ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update.

Browse Source
This commit is contained in:
Christoph 2021-09-05 02:25:16 +02:00
parent 707e261c13
commit 010eba0149
21 changed files with 714 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
group_vars/all/main.yml
View File

@ -83,20 +83,20 @@ copy_plain_files_sysctl:
# /etc/sysctl.d/*.conf
#
- name: dovecot
src_path: etc/sysctl.d/20-dovecot.conf
dest_path: /etc/sysctl.d/20-dovecot.conf
src_path: etc/sysctl.d/50-dovecot.conf
dest_path: /etc/sysctl.d/50-dovecot.conf
- name: redis
src_path: etc/sysctl.d/20-redis.conf
dest_path: /etc/sysctl.d/20-redis.conf
src_path: etc/sysctl.d/50-redis.conf
dest_path: /etc/sysctl.d/50-redis.conf
- name: swappiness
src_path: etc/sysctl.d/20-swappiness.conf
dest_path: /etc/sysctl.d/20-swappiness.conf
src_path: etc/sysctl.d/50-swappiness.conf
dest_path: /etc/sysctl.d/50-swappiness.conf
- name: ddos
src_path: etc/sysctl.d/90-ddos.conf
dest_path: /etc/sysctl.d/90-ddos.conf
src_path: etc/sysctl.d/10-ddos.conf
dest_path: /etc/sysctl.d/10-ddos.conf
@ -358,6 +358,7 @@ apt_initial_install_buster:
- zsh
- lua5.3
- btrfs-tools
- fdisk
apt_initial_install_bullseye:
- apt-transport-https
@ -474,6 +475,7 @@ apt_initial_install_bullseye:
- zsh
- lua5.4
- btrfs-progs
- fdisk
apt_initial_install_xenial:
@ -905,6 +907,7 @@ sshd_listen_address:
sshd_host_keys:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
# only for debian version <= 9

2
host_vars/meet.oopen.de.yml
View File

@ -48,6 +48,8 @@ default_user:
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051

215
host_vars/o21.oopen.de.yml Normal file
View File

@ -0,0 +1,215 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown2
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp0s31f6
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
mode: static
hwaddress ether: 90:1b:0e:fc:ef:06
description: Bridge Interface IPv4 for LXC
address: 46.4.25.231
netmask: 255.255.255.192
gateway: 46.4.25.193
# optional dns settings nameservers: []
# nameservers:
# - "194.150.168.168" # dns.as250.net
# - "91.239.100.100" # anycast.censurfridns.dk
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp0s31f6 # for mor devices support a blan separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 46.4.25.192 netmask 255.255.255.192 gw 46.4.25.193 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: 2a01:4f8:221:3b4e::2
netmask: 64
gateway: fe80::1
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

215
host_vars/o23.oopen.de.yml Normal file
View File

@ -0,0 +1,215 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown2
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp6s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
mode: static
hwaddress ether: 88:d7:f6:7d:e6:ef
description: Bridge Interface IPv4 for LXC
address: 159.69.74.150
netmask: 255.255.255.192
gateway: 159.69.74.129
# optional dns settings nameservers: []
# nameservers:
# - "194.150.168.168" # dns.as250.net
# - "91.239.100.100" # anycast.censurfridns.dk
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp6s0 # for mor devices support a blan separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 159.69.74.128 netmask 255.255.255.192 gw 159.69.74.129 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: 2a01:4f8:231:19a7::2
netmask: 64
gateway: fe80::1
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

215
host_vars/o24.oopen.de.yml Normal file
View File

@ -0,0 +1,215 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown2
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp7s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
mode: static
hwaddress ether: 7c:10:c9:9e:bd:51
description: Bridge Interface IPv4 for LXC
address: 168.119.70.7
netmask: 255.255.255.192
gateway: 168.119.70.1
# optional dns settings nameservers: []
# nameservers:
# - "194.150.168.168" # dns.as250.net
# - "91.239.100.100" # anycast.censurfridns.dk
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp7s0 # for mor devices support a blan separated list
stp: !!str off
fd: 1
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 168.119.70.0 netmask 255.255.255.192 gw 168.119.70.1 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: 2a01:4f8:242:1822::2
netmask: 64
gateway: fe80::1
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

14
host_vars/o25.oopen.de.yml
View File

@ -31,12 +31,11 @@ network_interfaces:
family: inet
mode: static
hwaddress ether: 00:d8:61:0e:b9:1c
description: Bridge Interface IPv4 for LXC
address: '144.76.24.11'
netmask: '255.255.255.224'
network: '144.76.24.0'
broadcast: '144.76.24.31'
gateway: '144.76.24.1'
address: 144.76.24.11
netmask: 255.255.255.224
gateway: 144.76.24.1
# optional dns settings nameservers: []
# nameservers:
@ -60,6 +59,7 @@ network_interfaces:
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
@ -89,6 +89,6 @@ network_interfaces:
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: '2a01:4f8:191:b::2'
address: 2a01:4f8:191:b::2
netmask: 64
gateway: 'fe80::1'
gateway: fe80::1

14
host_vars/o30.oopen.de.yml
View File

@ -31,12 +31,11 @@ network_interfaces:
family: inet
mode: static
hwaddress ether: d0:50:99:f9:1a:da
description: Bridge Interface IPv4 for LXC
address: '148.251.14.157'
netmask: '255.255.255.224'
network: '148.251.14.128'
broadcast: '148.251.14.159'
gateway: '148.251.14.129'
address: 148.251.14.157
netmask: 255.255.255.224
gateway: 148.251.14.129
# optional dns settings nameservers: []
# nameservers:
@ -60,6 +59,7 @@ network_interfaces:
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
@ -90,9 +90,9 @@ network_interfaces:
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: '2a01:4f8:201:7389::2'
address: 2a01:4f8:201:7389::2
netmask: 64
gateway: 'fe80::1'
gateway: fe80::1
# ---

14
host_vars/o35.oopen.de.yml
View File

@ -31,12 +31,11 @@ network_interfaces:
family: inet
mode: static
hwaddress ether: a8:a1:59:0f:29:d9
description: Bridge Interface IPv4 for LXC
address: '95.217.204.218'
netmask: '255.255.255.192'
network: '95.217.204.192'
broadcast: '95.217.204.255'
gateway: '95.217.204.193'
address: 95.217.204.218
netmask: 255.255.255.192
gateway: 95.217.204.193
# optional dns settings nameservers: []
# nameservers:
@ -60,6 +59,7 @@ network_interfaces:
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
@ -90,9 +90,9 @@ network_interfaces:
family: inet6
mode: static
description: Bridge Interface IPv6 for LXC
address: '2a01:4f9:4a:47e5::2'
address: 2a01:4f9:4a:47e5::2
netmask: 64
gateway: 'fe80::1'
gateway: fe80::1
# ---

10
host_vars/o36.oopen.de.yml
View File

@ -31,12 +31,11 @@ network_interfaces:
family: inet
mode: static
hwaddress ether: a8:a1:59:82:34:70
description: Bridge Interface IPv4 for LXC
address: '162.55.82.89'
netmask: '255.255.255.192'
network: '162.55.82.64'
broadcast: '162.55.82.127'
gateway: '162.55.82.65'
address: 162.55.82.89
netmask: 255.255.255.192
gateway: 162.55.82.65
# optional dns settings nameservers: []
# nameservers:
@ -60,6 +59,7 @@ network_interfaces:
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:

5
hosts
View File

@ -151,7 +151,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
o33-neu.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
@ -348,7 +347,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
o33-neu.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
@ -612,7 +610,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
o33-neu.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
@ -1166,7 +1163,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
o33-neu.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
@ -1346,7 +1342,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
o33-neu.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de

0
roles/common/files/etc/sysctl.d/90-ddos.conf → roles/common/files/etc/sysctl.d/10-ddos.conf
View File

1
roles/common/files/etc/sysctl.d/20-swappiness.conf
View File

@ -1 +0,0 @@
vm.swappiness = 0

0
roles/common/files/etc/sysctl.d/20-dovecot.conf → roles/common/files/etc/sysctl.d/50-dovecot.conf
View File

0
roles/common/files/etc/sysctl.d/20-redis.conf → roles/common/files/etc/sysctl.d/50-redis.conf
View File

1
roles/common/files/etc/sysctl.d/50-swappiness.conf Normal file
View File

@ -0,0 +1 @@
vm.swappiness = 5

4
roles/common/tasks/basic.yml
View File

@ -32,6 +32,7 @@
group: root
owner: root
when:
- inventory_hostname not in groups['lxc_guest']
- copy_plain_files_systemd is defined
- copy_plain_files_systemd|length > 0
tags:
@ -48,6 +49,7 @@
loop_control:
label: 'dest: {{ item.name }}'
when:
- inventory_hostname not in groups['lxc_guest']
- copy_plain_files_systemd is defined
- copy_plain_files_systemd|length > 0
tags:
@ -61,6 +63,7 @@
group: root
owner: root
when:
- inventory_hostname not in groups['lxc_guest']
- copy_plain_files_sysctl is defined
- copy_plain_files_sysctl|length > 0
tags:
@ -77,6 +80,7 @@
loop_control:
label: 'dest: {{ item.name }}'
when:
- inventory_hostname not in groups['lxc_guest']
- copy_plain_files_sysctl is defined
- copy_plain_files_sysctl|length > 0
tags:

32
roles/common/tasks/sudoers.yml
View File

@ -25,27 +25,27 @@
tags:
- sudoers-remove
#- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
# template:
# src: etc/sudoers.d/50-user.j2
# dest: /etc/sudoers.d/50-user
# #validate: visudo -cf %s
# owner: root
# group: root
# mode: 0440
# tags:
# - sudoers-file-configuration
- name: (sudoers.yml) update global sudoers configuration file
- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/)
template:
src: etc/sudoers.j2
dest: /etc/sudoers
src: etc/sudoers.d/50-user.j2
dest: /etc/sudoers.d/50-user
#validate: visudo -cf %s
owner: root
group: root
mode: 0440
#validate: visudo -cf %s
tags:
- sudoers-global-configuration
- sudoers-file-configuration
#- name: (sudoers.yml) update global sudoers configuration file
# template:
# src: etc/sudoers.j2
# dest: /etc/sudoers
# owner: root
# group: root
# mode: 0440
# #validate: visudo -cf %s
# tags:
# - sudoers-global-configuration
- name: (sudoers.yml) Ensure all sudo_users are in sudo group
user:

4
roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2
View File

@ -1,6 +1,7 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{%- if groups['gateway_server']|string is search(inventory_hostname) %}
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
@ -16,6 +17,7 @@ User=root
[Install]
WantedBy=multi-user.target
{% else %}
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target

2
roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2
View File

@ -1,4 +1,4 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{%- if groups['gateway_server']|string is search(inventory_hostname) %}

4
roles/network_interfaces/templates/etc/network/interfaces.d/device.j2
View File

@ -1,4 +1,4 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
{# {% for config in network_interfaces %} #}
{% for config in item.1 %}
@ -18,7 +18,7 @@ allow-{{ stanza }}
{% endfor -%}
iface {{ config.device }} {{ config.family | default('inet', true) }} {{ config.method | default('static', true) }}
{% set iface_keys = ['description', 'address', 'netmask', 'network', 'broadcast', 'gateway'] %}
{% set iface_keys = ['hwaddress ether', 'description', 'address', 'netmask', 'network', 'broadcast', 'gateway'] %}
{% for key in iface_keys %}
{% if key in config %}
{{ key }} {{ config[key] }}

6
roles/network_interfaces/templates/etc/network/interfaces.j2
View File

@ -1,4 +1,6 @@
# {{ ansible_managed }}
{{ ansible_managed | comment }}
source /etc/network/interfaces.d/*
#-----------------------------
# lo: loopback
@ -20,5 +22,3 @@ iface lo inet6 loopback
down /sbin/ip addr del {{ ip }} dev lo
{% endfor %}
{% endif %}
source /etc/network/interfaces.d/*