From 06a76ef006f8b0f94adaba19085172979ab4465c Mon Sep 17 00:00:00 2001 From: mg Date: Wed, 6 Jan 2021 18:09:09 +0100 Subject: [PATCH] Doku aktualisiert (#27) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bessere erklärung passwörter doku Doku zusammengefasst Housekeeping Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com> Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/27 Co-Authored-By: mg Co-Committed-By: mg
---
 README.md | 49 ++++++
 example_cli.txt | 1 -
 fix_permissions.sh | 4 -
 list_collections.sh | 3 -
 roles/mgrote.fileserver_smb/Notizen.md | 207 -------------------------
 vault_infos.md | 22 ---
 6 files changed, 49 insertions(+), 237 deletions(-)
 delete mode 100644 example_cli.txt
 delete mode 100644 fix_permissions.sh
 delete mode 100644 list_collections.sh
 delete mode 100644 roles/mgrote.fileserver_smb/Notizen.md
 delete mode 100644 vault_infos.md
diff --git a/README.md b/README.md
index 195fa744..95eec7b1 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,50 @@
 # ansible_heimserver
+
+## example-cli
+ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml
+
+
+## install necessary collections
+`ansible-galaxy collection install -r requirements.yml`
+
+## list installed collections
+`ansible-galaxy collection list -vvv`
+
+## fix ansible vault-permissions
+```
+sudo chmod 400 id_rsa_ansible_user
+sudo chmod 400 vault-pass.yml
+```
+
+## vault + KeePass LookUp-Plugin
+
+### Einrichtung
+Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
+
+Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
+"vault-pass.yml" steht mit in der .gitignore
+Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
+Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
+Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string ` erstellt.
+
+### Erklärung
+ keepass_dbx: "./keepass_db.kdbx"
+ keepass_psw: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62383737XXXXXX531
+1. mit vault-pass.yml wird das Kennwort an ansible-vault übergeben
+2. ansible-vault entschlüsselt hiermit die variable "keepass_psw"
+3. der Inhalt der Variable wird dann an das KeePass-Lookup-Plugin übergeben was damit die KeePass-Datei öffnet
+
+
+
+### Abfrage der Secrets in tasks/playbooks
+`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
+
+#### Erklärung
+```
+restic_repository_password: <-- Ansible Variablen Name
+lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
+restic_repository_password <-- Titel Eintrag mit Secret
+password <-- Feldbzeichner in KeepassDB
+```
diff --git a/example_cli.txt b/example_cli.txt
deleted file mode 100644
index 99b73955..00000000
--- a/example_cli.txt
+++ /dev/null
@@ -1 +0,0 @@
-ansible-playbook playbooks/base/0_master.yml -i inventory --limit jenkins-test.grote.lan --key-file id_rsa_ansible_user --vault-pass-file vault-pass.yml
diff --git a/fix_permissions.sh b/fix_permissions.sh
deleted file mode 100644
index 4d50fc7c..00000000
--- a/fix_permissions.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-sudo chmod 400 /home/mg/ansible/id_rsa_ansible_user
-sudo chmod 400 /home/mg/ansible/vault-pass.yml
-# Datei muss Zeilenende LF haben
diff --git a/list_collections.sh b/list_collections.sh
deleted file mode 100644
index acb87be9..00000000
--- a/list_collections.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-ansible-galaxy collection list -vvv
-# Datei muss Zeilenende LF haben
diff --git a/roles/mgrote.fileserver_smb/Notizen.md b/roles/mgrote.fileserver_smb/Notizen.md
deleted file mode 100644
index e1939041..00000000
--- a/roles/mgrote.fileserver_smb/Notizen.md
+++ /dev/null
@@ -1,207 +0,0 @@ - path = /media/share - writeable = yes - browseable = yes - public = yes - create mask = 0644 - directory mask = 0755 - force user = shareuser - fuer alle - - - - - - - - - - - - - - - name: Erstelle SAMBA-Shares - template: - src: smb.conf - dest: /etc/samba/smb.conf - validate: 'testparm -s %s' - notify: smbd neustarten - - - - - name: Testing Iteration - copy: - dest: /etc/samba/smb.conf - content: | - {% for freigaben in [freigaben] %} - [{{ item.freigabename }}] - read only = no - browseable = yes - public = yes - writable = yes - available = yes - valid users {{ item.erlaubte_user }} - path = /shares/{{ item.ordnername }} - - {% endfor %} - - - -(% for freigaben in {{ freigaben }} %) - -{{ item.freigabename }} -read only = no - -(% endfor %) - - - valid users {{ item.erlaubte_user }} - - -[mg] - path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/mg - hide special files = Yes - create mask = 0664 - directory mask = 0775 - force create mode = 0664 - force directory mode = 0775 - inherit acls = Yes - read only = No - valid users = michaelgrote win10 - write list = michaelgrote win10 - vfs objects = recycle - recycle:maxsize = 0 - recycle:exclude_dir = - recycle:exclude = - recycle:subdir_mode = 0700 - recycle:directory_mode = 0777 - recycle:touch = yes - recycle:versions = yes - recycle:keeptree = yes - recycle:repository = .recycle/%U - - - -[aptcacherng] - path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/aptcacherng - hide special files = Yes - create mask = 0664 - directory mask = 0775 - force create mode = 0664 - force directory mode = 0775 - inherit permissions = Yes - read only = No - - - - -[Backup] - path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/Backup - hide special files = Yes - create mask = 0664 - directory mask = 0775 - force create mode = 0664 - force directory mode = 0775 - inherit acls = Yes - read only = No - valid users = annemariedroessler michaelgrote restic toolserver win10 - write list = annemariedroessler michaelgrote 
restic toolserver win10 - vfs objects = recycle - recycle:maxsize = 0 - recycle:exclude_dir = - recycle:exclude = - recycle:subdir_mode = 0700 - recycle:directory_mode = 0777 - recycle:touch = yes - recycle:versions = yes - recycle:keeptree = yes - recycle:repository = .recycle/%U - - -[amd] - path = /srv/7050c4a3-98ad-41bd-804d-a85c94b16468/amd - hide special files = Yes - create mask = 0664 - directory mask = 0775 - force create mode = 0664 - force directory mode = 0775 - inherit acls = Yes - read list = michaelgrote win10 - read only = No - valid users = michaelgrote annemariedroessler win10 - write list = annemariedroessler - vfs objects = recycle - recycle:maxsize = 0 - recycle:exclude_dir = - recycle:exclude = - recycle:subdir_mode = 0700 - recycle:directory_mode = 0777 - recycle:touch = yes - recycle:versions = yes - recycle:keeptree = yes - recycle:repository = .recycle/%U - - - - - - - - - - - server string = %h server - log file = /var/log/samba/log.%m - logging = syslog - max log size = 1000 - panic action = /usr/share/samba/panic-action %d - disable spoolss = Yes - load printers = No - printcap name = /dev/null - map to guest = Bad User - pam password change = Yes - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - passwd program = /usr/bin/passwd %u - socket options = TCP_NODELAY IPTOS_LOWDELAY - dns proxy = No - idmap config * : backend = tdb - printing = bsd - acl allow execute always = Yes - create mask = 0777 - directory mask = 0777 - aio read size = 16384 - aio write size = 16384 - allocation roundup size = 4096 - use sendfile = Yes - - - - -Variable precedence -docs - -From 2.0 on, from lowest priority to highest - in other words, if a variable is defined in two places, the place that’s farther down in this list takes precedence. 
-
-role defaults [1]
-inventory file or script group vars [2]
-inventory group_vars/all [3]
-playbook group_vars/all [3]
-inventory group_vars/* [3]
-playbook group_vars/* [3]
-inventory file or script host vars [2]
-inventory host_vars/*
-playbook host_vars/*
-host facts / cached set_facts [4]
-inventory host_vars/* [3]
-playbook host_vars/* [3]
-host facts
-play vars
-play vars_prompt
-play vars_files
-role vars (defined in role/vars/main.yml)
-block vars (only for tasks in block)
-task vars (only for the task)
-include_vars
-set_facts / registered vars
-role (and include_role) params
-include params
-extra vars (defined on command line with -e, always win precedence)
diff --git a/vault_infos.md b/vault_infos.md
deleted file mode 100644
index 7a1baf73..00000000
--- a/vault_infos.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Ansible Vault + KeePass LookUp-Plugin
-
-# Einrichtung
-Das Plugin wird bei einer Installation mit dem Playbook "ansible" mit eingerichtet.
-
-Die "Secrets" liegen in der KeepassDB die mit dem Kennwort aus "vault-pass.yml" verschlüsselt ist.
-"vault-pass.yml" steht mit in der .gitignore
-Die Variable "vault_password_file" ist mit " ~/ansible/vault-pass.yml" in der ansible.cfg gesetzt.
-Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
-Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string ` erstellt.
-
-
-# Abfrage der Secrets in tasks/playbooks
-`restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"`
-
-## Erklärung
-```
-restic_repository_password: <-- Ansible Variablen Name
-lookup('keepass' <-- Aufruf Keepass-Lookup-Plugin
-restic_repository_password <-- Titel Eintrag mit Secret
-password <-- Feldbzeichner in KeepassDB
-```