diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e590493..a24f834 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -83,20 +83,20 @@ copy_plain_files_sysctl: # /etc/sysctl.d/*.conf # - name: dovecot - src_path: etc/sysctl.d/20-dovecot.conf - dest_path: /etc/sysctl.d/20-dovecot.conf + src_path: etc/sysctl.d/50-dovecot.conf + dest_path: /etc/sysctl.d/50-dovecot.conf - name: redis - src_path: etc/sysctl.d/20-redis.conf - dest_path: /etc/sysctl.d/20-redis.conf + src_path: etc/sysctl.d/50-redis.conf + dest_path: /etc/sysctl.d/50-redis.conf - name: swappiness - src_path: etc/sysctl.d/20-swappiness.conf - dest_path: /etc/sysctl.d/20-swappiness.conf + src_path: etc/sysctl.d/50-swappiness.conf + dest_path: /etc/sysctl.d/50-swappiness.conf - name: ddos - src_path: etc/sysctl.d/90-ddos.conf - dest_path: /etc/sysctl.d/90-ddos.conf + src_path: etc/sysctl.d/10-ddos.conf + dest_path: /etc/sysctl.d/10-ddos.conf @@ -358,6 +358,7 @@ apt_initial_install_buster: - zsh - lua5.3 - btrfs-tools + - fdisk apt_initial_install_bullseye: - apt-transport-https @@ -474,6 +475,7 @@ apt_initial_install_bullseye: - zsh - lua5.4 - btrfs-progs + - fdisk apt_initial_install_xenial: @@ -905,6 +907,7 @@ sshd_listen_address: sshd_host_keys: - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key # only for debian version <= 9 diff --git a/host_vars/meet.oopen.de.yml b/host_vars/meet.oopen.de.yml index f75019e..b61d320 100644 --- a/host_vars/meet.oopen.de.yml +++ b/host_vars/meet.oopen.de.yml @@ -48,6 +48,8 @@ default_user: password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 shell: /bin/bash ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - name: localadmin user_id: 1051 
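Review bot: The 10- prefix now given to the ddos sysctl file in copy_plain_files_sysctl demotes those settings rather than promoting them: systemd-sysctl and `sysctl --system` apply /etc/sysctl.d in lexical order and the last file to set a key wins, so a value that previously overrode everything (90-) can now be undone by the role's own 50-* files, by vendor files in /usr/lib/sysctl.d, or by /etc/sysctl.conf. If the intent is that the ddos values are a baseline which service-specific files may override, say so in the file (`# 10-: baseline, intentionally overridable by 50-* service files`); otherwise keep a high prefix such as 90- or 99-. Nothing visible in this diff removes the old 90-ddos.conf from already-provisioned hosts, so both copies may coexist there and the stale one keeps winning until it is deleted.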
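Review bot: Adding /etc/ssh/ssh_host_ecdsa_key to sshd_host_keys widens the offered host-key set without a stated reason; RSA plus Ed25519 already covers old and new clients, and ECDSA over NIST P-256 needs a good RNG for every signature (a repeated nonce reveals the private key), which is why most SSH hardening baselines drop it. Clients whose preference order puts ecdsa-sha2-nistp256 first will pin the ECDSA key on first contact, so removing it later produces host-key-changed warnings. If a specific client requires it, record that next to the entry (`# ecdsa: required by <client>, drop when it supports ed25519`); otherwise revert to the two-key list. sshd only warns when a listed key file is missing, so also make sure the role actually generates the key on hosts provisioned without one, or the entry is just noise in the log.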
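Review bot: The key labelled `root@sol` added to this user's ssh_keys authorizes the root account of another machine to log in here, and the same chris@sol/root@sol pair is pasted into every account of every host added elsewhere in this diff, so a compromise of sol (or of that one private key) yields every account on every host with no way to tell who logged in. Prefer one key per person, placed only in that person's unprivileged account, and restrict any automation key with `from=` / `command=` options in the template that renders authorized_keys. The enclosing user entry starts outside the hunk; if root@sol is a deliberate break-glass key, a comment naming its purpose and custodian would make that clear.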
diff --git a/host_vars/o21.oopen.de.yml b/host_vars/o21.oopen.de.yml new file mode 100644 index 0000000..b73ceb5 --- /dev/null +++ b/host_vars/o21.oopen.de.yml 
@@ -0,0 +1,215 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown2 + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp0s31f6 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + mode: static + hwaddress ether: 90:1b:0e:fc:ef:06 + description: Bridge Interface IPv4 for LXC + address: 46.4.25.231 + netmask: 255.255.255.192 + gateway: 46.4.25.193 + + # optional dns settings nameservers: [] + # nameservers: + # - "194.150.168.168" # dns.as250.net + # - "91.239.100.100" # anycast.censurfridns.dk + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp0s31f6 # for mor devices support a blan separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # mode: + # miimon: + # master: + # slaves: + # lacp-rate: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 46.4.25.192 netmask 255.255.255.192 gw 46.4.25.193 dev br0" # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: 
inet6 + mode: static + description: Bridge Interface IPv6 for LXC + address: 2a01:4f8:221:3b4e::2 + netmask: 64 + gateway: fe80::1 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + 
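Review bot: This new host_vars file commits sha512-crypt password hashes for root, chris, sysadm, localadmin and back in cleartext; anyone with read access to the repository can run offline guessing against them, and the root hash (same salt and digest) is byte-identical in the o23 and o24 files added by this diff, which means one root password shared by all three hosts. Move the `password:` values into an ansible-vault encrypted vars file or `!vault` inline scalars, and use a distinct root password per host. The sysadm hash here also matches the one visible in the meet.oopen.de hunk, so the same password presumably spans different classes of machines as well.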
diff --git a/host_vars/o23.oopen.de.yml b/host_vars/o23.oopen.de.yml new file mode 100644 index 0000000..f9a10e3 --- /dev/null +++ b/host_vars/o23.oopen.de.yml 
@@ -0,0 +1,215 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown2 + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp6s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + mode: static + hwaddress ether: 88:d7:f6:7d:e6:ef + description: Bridge Interface IPv4 for LXC + address: 159.69.74.150 + netmask: 255.255.255.192 + gateway: 159.69.74.129 + + # optional dns settings nameservers: [] + # nameservers: + # - "194.150.168.168" # dns.as250.net + # - "91.239.100.100" # anycast.censurfridns.dk + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp6s0 # for mor devices support a blan separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # mode: + # miimon: + # master: + # slaves: + # lacp-rate: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 159.69.74.128 netmask 255.255.255.192 gw 159.69.74.129 dev br0" # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: 
inet6 + mode: static + description: Bridge Interface IPv6 for LXC + address: 2a01:4f8:231:19a7::2 + netmask: 64 + gateway: fe80::1 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 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 t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: 
$6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o24.oopen.de.yml b/host_vars/o24.oopen.de.yml new file mode 100644 index 0000000..9aa6b97 --- /dev/null +++ b/host_vars/o24.oopen.de.yml 
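Review bot: `hwaddress ether: 88:d7:f6:7d:e6:ef` is a plain scalar; Ansible's loader implements YAML 1.1, where a colon-separated run of digits such as `10:20:30:40:50:11` is parsed as a sexagesimal integer, so a MAC without hex letters would be rendered into the interfaces file as a large number and the bridge would come up with the wrong address. This one contains letters and parses as a string by luck; quote it (`hwaddress ether: '88:d7:f6:7d:e6:ef'`) the same way the file already guards `stp: !!str off`. `network_manage_devices: True` and `network_interface_reload: False` should be lowercase `true`/`false` (yamllint truthy), and the comment `for mor devices support a blan separated list` has two typos.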
@@ -0,0 +1,215 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown2 + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp7s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + mode: static + hwaddress ether: 7c:10:c9:9e:bd:51 + description: Bridge Interface IPv4 for LXC + address: 168.119.70.7 + netmask: 255.255.255.192 + gateway: 168.119.70.1 + + # optional dns settings nameservers: [] + # nameservers: + # - "194.150.168.168" # dns.as250.net + # - "91.239.100.100" # anycast.censurfridns.dk + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp7s0 # for mor devices support a blan separated list + stp: !!str off + fd: 1 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # mode: + # miimon: + # master: + # slaves: + # lacp-rate: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 168.119.70.0 netmask 255.255.255.192 gw 168.119.70.1 dev br0" # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: 
inet6 + mode: static + description: Bridge Interface IPv6 for LXC + address: 2a01:4f8:242:1822::2 + netmask: 64 + gateway: fe80::1 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + 
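Review bot: `localadmin` carries two keys belonging to third parties (`jonas@meurer.it`, `t@NB-003258-RLS`) and is listed in sudo_users, so those external key holders get sudo on this host (whether password-less depends on the 50-user sudoers template, which is outside this diff) while sharing one account with the operators' own keys. Give each external party its own account so access can be revoked individually and logins are attributable, and annotate every foreign key with owner, purpose and review date (`# <org>: <purpose>, review <YYYY-MM>`). The same pattern is copied into o21 and o23.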
diff --git a/host_vars/o25.oopen.de.yml b/host_vars/o25.oopen.de.yml index af64e14..706717b 100644 --- a/host_vars/o25.oopen.de.yml +++ b/host_vars/o25.oopen.de.yml @@ -31,12 +31,11 @@ network_interfaces: family: inet mode: static + hwaddress ether: 00:d8:61:0e:b9:1c description: Bridge Interface IPv4 for LXC - address: '144.76.24.11' - netmask: '255.255.255.224' - network: '144.76.24.0' - broadcast: '144.76.24.31' - gateway: '144.76.24.1' + address: 144.76.24.11 + netmask: 255.255.255.224 + gateway: 144.76.24.1 # optional dns settings nameservers: [] # nameservers: @@ -60,6 +59,7 @@ network_interfaces: stp: !!str off fd: 5 hello: 2 + maxage: 12 # optional bonding parameters bond: {} # bond: @@ -89,6 +89,6 @@ network_interfaces: family: inet6 mode: static description: Bridge Interface IPv6 for LXC - address: '2a01:4f8:191:b::2' + address: 2a01:4f8:191:b::2 netmask: 64 - gateway: 'fe80::1' + gateway: fe80::1 diff --git a/host_vars/o30.oopen.de.yml b/host_vars/o30.oopen.de.yml index cdff4d3..cf32038 100644 --- a/host_vars/o30.oopen.de.yml +++ b/host_vars/o30.oopen.de.yml @@ -31,12 +31,11 @@ network_interfaces: family: inet mode: static + hwaddress ether: d0:50:99:f9:1a:da description: Bridge Interface IPv4 for LXC - address: '148.251.14.157' - netmask: '255.255.255.224' - network: '148.251.14.128' - broadcast: '148.251.14.159' - gateway: '148.251.14.129' + address: 148.251.14.157 + netmask: 255.255.255.224 + gateway: 148.251.14.129 # optional dns settings nameservers: [] # nameservers: @@ -60,6 +59,7 @@ network_interfaces: stp: !!str off fd: 5 hello: 2 + maxage: 12 # optional bonding parameters bond: {} # bond: @@ -90,9 +90,9 @@ network_interfaces: family: inet6 mode: static description: Bridge Interface IPv6 for LXC - address: '2a01:4f8:201:7389::2' + address: 2a01:4f8:201:7389::2 netmask: 64 - gateway: 'fe80::1' + gateway: fe80::1 # --- diff --git a/host_vars/o35.oopen.de.yml b/host_vars/o35.oopen.de.yml index 312658c..2d49a65 100644 
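Review bot: The o25 @@ -31 hunk drops the quotes around address/netmask/gateway and adds an unquoted `hwaddress ether: 00:d8:61:0e:b9:1c`, turning explicit strings into implicitly typed plain scalars; Ansible's YAML 1.1 loader treats a colon-separated run of digits (a MAC like `10:20:30:40:50:11`) as a sexagesimal integer, so such a value would be silently rewritten in the rendered interfaces file. The values here contain dots or hex letters and happen to survive, but quoting costs nothing: `hwaddress ether: '00:d8:61:0e:b9:1c'`, and keeping `address: '144.76.24.11'` as before. The same applies to the o30 hunk that follows.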
--- a/host_vars/o35.oopen.de.yml +++ b/host_vars/o35.oopen.de.yml @@ -31,12 +31,11 @@ network_interfaces: family: inet mode: static + hwaddress ether: a8:a1:59:0f:29:d9 description: Bridge Interface IPv4 for LXC - address: '95.217.204.218' - netmask: '255.255.255.192' - network: '95.217.204.192' - broadcast: '95.217.204.255' - gateway: '95.217.204.193' + address: 95.217.204.218 + netmask: 255.255.255.192 + gateway: 95.217.204.193 # optional dns settings nameservers: [] # nameservers: @@ -60,6 +59,7 @@ network_interfaces: stp: !!str off fd: 5 hello: 2 + maxage: 12 # optional bonding parameters bond: {} # bond: @@ -90,9 +90,9 @@ network_interfaces: family: inet6 mode: static description: Bridge Interface IPv6 for LXC - address: '2a01:4f9:4a:47e5::2' + address: 2a01:4f9:4a:47e5::2 netmask: 64 - gateway: 'fe80::1' + gateway: fe80::1 # --- diff --git a/host_vars/o36.oopen.de.yml b/host_vars/o36.oopen.de.yml index e305dee..df97039 100644 --- a/host_vars/o36.oopen.de.yml +++ b/host_vars/o36.oopen.de.yml @@ -31,12 +31,11 @@ network_interfaces: family: inet mode: static + hwaddress ether: a8:a1:59:82:34:70 description: Bridge Interface IPv4 for LXC - address: '162.55.82.89' - netmask: '255.255.255.192' - network: '162.55.82.64' - broadcast: '162.55.82.127' - gateway: '162.55.82.65' + address: 162.55.82.89 + netmask: 255.255.255.192 + gateway: 162.55.82.65 # optional dns settings nameservers: [] # nameservers: @@ -60,6 +59,7 @@ network_interfaces: stp: !!str off fd: 5 hello: 2 + maxage: 12 # optional bonding parameters bond: {} # bond: diff --git a/hosts b/hosts index 89ffa7d..cc91153 100644 --- a/hosts +++ b/hosts @@ -151,7 +151,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -o33-neu.oopen.de # Jitsi Meet - AG Beratung o34.oopen.de @@ -348,7 +347,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -o33-neu.oopen.de # Jitsi Meet - AG Beratung o34.oopen.de 
@@ -612,7 +610,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -o33-neu.oopen.de # Jitsi Meet - AG Beratung o34.oopen.de @@ -1166,7 +1163,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -o33-neu.oopen.de # Jitsi Meet - AG Beratung o34.oopen.de @@ -1346,7 +1342,6 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de -o33-neu.oopen.de # Jitsi Meet - AG Beratung o34.oopen.de diff --git a/roles/common/files/etc/sysctl.d/90-ddos.conf b/roles/common/files/etc/sysctl.d/10-ddos.conf similarity index 100% rename from roles/common/files/etc/sysctl.d/90-ddos.conf rename to roles/common/files/etc/sysctl.d/10-ddos.conf diff --git a/roles/common/files/etc/sysctl.d/20-swappiness.conf b/roles/common/files/etc/sysctl.d/20-swappiness.conf deleted file mode 100644 index 69e3b4d..0000000 --- a/roles/common/files/etc/sysctl.d/20-swappiness.conf +++ /dev/null @@ -1 +0,0 @@ -vm.swappiness = 0 diff --git a/roles/common/files/etc/sysctl.d/20-dovecot.conf b/roles/common/files/etc/sysctl.d/50-dovecot.conf similarity index 100% rename from roles/common/files/etc/sysctl.d/20-dovecot.conf rename to roles/common/files/etc/sysctl.d/50-dovecot.conf diff --git a/roles/common/files/etc/sysctl.d/20-redis.conf b/roles/common/files/etc/sysctl.d/50-redis.conf similarity index 100% rename from roles/common/files/etc/sysctl.d/20-redis.conf rename to roles/common/files/etc/sysctl.d/50-redis.conf diff --git a/roles/common/files/etc/sysctl.d/50-swappiness.conf b/roles/common/files/etc/sysctl.d/50-swappiness.conf new file mode 100644 index 0000000..95f8990 --- /dev/null +++ b/roles/common/files/etc/sysctl.d/50-swappiness.conf @@ -0,0 +1 @@ +vm.swappiness = 5 diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml index 5237b6b..d693a1f 100644 --- a/roles/common/tasks/basic.yml +++ b/roles/common/tasks/basic.yml 
@@ -32,6 +32,7 @@ group: root owner: root when: + - inventory_hostname not in groups['lxc_guest'] - copy_plain_files_systemd is defined - copy_plain_files_systemd|length > 0 tags: @@ -48,6 +49,7 @@ loop_control: label: 'dest: {{ item.name }}' when: + - inventory_hostname not in groups['lxc_guest'] - copy_plain_files_systemd is defined - copy_plain_files_systemd|length > 0 tags: @@ -61,6 +63,7 @@ group: root owner: root when: + - inventory_hostname not in groups['lxc_guest'] - copy_plain_files_sysctl is defined - copy_plain_files_sysctl|length > 0 tags: @@ -77,6 +80,7 @@ loop_control: label: 'dest: {{ item.name }}' when: + - inventory_hostname not in groups['lxc_guest'] - copy_plain_files_sysctl is defined - copy_plain_files_sysctl|length > 0 tags: diff --git a/roles/common/tasks/sudoers.yml b/roles/common/tasks/sudoers.yml index 43a39a4..dfabfed 100644 --- a/roles/common/tasks/sudoers.yml +++ b/roles/common/tasks/sudoers.yml @@ -25,27 +25,27 @@ tags: - sudoers-remove -#- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/) -# template: -# src: etc/sudoers.d/50-user.j2 -# dest: /etc/sudoers.d/50-user -# #validate: visudo -cf %s -# owner: root -# group: root -# mode: 0440 -# tags: -# - sudoers-file-configuration - -- name: (sudoers.yml) update global sudoers configuration file +- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/) template: - src: etc/sudoers.j2 - dest: /etc/sudoers + src: etc/sudoers.d/50-user.j2 + dest: /etc/sudoers.d/50-user + #validate: visudo -cf %s owner: root group: root mode: 0440 - #validate: visudo -cf %s tags: - - sudoers-global-configuration + - sudoers-file-configuration + +#- name: (sudoers.yml) update global sudoers configuration file +# template: +# src: etc/sudoers.j2 +# dest: /etc/sudoers +# owner: root +# group: root +# mode: 0440 +# #validate: visudo -cf %s +# tags: +# - sudoers-global-configuration - name: (sudoers.yml) Ensure all sudo_users are in sudo group user: 
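Review bot: `inventory_hostname not in groups['lxc_guest']` makes each of the four tasks fail with an undefined-attribute error as soon as the play runs against an inventory that has no `lxc_guest` group (a reduced inventory, a test run), and the expression is duplicated in four `when:` lists. Use `'lxc_guest' not in group_names`, which tests the current host's membership and is harmless when the group is absent, or `inventory_hostname not in groups.get('lxc_guest', [])`, and ideally set it once as a fact so the four conditions cannot drift apart. Skipping sysctl and systemd drop-ins inside LXC guests is presumably because /proc/sys is not writable there; a one-line comment above the condition saying so would save the next reader the guess.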
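Review bot: The re-enabled task writes /etc/sudoers.d/50-user from a template while `validate: visudo -cf %s` stays commented out; sudo aborts every invocation on the host if any sudoers.d file has a parse error, so a rendering mistake (an unquoted host list, a stray Jinja artifact) locks all sudo_users out until someone repairs it as root. Uncomment the check with an absolute path, `validate: /usr/sbin/visudo -cf %s`, so Ansible rejects the rendered file before it is installed. Note also that /etc/sudoers is no longer managed, so on hosts already provisioned from etc/sudoers.j2 the old grants stay in place next to the new drop-in until they are reverted explicitly.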
diff --git a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 index bf4c372..1f1dde7 100644 --- a/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 +++ b/roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 @@ -1,6 +1,7 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} {%- if groups['gateway_server']|string is search(inventory_hostname) %} + [Unit] Description=IPv6 Firewall with ip6tables After=network.target @@ -16,6 +17,7 @@ User=root [Install] WantedBy=multi-user.target {% else %} + [Unit] Description=IPv6 Firewall with ip6tables After=network.target diff --git a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 index 5651238..fc7a6af 100644 --- a/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 +++ b/roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} {%- if groups['gateway_server']|string is search(inventory_hostname) %} diff --git a/roles/network_interfaces/templates/etc/network/interfaces.d/device.j2 b/roles/network_interfaces/templates/etc/network/interfaces.d/device.j2 index 9f8e7ab..b9fe9d2 100644 --- a/roles/network_interfaces/templates/etc/network/interfaces.d/device.j2 +++ b/roles/network_interfaces/templates/etc/network/interfaces.d/device.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} {# {% for config in network_interfaces %} #} {% for config in item.1 %} 
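Review bot: The unit chosen by this template hinges on the context line `groups['gateway_server']|string is search(inventory_hostname)`, which stringifies the whole group list and runs a regex search in it: any host whose name is a substring of a gateway's name is handed the gateway firewall unit, every `.` in the hostname matches any character, and the same test sits in ipt-firewall.service.j2. Replace it in both templates with a membership test, `{% if inventory_hostname in groups['gateway_server'] %}` (or `'gateway_server' in group_names`, which also survives an inventory without that group). If the two branches install different rulesets, a misclassification here silently changes which firewall a host boots with; the `| comment` change itself is fine.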
@@ -18,7 +18,7 @@ allow-{{ stanza }} {% endfor -%} iface {{ config.device }} {{ config.family | default('inet', true) }} {{ config.method | default('static', true) }} -{% set iface_keys = ['description', 'address', 'netmask', 'network', 'broadcast', 'gateway'] %} +{% set iface_keys = ['hwaddress ether', 'description', 'address', 'netmask', 'network', 'broadcast', 'gateway'] %} {% for key in iface_keys %} {% if key in config %} {{ key }} {{ config[key] }} diff --git a/roles/network_interfaces/templates/etc/network/interfaces.j2 b/roles/network_interfaces/templates/etc/network/interfaces.j2 index 489979c..37f4300 100644 --- a/roles/network_interfaces/templates/etc/network/interfaces.j2 +++ b/roles/network_interfaces/templates/etc/network/interfaces.j2 @@ -1,4 +1,6 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} + +source /etc/network/interfaces.d/* #----------------------------- # lo: loopback @@ -20,5 +22,3 @@ iface lo inet6 loopback down /sbin/ip addr del {{ ip }} dev lo {% endfor %} {% endif %} - -source /etc/network/interfaces.d/*
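Review bot: `source /etc/network/interfaces.d/*` uses a shell glob, so every file in that directory is parsed, including editor backups and `.dpkg-old` leftovers, and one of them with a stale `auto br0` stanza is applied as configuration; `source-directory /etc/network/interfaces.d` only includes files whose names match `^[a-zA-Z0-9_-]+$`, which is what interfaces(5) documents for drop-in directories (confirm the ifupdown2 build on these hosts honours it). Moving the line above the `lo` stanza also changes bring-up order under `ifup -a`, which follows file order: bridges now come up before the extra addresses this template binds to lo, which matters only if a br0 hook depends on them, and a short comment stating the intended order would help. The rest of this template is outside the hunk.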