update..

ansible-dependencies-bookworm-sudo.yml

@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+  gather_facts: false
+
+  roles:
+     - ansible_dependencies-bookworm
+     - ansible_user_debian

ansible-dependencies-bookworm.yml

@@ -0,0 +1,15 @@
+---
+
+- hosts: initial_setup
+  remote_user: root
+  become: false
+  gather_facts: false
+
+  vars_prompt:
+
+    - name: ansible_ssh_pass
+      prompt: "Give root's password here"
+
+  roles:
+     - ansible_dependencies-bookworm
+     - ansible_user_debian

group_vars/all/main.yml

@@ -511,6 +511,126 @@ apt_initial_install_bullseye:
   - btrfs-progs
   - fdisk
 
+apt_initial_install_bookworm:
+  - apt-transport-https
+  - cryptsetup
+  - dbus
+  - openssh-server
+  - rush
+  - bash
+  - bash-completion
+  - vim
+  - vim-common
+  - vim-doc
+  - mc
+  - screen
+  - tmux
+  - cron
+  - bc
+  - figlet
+  - rcconf
+  - sudo
+  - rsync
+  - dselect
+  - iputils-ping
+  - apt-utils
+  - aptitude
+  - zip
+  - unzip
+  - bzip2
+  - arj
+  - locate
+  - curl
+  - gawk
+  - mawk
+  - lynx
+  - links
+  - w3m
+  - universal-ctags
+  - mime-support
+  - file
+  - coreutils
+  - moreutils
+  - less
+  - sipcalc
+  - psmisc
+  - dnsutils
+  - rblcheck
+  - whois
+  - gettext
+  - gettext-base
+  - gettext-doc
+  - debian-keyring
+  - patch
+  - patchutils
+  - recode
+  - recode-doc 
+  - librecode0
+  - librecode-dev
+  - sharutils
+  - perl
+  - perl-modules-5.32
+  - perl-doc
+  - libperl-dev
+  - libterm-readline-gnu-perl
+  - libterm-readline-perl-perl
+  - libterm-readkey-perl
+  - libmail-imapclient-perl
+  - libtime-duration-perl
+  - libtimedate-perl
+  - libwww-perl
+  - libpcre3
+  - libio-compress-perl
+  - libreadline-dev
+  - re2c
+  - util-linux
+  - parted
+  - lshw
+  - gdisk
+  - smartmontools
+  - tcpdump
+  - telnet
+  - unhide
+  - lsof
+  - hdparm
+  - groff
+  - iproute2
+  - bridge-utils
+  - vlan
+  - ethtool
+  - wipe
+  - iperf
+  - mtr
+  - iptraf
+  - wget
+  - logrotate
+  - rsyslog
+  - haveged
+  - rdate
+  - ntpdate
+  - wipe
+  - man
+  - groff
+  - iptables
+  - shellcheck
+  - ssl-cert
+  - ssl-cert-check
+  - git
+  - ftp
+  - htop
+  - net-tools
+  - lsb-release
+  - attr
+  - acl
+  - quota
+  - quotatool
+  - needrestart
+  - socat
+  - zsh
+  - lua5.4
+  - btrfs-progs
+  - fdisk
+
 
 apt_initial_install_xenial:
   - apt-transport-https

host_vars/zapata.opp.netz.yml

@@ -437,6 +437,12 @@ samba_user:
       - buero
     password: '20_valentina_18!'
 
+  - name: veronika
+    groups:
+      - buero
+      - beratung
+    password: '20_vero_23'
+
   - name: whitney
     groups:
       - buero

roles/ansible_dependencies-bookworm/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+  raw: apt-get update
+  
+- name: Ensure aptitude is present
+  raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+  raw: test -e  /usr/bin/python && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+  command: >
+    dpkg --configure -a
+  args:
+    warn: false
+  changed_when: _dpkg_configure.stdout_lines | length
+  register: _dpkg_configure
+  when: apt_dpkg_configure|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt upgrade
+  apt:
+    upgrade: "{{ apt_upgrade_type }}"
+    update_cache: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_upgrade|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt install ansible dependencies
+  apt:
+    name: "{{ apt_ansible_dependencies }}"
+    state: "{{ apt_install_state }}"
+  tags:
+    - ansible-dependencies
+

roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts

@@ -76,3 +76,4 @@ bell\.net$
 beheshtfoundation\.com$
 tohochina\.com$
 mailer-service\.de$
+hunshachang\.com$

roles/common/files/mailserver/etc/postfix/postfwd.bl-nets

@@ -146,3 +146,7 @@
 83.137.158.0/24
 # US (u.a. josephraffael.com / auftrag@v-markt-direkt.com)
 64.188.4.0/22
+# IR (Iran) brute force on SASL Login
+46.148.32.0/20
+# US
+45.15.128.0/22

roles/common/files/mailserver/etc/postfix/postfwd.bl-sender

@@ -102,3 +102,4 @@ josephraffael\.com$
 v-markt-direkt\.com$
 mailer-service\.de$
 swissad\.biz$
+@math-salamanders\.com$

roles/common/tasks/apt.yml

@@ -93,6 +93,18 @@
     - apt-initial-install
 
 
+- name: (apt.yml) Initial install debian packages (bookworm)
+  apt:
+    name: "{{ apt_initial_install_bookworm }}"
+    state: "{{ apt_install_state }}"
+  when:
+    - apt_initial_install_bookworm is defined and apt_initial_install_bookworm|length > 0
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version'] == "12"
+  tags:
+    - apt-initial-install
+
+
 - name: (apt.yml) Initial install ubuntu packages (bionic)
   apt:
     name: "{{ apt_initial_install_bionic }}"
@@ -142,14 +154,14 @@
     - apt-microcode
 
 
-- name: (apt.yml) Install CPU microcode (debian buster/bullseye)
+- name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm)
   apt:
     name: "{{ microcode_package }}"
     state: present
     default_release: "{{ ansible_distribution_release }}"
   when:
     - ansible_facts['distribution'] == "Debian"
-    - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"
+    - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11"  or ansible_facts['distribution_major_version'] == "12"
     - ansible_facts['processor']|string is search("Intel")
   tags:
     - apt-initial-install

roles/common/templates/etc/apt/sources.list.Debian.j2

@@ -3,19 +3,25 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% if not apt_src_enable %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 #deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 #deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
 {% endif %}
 {% else %}
-{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
 {% else %}
 deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
@@ -30,15 +36,25 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
 # but have dependencies not in main (possibly packaged for Debian in non-free).
 # Non-free contains software that does not comply with the DFSG.
 {% if apt_debian_contrib_nonfree_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 {% endif %}
+{% endif %}
 
 # # N.B. software from this repository may not have been tested as
 # # extensively as that contained in the main release, although it includes
 # # newer versions of some applications which may provide useful features.
 {% if apt_backports_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 12 %}
+deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
+{% else %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
+{% endif %}
 

roles/modify-ipt-gateway/tasks/main.yml

@@ -122,63 +122,63 @@
 
 
 # ---
-# MAC Address Filtering Gaming Devices
+# IP Address Filtering Gaming Devices
 # ---
 
-- name: Check if String 'gaming_device_mac_addresses..' (IPv4) is present
-  shell: grep -q -E "^#?gaming_device_mac_addresses=" /etc/ipt-firewall/main_ipv4.conf
-  register: gaming_device_mac_addresses_ipv4_present
+- name: Check if String 'gaming_device_ip_addresses..' (IPv4) is present
+  shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv4.conf
+  register: gaming_device_ip_addresses_ipv4_present
   when: main_ipv4_exists.stat.exists
-  failed_when: "gaming_device_mac_addresses_ipv4_present.rc > 1"
-  changed_when: "gaming_device_mac_addresses_ipv4_present.rc > 0"
+  failed_when: "gaming_device_ip_addresses_ipv4_present.rc > 1"
+  changed_when: "gaming_device_ip_addresses_ipv4_present.rc > 0"
 
-- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_mac_addresses)
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_ip_addresses)
   blockinfile:
     path: /etc/ipt-firewall/main_ipv4.conf
-    insertafter: '^#?\s*allow_remote_mac_src_addresses='
+    insertafter: '^#?\s*gaming_device_mac_addresses='
     block: |
 
       # =============
-      # -  MAC Address Filtering Gaming Devices
+      # -  IP Address Filtering Gaming Devices
       # =============
 
-      # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks
+      # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
       # -
       # - Blank separated list
       # -
-      gaming_device_mac_addresses=""
-    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)"
+      gaming_device_ip_addresses=""
+    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)"
   when: 
     - main_ipv4_exists.stat.exists
-    - gaming_device_mac_addresses_ipv4_present is changed
+    - gaming_device_ip_addresses_ipv4_present is changed
 
 
-- name: Check if String 'gaming_device_mac_addresses..' (IPv6) is present
-  shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf
-  register: gaming_device_mac_addresses_ipv6_present
+- name: Check if String 'gaming_device_ip_addresses..' (IPv6) is present
+  shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv6.conf
+  register: gaming_device_ip_addresses_ipv6_present
   when: main_ipv6_exists.stat.exists
-  failed_when: "gaming_device_mac_addresses_ipv6_present.rc > 1"
-  changed_when: "gaming_device_mac_addresses_ipv6_present.rc > 0"
+  failed_when: "gaming_device_ip_addresses_ipv6_present.rc > 1"
+  changed_when: "gaming_device_ip_addresses_ipv6_present.rc > 0"
 
-- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_mac_addresses)
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_ip_addresses)
   blockinfile:
     path: /etc/ipt-firewall/main_ipv6.conf
-    insertafter: '^#?\s*allow_remote_mac_src_addresses='
+    insertafter: '^#?\s*gaming_device_mac_addresses='
     block: |
 
       # =============
-      # -  MAC Address Filtering Gaming Devices
+      # -  IP Address Filtering Gaming Devices
       # =============
 
-      # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks
+      # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
       # -
       # - Blank separated list
       # -
-      gaming_device_mac_addresses=""
-    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)"
+      gaming_device_ip_addresses=""
+    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)"
   when: 
     - main_ipv6_exists.stat.exists
-    - gaming_device_mac_addresses_ipv6_present is changed
+    - gaming_device_ip_addresses_ipv6_present is changed
 
 
 # ---