update..

2024-09-29 16:04:27 +02:00 · 2024-09-29 16:04:27 +02:00 · 134eb18465
commit 134eb18465
parent 98fbed31b7
28 changed files with 2356 additions and 128 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -25,7 +25,7 @@ apt_ansible_dependencies:
 # vars used by roles/ansible_user
 # ---

-ansible_remote_user: 
+ansible_remote_user:

  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
@ -207,7 +207,7 @@ apt_initial_install_stretch:
  - patch
  - patchutils
  - recode
-  - recode-doc 
+  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
@ -326,7 +326,7 @@ apt_initial_install_buster:
  - patch
  - patchutils
  - recode
-  - recode-doc 
+  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
@ -451,7 +451,7 @@ apt_initial_install_bullseye:
  - patch
  - patchutils
  - recode
-  - recode-doc 
+  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
@ -570,7 +570,7 @@ apt_initial_install_bookworm:
  - patch
  - patchutils
  - recode
-  - recode-doc 
+  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
@ -1140,7 +1140,7 @@ yum_webserver_pkgs_centos:
  - libdbi-dbd-sqlite
  - libdbi-devel
  - libdbi-drivers
-  - readline 
+  - readline
  - readline-devel
  - ncurses
  - ncurses-devel
@ -1208,7 +1208,7 @@ yum_webserver_pkgs_centos:
  - expect-devel
  - perl-Expect
  - poppler-utils
- 
+
  # - libqdbm-dev
  #- libatm-dev
  #- libc-client2007e-dev
@ -1493,6 +1493,16 @@ apt_bind_pkgs:
 yum_bind_pks:
  - bind

+apt_docker_host_pkgs:
+  - apparmor
+  - apparmor-profiles
+  - apparmor-profiles-extra
+  - libapparmor1
+  - docker.io
+  - docker-clean
+  - docker-compose
+  - docker-doc
+  - docker-registry

 install_lxc_host_pkgs: false
 apt_lxc_host_pkgs:
@ -1554,7 +1564,7 @@ apt_extra_pkgs: []
 apt_install: {}
 apt_install_state: latest

-apt_remove: 
+apt_remove:
  - rpcbind
  - apt-transport-tor
  - tor
@ -1563,7 +1573,7 @@ apt_remove:

 apt_remove_purge: false

-microcode_package: 
+microcode_package:
  - intel-microcode
  - amd64-microcode

@ -1645,16 +1655,16 @@ yum_initial_install_centos_7:
  - recode
  - recode-devel
  - sharutils
-  - perl 
+  - perl
  - perl-devel
-  - readline 
+  - readline
  - readline-devel
-  - libtermkey 
+  - libtermkey
  - libtermkey-devel
  - perl-Time-Duration-Parse
  - perl-DateTime
  - perl-libwww-perl
-  - pcre 
+  - pcre
  - pcre2
  - perl-IO-Compress
  - re2c
@ -1831,8 +1841,8 @@ systemd_resolved: false
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
-#      IPv6: 2606:4700:4700::1001 
-# 
+#      IPv6: 2606:4700:4700::1001
+#
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
@ -1843,20 +1853,20 @@ systemd_resolved: false
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
-#      IPv4: 9.9.9.9  
-#      IPv6: 2620:fe::fe 
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
-#      IPv4: 195.10.195.195 - ns31.de 
-#      IPv4: 94.16.114.254  - ns28.de 
-#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
-# 
-# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
@ -1870,7 +1880,7 @@ resolved_nameserver:

 # search domains
 #
-# If there are more than one search domains, then specify them here in the order in which 
+# If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
@ -2088,10 +2098,10 @@ sshd_gateway_ports: !!str "no"

 # sshd_pubkey_accepted_algorithms:
 #
-# if the specified list begins with a '+' character, then the specified 
+# if the specified list begins with a '+' character, then the specified
 # algorithms will be appended to the default set instead of replacing them.
 #
-# If the specified list begins with a '-' character, then the specified algorithms 
+# If the specified list begins with a '-' character, then the specified algorithms
 # (including wildcards) will be removed from the default set instead of replacing them.
 #
 # If the specified list begins with a '^' character, then the
@ -2109,8 +2119,8 @@ sshd_gateway_ports: !!str "no"
 #  - ecdh-sha2-nistp256
 #  - ecdh-sha2-nistp384
 #  - ecdh-sha2-nistp521
- 
-#sshd_pubkey_accepted_algorithms: 
+
+#sshd_pubkey_accepted_algorithms:
 #  - +ssh-rsa
 #  - ssh-dss

@ -2364,7 +2374,7 @@ git_warenform_server_repositories:
 # group [lxc_host]
 # ---
 git_lxc_host_repositories:
-  
+
  # LXC
  - name: LXC
    repo: https://git.oopen.de/script/LXC
@ -2453,7 +2463,7 @@ git_mysql_repositories:
  - name: mysql
    repo: https://git.oopen.de/install/mysql
    dest: /usr/local/src/mysql
-    
+

 # ---
 # group [postgresql_server]
@ -2711,7 +2721,7 @@ symlink_files: []

 hostname:
 ipv4_address:
-ipv6_address:
+ipv6_address: ''

 # postfix_db_type
 #
@ -2739,7 +2749,7 @@ sasl_pass:
 db_in_use:
 # postfix_db_type
 #
-# possible values are 
+# possible values are
 #    'PostgreSQL'
 #    'MySQL'
 #
@ -2757,6 +2767,7 @@ mp_receipt_number:

 # si_authorisation_signature
 #
+# O.OPEN/IL -ALT -: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e
 # O.OPEN/IL: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
 #
 # Warenform: 76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b
@ -2882,7 +2893,7 @@ base_home: /home
 remove_samba_users: []

 # samba_shares
-# 
+#
 # samba_shares:
 #   - name: Arbeitsrechtliches
 #      comment:
@ -2927,7 +2938,7 @@ samba_cronjob_permissions:
 # vars used by roles/common/tasks/systemd-services.yml
 # ==========

-# Take care that if these services are installed, they are running and 
+# Take care that if these services are installed, they are running and
 # start automatically after boot.
 #
 debian_services_active_and_started:
--- a/host_vars/a.mx.oopen.de.yml
+++ b/host_vars/a.mx.oopen.de.yml
@ -227,7 +227,7 @@ postfix_db_pass: FKt4z55FxMZp
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/b.mx.oopen.de.yml
+++ b/host_vars/b.mx.oopen.de.yml
@ -209,6 +209,11 @@ admin_email: argus@oopen.de
 is_relay_host: !!str "true"
 sasl_auth_enable: !!str "yes"

+# install_amavis.conf
+#
+mp_receipt_number: 106015125438
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e
+

 template_files_mailsystem_script:

--- a/host_vars/c.mx.oopen.de.yml
+++ b/host_vars/c.mx.oopen.de.yml
@ -228,7 +228,7 @@ postfix_db_pass: AeB4kohyie5rahJ7
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/cl-flr.oopen.de.yml
+++ b/host_vars/cl-flr.oopen.de.yml
@ -0,0 +1,181 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+  - name: back
+    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
--- a/host_vars/d.mx.oopen.de.yml
+++ b/host_vars/d.mx.oopen.de.yml
@ -193,7 +193,7 @@ is_sympa_list_server: true
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e


 template_files_mailsystem_script:
--- a/host_vars/e.mx.oopen.de.yml
+++ b/host_vars/e.mx.oopen.de.yml
@ -255,7 +255,7 @@ postfix_db_pass: W/w-musi9cr5Gg%U
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/g.mx.oopen.de.yml
+++ b/host_vars/g.mx.oopen.de.yml
@ -0,0 +1,222 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+install_compiler_pkgs: true
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 127.0.0.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+#insert_root_ssh_keypair: true
+#
+#root_ssh_keypair:
+#  - name: id-rsa-dehydrated
+#    priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated
+#    priv_key_dest: /root/.ssh/id_rsa-dehydrated
+#    pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub
+#    pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub
+#  - name: id-rsa-opendkim
+#    priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim
+#    priv_key_dest: /root/.ssh/id_rsa-opendkim
+#    pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub
+#    pub_key_dest: /root/.ssh/id_rsa-opendkim.pub
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/copy_files.yml
+# ---
+
+copy_plain_files:
+
+  # /root/bin/monitoring
+  #
+
+  - name: monitoring_check_webservice_load.conf
+    src_path: g.mx/root/bin/monitoring/conf/check_webservice_load.conf
+    dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
+
+  # /root/bin/postfix
+  #
+  - name: postfix_create_opendkim_key.conf
+    src_path: g.mx/root/bin/postfix/conf/create_opendkim_key.conf
+    dest_path: /root/bin/postfix/conf/create_opendkim_key.conf
+
+  - name: postfix_whitelist_mb_sigs.conf
+    src_path: g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
+    dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf
+
+
+copy_plain_files_postfix_host_specific:
+
+  - name: relay_domains
+    src_path: g.mx/etc/postfix/relay_domains
+    dest_path: /etc/postfix/relay_domains
+
+
+copy_plain_files_postfwd_host_specific:
+
+  # Postfix Firewall postfwd
+  #
+  - name: postfwd.wl-nets
+    src_path: g.mx/etc/postfix/postfwd.wl-nets
+    dest_path: /etc/postfix/postfwd.wl-nets
+
+
+copy_template_files: []
+#
+#  - name: mailsystem_install_amavis.conf
+#    src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
+#    dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
+
+
+
+# ---
+# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml
+# ---
+
+hostname: g.mx.oopen.de
+ipv4_address: 176.9.125.42
+ipv6_address: 2a01:4f8:151:8415::42
+
+admin_email: argus@oopen.de
+is_relay_host: !!str "true"
+sasl_auth_enable: !!str "no"
+
+# install_amavis.conf
+#
+mp_receipt_number: 106015125438
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e
+
+
+template_files_mailsystem_script:
+
+  - name: mailsystem_install_amavis.conf
+    src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
+    dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
+
+  - name: mailsystem_install_postfix_advanced.conf
+    src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2
+    dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf
--- a/host_vars/ga-st-mail.ga.netz.yml
+++ b/host_vars/ga-st-mail.ga.netz.yml
@ -224,7 +224,7 @@ postfix_db_pass: R_wuKauoTE7+AJg9
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/mail-neu.cadus.org.yml
+++ b/host_vars/mail-neu.cadus.org.yml
@ -170,7 +170,7 @@ mysql_credentials: !!str "-u root -S /run/mysqld/mysqld.sock"
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/mail.cadus.org.yml
+++ b/host_vars/mail.cadus.org.yml
@ -239,7 +239,7 @@ postfix_db_pass: T3CJnFMJNX9wmhNs
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/mail.faire-mobilitaet.de.yml
+++ b/host_vars/mail.faire-mobilitaet.de.yml
@ -223,7 +223,7 @@ postfix_db_pass: sp4xMdnXJkdMXnq9
 # install_amavis.conf
 #
 mp_receipt_number: 106015125438
-si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e

 # install_postfixadmin.conf
 # 
--- a/host_vars/mm-rav.oopen.de.yml
+++ b/host_vars/mm-rav.oopen.de.yml
@ -0,0 +1,235 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    special_time: reboot
+    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if mattermost service ist running - Restart Service if needed."
+    minute: '*/6'
+    hour: '*'
+    job: /root/bin/monitoring/check_local_mattermost_service.sh
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
+    minute: '01'
+    hour: '05'
+    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
+
+  - name: "Check whether all certificates are included in the VHOST configurations"
+    minute: '33'
+    hour: '05'
+    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
--- a/host_vars/o40.oopen.de.yml
+++ b/host_vars/o40.oopen.de.yml
@ -0,0 +1,375 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device enp5s0
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    hwaddress: 9c:6b:00:0b:fe:2f
+    description:
+    address: 176.9.125.12
+    netmask: 27
+    gateway: 176.9.125.1
+    metric:
+    pointopoint:
+    mtu:
+    scope:
+
+    # additional user by dhcp method
+    #
+    hostname:
+    leasehours:
+    leasetime:
+    vendor:
+    client:
+
+    # additional used by bootp method
+    #
+    bootfile:
+    server:
+    hwaddr:
+
+    # optional dns settings nameservers: []
+    #
+    #    nameservers:
+    #      - 194.150.168.168  # dns.as250.net
+    #      - 91.239.100.100   # anycast.censurfridns.dk
+    #    search: warenform.de
+    #
+    # ** MOVED TO systemd-resolved
+    #
+    nameservers:
+    search:
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: enp5s0 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    #  optional bonding parameters bond: {}
+    #  bond:
+    #    master
+    #    primary
+    #    slave
+    #    method:
+    #    miimon:
+    #    lacp-rate:
+    #    ad-select-rate:
+    #    master:
+    #    slaves:
+    bond: {}
+
+    # optional vlan settings | vlan: {}
+    # vlan: {}
+    #   raw-device: 'eth0'
+    vlan: {}
+
+    # inline hook scripts
+    pre-up: [] # pre-up script lines
+    up:
+      - !!str "route add -net 176.9.125.0 netmask 255.255.255.224 gw 176.9.125.1 dev br0" # up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+
+
+  - device: br0
+    family: inet6
+    method: static
+    address: '2a01:4f8:151:8415::2'
+    netmask: 64
+    gateway: 'fe80::1'
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    special_time: reboot
+    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
+    insertafter: PATH
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    special_time: reboot
+    job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1"
+    insertafter: PATH
+
+#  - name: "Check if Check if all autostart LX-Container are running."
+#    special_time: reboot
+#    job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
+#    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check connectifity - reboot if needed"
+    minute: '*/10'
+    hour: '*'
+    job: /root/bin/admin-stuff/check-connectivity.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check hard disc usage."
+    minute: '43'
+    hour: '6'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh
+
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: localadmin
+    user_id: 1051
+    group_id: 1051
+    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
--- a/host_vars/o41.oopen.de.yml
+++ b/host_vars/o41.oopen.de.yml
@ -0,0 +1,251 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: false
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 2a01:4ff:ff00::add:2
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+#  - name: "Check if postfix mailservice is running. Restart service if needed."
+#    special_time: reboot
+#    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
+#    insertafter: PATH
+#
+#  - name: "Check if Check if all autostart LX-Container are running."
+#    special_time: reboot
+#    job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
+#    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+#  - name: "Check connectifity - reboot if needed"
+#    minute: '*/10'
+#    hour: '*'
+#    job: /root/bin/admin-stuff/check-connectivity.sh
+#
+#  - name: "Check if Postfix Mailservice is up and running?"
+#    minute: '*/15'
+#    hour: '*'
+#    job: /root/bin/monitoring/check_postfix.sh
+#
+#  - name: "Check if NTP service 'ntpsec' is up and running?"
+#    minute: '*/30'
+#    hour: '*'
+#    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
+
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: localadmin
+    user_id: 1051
+    group_id: 1051
+    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
--- a/host_vars/o42.oopen.de.yml
+++ b/host_vars/o42.oopen.de.yml
@ -0,0 +1,360 @@
+---
+
+# ---
+# vars used by roles/network_interfaces
+# ---
+
+
+# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
+network_manage_devices: True
+
+# Should the interfaces be reloaded after config change?
+network_interface_reload: False
+
+network_interface_path: /etc/network/interfaces.d
+network_interface_required_packages:
+  - vlan
+  - bridge-utils
+  - ifmetric
+  - ifupdown
+  - ifenslave
+
+
+network_interfaces:
+
+  - device: br0
+    # use only once per device (for the first device entry)
+    headline: br0 - bridge over device enp34s0
+
+    # auto & allow are only used for the first device entry
+    allow: [] # array of allow-[stanzas] eg. allow-hotplug
+    auto: true
+
+    family: inet
+    method: static
+    hwaddress: 
+    description:
+    address: 95.217.194.43
+    netmask: 26
+    gateway: 95.217.194.1
+    metric:
+    pointopoint:
+    mtu:
+    scope:
+
+    # additional user by dhcp method
+    #
+    hostname:
+    leasehours:
+    leasetime:
+    vendor:
+    client:
+
+    # additional used by bootp method
+    #
+    bootfile:
+    server:
+    hwaddr:
+
+    # optional dns settings nameservers: []
+    #
+    #    nameservers:
+    #      - 194.150.168.168  # dns.as250.net
+    #      - 91.239.100.100   # anycast.censurfridns.dk
+    #    search: warenform.de
+    #
+    # ** MOVED TO systemd-resolved
+    #
+    nameservers:
+    search:
+
+    # optional bridge parameters bridge: {}
+    # bridge:
+    #   ports:
+    #   stp:
+    #   fd:
+    #   maxwait:
+    #   waitport:
+    bridge:
+      ports: enp34s0 # for mor devices support a blank separated list
+      stp: !!str off
+      fd: 5
+      hello: 2
+      maxage: 12
+
+    #  optional bonding parameters bond: {}
+    #  bond:
+    #    master
+    #    primary
+    #    slave
+    #    method:
+    #    miimon:
+    #    lacp-rate:
+    #    ad-select-rate:
+    #    master:
+    #    slaves:
+    bond: {}
+
+    # optional vlan settings | vlan: {}
+    # vlan: {}
+    #   raw-device: 'eth0'
+    vlan: {}
+
+    # inline hook scripts
+    pre-up: [] # pre-up script lines
+    up: 
+      - !!str "route add -net 95.217.194.0 netmask 255.255.255.192 gw 95.217.194.1 dev br0" # up script lines
+    post-up: [] # post-up script lines (alias for up)
+    pre-down: [] # pre-down script lines (alias for down)
+    down: [] # down script lines
+    post-down: [] # post-down script lines
+
+
+
+  - device: br0
+    family: inet6
+    method: static
+    address: '2a01:4f9:4a:5114::2'
+    netmask: 64
+    gateway: 'fe80::1'
+
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/cron.yml
+# ---
+
+cron_env_entries:
+  - name: PATH
+    job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+  - name: SHELL
+    job: /bin/bash
+    insertafter: PATH
+
+
+cron_user_special_time_entries:
+
+  - name: "Restart DNS Cache service 'systemd-resolved'"
+    special_time: reboot
+    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
+    insertafter: PATH
+
+  - name: "Check if postfix mailservice is running. Restart service if needed."
+    special_time: reboot
+    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
+    insertafter: PATH
+
+  - name: "Check if Check if all autostart LX-Container are running."
+    special_time: reboot
+    job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
+    insertafter: PATH
+
+  - name: "Restart NTP service 'ntpsec'"
+    special_time: reboot
+    job: "sleep 2 ; /bin/systemctl restart ntpsec"
+    insertafter: PATH
+
+
+cron_user_entries:
+
+  - name: "Check if SSH service is running. Restart service if needed."
+    minute: '*/5'
+    hour: '*'
+    job: /root/bin/monitoring/check_ssh.sh
+
+  - name: "Check if Postfix Mailservice is up and running?"
+    minute: '*/15'
+    hour: '*'
+    job: /root/bin/monitoring/check_postfix.sh
+
+  - name: "Check if NTP service 'ntpsec' is up and running?"
+    minute: '*/30'
+    hour: '*'
+    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
+
+  - name: "Check hard disc usage."
+    minute: '43'
+    hour: '6'
+    job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
+
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+  - name: chris
+    password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: sysadm
+
+    user_id: 1050
+    group_id: 1050
+    group: sysadm
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+  - name: back
+    user_id: 1060
+    group_id: 1060
+    group: back
+    password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D
+    shell: /bin/bash
+    ssh_keys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+  - chris
+  - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
--- a/98
+++ b/98
@ -232,6 +232,19 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# Fluechtlingsrat Berlin
+o40.oopen.de
+g.mx.oopen.de
+cl-flr.oopen.de
+cp-flr.oopen.de
+
+# Kotti-Coop e.V.
+o41.oopen.de
+
+# RAV
+o42.oopen.de
+mm-rav.oopen.de
+

 lxc-host-kb.anw-kb.netz

@ -408,6 +421,19 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# Fluechtlingsrat Berlin
+o40.oopen.de
+cl-flr.oopen.de
+cp-flr.oopen.de
+
+# Kotti-Coop e.V.
+o41.oopen.de
+g.mx.oopen.de
+
+# RAV
+o42.oopen.de
+mm-rav.oopen.de
+

 lxc-host-kb.anw-kb.netz

@ -648,7 +674,10 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

-# o39.oopen.de
+# o40.oopen.de
+g.mx.oopen.de
+cl-flr.oopen.de
+

 # ---
 #  O.OPEN office network
@ -791,6 +820,13 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# o40 - Flüchtlingsrat Berlin
+cl-flr.oopen.de
+cp-flr.oopen.de
+
+# o42.oopen.de
+mm-rav.oopen.de
+
 # GA - Gemeinschaft Altensclirf
 ga-st-services.ga.netz

@ -833,6 +869,9 @@ a.mx.oopen.de
 web-01.oopen.de
 b.mx.oopen.de

+# o40 - g.mx
+g.mx.oopen.de
+
 # ---
 #  O.OPEN office network
 # ---
@ -875,6 +914,12 @@ o13-board.oopen.de
 o13-staging-board.oopen.de
 o13-mail.oopen.de

+# o23.oopen.de
+mm.oopen.de
+
+# o24.oopen.de
+mm-irights.oopen.de
+
 # o27.oopen.de
 mail.faire-mobilitaet.de

@ -887,6 +932,11 @@ a.mx.oopen.de
 web-01.oopen.de
 web-03.oopen.de

+# o40 - g.mx
+g.mx.oopen.de
+
+# o39.oopen.de
+
 # ---
 #  O.OPEN office network
 # ---
@ -908,6 +958,9 @@ mx.warenform.de
 # server27.warenform.de
 verdi-django.warenform.de

+# o42.oopen.de
+mm-rav.oopen.de
+

 [mysql_server]

@ -998,6 +1051,9 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# o40 - Fluechtlingsrat Berlin
+cl-flr.oopen.de
+

 # ---
 # Warenform
@ -1078,6 +1134,9 @@ cl-test.oopen.de
 # o38.oopen.de
 cl-opp.oopen.de

+# 040 - Fluechtlingsrat Berlin
+cl-flr.oopen.de
+
 # ---
 # Warenform
 # ---
@ -1133,6 +1192,9 @@ a.mx.oopen.de
 # o36.oopen.de - b.mx, web-01, web-03
 b.mx.oopen.de

+# o40 - g.mx
+g.mx.oopen.de
+
 # ---
 #  O.OPEN office network
 # ---
@ -1266,6 +1328,12 @@ ga-al-kvm2.ga.netz
 ga-al-kvm3.ga.netz


+[docker_host]
+
+# Kotti-Coop e.V.
+o41.oopen.de
+
+
 [lxc_host]

 # ---
@ -1291,6 +1359,12 @@ o36.oopen.de
 o38.oopen.de
 o39.oopen.de

+# Fluechtlingsrat Berlin
+o40.oopen.de
+
+# RAV
+o42.oopen.de
+
 lxc-host-kb.anw-kb.netz

 # ---
@ -1431,6 +1505,14 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# o40 - g.mx
+g.mx.oopen.de
+cl-flr.oopen.de
+cp-flr.oopen.de
+
+# o42.oopen.de
+mm-rav.oopen.de
+
 # ---
 #  O.OPEN office network
 # ---
@ -1634,6 +1716,20 @@ web-07.oopen.de
 web-08.oopen.de
 web-09.oopen.de

+# o40
+o40.oopen.de
+g.mx.oopen.de
+cl-flr.oopen.de
+cp-flr.oopen.de
+
+# Kotti-Coop e.V.
+o41.oopen.de
+
+# RAV
+o42.oopen.de
+mm-rav.oopen.de
+
+

 lxc-host-kb.anw-kb.netz

--- a/roles/common/files/g.mx/etc/postfix/postfwd.wl-nets
+++ b/roles/common/files/g.mx/etc/postfix/postfwd.wl-nets
@ -0,0 +1,19 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted networks whitelisted by postfwd
+#
+# Example:
+#
+#   # web0.warenform.de
+#   #83.223.86.76
+#   #2a01:30:0:505:286:96ff:fe4a:6ee
+#   #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give truested networrk adresses here
+
+# d.mx.oopen.de (listen server)
+95.217.204.227
+2a01:4f9:4a:47e5::227
--- a/roles/common/files/g.mx/etc/postfix/relay_domains
+++ b/roles/common/files/g.mx/etc/postfix/relay_domains
@ -0,0 +1,10 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+## - a.mx.oopen.de
+## -
+## -    create relay-domain list for host a.mx.oopen.de:
+## -        cd /var/vmail
+## -        for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done
+## -
+anw-nbg.de                             :[a.mx.oopen.de]
+meet.oopen.de                          :[a.mx.oopen.de]
--- a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated
+++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated
@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZgAAAJA0qaJANKmi
+QAAAAAtzc2gtZWQyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZg
+AAAEBMOuz+phzRVnQYFnaqV4D8Ned91hkkystvPVPm0G/nEMV0QIIPcvvF/hy1B8YUWIet
+KplaioZq5fj+7TEaDWJmAAAABnJvb3RAZwECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----
--- a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub
+++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV0QIIPcvvF/hy1B8YUWIetKplaioZq5fj+7TEaDWJm root@g
--- a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim
+++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim
@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQAAAJBWLbDTVi2w
+0wAAAAtzc2gtZWQyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQ
+AAAEChcZYodFiWBZ0F3k5mJW27C19OFqrz14WuBxeQm8vC4l0hpyMseNudf+Dkphu9daQK
+gy/7dUinvs1ea5biTlGhAAAABnJvb3RAZwECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----
--- a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub
+++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0hpyMseNudf+Dkphu9daQKgy/7dUinvs1ea5biTlGh root@g
--- a/roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf
+++ b/roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf
@ -0,0 +1,270 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#---------------------------------------
+#-----------------------------
+# Settings
+#-----------------------------
+#---------------------------------------
+
+
+# ---
+# - LOGGING
+# -
+# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
+# - the output will be verbos. If running as cronjob, output will only be written, if warnings or 
+# - errors occurs.
+# ---
+
+
+# - CONFLICTING_SCRIPTS
+# -
+# - The scripts listed here conflict with this script. If one of these scripts 
+# - is currently running, this script will be stopped.
+# -
+# - In addition to the script, a LOCK directory can also be specified which is 
+# - connected to it. 
+# - 
+# - If no fixed LOCK directory is connected to the script, set 
+# - this value to the constant 'CHECK_PROCESS_LIST'.
+# -
+# - If no value for the LOCK directory is given, the LOCK directory 
+# - '/tmp/<base-script_name>.LOCK' is assumed. 
+# - 
+# - 
+# - Example:
+# -    CONFLICTING_SCRIPTS="
+# -       /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
+# -       /root/bin/monitoring/check_remote_websites.sh
+# -    "
+# -
+# - Defaults to:
+# -    CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
+# -
+#CONFLICTING_SCRIPTS=""
+
+
+# - What to check
+# -
+check_load=true
+check_mysql=false
+check_mariadb=false
+
+# - PostgreSQL
+# -
+# - NOT useful, if more than one PostgreSQL instances are running!
+# -
+check_postgresql=false
+
+check_apache=true
+check_nginx=false
+check_php_fpm=false
+check_redis=false
+check_website=false
+
+
+# TIMEOUT_CHECK_WEBSITE
+#
+# Maximum time in seconds that you allow for the response from the webserver.
+#
+# Defaults to:
+#     TIMEOUT_CHECK_WEBSITE=10
+#
+#TIMEOUT_CHECK_WEBSITE=10
+
+# TIMEOUT_CHECK_PHP
+#
+# Maximum time in seconds that you allow for the response from the webserver.
+#
+# Defaults to:
+#     TIMEOUT_CHECK_PHP=10
+#
+#TIMEOUT_CHECK_PHP=10
+
+
+# - If service is not listen on 127.0.0.1/loclhost, curl check must
+# - be ommited
+# -
+# - Defaults to: ommit_curl_check_nginx=false
+# -
+#ommit_curl_check_nginx=false
+
+# - Is this a vserver guest machine?
+# -
+# - Not VSerber guest host does not support systemd!
+# -
+# - defaults to: vserver_guest=false
+# -
+#vserver_guest=false
+
+
+# - Additional Settings for check_mysql
+# -
+# - MySQL / MariaDB credentials
+# -
+# - Giving password on command line is insecure an sind mysql 5.5
+# - you will get a warning doing so.
+# - 
+# - Reading username/password fro file ist also possible, using MySQL/MariaDB
+# - commandline parameter '--defaults-file'.
+# - 
+# - Since Mysql Version 5.6, you can read username/password from
+# - encrypted file.
+# -
+# -    Create (encrypted) option file:
+# -    $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock  --user=root --password
+# -    $ Password:
+# -
+# -    Use of option file:
+# -    $ mysql --login-path=local ...
+# -
+# - Example
+# -    mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
+# -    mysql_credential_args="--login-path=local"
+# -    mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# -    mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - defaults to: 
+# -    mysql_credential_args="--login-path=local"
+# -
+#mysql_credential_args="--login-path=local"
+
+
+# - Additional Settings for check_mariadb
+# -
+# - MariaDB credentials
+# -
+# - Giving password on command line is insecure an sind mysql 5.5
+# - you will get a warning doing so.
+# - 
+# - Reading username/password fro file ist also possible, using MySQL/MariaDB
+# - commandline parameter '--defaults-file'.
+# - 
+# - Since Mysql Version 5.6, you can read username/password from
+# - encrypted file.
+# -
+# -    Create (encrypted) option file:
+# -    $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock  --user=root --password
+# -    $ Password:
+# -
+# -    Use of option file:
+# -    $ mysql --login-path=local ...
+# -
+# - Example
+# -    mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
+# -    mariadb_credential_args="--login-path=local"
+# -    mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# -    mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - defaults to empty string
+# -    mariadb_credential_args=""
+# -
+#mariadb_credential_args=""
+
+
+# - Port of PostgreSQL Service
+# -
+# - defaults to '5432'
+# -    postgresql_port=5432
+# -
+#postgresql_port=5432
+
+
+# - Additional Settings for check_php_fpm
+# -
+# - On Linux Vserver System set
+# -    curl_check_host=localhost
+# -
+# - On LX-Container set
+# -    curl_check_host=127.0.0.1
+# -
+curl_check_host=127.0.0.1
+
+# - Which PHP versions should be supported by this script. If more than one,
+# - give a blank separated list
+# -
+# - Example:
+# -    php_versions="5.4 5.6 7.0 7.1"
+# -
+php_versions=""
+
+# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
+# - set the value given in your ping.path setting here. Give ping_path also
+# - the concerning php_version in form
+# -    <php-version>:<ping-path>
+# -
+# - Multiple settings are possible, give a blank separated list.
+# -
+# - Example:
+# -
+# -    ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
+# -
+ping_path=""
+
+
+# - Additional Settings for check_website - checking (expected) website response
+# -
+# - example:
+# -    is_working_url="https://www.outoflineshop.de/"
+# -    check_string='ool-account-links'
+# -    include_cleanup_function=true
+# -    extra_alert_address="ilker@so36.net"
+# -    cleanup_function='
+# -    rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
+# -    rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
+# -    /usr/local/bin/redis-cli flushall > /dev/null 2>&1
+# -    if [[ "$?" = "0" ]]; then
+# -       ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
+# -    else
+# -       error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
+# -     fi
+# -    /etc/init.d/redis_6379 restart
+# -    if [[ "$?" = "0" ]]; then
+# -       ok "I restarted the redis service"
+# -       echo -e "\t[ Ok ]:    I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
+# -    else
+# -       error "Restarting the redis server failed!"
+# -       echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
+# -    fi
+# -    '
+# -
+is_working_url=''
+
+check_string=''
+
+include_cleanup_function=true
+
+# - An extra e-mail address, which will be informed, if the given check URL
+# - does not response as expected (check_string) AFTER script checking, restarting
+# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
+# -
+extra_alert_address=''
+
+# - php_version_of_working_url
+# -
+# - If given website (is_working_url) does not response as expected, this PHP FPM
+# - engines will be restarted.
+# -
+# - Type "None" if site does not support php
+# -
+# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
+# - will be restarted
+# -
+php_version_of_working_url=''
+
+# - Notice:
+# - If single qoutes "'" not needed inside cleanup function, then use single quotes
+# - to enclose variable "cleanup_function". Then you don't have do masquerade any 
+# - sign inside.
+# -
+# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
+# -
+cleanup_function='
+'
+
+
+# - E-Mail settings for sending script messages
+# -
+from_address="root@`hostname -f`"
+content_type='Content-Type: text/plain;\n charset="utf-8"'
+to_addresses="root"
+
--- a/roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf
+++ b/roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf
@ -0,0 +1,177 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---------------------------------------------------------
+# - Parameter Settings for script 'create_opendkim_key.sh'.
+# ---------------------------------------------------------
+ 
+ 
+# ---------- 
+# DNS Server 
+# ---------- 
+ 
+# - dns_dkim_zone_master_server
+# - 
+# - The DNS Server who is serving the update zone and is used 
+# - for the dynamic updates (nsupdate) 
+# - 
+#dns_dkim_zone_master_server=""
+dns_dkim_zone_master_server="b.ns.oopen.de"
+
+# - update_dns
+# -
+# - Possible Values are 'true' or 'false'
+# -
+#update_dns=true
+
+# - update_zone
+# -
+# - Zone containing the DKIM TXT record.
+# -
+# - Defaults to '_domainkey.<dkim_domaini>'
+# -
+# - Note:
+# -    do NOT change/set this option unless you know what you do.
+# -
+#update_zone=""
+
+# - TTL
+# -
+# - TTL for the DKIM TXT Record.
+# -
+# - Defaults to "" if update_dns=false
+# - Defaults to "43200" if update_dns=true
+# -
+#TTL=
+
+
+# ----------
+# TSIG Key
+# ----------
+
+# - key_secret
+# -
+# - Sectret Key used by 'nsupdate' to create/update the
+# - DKIM TXT record.
+# -
+# - Example:
+# -    key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
+# -
+#key_secret=""
+key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
+
+# - key_algo
+# -
+# - The key algorithm used for key creation. Available choices are: hmac-md5, 
+# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The 
+# - default is hmac-sha256. Options are case-insensitive.
+# -
+# - Example:
+# -    key_algo="hmac-md5"
+# -
+# - Defaults to 'hmac-sha256'
+# -
+#key_algo="hmac-sha256"
+key_algo="hmac-sha256"
+
+# - key_name
+# -
+# - Name of the Key
+# -
+# - Defaults to "$update_zone"
+# -
+#key_name=""
+key_name="update-dkim"
+
+
+# ----------
+# Access Credentials DNS Server
+# ----------
+
+# - dns_ssh_user
+# -
+# - Defaults to 'manage-bind'
+# -
+#dns_ssh_user="manage-bind"
+
+# - dns_ssh_port
+# -
+# - Defaults to '22'
+# -
+#dns_ssh_port=22
+
+# - dns_ssh_key
+# -
+# - Defaults to '/root/.ssh/id_rsa-opendkim'
+# -
+#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
+dns_ssh_key="/root/.ssh/id_ed25519-opendkim"
+
+
+# ----------
+# Scripts envoked at DNS Server
+# ----------
+
+# - set_new_serial_script
+# -
+# - Script increases the serial for a given domain or a given 
+# - hostname's concerning domain.
+# -
+# - Defaults to /root/bin/bind/bind_set_new_serial.sh
+# -
+#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
+
+# - create_dkim_delegation_script
+# -
+# - Script adds DKIM subdomain delegation for a given domain
+# -
+# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
+# -
+#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
+
+# - add_dkim_zone_master_script
+# -
+# - Script adds zone _domainkey.<dkim domain> as master zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
+# -
+#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
+
+# - add_dkim_zone_slave_script
+# -
+# - Script adds zone _domainkey.<dkim domain> as slave zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
+# -
+#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
+
+
+
+# ----------
+# OpenDKIM Installation
+# ----------
+
+# - opendkim_dir
+# -
+# - OpenDKIM's etc-directory
+# -
+# - Defaults to opendkim_dir="/etc/opendkim"
+# -
+#opendkim_dir="/etc/opendkim"
+
+# - key_base_dir
+# -
+# - Defaults to "${opendkim_dir}/keys"
+# -
+#key_base_dir=${opendkim_dir}/keys
+
+# - signing_table_file
+# -
+# - Defaults to "${opendkim_dir}/signing.table"
+# -
+#signing_table_file="${opendkim_dir}/signing.table"
+
+# - key_table_file
+# -
+# - Defaults to "${opendkim_dir}/key.table"
+# -
+#key_table_file="${opendkim_dir}/key.table"
--- a/roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
+++ b/roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
@ -0,0 +1,44 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ======================================================
+# ---
+# Parameter Settings for Script 'whitelist_mb_sigs.conf'
+# ---
+# ======================================================
+
+# QUARANTINE_BASE_DIR
+#
+# Base directory where amavis stores quarantined e-mails, mostly in
+#
+#    virus e-mails:   $QUARANTINE_BASE_DIR/virus
+#    spam emails:     $QUARANTINE_BASE_DIR/spam
+#    ..
+#
+#    Defaults to:
+#       QUARANTINE_BASE_DIR="/var/QUARANTINE"
+#
+#QUARANTINE_BASE_DIR="/var/QUARANTINE"
+
+
+# CLAMAV_VIRUS_WHITE_LIST
+#
+# Full path to clamav's (personal) white list file
+#
+# Defaults to:
+#    CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+#
+#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+
+
+# WHITE_LIST_STRINGS
+#
+# A blank separated list of strings to whitelist.
+#
+# Example:
+#    WHITE_LIST_STRINGS="google.com tinyurl.com"
+#
+# Defaults to:
+#    WHITE_LIST_STRINGS="google.com"
+#
+#WHITE_LIST_STRINGS="google.com"
+WHITE_LIST_STRINGS="google.com tinyurl.com"
--- a/roles/common/tasks/apt.yml
+++ b/roles/common/tasks/apt.yml
@ -218,6 +218,15 @@
  tags:
    - apt-lxc-hosts-pkgs

+- name: (apt.yml) Install docker related packages
+  apt:
+    name: "{{ apt_docker_host_pkgs }}"
+    state: "{{ apt_install_state }}"
+  when: 
+    - groups['docker_host']|string is search(inventory_hostname)
+  tags:
+    - apt-docker-hosts-pkgs
+
 - name: (apt.yml) Install kvm_host related packages
  apt:
    name: "{{ apt_kvm_host_pkgs }}"
--- a/roles/modify-ipt-server/tasks/ipt-server.yml
+++ b/roles/modify-ipt-server/tasks/ipt-server.yml
@ -99,126 +99,73 @@
 # ===

 # ---
-# Wireguard Service
+# LOG CGI script Traffic out
 # ---

- name: Check if String 'wg_ifs=..' is present in interfaces_ipv4.conf
-  shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf
-  register: wg_ifs_interfaces_ipv4_present
-  when: interfaces_ipv4_exists.stat.exists
-  failed_when: "wg_ifs_interfaces_ipv4_present.rc > 1"
-  changed_when: "wg_ifs_interfaces_ipv4_present.rc > 0"
-
- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs)
-  blockinfile:
-    path: /etc/ipt-firewall/interfaces_ipv4.conf
-    insertafter: '^#?\s*vpn_ifs'
-    block: |
-
-      # - Wireguard Interfaces
-      # -    (comma separated list 'wg+' is also possible)
-      wg_ifs="wg+"
-
-    marker: "# Marker set by modify-ipt-server.yml (wg_ifs)"
-  when:
-    - interfaces_ipv4_exists.stat.exists
-    - wg_ifs_interfaces_ipv4_present is changed
-  notify:
-    - Restart IPv4 Firewall
-
-
- name: Check if String 'wg_ifs=..' is present in interfaces_ipv6.conf
-  shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf
-  register: wg_ifs_interfaces_ipv6_present
-  when: interfaces_ipv6_exists.stat.exists
-  failed_when: "wg_ifs_interfaces_ipv6_present.rc > 1"
-  changed_when: "wg_ifs_interfaces_ipv6_present.rc > 0"
-
- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs)
-  blockinfile:
-    path: /etc/ipt-firewall/interfaces_ipv6.conf
-    insertafter: '^#?\s*vpn_ifs'
-    block: |
-
-      # - Wireguard Interfaces
-      # -    (comma separated list 'wg+' is also possible)
-      wg_ifs="wg+"
-
-    marker: "# Marker set by modify-ipt-server.yml (wg_ifs)"
-  when:
-    - interfaces_ipv6_exists.stat.exists
-    - wg_ifs_interfaces_ipv6_present is changed
-  notify:
-    - Restart IPv6 Firewall
-
-
-# ---
-# Mattermost (MM) Service (add a block)
-# ---
-
- name: Check if String 'mm_server_ips=..' is present
-  shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf
-  register: mattermost_service_ipv4_present
+- name: Check if String 'log_cgi_traffic_out=..' is present
+  shell: grep -q -E "^log_cgi_traffic_out=" /etc/ipt-firewall/main_ipv4.conf
+  register: log_cgi_traffic_out_ipv4_present
  when: main_ipv4_exists.stat.exists
-  failed_when: "mattermost_service_ipv4_present.rc > 1"
-  changed_when: "mattermost_service_ipv4_present.rc > 0"
+  failed_when: "log_cgi_traffic_out_ipv4_present.rc > 1"
+  changed_when: "log_cgi_traffic_out_ipv4_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service)
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (log_cgi_traffic_out)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*http_ports'
    block: |

-      # - Mattermost (MM) Service
+      # - LOG CGI script Traffic out
      # -
-      mm_server_ips=""
-      forward_mm_server_ips=""
+      log_cgi_traffic_out=false

-      # - UDP Ports IN and OUT used by MM Servive
+      # - cgi_script_users
      # -
-      mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
-      mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
-
-    marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+      # - List of CGI script users (suexec user, php-fpm user. ...)
+      # -
+      # - Blank separated list
+      # -
+      cgi_script_users=""
+    marker: "# Marker set by modify-ipt-server.yml (log_cgi_traffic_out)"
  when:
    - main_ipv4_exists.stat.exists
-    - mattermost_service_ipv4_present is changed
+    - log_cgi_traffic_out_ipv4_present is changed
  notify:
    - Restart IPv4 Firewall


- name: Check if String 'mm_server_ips=..' is present
-  shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf
-  register: mattermost_service_ipv6_present
+- name: Check if String 'log_cgi_traffic_out=..' is present
+  shell: grep -q -E "^log_cgi_traffic_out=" /etc/ipt-firewall/main_ipv6.conf
+  register: log_cgi_traffic_out_ipv6_present
  when: main_ipv6_exists.stat.exists
-  failed_when: "mattermost_service_ipv6_present.rc > 1"
-  changed_when: "mattermost_service_ipv6_present.rc > 0"
+  failed_when: "log_cgi_traffic_out_ipv6_present.rc > 1"
+  changed_when: "log_cgi_traffic_out_ipv6_present.rc > 0"

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service)
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (log_cgi_traffic_out)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*http_ports'
    block: |

-      # - Mattermost (MM) Service
+      # - LOG CGI script Traffic out
      # -
-      mm_server_ips=""
-      forward_mm_server_ips=""
+      log_cgi_traffic_out=false

-      # - UDP Ports IN and OUT used by MM Servive
+      # - cgi_script_users
      # -
-      mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
-      mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
-
-    marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
+      # - List of CGI script users (suexec user, php-fpm user. ...)
+      # -
+      # - Blank separated list
+      # -
+      cgi_script_users=""
+    marker: "# Marker set by modify-ipt-server.yml (log_cgi_traffic_out)"
  when:
    - main_ipv6_exists.stat.exists
-    - mattermost_service_ipv6_present is changed
+    - log_cgi_traffic_out_ipv6_present is changed
  notify:
    - Restart IPv6 Firewall


-
 # ===
 # Remove Marker set by blockinfile
 # ===
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV0QIIPcvvF/hy1B8YUWIetKplaioZq5fj+7TEaDWJm root@g`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0hpyMseNudf+Dkphu9daQKgy/7dUinvs1ea5biTlGh root@g`