensure file ~/.config/autostart/x11vnc.desktop exists
copy:
src: "{{ role_path + '/files/USER_HOME/.config/autostart/x11vnc.desktop' }}"
dest: '{{ nis_base_home }}/{{ item.item.name }}/.config/autostart/x11vnc.desktop'
owner: '{{ item.item.name }}'
group: '{{ item.item.name }}'
mode: 0600
loop: "{{ home_config_autostart_x11vnc.results }}"
loop_control:
label: '{{ item.item.name }}'
tags:
- nis-user
- x11vnc
#- name: (nis_user.yml) Ensure file ~/.config/autostart/x11vnc.desktop exists
# copy:
# src: "{{ role_path + '/files/USER_HOME/.config/autostart/x11vnc.desktop' }}"
# dest: '{{ nis_base_home }}/{{ item.name }}/.config/autostart/x11vnc.desktop'
# owner: '{{ item.name }}'
# group: '{{ item.name }}'
# mode: 0600
# loop: "{{ nis_user }}"
# loop_control:
# label: '{{ item.name }}'
# tags:
# - nis-user
# - x11vnc
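Review bot: `Add nis (system) users if not yet exists..` passes the clear-text password as a shell argument (`'{{ item.password }}'`), so it is visible in process listings on the server for as long as the script runs and, because the task has no `no_log: true`, in Ansible's output and logs; the same clear-text `item.password` values feed the `user` task right after it. Add `no_log: true` to both tasks, quote the interpolations (`{{ item.name | quote }} {{ item.password | quote }}`) so a name or password containing a quote cannot break the command, and consider handing the password to the script on stdin instead of argv. The stat result `home_config_autostart_x11vnc` is never used as a condition — the following copy loops over its results unconditionally — so that check task does nothing the idempotent copy does not already do. `when : not item.stat.exists|bool` has a stray space before the colon.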


@ -0,0 +1,47 @@
---
# ---
# NTP Server
# ---
- name: (ntp.yml) Ensure ntp package is installed.
apt:
name:
- ntp
state: present
when:
- ansible_os_family == "Debian"
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
stat:
path: /etc/ntp.conf.ORIG
register: etc_ntp_conf_ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
when:
- groups['file_server']|string is search(inventory_hostname)
- etc_ntp_conf_ORIG.stat.exists == False
tags:
- ntp-server
- name: (ntp.yml) Update '/etc/ntp.conf'
template:
src: "etc/ntp.conf.j2"
dest: /etc/ntp.conf
owner: root
group: root
mode: 0644
notify: Restart ntp
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- ntp-server
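Review bot: The host-selection test `groups['file_server']|string is search(inventory_hostname)` on the `when:` lines of every task here is a regex substring search over the stringified group list, not a membership check: a host named `srv1` also matches an inventory that contains `srv10`, and a dot in an FQDN-style inventory name matches any character. That lets the ntp package and config land on hosts that were never put in `file_server`. Use list membership instead: `- inventory_hostname in groups['file_server']`. The same test recurs in the other task files of this commit and should be replaced there as well.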


@ -0,0 +1,51 @@
---
- name: (root_files_scripts.yml) Ensure directory /root/bin exists
file:
path: /root/bin
owner: root
group: root
mode: '0700'
state: directory
when:
- groups['file_server']|string is search(inventory_hostname)
- name: (root_files_scripts.yml) Ensure script 'wakeup_lan.sh' is present
template:
src: "root/bin/wakeup_lan.sh.j2"
dest: /root/bin/wakeup_lan.sh
owner: root
group: root
mode: 0755
when:
- groups['file_server']|string is search(inventory_hostname)
tags:
- wakeup_lan
- name: (root_files_scripts.yml) Check file '/etc/motd.ORIG' exists
stat:
path: /etc/motd.ORIG
register: etc_motd_ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
tags:
- etc_motd
- name: (basic.yml) Backup installation version of file '/etc/motd'
command: cp -a /etc/motd /etc/motd.ORIG
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd
- name: (root_files_scripts.yml) Write new '/etc/motd' file..
shell: >
figlet '{{ nis_server_name.split(".")[0] }}' > /etc/motd
when:
- "groups['file_server']|string is search(inventory_hostname)"
- etc_motd_ORIG.stat.exists == False
tags:
- etc_motd
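Review bot: The motd task interpolates `nis_server_name` into a shell command inside single quotes, so a quote character in that variable breaks out of the argument; shell-escape it instead, `figlet {{ nis_server_name.split(".")[0] | quote }} > /etc/motd`. The task is also gated on `/etc/motd.ORIG` being absent, a stat taken before the backup task just above creates that file, so it runs exactly once per host and a later change to `nis_server_name` is never written (I assume that is unintended). Its name still says `(basic.yml)` while the file is root_files_scripts.yml, and nothing in this file ensures `figlet` is installed, so the shell step fails on a fresh host unless the package is pulled in elsewhere.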


@ -0,0 +1,185 @@
---
# ---
# Samba Server
# ---
- name: (samba-install.yml) Ensure samba packages server (buster) are installed.
package:
pkg: '{{ apt_install_server_samba }}'
state: present
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Ensure samba share directories exists
file:
path: "{{ item.path }}"
owner: "root"
group: "{{ item.group_write_list }}"
mode: '2770'
state: directory
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-shares
# ---
# /etc/samba/smb.conf
# ---
- name: (samba-install.yml) Check if file '/etc/samba/smb.conf.ORIG exists'
stat:
path: /etc/samba/smb.conf.ORIG
register: smb_conf_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- name: (samba-install.yml) Backup existing file /etc/samba/smb.conf
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- smb_conf_exists.stat.exists == False
tags:
- samba-server
- name: (samba-install.yml) /etc/samba/smb.conf
template:
dest: /etc/samba/smb.conf
src: etc/samba/smb.conf.j2
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
- name: (samba-install.yml) Ensure file /etc/samba/users.map exists
copy:
src: "{{ role_path + '/files/etc/samba/users.map' }}"
dest: /etc/samba/users.map
owner: root
group: root
mode: 0644
when:
- "groups['samba_server']|string is search(inventory_hostname)"
notify:
- Restart smbd
- Restart nmbd
tags:
- samba-server
# ---
# Cronjob for cleaning up samba trash dirs
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat:
path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: (samba-install.yml) Adjust configuration for script 'clean_samba_trash.sh'
template:
dest: /root/bin/samba/conf/clean_samba_trash.conf
src: root/bin/samba/conf/clean_samba_trash.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_exists.stat.exists|bool
tags:
- samba-server
- name: Check if cleaning up trash dirs is configured
lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
state: absent
check_mode: yes
changed_when: false
register: clean_samba_trash_dirs
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_trash_dirs.name }}'
minute: '{{ samba_cronjob_trash_dirs.minute }}'
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
# ---
# Cronjob for setting permissions on samba shares
# ---
- name: (samba-install.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat:
path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- name: (samba-install.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- set_permissions_on_samba_shares_exists.stat.exists|bool
tags:
- samba-server
- name: Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_permissions.name }}'
minute: '{{ samba_cronjob_permissions.minute }}'
hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month| default('*') }}"
weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}"
user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
# ---
# Samba clients
# ---
- name: (samba-install.yml) Ensure samba packages clients are installed.
package:
pkg: "{{ apt_install_client_samba }}"
state: present
when:
- "groups['nis_client']|string is search(inventory_hostname)"
- ansible_distribution == "Ubuntu"
tags:
- samba-client
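Review bot: The trash-dir cron task reads its schedule from the wrong keys: `samba_cronjob_trash_dirs.hour.day`, `.hour.month` and `.hour.weekday` (the three lines after `hour:`) look up attributes of the hour value, so with `default('*')` they at best silently always yield `*` and any configured day/month/weekday is ignored; they should read `day: "{{ samba_cronjob_trash_dirs.day | default('*') }}"` and likewise for month and weekday, as the permissions cron task further down already does. That second cron task is in turn still named "cleaning up samba trash dirs" and gated on `clean_samba_trash_dirs.found`, which belongs to the trash job, so the permissions job is created or skipped based on the other job's configuration. The smb.conf template task replaces the live config with no syntax check before smbd/nmbd are restarted; `validate: 'testparm -s %s'` lets Ansible reject a broken render instead.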


@ -0,0 +1,57 @@
---
# ---
# - Remove unwanted users
# ---
- name: (samba-remove-user.yml) Check if samba user exists for removable system user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_system_users_present
changed_when: "samba_remove_system_users_present.rc == 0"
failed_when: "samba_remove_system_users_present.rc > 1"
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) system users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_system_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user
- name: (samba-remove-user.yml) Check if samba user exists for removable nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_remove_nis_users_present
changed_when: "samba_remove_nis_users_present.rc == 0"
failed_when: "samba_remove_nis_users_present.rc > 1"
with_items:
- "{{ remove_nis_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- samba-user
- name: (samba-remove-user.yml) Remove (old) nis users from samba
shell: >
smbpasswd -s -x {{ item.item.name }}
with_items:
- "{{ samba_remove_nis_users_present.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.changed
tags:
- samba-user
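Review bot: The existence check `grep '{{ item.name }}'` is an unanchored regex match over the user list, so a removal entry `bob` is also reported present when only `bobby` exists and `smbpasswd -x` is then run for a name that has no samba account. Make it an exact, literal match: `pdbedit -L | cut -d: -f1 | grep -qxF -- '{{ item.name }}'`. Dropping `-w` also stops the smbpasswd-format dump, NT hashes included, from being passed through the pipeline for a check that only needs usernames. The nis-user variant below uses the same pattern and needs the same change.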


@ -0,0 +1,30 @@
---
# ---
# - default user/groups
# ---
- name: (samba-user.yml) Check if samba user exists for nis user
shell: pdbedit -w -L | awk -F":" '{ print $1 }' | grep '{{ item.name }}'
register: samba_nis_user_present
changed_when: "samba_nis_user_present.rc == 1"
failed_when: "samba_nis_user_present.rc > 1"
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- samba-user
- name: (samba-user.yml) Add nis user to samba (with nis users password)
shell: >
(echo '{{ item.item.password }}'; echo '{{ item.item.password }}')
| smbpasswd -s -a {{ item.item.name }}
loop: "{{ samba_nis_user_present.results }}"
when: item.changed
loop_control:
label: '{{ item.item.name }}'
tags:
- samba-user
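Review bot: The `smbpasswd -a` task places the clear-text password on a `/bin/sh -c` command line, where it is visible in the process list while the command runs and, since the task has no `no_log`, is printed in verbose run output and kept in the task result; add `no_log: true` to this task and to the check task above it, whose registered `results[].item` entries carry the same password. A quote in the password also terminates the single-quoted `echo` argument, so escape it: `(echo {{ item.item.password | quote }}; echo {{ item.item.password | quote }})`. Feeding the password on stdin to `smbpasswd -s` is the right approach; the shell module's `stdin:` argument would do that without putting the secret on a command line at all.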


@ -0,0 +1,29 @@
---
- name: (sshd.yml) Check file '/etc/ssh/sshd_config.ORIG' exists
stat:
path: /etc/ssh/sshd_config.ORIG
register: etc_sshd_sshd_config_ORIG
tags:
- sshd-config
- name: (sshd.yml) Backup installation version of file '/etc/ssh/sshd_config'
command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
when: etc_sshd_sshd_config_ORIG.stat.exists == False
tags:
- sshd-config
- name: (sshd.yml) Create new sshd_config from template sshd_config.j2
template:
src: etc/ssh/sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
validate: 'sshd -f %s -T'
#backup: yes
notify: "Restart ssh"
tags:
- sshd-config
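Review bot: The stat-then-`cp` pair at the top can be one idempotent task by letting the command module carry the guard: keep `command: cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG` and add `args: {creates: /etc/ssh/sshd_config.ORIG}`; that also makes the task behave in `--check` mode, which a bare `command` does not. If the separate stat is kept, `when: not etc_sshd_sshd_config_ORIG.stat.exists` reads better than the `== False` comparison. The `validate: 'sshd -f %s -T'` on the template task is the right safeguard for a file whose breakage locks out remote access; as far as I recall `-T` also needs the host keys named in the rendered config to be present, so a missing key file will show up as a validation failure rather than at restart.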


@ -1,8 +1,8 @@
---
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
- name: (sudoers-pc.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.j2
src: etc/sudoers.d/50-user.pc.j2
dest: /etc/sudoers.d/50-user
validate: visudo -cf %s
owner: root
@ -11,9 +11,9 @@
tags:
- sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
- name: (sudoers-pc.yml) update global sudoers configuration file
template:
src: etc/sudoers.j2
src: etc/sudoers.pc.j2
dest: /etc/sudoers
owner: root
group: root
@ -22,11 +22,11 @@
tags:
- sudoers-global-configuration
- name: (sudoers.yml) Ensure all sudo_users are in sudo group
- name: (sudoers-pc.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_users }}"
with_items: "{{ sudo_pc_users }}"
tags:
- sudo-users


@ -0,0 +1,57 @@
---
#- name: (sudoers-server.yml) include variables
# include_vars: "{{ item }}"
# with_first_found:
# - "sudoers-{{ inventory_hostname }}.yml"
# - "sudoers-{{ ansible_distribution_release }}.yml"
# - "sudoers-{{ ansible_distribution | lower }}.yml"
# - "sudoers-default.yml"
# tags:
# - sudoers-remove
# - sudoers-file-configuration
# - sudoers-global-configuration
- name: (sudoers-server.yml) Remove user entries in file /etc/sudoers
lineinfile:
dest: /etc/sudoers
state: absent
regexp: '^{{ item }}'
owner: root
group: root
mode: 0440
validate: visudo -cf %s
with_items: '{{ sudoers_server_remove_user }}'
tags:
- sudoers-remove
- name: (sudoers-server.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.d/50-user.server.j2
dest: /etc/sudoers.d/50-user
#validate: visudo -cf %s
owner: root
group: root
mode: 0440
tags:
- sudoers-file-configuration
- name: (sudoers-server.yml) update global sudoers configuration file
template:
src: etc/sudoers.server.j2
dest: /etc/sudoers
owner: root
group: root
mode: 0440
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- name: (sudoers-server.yml) Ensure all sudo_users are in sudo group
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudo_server_users }}"
tags:
- sudo-users
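Review bot: Both template tasks write `/etc/sudoers.d/50-user` and `/etc/sudoers` with `#validate: visudo -cf %s` commented out, so a rendering mistake in either template replaces the live sudoers with a file sudo refuses to parse and every sudo invocation on the server fails until someone logs in as root; re-enable `validate: 'visudo -cf %s'` on both, as the 50-user task in sudoers-pc.yml does. The removal task's `regexp: '^{{ item }}'` is a prefix match, so removing `bob` also deletes a line for `bobby`, and a dot in a name matches any character; anchor and escape it, `regexp: '^{{ item | regex_escape }}\s'`. The commented-out `include_vars` block at the top should either be finished or dropped so the file does not carry dead configuration.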


@ -0,0 +1,278 @@
---
# ---
# Check if local template directories exists
# ---
# system_user
- name: (system-user-systemfiles.yml) Check if local template directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_system_users
# root
- name: (system-user-systemfiles.yml) Check if local template directory exists for root
local_action: stat path={{ inventory_dir }}/files/homedirs/root
register: local_template_dir_root
# --
# Copy .profile
# ---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
tags:
- profile
- name: (system-user-systemfiles.yml) copy default .profile if it exists
template:
src: files/homedirs/DEFAULT/_profile
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
- lookup('fileglob', inventory_dir + '/files/homedirs/DEFAULT/_profile')
tags:
- profile
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
path: /root/.profile.ORIG
register: profile_root_orig_exists
tags:
- profile
- name: (system-user-systemfiles.yml) Backup existing users .profile file
command: cp -a /root/.profile /root/.profile.ORIG
when: profile_root_orig_exists.stat.exists == False
tags:
- profile
- name: (system-user-systemfiles.yml) copy .profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}"
dest: "/root/.profile"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
tags:
- profile
# --
# Copy .bashrc
# ---
- name: (system-user-systemfiles.yml) Check if users file '.bashrc.ORIG' exists
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- bashrc
- name: (system-user-systemfiles.yml) Backup existing users .bashrc file
command: cp -a ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
tags:
- bashrc
- name: (system-user-systemfiles.yml) copy default .bashrc if it exists
copy:
src: files/homedirs/DEFAULT/_bashrc
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- bashrc
# -- root user
- name: (system-user-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
register: bashrc_root_orig_exists
tags:
- bash
- name: (system-user-systemfiles.yml) Backup /root/.bashrc file
command: cp /root/.bashrc /root/.bashrc.ORIG
when: bashrc_root_orig_exists.stat.exists == False
tags:
- bash
- name: (system-user-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}"
dest: "/root/.bashrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
tags:
- bash
# --
# Copy .vimrc
# ---
- name: (system-user-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (system-user-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy default .vimrc if it exists
copy:
src: files/homedirs/DEFAULT/_vimrc
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_system_users.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists == false
tags:
- vimrc
- name: (system-user-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}"
dest: "/root/.vimrc"
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
tags:
- vimrc
- name: (system-user-systemfiles.yml) Check if local template directory .vim exists for user root
local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim
register: local_template_dir_vim_root
with_items: 'root'
loop_control:
label: 'root'
- name: (system-user-systemfiles.yml) copy .vim directory for user root if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}"
dest: "/root"
owner: "root"
group: "root"
mode: 0644
with_items: "{{ local_template_dir_vim_root.results }}"
loop_control:
label: 'root'
when:
- item.stat.exists
tags:
- vim
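Review bot: The "copy default .bashrc if it exists" and "copy default .vimrc if it exists" tasks have no existence guard, unlike the `.profile` counterpart which also requires `lookup('fileglob', inventory_dir + '/files/homedirs/DEFAULT/_profile')`; for a user without a per-user template directory they fail outright when the DEFAULT file is missing instead of being skipped as their names promise. Add the matching condition, e.g. `- lookup('fileglob', inventory_dir + '/files/homedirs/DEFAULT/_bashrc')`, and note that these two tasks use the relative `src: files/homedirs/DEFAULT/...` while every other task resolves against `inventory_dir`, so guard and copy may not look at the same file if the inventory and playbook directories differ. The `.profile` default goes through `template:` where the `.bashrc` and `.vimrc` defaults use `copy:`; if `_profile` is meant to be rendered, a comment saying so would help, otherwise make them consistent.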


@ -0,0 +1,64 @@
---
# ---
# - Remove unwanted users
# ---
- name: (user.yml) Remove (old) users from system
user:
name: '{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
- name: (user.yml) Remove home directory from deleted users
file:
path: '{{ base_home }}/{{ item.name }}'
state: absent
with_items:
- "{{ remove_system_users }}"
loop_control:
label: '{{ item.name }}'
tags:
- system-user
# ---
# - default user/groups
# ---
- name: (user.yml) Ensure system groups exists
group:
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
loop: "{{ system_groups }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
notify: Renew nis databases
tags:
- system-user
#- meta: end_host
- name: (system-user.yml) Get database of nis (system) users
getent:
database: passwd
tags:
- system-user
- name: (system-user.yml) Add (system) users if not yet exists..
shell: "/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'"
loop: "{{ system_users }}"
loop_control:
label: '{{ item.name }}'
when:
- item.name not in getent_passwd
notify: Renew nis databases
tags:
- system-user
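Review bot: The add-user task puts each clear-text password on a shell command line, `/root/bin/admin-stuff/add_new_user.sh {{ item.name }} '{{ item.password }}'`, where it is visible in the process list while the script runs and, because the task has no `no_log`, in verbose output and the task result; add `no_log: true` and shell-escape both arguments with `| quote` so a quote in a password cannot break out of the argument. If the script only creates the account and sets its password, the `user` module with `password: "{{ item.password | password_hash('sha512') }}"` does the same without exposing the secret to `ps` at all. The group task's `when: item.group_id is defined` makes the `default(omit)` on `gid` dead code, which is harmless but misleading.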


@ -1,39 +0,0 @@
---
- name: (user-systemfiles.yml) Check if users file '.profile.ORIG' exists
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile
- name: (user-systemfiles.yml) Backup existing users .profile file
command: cp -a ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
- item.stat.exists == False
tags:
- profile
- name: (user-systemfiles.yml) Create new users .profile file
template:
src: user_homedirs/dot.profile.j2
dest: "~{{ item.name }}/.profile"
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
loop: "{{ nis_user }}"
loop_control:
label: '{{ item.name }}'
when:
- item.is_samba_user is defined and item.is_samba_user|bool
tags:
- profile


@ -0,0 +1,28 @@
# {{ ansible_managed }}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
# Contrib packages contain DFSG-compliant software,
# but have dependencies not in main (possibly packaged for Debian in non-free).
# Non-free contains software that does not comply with the DFSG.
{% if apt_debian_contrib_nonfree_enable %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
{% endif %}
# # N.B. software from this repository may not have been tested as
# # extensively as that contained in the main release, although it includes
# # newer versions of some applications which may provide useful features.
{% if apt_backports_enable %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{% endif %}
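Review bot: The backports stanza hard-codes `main contrib non-free` and so enables non-free packages from backports even when `apt_debian_contrib_nonfree_enable` is false; gate the components on that flag, e.g. `{{ 'main contrib non-free' if apt_debian_contrib_nonfree_enable else 'main' }}`. It also switches from `ansible_lsb.codename` to `ansible_distribution_release` for the suite name; the former is only populated when lsb-release is installed on the host, so use `ansible_distribution_release` throughout. Separately, the security line assumes the `<codename>/updates` suite layout, which is correct for buster but from Debian 11 (bullseye) onward the suite is `<codename>-security`, so this line will need a conditional once hosts move past buster.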


@ -0,0 +1,746 @@
# {{ ansible_managed }}
# All configuration options described here can also be supplied on the
# command line of cups-browsed via the "-o" option. In case of
# contradicting settings the setting defined in the configuration file
# will get used.
# Unknown directives are ignored, also unknown values.
# Where should cups-browsed save information about the print queues it had
# generated when shutting down, like whether one of these queues was the
# default printer, or default option settings of the queues?
# CacheDir /var/cache/cups
# Where should cups-browsed create its debug log file (if "DebugLogging file"
# is set)?
# LogDir /var/log/cups
# How should debug logging be done? Into the file
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
# not at all ('none')?
# Note that if cups-browsed is running as a system service (for
# example via systemd) logging to stderr makes the log output going to
# the journal or syslog. Only if you run cups-browsed from the command
# line (for development or debugging) it will actually appear on
# stderr.
# DebugLogging file
# DebugLogging stderr
# DebugLogging file stderr
# DebugLogging none
# Which protocols will we use to discover printers on the network?
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
#BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols CUPS
# Which protocols will we use to broadcast shared local printers to the network?
# Can use DNSSD and/or CUPS, or 'none' for neither.
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
# DNSSD in this directive).
# BrowseLocalProtocols none
# Settings of this directive apply to both BrowseRemoteProtocols and
# BrowseLocalProtocols.
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
# BrowseProtocols none
# Only browse remote printers (via DNS-SD or CUPS browsing) from
# selected servers using the "BrowseAllow", "BrowseDeny", and
# "BrowseOrder" directives
# This serves for restricting the choice of printers in print dialogs
# to trusted servers or to reduce the number of listed printers in the
# print dialogs to a more user-friendly amount in large networks with
# very many shared printers.
# This only filters the selection of remote printers for which
# cups-browsed creates local queues. If the print dialog uses other
# mechanisms to list remote printers as for example direct DNS-SD
# access, cups-browsed has no influence. cups-browsed also does not
# prevent the user from manually accessing non-listed printers.
# "BrowseAllow": Accept printers from these hosts or networks. If
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
# line are accepted.
# "BrowseDeny": Deny printers from these hosts or networks. If there
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
# "BrowseAllow" lines, all servers NOT matching any of the
# "BrowseDeny" lines are accepted.
# "BrowseOrder": Determine the order in which "BrowseAllow" and
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
# beginning all servers are accepted, then the "BrowseDeny" lines are
# applied to exclude unwished servers or networks and after that the
# "BrowseAllow" lines to re-include servers or networks. With
# "BrowseOrder Allow,Deny" we start with denying all servers, then
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
# lines.
# Default for "BrowseOrder" is "Deny.Allow" if there are both
# "BrowseAllow" and "BrowseDeny" lines.
# If there are no "Browse..." lines at all, all servers are accepted.
# BrowseAllow All
# BrowseAllow cups.example.com
# BrowseAllow 192.168.1.12
# BrowseAllow 192.168.1.0/24
# BrowseAllow 192.168.1.0/255.255.255.0
# BrowseDeny All
# BrowseDeny printserver.example.com
# BrowseDeny 192.168.1.13
# BrowseDeny 192.168.3.0/24
# BrowseDeny 192.168.3.0/255.255.255.0
# BrowseOrder Deny,Allow
# BrowseOrder Allow,Deny
# The interval between browsing/broadcasting cycles, local and/or
# remote, can be adjusted with the BrowseInterval directive.
# BrowseInterval 60
# Browsing-related operations such as adding or removing printer queues
# and broadcasting are each allowed to take up to a given amount of time.
# It can be configured, in seconds, with the BrowseTimeout directive.
# Especially queues discovered by CUPS broadcasts will be removed after
# this timeout if no further broadcast from the server happens.
# BrowseTimeout 300
# Filtering of remote printers by other properties than IP addresses
# of their servers
# Often the desired selection of printers cannot be reached by only
# taking into account the IP addresses of the servers. For these cases
# there is the BrowseFilter directive to filter by most of the known
# properties of the printer.
# By default there is no BrowseFilter line meaning that no filtering
# is applied.
# To do filtering one can supply one or more BrowseFilter directives
# like this:
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
# The BrowseFilter directive always starts with the word
# "BrowseFilter" and it must at least contain the name of the data
# field (<FIELD>) of the printer's properties to which it should
# apply.
# Available field names are:
# name: Name of the local print queue to be created
# host: Host name of the remote print server
# port: Port through which the printer is accessed on the server
# service: DNS/SD service name of the remote printer
# domain: Domain of the remote print server
# Also all field names in the TXT records of DNS-SD-advertised printers
# are valid, like "color", "duplex", "pdl", ... If the field name of
# the filter rule does not exist for the printer, the rule is skipped.
# The optional <VALUE> field is either the exact value (when the
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
# in a terminal window) to be matched with the data field.
# If no <VALUE> filed is supplied, rules with field names of the TXT
# record are considered for boolean matching (true/false) of boolean
# field (like duplex, which can have the values "T" for true and "F"
# for false).
# If the option NOT is supplied, the filter rule is fulfilled if the
# regular expression or the exact value DOES NOT match the content of
# the data field. In a boolean rule (without <VALUE>) the rule matches
# false.
# Regular expressions are always considered case-insensitive and
# extended POSIX regular expressions. Field names and options (NOT,
# EXACT) are all evaluated case-insensitive. If there is an error in a
# regular expression, the BrowseFilter line gets ignored.
# Especially to note is that supplying any simple string consisting of
# only letters, numbers, spaces, and some basic special characters as
# a regular expression matches if it is contained somewhere in the
# data field.
# If there is more than one BrowseFilter directive, ALL the directives
# need to be fulfilled for the remote printer to be accepted. If one
# is not fulfilled, the printer will get ignored.
# Examples:
# Rules for standard data items which are supplied with any remote
# printer advertised via DNS-SD:
# Print queue name must contain "hum_res_", this matches
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
# BrowseFilter name hum_res_
# This matches if the remote host name contains "printserver", like
# "printserver.local", "printserver2.example.com", "newprintserver":
# BrowseFilter host printserver
# This matches all ports with 631 int its number, for example 631,
# 8631, 10631,...:
# BrowseFilter port 631
# This rule matches if the DNS-SD service name contains "@ printserver":
# Browsefilter service @ printserver
# Matches all domains with "local" in their names, not only "local" but
# also things like "printlocally.com":
# BrowseFilter domain local
# Examples for rules applying to items of the TXT record:
# This rule selects PostScript printers, as the "PDL" field in the TXT
# record contains "postscript" then. This includes also remote CUPS
# queues which accept PostScript, independent of whether the physical
# printer behind the CUPS queue accepts PostScript or not.
# BrowseFilter pdl postscript
# Color printers usually contain a "Color" entry set to "T" (for true)
# in the TXT record. This rule selects them:
# BrowseFilter color
# This is a similar rule to select only duplex (automatic double-sided
# printing) printers:
# BrowseFilter duplex
# Rules with the NOT option:
# This rule EXCLUDES printers from all hosts containing "financial" in
# their names, nice to get rid of the 100s of printers of the
# financial department:
# BrowseFilter NOT host financial
# Get only monochrome printers ("Color" set to "F", meaning false, in
# the TXT record):
# BrowseFilter NOT color
# Rules with more advanced use of regular expressions:
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
# still get "hum_res_mono" or "hum_res_color" but not
# "old_hum_res_mono" any more:
# BrowseFilter name ^hum_res_
# Server names is accepted if it contains "print_server" OR
# "graphics_dep_server":
# BrowseFilter host print_server|graphics_dep_server
# "printserver1", "printserver2", and "printserver3", nothing else:
# BrowseFilter host ^printserver[1-3]$
# Printers understanding at least one of PostScript, PCL, or PDF:
# BrowseFilter pdl postscript|pcl|pdf
# Examples for the EXACT option:
# Only printers from "printserver.local" are accepted:
# BrowseFilter EXACT host printserver.local
# Printers from all servers except "prinserver2.local" are accepted:
# BrowseFilter NOT EXACT host prinserver2.local
# Use BrowsePoll to poll a particular CUPS server
# BrowsePoll cups.example.com
# BrowsePoll cups.example.com:631
# BrowsePoll cups.example.com:631/version=1.1
# LDAP browsing configuration
# The default value for all options is an empty string. Example configuration:
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
# BrowseLDAPCACertFile /path/to/server/certificate.pem
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
# BrowseLDAPFilter (printerLocation=/Office 1/*)
# BrowseLDAPPassword s3cret
# BrowseLDAPServer ldaps://ldap.domain.tld
# Use DomainSocket to access the local CUPS daemon via another than the
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
# domain socket.
# DomainSocket /var/run/cups/cups.sock
# DomainSocket None
# DomainSocket Off
# Set HTTP timeout (in seconds) for requests sent to local/remote
# resources Note that too short timeouts can make services getting
# missed when they are present and operations be unneccessarily
# repeated and too long timeouts can make operations take too long
# when the server does not respond.
# HttpLocalTimeout 5
# HttpRemoteTimeout 10
# Set how many retries (N) should cups-browsed do for creating print
# queues for remote printers which receive timeouts during print queue
# creation. The printers which are not successfuly set up even after
# N retries, are skipped until the next restart of the service. Note
# that too many retries can cause high CPU load.
# HttpMaxRetries 5
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
# local queues for remote printers for which CUPS creates queues by
# itself. These printers are printers advertised via DNS-SD and doing
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
# printing, including remote CUPS queues. Queues for other printers
# (like for legacy PostScript/PCL printers) are always created
# (depending on the other configuration settings of cups-browsed).
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
# for all printers which it supports, including printers for which
# CUPS would create queues by itself. Temporary queues created by CUPS
# will get overwritten. This way it is assured that any extra
# functionality of cups-browsed will apply to these queues. As queues
# created by cups-browsed are permanent CUPS queues this setting is
# also recommended if applications/print dialogs which do not support
# temporary CUPS queues are installed. This setting is the default.
# OnlyUnsupportedByCUPS Yes
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
# for IPP printers with PPDs generated by the PPD generator of CUPS
# and not with the one of cups-browsed. So any new development in
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
# directly accessible, we need to make CUPS generate a temporary print
# queue with the desired PPD. Therefore we can only use these PPDs
# when our queue replaces a temporary CUPS queue, meaning that the
# queue is for a printer on which CUPS supports driverless printing
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
# name is the same as CUPS uses for the temporary queue
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
# applies only to IPP printers, not to remote CUPS queues, to not
# break clustering. Setting this directive to "No" lets cups-browsed
# generate the PPD file. Default setting is "No".
# UseCUPSGeneratedPPDs No
# With the directives LocalQueueNamingRemoteCUPS and
# LocalQueueNamingIPPPrinter you can determine how the names for local
# queues generated by cups-browsed are generated, separately for
# remote CUPS printers and IPP printers.
# DNS-SD (the default in both cases) bases the naming on the service
# name of the printer's advertised DNS-SD record. This is exactly the
# same naming scheme as CUPS uses for its temporary queues, so the
# local queue from cups-browsed prevents CUPS from listing and
# creating an additional queue. As DNS-SD service names have to be
# unique, queue names of printers from different servers will also be
# unique and so there is no automatic clustering for load-balanced
# printing.
# MakeModel bases the queue name on the printer's manufacturer and
# model names. This scheme cups-browsed used formerly for IPP
# printers.
# RemoteName is only available for remote CUPS queues and uses the
# name of the queue on the remote CUPS server as the local queue's
# name. This makes printers on different CUPS servers with equal queue
# names automatically forming a load-balancing cluster as CUPS did
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
# printers. This scheme cups-browsed used formerly for remote CUPS
# printers.
# LocalQueueNamingRemoteCUPS DNS-SD
# LocalQueueNamingRemoteCUPS MakeModel
# LocalQueueNamingRemoteCUPS RemoteName
# LocalQueueNamingIPPPrinter DNS-SD
# LocalQueueNamingIPPPrinter MakeModel
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
# also does. These queues use the DNS-SD service name of the
# discovered printer. With this the URI is independent of network
# interfaces and ports, giving reliable connections to always the same
# physical device. This setting is the default.
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
# conventional host-name/IP-based URIs.
# Note that this option has only influence on URIs for printers
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
# Those printers get always assigned the conventional URIs.
# DNSSDBasedDeviceURIs Yes
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
# local queues with device URIs with the IP addresses instead of the
# host names of the remote servers. This mode is there for any
# problems with host name resolution in the network, especially also
# if avahi-daemon is only run for printer discovery and already
# stopped while still printing. By default this mode is turned off,
# meaning that we use URIs with host names.
# Note that the IP addresses depend on the network interface through
# which the printer is accessed. So do not use IP-based URIs on systems
# with many network interfaces and where interfaces can appear and
# disappear frequently.
# This mode could also be useful for development and debugging.
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
# IPBasedDeviceURIs No
# IPBasedDeviceURIs Yes
# IPBasedDeviceURIs IPv4
# IPBasedDeviceURIs IPv6
# The AllowResharingRemoteCUPSPrinters directive determines whether a
# print queue pointing to a remote CUPS queue will be re-shared to the
# local network or not. Since the queues generated using the BrowsePoll
# directive are also pointing to remote queues, they are also shared
# automatically if the following option is set. Default is not to share
# remote printers.
# AllowResharingRemoteCUPSPrinters Yes
# The NewBrowsePollQueuesShared directive determines whether a print
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
# will be shared to the local network or not. This directive will only work
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
# not to share printers discovered using BrowsePoll.
# NewBrowsePollQueuesShared Yes
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
# create local queues pointing to remote raw CUPS queues. Normally,
# only queues pointing to remote queues with PPD/driver are created
# as we do not use drivers on the client side, but in some cases
# accessing a remote raw queue can make sense, for example if the
# queue forwards the jobs by a special backend like Tea4CUPS.
# CreateRemoteRawPrinterQueues Yes
# cups-browsed by default creates local print queues for each shared
# CUPS print queue which it discovers on remote machines in the local
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
# want cups-browsed to do this. For example you can set cups-browsed
# to only create queues for IPP network printers setting
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
# to "No".
# CreateRemoteCUPSPrinterQueues No
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
# network printers (native printers, not CUPS queues) with known page
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
# 5c/e) in the local network and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
# discover IPP Everywhere printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
# discover Apple Raster printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
# discover printers designed for driverless use (currently IPP
# Everywhere and Apple Raster) in the local network (native printers,
# not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
# queues only for local printers made available as IPP printers. These
# are for example IPP-over-USB printers, made available via
# ippusbxd. This is the default.
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
# for IPP network printers.
# If queues with PPD file are created (see IPPPrinterQueueType
# directive below) the PPDs are auto-generated by cups-browsed based
# on properties of the printer polled via IPP. In case of missing
# information, info from the Bonjour record is used asd as last mean
# default values.
# If queues without PPD (see IPPPrinterQueueType directive below) are
# created clients have to IPP-poll the capabilities of the printer and
# send option settings as standard IPP attributes. Then we do not poll
# the capabilities by ourselves to not wake up the printer from
# power-saving mode when creating the queues. Jobs have to be sent in
# one of PDF, PWG Raster, or JPEG format. Other formats are not
# accepted.
# This functionality is primarily for mobile devices running
# CUPS to not need a printer setup tool nor a collection of printer
# drivers and PPDs.
# CreateIPPPrinterQueues No
# CreateIPPPrinterQueues LocalOnly
# CreateIPPPrinterQueues Everywhere
# CreateIPPPrinterQueues AppleRaster
# CreateIPPPrinterQueues Everywhere AppleRaster
# CreateIPPPrinterQueues Driverless
# CreateIPPPrinterQueues All
# If cups-browsed is automatically creating print queues for native
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
# queue to be created can be selected by the "IPPPrinterQueueType"
# directive. The "PPD" (default) setting makes queues with PPD file
# being created. With "Interface" or "NoPPD" the queue is created with
# a System V interface script (Not supported with CUPS 2.2.x or
# later). "Auto" is for backward compatibility and also lets queues
# with PPD get created.
# IPPPrinterQueueType PPD
# IPPPrinterQueueType NoPPD
# IPPPrinterQueueType Interface
# IPPPrinterQueueType Auto
# The NewIPPPrinterQueuesShared directive determines whether a print
# queue for a newly discovered IPP network printer (not remote CUPS
# queue) will be shared to the local network or not. This is only
# valid for newly discovered printers. For printers discovered in an
# earlier cups-browsed session, cups-browsed will remember whether the
# printer was shared, so changes by the user get conserved. Default is
# not to share newly discovered IPP printers.
# NewIPPPrinterQueuesShared Yes
# If there is more than one remote CUPS printer whose local queue
# would get the same name and AutoClustering is set to "Yes" (the
# default) only one local queue is created which makes up a
# load-balancing cluster of the remote printers which would get this
# queue name (implicit class). This means that when several jobs are
# sent to this queue they get distributed between the printers, using
# the method chosen by the LoadBalancing directive.
# Note that the forming of clusters depends on the naming scheme for
# local queues created by cups-browsed. If you have set
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
# clustering as the DNS-SD service names are always unique. With
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
# named as the CUPS queues on the remote servers are named and so
# equally named queues on different servers get clustered (this is how
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
# set to "MakeModel" makes remote printers of the same model get
# clustered. Note that then a cluster can contain more than one queue
# of the same server.
# With AutoClustering set to "No", for each remote CUPS printer an
# individual local queue is created, and to avoid name clashes when
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
# "MakeModel" "@<server name>" is added to the local queue name.
# Only remote CUPS printers get clustered, not IPP network printers or
# IPP-over-USB printers.
# AutoClustering Yes
# AutoClustering No
# Load-balancing printer cluster formation can also be manually
# controlled by defining explicitly which remote CUPS printers should
# get clustered together.
# This is done by the "Cluster" directive:
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
# Cluster <QUEUENAME>
# If no expressions are given, <QUEUENAME> is used as the first and
# only expression for this cluster.
# Discovered printers are matched against all the expressions of all
# defined clusters. The first expression which matches the discovered
# printer determines to which cluster it belongs. Note that this way a
# printer can only belong to one cluster. Once matched, further
# cluster definitions will not checked any more.
# With the first printer matching a cluster's expression a local queue
# with the name <QUEUENAME> is created. If more printers are
# discovered and match this cluster, they join the cluster. Printing
# to this queue prints to all these printers in a load-balancing
# manner, according to to the setting of the LoadBalancing directive.
# Each expression must be a string of characters without spaces. If
# spaces are needed, replace them by underscores ('_').
# An expression can be matched in three ways:
# 1. By the name of the CUPS queue on the remote server
# 2. By make and model name of the remote printer
# 3. By the DNS-SD service name of the remote printer
# Note that the matching is done case-insensitively and any group of
# non-alphanumerical characters is replaced by a single underscore.
# So if an expression is "HP_DeskJet_2540" and the remote server
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
# If "AutoClustering" is not set to "No" both your manual cluster
# definitions will be followed and automatic clustering of
# equally-named remote queues will be performed. If a printer matches
# in both categories the match to the manually defined cluster has
# priority. Automatic clustering of equally-named remote printers is
# not performed if there is a manually defined cluster with this name
# (at least as the printers do not match this cluster).
# Examples:
# To cluster all remote CUPS queues named "laserprinter" in your local
# network but not cluster any other equally-named remote CUPS printers
# use (Local queue will get named "laserprinter"):
# AutoClustering No
# Cluster laserprinter
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
# local queue named "LJ4050":
# Cluster LJ4050: HP_LaserJet_4050
# As DNS-SD service names are unique in a network you can create a
# cluster from exactly specified printers (spaces replaced by
# underscors):
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
# The LoadBalancing directive switches between two methods of handling
# load balancing between equally-named remote queues which are
# represented by one local print queue making up a cluster of them
# (implicit class).
# The two methods are:
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
# Here we queue up the jobs on the client and regularly check the
# clustered remote print queues. If we find an idle queue, we pass
# on a job to it.
# This is also the method which CUPS uses for classes. Advantage is a
# more even distribution of the job workload on the servers
# (especially if the printing speed of the servers is very different),
# and if a server fails, there are not several jobs stuck or
# lost. Disadvantage is that if one takes the client (laptop, mobile
# phone, ...) out of the local network, printing stops with the jobs
# waiting in the local queue.
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
# Here we check the number of jobs on each of the clustered remote
# printers and send an incoming job immediately to the remote printer
# with the lowest amount of jobs in its queue. This way no jobs queue
# up locally, all jobs which are waiting are waiting on one of the
# remote servers.
# Not having jobs waiting locally has the advantage that we can take
# the local machine from the network and all jobs get printed.
# Disadvantage is that if a server with a full queue of jobs goes
# away, the jobs go away, too.
# Default is queuing the jobs on the client as this is what CUPS does
# with classes.
# LoadBalancing QueueOnClient
# LoadBalancing QueueOnServers
# With the DefaultOptions directive one or more option settings can be
# defined to be applied to every print queue newly created by
# cups-browsed. Each option is supplied as one supplies options with
# the "-o" command line argument to the "lpadmin" command (Run "man
# lpadmin" for more details). More than one option can be supplied
# separating the options by spaces. By default no option settings are
# pre-defined.
# Note that print queues which cups-browsed already created before
# remember their previous settings and so these settings do not get
# applied.
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
# The AutoShutdown directive specifies whether cups-browsed should
# automatically terminate when it has no local raw queues set up
# pointing to any discovered remote printers or no jobs on such queues
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
# to "On" activates the auto-shutdown mode, setting it to "Off"
# deactiivates it (the default). The special mode "avahi" turns auto
# shutdown off while avahi-daemon is running and on when avahi-daemon
# stops. This allows running cups-browsed on-demand when avahi-daemon
# is run on-demand.
# AutoShutdown Off
# AutoShutdown On
# AutoShutdown avahi
# The AutoShutdownOn directive determines what event cups-browsed
# considers as inactivity in auto shutdown mode. "NoQueues" (the
# default) means that auto shutdown is initiated when there are no
# queues for discovered remote printers generated by cups-browsed any
# more. "NoJobs" means that all queues generated by cups-browsed are
# without jobs.
# AutoShutdownOn NoQueues
# AutoShutdownOn NoJobs
# The AutoShutdownTimeout directive specifies after how many seconds
# without local raw queues set up pointing to any discovered remote
# printers or jobs on these queues cups-browsed should actually shut
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
# shutdown.
# AutoShutdownTimeout 30
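Review bot: `BrowseRemoteProtocols CUPS` at L2130 enables legacy CUPS browsing while every `BrowseAllow`/`BrowseDeny`/`BrowseOrder` line (L2171–L2182) stays commented out, and the file's own text at L2170 says that with no Browse... lines at all, all servers are accepted — so cups-browsed will create a local queue for any host on the LAN that broadcasts a shared printer, not only the intended print server. Since queues created by cups-browsed are permanent CUPS queues (L2335), that also means jobs can end up routed to whichever host advertised first, so the allow list the comments at L2140–L2146 describe for restricting to trusted servers should actually be set, e.g. `BrowseOrder Allow,Deny` followed by `BrowseAllow <PRINT-SERVER-ADDRESS>` (placeholder; derive it from the inventory group the role already uses for the server). As a point of style, the template is ~540 lines of upstream default comments around a single active directive, and the same block is repeated verbatim in the second template starting at L2647; keeping only the directives the role sets (with a short comment per directive) would make the intended delta reviewable. The second cups-browsed template's section runs past the end of this view, so it is not reviewed here.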


@ -0,0 +1,747 @@
# {{ ansible_managed }}
# All configuration options described here can also be supplied on the
# command line of cups-browsed via the "-o" option. In case of
# contradicting settings the setting defined in the configuration file
# will get used.
# Unknown directives are ignored, also unknown values.
# Where should cups-browsed save information about the print queues it had
# generated when shutting down, like whether one of these queues was the
# default printer, or default option settings of the queues?
# CacheDir /var/cache/cups
# Where should cups-browsed create its debug log file (if "DebugLogging file"
# is set)?
# LogDir /var/log/cups
# How should debug logging be done? Into the file
# /var/log/cups/cups-browsed_log ('file'), to stderr ('stderr'), or
# not at all ('none')?
# Note that if cups-browsed is running as a system service (for
# example via systemd) logging to stderr makes the log output going to
# the journal or syslog. Only if you run cups-browsed from the command
# line (for development or debugging) it will actually appear on
# stderr.
# DebugLogging file
# DebugLogging stderr
# DebugLogging file stderr
# DebugLogging none
# Which protocols will we use to discover printers on the network?
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
#BrowseRemoteProtocols dnssd cups
BrowseRemoteProtocols none
# Which protocols will we use to broadcast shared local printers to the network?
# Can use DNSSD and/or CUPS, or 'none' for neither.
# Only CUPS is actually supported, as DNSSD is done by CUPS itself (we ignore
# DNSSD in this directive).
# BrowseLocalProtocols none
BrowseLocalProtocols CUPS
# Settings of this directive apply to both BrowseRemoteProtocols and
# BrowseLocalProtocols.
# Can use DNSSD and/or CUPS and/or LDAP, or 'none' for neither.
# BrowseProtocols none
# Only browse remote printers (via DNS-SD or CUPS browsing) from
# selected servers using the "BrowseAllow", "BrowseDeny", and
# "BrowseOrder" directives
# This serves for restricting the choice of printers in print dialogs
# to trusted servers or to reduce the number of listed printers in the
# print dialogs to a more user-friendly amount in large networks with
# very many shared printers.
# This only filters the selection of remote printers for which
# cups-browsed creates local queues. If the print dialog uses other
# mechanisms to list remote printers as for example direct DNS-SD
# access, cups-browsed has no influence. cups-browsed also does not
# prevent the user from manually accessing non-listed printers.
# "BrowseAllow": Accept printers from these hosts or networks. If
# there are only "BrowseAllow" lines and no "BrowseOrder" and/or
# "BrowseDeny" lines, only servers matching at last one "BrowseAllow"
# line are accepted.
# "BrowseDeny": Deny printers from these hosts or networks. If there
# are only "BrowseDeny" lines and no "BrowseOrder" and/or
# "BrowseAllow" lines, all servers NOT matching any of the
# "BrowseDeny" lines are accepted.
# "BrowseOrder": Determine the order in which "BrowseAllow" and
# "BrowseDeny" lines are applied. With "BrowseOrder Deny,Allow" in the
# beginning all servers are accepted, then the "BrowseDeny" lines are
# applied to exclude unwished servers or networks and after that the
# "BrowseAllow" lines to re-include servers or networks. With
# "BrowseOrder Allow,Deny" we start with denying all servers, then
# applying the "BrowseAllow" lines and afterwards the "BrowseDeny"
# lines.
# Default for "BrowseOrder" is "Deny.Allow" if there are both
# "BrowseAllow" and "BrowseDeny" lines.
# If there are no "Browse..." lines at all, all servers are accepted.
# BrowseAllow All
# BrowseAllow cups.example.com
# BrowseAllow 192.168.1.12
# BrowseAllow 192.168.1.0/24
# BrowseAllow 192.168.1.0/255.255.255.0
# BrowseDeny All
# BrowseDeny printserver.example.com
# BrowseDeny 192.168.1.13
# BrowseDeny 192.168.3.0/24
# BrowseDeny 192.168.3.0/255.255.255.0
# BrowseOrder Deny,Allow
# BrowseOrder Allow,Deny
# The interval between browsing/broadcasting cycles, local and/or
# remote, can be adjusted with the BrowseInterval directive.
# BrowseInterval 60
# Browsing-related operations such as adding or removing printer queues
# and broadcasting are each allowed to take up to a given amount of time.
# It can be configured, in seconds, with the BrowseTimeout directive.
# Especially queues discovered by CUPS broadcasts will be removed after
# this timeout if no further broadcast from the server happens.
# BrowseTimeout 300
# Filtering of remote printers by other properties than IP addresses
# of their servers
# Often the desired selection of printers cannot be reached by only
# taking into account the IP addresses of the servers. For these cases
# there is the BrowseFilter directive to filter by most of the known
# properties of the printer.
# By default there is no BrowseFilter line meaning that no filtering
# is applied.
# To do filtering one can supply one or more BrowseFilter directives
# like this:
# BrowseFilter [NOT] [EXACT] <FIELD> [<VALUE>]
# The BrowseFilter directive always starts with the word
# "BrowseFilter" and it must at least contain the name of the data
# field (<FIELD>) of the printer's properties to which it should
# apply.
# Available field names are:
# name: Name of the local print queue to be created
# host: Host name of the remote print server
# port: Port through which the printer is accessed on the server
# service: DNS/SD service name of the remote printer
# domain: Domain of the remote print server
# Also all field names in the TXT records of DNS-SD-advertised printers
# are valid, like "color", "duplex", "pdl", ... If the field name of
# the filter rule does not exist for the printer, the rule is skipped.
# The optional <VALUE> field is either the exact value (when the
# option EXACT is supplied) or a regular expression (Run "man 7 regex"
# in a terminal window) to be matched with the data field.
# If no <VALUE> filed is supplied, rules with field names of the TXT
# record are considered for boolean matching (true/false) of boolean
# field (like duplex, which can have the values "T" for true and "F"
# for false).
# If the option NOT is supplied, the filter rule is fulfilled if the
# regular expression or the exact value DOES NOT match the content of
# the data field. In a boolean rule (without <VALUE>) the rule matches
# false.
# Regular expressions are always considered case-insensitive and
# extended POSIX regular expressions. Field names and options (NOT,
# EXACT) are all evaluated case-insensitive. If there is an error in a
# regular expression, the BrowseFilter line gets ignored.
# Especially to note is that supplying any simple string consisting of
# only letters, numbers, spaces, and some basic special characters as
# a regular expression matches if it is contained somewhere in the
# data field.
# If there is more than one BrowseFilter directive, ALL the directives
# need to be fulfilled for the remote printer to be accepted. If one
# is not fulfilled, the printer will get ignored.
# Examples:
# Rules for standard data items which are supplied with any remote
# printer advertised via DNS-SD:
# Print queue name must contain "hum_res_", this matches
# "hum_res_mono" or "hum_res_color" but also "old_hum_res_mono":
# BrowseFilter name hum_res_
# This matches if the remote host name contains "printserver", like
# "printserver.local", "printserver2.example.com", "newprintserver":
# BrowseFilter host printserver
# This matches all ports with 631 int its number, for example 631,
# 8631, 10631,...:
# BrowseFilter port 631
# This rule matches if the DNS-SD service name contains "@ printserver":
# Browsefilter service @ printserver
# Matches all domains with "local" in their names, not only "local" but
# also things like "printlocally.com":
# BrowseFilter domain local
# Examples for rules applying to items of the TXT record:
# This rule selects PostScript printers, as the "PDL" field in the TXT
# record contains "postscript" then. This includes also remote CUPS
# queues which accept PostScript, independent of whether the physical
# printer behind the CUPS queue accepts PostScript or not.
# BrowseFilter pdl postscript
# Color printers usually contain a "Color" entry set to "T" (for true)
# in the TXT record. This rule selects them:
# BrowseFilter color
# This is a similar rule to select only duplex (automatic double-sided
# printing) printers:
# BrowseFilter duplex
# Rules with the NOT option:
# This rule EXCLUDES printers from all hosts containing "financial" in
# their names, nice to get rid of the 100s of printers of the
# financial department:
# BrowseFilter NOT host financial
# Get only monochrome printers ("Color" set to "F", meaning false, in
# the TXT record):
# BrowseFilter NOT color
# Rules with more advanced use of regular expressions:
# Only queue names which BEGIN WITH "hum_res_" are accepted now, so we
# still get "hum_res_mono" or "hum_res_color" but not
# "old_hum_res_mono" any more:
# BrowseFilter name ^hum_res_
# Server names is accepted if it contains "print_server" OR
# "graphics_dep_server":
# BrowseFilter host print_server|graphics_dep_server
# "printserver1", "printserver2", and "printserver3", nothing else:
# BrowseFilter host ^printserver[1-3]$
# Printers understanding at least one of PostScript, PCL, or PDF:
# BrowseFilter pdl postscript|pcl|pdf
# Examples for the EXACT option:
# Only printers from "printserver.local" are accepted:
# BrowseFilter EXACT host printserver.local
# Printers from all servers except "prinserver2.local" are accepted:
# BrowseFilter NOT EXACT host prinserver2.local
# Use BrowsePoll to poll a particular CUPS server
# BrowsePoll cups.example.com
# BrowsePoll cups.example.com:631
# BrowsePoll cups.example.com:631/version=1.1
# LDAP browsing configuration
# The default value for all options is an empty string. Example configuration:
# BrowseLDAPBindDN cn=cups-browsed,dc=domain,dc=tld
# BrowseLDAPCACertFile /path/to/server/certificate.pem
# BrowseLDAPDN ou=printers,dc=domain,dc=tld
# BrowseLDAPFilter (printerLocation=/Office 1/*)
# BrowseLDAPPassword s3cret
# BrowseLDAPServer ldaps://ldap.domain.tld
# Use DomainSocket to access the local CUPS daemon via another than the
# default domain socket. "None" or "Off" lets cups-browsed not use CUPS'
# domain socket.
# DomainSocket /var/run/cups/cups.sock
# DomainSocket None
# DomainSocket Off
# Set HTTP timeout (in seconds) for requests sent to local/remote
# resources Note that too short timeouts can make services getting
# missed when they are present and operations be unneccessarily
# repeated and too long timeouts can make operations take too long
# when the server does not respond.
# HttpLocalTimeout 5
# HttpRemoteTimeout 10
# Set how many retries (N) should cups-browsed do for creating print
# queues for remote printers which receive timeouts during print queue
# creation. The printers which are not successfuly set up even after
# N retries, are skipped until the next restart of the service. Note
# that too many retries can cause high CPU load.
# HttpMaxRetries 5
# Set OnlyUnsupportedByCUPS to "Yes" will make cups-browsed not create
# local queues for remote printers for which CUPS creates queues by
# itself. These printers are printers advertised via DNS-SD and doing
# CUPS-supported (currently PWG Raster and Apple Raster) driverless
# printing, including remote CUPS queues. Queues for other printers
# (like for legacy PostScript/PCL printers) are always created
# (depending on the other configuration settings of cups-browsed).
# With OnlyUnsupportedByCUPS set to "No", cups-browsed creates queues
# for all printers which it supports, including printers for which
# CUPS would create queues by itself. Temporary queues created by CUPS
# will get overwritten. This way it is assured that any extra
# functionality of cups-browsed will apply to these queues. As queues
# created by cups-browsed are permanent CUPS queues this setting is
# also recommended if applications/print dialogs which do not support
# temporary CUPS queues are installed. This setting is the default.
# OnlyUnsupportedByCUPS Yes
# With UseCUPSGeneratedPPDs set to "Yes" cups-browsed creates queues
# for IPP printers with PPDs generated by the PPD generator of CUPS
# and not with the one of cups-browsed. So any new development in
# CUPS' PPD generator gets available. As CUPS' PPD generator is not
# directly accessible, we need to make CUPS generate a temporary print
# queue with the desired PPD. Therefore we can only use these PPDs
# when our queue replaces a temporary CUPS queue, meaning that the
# queue is for a printer on which CUPS supports driverless printing
# (IPP 2.x, PDLs: PDF, PWG Raster, and/or Apple Raster) and that its
# name is the same as CUPS uses for the temporary queue
# ("LocalQueueNamingIPPPrinter DNS-SD" must be set). The directive
# applies only to IPP printers, not to remote CUPS queues, to not
# break clustering. Setting this directive to "No" lets cups-browsed
# generate the PPD file. Default setting is "No".
# UseCUPSGeneratedPPDs No
# With the directives LocalQueueNamingRemoteCUPS and
# LocalQueueNamingIPPPrinter you can determine how the names for local
# queues generated by cups-browsed are generated, separately for
# remote CUPS printers and IPP printers.
# DNS-SD (the default in both cases) bases the naming on the service
# name of the printer's advertised DNS-SD record. This is exactly the
# same naming scheme as CUPS uses for its temporary queues, so the
# local queue from cups-browsed prevents CUPS from listing and
# creating an additional queue. As DNS-SD service names have to be
# unique, queue names of printers from different servers will also be
# unique and so there is no automatic clustering for load-balanced
# printing.
# MakeModel bases the queue name on the printer's manufacturer and
# model names. This scheme cups-browsed used formerly for IPP
# printers.
# RemoteName is only available for remote CUPS queues and uses the
# name of the queue on the remote CUPS server as the local queue's
# name. This makes printers on different CUPS servers with equal queue
# names automatically forming a load-balancing cluster as CUPS did
# formerly (CUPS 1.5.x and older) with CUPS-broadcasted remote
# printers. This scheme cups-browsed used formerly for remote CUPS
# printers.
# LocalQueueNamingRemoteCUPS DNS-SD
# LocalQueueNamingRemoteCUPS MakeModel
# LocalQueueNamingRemoteCUPS RemoteName
# LocalQueueNamingIPPPrinter DNS-SD
# LocalQueueNamingIPPPrinter MakeModel
# Set DNSSDBasedDeviceURIs to "Yes" if cups-browsed should use
# DNS-SD-service-name-based device URIs for its local queues, as CUPS
# also does. These queues use the DNS-SD service name of the
# discovered printer. With this the URI is independent of network
# interfaces and ports, giving reliable connections to always the same
# physical device. This setting is the default.
# Set DNSSDBasedDeviceURIs to "No" if cups-browsed should use the
# conventional host-name/IP-based URIs.
# Note that this option has only influence on URIs for printers
# discovered via DNS-SD, not via legacy CUPS broewsing or LDAP.
# Those printers get always assigned the conventional URIs.
# DNSSDBasedDeviceURIs Yes
# Set IPBasedDeviceURIs to "Yes" if cups-browsed should create its
# local queues with device URIs with the IP addresses instead of the
# host names of the remote servers. This mode is there for any
# problems with host name resolution in the network, especially also
# if avahi-daemon is only run for printer discovery and already
# stopped while still printing. By default this mode is turned off,
# meaning that we use URIs with host names.
# Note that the IP addresses depend on the network interface through
# which the printer is accessed. So do not use IP-based URIs on systems
# with many network interfaces and where interfaces can appear and
# disappear frequently.
# This mode could also be useful for development and debugging.
# If you prefer IPv4 or IPv6 IP addresses in the URIs, you can set
# IPBasedDeviceURIs to "IPv4" to only get IPv4 IP addresses or
# IPBasedDeviceURIs to "IPv6" to only get IPv6 IP addresses.
# IPBasedDeviceURIs No
# IPBasedDeviceURIs Yes
# IPBasedDeviceURIs IPv4
# IPBasedDeviceURIs IPv6
# The AllowResharingRemoteCUPSPrinters directive determines whether a
# print queue pointing to a remote CUPS queue will be re-shared to the
# local network or not. Since the queues generated using the BrowsePoll
# directive are also pointing to remote queues, they are also shared
# automatically if the following option is set. Default is not to share
# remote printers.
# AllowResharingRemoteCUPSPrinters Yes
# The NewBrowsePollQueuesShared directive determines whether a print
# queue for a newly discovered printer (discovered by the BrowsePoll directive)
# will be shared to the local network or not. This directive will only work
# if AllowResharingRemoteCUPSPrinters is set to yes. Default is
# not to share printers discovered using BrowsePoll.
# NewBrowsePollQueuesShared Yes
# Set CreateRemoteRawPrinterQueues to "Yes" to let cups-browsed also
# create local queues pointing to remote raw CUPS queues. Normally,
# only queues pointing to remote queues with PPD/driver are created
# as we do not use drivers on the client side, but in some cases
# accessing a remote raw queue can make sense, for example if the
# queue forwards the jobs by a special backend like Tea4CUPS.
# CreateRemoteRawPrinterQueues Yes
# cups-browsed by default creates local print queues for each shared
# CUPS print queue which it discovers on remote machines in the local
# network(s). Set CreateRemoteCUPSPrinterQueues to "No" if you do not
# want cups-browsed to do this. For example you can set cups-browsed
# to only create queues for IPP network printers setting
# CreateIPPPrinterQueues not to "No" and CreateRemoteCUPSPrinterQueues
# to "No".
# CreateRemoteCUPSPrinterQueues No
# Set CreateIPPPrinterQueues to "All" to let cups-browsed discover IPP
# network printers (native printers, not CUPS queues) with known page
# description languages (PWG Raster, PDF, PostScript, PCL XL, PCL
# 5c/e) in the local network and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Everywhere" to let cups-browsed
# discover IPP Everywhere printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "AppleRaster" to let cups-browsed
# discover Apple Raster printers in the local network (native
# printers, not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "Driverless" to let cups-browsed
# discover printers designed for driverless use (currently IPP
# Everywhere and Apple Raster) in the local network (native printers,
# not CUPS queues) and auto-create print queues for them.
# Set CreateIPPPrinterQueues to "LocalOnly" to auto-create print
# queues only for local printers made available as IPP printers. These
# are for example IPP-over-USB printers, made available via
# ippusbxd. This is the default.
# Set CreateIPPPrinterQueues to "No" to not auto-create print queues
# for IPP network printers.
# If queues with PPD file are created (see IPPPrinterQueueType
# directive below) the PPDs are auto-generated by cups-browsed based
# on properties of the printer polled via IPP. In case of missing
# information, info from the Bonjour record is used asd as last mean
# default values.
# If queues without PPD (see IPPPrinterQueueType directive below) are
# created clients have to IPP-poll the capabilities of the printer and
# send option settings as standard IPP attributes. Then we do not poll
# the capabilities by ourselves to not wake up the printer from
# power-saving mode when creating the queues. Jobs have to be sent in
# one of PDF, PWG Raster, or JPEG format. Other formats are not
# accepted.
# This functionality is primarily for mobile devices running
# CUPS to not need a printer setup tool nor a collection of printer
# drivers and PPDs.
# CreateIPPPrinterQueues No
# CreateIPPPrinterQueues LocalOnly
# CreateIPPPrinterQueues Everywhere
# CreateIPPPrinterQueues AppleRaster
# CreateIPPPrinterQueues Everywhere AppleRaster
# CreateIPPPrinterQueues Driverless
# CreateIPPPrinterQueues All
# If cups-browsed is automatically creating print queues for native
# IPP network printers ("CreateIPPPrinterQueues Yes"), the type of
# queue to be created can be selected by the "IPPPrinterQueueType"
# directive. The "PPD" (default) setting makes queues with PPD file
# being created. With "Interface" or "NoPPD" the queue is created with
# a System V interface script (Not supported with CUPS 2.2.x or
# later). "Auto" is for backward compatibility and also lets queues
# with PPD get created.
# IPPPrinterQueueType PPD
# IPPPrinterQueueType NoPPD
# IPPPrinterQueueType Interface
# IPPPrinterQueueType Auto
# The NewIPPPrinterQueuesShared directive determines whether a print
# queue for a newly discovered IPP network printer (not remote CUPS
# queue) will be shared to the local network or not. This is only
# valid for newly discovered printers. For printers discovered in an
# earlier cups-browsed session, cups-browsed will remember whether the
# printer was shared, so changes by the user get conserved. Default is
# not to share newly discovered IPP printers.
# NewIPPPrinterQueuesShared Yes
# If there is more than one remote CUPS printer whose local queue
# would get the same name and AutoClustering is set to "Yes" (the
# default) only one local queue is created which makes up a
# load-balancing cluster of the remote printers which would get this
# queue name (implicit class). This means that when several jobs are
# sent to this queue they get distributed between the printers, using
# the method chosen by the LoadBalancing directive.
# Note that the forming of clusters depends on the naming scheme for
# local queues created by cups-browsed. If you have set
# LocalQueueNamingRemoteCUPS to "DNSSD" you will not get automatic
# clustering as the DNS-SD service names are always unique. With
# LocalQueueNamingRemoteCUPS set to "RemoteName" local queues are
# named as the CUPS queues on the remote servers are named and so
# equally named queues on different servers get clustered (this is how
# CUPS did it in version 1.5.x or older). LocalQueueNamingRemoteCUPS
# set to "MakeModel" makes remote printers of the same model get
# clustered. Note that then a cluster can contain more than one queue
# of the same server.
# With AutoClustering set to "No", for each remote CUPS printer an
# individual local queue is created, and to avoid name clashes when
# using the LocalQueueNamingRemoteCUPS settings "RemoteName" or
# "MakeModel" "@<server name>" is added to the local queue name.
# Only remote CUPS printers get clustered, not IPP network printers or
# IPP-over-USB printers.
# AutoClustering Yes
# AutoClustering No
# Load-balancing printer cluster formation can also be manually
# controlled by defining explicitly which remote CUPS printers should
# get clustered together.
# This is done by the "Cluster" directive:
# Cluster <QUEUENAME>: <EXPRESSION1> <EXPRESSION2> ...
# Cluster <QUEUENAME>
# If no expressions are given, <QUEUENAME> is used as the first and
# only expression for this cluster.
# Discovered printers are matched against all the expressions of all
# defined clusters. The first expression which matches the discovered
# printer determines to which cluster it belongs. Note that this way a
# printer can only belong to one cluster. Once matched, further
# cluster definitions will not checked any more.
# With the first printer matching a cluster's expression a local queue
# with the name <QUEUENAME> is created. If more printers are
# discovered and match this cluster, they join the cluster. Printing
# to this queue prints to all these printers in a load-balancing
# manner, according to to the setting of the LoadBalancing directive.
# Each expression must be a string of characters without spaces. If
# spaces are needed, replace them by underscores ('_').
# An expression can be matched in three ways:
# 1. By the name of the CUPS queue on the remote server
# 2. By make and model name of the remote printer
# 3. By the DNS-SD service name of the remote printer
# Note that the matching is done case-insensitively and any group of
# non-alphanumerical characters is replaced by a single underscore.
# So if an expression is "HP_DeskJet_2540" and the remote server
# reports "hp Deskjet-2540" the printer gets matched to this cluster.
# If "AutoClustering" is not set to "No" both your manual cluster
# definitions will be followed and automatic clustering of
# equally-named remote queues will be performed. If a printer matches
# in both categories the match to the manually defined cluster has
# priority. Automatic clustering of equally-named remote printers is
# not performed if there is a manually defined cluster with this name
# (at least as the printers do not match this cluster).
# Examples:
# To cluster all remote CUPS queues named "laserprinter" in your local
# network but not cluster any other equally-named remote CUPS printers
# use (Local queue will get named "laserprinter"):
# AutoClustering No
# Cluster laserprinter
# To cluster all remote CUPS queues of HP LaserJet 4050 printers in a
# local queue named "LJ4050":
# Cluster LJ4050: HP_LaserJet_4050
# As DNS-SD service names are unique in a network you can create a
# cluster from exactly specified printers (spaces replaced by
# underscors):
# Cluster hrdep: oldlaser_@_hr-server1 newlaser_@_hr-server2
# The LoadBalancing directive switches between two methods of handling
# load balancing between equally-named remote queues which are
# represented by one local print queue making up a cluster of them
# (implicit class).
# The two methods are:
# Queuing of jobs on the client (LoadBalancing QueueOnClient):
# Here we queue up the jobs on the client and regularly check the
# clustered remote print queues. If we find an idle queue, we pass
# on a job to it.
# This is also the method which CUPS uses for classes. Advantage is a
# more even distribution of the job workload on the servers
# (especially if the printing speed of the servers is very different),
# and if a server fails, there are not several jobs stuck or
# lost. Disadvantage is that if one takes the client (laptop, mobile
# phone, ...) out of the local network, printing stops with the jobs
# waiting in the local queue.
# Queuing of jobs on the servers (LoadBalancing QueueOnServers):
# Here we check the number of jobs on each of the clustered remote
# printers and send an incoming job immediately to the remote printer
# with the lowest amount of jobs in its queue. This way no jobs queue
# up locally, all jobs which are waiting are waiting on one of the
# remote servers.
# Not having jobs waiting locally has the advantage that we can take
# the local machine from the network and all jobs get printed.
# Disadvantage is that if a server with a full queue of jobs goes
# away, the jobs go away, too.
# Default is queuing the jobs on the client as this is what CUPS does
# with classes.
# LoadBalancing QueueOnClient
# LoadBalancing QueueOnServers
# With the DefaultOptions directive one or more option settings can be
# defined to be applied to every print queue newly created by
# cups-browsed. Each option is supplied as one supplies options with
# the "-o" command line argument to the "lpadmin" command (Run "man
# lpadmin" for more details). More than one option can be supplied
# separating the options by spaces. By default no option settings are
# pre-defined.
# Note that print queues which cups-browsed already created before
# remember their previous settings and so these settings do not get
# applied.
# DefaultOptions Option1=Value1 Option2=Value2 Option3 noOption4
# The AutoShutdown directive specifies whether cups-browsed should
# automatically terminate when it has no local raw queues set up
# pointing to any discovered remote printers or no jobs on such queues
# depending on AutoShutdownOn setting (auto shutdown mode). Setting it
# to "On" activates the auto-shutdown mode, setting it to "Off"
# deactiivates it (the default). The special mode "avahi" turns auto
# shutdown off while avahi-daemon is running and on when avahi-daemon
# stops. This allows running cups-browsed on-demand when avahi-daemon
# is run on-demand.
# AutoShutdown Off
# AutoShutdown On
# AutoShutdown avahi
# The AutoShutdownOn directive determines what event cups-browsed
# considers as inactivity in auto shutdown mode. "NoQueues" (the
# default) means that auto shutdown is initiated when there are no
# queues for discovered remote printers generated by cups-browsed any
# more. "NoJobs" means that all queues generated by cups-browsed are
# without jobs.
# AutoShutdownOn NoQueues
# AutoShutdownOn NoJobs
# The AutoShutdownTimeout directive specifies after how many seconds
# without local raw queues set up pointing to any discovered remote
# printers or jobs on these queues cups-browsed should actually shut
# down in auto shutdown mode. Default is 30 seconds, 0 means immediate
# shutdown.
# AutoShutdownTimeout 30
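Review bot: `BrowseRemoteProtocols none` and `BrowseLocalProtocols CUPS` are the only two active directives in this template and neither says why the defaults were changed, so a reader has to reconstruct the intended role from the surrounding vendor comments. The pair reads as a print-server profile (no discovery of remote queues, legacy CUPS-protocol broadcast of shared local queues), which presumably goes together with `Browsing Off` in the cupsd.conf template further down in this commit — worth confirming and stating. I would put `# Print server profile: do not discover remote queues; announce shared local queues via legacy CUPS browsing (cupsd's own Browsing is turned off in cupsd.conf).` directly above the two lines. Since the template only uses `{{ ansible_managed }}`, these two values are also the natural candidates for role variables if client hosts are meant to render the same file with discovery enabled.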


@ -0,0 +1,95 @@
# {{ ansible_managed }}
#
# File/directory/user/group configuration file for the CUPS scheduler.
# See "man cups-files.conf" for a complete description of this file.
#
# List of events that are considered fatal errors for the scheduler...
#FatalErrors config
# Do we call fsync() after writing configuration or status files?
#SyncOnClose Yes
# Default user and group for filters/backends/helper programs; this cannot be
# any user or group that resolves to ID 0 for security reasons...
#User lp
#Group lp
# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
# This cannot contain the Group value for security reasons...
SystemGroup lpadmin
# User that is substituted for unauthenticated (remote) root accesses...
#RemoteRoot remroot
# Do we allow file: device URIs other than to /dev/null?
#FileDevice No
# Permissions for configuration and log files...
#ConfigFilePerm 0640
#LogFilePerm 00640
# Location of the file logging all access to the scheduler; may be the name
# "syslog". If not an absolute path, the value of ServerRoot is used as the
# root directory. Also see the "AccessLogLevel" directive in cupsd.conf.
AccessLog /var/log/cups/access_log
# Location of cache files used by the scheduler...
#CacheDir /var/cache/cups
# Location of data files used by the scheduler...
#DataDir /usr/share/cups
# Location of the static web content served by the scheduler...
#DocumentRoot /usr/share/cups/doc-root
# Location of the file logging all messages produced by the scheduler and any
# helper programs; may be the name "syslog". If not an absolute path, the value
# of ServerRoot is used as the root directory. Also see the "LogLevel"
# directive in cupsd.conf.
ErrorLog /var/log/cups/error_log
# Location of fonts used by older print filters...
#FontPath /usr/share/cups/fonts
# Location of LPD configuration
#LPDConfigFile
# Location of the file logging all pages printed by the scheduler and any
# helper programs; may be the name "syslog". If not an absolute path, the value
# of ServerRoot is used as the root directory. Also see the "PageLogFormat"
# directive in cupsd.conf.
PageLog /var/log/cups/page_log
# Location of the file listing all of the local printers...
#Printcap /run/cups/printcap
# Format of the Printcap file...
#PrintcapFormat bsd
#PrintcapFormat plist
#PrintcapFormat solaris
# Location of all spool files...
#RequestRoot /var/spool/cups
# Location of helper programs...
#ServerBin /usr/lib/cups
# SSL/TLS keychain for the scheduler...
#ServerKeychain ssl
# Location of other configuration files...
#ServerRoot /etc/cups
# Location of Samba configuration file...
#SMBConfigFile
# Location of scheduler state files...
#StateDir /run/cups
# Location of scheduler/helper temporary files. This directory is emptied on
# scheduler startup and cannot be one of the standard (public) temporary
# directory locations for security reasons...
#TempDir /var/spool/cups/tmp
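Review bot: `SystemGroup lpadmin` is the only uncommented access-control directive in this template and it carries no note on what membership implies. It is the group that `Require user @SYSTEM` in the cupsd.conf template (visible further down in this commit) resolves to, so members can change scheduler configuration through the `/admin/conf` and `/admin/log` locations; that is worth stating next to the line rather than leaving it to the vendor comment about Group. I would add above it `# Members of lpadmin authenticate as @SYSTEM (cupsd.conf "Require user @SYSTEM") and can edit scheduler configuration; keep membership minimal.` The remaining lines restate packaged defaults as comments, so this is the one place a reader needs guidance.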


@ -0,0 +1,307 @@
# {{ ansible_managed }}
#
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Only listen for connections from the local machine.
#Listen localhost:631
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
ServerAlias *
HostNameLookups Off
## - Show shared printers on the local network.
Browsing Off
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to the admin pages...
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to log files...
<Location /admin/log>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the kerberized printer/job policies...
<Policy kerberos>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Negotiate
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
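Review bot: `DefaultAuthType Basic` is combined with `Port 631` on all interfaces and `Allow` rules for every RFC 1918 range on `<Location /admin>`, `/admin/conf` and `/admin/log`, but nothing forces TLS, so the `@SYSTEM` (root/lpadmin) passwords that the admin operations require travel across the LAN as cleartext HTTP Basic credentials. Add `Encryption Required` inside `<Location /admin>` (or `DefaultEncryption Required` at the top level) so cupsd redirects the admin pages to HTTPS before it asks for credentials. `Allow 172.16.0.0/16` only covers 172.16.0.0–172.16.255.255; the RFC 1918 block is `172.16.0.0/12`, so the mask is presumably a typo, although under-matching an allow list is at least fail-safe. The same five `Allow` lines are repeated in every Location and Limit; `@LOCAL` already matches hosts on the server's own subnets, so the explicit ranges only matter for routed traffic and could be factored into a single templated list.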


@ -0,0 +1,307 @@
# {{ ansible_managed }}
#
# Configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat
# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0
# Only listen for connections from the local machine.
#Listen localhost:631
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
ServerAlias *
HostNameLookups Off
# - Show shared printers on the local network.
Browsing On
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# Restrict access to the server...
<Location />
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to the admin pages...
<Location /admin>
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Restrict access to log files...
<Location /admin/log>
AuthType Default
Require user @SYSTEM
# Allow remote access to the configuration files...
Order allow,deny
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
# Set the kerberized printer/job policies...
<Policy kerberos>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Negotiate
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Negotiate
Require user @OWNER @SYSTEM
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
<Limit All>
Order deny,allow
Allow @LOCAL
Allow 127.0.0.0/8
Allow 192.168.0.0/16
Allow 172.16.0.0/16
Allow 10.0.0.0/8
</Limit>
</Policy>
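Review bot: `ServerAlias *` at the top of this file disables cupsd's Host-header check, which is the scheduler's built-in protection against DNS rebinding of the web interface; together with `Port 631` on all interfaces and `WebInterface Yes`, a browser on the LAN can be steered to the admin pages from a rebinding domain. Replace the wildcard with the names this server is actually reached by, e.g. `ServerAlias {{ inventory_hostname }}` plus its FQDN (a templated list if several), so requests with any other Host header are refused. This copy differs from the sibling template only in `Browsing On`, which is the intended distinction, but it repeats the `Allow 172.16.0.0/16` mask, which should be `172.16.0.0/12` if the whole RFC 1918 range is meant.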


@ -18,7 +18,7 @@
{% set count.nfs_exports = count.nfs_exports + 10 %}
{% for network in export.export_networks %}
{% if export.fs_encrypted is defined and export.fs_encrypted is sameas true %}
{% if export.use_fsid_option is defined and export.use_fsid_option is sameas true %}
{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %}
#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }})
{% else %}


@ -0,0 +1,64 @@
# {{ ansible_managed }}
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server {{ ntp_server }}
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
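Review bot: The configuration trusts a single upstream, `server {{ ntp_server }}`, with no `key` and no `iburst`, and the pool lines are commented out, so ntpd has no way to detect a falseticking or spoofed source — the clock-selection algorithm needs three or more sources to outvote one bad one, and an unauthenticated single source can be shifted by anyone on the path. Prefer `server {{ ntp_server }} iburst` plus at least two further sources (or a templated list), and if the upstream is your own server enable symmetric-key authentication (`keys /etc/ntp.keys`, `trustedkey N`, `server … key N`) so replies are integrity-checked. `restrict 127.0.0.1` and `restrict ::1` without flags leave full `ntpq` control access to local users; that is the Debian default and is acceptable only if the host has no untrusted local accounts.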


@ -0,0 +1,384 @@
# {{ ansible_managed }}
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
; workgroup = WORKGROUP
workgroup = {{ samba_workgroup|default('WORKGROUP') }}
# Option 'netbios name' added to debian's default smb.conf
#
# This sets the NetBIOS name by which a Samba server is known. By default it
# is the same as the first component of the host's DNS name. If a machine is
# a browse server or logon server this name (or the first component of the
# hosts DNS name) will be the name that these services are advertised under.
#
# Note that the maximum length for a NetBIOS name is 15 characters.
#
# Default: netbios name = # machine DNS name
; netbios name = FILE
netbios name = {{ samba_netbios_name|default('FILE') }}
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
interfaces = {{ ansible_default_ipv4.address }}/24 127.0.0.1/8
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
hosts deny = 0.0.0.0/0
hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
#
# Notice:
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
# covered below.
#
# Default: bind interfaces only = no
bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
; log file = /var/log/samba/log.%m
log file = /var/log/samba/%I.log
# Cap the size of the individual log files (in KiB).
; max log size = 1000
max log size = 10000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Option 'log level' added to debian's default smb.conf
#
# The value of the parameter (a astring) allows the debug level (logging level) to be
# specified in the smb.conf file.
#
# This parameter has been extended since the 2.2.x series, now it allows one to specify
# the debug level for multiple debug classes. This is to give greater flexibility in
# the configuration of the system.
#
# See manpage for implemented debug classes
#
# Default: log level = 0
#
# Example: log level = 3 passdb:5 auth:10 winbind:2
log level = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Option 'ntlm auth' added to debian's default smb.conf
#
# This parameter determines whether or not smbd(8) will attempt to authenticate
# users using the NTLM encrypted password response for this local passdb (SAM
# or account database).
#
# If disabled, both NTLM and LanMan authencication against the local passdb is
# disabled.
#
# Note that these settings apply only to local users, authentication will still
# be forwarded to and NTLM authentication accepted against any domain we are
# joined to, and any trusted domain, even if disabled or if NTLMv2-only is
# enforced here. To control NTLM authentiation for domain users, this must option
# must be configured on each DC.
#
# By default with lanman auth set to no and ntlm auth set to ntlmv2-only only
# NTLMv2 logins will be permited. Most clients support NTLMv2 by default, but some
# older clients will require special configuration to use it.
#
# The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
#
# The available settings are:
#
# ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
#
# ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
#
# mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that
# it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
#
# disabled - Do not accept NTLM (or LanMan) authentication of any level, nor
# permit NTLM password changes.
#
# The default changed from yes to no with Samba 4.5. The default chagned again to
# ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
#
# Default: ntlm auth = ntlmv2-only
ntlm auth = ntlmv1-permitted
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
# Option 'username map' added to debian's default smb.conf
#
username map = /etc/samba/users.map
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
# {{ ansible_managed }}
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
{% for item in samba_shares | default([]) %}
[{{ item.name }}]
comment = {{ item.name }}
path = {{ item.path }}
browseable = yes
read only = no
writeable = Yes
create mask = {{ item.file_create_mask | default('0660') }}
force create mode = {{ item.file_create_mask | default('0660') }}
directory mask = {{ item.dir_create_mask | default('2770') }}
force directory mode = {{ item.dir_create_mask | default('2770') }}
# can login into that share
valid users = @{{ item.group_valid_users }}
# allow to write
write list = @{{ item.group_write_list }}
force group = +{{ item.group_write_list }}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
vfs objects = recycle
recycle:keeptree = yes
# touch access time from this file
# note: this is not the modified time, which is
# outdatet by ls-command
# so yo can delete files older then n day with the following command:
# find /data/samba/share/<share>/.Trash -atime +<n> -exec rm -rf {} \;
#
recycle:touch = yes
recycle:touch_mtime = no
recycle:versions = yes
recycle:directory_mode = 2770
# - Dateien gößer als 10MB werden nicht
#recycle:maxsize = 10485760 # around 10MB
# - Keine Begrenzung der Dateigröße.
recycle:maxsize = 0
recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??
recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
# - This is a list of files and directories that are neither visible nor accessible.
# - Each entry in the list must be separated by a '/', which allows spaces to be
# - included in the entry. '*' and '?' can be used to specify multiple files or
# - directories as in DOS wildcards.
# -
veto files = /.Trash/
delete veto files = yes
{% endif %}
{% endfor %}
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
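Review bot: `ntlm auth = ntlmv1-permitted` (directly under the comment block that explains why the default became `ntlmv2-only`) re-enables NTLMv1 for every local account, and NTLMv1 responses can be cracked or relayed with well-known tooling; unless a legacy client really needs it, drop the line so the default applies, and if the only consumer is MSCHAPv2 (VPN/802.1X via `ntlm_auth`) use the narrower `mschapv2-and-ntlmv2-only`. Nothing pins the minimum dialect either — `server min protocol = SMB2_02` would refuse SMB1 on Samba releases whose default is still NT1 (presumably the case for the 4.9 series; confirm against the installed version). `interfaces = {{ ansible_default_ipv4.address }}/24` hard-codes a /24 prefix that is wrong on any other subnet size and feeds `bind interfaces only = yes` and nmbd's broadcast computation; use the interface name (`{{ ansible_default_ipv4.interface }}`) or the real netmask (`{{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask }}`). Finally, `read only = no` and `writeable = Yes` in the share loop are the same parameter written twice — keep one.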


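--- /dev/null
+++ b/PATH_NOT_ON_PAGE/limits.conf
@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#<domain> <type> <item> <value>
+#
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+* - nofile 1048576
+root - nofile 1048576
+# End of file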
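Review bot: The `* - nofile 1048576` entry near the end sets both the soft and the hard limit for every non-root account, so no per-user ceiling on open descriptors remains below the system-wide table, and nothing in the file records why that value was chosen. If only particular services need the headroom, a lower hard value for `*` with a dedicated entry for the service account keeps the per-user protection, and a comment above the entry such as `# nofile raised for <service>: see <ticket or reason>` would preserve the rationale either way. The separate `root` line is required because wildcard entries do not apply to root, as the header text states.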


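--- /dev/null
+++ b/PATH_NOT_ON_PAGE/sshd_config
@@ -0,0 +1,349 @@
+# {{ ansible_managed }}
+#-----------------------------
+# Daemon
+#-----------------------------
+# What ports, IPs and protocols we listen for
+{% for item in sshd_ports %}
+Port {{ item }}
+{% endfor %}
+# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
+#
+# ListenAddress host|IPv4_addr|IPv6_addr
+# ListenAddress host|IPv4_addr:port
+# ListenAddress [host|IPv6_addr]:port
+#
+# If port is not specified, sshd will listen on the address and all Port options specified. The default
+# is to listen on all local addresses. Multiple ListenAddress options are permitted.
+#
+# ListenAddress ::
+# ListenAddress 0.0.0.0
+# ListenAddress 159.69.72.24
+# ListenAddress 2a01:4f8:231:171f::2
+#
+{% if (sshd_listen_address is defined) and sshd_listen_address %}
+{% for item in sshd_listen_address %}
+ListenAddress {{ item }}
+{% endfor %}
+{% endif %}
+# Specifies the protocol versions sshd(8) supports.
+# The possible values are 1 , `2' and 1,2.
+# The default is 2.
+Protocol 2
+# HostKeys for protocol version 2
+{% for item in sshd_host_keys %}
+HostKey {{ item }}
+{% endfor %}
+# Lifetime and size of ephemeral version 1 server key
+#
+# Note:
+# Deprecated option KeyRegenerationInterval
+# Deprecated option ServerKeyBits
+#
+#KeyRegenerationInterval 3600
+#ServerKeyBits 768
+# Specifies the maximum number of concurrent unauthenticated connections
+# to the SSH daemon. See sshd_config(5) for specifiing the three colon
+# separated values.
+# The default is 10.
+#MaxStartups 10:30:100
+#MaxStartups 3
+MaxStartups {{ sshd_max_startups }}
+# Specifies the maximum number of authentication attempts permitted per
+# connection.
+# The default is 6.
+MaxAuthTries {{ sshd_max_auth_tries }}
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+# The default is 10.
+MaxSessions {{ sshd_max_sessions }}
+#-----------------------------
+# Authentication
+#-----------------------------
+# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# child process to deal with incoming network traffic.
+# The default is "yes" (for security).
+{% if (ansible_facts['distribution'] == "Debian") and (ansible_facts['distribution_major_version']|int > 9) %}
+#
+# Note: (Release 7.5)
+# Deprecated option UsePrivilegeSeparation
+# Privilege separation has been on by default for almost 15 years
+# sandboxing has been on by default for almost the last five
+#
+#UsePrivilegeSeparation sandbox
+{% else %}
+UsePrivilegeSeparation sandbox
+{% endif %}
+# The server disconnects after this time if the user has not
+# successfully logged in.
+# The default is 120 seconds.
+LoginGraceTime 120
+# Specifies whether root can log in using ssh(1).
+# The default is "yes".
+# Possible values: yes, no, prohibit-password (or teh older one: without-password)
+#PermitRootLogin yes
+PermitRootLogin {{ sshd_permit_root_login }}
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login. This is normally
+# desirable because novices sometimes accidentally leave their directory or
+# files world-writable. Note that this does not apply to ChrootDirectory,
+# whose permissions and ownership are checked unconditionally.
+# The default is “yes”.
+StrictModes yes
+# Specifies whether pure RSA authentication is allowed. This option
+# applies to protocol version 1 only.
+# The default is “yes”.
+#
+# Note:
+# Deprecated option RSAAuthentication
+#
+#RSAAuthentication yes
+# Specifies whether public key authentication is allowed. Note that this
+# option applies to protocol version 2 only.
+# The default is “yes”.
+PubkeyAuthentication {{ sshd_pubkey_authentication }}
+# Specifies the file that contains the public keys that can be used for
+# user authentication. The format is described in the AUTHORIZED_KEYS FILE
+# FORMAT section of sshd(8).
+# AuthorizedKeysFile may contain tokens of the form %T which are substituted
+# during connection setup. The following tokens are defined: %% is replaced
+# by a literal '%', %h is replaced by the home directory of the user being
+# authenticated, and %u is replaced by the username of that user. After
+# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
+# to the user's home directory. Multiple files may be listed, separated by
+# whitespace.
+# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+AuthorizedKeysFile {{ sshd_authorized_keys_file }}
+# Specifies whether password authentication is allowed.
+# Change to no to disable tunnelled clear text passwords
+# The default is "yes".
+#PasswordAuthentication yes
+PasswordAuthentication {{ sshd_password_authentication }}
+# When password authentication is allowed, it specifies whether the
+# server allows login to accounts with empty password strings.
+# The default is “no”.
+PermitEmptyPasswords no
+# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
+# The default is “yes”.
+ChallengeResponseAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#
+# Note:
+# Deprecated option RhostsRSAAuthentication
+#
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# during RhostsRSAAuthentication or HostbasedAuthentication.
+# The default is “no”.
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# If specified, login is allowed only for user names that match one of
+# the patterns.
+# The allow/deny directives are processed in the following order: DenyUsers,
+# AllowUsers, DenyGroups, and finally AllowGroups.
+# By default, login is allowed for all users.
+{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
+AllowUsers {{ fact_sshd_allowed_users }}
+{% else %}
+#AllowUsers back chris sysadm cityslang christoph
+{% endif %}
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM {{ sshd_use_pam }}
+# Specifies whether login(1) is used for interactive login sessions.
+# Note that login(1) is never used for remote command execution.
+# Note also, that if this is enabled, X11Forwarding will be disabled
+# because login(1) does not know how to handle xauth(1) cookies. If
+# UsePrivilegeSeparation is specified, it will be disabled after
+# authentication.
+# The default is “no”.
+#UseLogin no
+#-----------------------------
+# Cryptography
+#-----------------------------
+# Specifies the available KEX (Key Exchange) algorithms.
+# The default is:
+## curve25519-sha256@libssh.org,
+## ecdh-sha2-nistp256,
+## ecdh-sha2-nistp384,
+## ecdh-sha2-nistp521,
+## diffie-hellman-group-exchange-sha256,
+## diffie-hellman-group14-sha1.
+{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
+KexAlgorithms {{ fact_sshd_kexalgorithms }}
+{% else %}
+#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+{% endif %}
+# Specifies the ciphers allowed for protocol version 2.
+# The default is:
+## aes128-ctr,
+## aes192-ctr,
+## aes256-ctr,
+## aes128-gcm@openssh.com,
+## aes256-gcm@openssh.com,
+## chacha20-poly1305@openssh.com.
+{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
+Ciphers {{ fact_sshd_ciphers }}
+{% else %}
+#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+{% endif %}
+# Specifies the available MAC (message authentication code) algorithms.
+# The default is:
+## umac-64-etm@openssh.com,
+## umac-128-etm@openssh.com,
+## hmac-sha2-256-etm@openssh.com,
+## hmac-sha2-512-etm@openssh.com,
+## umac-64@openssh.com,
+## umac-128@openssh.com,
+## hmac-sha2-256,
+## hmac-sha2-512.
+{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
+MACs {{ fact_sshd_macs }}
+{% else %}
+#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+{% endif %}
+#-----------------------------
+# Logging
+#-----------------------------
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+# The default is AUTH.
+SyslogFacility AUTH
+# Gives the verbosity level that is used when logging messages from
+# sshd(8).
+# The default is INFO.
+LogLevel INFO
+#-----------------------------
+# Behavior
+#-----------------------------
+# Specifies whether the distribution-specified extra version suffix is included
+# during initial protocol handshake.
+# The default is "yes".
+DebianBanner no
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+# By default, no banner is displayed.
+#Banner /etc/issue.net
+# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# interactively. (On some systems it is also printed by the shell,
+# /etc/profile, or equivalent.)
+# The default is “yes”.
+PrintMotd {{ sshd_print_motd }}
+# Specifies what environment variables sent by the client will be copied
+# into the session's environ(7).
+# The default is not to accept any environment variables.
+AcceptEnv LANG LC_*
+# Configures an external subsystem (e.g. file transfer daemon).
+# By default no subsystems are defined.
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Specifies whether sshd(8) should look up the remote host name and check
+# that the resolved host name for the remote IP address maps back to the
+# very same IP address.
+# The default is “yes”.
+UseDNS {{ sshd_use_dns }}
+# Specifies whether X11 forwarding is permitted. The argument must be
+# “yes” or “no”. See sshd_config(5) for further expalnation
+# The default is “no”.
+#X11Forwarding yes
+# Specifies the first display number available for sshd(8)'s X11
+# forwarding. This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+X11DisplayOffset 10
+# Specifies whether the system should send TCP keepalive messages to the
+# other side. If they are sent, death of the connection or crash of one
+# of the machines will be properly noticed. However, this means
+# that connections will die if the route is down temporarily, and some
+# people find it annoying. On the other hand, if TCP keepalives are not
+# sent, sessions may hang indefinitely on the server, leaving “ghost” users
+# and consuming server resources.
+#
+# The default is “yes” (to send TCP keepalive messages), and the server
+# will notice if the network goes down or the client host crashes. This
+# avoids infinitely hanging sessions.
+TCPKeepAlive yes
+#Specifies whether sshd(8) should print the date and time of the last
+# user login when a user logs in interactively.
+# The default is “yes”.
+PrintLastLog yes
+#-----------------------------
+# Kerberos options
+#-----------------------------
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#-----------------------------
+# GSSAPI options
+#-----------------------------
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes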
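Review bot: The `UsePrivilegeSeparation sandbox` branch is chosen by distribution name, so every non-Debian host takes the `{% else %}` path and receives the option regardless of its OpenSSH version, although the comment right above notes it was deprecated in release 7.5; the condition should cover the other distributions' versions too, or better be keyed on the installed OpenSSH version (not available as a fact on this page, so that would need a small fact-gathering task). The `AllowUsers` block falls back silently to unrestricted login when `fact_sshd_allowed_users` is empty and ships real account names in the rendered comment; emitting `# NOTE: no AllowUsers restriction in effect for this host` instead of the sample list makes that state visible in the deployed file. For audit purposes, `LogLevel VERBOSE` records the fingerprint of the key used for each publickey login, which `INFO` does not.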


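--- /dev/null
+++ b/PATH_NOT_ON_PAGE/sudoers-pc-file
@@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+{% for item in sudoers_pc_file_defaults | default([]) %}
+Defaults {{ item }}
+{% endfor %}
+# Host alias specification
+{% for item in sudoers_pc_file_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User alias specification
+{% for item in sudoers_pc_file_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Cmnd alias specification
+{% for item in sudoers_pc_file_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Runas alias specification
+{% for item in sudoers_pc_file_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User privilege specification
+{# rules for nis users #}
+{% for item in nis_user | default([]) %}
+{{ item.name }} ALL=(root)NOPASSWD: MOUNT
+{% endfor %}
+# Group privilege specification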
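Review bot: The rule `{{ item.name }} ALL=(root)NOPASSWD: MOUNT` references a `MOUNT` command alias that this template never defines; it is only valid when `sudoers_pc_file_cmnd_aliases` happens to contain an entry named `MOUNT`, and otherwise `visudo` rejects the file and sudo stops working for every account on the host. Guarding the loop with `{% if sudoers_pc_file_cmnd_aliases | default([]) | selectattr('name', 'equalto', 'MOUNT') | list %}`, or at least a comment `# requires Cmnd_Alias MOUNT from sudoers_pc_file_cmnd_aliases` above it, makes the dependency explicit. If the task that installs this file does not use `validate: 'visudo -cf %s'` (the task is not on this page), a broken render reaches /etc/sudoers.d unchecked.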


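--- /dev/null
+++ b/PATH_NOT_ON_PAGE/sudoers-server-file
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+{% for item in sudoers_server_file_defaults | default([]) %}
+Defaults {{ item }}
+{% endfor %}
+# Host alias specification
+{% for item in sudoers_server_file_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User alias specification
+{% for item in sudoers_server_file_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Cmnd alias specification
+{% for item in sudoers_server_file_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Runas alias specification
+{% for item in sudoers_server_file_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User privilege specification
+{# rule for user 'back' #}
+{% for item in sudoers_server_file_user_back_privileges | default([]) %}
+back {{ item }}
+{% endfor -%}
+{%- if ansible_virtualization_role == 'host' %}
+{% for item in sudoers_server_file_user_back_disk_privileges | default([]) %}
+back {{ item }}
+{% endfor %}
+{% endif -%}
+{# other (host specific) rules #}
+{%- if (sudoers_server_file_user_privileges is defined and sudoers_server_file_user_privileges) %}
+{% for item in sudoers_server_file_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+{% endif %}
+# Group privilege specification
+{% for item in sudoers_server_file_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor -%}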
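Review bot: `ansible_virtualization_role` is dereferenced without a guard in the `{%- if ansible_virtualization_role == 'host' %}` line, while every other variable in this template is protected with `default([])`; on a host where fact gathering is disabled the render fails with an undefined-variable error. `{%- if ansible_virtualization_role is defined and ansible_virtualization_role == 'host' %}` keeps the template rendering on such hosts. Entries from `sudoers_server_file_user_back_privileges` and the disk list are written verbatim after `back`, so a comment above those loops stating that each item must be a complete `host=(runas) command` specification would help whoever maintains the variables.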


@ -7,34 +7,34 @@
#
# See the man page for details on how to write a sudoers file.
#
{% for item in sudoers_defaults %}
{% for item in sudoers_pc_defaults %}
{% if item != '' %}
Defaults {{ item }}
{% endif %}
{% endfor %}
# Host alias specification
{% for item in sudoers_host_aliases | default([]) %}
{% for item in sudoers_pc_host_aliases | default([]) %}
Host_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User alias specification
{% for item in sudoers_user_aliases | default([]) %}
{% for item in sudoers_pc_user_aliases | default([]) %}
User_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Cmnd alias specification
{% for item in sudoers_cmnd_aliases | default([]) %}
{% for item in sudoers_pc_cmnd_aliases | default([]) %}
Cmnd_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# Runas alias specification
{% for item in sudoers_runas_aliases | default([]) %}
{% for item in sudoers_pc_runas_aliases | default([]) %}
Runas_Alias {{ item.name }} = {{ item.entry }}
{% endfor %}
# User privilege specification
{% for item in sudoers_user_privileges | default([]) %}
{% for item in sudoers_pc_user_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}
@ -46,7 +46,7 @@ Runas_Alias {{ item.name }} = {{ item.entry }}
# Group privilege specification
{% for item in sudoers_group_privileges | default([]) %}
{% for item in sudoers_pc_group_privileges | default([]) %}
{{ item.name }} {{ item.entry }}
{% endfor %}


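--- /dev/null
+++ b/PATH_NOT_ON_PAGE/sudoers-server
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+{% for item in sudoers_server_defaults %}
+{% if item != '' %}
+Defaults {{ item }}
+{% endif %}
+{% endfor %}
+# Host alias specification
+{% for item in sudoers_server_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User alias specification
+{% for item in sudoers_server_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Cmnd alias specification
+{% for item in sudoers_server_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# Runas alias specification
+{% for item in sudoers_server_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+# User privilege specification
+{% for item in sudoers_server_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+# Group privilege specification
+{% for item in sudoers_server_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+# See sudoers(5) for more information on "#include" directives:
+#includedir /etc/sudoers.d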
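Review bot: `{% for item in sudoers_server_defaults %}` lacks the `| default([])` filter that every other loop in this file carries, so an inventory that defines no defaults fails to render instead of producing a sudoers file without Defaults lines; `{% for item in sudoers_server_defaults | default([]) %}` matches the siblings. The hard-coded `%sudo ALL=(ALL:ALL) ALL` sits between the templated user rules and the templated group rules, and since sudoers applies the last matching entry, a comment above it noting that `sudoers_server_group_privileges` entries take precedence for members of `sudo` would save confusion later. The same `validate: 'visudo -cf %s'` remark applies to whichever task installs this file, since it replaces /etc/sudoers itself.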


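--- /dev/null
+++ b/PATH_NOT_ON_PAGE/clean_trash.conf
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+# ------------------------------------
+# - Settings for script clean_trash.sh
+# ------------------------------------
+# - days
+# -
+# - Files older then 'days' will be deleted.
+# -
+# - Defaults to: days=31
+# -
+#days=31
+# - trash_dirs
+# -
+# - Directories where files older than given days will be deleted.
+# -
+# - Example:
+# - trash_dirs="/data/samba/transfer/.Trash /data/samba/no-backup-share/multimedia/.Trash"
+# -
+#trash_dirs=""
+{%- set count = namespace(trash_dirs=0) %}
+{%- for item in samba_shares | default([]) %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{% set count.trash_dirs = count.trash_dirs + 1 %}
+{% endif %}
+{% endfor %}
+{% if count.trash_dirs > 0 %}
+trash_dirs="
+{% for item in samba_shares %}
+{% if (item.vfs_object_recycle is defined and item.vfs_object_recycle|bool) %}
+{{ item.path }}/{{ item.recycle_path }}
+{% endif %}
+{% endfor %}
+"
+{% endif %}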
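Review bot: `{{ item.path }}/{{ item.recycle_path }}` inside the `trash_dirs` block has no fallback, while the smb.conf template visible earlier on this page writes `recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}`; a share that relies on that default renders smb.conf but fails here, and if the two fallbacks ever diverge the cleanup script would be pointed at a directory other than the actual recycle bin. `{{ item.path }}/{{ item.recycle_path | default('@Recycle.Bin') }}` keeps the templates in step, and defining the fallback once as a role variable would be better still. The `namespace` counter here, and the one in the `dir_permissions` template that follows, only computes a length; in that template `{% if samba_shares | default([]) | length > 0 %}` replaces the whole loop, and here a comment such as `{# count shares with recycle enabled so the block is omitted when there are none #}` would explain the counting.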


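--- /dev/null
+++ b/PATH_NOT_ON_PAGE/set_permissions_samba_shares.conf
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+# -----------------------------------------------------
+# - Settings for script set_permissions_samba_shares.sh
+# -----------------------------------------------------
+# - dir_permissions
+# -
+# - Recursive set Permissions (group and file- and directory-mode)
+# -
+# - Multiple options are possible. Use semicolon separated list.
+# -
+# - Usage:
+# - dir_permissions="<directory>:<group>:<file-mod>:<dir-mod>;[<directory>:<group>:<file-mod>:<dir-mod>];[.."
+# -
+# - Example:
+# - dir_permissions="/data/samba/transfer:buero:664:2775;/data/samba/verwaltung:intern:660:2770"
+# -
+#dir_permissions=""
+{%- set count = namespace(samba_shares=0) %}
+{%- for item in samba_shares | default([]) %}
+{% set count.samba_shares = count.samba_shares + 1 %}
+{% endfor %}
+{% if count.samba_shares > 0 %}
+dir_permissions="
+{% for item in samba_shares | default([]) %}
+{{ item.path }}:{{ item.group_write_list }}:{{ item.file_create_mask | default('0660') }}:{{ item.dir_create_mask | default('2770') }};
+{% endfor %}
+"
+{% endif %}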


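--- /dev/null
+++ b/PATH_NOT_ON_PAGE/wakeonlan-script
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+cl101="80:ee:73:c5:e9:b9"
+cl101_alt="70:71:bc:72:25:98"
+cl102="80:ee:73:c5:d3:87"
+cl103="80:ee:73:bb:da:93"
+cl103_alt="70:71:bc:72:24:cc"
+cl104="74:d4:35:ac:78:19"
+cl105_alt="70:71:bc:72:25:93"
+cl105="80:ee:73:c5:2c:97"
+cl106_alt="70:71:bc:72:26:e4"
+cl106="80:ee:73:c5:2d:8d"
+cl107_alt="e0:69:95:45:71:4b"
+cl107="80:ee:73:c5:2e:83"
+cl108_alt="70:71:bc:72:25:85"
+cl108="80:ee:73:d0:a3:30"
+cl109="38:60:77:39:f2:49"
+cl110="38:60:77:4e:34:fe"
+if [ $# = "1" ]; then
+_nic=`eval eval echo '$'$1`
+wakeonlan $_nic
+else
+wakeonlan $cl101
+sleep 2
+wakeonlan $cl101_alt
+sleep 2
+wakeonlan $cl102
+sleep 2
+wakeonlan $cl103
+sleep 2
+wakeonlan $cl103_alt
+sleep 2
+wakeonlan $cl104
+sleep 2
+wakeonlan $cl105
+sleep 2
+wakeonlan $cl105_alt
+sleep 2
+wakeonlan $cl106
+sleep 2
+wakeonlan $cl106_alt
+sleep 2
+wakeonlan $cl107
+sleep 2
+wakeonlan $cl107_alt
+sleep 2
+wakeonlan $cl108
+sleep 2
+wakeonlan $cl108_alt
+sleep 2
+wakeonlan $cl109
+sleep 2
+wakeonlan $cl110
+sleep 2
+fi
+exit 0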
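Review bot: `_nic=\`eval eval echo '$'$1\`` passes the first argument through two rounds of `eval`, so whoever can choose that argument can run arbitrary shell as the invoking user; an unknown name also yields an empty `$_nic`, and `wakeonlan $_nic` is then called with no MAC at all. Bash indirect expansion `${!1}` gives the same lookup without evaluation, and restricting the argument to the names assigned above plus an empty-value check turns both problems into a clear usage error. The rewritten one-argument branch is below; the sequential list in the `else` branch is unchanged, though it would read better as a loop over an array of the client names. The `exit 0` appears to be the last line of the file, but the rendered page drops blank lines, so the section boundary is inferred.
```shell
if [ $# = "1" ]; then
    # Accept only one of the client names assigned above; never hand $1 to eval.
    case "$1" in
        cl1[0-9][0-9]|cl1[0-9][0-9]_alt) _nic="${!1}" ;;
        *) echo "usage: $0 [client-name]" >&2; exit 1 ;;
    esac
    [ -n "$_nic" ] || { echo "no MAC address assigned for $1" >&2; exit 1; }
    wakeonlan "$_nic"
else
    # … unchanged: sequential wakeonlan/sleep list …
fi
```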