ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ansible:7238579d9c13cabe3f50966c9526973f51c1f5f9
Branches Tags
ansible:master
...
compare: ansible:72d4fae731a147017e9a166d6ff37b833516cb32
Branches Tags
ansible:master

2 Commits
7238579d9c ... 72d4fae731

Author SHA1 Message Date
Christoph
72d4fae731 update.. 2026-03-01 15:23:24 +01:00
Christoph
084a483cf2 update.. 2026-02-22 00:23:30 +01:00
8 changed files with 464 additions and 662 deletions
Expand all files Collapse all files

180
decrypt-vault-strings-from-file.sh
View File

@@ -1,54 +1,190 @@
#!/usr/bin/env bash #!/usr/bin/env bash
#
# decrypt-vault-strings-from-file.sh
#
# Zweck:
# - Entschlüsselt entweder:
# (A) eine komplett mit ansible-vault verschlüsselte Datei (ANSIBLE_VAULT Header)
# (B) einzelne YAML "!vault |" Blöcke in einer Datei (z.B. group_vars/host_vars)
# (C) einen einzelnen verschlüsselten String (Argument, Pipe oder interaktiv)
#
# Erwartet eine Vault-Passwortdatei unter: ~/.vault-pass
#
set -euo pipefail
VAULT_PASS_FILE="${HOME}/.vault-pass"
########################################
# Hilfe anzeigen
########################################
show_help() {
cat <<EOF
Usage:
$(basename "$0") [OPTION] [INPUT]
Decrypt modes:
1) Full vault-encrypted file (ANSIBLE_VAULT header):
$(basename "$0") secrets.vault
2) YAML file containing one or multiple "!vault |" blocks:
$(basename "$0") group_vars/all.yml
3) Encrypted vault string:
$(basename "$0") 'secret: !vault | \$ANSIBLE_VAULT;1.1;AES256 ...'
echo 'secret: !vault | ...' | $(basename "$0")
4) Interactive mode (paste, then Ctrl-D):
$(basename "$0")
Options:
-h, --help Show this help and exit
Notes:
- Vault password file: ${VAULT_PASS_FILE}
- This script prints decrypted values to stdout.
EOF
}
########################################
# Hauptfunktion
########################################
vdecr() { vdecr() {
unset IFS unset IFS
if [[ -n "$1" ]]; then # --- Help Flag innerhalb der Funktion (falls rekursiv aufgerufen) ---
if [[ -f "$1" ]]; then if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
cat "$1" | ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
return 0 return 0
fi fi
# Prüfen ob ansible-vault existiert
if ! command -v ansible-vault >/dev/null 2>&1; then
echo "Error: ansible-vault not found in PATH." >&2
return 1
fi
# Prüfen ob Vault-Passwortdatei lesbar ist
#if [[ ! -r "$VAULT_PASS_FILE" ]]; then
# echo "Error: vault password file not readable: $VAULT_PASS_FILE" >&2
# return 1
#fi
########################################
# Wenn ein Argument übergeben wurde
########################################
if [[ -n "${1:-}" ]]; then
# --- Fall 1: Argument ist eine Datei ---
if [[ -f "$1" ]]; then
# Wenn Datei eine "komplett verschlüsselte" Vault-Datei ist
# (Header ist die erste Zeile)
if [[ "$(head -n1 "$1")" == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
# Vollständige Datei entschlüsseln und ausgeben
ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" "$1" 2>/dev/null
return 0
fi
# --- Fall 2: Datei enthält einzelne "!vault" Blöcke (z.B. YAML) ---
printf 'Reading vault values from file...\n\n' printf 'Reading vault values from file...\n\n'
# parsing = 0 -> wir sind nicht im Vault-Block
# parsing = 1 -> wir sammeln gerade Vault-Block-Zeilen
local parsing=0 local parsing=0
local result="" local result=""
local name="" local name=""
local blue=$(tput setaf 4)
local discard=$(tput sgr0) # Farbausgabe (blau) für den jeweiligen Key/Name
for line in $(cat $1); do local blue
if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then local discard
blue="$(tput setaf 4 || true)"
discard="$(tput sgr0 || true)"
# Originalscript hat "for line in \$(cat file)" verwendet,
# was nach Whitespace tokenisiert. Um das Verhalten kontrollierter
# beizubehalten, tokenisieren wir hier ebenfalls nach Whitespace:
#
# - Das hilft, wenn Vault-Blöcke eingerückt sind oder YAML Zeichen enthält,
# weil später ohnehin per sed weiter "normalisiert" wird.
#
# WICHTIG: Das ist nicht "echtes" YAML-Parsing, sondern best-effort.
while IFS= read -r token; do
# Start eines vault blocks erkennen (Token enthält "!vault")
if [[ "$(echo "$token" | grep -c "\!vault")" -gt 0 ]] && [[ $parsing -eq 0 ]]; then
parsing=1 parsing=1
elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
result=$(printf "${result}\n${line}") # Im Vault-Block: Token ohne ":" werden gesammelt (Ciphertext-Zeilen)
elif [[ $parsing -eq 1 ]] && [[ "$(echo "$token" | grep -c ":")" -eq 0 ]]; then
result="$(printf "%s\n%s" "$result" "$token")"
# Sonst: Blockende / neuer Bereich
else else
if [[ $result != "" ]]; then # Wenn wir einen gesammelten Block haben -> ausgeben und decrypten
printf "\n\n${blue}$name${discard}\n" if [[ -n "$result" ]]; then
printf "$result" | vdecr printf "\n\n%s%s%s\n" "$blue" "$name" "$discard"
# Rekursiver Aufruf: der gesammelte Block wird wie "Stringinput"
# behandelt und im unteren Abschnitt entschlüsselt
printf "%s" "$result" | vdecr
name="" name=""
result="" result=""
parsing=0 parsing=0
fi fi
fi fi
if [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
name="$line" # Token mit ":" als "Name" merken (typischerweise YAML key:)
if [[ "$(echo "$token" | grep -c ":")" -eq 1 ]]; then
name="$token"
fi fi
done
# Tokenisierung nach Whitespace (ähnlich dem Original)
done < <(tr -s '[:space:]' '\n' < "$1")
return 0 return 0
fi fi
# --- Fall 3: Argument ist ein String ---
local str="$1" local str="$1"
# --- Fall 4: String kommt per Pipe (stdin ist kein TTY) ---
elif [[ ! -t 0 ]]; then elif [[ ! -t 0 ]]; then
local str=$(cat) local str
str="$(cat)"
# --- Fall 5: Interaktiv ---
else else
printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n' printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
local str=$(cat) local str
str="$(cat)"
printf '\n' printf '\n'
fi fi
printf -- "$str" | sed 's/ /\n/g' | \ ########################################
# String entschlüsseln
#
# Das Script erwartet, dass der Input evtl. als YAML-Fragment kommt,
# und "normalisiert" ihn so, dass ansible-vault decrypt damit klarkommt:
#
# - ersetzt Spaces durch Newlines
# - entfernt YAML-Deko wie "---", "key:", "!vault", "|", leere Zeilen
# - piped den Rest in "ansible-vault decrypt"
########################################
printf -- "%s" "$str" | \
sed 's/ /\n/g' | \
sed '/---\|^.*:\|\!vault\||\|^$/d' | \ sed '/---\|^.*:\|\!vault\||\|^$/d' | \
ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null
printf '\n' printf '\n'
} }
vdecr $1 ########################################
# Main
########################################
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
exit 0
fi
vdecr "${1:-}"

55
decrypt-vault-strings-from-file.sh.00 Executable file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bash
vdecr() {
unset IFS
if [[ -n "$1" ]]; then
if [[ -f "$1" ]]; then
if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
cat "$1" | ansible-vault decrypt 2> /dev/null
return 0
fi
printf 'Reading vault values from file...\n\n'
local parsing=0
local result=""
local name=""
local blue=$(tput setaf 4)
local discard=$(tput sgr0)
for line in $(cat $1); do
if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then
parsing=1
elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
result=$(printf "${result}\n${line}")
else
if [[ $result != "" ]]; then
printf "\n\n${blue}$name${discard}\n"
printf "$result" | vdecr
name=""
result=""
parsing=0
fi
fi
if [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
name="$line"
fi
done
return 0
fi
local str="$1"
elif [[ ! -t 0 ]]; then
local str=$(cat)
else
printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
local str=$(cat)
printf '\n'
fi
printf -- "$str" | sed 's/ /\n/g' | \
sed '/---\|^.*:\|\!vault\||\|^$/d' | \
#ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
ansible-vault decrypt 2> /dev/null
printf '\n'
}
vdecr $1

7
encrypt-vault-string.sh Executable file
View File

@@ -0,0 +1,7 @@
!/usr/bin/env bash
set -euo pipefail
read -r -s -p "String zum Verschlüsseln: " PLAINTEXT
echo
printf '%s' "$PLAINTEXT" | ansible-vault encrypt_string --stdin-name 'secret'

205
encrypt-vault-strings-from-file.sh Executable file
View File

@@ -0,0 +1,205 @@
#!/usr/bin/env bash
#
# encrypt-vault-strings-to-file.sh
#
# Gegenstück zu deinem Decrypt-Script.
#
# Funktionen:
# 1. Komplettes File mit ansible-vault encrypt verschlüsseln
# 2. YAML-Datei mit key: value Zeilen in key: !vault | Blöcke umwandeln
# 3. Einzelnen String verschlüsseln (Argument, Pipe oder interaktiv)
#
# Vault-Passwortdatei: ~/.vault-pass
#
set -euo pipefail
VAULT_PASS_FILE="${HOME}/.vault-pass"
########################################
# Hilfe anzeigen
########################################
show_help() {
cat <<EOF
Usage:
$(basename "$0") [OPTION] [INPUT]
Modes:
1) File encrypt (in-place):
$(basename "$0") secrets.txt
2) YAML file (key: value → !vault block):
$(basename "$0") vars.yml
$(basename "$0") -o output.yml vars.yml
3) String encrypt:
$(basename "$0") 'mySecret'
echo 'mySecret' | $(basename "$0")
$(basename "$0") (interactive mode)
Options:
-o FILE Write YAML output to FILE instead of stdout
-h, --help Show this help and exit
Notes:
- Vault password file: ${VAULT_PASS_FILE}
- Simple "key: value" YAML lines will be converted.
- Already encrypted (!vault) entries are preserved.
- Full vault-encrypted files (ANSIBLE_VAULT header) are detected.
EOF
}
########################################
# Hauptfunktion
########################################
vencr() {
unset IFS
# --- Help Flag ---
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
exit 0
fi
# Prüfen ob Vault-Passwortdatei existiert
if [[ ! -r "$VAULT_PASS_FILE" ]]; then
echo "Vault password file not readable: $VAULT_PASS_FILE" >&2
exit 1
fi
########################################
# Optionales Output-File (-o)
########################################
local out_file=""
if [[ "${1:-}" == "-o" && -n "${2:-}" ]]; then
out_file="$2"
shift 2
fi
########################################
# --- 1) File als Argument ---
########################################
if [[ -n "${1:-}" && -f "$1" ]]; then
local f="$1"
# Fall A: Datei ist bereits vollständig vault-verschlüsselt
if [[ "$(head -n1 "$f")" == "\$ANSIBLE_VAULT;1.1;AES256"* ]]; then
echo "File already encrypted (ANSIBLE_VAULT header found): $f" >&2
return 0
fi
# Fall B: YAML mit key: value Zeilen
if grep -Eq '^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[^#].*$' "$f"; then
local tmpout
tmpout="$(mktemp)"
# Datei zeilenweise lesen
while IFS= read -r line || [[ -n "$line" ]]; do
# Leere Zeilen oder Kommentare unverändert übernehmen
if [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]]; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Bereits verschlüsselte !vault Einträge nicht verändern
if echo "$line" | grep -q '\!vault'; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Einfache key: value Zeilen erkennen
if [[ "$line" =~ ^([[:space:]]*)([A-Za-z0-9_.-]+):[[:space:]]*(.+)$ ]]; then
local indent="${BASH_REMATCH[1]}"
local key="${BASH_REMATCH[2]}"
local value="${BASH_REMATCH[3]}"
# YAML-Blockindikatoren nicht verändern
if [[ "$value" == "|" || "$value" == ">" || "$value" == "" ]]; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Leichte Bereinigung von Quotes
value="${value%\"}"; value="${value#\"}"
value="${value%\'}"; value="${value#\'}"
# Verschlüsselung via ansible-vault encrypt_string
while IFS= read -r enc_line; do
printf '%s%s\n' "$indent" "$enc_line" >> "$tmpout"
done < <(
printf '%s' "$value" |
ansible-vault encrypt_string \
--stdin-name "$key" \
--vault-password-file "$VAULT_PASS_FILE"
)
else
# Nicht passende Zeilen unverändert übernehmen
printf '%s\n' "$line" >> "$tmpout"
fi
done < "$f"
# Output schreiben
if [[ -n "$out_file" ]]; then
mv "$tmpout" "$out_file"
echo "Encrypted YAML written to: $out_file" >&2
else
cat "$tmpout"
rm -f "$tmpout"
fi
return 0
fi
# Fall C: Normale Datei → komplett verschlüsseln (in-place)
ansible-vault encrypt \
--vault-password-file "$VAULT_PASS_FILE" \
"$f"
echo "Encrypted file in-place: $f" >&2
return 0
fi
########################################
# --- 2) String-Verschlüsselung ---
########################################
local str=""
local name="secret"
# String als Argument
if [[ -n "${1:-}" ]]; then
str="$1"
# String via Pipe
elif [[ ! -t 0 ]]; then
str="$(cat)"
# Interaktiver Modus
else
echo "Interactive mode."
read -r -p "Variable name (default: secret): " name_in
if [[ -n "$name_in" ]]; then
name="$name_in"
fi
echo "Paste plaintext and press Ctrl-D to confirm:"
str="$(cat)"
echo
fi
# Ausgabe als YAML-kompatibler !vault Block
printf '%s' "$str" |
ansible-vault encrypt_string \
--stdin-name "$name" \
--vault-password-file "$VAULT_PASS_FILE"
}
########################################
# Script starten
########################################
vencr "$@"

2
group_vars/all/main.yml
View File

@@ -2238,7 +2238,7 @@ resolved_nameserver:
resolved_domains: resolved_domains:
- oopen.de - oopen.de
resolved_dnssec: true resolved_dnssec: false
# dns.as250.net: 194.150.168.168 # dns.as250.net: 194.150.168.168
# #

626
host_vars/file-ah-alt.kanzlei-kiel.netz.yml
View File

@@ -1,626 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp33s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 0c:c4:7a:ea:dd:56
description:
address: 192.168.100.10
netmask: 24
gateway: 192.168.100.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 192.168.100.1
#search: kanzlei-kiel.netz
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp33s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev enp33s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.100.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- kanzlei-kiel.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: 9xFXkdPR_2
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: Iar-zrq4wG.2
- name: winadm
user_id: 1055
group_id: 1055
group: winadm
append: true
groups:
- sysadm
home: /home/winadm
password: $y$j9T$FIN.5hpIbyFh/zx8a3xVZ.$jn9b12BUW57PEXGp3288t/dVBB7glyTgj/58QyYOG7D
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
# ---
# vars used by roles/common/tasks/cron.yml
# ---
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
nfs_server: 192.168.100.10
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.100.10
samba_server_cidr_prefix: 24
samba_workgroup: AH-ALT
samba_netbios_name: FILE-AH-Alt
samba_groups:
- name: verwaltung
group_id: 120
- name: intern
group_id: 121
- name: hoffmann-elberling
group_id: 122
- name: gubitz-partner
group_id: 123
- name: sysadm
group_id: 1050
- name: install
group_id: 1070
samba_user:
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: test
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buero
groups:
- verwaltung
- intern
- hoffmann-elberling
- gubitz-partner
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: buchholz
groups:
- buero
- intern
- verwaltung
password: '20-buch_holz-20'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: simone.schnoenmehl
groups:
- intern
- gubitz-partner
password: '20-simone-schnoenmehl-22%'
- name: heckert
groups:
- intern
- verwaltung
- gubitz-partner
password: '0-heckert.22%'
- name: weber
groups:
- intern
- verwaltung
- gubitz-partner
password: '20.ni-klas.weber_26!'
- name: hh-lucke
groups: []
password: 'Ole20Steffen_17'
- name: hh-kanzlei
groups: []
password: '20-HH_18-Kanzlei'
- name: hh-jaenicke
groups: []
password: '20-th.jaenicke_%20'
- name: hh-pueschel
groups: []
password: '20-HH_caro.pueschel-%21'
- name: hh-kell
groups: []
password: '20-an.kell-%24'
- name: hh-neumann
groups: []
password: '20.neu-mann_%24'
# password: Iar-zrq4wG.2
- name: winadm
groups:
- sysadm
- install
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326630303038396164656266623339353031336434376531383133643266656133363165316532
6364343131656235313432356230646337373362343938660a393031323561326438653935393632
34373464313666343433626635656261323933353631393632626166643738386333636639303334
3661613165626230640a306236363161356239306232633565336131303066383464626164636133
3038
- name: hh-stork
groups: []
password: '20-ni-na.stork_%24'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
# password: 9xFXkdPR_2
- name: sysadm
groups:
- buero
- install
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35323634653231353634343232326436393435386366396364373766306135636536323165656362
3138366263316231333038343930313134333565373566640a363932616535343538376333313335
64326566643163366533356464326339653236636562363336633738656631626433306661323835
3337663865333636660a626131366161636433613561613235333831653733383365623564313431
6439
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Backup
path: /data/samba/non-backup-shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Install
path: /data/samba/shares/install
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ---
# - This share will be written by windows schedulescript 'backup-advoware.bat'
# ---
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

51
host_vars/file-ah.kanzlei-kiel.netz.yml
View File

@@ -34,7 +34,7 @@ network_interfaces:
method: static method: static
hwaddress: 7c:c2:55:c0:26:74 hwaddress: 7c:c2:55:c0:26:74
description: description:
address: 192.168.100.20 address: 192.168.100.10
netmask: 24 netmask: 24
gateway: 192.168.100.254 gateway: 192.168.100.254
@@ -317,7 +317,7 @@ cron_user_special_time_entries:
# vars used by roles/common/tasks/nfs.yml # vars used by roles/common/tasks/nfs.yml
# --- # ---
nfs_server: 192.168.100.20 nfs_server: 192.168.100.10
# --- # ---
@@ -325,7 +325,7 @@ nfs_server: 192.168.100.20
# vars used by roles/common/tasks/samba-user.yml # vars used by roles/common/tasks/samba-user.yml
# --- # ---
samba_server_ip: 192.168.100.20 samba_server_ip: 192.168.100.10
samba_server_cidr_prefix: 24 samba_server_cidr_prefix: 24
samba_workgroup: AH samba_workgroup: AH
@@ -351,10 +351,11 @@ samba_user:
- name: chris - name: chris
groups: groups:
- buero - buero
- intern
- verwaltung
- gubitz-partner - gubitz-partner
- hoffmann-elberling - hoffmann-elberling
- install
- intern
- verwaltung
password: !vault | password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234 63643330373231636537366333326630333265303265653933613835656262323863363038653234
@@ -471,7 +472,14 @@ samba_user:
- intern - intern
- verwaltung - verwaltung
- gubitz-partner - gubitz-partner
password: '0-heckert.22%' password: '20-heckert.22%'
- name: schultheis
groups:
- intern
- verwaltung
- gubitz-partner
password: '20.loui-sa/schultheis-26!'
- name: weber - name: weber
groups: groups:
@@ -521,15 +529,16 @@ samba_user:
groups: [] groups: []
password: '20-ni-na.stork_%24' password: '20-ni-na.stork_%24'
# password: y2F.E-9q-54f
- name: back - name: back
groups: [] groups: []
password: !vault | password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234 66613731346331613961353639616537656432373562653939623864613431663637643630613131
3462653135633266373439626263356636646637643035340a653466356235346663626163306363 3264633732633962663330646436623532353834646463330a303037303965343762623332633661
61313164643061306433643738643563303036646334376536626531383965303036386162393832 34313165393831396366393162613166396465383264313831386430313535363832383437373064
6631333038306462610a356535633265633563633962333137326533633834636331343562633765 6231626664316265660a653862386231333465623663633266616663326139356638613034303264
3631 6131
# password: 9xFXkdPR_2 # password: 9xFXkdPR_2
- name: sysadm - name: sysadm
@@ -625,9 +634,23 @@ samba_shares:
# - This share will be written by Windows Server 2016 configured at # - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung" # - "Windows Zubehör" -> "Windows Server-Sicherung"
# --- # ---
- name: WinServer2016-Backup # - name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver # comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup # path: /data/samba/shares/WinServer2016-Backup
# group_valid_users: sysadm
# group_write_list: sysadm
# file_create_mask: !!str 664
# dir_create_mask: !!str 2775
# guest_ok: !!str yes
# vfs_object_recycle: false
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: Windows-Server-2025-Backup
comment: Windows-Server-2025-Backup on Fileserver
path: /data/samba/shares/Windows-Server-2025-Backup
group_valid_users: sysadm group_valid_users: sysadm
group_write_list: sysadm group_write_list: sysadm
file_create_mask: !!str 664 file_create_mask: !!str 664

2
roles/common/tasks/main.yml
View File

@@ -172,6 +172,8 @@
- import_tasks: ntp.yml - import_tasks: ntp.yml
tags: tags:
- ntp - ntp
when:
- "'lxc_guest' not in group_names"
# tags supportetd inside git.yml # tags supportetd inside git.yml