update..

2024-02-26 00:43:13 +01:00 · 2024-02-26 00:43:13 +01:00 · 1e5274e6e4
commit 1e5274e6e4
parent bf2de2e0f6
17 changed files with 389 additions and 23 deletions
--- a/files/akb.netz/homedirs/root/_bashrc
+++ b/files/akb.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
 alias running_services='systemctl list-units  --type=service  --state=running'
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/flr.netz/homedirs/root/_bashrc
+++ b/files/flr.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
 alias running_services='systemctl list-units  --type=service  --state=running'
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/mbr-bln.netz/homedirs/root/_bashrc
+++ b/files/mbr-bln.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
 alias running_services='systemctl list-units  --type=service  --state=running'
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/files/sprachenatelier.netz/homedirs/root/_bashrc
+++ b/files/sprachenatelier.netz/homedirs/root/_bashrc
@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS'
 alias ll='ls $LS_OPTIONS -l'
 alias la='ls $LS_OPTIONS -al'
 alias l='ls $LS_OPTIONS -lA'
-#
+
 alias running_services='systemctl list-units  --type=service  --state=running'
 # Some more alias to avoid making mistakes:
 #alias rm='rm -i'
 #alias cp='cp -i'
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -996,7 +996,7 @@ resolved_nameserver:
 resolved_domains:
  - oopen.de
-resolved_dnssec: true
+resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
--- a/group_vars/mbr.yml
+++ b/group_vars/mbr.yml
@ -257,6 +257,12 @@ nis_user:
    is_samba_user: true
    password: '20_axis_16'
  - name: scan
    groups:
      - buero-scan
    is_samba_user: true
    password: '20scan13'
 # ---
 # Technik
 # ---
--- a/group_vars/sprachenatelier.yml
+++ b/group_vars/sprachenatelier.yml
@ -190,6 +190,13 @@ nis_user:
    is_samba_user: true
    password: '270988'
  - name: janet
    groups:
      - intern
      - buero
    is_samba_user: true
    password: '211085 '
  - name: jessica
    groups:
      - intern
--- a/host_vars/file-akb.akb.netz.yml
+++ b/host_vars/file-akb.akb.netz.yml
@ -57,7 +57,6 @@ network_interfaces:
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
@ -117,12 +116,13 @@ resolved_nameserver:
 resolved_domains:
  - akb.netz
-resolved_dnssec: true
+resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
-   - 194.150.168.168
+   - 172.16.82.254
 # ---
 # vars used by roles/common/tasks/sshd.yml
--- a/host_vars/file-flr.flr.netz.yml
+++ b/host_vars/file-flr.flr.netz.yml
@ -56,6 +56,74 @@ network_interfaces:
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 resolved_nameserver:
  - 192.168.102.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - flr.netz
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 172.16.102.254
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/host_vars/file-mbr.mbr-bln.netz.yml
+++ b/host_vars/file-mbr.mbr-bln.netz.yml
@ -81,6 +81,75 @@ network_interfaces:
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 resolved_nameserver:
  - 192.168.112.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - oopen.de
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 172.16.112.254
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/host_vars/file-spr.sprachenatelier.netz.yml
+++ b/host_vars/file-spr.sprachenatelier.netz.yml
@ -56,6 +56,74 @@ network_interfaces:
 set_default_limit_nofile: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 resolved_nameserver:
  - 192.168.92.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - oopen.de
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 172.16.92.254
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -76,7 +76,13 @@
 - name: Restart ntp
  service:
-    name: ntp
+    name: ntpsec
    daemon_reload: yes
    state: restarted
 - name: Restart ntpsec
  service:
    name: ntpsec
    daemon_reload: yes
    state: restarted
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -4,10 +4,10 @@
 # NTP Server
 # ---
- name: (ntp.yml) Ensure ntp package is installed.
+- name: (ntp.yml) Ensure ntpsec package is installed.
  apt:
    name:
-      - ntp
+      - ntpsec
    state: present
  when:
    - ansible_os_family == "Debian"
@ -15,27 +15,39 @@
  tags:
    - ntp-server
- name: (ntp.yml) Check file '/etc/ntp.conf.ORIG' exists
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
  stat:
-    path: /etc/ntp.conf.ORIG
+    path: /etc/ntpsec/ntp.conf.ORIG
-  register: etc_ntp_conf_ORIG
+  register: etc_ntpsec_conf_ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
  tags:
    - ntp-server
- name: (ntp.yml) Backup installation version of file '/etc/ntp.conf'
+
-  command: cp -a /etc/ntp.conf /etc/ntp.conf.ORIG
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
  file:
    path: /var/log/ntpsec
    state: directory
    owner: ntpsec
    group: ntpsec
    mode: '0755'
  when:
    - ansible_distribution == "Debian"
 - name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
  command: cp -a /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
  when:
    - groups['file_server']|string is search(inventory_hostname)
-    - etc_ntp_conf_ORIG.stat.exists == False
+    - etc_ntpsec_conf_ORIG.stat.exists == False
  tags:
    - ntp-server
- name: (ntp.yml) Update '/etc/ntp.conf'
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
  template:
-    src: "etc/ntp.conf.j2"
+    src: "etc/ntpsec/ntp.conf.j2"
-    dest: /etc/ntp.conf
+    dest: /etc/ntpsec/ntp.conf
    owner: root
    group: root
    mode: 0644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
@ -3,19 +3,25 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
 {% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
 {% elif ansible_facts['distribution_major_version'] | int == 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
 {% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
@ -30,15 +36,35 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 # but have dependencies not in main (possibly packaged for Debian in non-free).
 # Non-free contains software that does not comply with the DFSG.
 {% if apt_debian_contrib_nonfree_enable %}
 {% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
 {% else %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {% endif %}
 {% endif %}
 {% if apt_debian_contrib_nonfree_enable %}
 {% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
 {% else %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
 {% endif %}
 {% endif %}
 # # N.B. software from this repository may not have been tested as
 # # extensively as that contained in the main release, although it includes
 # # newer versions of some applications which may provide useful features.
 {% if apt_backports_enable %}
 {% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
 {% else %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
 {% endif %}
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2.BAK
@ -0,0 +1,44 @@
 # {{ ansible_managed }}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {% if ansible_facts['distribution_major_version'] | int >= 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
 {% if ansible_facts['distribution_major_version'] | int >= 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
 {% if ansible_facts['distribution_major_version'] | int >= 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% endif %}
 # {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 # Contrib packages contain DFSG-compliant software,
 # but have dependencies not in main (possibly packaged for Debian in non-free).
 # Non-free contains software that does not comply with the DFSG.
 {% if apt_debian_contrib_nonfree_enable %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {% endif %}
 # # N.B. software from this repository may not have been tested as
 # # extensively as that contained in the main release, although it includes
 # # newer versions of some applications which may provide useful features.
 {% if apt_backports_enable %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
--- a/roles/common/templates/etc/ntp.conf.j2.BAK
+++ b/roles/common/templates/etc/ntp.conf.j2.BAK
--- a/roles/common/templates/etc/ntpsec/ntp.conf.j2
+++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2
@ -0,0 +1,52 @@
 # {{ ansible_managed }}
 driftfile /var/lib/ntpsec/ntp.drift
 leapfile /usr/share/zoneinfo/leap-seconds.list
 # To enable Network Time Security support as a server, obtain a certificate
 # (e.g. with Let's Encrypt), configure the paths below, and uncomment:
 # nts cert CERT_FILE
 # nts key KEY_FILE
 # nts enable
 # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
 #statsdir /var/log/ntpsec/
 #statistics loopstats peerstats clockstats
 #filegen loopstats file loopstats type day enable
 #filegen peerstats file peerstats type day enable
 #filegen clockstats file clockstats type day enable
 # This should be maxclock 7, but the pool entries count towards maxclock.
 tos maxclock 11
 # Comment this out if you have a refclock and want it to be able to discipline
 # the clock by itself (e.g. if the system is not connected to the network).
 tos minclock 4 minsane 3
 # Specify one or more NTP servers.
 # Public NTP servers supporting Network Time Security:
 # server time.cloudflare.com nts
 # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 # pick a different set every time it starts up.  Please consider joining the
 # pool: <https://www.pool.ntp.org/join.html>
 #pool 0.debian.pool.ntp.org iburst
 #pool 1.debian.pool.ntp.org iburst
 #pool 2.debian.pool.ntp.org iburst
 #pool 3.debian.pool.ntp.org iburst
 server {{ ntp_server }}
 # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
 # for details.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
 restrict default kod nomodify nopeer noquery limited
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1