diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index e1ca084..2658d02 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -876,6 +876,75 @@ apt_remove_jammy: [] apt_remove_purge: false + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: false + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +resolved_nameserver: + - 195.10.195.195 + - 1.1.1.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # ========== # vars used by roles/common/tasks/git.yml # ========== diff --git a/group_vars/mbr.yml b/group_vars/mbr.yml index 44efc7f..bbd7ba4 100644 --- a/group_vars/mbr.yml +++ b/group_vars/mbr.yml 
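Review bot: `resolved_dnssec: true` is a YAML boolean, so the template in this commit renders it as Jinja's `True`; systemd's boolean parser appears to accept that case-insensitively, but `DNSSEC=yes` makes every validation failure at an upstream that does not return DNSSEC records a hard resolution failure, and a boolean leaves no way to select the daemon's `allow-downgrade` mode. Keep the variable a string with the values resolved.conf documents, e.g. `resolved_dnssec: "allow-downgrade"`, and let the template pass it through verbatim. `resolved_fallback_nameserver` is, per resolved.conf(5), only consulted when no `DNS=` or per-link server is known at all, so with `resolved_nameserver` set in every host file it is effectively inert — if 194.150.168.168 is meant as a backup, list it in `resolved_nameserver` instead. The provider comment block above `resolved_nameserver` is copied verbatim into host_vars/file-akb.akb.netz.yml and the new host_vars/gw-akb.oopen.de.yml; keeping it once here and leaving the host files with only the overridden keys avoids three copies drifting apart.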
@@ -427,6 +427,14 @@ nis_user: is_samba_user: true password: 'frueh_FREI_22!' + - name: karim.kahn + groups: + - all-users + - buero-scan + - bgn + is_samba_user: true + password: 'g6Gb/J.fZU9F' + - name: laura.berner groups: - all-users diff --git a/group_vars/sprachenatelier.yml b/group_vars/sprachenatelier.yml index adef597..ce3ceae 100644 --- a/group_vars/sprachenatelier.yml +++ b/group_vars/sprachenatelier.yml @@ -204,6 +204,13 @@ nis_user: is_samba_user: true password: '100978' + - name: lena + groups: + - no-backup + - buero + is_samba_user: true + password: '6-uXi-wc/CM3' + - name: lara groups: - intern @@ -456,6 +463,7 @@ samba_shares: - jessica - konstantin - lara + - lena - linda - margit - mariam diff --git a/host_vars/file-akb.akb.netz.yml b/host_vars/file-akb.akb.netz.yml index a9976a4..fd3b920 100644 --- a/host_vars/file-akb.akb.netz.yml +++ b/host_vars/file-akb.akb.netz.yml 
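Review bot: The new `nis_user` entry stores `password:` in cleartext in group_vars, and the same applies to the `lena` entry in the group_vars/sprachenatelier.yml hunk; once pushed these values remain in git history for everyone with read access to the repository. Encrypt each value with `ansible-vault encrypt_string --name password` (or keep the password keys in a vaulted vars file) and reference it from the user entry, and treat the values in this commit as exposed: rotate them once the vaulted replacement is in place. The trailing samba_shares hunk that adds `- lena` to a share's user list needs no change.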
@@ -56,6 +56,74 @@ network_interfaces: set_default_limit_nofile: true + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +resolved_nameserver: + - 192.168.82.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - akb.netz + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + # --- # vars used by roles/common/tasks/sshd.yml # --- diff --git a/host_vars/gw-akb.oopen.de.yml b/host_vars/gw-akb.oopen.de.yml new file mode 100644 index 0000000..d348d8e --- /dev/null 
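Review bot: `resolved_dnssec: true` together with `resolved_nameserver: [192.168.82.1]` makes systemd-resolved demand validated answers from what looks like the local gateway; if that forwarder strips or does not pass DNSSEC records, every lookup on this file server fails instead of degrading. Unless 192.168.82.1 is known to be a validating or DNSSEC-transparent resolver, `resolved_dnssec: "allow-downgrade"` is the safer setting here — the template renders the value verbatim, so the string goes through unchanged. A one-line comment above `resolved_nameserver` naming what 192.168.82.1 is (router, local unbound, …) would also spare the next reader the guesswork.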
+++ b/host_vars/gw-akb.oopen.de.yml
@@ -0,0 +1,79 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+set_default_limit_nofile: true
+
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+# Primäre DNS-Adresse: 38.132.106.139
+# Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+# primäre DNS-Adresse
+# IPv4: 1.1.1.1
+# IPv6: 2606:4700:4700::1111
+# sekundäre DNS-Adresse
+# IPv4: 1.0.0.1
+# IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+# primäre DNS-Adresse
+# IPv4: 8.8.8.8
+# IPv6: 2001:4860:4860::8888
+# sekundäre DNS-Adresse
+# IPv4: 8.8.4.4
+# IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+# primäre DNS-Adresse
+# IPv4: 9.9.9.9
+# IPv6: 2620:fe::fe
+# sekundäre DNS-Adresse
+# IPv4: 149.112.112.112
+# IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+# IPv4: 195.10.195.195 - ns31.de
+# IPv4: 94.16.114.254 - ns28.de
+# IPv4: 51.254.162.59 - ns9.de
+# IPv4: 194.36.144.87 - ns29.de
+# IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+# IPv4: 5.1.66.255
+# IPv6: 2001:678:e68:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# IPv4: 185.150.99.255
+resolved_nameserver:
+ - 127.0.0.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+ - akb.netz
+
+resolved_dnssec: true
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+ - 194.150.168.168
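Review bot: `resolved_nameserver: [127.0.0.1]` needs a comment naming the resolver that listens there, because systemd-resolved's own stub lives on 127.0.0.53 and nothing in this commit shows what answers on 127.0.0.1; if that service is itself configured to forward to the stub, the two loop, and if it is not a validating resolver the `resolved_dnssec: true` caveat from host_vars/file-akb.akb.netz.yml applies here as well. The `# vars used by roles/network_interfaces` stanza at the top announces variables and then defines none — drop it or fill it in, so the header does not suggest configuration that is not there.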
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ea27b07..097b0c5 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -89,4 +89,7 @@ name: pure-ftpd state: restarted - +- name: Restart systemd-resolved + service: + name: systemd-resolved + state: restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index d5df914..3e27109 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -31,6 +31,18 @@ tags: apt +# tags supported inside systemd-resolved.yml +# +# systemd-resolved +- import_tasks: systemd-resolved.yml + tags: + - systemd-resolved + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] > "11" + - systemd_resolved is defined and systemd_resolved|bool + + # tags supportetd inside git.yml # # git-default-repositories diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml new file mode 100644 index 0000000..bc6504f --- /dev/null +++ b/roles/common/tasks/systemd-resolved.yml 
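Review bot: `ansible_facts['distribution_major_version'] > "11"` in the new `import_tasks` block compares two strings, so Debian 9 (`"9" > "11"` is true lexicographically) would import the tasks while Debian 10 would not; cast first: `- ansible_facts['distribution_major_version'] | int > 11`. The `when:` and `tags:` on `import_tasks` are applied to every task in systemd-resolved.yml, so the `systemd_resolved is defined and systemd_resolved|bool` condition repeated inside that file duplicates the third condition here — keep it in one place so the two cannot drift apart. The handler hunk in roles/common/handlers/main.yml needs no change.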
@@ -0,0 +1,76 @@
+---
+
+# ---
+# Set some facts
+# ---
+
+- name: (systemd-resolved.yml) Set fact_resolved_nameserver (blank separated list)
+ set_fact:
+ fact_resolved_nameserver: "{{ resolved_nameserver | join (' ') }}"
+ when:
+ - resolved_nameserver is defined and resolved_nameserver | length > 0
+ tags:
+ - systemd-resolved
+
+- name: (systemd-resolved.yml) Set fact_resolved_fallback_nameserver (blank separated list)
+ set_fact:
+ fact_resolved_fallback_nameserver: "{{ resolved_fallback_nameserver | join (' ') }}"
+ when:
+ - resolved_fallback_nameserver is defined and resolved_fallback_nameserver | length > 0
+ tags:
+ - systemd-resolved
+
+- name: (systemd-resolved.yml) Set fact_resolved_domains (blank separated list)
+ set_fact:
+ fact_resolved_domains: "{{ resolved_domains | join (' ') }}"
+ when:
+ - resolved_domains is defined and resolved_domains | length > 0
+ tags:
+ - systemd-resolved
+
+
+
+# ---
+# Install/Enable systemd-resolved package
+# ---
+
+- name: (systemd-resolved.yml) Ensure systemd-resolved package is installed.
+ package:
+ pkg: systemd-resolved
+ state: present
+ when:
+ - systemd_resolved is defined and systemd_resolved|bool
+ tags:
+ - systemd-resolved
+
+- name: (systemd-services.yml) Enable service
+ systemd:
+ name: systemd-resolved
+ enabled: true
+ when:
+ - systemd_resolved is defined and systemd_resolved|bool
+ tags:
+ - systemd-resolved
+
+
+
+# ---
+# Create configuration for systemd-resolved
+# ---
+
+- name: (systemd-resolved.yml) Ensure directory '/etc/systemd/resolved.conf.d' exists
+ file:
+ path: /etc/systemd/resolved.conf.d
+ state: directory
+ mode: 0755
+ group: root
+ owner: root
+
+- name: (systemd-resolved.yml) Create/Update file '/etc/systemd/resolved.conf.d/50-resolved-local.conf' from template sshd_config.j2
+ template:
+ src: etc/systemd/resolved.conf.d/50-resolved-local.conf
+ dest: /etc/systemd/resolved.conf.d/50-resolved-local.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: "Restart systemd-resolved"
diff --git a/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
new file mode 100644
index 0000000..f5167c5
--- /dev/null
+++ b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
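Review bot: The template task's name says `from template sshd_config.j2` although `src:` is etc/systemd/resolved.conf.d/50-resolved-local.conf, and the enable task is labelled `(systemd-services.yml)` in a file called systemd-resolved.yml — both read as copies from neighbouring task files and will mislead anyone scanning play output, so rename them to match what they do. The enable task sets `enabled: true` without `state: started`, so on a host where the unit is installed but stopped nothing starts it unless the template changes and the handler fires — add `state: started` next to `enabled: true` so the play converges on its own. `mode: 0755` and `mode: 0644` are unquoted leading-zero literals that only work because YAML 1.1 reads them as octal; write `mode: "0755"` / `mode: "0644"` as the Ansible docs recommend. The directory and template tasks also lack the `tags: [systemd-resolved]` the earlier tasks carry; the import in roles/common/tasks/main.yml applies the tag anyway, so either drop it everywhere in this file or add it to these two for consistency.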
@@ -0,0 +1,30 @@
+# *** ---------------------------------------------- ***
+# *** ***
+# {{ ansible_managed }}
+# *** ***
+# *** ---------------------------------------------- ***
+
+[Resolve]
+{% if (fact_resolved_nameserver is defined) and fact_resolved_nameserver %}
+DNS={{ fact_resolved_nameserver}}
+{% else %}
+#DNS=
+{% endif -%}
+
+{% if (fact_resolved_fallback_nameserver is defined) and fact_resolved_fallback_nameserver %}
+FallbackDNS={{ fact_resolved_fallback_nameserver }}
+{% else %}
+#FallbackDNS=
+{% endif -%}
+
+{% if (fact_resolved_domains is defined) and fact_resolved_domains %}
+Domains={{ fact_resolved_domains }}
+{% else %}
+#Domains=
+{% endif -%}
+
+{% if (resolved_dnssec is defined) and resolved_dnssec %}
+DNSSEC={{ resolved_dnssec }}
+{% else %}
+#Domains=
+{% endif %}
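Review bot: The `{% else %}` branch of the last block writes `#Domains=` where `#DNSSEC=` was meant — a copy-paste slip from the block above — and because that branch is taken whenever `resolved_dnssec` is false, the rendered file can never state `DNSSEC=no` explicitly; the host then silently keeps the distribution default. Change the branch to `DNSSEC=no` (or at minimum `#DNSSEC=`) so that `resolved_dnssec: false` has a visible effect. `DNSSEC={{ resolved_dnssec }}` renders a YAML boolean as `True`, which systemd's boolean parser appears to accept, but the option's documented values are `yes`, `no` and `allow-downgrade`; rendering a string variable verbatim (as the template already does) is the cleaner contract, provided the callers set one. `{{ fact_resolved_nameserver}}` is missing the space before `}}` that every other expression in the file has.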