diff --git a/ansible-dependencies-bookworm-sudo.yml b/ansible-dependencies-bookworm-sudo.yml
new file mode 100644
index 0000000..409a2a9
--- /dev/null
+++ b/ansible-dependencies-bookworm-sudo.yml
@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+ gather_facts: false
+
+ roles:
+ - ansible_dependencies-bookworm
+ - ansible_user_debian
diff --git a/ansible-dependencies-bookworm.yml b/ansible-dependencies-bookworm.yml
new file mode 100644
index 0000000..9b946e5
--- /dev/null
+++ b/ansible-dependencies-bookworm.yml
@@ -0,0 +1,15 @@
+---
+
+- hosts: initial_setup
+ remote_user: root
+ become: false
+ gather_facts: false
+
+ vars_prompt:
+
+ - name: ansible_ssh_pass
+ prompt: "Give root's password here"
+
+ roles:
+ - ansible_dependencies-bookworm
+ - ansible_user_debian
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index c209865..1a16109 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
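Review bot: The play in ansible-dependencies-bookworm-sudo.yml sets neither `become: true` nor `remote_user`, although the `ansible_dependencies-bookworm` role it runs executes `apt-get update` and package installs through `raw`, which need root; the "-sudo" file name suggests escalation is expected, so it is presumably supplied by the inventory or ansible.cfg. Making it explicit in the play, `  become: true`, keeps the playbook self-describing and avoids a silent permission failure when it is run with a different configuration. The play also has no `name:`; a line such as `- name: Bootstrap Ansible dependencies on Debian bookworm (via sudo)` would help.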
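Review bot: The second new play (ansible-dependencies-bookworm.yml) prompts root's password into `ansible_ssh_pass`, which is the legacy alias; the current connection variable is `ansible_password`, and the prompt stays hidden only because `vars_prompt` defaults to `private: true`, so stating `private: true` on the prompt documents that intent. Because the play logs in as root with a password, it only works while the target's sshd still allows password-based root login; a comment above the play saying this is the one-time bootstrap path and that the companion `-sudo` playbook is meant for later runs would make that explicit. The play has no `name:` either.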
@@ -511,6 +511,126 @@ apt_initial_install_bullseye: - btrfs-progs - fdisk +apt_initial_install_bookworm: + - apt-transport-https + - cryptsetup + - dbus + - openssh-server + - rush + - bash + - bash-completion + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.32 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline-dev + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua5.4 + - btrfs-progs + - fdisk + apt_initial_install_xenial: - apt-transport-https diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index c402235..4c9f2bb 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml 
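Review bot: The new `apt_initial_install_bookworm` list contains `perl-modules-5.32`, but bookworm ships Perl 5.36, so that package name will most likely not resolve and the apt task that consumes this list would fail on every bookworm host; `  - perl-modules-5.36` is the matching entry (or drop it, since `perl` depends on it). The list also repeats `wipe` and `groff`, which apt tolerates but which shows it was assembled by hand — de-duplicate them. Since the rest reads as a copy of the bullseye list, a short comment above it noting which entries differ between the two releases would make the next release bump easier.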
@@ -437,6 +437,12 @@ samba_user: - buero password: '20_valentina_18!' + - name: veronika + groups: + - buero + - beratung + password: '20_vero_23' + - name: whitney groups: - buero diff --git a/roles/ansible_dependencies-bookworm/tasks/main.yml b/roles/ansible_dependencies-bookworm/tasks/main.yml new file mode 100644 index 0000000..e01ece5 --- /dev/null +++ b/roles/ansible_dependencies-bookworm/tasks/main.yml @@ -0,0 +1,47 @@ +--- + +- name: re-synchronize the package index files from their sources + raw: apt-get update + +- name: Ensure aptitude is present + raw: test -e /usr/bin/aptitude || apt-get install aptitude -y + +- name: Ensure python3 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3) + +- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3) + +- name: Ensure python-apt-common is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common) + +- name: Ensure python-apt is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt) + +- name: dpkg --configure -a + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + tags: + - ansible-dependencies + +- name: apt upgrade + apt: + upgrade: "{{ apt_upgrade_type }}" + update_cache: true + dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}" + when: apt_upgrade|bool + tags: + - ansible-dependencies + +- name: apt install ansible dependencies + apt: + name: "{{ apt_ansible_dependencies }}" + state: "{{ apt_install_state }}" + tags: + - ansible-dependencies + 
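Review bot: The new `veronika` entry stores the Samba password as a plaintext string in host_vars, next to existing entries that do the same, so usable credentials are committed to version control in clear. Keep the structure but put the value behind Ansible Vault — an inline `!vault` encrypted string for `password:`, or move the whole `samba_user` list into an `ansible-vault` encrypted file — so the repository no longer carries the secret itself. Once vaulted, the passwords already present in the history should be rotated, since vaulting does not remove them from earlier commits.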
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index 77bcedb..befe33d 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts @@ -76,3 +76,4 @@ bell\.net$ beheshtfoundation\.com$ tohochina\.com$ mailer-service\.de$ +hunshachang\.com$ diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets index 1e7f476..44c315a 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets @@ -146,3 +146,7 @@ 83.137.158.0/24 # US (u.a. josephraffael.com / auftrag@v-markt-direkt.com) 64.188.4.0/22 +# IR (Iran) brute force on SASL Login +46.148.32.0/20 +# US +45.15.128.0/22 diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender index 0b32035..b0f482e 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender @@ -102,3 +102,4 @@ josephraffael\.com$ v-markt-direkt\.com$ mailer-service\.de$ swissad\.biz$ +@math-salamanders\.com$ diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index c684596..1cc5237 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml @@ -93,6 +93,18 @@ - apt-initial-install +- name: (apt.yml) Initial install debian packages (bookworm) + apt: + name: "{{ apt_initial_install_bookworm }}" + state: "{{ apt_install_state }}" + when: + - apt_initial_install_bookworm is defined and apt_initial_install_bookworm|length > 0 + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] == "12" + tags: + - apt-initial-install + + - name: (apt.yml) Initial install ubuntu packages (bionic) apt: name: "{{ apt_initial_install_bionic }}" 
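Review bot: In postfwd.bl-nets the comment on `46.148.32.0/20` says the range is blocked for brute-forcing SASL logins, but postfwd is a policy service that Postfix consults from its restriction lists; depending on which stage it is wired into (not visible here), a client can complete its AUTH attempts before the policy check is reached, so the entry may only stop mail delivery rather than the login attempts. If stopping the authentication attempts is the goal, confirm that the policy is consulted in `smtpd_client_restrictions`, or place the range at the firewall layer, and record that decision in the comment so the next reader knows which layer actually enforces it.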
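Review bot: The new bookworm task in roles/common/tasks/apt.yml is a verbatim copy of the bullseye task with only the major version changed, which is how the role accumulates one task per release (the hunk also leaves two blank lines after it). One task can cover every listed release by resolving the variable from the codename, e.g. `name: "{{ lookup('vars', 'apt_initial_install_' ~ ansible_facts['distribution_release'], default=[]) }}"` with a `when:` of `| length > 0`, while the per-release variables in group_vars stay as they are. If separate tasks are preferred for tagging or readability, a one-line comment above the block saying so would stop the next maintainer from refactoring it.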
@@ -142,14 +154,14 @@ - apt-microcode -- name: (apt.yml) Install CPU microcode (debian buster/bullseye) +- name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm) apt: name: "{{ microcode_package }}" state: present default_release: "{{ ansible_distribution_release }}" when: - ansible_facts['distribution'] == "Debian" - - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" + - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" - ansible_facts['processor']|string is search("Intel") tags: - apt-initial-install diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2 index 5284dbb..a778aa8 100644 --- a/roles/common/templates/etc/apt/sources.list.Debian.j2 +++ b/roles/common/templates/etc/apt/sources.list.Debian.j2 
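Review bot: The widened condition on the microcode task now chains three string comparisons on one line; it reads more clearly and needs no edit on the next release as `- ansible_facts['distribution_major_version'] | int >= 10`, or, if the set should stay closed, `- ansible_facts['distribution_major_version'] in ["10", "11", "12"]`. The task still matches only Intel processors (unchanged context line), so AMD hosts on bookworm get no microcode package; presumably intentional, but worth a comment if so.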
@@ -3,19 +3,25 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main -{% if ansible_facts['distribution_major_version'] | int >= 11 %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware +{% elif ansible_facts['distribution_major_version'] | int == 11 %} deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free {% else %} deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free {% endif %} {% if not apt_src_enable %} -{% if ansible_facts['distribution_major_version'] | int >= 11 %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware +{% elif ansible_facts['distribution_major_version'] | int == 11 %} #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free {% else %} #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free {% endif %} {% else %} -{% if ansible_facts['distribution_major_version'] | int >= 11 %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware +{% elif ansible_facts['distribution_major_version'] | int == 11 %} deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free {% else %} deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free 
@@ -30,15 +36,25 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main # but have dependencies not in main (possibly packaged for Debian in non-free). # Non-free contains software that does not comply with the DFSG. {% if apt_debian_contrib_nonfree_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware +{% else %} deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {% endif %} +{% endif %} # # N.B. software from this repository may not have been tested as # # extensively as that contained in the main release, although it includes # # newer versions of some applications which may provide useful features. {% if apt_backports_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware +{% else %} deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {% endif %} +{% endif %} diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index 643f7c8..1e24f64 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml 
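Review bot: Each stanza in this hunk now nests a full `{% if ... >= 12 %}` copy of its deb/deb-src lines just to append `non-free-firmware`, so every line exists twice, and the security stanza in the previous hunk repeats the same pattern a third time. Computing the component list once near the top of the template, `{% set nonfree_components = 'contrib non-free' ~ (' non-free-firmware' if ansible_facts['distribution_major_version'] | int >= 12 else '') %}`, and writing `{{ nonfree_components }}` in the contrib, backports and security lines removes the duplicated branches and the extra `{% endif %}` lines. A one-line comment above the `set` noting that the `non-free-firmware` component exists only from Debian 12 on would explain the version test.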
@@ -122,63 +122,63 @@ # --- -# MAC Address Filtering Gaming Devices +# IP Address Filtering Gaming Devices # --- -- name: Check if String 'gaming_device_mac_addresses..' (IPv4) is present - shell: grep -q -E "^#?gaming_device_mac_addresses=" /etc/ipt-firewall/main_ipv4.conf - register: gaming_device_mac_addresses_ipv4_present +- name: Check if String 'gaming_device_ip_addresses..' (IPv4) is present + shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv4.conf + register: gaming_device_ip_addresses_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "gaming_device_mac_addresses_ipv4_present.rc > 1" - changed_when: "gaming_device_mac_addresses_ipv4_present.rc > 0" + failed_when: "gaming_device_ip_addresses_ipv4_present.rc > 1" + changed_when: "gaming_device_ip_addresses_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_mac_addresses) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_ip_addresses) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*allow_remote_mac_src_addresses=' + insertafter: '^#?\s*gaming_device_mac_addresses=' block: | # ============= - # - MAC Address Filtering Gaming Devices + # - IP Address Filtering Gaming Devices # ============= - # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks + # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks # - # - Blank separated list # - - gaming_device_mac_addresses="" - marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)" + gaming_device_ip_addresses="" + marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)" when: - main_ipv4_exists.stat.exists - - gaming_device_mac_addresses_ipv4_present is changed + - gaming_device_ip_addresses_ipv4_present is changed -- name: Check if String 'gaming_device_mac_addresses..' 
(IPv6) is present - shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf - register: gaming_device_mac_addresses_ipv6_present +- name: Check if String 'gaming_device_ip_addresses..' (IPv6) is present + shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv6.conf + register: gaming_device_ip_addresses_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "gaming_device_mac_addresses_ipv6_present.rc > 1" - changed_when: "gaming_device_mac_addresses_ipv6_present.rc > 0" + failed_when: "gaming_device_ip_addresses_ipv6_present.rc > 1" + changed_when: "gaming_device_ip_addresses_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_mac_addresses) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_ip_addresses) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*allow_remote_mac_src_addresses=' + insertafter: '^#?\s*gaming_device_mac_addresses=' block: | # ============= - # - MAC Address Filtering Gaming Devices + # - IP Address Filtering Gaming Devices # ============= - # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks + # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks # - # - Blank separated list # - - gaming_device_mac_addresses="" - marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)" + gaming_device_ip_addresses="" + marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)" when: - main_ipv6_exists.stat.exists - - gaming_device_mac_addresses_ipv6_present is changed + - gaming_device_ip_addresses_ipv6_present is changed # ---
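Review bot: The block text written into main_ipv4.conf and main_ipv6.conf carries the typos over from the MAC version: `# - IP adresses here are only allowed connect to internet but NOT to loacl services and networks` should read `# - IP addresses here are only allowed to connect to the internet but NOT to local services and networks` in both blockinfile tasks. The two grep tasks report "changed" whenever the key is absent (`changed_when: ... rc > 0`) purely so the follow-up can test `is changed`; the conventional form is `changed_when: false` on the read-only check and `- gaming_device_ip_addresses_ipv4_present.rc == 1` in the blockinfile's `when` (likewise for IPv6), and `command:` suffices since the grep needs no shell features. The `insertafter: '^#?\s*gaming_device_mac_addresses='` anchor presumably relies on the MAC block inserted earlier in this file, outside the hunk; if that line is missing, blockinfile appends at end of file, which is acceptable but deserves a comment. The hunk may continue past the end of what is shown here.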