diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 16af167..e81f1f4 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -146,6 +146,7 @@ apt_upgrade_dpkg_options:
 apt_initial_install_stretch:
 - apt-transport-https
+ - cryptsetup
 - dbus
 - openssh-server
 - rssh
@@ -259,6 +260,7 @@ apt_initial_install_stretch:
 apt_initial_install_buster:
 - apt-transport-https
+ - cryptsetup
 - dbus
 - openssh-server
 - rush
@@ -377,6 +379,7 @@ apt_initial_install_buster:
 apt_initial_install_bullseye:
 - apt-transport-https
+ - cryptsetup
 - dbus
 - openssh-server
 - rush
@@ -495,6 +498,7 @@ apt_initial_install_bullseye:
 apt_initial_install_xenial:
 - apt-transport-https
+ - cryptsetup
 - dbus
 - openssh-server
 - rush
@@ -607,6 +611,7 @@ apt_initial_install_xenial:
 apt_initial_install_bionic:
 - apt-transport-https
+ - cryptsetup
 - dbus
 - openssh-server
 - rush
diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml
index 5dd354f..c15637b 100644
--- a/host_vars/file-ah.kanzlei-kiel.netz.yml
+++ b/host_vars/file-ah.kanzlei-kiel.netz.yml
@@ -308,8 +308,8 @@ samba_shares:
 path: /data/samba/shares/Buero
 group_valid_users: intern
 group_write_list: intern
- file_create_mask: 664
- dir_create_mask: 2775
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -317,8 +317,8 @@ samba_shares:
 path: /data/samba/shares/Verwaltung
 group_valid_users: verwaltung
 group_write_list: verwaltung
- file_create_mask: 660
- dir_create_mask: 2770
+ file_create_mask: !!str 660
+ dir_create_mask: !!str 2770
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -326,8 +326,8 @@ samba_shares:
 path: /data/samba/shares/Scans_schnell
 group_valid_users: intern
 group_write_list: intern
- file_create_mask: '664'
- dir_create_mask: 2775
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
 vfs_object_recycle: true
 recycle_path: '@Recycle'
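Review bot: The `!!str` tag on `file_create_mask` and `dir_create_mask` introduces a second spelling for the same intent, because the removed side of the Scans_schnell hunk (and of the Hoffmann-Elberling and Gubitz-Partner hunks that follow) already had the quoted form `file_create_mask: '664'`, so the commit swaps a quoted string for a tagged one instead of settling on one convention. Quoting is the more portable choice (yamllint, Prettier and most schema validators handle it without tag support) and renders identically in the template: `file_create_mask: '664'` / `dir_create_mask: '2775'`. Whichever form is kept, applying it uniformly across the seven share hunks and the existing `guest_ok: !!str yes` line would leave the file with a single style.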
@@ -335,8 +335,8 @@ samba_shares:
 path: /data/samba/shares/Hoffmann-Elberling
 group_valid_users: hoffmann-elberling
 group_write_list: hoffmann-elberling
- file_create_mask: '664'
- dir_create_mask: 2775
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -344,8 +344,8 @@ samba_shares:
 path: /data/samba/shares/Gubitz-Partner
 group_valid_users: gubitz-partner
 group_write_list: gubitz-partner
- file_create_mask: '664'
- dir_create_mask: 2775
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -353,8 +353,8 @@ samba_shares:
 path: /data/samba/non-backup-shares/Gubitz-Backup
 group_valid_users: gubitz
 group_write_list: gubitz
- file_create_mask: 660
- dir_create_mask: 2770
+ file_create_mask: !!str 660
+ dir_create_mask: !!str 2770
 vfs_object_recycle: true
 recycle_path: '@Recycle'
@@ -367,8 +367,8 @@ samba_shares:
 path: /data/samba/shares/WinServer2016-Backup
 group_valid_users: {}
 group_write_list: {}
- file_create_mask: 664
- dir_create_mask: 2775
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
 guest_ok: !!str yes
 vfs_object_recycle: false
diff --git a/host_vars/file-ebs.ebs.netz.yml b/host_vars/file-ebs.ebs.netz.yml
index 050756b..892247d 100644
--- a/host_vars/file-ebs.ebs.netz.yml
+++ b/host_vars/file-ebs.ebs.netz.yml
@@ -190,8 +190,8 @@ nfs_server: 192.168.182.10
 # Take car to increase 'fsid' in case of more than one export
 #
 nfs_exports:
- - src: 192.168.182.10:/data/samba
- path: /data/samba
+ - src: 192.168.182.10:/data/samba/shares
+ path: /data/samba/shares
 mount_opts: users,rsize=8192,wsize=8192,hard,intr
 export_opt: rw,root_squash,sync,subtree_check
 export_networks:
@@ -334,7 +334,7 @@ samba_shares:
 - name: 4all
 comment: 4all auf Fileserver
- path: /data/samba/4all
+ path: /data/samba/shares/4all
 group_valid_users: alle
 group_write_list: alle
 file_create_mask: !!str 660
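Review bot: Narrowing the single `nfs_exports` entry from `/data/samba` to `/data/samba/shares` only takes effect if the role regenerates the exports file from this list; if it merely ensures the new line is present, the old `/data/samba` export keeps serving the whole parent tree until someone removes it by hand. The role is not visible in this diff, so this is a post-deploy check rather than a defect: `exportfs -v` on the server should list only the `/data/samba/shares` export afterwards. A short comment above the entry recording that the parent export was retired, e.g. `# export narrowed from /data/samba to /data/samba/shares`, would make the intent clear to the next reader.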
@@ -344,7 +344,7 @@ samba_shares:
 - name: Akten
 comment: Akten auf Fileserver
- path: /data/samba/Akten
+ path: /data/samba/shares/Akten
 group_valid_users: akten
 group_write_list: akten
 file_create_mask: !!str 660
@@ -354,7 +354,7 @@ samba_shares:
 - name: Archiv
 comment: Archiv auf Fileserver
- path: /data/samba/Archiv
+ path: /data/samba/shares/Archiv
 group_valid_users: archiv
 group_write_list: archiv
 file_create_mask: !!str 660
@@ -364,7 +364,7 @@ samba_shares:
 - name: Kanzlei
 comment: Kanzlei auf Fileserver
- path: /data/samba/Kanzlei
+ path: /data/samba/shares/Kanzlei
 group_valid_users: kanzlei
 group_write_list: kanzlei
 file_create_mask: !!str 660
@@ -374,7 +374,7 @@ samba_shares:
 - name: Recherche
 comment: Recherche auf Fileserver
- path: /data/samba/Recherche
+ path: /data/samba/shares/Recherche
 group_valid_users: recherche
 group_write_list: recherche
 file_create_mask: !!str 660
@@ -384,7 +384,7 @@ samba_shares:
 - name: Install
 comment: Install auf Fileserver
- path: /data/samba/Install
+ path: /data/samba/shares/Install
 group_valid_users: admin
 group_write_list: admin
 file_create_mask: !!str 660
@@ -392,6 +392,19 @@ samba_shares:
 vfs_object_recycle: true
 recycle_path: '@Recycle.Bin'
+ # ---
+ # - This share will be written by windows schedulescript 'backup-advoware.bat'
+ # ---
+ - name: Advoware-Backup
+ comment: Advoware-Backup (only read) on Fileserver
+ path: /data/samba/shares/Advoware-Backup
+ group_valid_users: back
+ group_write_list: back
+ file_create_mask: !!str 664
+ dir_create_mask: !!str 2775
+ guest_ok: !!str yes
+ vfs_object_recycle: false
+ # ==============================
diff --git a/host_vars/gw-flr.oopen.de.yml b/host_vars/gw-flr.oopen.de.yml
new file mode 100644
index 0000000..c54578b
--- /dev/null
+++ b/host_vars/gw-flr.oopen.de.yml
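Review bot: The new Advoware-Backup share sets `guest_ok: !!str yes` although its comment says "(only read)", and nothing in the visible vars marks the share read-only, so as written a backup of business data is reachable without authentication; with `file_create_mask: !!str 664` the files are also world-readable on disk. If the scheduled `backup-advoware.bat` run authenticates as `back` (already listed in `group_valid_users` and `group_write_list`), guest access is not needed and `guest_ok: false` is the safer value; if anonymous read really is required, confirm that the role renders a `read only`/`write list` pair that denies guest writes, since I cannot see the template from this diff. The header comment could state the intended access model explicitly, e.g. `# - written by backup-advoware.bat as user 'back'; everyone else read-only`.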
@@ -0,0 +1,243 @@
+---
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+ - vlan
+ - bridge-utils
+ - ifmetric
+ - ifupdown
+ - ifenslave
+ - resolvconf
+
+network_interfaces:
+
+ - device: eno1
+ headline: eno1 - Uplink DSL via Fritz!Box
+ auto: true
+ family: inet
+ method: static
+ address: 172.16.102.1
+ netmask: 24
+ gateway: 172.16.102.254
+ nameservers:
+ - 127.0.0.1
+ - 172.16.102.254
+ search: flr.netz
+
+
+ - device: eno2
+ headline: eno2 - LAN
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.102.254
+ netmask: 24
+
+
+ - device: eno2:ns
+ headline: eno2:ns - Alias on eno2 (Nameserver)
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.102.1
+ netmask: 32
+
+
+ - device: eno3
+ headline: eno3 - WLAN
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.103.254
+ netmask: 24
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+cron_user_entries:
+
+ - name: "Check if Postfix Mailservice is up and running?"
+ minute: '*/15'
+ hour: '*'
+ job: /root/bin/monitoring/check_postfix.sh
+
+ - name: "Check if SSH service is up and running?"
+ minute: '*/15'
+ hour: '*'
+ job: /root/bin/monitoring/check_ssh.sh
+
+ - name: "Check if OpenVPN service is up and running?"
+ minute: '*/30'
+ hour: '*'
+ job: /root/bin/monitoring/check_vpn.sh
+
+ - name: "Check if nameservice (bind) is running?"
+ minute: '*/10'
+ hour: '*'
+ job: /root/bin/monitoring/check_dns.sh
+
+ - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
+ minute: '0-59/2'
+ hour: '*'
+ job: /root/bin/monitoring/check_forwarding.sh
+
+ - name: "Copy gateway configuration"
+ minute: '09'
+ hour: '3'
+ job: /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB
+
+
+#cron_user_special_time_entries: []
+cron_user_special_time_entries:
+
+ - name: "Check if Postfix Service is running at boot time"
+ special_time: reboot
+ job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
+ insertafter: PATH
+
+ - name: "Restart Systemd's resolved at boottime."
+ special_time: reboot
+ job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
+ insertafter: PATH
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_hostkeyalgorithms:
+ - ssh-ed25519
+ - ssh-ed25519-cert-v01@openssh.com
+ - rsa-sha2-256
+ - rsa-sha2-512
+ - ecdsa-sha2-nistp256
+ - rsa-sha2-256-cert-v01@openssh.com
+ - rsa-sha2-512-cert-v01@openssh.com
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+insert_ssh_keypair_backup_server: false
+ssh_keypair_backup_server:
+ - name: backup
+ backup_user: back
+ priv_key_src: root/.ssh/id_rsa.backup.oopen.de
+ priv_key_dest: /root/.ssh/id_rsa
+ pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
+ pub_key_dest: /root/.ssh/id_rsa.pub
+
+insert_keypair_backup_client: true
+ssh_keypair_backup_client:
+ - name: backup
+ priv_key_src: root/.ssh/id_ed25519.oopen-server
+ priv_key_dest: /root/.ssh/id_ed25519
+ pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
+ pub_key_dest: /root/.ssh/id_ed25519.pub
+ target: backup.oopen.de
+
+default_user:
+
+ - name: chris
+ password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+
+sudo_users:
+ - chris
+ - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+apt_install_bind9_packages: true
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+ name: ipt-gateway
+ repo: https://git.oopen.de/firewall/ipt-gateway
+ dest: /usr/local/src/ipt-gateway
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+ name: root
+ password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
index 73a0765..75db440 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
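Review bot: The `password:` values under `default_user` (chris, sysadm, back) and under `root_user` are SHA-512 crypt hashes written into a plain host_vars file, so they land in version control unencrypted; a crypt hash is offline-crackable, and the root hash in particular should be an `ansible-vault` inline value (`password: !vault |` followed by the encrypted blob) or come from a lookup rather than sit in the repository. Separately, `network_manage_devices: True` and `network_interface_reload: False` use capitalised booleans while the rest of the file uses `true`/`false`; `network_manage_devices: true` / `network_interface_reload: false` keeps one spelling and avoids 1.1/1.2 loader differences. It is also worth confirming where `priv_key_src: root/.ssh/id_ed25519.oopen-server` resolves: if that relative path points into the repository's files tree, a private key is committed alongside these hashes.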
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@@ -64,3 +64,5 @@ kitchenfaucetcenter\.com$
 fqmeta\.net$
 kitchenespial\.com$
 owboyhardware\.com$
+comicartcollective\.com$
+fesg56wesg\.xyz$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
index 21e3b64..36193e1 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@@ -123,3 +123,5 @@ 104.161.0.0/17
 158.51.124.0/22
 193.42.38.0/24
+# US (u.a. pro-versender.com)
+173.254.192.0/18
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
index 8bf75f0..7940eea 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@@ -82,6 +82,7 @@ firmen-infos\.com$
 @corvsport\.com$
 @echtzeit-video\.com$
 @cortlandparkcashmere\.com$
+@pro-versender\.com$
 # annoying spammer addresses
 ^error@mailfrom\.com$
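Review bot: `173.254.192.0/18` in postfwd.bl-nets rejects 16,384 addresses for what its comment attributes to a single sender (`pro-versender.com`), and the same commit already rejects that sender by domain in postfwd.bl-sender (`@pro-versender\.com$`), so the network block is the heavier of two overlapping measures. Unless the whole /18 was verified as that operator's allocation, a prefix matching the actual announcement limits collateral rejections of unrelated mail from the range. Recording the basis in the comment, e.g. `# US - pro-versender.com u.a.; allocation verified <date placeholder> via whois`, would let the next maintainer judge when the entry can be narrowed or dropped.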