update..

decrypt-vault-strings-from-file.sh

@@ -1,54 +1,190 @@
 #!/usr/bin/env bash
+#
+# decrypt-vault-strings-from-file.sh
+#
+# Zweck:
+#   - Entschlüsselt entweder:
+#       (A) eine komplett mit ansible-vault verschlüsselte Datei (ANSIBLE_VAULT Header)
+#       (B) einzelne YAML "!vault |" Blöcke in einer Datei (z.B. group_vars/host_vars)
+#       (C) einen einzelnen verschlüsselten String (Argument, Pipe oder interaktiv)
+#
+# Erwartet eine Vault-Passwortdatei unter: ~/.vault-pass
+#
 
+set -euo pipefail
+
+VAULT_PASS_FILE="${HOME}/.vault-pass"
+
+########################################
+# Hilfe anzeigen
+########################################
+show_help() {
+  cat <<EOF
+Usage:
+  $(basename "$0") [OPTION] [INPUT]
+
+Decrypt modes:
+
+  1) Full vault-encrypted file (ANSIBLE_VAULT header):
+     $(basename "$0") secrets.vault
+
+  2) YAML file containing one or multiple "!vault |" blocks:
+     $(basename "$0") group_vars/all.yml
+
+  3) Encrypted vault string:
+     $(basename "$0") 'secret: !vault | \$ANSIBLE_VAULT;1.1;AES256 ...'
+     echo 'secret: !vault | ...' | $(basename "$0")
+
+  4) Interactive mode (paste, then Ctrl-D):
+     $(basename "$0")
+
+Options:
+  -h, --help   Show this help and exit
+
+Notes:
+  - Vault password file: ${VAULT_PASS_FILE}
+  - This script prints decrypted values to stdout.
+EOF
+}
+
+########################################
+# Hauptfunktion
+########################################
 vdecr() {
   unset IFS
 
-  if [[ -n "$1" ]]; then
+  # --- Help Flag innerhalb der Funktion (falls rekursiv aufgerufen) ---
+  if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+    show_help
+    return 0
+  fi
+
+  # Prüfen ob ansible-vault existiert
+  if ! command -v ansible-vault >/dev/null 2>&1; then
+    echo "Error: ansible-vault not found in PATH." >&2
+    return 1
+  fi
+
+  # Prüfen ob Vault-Passwortdatei lesbar ist
+  #if [[ ! -r "$VAULT_PASS_FILE" ]]; then
+  #  echo "Error: vault password file not readable: $VAULT_PASS_FILE" >&2
+  #  return 1
+  #fi
+
+  ########################################
+  # Wenn ein Argument übergeben wurde
+  ########################################
+  if [[ -n "${1:-}" ]]; then
+
+    # --- Fall 1: Argument ist eine Datei ---
     if [[ -f "$1" ]]; then
 
-      if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
-        cat "$1" | ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
+      # Wenn Datei eine "komplett verschlüsselte" Vault-Datei ist
+      # (Header ist die erste Zeile)
+      if [[ "$(head -n1 "$1")" == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
+        # Vollständige Datei entschlüsseln und ausgeben
+        ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" "$1" 2>/dev/null
         return 0
       fi
+
+      # --- Fall 2: Datei enthält einzelne "!vault" Blöcke (z.B. YAML) ---
       printf 'Reading vault values from file...\n\n'
+
+      # parsing = 0 -> wir sind nicht im Vault-Block
+      # parsing = 1 -> wir sammeln gerade Vault-Block-Zeilen
       local parsing=0
       local result=""
       local name=""
-      local blue=$(tput setaf 4)
-      local discard=$(tput sgr0)
-      for line in $(cat $1); do
-        if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then
+
+      # Farbausgabe (blau) für den jeweiligen Key/Name
+      local blue
+      local discard
+      blue="$(tput setaf 4 || true)"
+      discard="$(tput sgr0 || true)"
+
+      # Originalscript hat "for line in \$(cat file)" verwendet,
+      # was nach Whitespace tokenisiert. Um das Verhalten kontrollierter
+      # beizubehalten, tokenisieren wir hier ebenfalls nach Whitespace:
+      #
+      # - Das hilft, wenn Vault-Blöcke eingerückt sind oder YAML Zeichen enthält,
+      #   weil später ohnehin per sed weiter "normalisiert" wird.
+      #
+      # WICHTIG: Das ist nicht "echtes" YAML-Parsing, sondern best-effort.
+      while IFS= read -r token; do
+
+        # Start eines vault blocks erkennen (Token enthält "!vault")
+        if [[ "$(echo "$token" | grep -c "\!vault")" -gt 0 ]] && [[ $parsing -eq 0 ]]; then
           parsing=1
-        elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
-          result=$(printf "${result}\n${line}")
+
+        # Im Vault-Block: Token ohne ":" werden gesammelt (Ciphertext-Zeilen)
+        elif [[ $parsing -eq 1 ]] && [[ "$(echo "$token" | grep -c ":")" -eq 0 ]]; then
+          result="$(printf "%s\n%s" "$result" "$token")"
+
+        # Sonst: Blockende / neuer Bereich
         else
-          if [[ $result != "" ]]; then
-            printf "\n\n${blue}$name${discard}\n"
-            printf "$result" | vdecr
+          # Wenn wir einen gesammelten Block haben -> ausgeben und decrypten
+          if [[ -n "$result" ]]; then
+            printf "\n\n%s%s%s\n" "$blue" "$name" "$discard"
+            # Rekursiver Aufruf: der gesammelte Block wird wie "Stringinput"
+            # behandelt und im unteren Abschnitt entschlüsselt
+            printf "%s" "$result" | vdecr
             name=""
             result=""
             parsing=0
           fi
         fi
-        if  [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
-          name="$line"
+
+        # Token mit ":" als "Name" merken (typischerweise YAML key:)
+        if [[ "$(echo "$token" | grep -c ":")" -eq 1 ]]; then
+          name="$token"
         fi
-      done
+
+      # Tokenisierung nach Whitespace (ähnlich dem Original)
+      done < <(tr -s '[:space:]' '\n' < "$1")
+
       return 0
     fi
+
+    # --- Fall 3: Argument ist ein String ---
     local str="$1"
+
+  # --- Fall 4: String kommt per Pipe (stdin ist kein TTY) ---
   elif [[ ! -t 0 ]]; then
-    local str=$(cat)
+    local str
+    str="$(cat)"
+
+  # --- Fall 5: Interaktiv ---
   else
     printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
-    local str=$(cat)
+    local str
+    str="$(cat)"
     printf '\n'
   fi
 
-  printf -- "$str" | sed 's/ /\n/g' | \
-  sed '/---\|^.*:\|\!vault\||\|^$/d' | \
-  ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
+  ########################################
+  # String entschlüsseln
+  #
+  # Das Script erwartet, dass der Input evtl. als YAML-Fragment kommt,
+  # und "normalisiert" ihn so, dass ansible-vault decrypt damit klarkommt:
+  #
+  # - ersetzt Spaces durch Newlines
+  # - entfernt YAML-Deko wie "---", "key:", "!vault", "|", leere Zeilen
+  # - piped den Rest in "ansible-vault decrypt"
+  ########################################
+  printf -- "%s" "$str" | \
+    sed 's/ /\n/g' | \
+    sed '/---\|^.*:\|\!vault\||\|^$/d' | \
+    ansible-vault decrypt --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null
+
   printf '\n'
 }
 
-vdecr $1
+########################################
+# Main
+########################################
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+  show_help
+  exit 0
+fi
+
+vdecr "${1:-}"

decrypt-vault-strings-from-file.sh.00

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+vdecr() {
+  unset IFS
+
+  if [[ -n "$1" ]]; then
+    if [[ -f "$1" ]]; then
+
+      if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
+        cat "$1" | ansible-vault decrypt 2> /dev/null
+        return 0
+      fi
+      printf 'Reading vault values from file...\n\n'
+      local parsing=0
+      local result=""
+      local name=""
+      local blue=$(tput setaf 4)
+      local discard=$(tput sgr0)
+      for line in $(cat $1); do
+        if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then
+          parsing=1
+        elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
+          result=$(printf "${result}\n${line}")
+        else
+          if [[ $result != "" ]]; then
+            printf "\n\n${blue}$name${discard}\n"
+            printf "$result" | vdecr
+            name=""
+            result=""
+            parsing=0
+          fi
+        fi
+        if  [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
+          name="$line"
+        fi
+      done
+      return 0
+    fi
+    local str="$1"
+  elif [[ ! -t 0 ]]; then
+    local str=$(cat)
+  else
+    printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
+    local str=$(cat)
+    printf '\n'
+  fi
+
+  printf -- "$str" | sed 's/ /\n/g' | \
+  sed '/---\|^.*:\|\!vault\||\|^$/d' | \
+  #ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
+  ansible-vault decrypt 2> /dev/null
+  printf '\n'
+}
+
+vdecr $1

encrypt-vault-string.sh

@@ -0,0 +1,7 @@
+!/usr/bin/env bash
+set -euo pipefail
+
+read -r -s -p "String zum Verschlüsseln: " PLAINTEXT
+echo
+
+printf '%s' "$PLAINTEXT" | ansible-vault encrypt_string --stdin-name 'secret' 

encrypt-vault-strings-from-file.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+#
+# encrypt-vault-strings-to-file.sh
+#
+# Gegenstück zu deinem Decrypt-Script.
+#
+# Funktionen:
+#   1. Komplettes File mit ansible-vault encrypt verschlüsseln
+#   2. YAML-Datei mit key: value Zeilen in key: !vault | Blöcke umwandeln
+#   3. Einzelnen String verschlüsseln (Argument, Pipe oder interaktiv)
+#
+# Vault-Passwortdatei: ~/.vault-pass
+#
+
+set -euo pipefail
+
+VAULT_PASS_FILE="${HOME}/.vault-pass"
+
+########################################
+# Hilfe anzeigen
+########################################
+show_help() {
+cat <<EOF
+Usage:
+  $(basename "$0") [OPTION] [INPUT]
+
+Modes:
+
+  1) File encrypt (in-place):
+     $(basename "$0") secrets.txt
+
+  2) YAML file (key: value → !vault block):
+     $(basename "$0") vars.yml
+     $(basename "$0") -o output.yml vars.yml
+
+  3) String encrypt:
+     $(basename "$0") 'mySecret'
+     echo 'mySecret' | $(basename "$0")
+     $(basename "$0")        (interactive mode)
+
+Options:
+  -o FILE     Write YAML output to FILE instead of stdout
+  -h, --help  Show this help and exit
+
+Notes:
+  - Vault password file: ${VAULT_PASS_FILE}
+  - Simple "key: value" YAML lines will be converted.
+  - Already encrypted (!vault) entries are preserved.
+  - Full vault-encrypted files (ANSIBLE_VAULT header) are detected.
+
+EOF
+}
+
+########################################
+# Hauptfunktion
+########################################
+vencr() {
+
+  unset IFS
+
+  # --- Help Flag ---
+  if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+    show_help
+    exit 0
+  fi
+
+  # Prüfen ob Vault-Passwortdatei existiert
+  if [[ ! -r "$VAULT_PASS_FILE" ]]; then
+    echo "Vault password file not readable: $VAULT_PASS_FILE" >&2
+    exit 1
+  fi
+
+  ########################################
+  # Optionales Output-File (-o)
+  ########################################
+  local out_file=""
+  if [[ "${1:-}" == "-o" && -n "${2:-}" ]]; then
+    out_file="$2"
+    shift 2
+  fi
+
+  ########################################
+  # --- 1) File als Argument ---
+  ########################################
+  if [[ -n "${1:-}" && -f "$1" ]]; then
+    local f="$1"
+
+    # Fall A: Datei ist bereits vollständig vault-verschlüsselt
+    if [[ "$(head -n1 "$f")" == "\$ANSIBLE_VAULT;1.1;AES256"* ]]; then
+      echo "File already encrypted (ANSIBLE_VAULT header found): $f" >&2
+      return 0
+    fi
+
+    # Fall B: YAML mit key: value Zeilen
+    if grep -Eq '^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[^#].*$' "$f"; then
+      local tmpout
+      tmpout="$(mktemp)"
+
+      # Datei zeilenweise lesen
+      while IFS= read -r line || [[ -n "$line" ]]; do
+
+        # Leere Zeilen oder Kommentare unverändert übernehmen
+        if [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]]; then
+          printf '%s\n' "$line" >> "$tmpout"
+          continue
+        fi
+
+        # Bereits verschlüsselte !vault Einträge nicht verändern
+        if echo "$line" | grep -q '\!vault'; then
+          printf '%s\n' "$line" >> "$tmpout"
+          continue
+        fi
+
+        # Einfache key: value Zeilen erkennen
+        if [[ "$line" =~ ^([[:space:]]*)([A-Za-z0-9_.-]+):[[:space:]]*(.+)$ ]]; then
+          local indent="${BASH_REMATCH[1]}"
+          local key="${BASH_REMATCH[2]}"
+          local value="${BASH_REMATCH[3]}"
+
+          # YAML-Blockindikatoren nicht verändern
+          if [[ "$value" == "|" || "$value" == ">" || "$value" == "" ]]; then
+            printf '%s\n' "$line" >> "$tmpout"
+            continue
+          fi
+
+          # Leichte Bereinigung von Quotes
+          value="${value%\"}"; value="${value#\"}"
+          value="${value%\'}"; value="${value#\'}"
+
+          # Verschlüsselung via ansible-vault encrypt_string
+          while IFS= read -r enc_line; do
+            printf '%s%s\n' "$indent" "$enc_line" >> "$tmpout"
+          done < <(
+            printf '%s' "$value" |
+            ansible-vault encrypt_string \
+              --stdin-name "$key" \
+              --vault-password-file "$VAULT_PASS_FILE"
+          )
+
+        else
+          # Nicht passende Zeilen unverändert übernehmen
+          printf '%s\n' "$line" >> "$tmpout"
+        fi
+
+      done < "$f"
+
+      # Output schreiben
+      if [[ -n "$out_file" ]]; then
+        mv "$tmpout" "$out_file"
+        echo "Encrypted YAML written to: $out_file" >&2
+      else
+        cat "$tmpout"
+        rm -f "$tmpout"
+      fi
+
+      return 0
+    fi
+
+    # Fall C: Normale Datei → komplett verschlüsseln (in-place)
+    ansible-vault encrypt \
+      --vault-password-file "$VAULT_PASS_FILE" \
+      "$f"
+
+    echo "Encrypted file in-place: $f" >&2
+    return 0
+  fi
+
+  ########################################
+  # --- 2) String-Verschlüsselung ---
+  ########################################
+  local str=""
+  local name="secret"
+
+  # String als Argument
+  if [[ -n "${1:-}" ]]; then
+    str="$1"
+
+  # String via Pipe
+  elif [[ ! -t 0 ]]; then
+    str="$(cat)"
+
+  # Interaktiver Modus
+  else
+    echo "Interactive mode."
+    read -r -p "Variable name (default: secret): " name_in
+    if [[ -n "$name_in" ]]; then
+      name="$name_in"
+    fi
+
+    echo "Paste plaintext and press Ctrl-D to confirm:"
+    str="$(cat)"
+    echo
+  fi
+
+  # Ausgabe als YAML-kompatibler !vault Block
+  printf '%s' "$str" |
+  ansible-vault encrypt_string \
+    --stdin-name "$name" \
+    --vault-password-file "$VAULT_PASS_FILE"
+}
+
+########################################
+# Script starten
+########################################
+vencr "$@"

group_vars/all/main.yml

@@ -2238,7 +2238,7 @@ resolved_nameserver:
 resolved_domains:
   - oopen.de
 
-resolved_dnssec: true
+resolved_dnssec: false
 
 # dns.as250.net: 194.150.168.168
 #

host_vars/file-ah-alt.kanzlei-kiel.netz.yml

@@ -1,626 +0,0 @@
----
-
-# ---
-# vars used by roles/network_interfaces
-# ---
-
-
-# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
-network_manage_devices: True
-
-# Should the interfaces be reloaded after config change?
-network_interface_reload: False
-
-network_interface_path: /etc/network/interfaces.d
-network_interface_required_packages:
-  - vlan
-  - bridge-utils
-  - ifmetric
-  - ifupdown
-  - ifenslave
-
-
-network_interfaces:
-
-  - device: br0
-    # use only once per device (for the first device entry)
-    headline: br0 - bridge over device enp33s0
-
-    # auto & allow are only used for the first device entry
-    allow: [] # array of allow-[stanzas] eg. allow-hotplug
-    auto: true
-
-    family: inet
-    method: static
-    hwaddress: 0c:c4:7a:ea:dd:56
-    description:
-    address: 192.168.100.10
-    netmask: 24
-    gateway: 192.168.100.254
-
-    # optional dns settings nameservers: []
-    #
-    #    nameservers:
-    #      - 194.150.168.168  # dns.as250.net
-    #      - 91.239.100.100   # anycast.censurfridns.dk
-    #    search: warenform.de
-    #
-    #nameservers:
-    #  - 192.168.100.1
-    #search: kanzlei-kiel.netz
-
-    # optional bridge parameters bridge: {}
-    # bridge:
-    #   ports:
-    #   stp:
-    #   fd:
-    #   maxwait:
-    #   waitport:
-    bridge:
-      ports: enp33s0 # for mor devices support a blank separated list
-      stp: !!str off
-      fd: 5
-      hello: 2
-      maxage: 12
-
-    # inline hook scripts
-    pre-up:
-      - !!str "ip link set dev enp33s0 up" # pre-up script lines
-    up: [] #up script lines
-    post-up: [] # post-up script lines (alias for up)
-    pre-down: [] # pre-down script lines (alias for down)
-    down: [] # down script lines
-    post-down: [] # post-down script lines
-
-
-# ---
-# vars used by roles/ansible_dependencies
-# ---
-
-
-# ---
-# vars used by roles/ansible_user
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/basic.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/sshd.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/apt.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/systemd-resolved.yml
-# ---
-
-systemd_resolved: true
-
-# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
-#   Primäre DNS-Adresse: 38.132.106.139
-#   Sekundäre DNS-Adresse: 194.187.251.67
-#
-# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
-#   primäre DNS-Adresse
-#      IPv4: 1.1.1.1
-#      IPv6: 2606:4700:4700::1111
-#   sekundäre DNS-Adresse
-#      IPv4: 1.0.0.1
-#      IPv6: 2606:4700:4700::1001
-#
-# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
-#   primäre DNS-Adresse
-#      IPv4: 8.8.8.8
-#      IPv6: 2001:4860:4860::8888
-#   sekundäre DNS-Adresse
-#      IPv4: 8.8.4.4
-#      IPv6: 2001:4860:4860::8844
-#
-# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
-#   primäre DNS-Adresse
-#      IPv4: 9.9.9.9
-#      IPv6: 2620:fe::fe
-#   sekundäre DNS-Adresse
-#      IPv4: 149.112.112.112
-#      IPv6: 2620:fe::9
-#
-# OpenNIC - https://www.opennic.org/
-#      IPv4: 195.10.195.195 - ns31.de
-#      IPv4: 94.16.114.254  - ns28.de
-#      IPv4: 51.254.162.59  - ns9.de
-#      IPv4: 194.36.144.87  - ns29.de
-#      IPv6: 2a00:f826:8:2::195 - ns31.de
-#
-# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
-#    IPv4: 5.1.66.255
-#    IPv6: 2001:678:e68:f000::
-#    Servername für DNS-over-TLS: dot.ffmuc.net
-#    IPv4: 185.150.99.255
-#    IPv6: 2001:678:ed0:f000::
-#    Servername für DNS-over-TLS: dot.ffmuc.net
-#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
-resolved_nameserver:
-  - 192.168.100.1
-
-# search domains
-#
-# If there are more than one search domains, then specify them here in the order in which
-# the resolver should also search them
-#
-#resolved_domains: []
-resolved_domains:
-  - ~.
-  - kanzlei-kiel.netz
-
-resolved_dnssec: false
-
-# dns.as250.net: 194.150.168.168
-#
-resolved_fallback_nameserver:
-   - 194.150.168.168
-
-
-# ---
-# vars used by roles/common/tasks/users
-# ---
-
-default_user:
-
-  - name: chris
-    password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
-
-  # password: 9xFXkdPR_2
-  - name: sysadm
-    user_id: 1050
-    group_id: 1050
-    group: sysadm
-    password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
-
-  # password: Iar-zrq4wG.2
-  - name: winadm
-    user_id: 1055
-    group_id: 1055
-    group: winadm
-    append: true
-    groups:
-      - sysadm
-    home: /home/winadm
-    password: $y$j9T$FIN.5hpIbyFh/zx8a3xVZ.$jn9b12BUW57PEXGp3288t/dVBB7glyTgj/58QyYOG7D
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
-
-  - name: back
-    user_id: 1060
-    group_id: 1060
-    group: back
-    password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
-
-  - name: borg
-    user_id: 1065
-    group_id: 1065
-    group: borg
-    home: /home/borg
-    password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
-
-
-
-# ---
-# vars used by roles/common/tasks/cron.yml
-# ---
-
-#cron_user_special_time_entries:
-#
-#  - name: "Restart DNS Cache service 'systemd-resolved'"
-#    special_time: reboot
-#    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
-#    insertafter: PATH
-
-
-
-# ---
-# vars used by roles/common/tasks/users.yml
-# ---
-
-# ---
-# vars used by roles/common/tasks/users-systemfiles.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/webadmin-user.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/sudoers.yml
-# ---
-#
-# see: roles/common/tasks/vars
-
-
-# ---
-# vars used by roles/common/tasks/caching-nameserver.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/git.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/nfs.yml
-# ---
-
-nfs_server: 192.168.100.10
-
-
-# ---
-# vars used by roles/common/tasks/samba-config-server.yml
-# vars used by roles/common/tasks/samba-user.yml
-# ---
-
-samba_server_ip: 192.168.100.10
-samba_server_cidr_prefix: 24
-
-samba_workgroup: AH-ALT
-
-samba_netbios_name: FILE-AH-Alt
-
-samba_groups:
-  - name: verwaltung
-    group_id: 120
-  - name: intern
-    group_id: 121
-  - name: hoffmann-elberling
-    group_id: 122
-  - name: gubitz-partner
-    group_id: 123
-  - name: sysadm
-    group_id: 1050
-  - name: install
-    group_id: 1070
-
-samba_user:
-
-  - name: chris
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63643330373231636537366333326630333265303265653933613835656262323863363038653234
-          3462653135633266373439626263356636646637643035340a653466356235346663626163306363
-          61313164643061306433643738643563303036646334376536626531383965303036386162393832
-          6631333038306462610a356535633265633563633962333137326533633834636331343562633765
-          3631
-
-  - name: test
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63643330373231636537366333326630333265303265653933613835656262323863363038653234
-          3462653135633266373439626263356636646637643035340a653466356235346663626163306363
-          61313164643061306433643738643563303036646334376536626531383965303036386162393832
-          6631333038306462610a356535633265633563633962333137326533633834636331343562633765
-          3631
-
-  - name: buero
-    groups:
-      - verwaltung
-      - intern
-      - hoffmann-elberling
-      - gubitz-partner
-    password: 'buero2011'
-
-  - name: axel
-    groups:
-      - intern
-      - verwaltung
-      - hoffmann-elberling
-    password: 'ah-kiel.2018'
-
-  - name: bjoern
-    groups:
-      - intern
-      - verwaltung
-      - hoffmann-elberling
-    password: 'bjoern2011'
-
-  - name: gubitz
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20gubitz12'
-
-  - name: schaar
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20schaar12'
-
-  - name: molkentin
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: 20molkentin12
-
-  - name: buerooben
-    groups:
-      - intern
-      - verwaltung
-      - hoffmann-elberling
-    password: 'buero2013'
-
-  - name: buchholz
-    groups:
-       - buero
-       - intern
-       - verwaltung
-    password: '20-buch_holz-20'
-
-  - name: kiel-nb1
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: '20-note%book1-20'
-
-  - name: kiel-nb2
-    groups:
-      - buero
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: '20-note%book2-20'
-
-  - name: schmidt
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20-schmidt_21%'
-
-  - name: simone.schnoenmehl
-    groups:
-      - intern
-      - gubitz-partner
-    password: '20-simone-schnoenmehl-22%'
-
-  - name: heckert
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '0-heckert.22%'
-
-  - name: weber
-    groups:
-      - intern
-      - verwaltung
-      - gubitz-partner
-    password: '20.ni-klas.weber_26!'
-
-  - name: hh-lucke
-    groups: []
-    password: 'Ole20Steffen_17'
-
-  - name: hh-kanzlei
-    groups: []
-    password: '20-HH_18-Kanzlei'
-
-  - name: hh-jaenicke
-    groups: []
-    password: '20-th.jaenicke_%20'
-
-  - name: hh-pueschel
-    groups: []
-    password: '20-HH_caro.pueschel-%21'
-
-  - name: hh-kell
-    groups: []
-    password: '20-an.kell-%24'
-
-  - name: hh-neumann
-    groups: []
-    password: '20.neu-mann_%24'
-
-  # password: Iar-zrq4wG.2
-  - name: winadm
-    groups:
-      - sysadm
-      - install
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          31326630303038396164656266623339353031336434376531383133643266656133363165316532
-          6364343131656235313432356230646337373362343938660a393031323561326438653935393632
-          34373464313666343433626635656261323933353631393632626166643738386333636639303334
-          3661613165626230640a306236363161356239306232633565336131303066383464626164636133
-          3038
-
-  - name: hh-stork
-    groups: []
-    password: '20-ni-na.stork_%24'
-
-  - name: back
-    groups: []
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63643330373231636537366333326630333265303265653933613835656262323863363038653234
-          3462653135633266373439626263356636646637643035340a653466356235346663626163306363
-          61313164643061306433643738643563303036646334376536626531383965303036386162393832
-          6631333038306462610a356535633265633563633962333137326533633834636331343562633765
-          3631
-
-  # password: 9xFXkdPR_2
-  - name: sysadm
-    groups:
-      - buero
-      - install
-      - intern
-      - verwaltung
-      - gubitz-partner
-      - hoffmann-elberling
-    password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          35323634653231353634343232326436393435386366396364373766306135636536323165656362
-          3138366263316231333038343930313134333565373566640a363932616535343538376333313335
-          64326566643163366533356464326339653236636562363336633738656631626433306661323835
-          3337663865333636660a626131366161636433613561613235333831653733383365623564313431
-          6439
-
-base_home: /home
-
-# remove_samba_users:
-#   - name: name1
-#   - name: name2
-#
-remove_samba_users: []
-
-samba_shares:
-
-  - name: Buero
-    path: /data/samba/shares/Buero
-    group_valid_users: intern
-    group_write_list: intern
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Verwaltung
-    path: /data/samba/shares/Verwaltung
-    group_valid_users: verwaltung
-    group_write_list: verwaltung
-    file_create_mask: !!str 660
-    dir_create_mask: !!str 2770
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Scans_schnell
-    path: /data/samba/shares/Scans_schnell
-    group_valid_users: intern
-    group_write_list: intern
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Hoffmann-Elberling
-    path: /data/samba/shares/Hoffmann-Elberling
-    group_valid_users: hoffmann-elberling
-    group_write_list: hoffmann-elberling
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Gubitz-Partner
-    path: /data/samba/shares/Gubitz-Partner
-    group_valid_users: gubitz-partner
-    group_write_list: gubitz-partner
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Gubitz-Backup
-    path: /data/samba/non-backup-shares/Gubitz-Backup
-    group_valid_users: gubitz
-    group_write_list: gubitz
-    file_create_mask: !!str 660
-    dir_create_mask: !!str 2770
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-  - name: Install
-    path: /data/samba/shares/install
-    group_valid_users: install
-    group_write_list: install
-    file_create_mask: !!str 660
-    dir_create_mask: !!str 2770
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-
-    # ---
-    # - This share will be written by Windows Server 2016 configured at
-    # - "Windows Zubehör" -> "Windows Server-Sicherung"
-    # ---
-  - name: WinServer2016-Backup
-    comment: WinServer2016-Backup on Fileserver
-    path: /data/samba/shares/WinServer2016-Backup
-    group_valid_users: sysadm
-    group_write_list: sysadm
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    guest_ok: !!str yes
-    vfs_object_recycle: false
-
-    # ---
-    # - This share will be written by windows schedulescript 'backup-advoware.bat'
-    # ---
-  - name: Advoware-Backup
-    comment: Advoware-Backup (only read) on Fileserver
-    path: /data/samba/shares/Advoware-Backup
-    group_valid_users: back
-    group_write_list: back
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
-    guest_ok: !!str yes
-    vfs_object_recycle: false
-
-
-# ==============================
-
-
-# ---
-# vars used by scripts/reset_root_passwd.yml
-# ---
-
-root_user:
-  name: root
-  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

host_vars/file-ah.kanzlei-kiel.netz.yml

@@ -34,7 +34,7 @@ network_interfaces:
     method: static
     hwaddress: 7c:c2:55:c0:26:74
     description:
-    address: 192.168.100.20
+    address: 192.168.100.10
     netmask: 24
     gateway: 192.168.100.254
 
@@ -317,7 +317,7 @@ cron_user_special_time_entries:
 # vars used by roles/common/tasks/nfs.yml
 # ---
 
-nfs_server: 192.168.100.20
+nfs_server: 192.168.100.10
 
 
 # ---
@@ -325,7 +325,7 @@ nfs_server: 192.168.100.20
 # vars used by roles/common/tasks/samba-user.yml
 # ---
 
-samba_server_ip: 192.168.100.20
+samba_server_ip: 192.168.100.10
 samba_server_cidr_prefix: 24
 
 samba_workgroup: AH
@@ -351,10 +351,11 @@ samba_user:
   - name: chris
     groups:
       - buero
-      - intern
-      - verwaltung
       - gubitz-partner
       - hoffmann-elberling
+      - install
+      - intern
+      - verwaltung
     password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           63643330373231636537366333326630333265303265653933613835656262323863363038653234
@@ -471,7 +472,14 @@ samba_user:
       - intern
       - verwaltung
       - gubitz-partner
-    password: '0-heckert.22%'
+    password: '20-heckert.22%'
+
+  - name: schultheis
+    groups:
+      - intern
+      - verwaltung
+      - gubitz-partner
+    password: '20.loui-sa/schultheis-26!'
 
   - name: weber
     groups:
@@ -521,15 +529,16 @@ samba_user:
     groups: []
     password: '20-ni-na.stork_%24'
 
+    # password: y2F.E-9q-54f
   - name: back
     groups: []
     password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          63643330373231636537366333326630333265303265653933613835656262323863363038653234
-          3462653135633266373439626263356636646637643035340a653466356235346663626163306363
-          61313164643061306433643738643563303036646334376536626531383965303036386162393832
-          6631333038306462610a356535633265633563633962333137326533633834636331343562633765
-          3631
+          66613731346331613961353639616537656432373562653939623864613431663637643630613131
+          3264633732633962663330646436623532353834646463330a303037303965343762623332633661
+          34313165393831396366393162613166396465383264313831386430313535363832383437373064
+          6231626664316265660a653862386231333465623663633266616663326139356638613034303264
+          6131
 
   # password: 9xFXkdPR_2
   - name: sysadm
@@ -625,9 +634,23 @@ samba_shares:
     # - This share will be written by Windows Server 2016 configured at
     # - "Windows Zubehör" -> "Windows Server-Sicherung"
     # ---
-  - name: WinServer2016-Backup
-    comment: WinServer2016-Backup on Fileserver
-    path: /data/samba/shares/WinServer2016-Backup
+#  - name: WinServer2016-Backup
+#    comment: WinServer2016-Backup on Fileserver
+#    path: /data/samba/shares/WinServer2016-Backup
+#    group_valid_users: sysadm
+#    group_write_list: sysadm
+#    file_create_mask: !!str 664
+#    dir_create_mask: !!str 2775
+#    guest_ok: !!str yes
+#    vfs_object_recycle: false
+
+    # ---
+    # - This share will be written by Windows Server 2016 configured at
+    # - "Windows Zubehör" -> "Windows Server-Sicherung"
+    # ---
+  - name: Windows-Server-2025-Backup
+    comment: Windows-Server-2025-Backup  on Fileserver
+    path: /data/samba/shares/Windows-Server-2025-Backup
     group_valid_users: sysadm
     group_write_list: sysadm
     file_create_mask: !!str 664

roles/common/tasks/main.yml

@@ -172,6 +172,8 @@
 - import_tasks: ntp.yml
   tags:
     - ntp
+  when:
+    - "'lxc_guest' not in group_names"
 
 
 # tags supportetd inside git.yml