Add virusfilter support for Samba homes and update AppArmor configuration

Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.

group_vars/all/main.yml

@@ -3160,6 +3160,12 @@ apt_install_server_samba:
   - samba
   - nscd
 
+apt_install_server_samba_virusfilter:
+  - clamav
+  - clamav-daemon
+  - clamav-freshclam
+  - samba-vfs-modules
+
 # samba_workgroup
 #
 # example:
@@ -3195,6 +3201,9 @@ samba_user: []
 
 base_home: /home
 
+# include vfs object 'virusfilter' to (private) homes shares
+samba_homes_virusfilter: false
+
 # remove_samba_users:
 #   - name: name1
 #   - name: name2

host_vars/backup.oopen.de.yml

@@ -288,6 +288,7 @@ default_user:
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpNZFa+Jp5/8zKmSIZ3LGzuuPxj+QvfF+NYbWtblvTg root@iam-nd'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus'

host_vars/backup.warenform.de.yml

@@ -255,6 +255,7 @@ default_user:
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUZHYQRap1XPOBsbtYs1elQMMm1hU1VMr7k2OFfOoi1 root@server18'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0'
 
 

host_vars/devel-php.wf.netz.yml

@@ -29,6 +29,13 @@
 # vars used by roles/common/tasks/apt.yml
 # ---
 
+apt_install_extra_pkgs: true
+apt_extra_pkgs:
+  - weasyprint
+  - pdftk
+  - subversion
+  - subversion-tools
+
 
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml

host_vars/file-ah.kanzlei-kiel.netz.yml

@@ -495,6 +495,11 @@ samba_user:
       - gubitz-partner
     password: '20.mal-te/26%'
 
+  - name: jovis
+    groups:
+      - intern
+    password: '20.jo-vis_26!'
+
   - name: hh-lucke
     groups: []
     password: 'Ole20Steffen_17'

host_vars/file-blkr.blkr.netz.yml

@@ -415,6 +415,7 @@ samba_shares:
     group_write_list: buero
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 
@@ -425,6 +426,7 @@ samba_shares:
     group_write_list: verwaltung
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 

host_vars/file-ebs.ebs.netz.yml

@@ -536,6 +536,18 @@ samba_shares:
     guest_ok: !!str yes
     vfs_object_recycle: false
 
+    # ---
+    # - This share contains archived data that has not been backed up
+    # ---
+  - name: Archive-no-Backup
+    comment: Archive - keine Sicherungen
+    path: /data/samba/no-backup-shares/Archive-no-Backup
+    group_valid_users: alle
+    group_write_list: alle
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: false
+
 
 
 # ==============================

host_vars/file-km-neu.anw-km.netz.yml

@@ -93,6 +93,13 @@ network_interfaces:
 # vars used by roles/common/tasks/apt.yml
 # ---
 
+apt_install_extra_pkgs:
+  - lvm2
+  - kpartx
+  - ntfs-3g
+  - swtpm
+  - swtpm-tools
+
 
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
@@ -175,6 +182,44 @@ cron_user_special_time_entries:
     job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
     insertafter: PATH
 
+  - name: "Activate ksm support"
+    special_time: reboot
+    job: "echo 1 > /sys/kernel/mm/ksm/run"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    minute: "*/5"
+    hour: "*"
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check Postfix E-Mail LOG file for 'fatal' errors."
+    minute: "*/30"
+    hour: "*"
+    job: /root/bin/postfix/check-postfix-fatal-errors.sh
+
+  - name: "Clean up Samba Trash Dirs"
+    minute: "02"
+    hour: "23"
+    job: /root/bin/samba/clean_samba_trash.sh
+
+  - name: "Set (group and access) Permissons for Samba shares"
+    minute: "14"
+    hour: "23"
+    job: /root/bin/samba/set_permissions_samba_shares.sh
+
+  - name: "Check if ntpsec is running. Restart service if needed."
+    minute: "*/6"
+    hour: "*"
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
 
 
 # ---
@@ -270,9 +315,9 @@ sudoers_file_user_back_mount_privileges:
 samba_server_ip: 192.168.122.210
 samba_server_cidr_prefix: 24
 
-samba_workgroup: WORKGROUP
+samba_workgroup: ANW-KM
 
-samba_netbios_name: FILE-KM
+samba_netbios_name: FILE-KM-01
 
 samba_server_min_protocol: !!str NT1
 
@@ -285,10 +330,12 @@ samba_groups:
     group_id: 1115
   - name: intern
     group_id: 1120
-  - name: aulmann
+  - name: wildvang
     group_id: 1130
-  - name: howe
-    group_id: 1140
+  #- name: aulmann
+  #  group_id: 1130
+  #- name: howe
+  #  group_id: 1140
   - name: stahmann
     group_id: 1150
   - name: traine
@@ -318,8 +365,6 @@ samba_user:
   - name: andrea
     groups:
       - advoware
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -336,8 +381,6 @@ samba_user:
   - name: aphex2
     groups:
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -354,8 +397,6 @@ samba_user:
   - name: beuster
     groups:
       - advoware
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -407,11 +448,11 @@ samba_user:
       - a-jur
       - advoware
       - alle
-      - aulmann
       - intern
       - kanzlei
       - stahmann
       - traine
+      - wildvang
       - public
     password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
@@ -425,8 +466,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -436,8 +475,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -457,7 +494,6 @@ samba_user:
   - name: ho-st1
     groups:
       - alle
-      - howe
       - stahmann
     password: '44-Ro-440'
 
@@ -473,8 +509,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -484,8 +518,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -504,8 +536,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -515,8 +545,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -526,8 +554,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -537,8 +563,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
     password: '66koeln66'
@@ -562,8 +586,6 @@ samba_user:
   - name: rolf
     groups:
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -574,11 +596,11 @@ samba_user:
       - a-jur
       - advoware
       - alle
-      - aulmann
       - intern
       - kanzlei
       - stahmann
       - traine
+      - wildvang
       - public
     password: 'Ax_GSHh5'
 
@@ -595,12 +617,18 @@ samba_user:
       - advoware
       - alle
       - kanzlei
-      - howe
       - stahmann
       - traine
       - public
     password: 'maltzwo2'
 
+  - name: wiebke
+    groups:
+      - alle
+      - wildvang
+      - public
+    password: 'uJ5gF/m53p.P'
+
   - name: winadm
     groups:
       - a-jur
@@ -615,6 +643,8 @@ samba_user:
 
 base_home: /data/home
 
+samba_homes_virusfilter: true
+
 remove_samba_users:
   - name: howe-staff-1
   - name: gerhard
@@ -633,6 +663,7 @@ samba_shares:
     group_write_list: a-jur
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -644,6 +675,7 @@ samba_shares:
     group_write_list: kanzlei
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -657,27 +689,41 @@ samba_shares:
     dir_create_mask: !!str 2770
     vfs_object_recycle: false
 
-  - name: aulmann
-    comment: Aulmann auf Fileserver
-    path: /data/samba/Aulmann
-    group_valid_users: aulmann
-    group_write_list: aulmann
+  - name: wildvang
+    comment: Wildvang auf Fileserver
+    path: /data/samba/Wildvang
+    group_valid_users: wildvang
+    group_write_list: wildvang
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
 
-  - name: howe
-    comment: Howe auf Fileserver
-    path: /data/samba/Howe
-    group_valid_users: howe
-    group_write_list: howe
-    file_create_mask: !!str 660
-    dir_create_mask: !!str 2770
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-    vfs_object_recycle_is_visible: true
+#  - name: aulmann
+#    comment: Aulmann auf Fileserver
+#    path: /data/samba/Aulmann
+#    group_valid_users: aulmann
+#    group_write_list: aulmann
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
+
+#  - name: howe
+#    comment: Howe auf Fileserver
+#    path: /data/samba/Howe
+#    group_valid_users: howe
+#    group_write_list: howe
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
 
   - name: stahmann
     comment: Stahmann auf Fileserver
@@ -686,6 +732,7 @@ samba_shares:
     group_write_list: stahmann
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -697,6 +744,7 @@ samba_shares:
     group_write_list: traine
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -708,6 +756,7 @@ samba_shares:
     group_write_list: public
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -719,6 +768,7 @@ samba_shares:
     group_write_list: advoware
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -730,6 +780,7 @@ samba_shares:
     group_write_list: intern
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: false
@@ -741,6 +792,7 @@ samba_shares:
     group_write_list: alle
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    vfs_object_virusfilter: true
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
@@ -752,6 +804,7 @@ samba_shares:
 #    group_write_list: web
 #    file_create_mask: !!str 660
 #    dir_create_mask: !!str 2770
+#    vfs_object_virusfilter: true
 #    vfs_object_recycle: true
 #    recycle_path: '@Recycle'
 

host_vars/file-km.anw-km.netz.yml

@@ -175,6 +175,44 @@ cron_user_special_time_entries:
     job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
     insertafter: PATH
 
+  - name: "Activate ksm support"
+    special_time: reboot
+    job: "echo 1 > /sys/kernel/mm/ksm/run"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    minute: "*/5"
+    hour: "*"
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check Postfix E-Mail LOG file for 'fatal' errors."
+    minute: "*/30"
+    hour: "*"
+    job: /root/bin/postfix/check-postfix-fatal-errors.sh
+
+  - name: "Clean up Samba Trash Dirs"
+    minute: "02"
+    hour: "23"
+    job: /root/bin/samba/clean_samba_trash.sh
+
+  - name: "Set (group and access) Permissons for Samba shares"
+    minute: "14"
+    hour: "23"
+    job: /root/bin/samba/set_permissions_samba_shares.sh
+
+  - name: "Check if ntpsec is running. Restart service if needed."
+    minute: "*/6"
+    hour: "*"
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
 
 
 # ---
@@ -233,10 +271,12 @@ samba_groups:
     group_id: 1110
   - name: intern
     group_id: 1120
-  - name: aulmann
+  - name: wildvang
     group_id: 1130
-  - name: howe
-    group_id: 1140
+  #- name: aulmann
+  #  group_id: 1130
+  #- name: howe
+  #  group_id: 1140
   - name: stahmann
     group_id: 1150
   - name: traine
@@ -266,8 +306,6 @@ samba_user:
   - name: andrea
     groups:
       - advoware
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -284,8 +322,6 @@ samba_user:
   - name: aphex2
     groups:
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -302,8 +338,6 @@ samba_user:
   - name: beuster
     groups:
       - advoware
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -355,11 +389,11 @@ samba_user:
       - a-jur
       - advoware
       - alle
-      - aulmann
       - intern
       - kanzlei
       - stahmann
       - traine
+      - wildvang
       - public
     password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
@@ -373,8 +407,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -384,8 +416,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -405,7 +435,6 @@ samba_user:
   - name: ho-st1
     groups:
       - alle
-      - howe
       - stahmann
     password: '44-Ro-440'
 
@@ -421,8 +450,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -432,8 +459,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -452,8 +477,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -463,8 +486,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -474,8 +495,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -485,8 +504,6 @@ samba_user:
     groups:
       - advoware
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
     password: '66koeln66'
@@ -510,8 +527,6 @@ samba_user:
   - name: rolf
     groups:
       - alle
-      - aulmann
-      - howe
       - stahmann
       - traine
       - public
@@ -522,11 +537,11 @@ samba_user:
       - a-jur
       - advoware
       - alle
-      - aulmann
       - intern
       - kanzlei
       - stahmann
       - traine
+      - wildvang
       - public
     password: 'Ax_GSHh5'
 
@@ -543,12 +558,18 @@ samba_user:
       - advoware
       - alle
       - kanzlei
-      - howe
       - stahmann
       - traine
       - public
     password: 'maltzwo2'
 
+  - name: wiebke
+    groups:
+      - alle
+      - wildvang
+      - public
+    password: 'uJ5gF/m53p.P'
+
   - name: winadm
     groups:
       - a-jur
@@ -605,27 +626,38 @@ samba_shares:
     dir_create_mask: !!str 2770
     vfs_object_recycle: false
 
-  - name: aulmann
-    comment: Aulmann auf Fileserver
-    path: /data/samba/Aulmann
-    group_valid_users: aulmann
-    group_write_list: aulmann
+  - name: wildvang
+    comment: Wildvang auf Fileserver
+    path: /data/samba/Wildvang
+    group_valid_users: wildvang
+    group_write_list: wildvang
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
     vfs_object_recycle: true
     recycle_path: '@Recycle'
     vfs_object_recycle_is_visible: true
 
-  - name: howe
-    comment: Howe auf Fileserver
-    path: /data/samba/Howe
-    group_valid_users: howe
-    group_write_list: howe
-    file_create_mask: !!str 660
-    dir_create_mask: !!str 2770
-    vfs_object_recycle: true
-    recycle_path: '@Recycle'
-    vfs_object_recycle_is_visible: true
+#  - name: aulmann
+#    comment: Aulmann auf Fileserver
+#    path: /data/samba/Aulmann
+#    group_valid_users: aulmann
+#    group_write_list: aulmann
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
+
+#  - name: howe
+#    comment: Howe auf Fileserver
+#    path: /data/samba/Howe
+#    group_valid_users: howe
+#    group_write_list: howe
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
 
   - name: stahmann
     comment: Stahmann auf Fileserver

host_vars/file-km.anw-km.netz.yml.BAK.2026-04-18-1218

@@ -0,0 +1,774 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device enp97s0
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    description:
+    address: 192.168.122.10
+    netmask: 24
+    gateway: 192.168.122.254
+
+    # optional dns settings nameservers: []
+    #
+    #    nameservers:
+    #      - 194.150.168.168  # dns.as250.net
+    #      - 91.239.100.100   # anycast.censurfridns.dk
+    #    search: warenform.de
+    #
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: enp97s0 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    # inline hook scripts
+    pre-up:
+      - !!str "ip link set dev enp97s0 up" # pre-up script lines
+    up: [] #up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 192.168.122.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - anw-km.netz
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 172.16.122.254
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+  - name: "Activate ksm support"
+    special_time: reboot
+    job: "echo 1 > /sys/kernel/mm/ksm/run"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    minute: "*/5"
+    hour: "*"
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check Postfix E-Mail LOG file for 'fatal' errors."
+    minute: "*/30"
+    hour: "*"
+    job: /root/bin/postfix/check-postfix-fatal-errors.sh
+
+  - name: "Clean up Samba Trash Dirs"
+    minute: "02"
+    hour: "23"
+    job: /root/bin/samba/clean_samba_trash.sh
+
+  - name: "Set (group and access) Permissons for Samba shares"
+    minute: "14"
+    hour: "23"
+    job: /root/bin/samba/set_permissions_samba_shares.sh
+
+  - name: "Check if ntpsec is running. Restart service if needed."
+    minute: "*/6"
+    hour: "*"
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_back_mount_privileges:
+  - 'ALL=(root) NOPASSWD: /usr/bin/mount'
+  - 'ALL=(root) NOPASSWD: /usr/bin/umount'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/samba-config-server.yml
+# vars used by roles/common/tasks/samba-user.yml
+# ---
+
+samba_server_ip: 192.168.122.10
+samba_server_cidr_prefix: 24
+
+samba_workgroup: WORKGROUP
+
+samba_netbios_name: FILE-KM
+
+samba_server_min_protocol: !!str NT1
+
+samba_groups:
+  - name: kanzlei
+    group_id: 1100
+  - name: a-jur
+    group_id: 1110
+  - name: intern
+    group_id: 1120
+  - name: wildvang
+    group_id: 1130
+  #- name: aulmann
+  #  group_id: 1130
+  #- name: howe
+  #  group_id: 1140
+  - name: stahmann
+    group_id: 1150
+  - name: traine
+    group_id: 1160
+  - name: public
+    group_id: 1170
+  - name: alle
+    group_id: 1180
+
+
+
+samba_user:
+
+  - name: advoware
+    groups:
+      - advoware
+    password: '9WNRbc49m3'
+
+  - name: a-jur
+    groups:
+      - a-jur
+      - alle
+      - intern
+      - kanzlei
+    password: 'a-jur'
+
+  - name: andrea
+    groups:
+      - advoware
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'fXc3bmK9gj'
+
+  - name: andreas
+    groups:
+      - a-jur
+      - advoware
+      - alle
+      - kanzlei
+    password: 'YKQRa.M9-6rL'
+
+  - name: aphex2
+    groups:
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'J3KMRprK9H'
+
+  - name: berenice
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'berenice'
+
+  - name: beuster
+    groups:
+      - advoware
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+      - alle
+    password: 'zlm17Kx'
+
+  - name: buero
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'buero'
+
+  - name: buero2
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'buero2'
+
+  - name: buero3
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'buero3'
+
+  - name: buero4
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'buero4'
+
+  - name: buero7
+    groups:
+      - advoware
+      - kanzlei
+      - a-jur
+      - alle
+    password: 'buero7'
+
+  - name: chris
+    groups:
+      - a-jur
+      - advoware
+      - alle
+      - aulmann
+      - intern
+      - kanzlei
+      - stahmann
+      - traine
+      - public
+    password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30383265366434633965346530666535363761396165393434643665393137353765653739636364
+          6330623334353763613065343336306434376335646666380a363030363335656261656236636562
+          63663763616630383264303039336562626537366634303636356237323630666635356130383165
+          3837613337343533650a663061366230353531316535656433643162353063383534323833323138
+          3430
+
+  - name: christina
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'qvR7zX4Lhs'
+
+  - name: federico
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'zHfj9g3NcC'
+
+#  - name: gerhard
+#    groups:
+#      - advoware
+#      - alle
+#      - aulmann
+#      - howe
+#      - stahmann
+#      - traine
+#      - public
+#    password: 'bHdhzWnTj9'
+
+  - name: ho-st1
+    groups:
+      - alle
+      - howe
+      - stahmann
+    password: '44-Ro-440'
+
+#  - name: howe-staff-1
+#    groups:
+#      - advoware
+#      - alle
+#      - aulmann
+#      - howe
+#    password: ''
+
+  - name: irina
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'W9NKv39pXW'
+
+  - name: jessica
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'bV3pjPtjkR'
+
+#  - name: laura
+#    groups:
+#      - alle
+#      - aulmann
+#      - howe
+#      - stahmann
+#      - traine
+#    password: '99-Hamburg-990'
+
+  - name: lenovo3
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'fndvLmrt7W'
+
+  - name: lenovo4
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'tpCMmTKj7H'
+
+  - name: lenovo5
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'L5Hannover51'
+
+  - name: lenovo6
+    groups:
+      - advoware
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+    password: '66koeln66'
+
+  - name: rm-buero1
+    groups:
+      - advoware
+      - alle
+      - a-jur
+      - kanzlei
+    password: ''
+
+  - name: rm-buero2
+    groups:
+      - advoware
+      - alle
+      - a-jur
+      - kanzlei
+    password: ''
+
+  - name: rolf
+    groups:
+      - alle
+      - aulmann
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: '4xNVNFXgP4'
+
+  - name: sysadm
+    groups:
+      - a-jur
+      - advoware
+      - alle
+      - aulmann
+      - intern
+      - kanzlei
+      - stahmann
+      - traine
+      - public
+    password: 'Ax_GSHh5'
+
+  - name: thomas
+    groups:
+      - advoware
+      - alle
+      - traine
+    password: '55-tho-mas-550'
+
+  - name: Tresen
+    groups:
+      - a-jur
+      - advoware
+      - alle
+      - kanzlei
+      - howe
+      - stahmann
+      - traine
+      - public
+    password: 'maltzwo2'
+
+  - name: wiebke
+    groups:
+      - alle
+      - wildvang
+      - public
+    password: '4xNVNFXgP4'
+
+  - name: winadm
+    groups:
+      - a-jur
+      - advoware
+      - alle
+      - intern
+      - kanzlei
+      - public
+    password: 'Ax_GSHh5'
+
+
+
+base_home: /data/home
+
+remove_samba_users:
+  - name: howe-staff-1
+  - name: gerhard
+  - name: laura
+
+#remove_samba_users: []
+#remove_samba_users:
+#  - name: evren
+
+samba_shares:
+
+  - name: a-jur
+    comment: a-jur Dokumente
+    path: /data/samba/a-jur
+    group_valid_users: a-jur
+    group_write_list: a-jur
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: kanzlei
+    comment: Kanzlei auf Fileserver
+    path: /data/samba/kanzlei
+    group_valid_users: kanzlei
+    group_write_list: kanzlei
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: install
+    comment: Install auf Fileserver
+    path: /data/samba/no-backup-shares/install
+    group_valid_users: intern
+    group_write_list: intern
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: false
+
+  - name: wildvang
+    comment: Traine auf Fileserver
+    path: /data/samba/Wildvang
+    group_valid_users: wildvang
+    group_write_list: wildvang
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+#  - name: aulmann
+#    comment: Aulmann auf Fileserver
+#    path: /data/samba/Aulmann
+#    group_valid_users: aulmann
+#    group_write_list: aulmann
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
+
+#  - name: howe
+#    comment: Howe auf Fileserver
+#    path: /data/samba/Howe
+#    group_valid_users: howe
+#    group_write_list: howe
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+#    vfs_object_recycle_is_visible: true
+
+  - name: stahmann
+    comment: Stahmann auf Fileserver
+    path: /data/samba/Stahmann
+    group_valid_users: stahmann
+    group_write_list: stahmann
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: traine
+    comment: Traine auf Fileserver
+    path: /data/samba/Traine
+    group_valid_users: traine
+    group_write_list: traine
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: public
+    comment: Public auf Fileserver
+    path: /data/samba/public
+    group_valid_users: public
+    group_write_list: public
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: Advoware-Schriftverkehr
+    comment: Advoware Dokumente
+    path: /data/samba/Advoware-Schriftverkehr
+    group_valid_users: advoware
+    group_write_list: advoware
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+  - name: Advoware-Backup
+    comment: Advoware Dokumente
+    path: /data/samba/Advoware-Backup
+    group_valid_users: intern
+    group_write_list: intern
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: false
+
+  - name: alle
+    comment: Alle auf Fileserver
+    path: /data/samba/Alle
+    group_valid_users: alle
+    group_write_list: alle
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+    vfs_object_recycle_is_visible: true
+
+#  - name: web
+#    comment: Web auf Fileserver
+#    path: /data/samba/Web
+#    group_valid_users: web
+#    group_write_list: web
+#    file_create_mask: !!str 660
+#    dir_create_mask: !!str 2770
+#    vfs_object_recycle: true
+#    recycle_path: '@Recycle'
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

host_vars/gw-campus.oopen.de.yml

@@ -90,8 +90,8 @@ network_interfaces:
       - /sbin/ifconfig eno4 up
 
 
-  - device: eno6
-    headline: eno6 -  Management Network Campus - network 10.72.1.0/24
+  - device: eno6np1
+    headline: eno6np1 -  Management Network Campus - network 10.72.1.0/24
     auto: true
     family: inet
     method: static
@@ -99,8 +99,8 @@ network_interfaces:
     netmask: 24
 
 
-  - device: eno7
-    headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen)
+  - device: eno7np2
+    headline: eno7np2 - network 192.168.11.0/24 (LAN Stockhausen)
     auto: true
     family: inet
     method: static

host_vars/iam-nd.oopen.de.yml

@@ -0,0 +1,225 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    special_time: reboot
+    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if cert for Keycloak service is up-to-date"
+    minute: '51'
+    hour: '05'
+    job: /root/bin/monitoring/check_cert_for_keycloak.sh
+
+  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
+    minute: '23'
+    hour: '05'
+    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
+
+  - name: "Check whether all certificates are included in the VHOST configurations"
+    minute: '33'
+    hour: '05'
+    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
+
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+extra_user:
+
+  - name: nd-admin
+    user_id: 1045
+    group_id: 1045
+    group: nd-admin
+    password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
+
+sudo_users:
+  - chris
+  - sysadm
+  - nd-admin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+

host_vars/meet.akweb.de.yml

@@ -100,6 +100,62 @@ resolved_fallback_nameserver:
    - 194.150.168.168
 
 
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Restart Prosody Servive (used by Jitsi Meet Authentification)"
+    minute: 57
+    hour: 05
+    job: systemctl restart prosody.service
+
+  - name: "Check if cert for coTURN service is up-to-date"
+    minute: 03
+    hour: 05
+    job: /root/bin/monitoring/check_cert_for_service.sh
+
+  - name: "Check if cert(s) for Prosody service are up-to-date"
+    minute: 13
+    hour: 07
+    job: /root/bin/monitoring/check_cert_for_prosody.sh
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/postfix/check-postfix-fatal-errors.sh
+
+  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
+    minute: '23'
+    hour: '05'
+    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
+
+  - name: "Check whether all certificates are included in the VHOST configurations"
+    minute: '33'
+    hour: '05'
+    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
+
+
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---

host_vars/meet.oopen.de.yml

@@ -102,6 +102,63 @@ resolved_fallback_nameserver:
    - 194.150.168.168
 
 
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Restart Prosody Servive (used by Jitsi Meet Authentification)"
+    minute: 57
+    hour: 05
+    job: systemctl restart prosody.service
+
+  - name: "Check if cert for coTURN service is up-to-date"
+    minute: 03
+    hour: 05
+    job: /root/bin/monitoring/check_cert_for_service.sh
+
+  - name: "Check if cert(s) for Prosody service are up-to-date"
+    minute: 13
+    hour: 07
+    job: /root/bin/monitoring/check_cert_for_prosody.sh
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/postfix/check-postfix-fatal-errors.sh
+
+  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
+    minute: '23'
+    hour: '05'
+    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
+
+  - name: "Check whether all certificates are included in the VHOST configurations"
+    minute: '33'
+    hour: '05'
+    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
+
+
+
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---

host_vars/nd-archiv.warenform.de.yml

@@ -26,7 +26,7 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
   - pdftk
   - subversion
   - subversion-tools

host_vars/nd-live.warenform.de.yml

@@ -26,7 +26,8 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
+  - pdftk
   - subversion
   - subversion-tools
 

host_vars/nd.warenform.de.yml

@@ -26,7 +26,7 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
   - pdftk
   - subversion
   - subversion-tools

host_vars/o12.oopen.de.yml

@@ -243,6 +243,11 @@ cron_user_special_time_entries:
 
 cron_user_entries:
 
+  - name: "Check if webservices sre running. Restart if necessary"
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_webservice_load.sh
+
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'
     hour: '*'

host_vars/o13.oopen.de.yml

@@ -145,6 +145,11 @@ cron_user_special_time_entries:
 
 cron_user_entries:
 
+  - name: "Check if webservices sre running. Restart if necessary"
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_webservice_load.sh
+
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'
     hour: '*'

host_vars/o22.oopen.de.yml

@@ -257,6 +257,11 @@ cron_user_special_time_entries:
 
 cron_user_entries:
 
+  - name: "Check if webservices sre running. Restart if necessary"
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_webservice_load.sh
+
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'
     hour: '*'

host_vars/o26.oopen.de.yml

@@ -262,7 +262,7 @@ root_ssh_keypair:
     priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup
     priv_key_dest: /root/.ssh/id_ed25519-backup
     pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup.pub
-    pub_key_dest: /root/.ssh/id_ed25519-backup
+    pub_key_dest: /root/.ssh/id_ed25519-backup.pub
 
 
 # ---
@@ -386,7 +386,7 @@ cron_user_entries:
   - name: "Remote Borg Backup"
     minute: '04'
     hour: '00'
-    job: /root/crontab/backup-rborg/rborg.sh
+    job: /root/crontab/backup-rborg2/rborg2.sh
 
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'

host_vars/o36.oopen.de.yml

@@ -248,6 +248,11 @@ cron_user_special_time_entries:
 
 cron_user_entries:
 
+  - name: "Check if webservices sre running. Restart if necessary"
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_webservice_load.sh
+
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'
     hour: '*'

host_vars/o39.oopen.de.yml

@@ -250,6 +250,11 @@ cron_user_special_time_entries:
 
 cron_user_entries:
 
+  - name: "Check if webservices sre running. Restart if necessary"
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_webservice_load.sh
+
   - name: "Check if SSH service is running. Restart service if needed."
     minute: '*/5'
     hour: '*'

host_vars/o41.oopen.de.yml

@@ -116,8 +116,8 @@ cron_env_entries:
     insertafter: PATH
 
 
-cron_user_special_time_entries:
-
+#cron_user_special_time_entries:
+#
 #  - name: "Restart DNS Cache service 'systemd-resolved'"
 #    special_time: reboot
 #    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"

host_vars/test.mariadb.oopen.de.yml

@@ -0,0 +1,56 @@
+---
+
+# ---
+# vars used by role 'firewall'
+# ---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by cron.yml
+# ---
+
+#cron_env_entries: []
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff:/root/bin:/usr/local/php/bin:/usr/local/apache2/bin:/sbin:/bin:/usr/local/dovecot/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+

host_vars/web0.warenform.de.yml

@@ -26,7 +26,7 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
   - pdftk
   - subversion
   - subversion-tools

host_vars/web1.warenform.de.yml

@@ -26,7 +26,8 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
+  - pdftk
   - subversion
   - subversion-tools
 

host_vars/web2.warenform.de.yml

@@ -26,7 +26,8 @@
 
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
-  - wkhtmltopdf
+  - weasyprint
+  - pdftk
   - subversion
   - subversion-tools
 

hosts

@@ -163,6 +163,7 @@ o15.oopen.de
 
 o17.oopen.de
 test.mx.oopen.de
+test.mariadb.oopen.de
 
 # Exil e.V.
 o18.oopen.de
@@ -283,6 +284,7 @@ mm-rav.oopen.de
 o43.oopen.de
 formbricks-nd.oopen.de
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
 test-nd.oopen.de
@@ -500,6 +502,7 @@ mm-rav.oopen.de
 o43.oopen.de
 formbricks-nd.oopen.de
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
 test-nd.oopen.de
@@ -940,6 +943,7 @@ mm-rav.oopen.de
 
 # o43 - ND prometheus, web
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
 
@@ -1081,6 +1085,7 @@ mm-rav.oopen.de
 
 # o43 - ND app
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 
 
@@ -1701,6 +1706,7 @@ mm-rav.oopen.de
 
 # o43 - ND 
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
 test-nd.oopen.de
@@ -1942,6 +1948,7 @@ mm-rav.oopen.de
 o43.oopen.de
 formbricks-nd.oopen.de
 keycloak-nd.oopen.de
+iam-nd.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
 test-nd.oopen.de

roles/ansible_dependencies-bookworm/tasks/main.yml

@@ -19,11 +19,8 @@
   raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
 
 - name: dpkg --configure -a
-  command: >
-    dpkg --configure -a
-  args:
-    warn: false
-  changed_when: _dpkg_configure.stdout_lines | length
+  ansible.builtin.command: dpkg --configure -a
+  changed_when: (_dpkg_configure.stdout | default('')) | length > 0
   register: _dpkg_configure
   when: apt_dpkg_configure|bool
   tags:
@@ -44,4 +41,3 @@
     state: "{{ apt_install_state }}"
   tags:
     - ansible-dependencies
-

roles/common/handlers/main.yml

@@ -112,3 +112,10 @@
     daemon_reload: yes
     state: restarted
 
+- name: Reload AppArmor profile clamd
+  command: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
+
+- name: Restart clamav-daemon
+  service:
+    name: clamav-daemon
+    state: restarted

roles/common/tasks/samba-config-server.yml

@@ -1,19 +1,31 @@
 ---
-
 # ---
 # Samba Server
 # ---
 
-
-- name: (samba-install.yml) Ensure samba packages server are installed.
+- name: (samba-config-server.yml) Ensure samba packages server are installed.
   package:
-    pkg: '{{ apt_install_server_samba }}'
+    pkg: "{{ apt_install_server_samba }}"
     state: present
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
   tags:
     - samba-server
 
+- name: (samba-config-server.yml) Ensure quarantine directory exists
+  file:
+    path: /data/samba/QUARANTINE
+    owner: root
+    group: root
+    mode: "0750"
+    state: directory
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
 - name: (samba-config-server.yml) Ensure samba share directories exists
   file:
     path: "{{ item.path }}"
@@ -24,12 +36,197 @@
     recurse: no
   with_items: "{{ samba_shares }}"
   loop_control:
-    label: '{{ item.name }}'
+    label: "{{ item.name }}"
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
   tags:
     - samba-shares
 
+# ---
+# Virusfilter (ClamAV) - only when at least one share has vfs_object_virusfilter: true
+# ---
+
+- name: (samba-config-server.yml) Ensure virusfilter (ClamAV) packages are installed
+  package:
+    pkg: "{{ apt_install_server_samba_virusfilter }}"
+    state: present
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Check if ClamAV virus databases are present
+  find:
+    paths: /var/lib/clamav
+    patterns:
+      - "*.cvd"
+      - "*.cld"
+  register: clamav_db_files
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
+  service:
+    name: clamav-freshclam
+    state: stopped
+  failed_when: false
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+    - clamav_db_files.files | length == 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
+  service:
+    name: clamav-daemon
+    state: started
+    enabled: yes
+  failed_when: false
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
+  command: freshclam
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+    - clamav_db_files.files | length == 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
+  service:
+    name: clamav-daemon
+    state: started
+    enabled: yes
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
+  service:
+    name: clamav-freshclam
+    state: started
+    enabled: yes
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure clamav user is member of all Samba groups
+  user:
+    name: clamav
+    groups: "{{ item.name }}"
+    append: yes
+  loop: "{{ samba_groups }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
+      selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+    - samba_groups | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure clamav user is member of all Samba user groups (homes virusfilter)
+  user:
+    name: clamav
+    groups: "{{ item.name }}"
+    append: yes
+  loop: "{{ samba_user }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_homes_virusfilter | default(false) | bool
+    - samba_user | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Get home directories of samba users via getent (homes virusfilter)
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ item.name }}"
+  loop: "{{ samba_user }}"
+  loop_control:
+    label: "{{ item.name }}"
+  register: samba_user_getent
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_homes_virusfilter | default(false) | bool
+    - samba_user | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
+  file:
+    path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
+    mode: "0750"
+    state: directory
+  loop: "{{ samba_user_getent.results | default([]) }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_homes_virusfilter | default(false) | bool
+    - item.ansible_facts is defined
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+
+- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
+  template:
+    src: etc/apparmor.d/local/usr.sbin.clamd.j2
+    dest: /etc/apparmor.d/local/usr.sbin.clamd
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Reload AppArmor profile clamd
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
+      selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
+
+- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
+  lineinfile:
+    path: /etc/clamav/clamd.conf
+    regexp: "^#?\\s*AllowAllMatchScan\\s"
+    line: "AllowAllMatchScan true"
+    state: present
+  notify: Restart clamav-daemon
+  when:
+    - inventory_hostname in groups['samba_server']
+    - samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
+      selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
+  tags:
+    - samba-server
+    - samba-virusfilter
 
 # ---
 # /etc/samba/smb.conf
@@ -40,19 +237,18 @@
     path: /etc/samba/smb.conf.ORIG
   register: smb_conf_exists
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
   tags:
     - samba-server
 
 - name: (samba-config-server.yml) Backup existing file /etc/samba/smb.conf
   command: cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ORIG
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
     - smb_conf_exists.stat.exists == False
   tags:
     - samba-server
 
-
 - name: (samba-config-server.yml) /etc/samba/smb.conf
   template:
     dest: /etc/samba/smb.conf
@@ -61,16 +257,13 @@
     group: root
     mode: 0644
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
-    - samba_user is defined and samba_user|length > 0
-    - samba_shares is defined and samba_shares|length > 0
+    - inventory_hostname in groups['samba_server']
   notify:
     - Restart smbd
     - Restart nmbd
   tags:
     - samba-server
 
-
 - name: (samba-config-server.yml) Ensure file /etc/samba/users.map exists
   copy:
     src: "{{ role_path + '/files/etc/samba/users.map' }}"
@@ -79,14 +272,13 @@
     group: root
     mode: 0644
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
   notify:
     - Restart smbd
     - Restart nmbd
   tags:
     - samba-server
 
-
 # ---
 # Cronjob for cleaning up samba trash dirs
 # ---
@@ -97,25 +289,25 @@
   register: clean_samba_trash_exists
   when:
     - inventory_hostname in groups['samba_server']
-  tags: [samba-server, samba-cron]
-
+  tags:
+    - samba-server
+    - samba-cron
 
 - name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
   template:
     dest: /root/bin/samba/conf/clean_samba_trash.conf
     src: root/bin/samba/conf/clean_samba_trash.conf.j2
   when:
-    - "groups['samba_server']|string is search(inventory_hostname)"
+    - inventory_hostname in groups['samba_server']
     - clean_samba_trash_exists.stat.exists|bool
   tags:
     - samba-server
     - samba-cron
 
-
 - name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
   ansible.builtin.lineinfile:
     path: /root/bin/samba/conf/clean_samba_trash.conf
-    regexp: '^trash_dirs=*'
+    regexp: "^trash_dirs=*"
     state: absent
   check_mode: true
   changed_when: false
@@ -124,7 +316,6 @@
     - inventory_hostname in groups['samba_server']
   tags: [samba-server, samba-cron]
 
-
 - name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
   ansible.builtin.cron:
     name: "{{ samba_cronjob_trash_dirs.name }}"
@@ -141,7 +332,6 @@
     - (clean_samba_trash_dirs.found | int) > 0
   tags: [samba-server, samba-cron]
 
-
 # ---
 # Cronjob for setting permissions on samba shares
 # ---
@@ -154,7 +344,6 @@
     - inventory_hostname in groups['samba_server']
   tags: [samba-server, samba-cron]
 
-
 - name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
   ansible.builtin.template:
     dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
@@ -164,7 +353,6 @@
     - set_permissions_on_samba_shares_exists.stat.exists | bool
   tags: [samba-server, samba-cron]
 
-
 - name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs
   ansible.builtin.cron:
     name: "{{ samba_cronjob_permissions.name }}"
@@ -177,7 +365,5 @@
     job: "{{ samba_cronjob_permissions.job }}"
   when:
     - inventory_hostname in groups['samba_server']
-    - (clean_samba_trash_dirs.found | int) > 0     # << int -> bool
+    - (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
   tags: [samba-server, samba-cron]
-
-

roles/common/tasks/webadmin-user.yml

@@ -197,7 +197,7 @@
     label: '{{ item.item.name }}'
   when:
     - item.stat.exists
-    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
+    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') != ''
   tags:
     - webadmin
     - bash
@@ -240,7 +240,7 @@
     label: '{{ item.item.name }}'
   when:
     - item.stat.exists
-    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
+    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') != ''
   tags:
     - webadmin
     - profile
@@ -261,7 +261,7 @@
     label: '{{ item.item.name }}'
   when:
     - item.stat.exists
-    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
+    - lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') != ''
   tags:
     - webadmin
     - vim
@@ -288,4 +288,3 @@
   tags:
     - webadmin
     - vim
-

roles/common/templates/etc/apparmor.d/local/usr.sbin.clamd.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+# see: roles/common/tasks/samba-config-server.yml
+
+/data/** r,
+/data/samba/QUARANTINE/** rw,
+{% if samba_homes_virusfilter | default(false) | bool %}
+{{ base_home }}/** r,
+{% if base_home != '/home' %}
+/home/** r,
+{% endif %}
+{% endif %}

roles/common/templates/etc/samba/smb.conf.j2

@@ -305,6 +305,14 @@
 # next parameter to 'no' if you want to be able to write to them.
    read only = no
 
+{% if samba_homes_virusfilter | default(false) | bool %}
+# Virusfilter aktiv: Gruppe benötigt Leserecht, damit clamd (als Gruppenmitglied)
+# Dateien und Verzeichnisse direkt öffnen kann (SCAN-Kommando an clamd).
+   create mask = 0640
+   force create mode = 0040
+   directory mask = 0750
+   force directory mode = 0050
+{% else %}
 # File creation mask is set to 0700 for security reasons. If you want to
 # create files with group=rw permissions, set next parameter to 0775.
    create mask = 0700
@@ -312,6 +320,7 @@
 # Directory creation mask is set to 0700 for security reasons. If you want to
 # create dirs. with group=rw permissions, set next parameter to 0775.
    directory mask = 0700
+{% endif %}
 
 # By default, \\server\username shares can be connected to by anyone
 # with access to the samba server.
@@ -319,6 +328,35 @@
 # to \\server\username
 # This might need tweaking when using external authentication schemes
    valid users = %S
+{% if samba_homes_virusfilter | default(false) | bool %}
+
+   # --- Virusfilter-Einstellungen [homes] ---
+
+   vfs objects = virusfilter
+
+   virusfilter:scanner = clamav
+   virusfilter:socket path = /var/run/clamav/clamd.ctl
+
+   virusfilter:infected file action = delete
+
+   virusfilter:cache entry limit = 1000
+   virusfilter:cache time limit = 60
+
+   virusfilter:max file size = 26214400
+   virusfilter:min file size = 10
+
+   virusfilter:scan on open = yes
+   virusfilter:scan on close = yes
+
+   # Fehlercode bei infizierter Datei (beim Öffnen)
+   virusfilter:infected file errno on open = EACCES
+
+   # Fehlercode beim Schließen
+   virusfilter:infected file errno on close = EACCES
+
+   virusfilter:connect timeout = 30000
+   virusfilter:io timeout = 60000
+{% endif %}
 
 # Un-comment the following and create the netlogon directory for Domain Logons
 # (you need to configure Samba to act as a domain controller too.)
@@ -412,10 +450,19 @@
    #
    wide links = yes
 {%    endif %}
+{%-  set vfs_objects_parts = [] %}
+{%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool and item.recycle_path is defined and item.recycle_path|length > 0 %}
+{%-    set _ = vfs_objects_parts.append('recycle') %}
+{%   endif %}
+{%   if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
+{%-    set _ = vfs_objects_parts.append('virusfilter') %}
+{%   endif %}
+{%   if vfs_objects_parts | length > 0 %}
+
+   vfs objects = {{ vfs_objects_parts | join(' ') }}
+{%   endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}
-
-   vfs objects = recycle
    recycle:keeptree = yes
    # touch access time from this file
    # note: this is not the modified time, which is
@@ -449,11 +496,48 @@
    veto files = /{{ item.recycle_path | default('@Recycle.Bin') }}/.DS_Store/
 {%         endif %}
    delete veto files = yes
-{%      else %}
-
 {%      endif %}
-{%   else %}
+{%   endif %}
+{%   if item.vfs_object_virusfilter is defined and item.vfs_object_virusfilter|bool %}
 
+   # --- Virusfilter-Einstellungen ---
+
+   # Scanner auswählen
+   virusfilter:scanner = clamav
+
+   # Socket-Pfad (Debian-Standard)
+   virusfilter:socket path = /var/run/clamav/clamd.ctl
+
+   # Verhalten bei Fund
+   virusfilter:infected file action = quarantine
+   virusfilter:quarantine directory = /data/samba/QUARANTINE
+
+   # Performance-Tuning: Ergebnis-Cache
+   #virusfilter:cache entry limit = 500
+   #virusfilter:cache time limit = 30
+
+   # Cache großzügig einstellen
+   virusfilter:cache entry limit = 1000
+   virusfilter:cache time limit = 60
+
+   # Dateigröße: Was wird gescannt?
+   #virusfilter:max file size = 52428800   # 50 MB max
+   virusfilter:max file size = 26214400   # 25 MB max
+   virusfilter:min file size = 10         # unter 10 Byte ignorieren
+
+   # Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
+   virusfilter:scan on open = yes
+   virusfilter:scan on close = yes
+
+   # Fehlercode bei infizierter Datei (beim Öffnen)
+   virusfilter:infected file errno on open = EACCES
+
+   # Fehlercode beim Schließen
+   virusfilter:infected file errno on close = EACCES
+
+   # Timeouts (Millisekunden)
+   virusfilter:connect timeout = 30000
+   virusfilter:io timeout = 60000
 {%   endif %}
 
 {% endfor %}