10 Commits

chris 6e086dbac0 Add virusfilter support for Samba homes and update AppArmor configuration 2026-05-29 18:43:06 +02:00
chris 56a2c8464f Add virusfilter support to Samba shares and configure ClamAV database checks 2026-05-26 14:18:36 +02:00
chris 1f78326503 Adds handlers to reload AppArmor and restart ClamAV
Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.
2026-05-26 14:16:45 +02:00
chris f1f169d3aa Comment out cron job entries for DNS cache service restart 2026-05-26 13:43:27 +02:00
chris 3c0a252ecc Add virusfilter support to Samba shares configuration 2026-05-26 13:42:56 +02:00
chris 5b3b68b134 Add ClamAV virusfilter support to Samba configuration and tasks 2026-05-26 13:39:43 +02:00
chris d1444e1507 Add cron job to monitor web services and restart if necessary 2026-05-06 15:57:11 +02:00
chris b0dd95318a Add and update host variable files for various servers
- Created new host variable file for `iam-nd.oopen.de` with network and cron configurations.
- Created new host variable file for `test.mariadb.oopen.de` with cron environment entries.
- Updated `file-km.anw-km.netz.yml.BAK.2026-04-18-1218` with network interface configurations and DNS settings.
- Modified `gw-campus.oopen.de.yml` to change device names for network interfaces.
- Updated `nd-archiv.warenform.de.yml`, `nd-live.warenform.de.yml`, `nd.warenform.de.yml`, `web0.warenform.de.yml`, `web1.warenform.de.yml`, and `web2.warenform.de.yml` to replace `wkhtmltopdf` with `weasyprint` in the list of extra packages.
- Updated `o26.oopen.de.yml` to correct SSH key destination and change backup job script path.
- Added `iam-nd.oopen.de` to the hosts file for server management.
2026-05-01 02:30:31 +02:00
chris 7d5640f3bd Refactor dpkg command task for improved clarity and reliability 2026-05-01 02:29:53 +02:00
chris c6a760e26e Update conditions for checking user configuration files in webadmin-user.yml 2026-05-01 02:29:27 +02:00
35 changed files with 1787 additions and 179 deletions
+9
@@ -3160,6 +3160,12 @@ apt_install_server_samba:
- samba - samba
- nscd - nscd
apt_install_server_samba_virusfilter:
- clamav
- clamav-daemon
- clamav-freshclam
- samba-vfs-modules
# samba_workgroup # samba_workgroup
# #
# example: # example:
@@ -3195,6 +3201,9 @@ samba_user: []
base_home: /home base_home: /home
# include vfs object 'virusfilter' to (private) homes shares
samba_homes_virusfilter: false
# remove_samba_users: # remove_samba_users:
# - name: name1 # - name: name1
# - name: name2 # - name: name2
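Review bot: `samba_homes_virusfilter` is introduced with a one-line comment that does not say what the switch depends on: the vfs module only works with the ClamAV packages listed in `apt_install_server_samba_virusfilter` installed and the scanner daemon reachable, and Samba's vfs_virusfilter, as far as I recall, serves a file unscanned rather than blocking it when the scanner cannot be reached unless `virusfilter:block access on error` is set, so the role's handling of that case is worth stating. I'd extend the comment to `# include vfs object 'virusfilter' (ClamAV) in the [homes] share; needs the packages from apt_install_server_samba_virusfilter and a running clamav-daemon — on scan errors vfs_virusfilter allows access unless the role configures otherwise`. The per-share `vfs_object_virusfilter` key that the host files in this compare use is not documented in these defaults either; a line next to `samba_homes_virusfilter` naming it would keep the two switches together. Both hunk headers announce one more added line than is shown (6 vs 5, 3 vs 2), presumably blank lines dropped by the rendering.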
+1
@@ -288,6 +288,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpNZFa+Jp5/8zKmSIZ3LGzuuPxj+QvfF+NYbWtblvTg root@iam-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus'
+1
@@ -255,6 +255,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUZHYQRap1XPOBsbtYs1elQMMm1hU1VMr7k2OFfOoi1 root@server18'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0'
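Review bot: The new `root@server18` key is inserted between the server25 and web0 entries, while the surrounding list is kept in host-name order (server22, server24, server25, web0); moving the line above `root@server22` preserves that order, which is what makes stale or duplicate authorized keys easy to spot in a list this long. The enclosing `default_user` definition starts before this hunk.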
+7
@@ -29,6 +29,13 @@
# vars used by roles/common/tasks/apt.yml # vars used by roles/common/tasks/apt.yml
# --- # ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- weasyprint
- pdftk
- subversion
- subversion-tools
# --- # ---
# vars used by roles/common/tasks/systemd-resolved.yml # vars used by roles/common/tasks/systemd-resolved.yml
+5
@@ -495,6 +495,11 @@ samba_user:
- gubitz-partner - gubitz-partner
password: '20.mal-te/26%' password: '20.mal-te/26%'
- name: jovis
groups:
- intern
password: '20.jo-vis_26!'
- name: hh-lucke - name: hh-lucke
groups: [] groups: []
password: 'Ole20Steffen_17' password: 'Ole20Steffen_17'
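Review bot: The new `jovis` entry commits its Samba password in clear text, while this same compare already stores a `samba_user` password with Ansible Vault (`password: !vault |` in the file-km host file), so the tooling for doing it properly is in place; the new entry should read `password: !vault |` followed by the encrypted block, otherwise the secret stays readable in git history even after a later rotation. The same applies to the `wiebke` entries added in both file-km host files further down. The surrounding clear-text passwords are pre-existing, but a new entry is the natural place to stop adding to them.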
+2
@@ -415,6 +415,7 @@ samba_shares:
group_write_list: buero group_write_list: buero
file_create_mask: !!str 664 file_create_mask: !!str 664
dir_create_mask: !!str 2775 dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
@@ -425,6 +426,7 @@ samba_shares:
group_write_list: verwaltung group_write_list: verwaltung
file_create_mask: !!str 664 file_create_mask: !!str 664
dir_create_mask: !!str 2775 dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
+12
@@ -536,6 +536,18 @@ samba_shares:
guest_ok: !!str yes guest_ok: !!str yes
vfs_object_recycle: false vfs_object_recycle: false
# ---
# - This share contains archived data that has not been backed up
# ---
- name: Archive-no-Backup
comment: Archive - keine Sicherungen
path: /data/samba/no-backup-shares/Archive-no-Backup
group_valid_users: alle
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: false
# ============================== # ==============================
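Review bot: The new `Archive-no-Backup` share carries no `vfs_object_virusfilter` key, so whether its contents are scanned is left to the role's default, which this hunk does not show; if the other shares of this host are scanned, as the sibling host files in this compare are, an explicit `vfs_object_virusfilter: true` — or `false` with a reason — makes the intent visible instead of implied. The header comment `# - This share contains archived data that has not been backed up` reads as a statement about the past; if the point is that the path under `no-backup-shares` is excluded from backups, `# - Archive share below no-backup-shares: its contents are NOT included in backups` says that directly. The enclosing `samba_shares` list starts before this hunk.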
+102 -49
@@ -60,7 +60,7 @@ network_interfaces:
maxage: 12 maxage: 12
# inline hook scripts # inline hook scripts
pre-up: pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines - !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines up: [] #up script lines
post-up: [] # post-up script lines (alias for up) post-up: [] # post-up script lines (alias for up)
@@ -93,6 +93,13 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml # vars used by roles/common/tasks/apt.yml
# --- # ---
apt_install_extra_pkgs:
- lvm2
- kpartx
- ntfs-3g
- swtpm
- swtpm-tools
# --- # ---
# vars used by roles/common/tasks/systemd-resolved.yml # vars used by roles/common/tasks/systemd-resolved.yml
@@ -175,6 +182,44 @@ cron_user_special_time_entries:
job: "sleep 10 ; /bin/systemctl restart systemd-resolved" job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH insertafter: PATH
- name: "Activate ksm support"
special_time: reboot
job: "echo 1 > /sys/kernel/mm/ksm/run"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
# --- # ---
@@ -270,9 +315,9 @@ sudoers_file_user_back_mount_privileges:
samba_server_ip: 192.168.122.210 samba_server_ip: 192.168.122.210
samba_server_cidr_prefix: 24 samba_server_cidr_prefix: 24
samba_workgroup: WORKGROUP samba_workgroup: ANW-KM
samba_netbios_name: FILE-KM samba_netbios_name: FILE-KM-01
samba_server_min_protocol: !!str NT1 samba_server_min_protocol: !!str NT1
@@ -285,10 +330,12 @@ samba_groups:
group_id: 1115 group_id: 1115
- name: intern - name: intern
group_id: 1120 group_id: 1120
- name: aulmann - name: wildvang
group_id: 1130 group_id: 1130
- name: howe #- name: aulmann
group_id: 1140 # group_id: 1130
#- name: howe
# group_id: 1140
- name: stahmann - name: stahmann
group_id: 1150 group_id: 1150
- name: traine - name: traine
@@ -318,8 +365,6 @@ samba_user:
- name: andrea - name: andrea
groups: groups:
- advoware - advoware
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -336,8 +381,6 @@ samba_user:
- name: aphex2 - name: aphex2
groups: groups:
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -354,8 +397,6 @@ samba_user:
- name: beuster - name: beuster
groups: groups:
- advoware - advoware
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -407,11 +448,11 @@ samba_user:
- a-jur - a-jur
- advoware - advoware
- alle - alle
- aulmann
- intern - intern
- kanzlei - kanzlei
- stahmann - stahmann
- traine - traine
- wildvang
- public - public
password: !vault | password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
@@ -425,8 +466,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -436,8 +475,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -457,7 +494,6 @@ samba_user:
- name: ho-st1 - name: ho-st1
groups: groups:
- alle - alle
- howe
- stahmann - stahmann
password: '44-Ro-440' password: '44-Ro-440'
@@ -473,8 +509,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -484,8 +518,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -504,8 +536,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -515,8 +545,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -526,8 +554,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -537,8 +563,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
password: '66koeln66' password: '66koeln66'
@@ -562,8 +586,6 @@ samba_user:
- name: rolf - name: rolf
groups: groups:
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -574,11 +596,11 @@ samba_user:
- a-jur - a-jur
- advoware - advoware
- alle - alle
- aulmann
- intern - intern
- kanzlei - kanzlei
- stahmann - stahmann
- traine - traine
- wildvang
- public - public
password: 'Ax_GSHh5' password: 'Ax_GSHh5'
@@ -595,12 +617,18 @@ samba_user:
- advoware - advoware
- alle - alle
- kanzlei - kanzlei
- howe
- stahmann - stahmann
- traine - traine
- public - public
password: 'maltzwo2' password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: 'uJ5gF/m53p.P'
- name: winadm - name: winadm
groups: groups:
- a-jur - a-jur
@@ -615,6 +643,8 @@ samba_user:
base_home: /data/home base_home: /data/home
samba_homes_virusfilter: true
remove_samba_users: remove_samba_users:
- name: howe-staff-1 - name: howe-staff-1
- name: gerhard - name: gerhard
@@ -633,6 +663,7 @@ samba_shares:
group_write_list: a-jur group_write_list: a-jur
file_create_mask: !!str 664 file_create_mask: !!str 664
dir_create_mask: !!str 2775 dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -644,6 +675,7 @@ samba_shares:
group_write_list: kanzlei group_write_list: kanzlei
file_create_mask: !!str 664 file_create_mask: !!str 664
dir_create_mask: !!str 2775 dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -657,27 +689,41 @@ samba_shares:
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_recycle: false vfs_object_recycle: false
- name: aulmann - name: wildvang
comment: Aulmann auf Fileserver comment: Wildvang auf Fileserver
path: /data/samba/Aulmann path: /data/samba/Wildvang
group_valid_users: aulmann group_valid_users: wildvang
group_write_list: aulmann group_write_list: wildvang
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
- name: howe # - name: aulmann
comment: Howe auf Fileserver # comment: Aulmann auf Fileserver
path: /data/samba/Howe # path: /data/samba/Aulmann
group_valid_users: howe # group_valid_users: aulmann
group_write_list: howe # group_write_list: aulmann
file_create_mask: !!str 660 # file_create_mask: !!str 660
dir_create_mask: !!str 2770 # dir_create_mask: !!str 2770
vfs_object_recycle: true # vfs_object_virusfilter: true
recycle_path: '@Recycle' # vfs_object_recycle: true
vfs_object_recycle_is_visible: true # recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
# - name: howe
# comment: Howe auf Fileserver
# path: /data/samba/Howe
# group_valid_users: howe
# group_write_list: howe
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
- name: stahmann - name: stahmann
comment: Stahmann auf Fileserver comment: Stahmann auf Fileserver
@@ -686,6 +732,7 @@ samba_shares:
group_write_list: stahmann group_write_list: stahmann
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -697,6 +744,7 @@ samba_shares:
group_write_list: traine group_write_list: traine
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -708,6 +756,7 @@ samba_shares:
group_write_list: public group_write_list: public
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -719,6 +768,7 @@ samba_shares:
group_write_list: advoware group_write_list: advoware
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -730,6 +780,7 @@ samba_shares:
group_write_list: intern group_write_list: intern
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: false vfs_object_recycle_is_visible: false
@@ -741,6 +792,7 @@ samba_shares:
group_write_list: alle group_write_list: alle
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
@@ -752,6 +804,7 @@ samba_shares:
# group_write_list: web # group_write_list: web
# file_create_mask: !!str 660 # file_create_mask: !!str 660
# dir_create_mask: !!str 2770 # dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true # vfs_object_recycle: true
# recycle_path: '@Recycle' # recycle_path: '@Recycle'
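Review bot: In the `@@ -93,6 +93,13 @@` hunk `apt_install_extra_pkgs` is given the package list itself, whereas the other host file in this compare sets `apt_install_extra_pkgs: true` and puts the list under `apt_extra_pkgs`; if roles/common/tasks/apt.yml reads that pair, this host installs none of lvm2/kpartx/ntfs-3g/swtpm, so the two leading lines should read `apt_install_extra_pkgs: true` and `apt_extra_pkgs:` with the list below. In the `samba_groups` hunk the new `wildvang` group takes over `group_id: 1130` from the retired `aulmann` group, so any files still on disk under the old `/data/samba/Aulmann` tree that carry that gid become group-readable and -writable by the wildvang members under the 660/2770 masks; either re-own that tree before the change is applied or give wildvang an unused gid (`group_id: <unused-gid>`) and keep 1130 commented out with the old group. The same gid reuse is in the second file-km host file at its `@@ -233,10 +271,12 @@` hunk. The cron entries added in `@@ -175,6 +182,44 @@` mix `'*/5'` and `"*/5"` quoting for the same kind of value, and the job name spells "Permissons"; both are cosmetic but the entry names end up in crontab comments, so fixing them now avoids grepping for the typo later.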
+79 -47
@@ -60,7 +60,7 @@ network_interfaces:
maxage: 12 maxage: 12
# inline hook scripts # inline hook scripts
pre-up: pre-up:
- !!str "ip link set dev enp97s0 up" # pre-up script lines - !!str "ip link set dev enp97s0 up" # pre-up script lines
up: [] #up script lines up: [] #up script lines
post-up: [] # post-up script lines (alias for up) post-up: [] # post-up script lines (alias for up)
@@ -175,6 +175,44 @@ cron_user_special_time_entries:
job: "sleep 10 ; /bin/systemctl restart systemd-resolved" job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH insertafter: PATH
- name: "Activate ksm support"
special_time: reboot
job: "echo 1 > /sys/kernel/mm/ksm/run"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
# --- # ---
@@ -233,10 +271,12 @@ samba_groups:
group_id: 1110 group_id: 1110
- name: intern - name: intern
group_id: 1120 group_id: 1120
- name: aulmann - name: wildvang
group_id: 1130 group_id: 1130
- name: howe #- name: aulmann
group_id: 1140 # group_id: 1130
#- name: howe
# group_id: 1140
- name: stahmann - name: stahmann
group_id: 1150 group_id: 1150
- name: traine - name: traine
@@ -266,8 +306,6 @@ samba_user:
- name: andrea - name: andrea
groups: groups:
- advoware - advoware
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -284,8 +322,6 @@ samba_user:
- name: aphex2 - name: aphex2
groups: groups:
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -302,8 +338,6 @@ samba_user:
- name: beuster - name: beuster
groups: groups:
- advoware - advoware
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -355,11 +389,11 @@ samba_user:
- a-jur - a-jur
- advoware - advoware
- alle - alle
- aulmann
- intern - intern
- kanzlei - kanzlei
- stahmann - stahmann
- traine - traine
- wildvang
- public - public
password: !vault | password: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
@@ -373,8 +407,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -384,8 +416,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -405,7 +435,6 @@ samba_user:
- name: ho-st1 - name: ho-st1
groups: groups:
- alle - alle
- howe
- stahmann - stahmann
password: '44-Ro-440' password: '44-Ro-440'
@@ -421,8 +450,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -432,8 +459,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -452,8 +477,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -463,8 +486,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -474,8 +495,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -485,8 +504,6 @@ samba_user:
groups: groups:
- advoware - advoware
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
password: '66koeln66' password: '66koeln66'
@@ -510,8 +527,6 @@ samba_user:
- name: rolf - name: rolf
groups: groups:
- alle - alle
- aulmann
- howe
- stahmann - stahmann
- traine - traine
- public - public
@@ -522,11 +537,11 @@ samba_user:
- a-jur - a-jur
- advoware - advoware
- alle - alle
- aulmann
- intern - intern
- kanzlei - kanzlei
- stahmann - stahmann
- traine - traine
- wildvang
- public - public
password: 'Ax_GSHh5' password: 'Ax_GSHh5'
@@ -543,12 +558,18 @@ samba_user:
- advoware - advoware
- alle - alle
- kanzlei - kanzlei
- howe
- stahmann - stahmann
- traine - traine
- public - public
password: 'maltzwo2' password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: 'uJ5gF/m53p.P'
- name: winadm - name: winadm
groups: groups:
- a-jur - a-jur
@@ -605,27 +626,38 @@ samba_shares:
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_recycle: false vfs_object_recycle: false
- name: aulmann - name: wildvang
comment: Aulmann auf Fileserver comment: Wildvang auf Fileserver
path: /data/samba/Aulmann path: /data/samba/Wildvang
group_valid_users: aulmann group_valid_users: wildvang
group_write_list: aulmann group_write_list: wildvang
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true vfs_object_recycle_is_visible: true
- name: howe # - name: aulmann
comment: Howe auf Fileserver # comment: Aulmann auf Fileserver
path: /data/samba/Howe # path: /data/samba/Aulmann
group_valid_users: howe # group_valid_users: aulmann
group_write_list: howe # group_write_list: aulmann
file_create_mask: !!str 660 # file_create_mask: !!str 660
dir_create_mask: !!str 2770 # dir_create_mask: !!str 2770
vfs_object_recycle: true # vfs_object_recycle: true
recycle_path: '@Recycle' # recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true # vfs_object_recycle_is_visible: true
# - name: howe
# comment: Howe auf Fileserver
# path: /data/samba/Howe
# group_valid_users: howe
# group_write_list: howe
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
- name: stahmann - name: stahmann
comment: Stahmann auf Fileserver comment: Stahmann auf Fileserver
@@ -0,0 +1,774 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp97s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
description:
address: 192.168.122.10
netmask: 24
gateway: 192.168.122.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp97s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev enp97s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.122.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- anw-km.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.122.254
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Activate ksm support"
special_time: reboot
job: "echo 1 > /sys/kernel/mm/ksm/run"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_back_mount_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mount'
- 'ALL=(root) NOPASSWD: /usr/bin/umount'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.122.10
samba_server_cidr_prefix: 24
samba_workgroup: WORKGROUP
samba_netbios_name: FILE-KM
samba_server_min_protocol: !!str NT1
samba_groups:
- name: kanzlei
group_id: 1100
- name: a-jur
group_id: 1110
- name: intern
group_id: 1120
- name: wildvang
group_id: 1130
#- name: aulmann
# group_id: 1130
#- name: howe
# group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
group_id: 1160
- name: public
group_id: 1170
- name: alle
group_id: 1180
samba_user:
- name: advoware
groups:
- advoware
password: '9WNRbc49m3'
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
password: 'a-jur'
- name: andrea
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero7'
- name: chris
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
6330623334353763613065343336306434376335646666380a363030363335656261656236636562
63663763616630383264303039336562626537366634303636356237323630666635356130383165
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
- name: federico
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'zHfj9g3NcC'
# - name: gerhard
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# - public
# password: 'bHdhzWnTj9'
- name: ho-st1
groups:
- alle
- howe
- stahmann
password: '44-Ro-440'
# - name: howe-staff-1
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'bV3pjPtjkR'
# - name: laura
# groups:
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# password: '99-Hamburg-990'
- name: lenovo3
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'fndvLmrt7W'
- name: lenovo4
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'tpCMmTKj7H'
- name: lenovo5
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'L5Hannover51'
- name: lenovo6
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
password: '66koeln66'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- howe
- stahmann
- traine
- public
password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: '4xNVNFXgP4'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
base_home: /data/home
remove_samba_users:
- name: howe-staff-1
- name: gerhard
- name: laura
#remove_samba_users: []
#remove_samba_users:
# - name: evren
samba_shares:
- name: a-jur
comment: a-jur Dokumente
path: /data/samba/a-jur
group_valid_users: a-jur
group_write_list: a-jur
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: kanzlei
comment: Kanzlei auf Fileserver
path: /data/samba/kanzlei
group_valid_users: kanzlei
group_write_list: kanzlei
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: false
- name: wildvang
comment: Traine auf Fileserver
path: /data/samba/Wildvang
group_valid_users: wildvang
group_write_list: wildvang
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
# - name: aulmann
# comment: Aulmann auf Fileserver
# path: /data/samba/Aulmann
# group_valid_users: aulmann
# group_write_list: aulmann
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
# - name: howe
# comment: Howe auf Fileserver
# path: /data/samba/Howe
# group_valid_users: howe
# group_write_list: howe
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
- name: stahmann
comment: Stahmann auf Fileserver
path: /data/samba/Stahmann
group_valid_users: stahmann
group_write_list: stahmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: traine
comment: Traine auf Fileserver
path: /data/samba/Traine
group_valid_users: traine
group_write_list: traine
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: public
comment: Public auf Fileserver
path: /data/samba/public
group_valid_users: public
group_write_list: public
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Schriftverkehr
comment: Advoware Dokumente
path: /data/samba/Advoware-Schriftverkehr
group_valid_users: advoware
group_write_list: advoware
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Backup
comment: Advoware Dokumente
path: /data/samba/Advoware-Backup
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: false
- name: alle
comment: Alle auf Fileserver
path: /data/samba/Alle
group_valid_users: alle
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
# - name: web
# comment: Web auf Fileserver
# path: /data/samba/Web
# group_valid_users: web
# group_write_list: web
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+4 -4
@@ -90,8 +90,8 @@ network_interfaces:
- /sbin/ifconfig eno4 up - /sbin/ifconfig eno4 up
- device: eno6 - device: eno6np1
headline: eno6 - Management Network Campus - network 10.72.1.0/24 headline: eno6np1 - Management Network Campus - network 10.72.1.0/24
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -99,8 +99,8 @@ network_interfaces:
netmask: 24 netmask: 24
- device: eno7 - device: eno7np2
headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen) headline: eno7np2 - network 192.168.11.0/24 (LAN Stockhausen)
auto: true auto: true
family: inet family: inet
method: static method: static
+225
@@ -0,0 +1,225 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if cert for Keycloak service is up-to-date"
minute: '51'
hour: '05'
job: /root/bin/monitoring/check_cert_for_keycloak.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
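Review bot: The `PATH` entry in `cron_env_entries` of this new host file uses a semicolon after `/root/bin/admin-stuff`, so the crontab environment line becomes `PATH=/root/bin/admin-stuff;/root/bin:...` and its first element is the non-existent directory `/root/bin/admin-stuff;/root/bin` — neither `/root/bin/admin-stuff` nor `/root/bin` is actually searched. The jobs in this file still run only because every `job:` uses an absolute path. The other host files in this commit use a colon; change the line to `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`.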
+56
@@ -100,6 +100,62 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_entries:
- name: "Restart Prosody Servive (used by Jitsi Meet Authentification)"
minute: 57
hour: 05
job: systemctl restart prosody.service
- name: "Check if cert for coTURN service is up-to-date"
minute: 03
hour: 05
job: /root/bin/monitoring/check_cert_for_service.sh
- name: "Check if cert(s) for Prosody service are up-to-date"
minute: 13
hour: 07
job: /root/bin/monitoring/check_cert_for_prosody.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
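Review bot: The new Prosody and coTURN entries write `minute: 57`, `hour: 05`, `minute: 03`, `hour: 05`, `minute: 13`, `hour: 07` as plain scalars while every other entry in this list quotes them; a YAML 1.1 loader reads `05`/`03`/`07` as octal integers (5, 3, 7, so the crontab is still right), but values like `08` or `09` would silently come through as strings, and mixing int and string values in one list is a trap for the consuming template. Quote them like the neighbours, e.g. `minute: '57'` and `hour: '05'`. The job name `Restart Prosody Servive (used by Jitsi Meet Authentification)` carries two typos (`Service`, `Authentication`) and becomes the `#Ansible:` marker line in the crontab, so it is cheaper to fix before it lands. The identical block is added in the next file section of this commit and needs the same change.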
+57
@@ -102,6 +102,63 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_entries:
- name: "Restart Prosody Servive (used by Jitsi Meet Authentification)"
minute: 57
hour: 05
job: systemctl restart prosody.service
- name: "Check if cert for coTURN service is up-to-date"
minute: 03
hour: 05
job: /root/bin/monitoring/check_cert_for_service.sh
- name: "Check if cert(s) for Prosody service are up-to-date"
minute: 13
hour: 07
job: /root/bin/monitoring/check_cert_for_prosody.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
+1 -1
@@ -26,7 +26,7 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk - pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+2 -1
@@ -26,7 +26,8 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+1 -1
@@ -26,7 +26,7 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk - pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+5
@@ -243,6 +243,11 @@ cron_user_special_time_entries:
cron_user_entries: cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
hour: '*' hour: '*'
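Review bot: The new cron job name `Check if webservices sre running. Restart if necessary` has a typo (`sre` → `are`); `ansible.builtin.cron` uses the name as the `#Ansible:` marker that identifies the job, so renaming it after this has been applied leaves the old entry in root's crontab next to the new one unless the old name is removed explicitly. Fix it before the first run: `- name: "Check if webservices are running. Restart if necessary"`. The same five-line entry is added in four of the following file sections of this commit and needs the same correction.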
+5
@@ -145,6 +145,11 @@ cron_user_special_time_entries:
cron_user_entries: cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
hour: '*' hour: '*'
+5
@@ -257,6 +257,11 @@ cron_user_special_time_entries:
cron_user_entries: cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
hour: '*' hour: '*'
+2 -2
@@ -262,7 +262,7 @@ root_ssh_keypair:
priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup
priv_key_dest: /root/.ssh/id_ed25519-backup priv_key_dest: /root/.ssh/id_ed25519-backup
pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup.pub pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup.pub
pub_key_dest: /root/.ssh/id_ed25519-backup pub_key_dest: /root/.ssh/id_ed25519-backup.pub
# --- # ---
@@ -386,7 +386,7 @@ cron_user_entries:
- name: "Remote Borg Backup" - name: "Remote Borg Backup"
minute: '04' minute: '04'
hour: '00' hour: '00'
job: /root/crontab/backup-rborg/rborg.sh job: /root/crontab/backup-rborg2/rborg2.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
+5
@@ -248,6 +248,11 @@ cron_user_special_time_entries:
cron_user_entries: cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
hour: '*' hour: '*'
+5
@@ -250,6 +250,11 @@ cron_user_special_time_entries:
cron_user_entries: cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed." - name: "Check if SSH service is running. Restart service if needed."
minute: '*/5' minute: '*/5'
hour: '*' hour: '*'
+2 -2
@@ -116,8 +116,8 @@ cron_env_entries:
insertafter: PATH insertafter: PATH
cron_user_special_time_entries: #cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'" # - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot # special_time: reboot
# job: "sleep 5 ; /bin/systemctl restart systemd-resolved" # job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
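Review bot: Commenting out the `cron_user_special_time_entries:` key leaves the variable undefined for this host rather than empty; if `roles/common/tasks/cron.yml` loops over it without a `| default([])`, the play now fails on this host with an undefined-variable error. Declaring an empty list keeps the contract explicit: `cron_user_special_time_entries: []`, the same placeholder pattern this commit uses with `#cron_env_entries: []` in the new test host file. If the role already defaults the variable, a one-line comment saying so next to the commented-out key would spare the next reader the lookup.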
+56
@@ -0,0 +1,56 @@
---
# ---
# vars used by role 'firewall'
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by cron.yml
# ---
#cron_env_entries: []
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/php/bin:/usr/local/apache2/bin:/sbin:/bin:/usr/local/dovecot/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
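Review bot: The `PATH` entry in this new host file puts `/sbin:/bin` ahead of `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin` and then repeats `/sbin:/bin` at the end, so from cron the system binaries shadow locally installed ones on this host, the opposite of the order the other host files in this commit use. The `/usr/local/php/bin`, `/usr/local/apache2/bin` and `/usr/local/dovecot/bin` elements look copied from a web/mail host; if this is the MariaDB test host named in the commit message they probably do not exist there — confirm. The `SHELL` entry also lacks the `insertafter: PATH` that the sibling files set. Suggested line: `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`.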
+1 -1
@@ -26,7 +26,7 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk - pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+2 -1
@@ -26,7 +26,8 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+2 -1
@@ -26,7 +26,8 @@
apt_install_extra_pkgs: true apt_install_extra_pkgs: true
apt_extra_pkgs: apt_extra_pkgs:
- wkhtmltopdf - weasyprint
- pdftk
- subversion - subversion
- subversion-tools - subversion-tools
+7
@@ -163,6 +163,7 @@ o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de
# Exil e.V. # Exil e.V.
o18.oopen.de o18.oopen.de
@@ -283,6 +284,7 @@ mm-rav.oopen.de
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -500,6 +502,7 @@ mm-rav.oopen.de
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -940,6 +943,7 @@ mm-rav.oopen.de
# o43 - ND prometheus, web # o43 - ND prometheus, web
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
@@ -1081,6 +1085,7 @@ mm-rav.oopen.de
# o43 - ND app # o43 - ND app
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
@@ -1701,6 +1706,7 @@ mm-rav.oopen.de
# o43 - ND # o43 - ND
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -1942,6 +1948,7 @@ mm-rav.oopen.de
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de keycloak-nd.oopen.de
iam-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -19,11 +19,8 @@
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt) raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: dpkg --configure -a - name: dpkg --configure -a
command: > ansible.builtin.command: dpkg --configure -a
dpkg --configure -a changed_when: (_dpkg_configure.stdout | default('')) | length > 0
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure register: _dpkg_configure
when: apt_dpkg_configure|bool when: apt_dpkg_configure|bool
tags: tags:
@@ -44,4 +41,3 @@
state: "{{ apt_install_state }}" state: "{{ apt_install_state }}"
tags: tags:
- ansible-dependencies - ansible-dependencies
+7
@@ -112,3 +112,10 @@
daemon_reload: yes daemon_reload: yes
state: restarted state: restarted
- name: Reload AppArmor profile clamd
command: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
- name: Restart clamav-daemon
service:
name: clamav-daemon
state: restarted
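Review bot: The new handler `Reload AppArmor profile clamd` runs `apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd` unconditionally; on a samba host where AppArmor is not installed or not active, the first change to the local profile template makes the play fail at handler time, after the rest of the tasks have already run. Guard it on the collected fact, e.g. add `when: ansible_facts.apparmor.status | default('') == 'enabled'` under the `command:` line. The handler also assumes the package-provided `/etc/apparmor.d/usr.sbin.clamd` exists and includes the `local/` override the task writes — presumably true for the Debian clamav-daemon package, but worth a short comment above the handler stating that dependency.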
+215 -29
@@ -1,19 +1,31 @@
--- ---
# --- # ---
# Samba Server # Samba Server
# --- # ---
- name: (samba-config-server.yml) Ensure samba packages server are installed.
- name: (samba-install.yml) Ensure samba packages server are installed.
package: package:
pkg: '{{ apt_install_server_samba }}' pkg: "{{ apt_install_server_samba }}"
state: present state: present
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags:
- samba-server - samba-server
- name: (samba-config-server.yml) Ensure quarantine directory exists
file:
path: /data/samba/QUARANTINE
owner: root
group: root
mode: "0750"
state: directory
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure samba share directories exists - name: (samba-config-server.yml) Ensure samba share directories exists
file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
@@ -24,12 +36,197 @@
recurse: no recurse: no
with_items: "{{ samba_shares }}" with_items: "{{ samba_shares }}"
loop_control: loop_control:
label: '{{ item.name }}' label: "{{ item.name }}"
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags:
- samba-shares - samba-shares
# ---
# Virusfilter (ClamAV) - only when at least one share has vfs_object_virusfilter: true
# ---
- name: (samba-config-server.yml) Ensure virusfilter (ClamAV) packages are installed
package:
pkg: "{{ apt_install_server_samba_virusfilter }}"
state: present
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Check if ClamAV virus databases are present
find:
paths: /var/lib/clamav
patterns:
- "*.cvd"
- "*.cld"
register: clamav_db_files
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
service:
name: clamav-freshclam
state: stopped
failed_when: false
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
- clamav_db_files.files | length == 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
service:
name: clamav-daemon
state: started
enabled: yes
failed_when: false
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
command: freshclam
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
- clamav_db_files.files | length == 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
service:
name: clamav-daemon
state: started
enabled: yes
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
service:
name: clamav-freshclam
state: started
enabled: yes
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba groups
user:
name: clamav
groups: "{{ item.name }}"
append: yes
loop: "{{ samba_groups }}"
loop_control:
label: "{{ item.name }}"
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
- samba_groups | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba user groups (homes virusfilter)
user:
name: clamav
groups: "{{ item.name }}"
append: yes
loop: "{{ samba_user }}"
loop_control:
label: "{{ item.name }}"
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- samba_user | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Get home directories of samba users via getent (homes virusfilter)
ansible.builtin.getent:
database: passwd
key: "{{ item.name }}"
loop: "{{ samba_user }}"
loop_control:
label: "{{ item.name }}"
register: samba_user_getent
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- samba_user | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
file:
path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
mode: "0750"
state: directory
loop: "{{ samba_user_getent.results | default([]) }}"
loop_control:
label: "{{ item.item.name }}"
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- item.ansible_facts is defined
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
template:
src: etc/apparmor.d/local/usr.sbin.clamd.j2
dest: /etc/apparmor.d/local/usr.sbin.clamd
owner: root
group: root
mode: "0644"
notify: Reload AppArmor profile clamd
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
lineinfile:
path: /etc/clamav/clamd.conf
regexp: "^#?\\s*AllowAllMatchScan\\s"
line: "AllowAllMatchScan true"
state: present
notify: Restart clamav-daemon
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
# --- # ---
# /etc/samba/smb.conf # /etc/samba/smb.conf
@@ -40,19 +237,18 @@
path: /etc/samba/smb.conf.ORIG path: /etc/samba/smb.conf.ORIG
register: smb_conf_exists register: smb_conf_exists
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags:
- samba-server - samba-server
- name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf - name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf
command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- smb_conf_exists.stat.exists == False - smb_conf_exists.stat.exists == False
tags: tags:
- samba-server - samba-server
- name: (samba-config-server.yml) /etc/samba/smb.conf - name: (samba-config-server.yml) /etc/samba/smb.conf
template: template:
dest: /etc/samba/smb.conf dest: /etc/samba/smb.conf
@@ -61,16 +257,13 @@
group: root group: root
mode: 0644 mode: 0644
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- samba_user is defined and samba_user|length > 0
- samba_shares is defined and samba_shares|length > 0
notify: notify:
- Restart smbd - Restart smbd
- Restart nmbd - Restart nmbd
tags: tags:
- samba-server - samba-server
- name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists - name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists
copy: copy:
src: "{{ role_path + '/files/etc/samba/users.map' }}" src: "{{ role_path + '/files/etc/samba/users.map' }}"
@@ -79,14 +272,13 @@
group: root group: root
mode: 0644 mode: 0644
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
notify: notify:
- Restart smbd - Restart smbd
- Restart nmbd - Restart nmbd
tags: tags:
- samba-server - samba-server
# --- # ---
# Cronjob for cleaning up samba trash dirs # Cronjob for cleaning up samba trash dirs
# --- # ---
@@ -97,25 +289,25 @@
register: clean_samba_trash_exists register: clean_samba_trash_exists
when: when:
- inventory_hostname in groups['samba_server'] - inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron] tags:
- samba-server
- samba-cron
- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh' - name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
template: template:
dest: /root/bin/samba/conf/clean_samba_trash.conf dest: /root/bin/samba/conf/clean_samba_trash.conf
src: root/bin/samba/conf/clean_samba_trash.conf.j2 src: root/bin/samba/conf/clean_samba_trash.conf.j2
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- clean_samba_trash_exists.stat.exists|bool - clean_samba_trash_exists.stat.exists|bool
tags: tags:
- samba-server - samba-server
- samba-cron - samba-cron
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured - name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: '^trash_dirs=*' regexp: "^trash_dirs=*"
state: absent state: absent
check_mode: true check_mode: true
changed_when: false changed_when: false
@@ -124,7 +316,6 @@
- inventory_hostname in groups['samba_server'] - inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron] tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs - name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
ansible.builtin.cron: ansible.builtin.cron:
name: "{{ samba_cronjob_trash_dirs.name }}" name: "{{ samba_cronjob_trash_dirs.name }}"
@@ -141,7 +332,6 @@
- (clean_samba_trash_dirs.found | int) > 0 - (clean_samba_trash_dirs.found | int) > 0
tags: [samba-server, samba-cron] tags: [samba-server, samba-cron]
# --- # ---
# Cronjob for setting permissions on samba shares # Cronjob for setting permissions on samba shares
# --- # ---
@@ -154,7 +344,6 @@
- inventory_hostname in groups['samba_server'] - inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron] tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh' - name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
ansible.builtin.template: ansible.builtin.template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
@@ -164,7 +353,6 @@
- set_permissions_on_samba_shares_exists.stat.exists | bool - set_permissions_on_samba_shares_exists.stat.exists | bool
tags: [samba-server, samba-cron] tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs - name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs
ansible.builtin.cron: ansible.builtin.cron:
name: "{{ samba_cronjob_permissions.name }}" name: "{{ samba_cronjob_permissions.name }}"
@@ -177,7 +365,5 @@
job: "{{ samba_cronjob_permissions.job }}" job: "{{ samba_cronjob_permissions.job }}"
when: when:
- inventory_hostname in groups['samba_server'] - inventory_hostname in groups['samba_server']
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool - (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
tags: [samba-server, samba-cron] tags: [samba-server, samba-cron]
+4 -5
@@ -196,8 +196,8 @@
loop_control: loop_control:
label: '{{ item.item.name }}' label: '{{ item.item.name }}'
when: when:
- item.stat.exists - item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') != ''
tags: tags:
- webadmin - webadmin
- bash - bash
@@ -240,7 +240,7 @@
label: '{{ item.item.name }}' label: '{{ item.item.name }}'
when: when:
- item.stat.exists - item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') != ''
tags: tags:
- webadmin - webadmin
- profile - profile
@@ -261,7 +261,7 @@
label: '{{ item.item.name }}' label: '{{ item.item.name }}'
when: when:
- item.stat.exists - item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') != ''
tags: tags:
- webadmin - webadmin
- vim - vim
@@ -288,4 +288,3 @@
tags: tags:
- webadmin - webadmin
- vim - vim
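Review bot: The `!= ''` comparison added to the three `when` conditions (hunks at -196, -240 and -261) works only because `lookup('fileglob', …)` returns a comma-joined string when no `wantlist` is given, so the intent (at least one match) is expressed through a representation detail; `lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc', wantlist=True) | length > 0` states the same check explicitly and reads the same on the two sibling tasks. The glob path is built by plain concatenation of `item.item.name`, so a name containing glob characters would widen the match; this is presumably inventory-controlled data, but a one-line comment on the first occurrence stating that assumption would help. The -288 hunk only drops a blank line.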
@@ -0,0 +1,11 @@
# {{ ansible_managed }}
# see: roles/common/tasks/samba-config-server.yml
/data/** r,
/data/samba/QUARANTINE/** rw,
{% if samba_homes_virusfilter | default(false) | bool %}
{{ base_home }}/** r,
{% if base_home != '/home' %}
/home/** r,
{% endif %}
{% endif %}
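Review bot: `/data/samba/QUARANTINE/** rw` gives clamd write access to the quarantine tree, although the move into quarantine is performed by smbd's virusfilter module (`virusfilter:infected file action = quarantine` in the smb.conf template of this same commit), so `r` appears sufficient for the scanner itself; if write access is needed for another reason, record it next to the rule, e.g. `# rw: clamd needs to write here because <reason> — TODO confirm`. The `{{ base_home }}/** r` line assumes `base_home` is always defined when `samba_homes_virusfilter` is true; an undefined variable aborts the whole template, so either guard the block with `base_home is defined` or document the requirement in the header comment. The hunk header announces 11 added lines while 10 are visible, presumably a trailing blank line.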
+113 -29
@@ -6,7 +6,7 @@
# #
# This is the main Samba configuration file. You should read the # This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed # smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which # here. Samba has a huge number of configurable options most of which
# are not shown in this example # are not shown in this example
# #
# Some options that are often worth tuning have been included as # Some options that are often worth tuning have been included as
@@ -18,8 +18,8 @@
# enough to be mentioned here # enough to be mentioned here
# #
# NOTE: Whenever you modify this file you should run the command # NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic # "testparm" to check that you have not made any basic syntactic
# errors. # errors.
#======================= Global Settings ======================= #======================= Global Settings =======================
@@ -31,11 +31,11 @@
; workgroup = WORKGROUP ; workgroup = WORKGROUP
workgroup = {{ samba_workgroup|default('WORKGROUP') }} workgroup = {{ samba_workgroup|default('WORKGROUP') }}
# Option 'netbios name' added to debian's default smb.conf # Option 'netbios name' added to debian's default smb.conf
# #
# This sets the NetBIOS name by which a Samba server is known. By default it # This sets the NetBIOS name by which a Samba server is known. By default it
# is the same as the first component of the host's DNS name. If a machine is # is the same as the first component of the host's DNS name. If a machine is
# a browse server or logon server this name (or the first component of the # a browse server or logon server this name (or the first component of the
# hosts DNS name) will be the name that these services are advertised under. # hosts DNS name) will be the name that these services are advertised under.
# #
# Note that the maximum length for a NetBIOS name is 15 characters. # Note that the maximum length for a NetBIOS name is 15 characters.
@@ -46,9 +46,9 @@
{% if samba_server_min_protocol is defined and samba_server_min_protocol|length > 0 %} {% if samba_server_min_protocol is defined and samba_server_min_protocol|length > 0 %}
# This setting controls the minimum protocol version that the server will allow # This setting controls the minimum protocol version that the server will allow
# the client to use. Normally this option should not be set as the automatic # the client to use. Normally this option should not be set as the automatic
# negotiation phase in the SMB protocol takes care of choosing the appropriate # negotiation phase in the SMB protocol takes care of choosing the appropriate
# protocol unless you have legacy clients which are SMB1 capable only. # protocol unless you have legacy clients which are SMB1 capable only.
# #
# See Related command: server max protocol for a full list of available protocols. # See Related command: server max protocol for a full list of available protocols.
@@ -69,7 +69,7 @@
; interfaces = 127.0.0.0/8 eth0 ; interfaces = 127.0.0.0/8 eth0
interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8 interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf # Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
hosts deny = 0.0.0.0/0 hosts deny = 0.0.0.0/0
hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8 hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8
@@ -80,8 +80,8 @@
# option cannot handle dynamic or non-broadcast interfaces correctly. # option cannot handle dynamic or non-broadcast interfaces correctly.
# #
# Notice: # Notice:
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the # If bind interfaces only is set and the network address 127.0.0.1 is not added to the
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons # interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
# covered below. # covered below.
# #
# Default: bind interfaces only = no # Default: bind interfaces only = no
@@ -103,13 +103,13 @@
# Append syslog@1 if you want important messages to be sent to syslog too. # Append syslog@1 if you want important messages to be sent to syslog too.
logging = file logging = file
# Option 'log level' added to debian's default smb.conf # Option 'log level' added to debian's default smb.conf
# #
# The value of the parameter (a astring) allows the debug level (logging level) to be # The value of the parameter (a astring) allows the debug level (logging level) to be
# specified in the smb.conf file. # specified in the smb.conf file.
# #
# This parameter has been extended since the 2.2.x series, now it allows one to specify # This parameter has been extended since the 2.2.x series, now it allows one to specify
# the debug level for multiple debug classes. This is to give greater flexibility in # the debug level for multiple debug classes. This is to give greater flexibility in
# the configuration of the system. # the configuration of the system.
# #
# See manpage for implemented debug classes # See manpage for implemented debug classes
@@ -125,7 +125,7 @@
####### Authentication ####### ####### Authentication #######
# Option 'ntlm auth' added to debian's default smb.conf # Option 'ntlm auth' added to debian's default smb.conf
# #
# This parameter determines whether or not smbd(8) will attempt to authenticate # This parameter determines whether or not smbd(8) will attempt to authenticate
# users using the NTLM encrypted password response for this local passdb (SAM # users using the NTLM encrypted password response for this local passdb (SAM
@@ -167,7 +167,7 @@
# Server role. Defines in which mode Samba will operate. Possible # Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary # values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active # domain controller", "classic backup domain controller", "active
# directory domain controller". # directory domain controller".
# #
# Most people will want "standalone server" or "member server". # Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first # Running as "active directory domain controller" will require first
@@ -197,7 +197,7 @@
# to anonymous connections # to anonymous connections
map to guest = bad user map to guest = bad user
# Option 'username map' added to debian's default smb.conf # Option 'username map' added to debian's default smb.conf
# #
username map = /etc/samba/users.map username map = /etc/samba/users.map
@@ -206,7 +206,7 @@
# #
# The following settings only takes effect if 'server role = primary # The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller' # classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set # or 'domain logons' is set
# #
# It specifies the location of the user's # It specifies the location of the user's
@@ -235,13 +235,13 @@
# password; please adapt to your needs # password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the # This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe. # SAMR RPC pipe.
# The following assumes a "machines" group exists on the system # The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR # This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe. # RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g ; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############ ############ Misc ############
@@ -305,6 +305,14 @@
# next parameter to 'no' if you want to be able to write to them. # next parameter to 'no' if you want to be able to write to them.
read only = no read only = no
{% if samba_homes_virusfilter | default(false) | bool %}
# Virusfilter aktiv: Gruppe benötigt Leserecht, damit clamd (als Gruppenmitglied)
# Dateien und Verzeichnisse direkt öffnen kann (SCAN-Kommando an clamd).
create mask = 0640
force create mode = 0040
directory mask = 0750
force directory mode = 0050
{% else %}
# File creation mask is set to 0700 for security reasons. If you want to # File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775. # create files with group=rw permissions, set next parameter to 0775.
create mask = 0700 create mask = 0700
@@ -312,6 +320,7 @@
# Directory creation mask is set to 0700 for security reasons. If you want to # Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775. # create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700 directory mask = 0700
{% endif %}
# By default, \\server\username shares can be connected to by anyone # By default, \\server\username shares can be connected to by anyone
# with access to the samba server. # with access to the samba server.
@@ -319,6 +328,35 @@
# to \\server\username # to \\server\username
# This might need tweaking when using external authentication schemes # This might need tweaking when using external authentication schemes
valid users = %S valid users = %S
{% if samba_homes_virusfilter | default(false) | bool %}
# --- Virusfilter-Einstellungen [homes] ---
vfs objects = virusfilter
virusfilter:scanner = clamav
virusfilter:socket path = /var/run/clamav/clamd.ctl
virusfilter:infected file action = delete
virusfilter:cache entry limit = 1000
virusfilter:cache time limit = 60
virusfilter:max file size = 26214400
virusfilter:min file size = 10
virusfilter:scan on open = yes
virusfilter:scan on close = yes
# Fehlercode bei infizierter Datei (beim Öffnen)
virusfilter:infected file errno on open = EACCES
# Fehlercode beim Schließen
virusfilter:infected file errno on close = EACCES
virusfilter:connect timeout = 30000
virusfilter:io timeout = 60000
{% endif %}
# Un-comment the following and create the netlogon directory for Domain Logons # Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.) # (you need to configure Samba to act as a domain controller too.)
@@ -412,10 +450,19 @@
# #
wide links = yes wide links = yes
{% endif %} {% endif %}
{%- set vfs_objects_parts = [] %}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %}
{%- set _ = vfs_objects_parts.append('recycle') %}
{% endif %}
{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
{%- set _ = vfs_objects_parts.append('virusfilter') %}
{% endif %}
{% if vfs_objects_parts | length > 0 %}
vfs objects = {{ vfs_objects_parts | join(' ') }}
{% endif %}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} {% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
{% if item.recycle_path is defined and item.recycle_path|length > 0 %} {% if item.recycle_path is defined and item.recycle_path|length > 0 %}
vfs objects = recycle
recycle:keeptree = yes recycle:keeptree = yes
# touch access time from this file # touch access time from this file
# note: this is not the modified time, which is # note: this is not the modified time, which is
@@ -438,8 +485,8 @@
recycle:excludedir = /tmp,/temp,/cache,.Trash recycle:excludedir = /tmp,/temp,/cache,.Trash
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }} recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
# - This is a list of files and directories that are neither visible nor accessible. # - This is a list of files and directories that are neither visible nor accessible.
# - Each entry in the list must be separated by a '/', which allows spaces to be # - Each entry in the list must be separated by a '/', which allows spaces to be
# - included in the entry. '*' and '?' can be used to specify multiple files or # - included in the entry. '*' and '?' can be used to specify multiple files or
# - directories as in DOS wildcards. # - directories as in DOS wildcards.
# - # -
@@ -449,11 +496,48 @@
veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/ veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/
{% endif %} {% endif %}
delete veto files = yes delete veto files = yes
{% else %}
{% endif %} {% endif %}
{% else %} {% endif %}
{% if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
# --- Virusfilter-Einstellungen ---
# Scanner auswählen
virusfilter:scanner = clamav
# Socket-Pfad (Debian-Standard)
virusfilter:socket path = /var/run/clamav/clamd.ctl
# Verhalten bei Fund
virusfilter:infected file action = quarantine
virusfilter:quarantine directory = /data/samba/QUARANTINE
# Performance-Tuning: Ergebnis-Cache
#virusfilter:cache entry limit = 500
#virusfilter:cache time limit = 30
# Cache großzügig einstellen
virusfilter:cache entry limit = 1000
virusfilter:cache time limit = 60
# Dateigröße: Was wird gescannt?
#virusfilter:max file size = 52428800 # 50 MB max
virusfilter:max file size = 26214400 # 25 MB max
virusfilter:min file size = 10 # unter 10 Byte ignorieren
# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
virusfilter:scan on open = yes
virusfilter:scan on close = yes
# Fehlercode bei infizierter Datei (beim Öffnen)
virusfilter:infected file errno on open = EACCES
# Fehlercode beim Schließen
virusfilter:infected file errno on close = EACCES
# Timeouts (Millisekunden)
virusfilter:connect timeout = 30000
virusfilter:io timeout = 60000
{% endif %} {% endif %}
{% endfor %} {% endfor %}
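Review bot: In the last hunk the trailing comments on `virusfilter:max file size = 26214400 # 25 MB max` and `virusfilter:min file size = 10 # unter 10 Byte ignorieren` become part of the parameter value, because smb.conf only treats lines that begin with `#` or `;` as comments; even if the numeric parser stops at the first non-digit, `testparm` will show the polluted value, so move each remark onto its own line above the setting. The comment `# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen` contradicts the two following lines, which set both `scan on open = yes` and `scan on close = yes`; change it to `# Scan-Zeitpunkt: beim Öffnen und beim Schließen` or drop it. Worth a comment as well: files above the 25 MB cap are not scanned at all, so the limit is a trade-off against large archives passing through unchecked. Separately, the [homes] hunk at -305 forces group read on every file and directory written through SMB (`force create mode = 0040`, `force directory mode = 0050`); if the users' home directories share a common primary group so that clamd can be a member of it, this also makes home contents group-readable between those users at the filesystem level, which the German comment there should state explicitly.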