diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index aef67f7..5bc05b7 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -25,7 +25,7 @@ apt_ansible_dependencies: # vars used by roles/ansible_user # --- -ansible_remote_user: +ansible_remote_user: - name: chris password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. @@ -207,7 +207,7 @@ apt_initial_install_stretch: - patch - patchutils - recode - - recode-doc + - recode-doc - librecode0 - librecode-dev - sharutils @@ -326,7 +326,7 @@ apt_initial_install_buster: - patch - patchutils - recode - - recode-doc + - recode-doc - librecode0 - librecode-dev - sharutils @@ -451,7 +451,7 @@ apt_initial_install_bullseye: - patch - patchutils - recode - - recode-doc + - recode-doc - librecode0 - librecode-dev - sharutils @@ -570,7 +570,7 @@ apt_initial_install_bookworm: - patch - patchutils - recode - - recode-doc + - recode-doc - librecode0 - librecode-dev - sharutils @@ -1140,7 +1140,7 @@ yum_webserver_pkgs_centos: - libdbi-dbd-sqlite - libdbi-devel - libdbi-drivers - - readline + - readline - readline-devel - ncurses - ncurses-devel @@ -1208,7 +1208,7 @@ yum_webserver_pkgs_centos: - expect-devel - perl-Expect - poppler-utils - + # - libqdbm-dev #- libatm-dev #- libc-client2007e-dev @@ -1493,6 +1493,16 @@ apt_bind_pkgs: yum_bind_pks: - bind +apt_docker_host_pkgs: + - apparmor + - apparmor-profiles + - apparmor-profiles-extra + - libapparmor1 + - docker.io + - docker-clean + - docker-compose + - docker-doc + - docker-registry install_lxc_host_pkgs: false apt_lxc_host_pkgs: @@ -1554,7 +1564,7 @@ apt_extra_pkgs: [] apt_install: {} apt_install_state: latest -apt_remove: +apt_remove: - rpcbind - apt-transport-tor - tor @@ -1563,7 +1573,7 @@ apt_remove: apt_remove_purge: false -microcode_package: +microcode_package: - intel-microcode - amd64-microcode 
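Review bot: The new `apt_docker_host_pkgs` list has no enable flag, unlike the `install_lxc_host_pkgs: false` gate that sits directly below it for `apt_lxc_host_pkgs`, so it is unclear how a host opts in without the role installing Docker wherever the list is consumed. Adding `install_docker_host_pkgs: false` next to it would keep the two blocks parallel. The list also pulls in `docker-registry`, which as packaged runs a registry daemon rather than a client tool; if hosts only need the engine, drop it or confirm the service is wanted and firewalled on every docker host.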
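Review bot: `ipv6_address: ''` now defaults to an empty string while the adjacent `hostname:` and `ipv4_address:` stay bare (null), so templates that treat the three alike may behave differently, e.g. `ipv6_address | length` works but `ipv4_address | length` fails on a None value. Either give all three the same empty default or add a comment explaining why IPv6 alone is a string.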
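Review bot: The added comment labels the `abb4ec6b…` value as `O.OPEN/IL -ALT -` (old) and `b0b7e94d…` as the current `O.OPEN/IL` value, yet every host_vars hunk in this commit (a.mx, c.mx, d.mx, e.mx, ga-st-mail, mail-neu.cadus.org, mail.cadus.org, mail.faire-mobilitaet.de, plus the new b.mx and g.mx files) sets `si_authorisation_signature` to the `abb4ec6b…` value. Either the two labels are swapped or the hosts are being moved back to the retired signature; please confirm which is intended and correct the comment or the host values accordingly.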
@@ -1645,16 +1655,16 @@ yum_initial_install_centos_7: - recode - recode-devel - sharutils - - perl + - perl - perl-devel - - readline + - readline - readline-devel - - libtermkey + - libtermkey - libtermkey-devel - perl-Time-Duration-Parse - perl-DateTime - perl-libwww-perl - - pcre + - pcre - pcre2 - perl-IO-Compress - re2c @@ -1831,8 +1841,8 @@ systemd_resolved: false # IPv6: 2606:4700:4700::1111 # sekundäre DNS-Adresse # IPv4: 1.0.0.1 -# IPv6: 2606:4700:4700::1001 -# +# IPv6: 2606:4700:4700::1001 +# # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit # primäre DNS-Adresse # IPv4: 8.8.8.8 @@ -1843,20 +1853,20 @@ systemd_resolved: false # # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug # primäre DNS-Adresse -# IPv4: 9.9.9.9 -# IPv6: 2620:fe::fe +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe # sekundäre DNS-Adresse # IPv4: 149.112.112.112 # IPv6: 2620:fe::9 # # OpenNIC - https://www.opennic.org/ -# IPv4: 195.10.195.195 - ns31.de -# IPv4: 94.16.114.254 - ns28.de -# IPv4: 51.254.162.59 - ns9.de +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de # IPv4: 194.36.144.87 - ns29.de # IPv6: 2a00:f826:8:2::195 - ns31.de -# -# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) # IPv4: 5.1.66.255 # IPv6: 2001:678:e68:f000:: # Servername für DNS-over-TLS: dot.ffmuc.net @@ -1870,7 +1880,7 @@ resolved_nameserver: # search domains # -# If there are more than one search domains, then specify them here in the order in which +# If there are more than one search domains, then specify them here in the order in which # the resolver should also search them # #resolved_domains: [] 
@@ -2088,10 +2098,10 @@ sshd_gateway_ports: !!str "no" # sshd_pubkey_accepted_algorithms: # -# if the specified list begins with a '+' character, then the specified +# if the specified list begins with a '+' character, then the specified # algorithms will be appended to the default set instead of replacing them. # -# If the specified list begins with a '-' character, then the specified algorithms +# If the specified list begins with a '-' character, then the specified algorithms # (including wildcards) will be removed from the default set instead of replacing them. # # If the specified list begins with a '^' character, then the @@ -2109,8 +2119,8 @@ sshd_gateway_ports: !!str "no" # - ecdh-sha2-nistp256 # - ecdh-sha2-nistp384 # - ecdh-sha2-nistp521 - -#sshd_pubkey_accepted_algorithms: + +#sshd_pubkey_accepted_algorithms: # - +ssh-rsa # - ssh-dss @@ -2364,7 +2374,7 @@ git_warenform_server_repositories: # group [lxc_host] # --- git_lxc_host_repositories: - + # LXC - name: LXC repo: https://git.oopen.de/script/LXC @@ -2453,7 +2463,7 @@ git_mysql_repositories: - name: mysql repo: https://git.oopen.de/install/mysql dest: /usr/local/src/mysql - + # --- # group [postgresql_server] @@ -2711,7 +2721,7 @@ symlink_files: [] hostname: ipv4_address: -ipv6_address: +ipv6_address: '' # postfix_db_type # @@ -2739,7 +2749,7 @@ sasl_pass: db_in_use: # postfix_db_type # -# possible values are +# possible values are # 'PostgreSQL' # 'MySQL' # @@ -2757,6 +2767,7 @@ mp_receipt_number: # si_authorisation_signature # +# O.OPEN/IL -ALT -: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # O.OPEN/IL: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 # # Warenform: 76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b 
@@ -2882,7 +2893,7 @@ base_home: /home remove_samba_users: [] # samba_shares -# +# # samba_shares: # - name: Arbeitsrechtliches # comment: @@ -2927,7 +2938,7 @@ samba_cronjob_permissions: # vars used by roles/common/tasks/systemd-services.yml # ========== -# Take care that if these services are installed, they are running and +# Take care that if these services are installed, they are running and # start automatically after boot. # debian_services_active_and_started: diff --git a/host_vars/a.mx.oopen.de.yml b/host_vars/a.mx.oopen.de.yml index 652d1e2..7a2c914 100644 --- a/host_vars/a.mx.oopen.de.yml +++ b/host_vars/a.mx.oopen.de.yml @@ -227,7 +227,7 @@ postfix_db_pass: FKt4z55FxMZp # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # diff --git a/host_vars/b.mx.oopen.de.yml b/host_vars/b.mx.oopen.de.yml index 5a17264..c598015 100644 --- a/host_vars/b.mx.oopen.de.yml +++ b/host_vars/b.mx.oopen.de.yml @@ -209,6 +209,11 @@ admin_email: argus@oopen.de is_relay_host: !!str "true" sasl_auth_enable: !!str "yes" +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e + template_files_mailsystem_script: diff --git a/host_vars/c.mx.oopen.de.yml b/host_vars/c.mx.oopen.de.yml index eceef9d..903c4fb 100644 --- a/host_vars/c.mx.oopen.de.yml +++ b/host_vars/c.mx.oopen.de.yml 
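Review bot: The new `mp_receipt_number` / `si_authorisation_signature` pair is now repeated verbatim with identical values in roughly ten host_vars files; a single definition in `group_vars/all/main.yml` (where the value already appears in a comment) would have avoided the per-host edits this commit makes. Since this is an authorisation credential committed in cleartext, that single definition is also the natural place to store it as an `!vault` value. The sibling hunks in a.mx, c.mx and e.mx show `postfix_db_pass` in cleartext in the same files, which deserves the same treatment.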
@@ -228,7 +228,7 @@ postfix_db_pass: AeB4kohyie5rahJ7 # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # diff --git a/host_vars/cl-flr.oopen.de.yml b/host_vars/cl-flr.oopen.de.yml new file mode 100644 index 0000000..7f3b762 --- /dev/null +++ b/host_vars/cl-flr.oopen.de.yml 
@@ -0,0 +1,181 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "prohibit-password" + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + +# search domains +# +# If there are more than one search 
domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_privileges: + - name: back + entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: 
roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/d.mx.oopen.de.yml b/host_vars/d.mx.oopen.de.yml index 5aee3be..f01e82e 100644 --- a/host_vars/d.mx.oopen.de.yml +++ b/host_vars/d.mx.oopen.de.yml @@ -193,7 +193,7 @@ is_sympa_list_server: true # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e template_files_mailsystem_script: diff --git a/host_vars/e.mx.oopen.de.yml b/host_vars/e.mx.oopen.de.yml index ee04bf4..1a94285 100644 --- a/host_vars/e.mx.oopen.de.yml +++ b/host_vars/e.mx.oopen.de.yml @@ -255,7 +255,7 @@ postfix_db_pass: W/w-musi9cr5Gg%U # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # diff --git a/host_vars/g.mx.oopen.de.yml b/host_vars/g.mx.oopen.de.yml new file mode 100644 index 0000000..c7e852b --- /dev/null +++ b/host_vars/g.mx.oopen.de.yml 
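Review bot: `sudo_users` grants sudo to `localadmin`, but the `default_user` list in this file defines only `chris`, `sysadm` and `back`; unless `localadmin` is created elsewhere (group_vars, for instance) the role will reference a non-existent account. Separately, `sysadm` and `back` carry the byte-identical yescrypt hash `$y$j9T$bBB2QdnooT7rbIYZ0LK730$…`, i.e. the same password on two accounts with different privileges (`back` additionally receives a NOPASSWD sudoers entry) — give each account its own password and consider keeping the hashes in an `!vault` block rather than cleartext. The same shared hash appears in the new mm-rav.oopen.de.yml.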
@@ -0,0 +1,222 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +install_compiler_pkgs: true + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver 
should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +#insert_root_ssh_keypair: true +# +#root_ssh_keypair: +# - name: id-rsa-dehydrated +# priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated +# priv_key_dest: /root/.ssh/id_rsa-dehydrated +# pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub +# pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub +# - name: id-rsa-opendkim +# priv_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim +# priv_key_dest: /root/.ssh/id_rsa-opendkim +# pub_key_src: b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub +# pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + + - name: monitoring_check_webservice_load.conf + src_path: g.mx/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: postfix_create_opendkim_key.conf + src_path: g.mx/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfix_host_specific: + + - name: relay_domains + src_path: g.mx/etc/postfix/relay_domains + 
dest_path: /etc/postfix/relay_domains + + +copy_plain_files_postfwd_host_specific: + + # Postfix Firewall postfwd + # + - name: postfwd.wl-nets + src_path: g.mx/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + +copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: g.mx.oopen.de +ipv4_address: 176.9.125.42 +ipv6_address: 2a01:4f8:151:8415::42 + +admin_email: argus@oopen.de +is_relay_host: !!str "true" +sasl_auth_enable: !!str "no" + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e + + +template_files_mailsystem_script: + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf diff --git a/host_vars/ga-st-mail.ga.netz.yml b/host_vars/ga-st-mail.ga.netz.yml index 5e00f2f..8cb1a7b 100644 --- a/host_vars/ga-st-mail.ga.netz.yml +++ b/host_vars/ga-st-mail.ga.netz.yml @@ -224,7 +224,7 @@ postfix_db_pass: R_wuKauoTE7+AJg9 # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # 
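Review bot: `resolved_nameserver` points systemd-resolved at `127.0.0.1`, but nothing in this file configures a local resolver (the `caching-nameserver.yml` section is empty), so unless another role provides a DNS service on that address all lookups will fall through to `resolved_fallback_nameserver` alone. Please confirm the local resolver exists or document it next to the value, e.g. `# 127.0.0.1: local caching nameserver provided by <role-name> — TODO confirm`.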
diff --git a/host_vars/mail-neu.cadus.org.yml b/host_vars/mail-neu.cadus.org.yml index 09b9fa5..a3a17ef 100644 --- a/host_vars/mail-neu.cadus.org.yml +++ b/host_vars/mail-neu.cadus.org.yml @@ -170,7 +170,7 @@ mysql_credentials: !!str "-u root -S /run/mysqld/mysqld.sock" # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml index a36cd59..19d439a 100644 --- a/host_vars/mail.cadus.org.yml +++ b/host_vars/mail.cadus.org.yml @@ -239,7 +239,7 @@ postfix_db_pass: T3CJnFMJNX9wmhNs # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # diff --git a/host_vars/mail.faire-mobilitaet.de.yml b/host_vars/mail.faire-mobilitaet.de.yml index 01459ff..a9a7342 100644 --- a/host_vars/mail.faire-mobilitaet.de.yml +++ b/host_vars/mail.faire-mobilitaet.de.yml @@ -223,7 +223,7 @@ postfix_db_pass: sp4xMdnXJkdMXnq9 # install_amavis.conf # mp_receipt_number: 106015125438 -si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e # install_postfixadmin.conf # 
diff --git a/host_vars/mm-rav.oopen.de.yml b/host_vars/mm-rav.oopen.de.yml new file mode 100644 index 0000000..b07d0b2 --- /dev/null +++ b/host_vars/mm-rav.oopen.de.yml 
@@ -0,0 +1,235 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + +# search domains +# +# If there are more than one search domains, then specify them here 
in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Check if postfix mailservice is running. Restart service if needed." + special_time: reboot + job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" + insertafter: PATH + + +cron_user_entries: + + - name: "Check if mattermost service ist running - Restart Service if needed." + minute: '*/6' + hour: '*' + job: /root/bin/monitoring/check_local_mattermost_service.sh + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if Postfix Mailservice is up and running?" 
+ minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)" + minute: '01' + hour: '05' + job: /var/lib/dehydrated/cron/dehydrated_cron.sh + + - name: "Check whether all certificates are included in the VHOST configurations" + minute: '33' + hour: '05' + job: /var/lib/dehydrated/tools/update_ssl_directives.sh + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + 
+git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o40.oopen.de.yml b/host_vars/o40.oopen.de.yml new file mode 100644 index 0000000..d90d1af --- /dev/null +++ b/host_vars/o40.oopen.de.yml 
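Review bot: The `PATH` cron env entry uses `;` instead of `:` between its first two elements (`/root/bin/admin-stuff;/root/bin:…`), so cron sees one bogus element and neither `/root/bin/admin-stuff` nor `/root/bin` is actually on the path; it should read `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`. The same line appears in the new o40.oopen.de.yml. Also, `root_user.password` here is byte-identical to the hash in o40.oopen.de.yml, meaning both hosts share one root password stored in cleartext in git; set a per-host password and keep the hashes in an `!vault` value.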
@@ -0,0 +1,375 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp5s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: 9c:6b:00:0b:fe:2f + description: + address: 176.9.125.12 + netmask: 27 + gateway: 176.9.125.1 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + # ** MOVED TO systemd-resolved + # + nameservers: + search: + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp5s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # method: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 176.9.125.0 netmask 255.255.255.224 gw 176.9.125.1 dev br0" # up script lines + 
post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: inet6 + method: static + address: '2a01:4f8:151:8415::2' + netmask: 64 + gateway: 'fe80::1' + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für 
DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Check if postfix mailservice is running. Restart service if needed." + special_time: reboot + job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" + insertafter: PATH + + - name: "Check if postfix mailservice is running. Restart service if needed." + special_time: reboot + job: "@reboot sleep 20 ; /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1" + insertafter: PATH + +# - name: "Check if Check if all autostart LX-Container are running." +# special_time: reboot +# job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" +# insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check connectifity - reboot if needed" + minute: '*/10' + hour: '*' + job: /root/bin/admin-stuff/check-connectivity.sh + + - name: "Check if Postfix Mailservice is up and running?" 
+ minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check hard disc usage." + minute: '43' + hour: '6' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o41.oopen.de.yml b/host_vars/o41.oopen.de.yml new file mode 100644 index 0000000..0a7264e --- /dev/null +++ b/host_vars/o41.oopen.de.yml 
@@ -0,0 +1,251 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: false + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + +# search domains +# +# If 
there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + +# - name: "Check if postfix mailservice is running. Restart service if needed." +# special_time: reboot +# job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" +# insertafter: PATH +# +# - name: "Check if Check if all autostart LX-Container are running." +# special_time: reboot +# job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" +# insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + +# - name: "Check connectifity - reboot if needed" +# minute: '*/10' +# hour: '*' +# job: /root/bin/admin-stuff/check-connectivity.sh +# +# - name: "Check if Postfix Mailservice is up and running?" +# minute: '*/15' +# hour: '*' +# job: /root/bin/monitoring/check_postfix.sh +# +# - name: "Check if NTP service 'ntpsec' is up and running?" +# minute: '*/30' +# hour: '*' +# job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o42.oopen.de.yml b/host_vars/o42.oopen.de.yml new file mode 100644 index 0000000..efd5b90 --- /dev/null +++ b/host_vars/o42.oopen.de.yml 
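Review bot: `systemd_resolved: false` at the top of this file turns the resolver role off for o41, yet `cron_user_special_time_entries` still installs the @reboot job `Restart DNS Cache service 'systemd-resolved'`; if that unit is absent or masked on this host the job presumably fails on every boot and mails root, so either drop the entry here or guard it behind `systemd_resolved`. Separately, the `password:` values of every `default_user` entry (chris, sysadm, localadmin, back) and of `root_user` are SHA-512 crypt hashes committed in clear in host_vars; they should be stored as `!vault` values encrypted with ansible-vault so the repository does not double as an offline cracking target, and the same applies to host_vars/o42.oopen.de.yml. The `- name: sysadm` entry is followed by a stray blank line before its attributes, unlike its siblings; harmless to YAML but worth aligning.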
@@ -0,0 +1,360 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp34s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: + description: + address: 95.217.194.43 + netmask: 26 + gateway: 95.217.194.1 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + # ** MOVED TO systemd-resolved + # + nameservers: + search: + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp34s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # method: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 95.217.194.0 netmask 255.255.255.192 gw 95.217.194.1 dev br0" # up script lines + post-up: [] # 
post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: inet6 + method: static + address: '2a01:4f9:4a:5114::2' + netmask: 64 + gateway: 'fe80::1' + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: 
dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Check if postfix mailservice is running. Restart service if needed." + special_time: reboot + job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" + insertafter: PATH + + - name: "Check if Check if all autostart LX-Container are running." + special_time: reboot + job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" + insertafter: PATH + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 2 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 + + - name: "Check hard disc usage." 
+ minute: '43' + hour: '6' + job: /root/bin/admin-stuff/check-disc-usage.sh -c 85 + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $y$j9T$CmDEzObyDCcl4Assjaqlw1$5wfAVQoNA0jOPCc3H0PaCNVxHW/0D52Rc9hMzASElrD + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$bBB2QdnooT7rbIYZ0LK730$vDNyiWPZ2x2GmgeYq652MSIxaoyfBjD2Zn1v6asV62D + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: 
$6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/hosts b/hosts index 794fd03..376b512 100644 --- a/hosts +++ b/hosts @@ -232,6 +232,19 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# Fluechtlingsrat Berlin +o40.oopen.de +g.mx.oopen.de +cl-flr.oopen.de +cp-flr.oopen.de + +# Kotti-Coop e.V. +o41.oopen.de + +# RAV +o42.oopen.de +mm-rav.oopen.de + lxc-host-kb.anw-kb.netz @@ -408,6 +421,19 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# Fluechtlingsrat Berlin +o40.oopen.de +cl-flr.oopen.de +cp-flr.oopen.de + +# Kotti-Coop e.V. +o41.oopen.de +g.mx.oopen.de + +# RAV +o42.oopen.de +mm-rav.oopen.de + lxc-host-kb.anw-kb.netz @@ -648,7 +674,10 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de -# o39.oopen.de +# o40.oopen.de +g.mx.oopen.de +cl-flr.oopen.de + # --- # O.OPEN office network @@ -791,6 +820,13 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# o40 - Flüchtlingsrat Berlin +cl-flr.oopen.de +cp-flr.oopen.de + +# o42.oopen.de +mm-rav.oopen.de + # GA - Gemeinschaft Altensclirf ga-st-services.ga.netz @@ -833,6 +869,9 @@ a.mx.oopen.de web-01.oopen.de b.mx.oopen.de +# o40 - g.mx +g.mx.oopen.de + # --- # O.OPEN office network # --- @@ -875,6 +914,12 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de +# o23.oopen.de +mm.oopen.de + +# o24.oopen.de +mm-irights.oopen.de + # o27.oopen.de mail.faire-mobilitaet.de @@ -887,6 +932,11 @@ a.mx.oopen.de web-01.oopen.de web-03.oopen.de +# o40 - g.mx +g.mx.oopen.de + +# o39.oopen.de + # --- # O.OPEN office network # --- @@ -908,6 +958,9 @@ mx.warenform.de # server27.warenform.de verdi-django.warenform.de +# o42.oopen.de +mm-rav.oopen.de + [mysql_server] @@ -998,6 +1051,9 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# o40 - Fluechtlingsrat Berlin +cl-flr.oopen.de + # --- # Warenform @@ -1078,6 +1134,9 @@ cl-test.oopen.de # o38.oopen.de cl-opp.oopen.de +# 040 - Fluechtlingsrat Berlin +cl-flr.oopen.de + # --- # Warenform # --- 
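Review bot: The `sysadm` and `back` entries of `default_user` carry the identical `$y$` password hash, salt included, which means both accounts share one password; a compromise of the backup account therefore yields the password of `sysadm`, which is in `sudo_users`. Give `back` a distinct hash, or lock its password and keep it key-only, since it already receives the same `ssh_keys`. Style: `network_manage_devices: True` and `network_interface_reload: False` use capitalised booleans where the rest of the file writes `true`/`false`, and `stp: !!str off` can be written `stp: 'off'` for the same string value.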
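Review bot: The second group hunk (`@@ -408,6 +421,19 @@`) files `g.mx.oopen.de` under `# Kotti-Coop e.V.` together with o41, whereas every other hunk in this file lists it under o40 / Fluechtlingsrat Berlin (`# o40 - g.mx`); one of the two placements looks wrong and the group membership it implies should be checked. Two label slips in the same file: `# 040 - Fluechtlingsrat Berlin` in the hunk at `@@ -1078,6 +1134,9 @@` reads `040` where the sibling comments write `o40`, and the hunk at `@@ -887,6 +932,11 @@` leaves a dangling `# o39.oopen.de` comment with no host beneath it. Suggested: `# o40 - Fluechtlingsrat Berlin` and removing the empty o39 stanza.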
@@ -1133,6 +1192,9 @@ a.mx.oopen.de # o36.oopen.de - b.mx, web-01, web-03 b.mx.oopen.de +# o40 - g.mx +g.mx.oopen.de + # --- # O.OPEN office network # --- @@ -1266,6 +1328,12 @@ ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz +[docker_host] + +# Kotti-Coop e.V. +o41.oopen.de + + [lxc_host] # --- @@ -1291,6 +1359,12 @@ o36.oopen.de o38.oopen.de o39.oopen.de +# Fluechtlingsrat Berlin +o40.oopen.de + +# RAV +o42.oopen.de + lxc-host-kb.anw-kb.netz # --- @@ -1431,6 +1505,14 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# o40 - g.mx +g.mx.oopen.de +cl-flr.oopen.de +cp-flr.oopen.de + +# o42.oopen.de +mm-rav.oopen.de + # --- # O.OPEN office network # --- @@ -1634,6 +1716,20 @@ web-07.oopen.de web-08.oopen.de web-09.oopen.de +# o40 +o40.oopen.de +g.mx.oopen.de +cl-flr.oopen.de +cp-flr.oopen.de + +# Kotti-Coop e.V. +o41.oopen.de + +# RAV +o42.oopen.de +mm-rav.oopen.de + + lxc-host-kb.anw-kb.netz diff --git a/roles/common/files/g.mx/etc/postfix/postfwd.wl-nets b/roles/common/files/g.mx/etc/postfix/postfwd.wl-nets new file mode 100644 index 0000000..7ed94f9 --- /dev/null +++ b/roles/common/files/g.mx/etc/postfix/postfwd.wl-nets @@ -0,0 +1,19 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here + +# d.mx.oopen.de (listen server) +95.217.204.227 +2a01:4f9:4a:47e5::227 diff --git a/roles/common/files/g.mx/etc/postfix/relay_domains b/roles/common/files/g.mx/etc/postfix/relay_domains new file mode 100644 index 0000000..e0e6286 --- /dev/null +++ b/roles/common/files/g.mx/etc/postfix/relay_domains 
@@ -0,0 +1,10 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +## - a.mx.oopen.de +## - +## - create relay-domain list for host a.mx.oopen.de: +## - cd /var/vmail +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done +## - +anw-nbg.de :[a.mx.oopen.de] +meet.oopen.de :[a.mx.oopen.de] diff --git a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated new file mode 100644 index 0000000..dd45a47 --- /dev/null +++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZgAAAJA0qaJANKmi +QAAAAAtzc2gtZWQyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZg +AAAEBMOuz+phzRVnQYFnaqV4D8Ned91hkkystvPVPm0G/nEMV0QIIPcvvF/hy1B8YUWIet +KplaioZq5fj+7TEaDWJmAAAABnJvb3RAZwECAwQFBgc= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub new file mode 100644 index 0000000..6b8767c --- /dev/null +++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV0QIIPcvvF/hy1B8YUWIetKplaioZq5fj+7TEaDWJm root@g diff --git a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim new file mode 100644 index 0000000..f25172e --- /dev/null +++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim 
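Review bot: An unencrypted OpenSSH private key is committed in clear as roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated, and the following hunk does the same for g.mx-id_ed25519-opendkim; once pushed, both keys have to be treated as disclosed, so regenerate them, replace the corresponding public keys on every host that trusts them, and deploy the new private halves only as ansible-vault-encrypted files (or generate them on the target and collect just the `.pub`). The TSIG `key_secret=` value in roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf (that hunk runs past the end of this chunk) is in the same position and should be rotated alongside, since it authorises nsupdate against `dns_dkim_zone_master_server`. A `.gitignore` pattern for the private key files would keep them from being staged again by accident.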
@@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQAAAJBWLbDTVi2w +0wAAAAtzc2gtZWQyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQ +AAAEChcZYodFiWBZ0F3k5mJW27C19OFqrz14WuBxeQm8vC4l0hpyMseNudf+Dkphu9daQK +gy/7dUinvs1ea5biTlGhAAAABnJvb3RAZwECAwQFBgc= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub new file mode 100644 index 0000000..4d6cc11 --- /dev/null +++ b/roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0hpyMseNudf+Dkphu9daQKgy/7dUinvs1ea5biTlGh root@g diff --git a/roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..c7f227f --- /dev/null +++ b/roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -0,0 +1,270 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + +# - What to check +# - +check_load=true +check_mysql=false +check_mariadb=false + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=false + +check_apache=true +check_nginx=false +check_php_fpm=false +check_redis=false +check_website=false + + +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. 
+# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. 
+# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" + + +# - Port of PostgreSQL Service +# - +# - defaults to '5432' +# - postgresql_port=5432 +# - +#postgresql_port=5432 + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. 
+# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. +# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. 
+# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..4508720 --- /dev/null +++ b/roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf 
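Review bot: `include_cleanup_function=true` is set while `cleanup_function` is effectively empty (a single newline), so whoever later enables `check_website` and `is_working_url` gets a cleanup step with no body; set `include_cleanup_function=false` until a real cleanup exists, all the more since the commented example shows that step running `rm -rf` over web caches. `check_apache=true` on a host whose other new files are all postfix and DKIM configuration looks copied from a web-server profile; worth confirming apache2 actually runs on g.mx, otherwise each cron run will presumably report it as down. Style: the `from_address` line uses backtick command substitution; `from_address="root@$(hostname -f)"` is the conventional form. The comments carry several typos (`loclhost`, `ommited`, `fro file`, `qoutes`, `servervices`, `Not VSerber guest`) that a quick pass would clean up.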
@@ -0,0 +1,177 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---------------------------------------------------------
+# - Parameter Settings for script 'create_opendkim_key.sh'.
+# ---------------------------------------------------------
+
+
+# ----------
+# DNS Server
+# ----------
+
+# - dns_dkim_zone_master_server
+# -
+# - The DNS Server who is serving the update zone and is used
+# - for the dynamic updates (nsupdate)
+# -
+#dns_dkim_zone_master_server=""
+dns_dkim_zone_master_server="b.ns.oopen.de"
+
+# - update_dns
+# -
+# - Possible Values are 'true' or 'false'
+# -
+#update_dns=true
+
+# - update_zone
+# -
+# - Zone containing the DKIM TXT record.
+# -
+# - Defaults to '_domainkey.'
+# -
+# - Note:
+# - do NOT change/set this option unless you know what you do.
+# -
+#update_zone=""
+
+# - TTL
+# -
+# - TTL for the DKIM TXT Record.
+# -
+# - Defaults to "" if update_dns=false
+# - Defaults to "43200" if update_dns=true
+# -
+#TTL=
+
+
+# ----------
+# TSIG Key
+# ----------
+
+# - key_secret
+# -
+# - Sectret Key used by 'nsupdate' to create/update the
+# - DKIM TXT record.
+# -
+# - Example:
+# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
+# -
+#key_secret=""
+key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
+
+# - key_algo
+# -
+# - The key algorithm used for key creation. Available choices are: hmac-md5,
+# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The
+# - default is hmac-sha256. Options are case-insensitive.
+# -
+# - Example:
+# - key_algo="hmac-md5"
+# -
+# - Defaults to 'hmac-sha256'
+# -
+#key_algo="hmac-sha256"
+key_algo="hmac-sha256"
+
+# - key_name
+# -
+# - Name of the Key
+# -
+# - Defaults to "$update_zone"
+# -
+#key_name=""
+key_name="update-dkim"
+
+
+# ----------
+# Access Credentials DNS Server
+# ----------
+
+# - dns_ssh_user
+# -
+# - Defaults to 'manage-bind'
+# -
+#dns_ssh_user="manage-bind"
+
+# - dns_ssh_port
+# -
+# - Defaults to '22'
+# -
+#dns_ssh_port=22
+
+# - dns_ssh_key
+# -
+# - Defaults to '/root/.ssh/id_rsa-opendkim'
+# -
+#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
+dns_ssh_key="/root/.ssh/id_ed25519-opendkim"
+
+
+# ----------
+# Scripts envoked at DNS Server
+# ----------
+
+# - set_new_serial_script
+# -
+# - Script increases the serial for a given domain or a given
+# - hostname's concerning domain.
+# -
+# - Defaults to /root/bin/bind/bind_set_new_serial.sh
+# -
+#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
+
+# - create_dkim_delegation_script
+# -
+# - Script adds DKIM subdomain delegation for a given domain
+# -
+# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
+# -
+#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
+
+# - add_dkim_zone_master_script
+# -
+# - Script adds zone _domainkey. as master zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
+# -
+#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
+
+# - add_dkim_zone_slave_script
+# -
+# - Script adds zone _domainkey. as slave zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
+# -
+#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
+
+
+
+# ----------
+# OpenDKIM Installation
+# ----------
+
+# - opendkim_dir
+# -
+# - OpenDKIM's etc-directory
+# -
+# - Defaults to opendkim_dir="/etc/opendkim"
+# -
+#opendkim_dir="/etc/opendkim"
+
+# - key_base_dir
+# -
+# - Defaults to "${opendkim_dir}/keys"
+# -
+#key_base_dir=${opendkim_dir}/keys
+
+# - signing_table_file
+# -
+# - Defaults to "${opendkim_dir}/signing.table"
+# -
+#signing_table_file="${opendkim_dir}/signing.table"
+
+# - key_table_file
+# -
+# - Defaults to "${opendkim_dir}/key.table"
+# -
+#key_table_file="${opendkim_dir}/key.table"
diff --git a/roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
new file mode 100644
index 0000000..11c60fa
--- /dev/null
+++ b/roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
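Review bot: `key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="` commits a live TSIG shared secret in clear text, and next to `dns_dkim_zone_master_server="b.ns.oopen.de"` and `key_name="update-dkim"` it is the credential that grants dynamic-update access to the DKIM zone on that server. The file header says it is Ansible managed, so the value belongs in an Ansible Vault-encrypted variable rendered by a template (e.g. `key_secret="{{ opendkim_tsig_key_secret }}"` with the variable name a placeholder) rather than in roles/common/files, and the secret already pushed should be treated as exposed and rotated, since it stays in history. As a smaller point, the `key_algo` comment still lists `hmac-md5` and `hmac-sha1` as available choices without qualification; a note such as `# - hmac-md5/hmac-sha1 only for legacy servers; keep the hmac-sha256 default` would steer readers away from them.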
@@ -0,0 +1,44 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ======================================================
+# ---
+# Parameter Settings for Script 'whitelist_mb_sigs.conf'
+# ---
+# ======================================================
+
+# QUARANTINE_BASE_DIR
+#
+# Base directory where amavis stores quarantined e-mails, mostly in
+#
+# virus e-mails: $QUARANTINE_BASE_DIR/virus
+# spam emails: $QUARANTINE_BASE_DIR/spam
+# ..
+#
+# Defaults to:
+# QUARANTINE_BASE_DIR="/var/QUARANTINE"
+#
+#QUARANTINE_BASE_DIR="/var/QUARANTINE"
+
+
+# CLAMAV_VIRUS_WHITE_LIST
+#
+# Full path to clamav's (personal) white list file
+#
+# Defaults to:
+# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+#
+#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+
+
+# WHITE_LIST_STRINGS
+#
+# A blank separated list of strings to whitelist.
+#
+# Example:
+# WHITE_LIST_STRINGS="google.com tinyurl.com"
+#
+# Defaults to:
+# WHITE_LIST_STRINGS="google.com"
+#
+#WHITE_LIST_STRINGS="google.com"
+WHITE_LIST_STRINGS="google.com tinyurl.com"
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
index 1cc5237..71d82a5 100644
--- a/roles/common/tasks/apt.yml
+++ b/roles/common/tasks/apt.yml
@@ -218,6 +218,15 @@
 tags:
 - apt-lxc-hosts-pkgs
+- name: (apt.yml) Install docker related packages
+ apt:
+ name: "{{ apt_docker_host_pkgs }}"
+ state: "{{ apt_install_state }}"
+ when:
+ - groups['docker_host']|string is search(inventory_hostname)
+ tags:
+ - apt-docker-hosts-pkgs
+
 - name: (apt.yml) Install kvm_host related packages
 apt:
 name: "{{ apt_kvm_host_pkgs }}"
diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml
index 432f8ef..85e4180 100644
--- a/roles/modify-ipt-server/tasks/ipt-server.yml
+++ b/roles/modify-ipt-server/tasks/ipt-server.yml
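Review bot: `WHITE_LIST_STRINGS="google.com tinyurl.com"` puts a URL-shortener domain on the ClamAV ignore list; if, as the CLAMAV_VIRUS_WHITE_LIST comment and the `.ign2` path suggest, the script turns every signature containing one of these strings into an ignore entry, this silences the phishing signatures that reference tinyurl.com links, which is exactly what those signatures exist to catch. A comment above the setting stating why the shortener is trusted on this host, and which signatures are expected to be suppressed, would make the choice auditable. The header `Parameter Settings for Script 'whitelist_mb_sigs.conf'` most likely means the `.sh` script rather than this conf file and should be corrected.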
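Review bot: `groups['docker_host']|string is search(inventory_hostname)` in the new task's `when` is a substring match on the stringified group list, so a host whose name is a prefix of another member's name (for example `web1` against `web10`, constructed) is matched as well, and the lookup raises on inventories that have no `docker_host` group at all. `inventory_hostname in groups.get('docker_host', [])` or `"'docker_host' in group_names"` tests membership exactly. The kvm_host task below appears to follow the same pattern, so if it is kept for consistency, a comment explaining that the group names are chosen to be non-overlapping would document the assumption the condition depends on.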
@@ -99,126 +99,73 @@ # === # --- -# Wireguard Service +# LOG CGI script Traffic out # --- -- name: Check if String 'wg_ifs=..' is present in interfaces_ipv4.conf - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf - register: wg_ifs_interfaces_ipv4_present - when: interfaces_ipv4_exists.stat.exists - failed_when: "wg_ifs_interfaces_ipv4_present.rc > 1" - changed_when: "wg_ifs_interfaces_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv4.conf - insertafter: '^#?\s*vpn_ifs' - block: | - - # - Wireguard Interfaces - # - (comma separated list 'wg+' is also possible) - wg_ifs="wg+" - - marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" - when: - - interfaces_ipv4_exists.stat.exists - - wg_ifs_interfaces_ipv4_present is changed - notify: - - Restart IPv4 Firewall - - -- name: Check if String 'wg_ifs=..' is present in interfaces_ipv6.conf - shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf - register: wg_ifs_interfaces_ipv6_present - when: interfaces_ipv6_exists.stat.exists - failed_when: "wg_ifs_interfaces_ipv6_present.rc > 1" - changed_when: "wg_ifs_interfaces_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) - blockinfile: - path: /etc/ipt-firewall/interfaces_ipv6.conf - insertafter: '^#?\s*vpn_ifs' - block: | - - # - Wireguard Interfaces - # - (comma separated list 'wg+' is also possible) - wg_ifs="wg+" - - marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" - when: - - interfaces_ipv6_exists.stat.exists - - wg_ifs_interfaces_ipv6_present is changed - notify: - - Restart IPv6 Firewall - - -# --- -# Mattermost (MM) Service (add a block) -# --- - -- name: Check if String 'mm_server_ips=..' is present - shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: mattermost_service_ipv4_present +- name: Check if String 'log_cgi_traffic_out=..' 
is present + shell: grep -q -E "^log_cgi_traffic_out=" /etc/ipt-firewall/main_ipv4.conf + register: log_cgi_traffic_out_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "mattermost_service_ipv4_present.rc > 1" - changed_when: "mattermost_service_ipv4_present.rc > 0" + failed_when: "log_cgi_traffic_out_ipv4_present.rc > 1" + changed_when: "log_cgi_traffic_out_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (log_cgi_traffic_out) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf insertafter: '^#?\s*http_ports' block: | - # - Mattermost (MM) Service + # - LOG CGI script Traffic out # - - mm_server_ips="" - forward_mm_server_ips="" + log_cgi_traffic_out=false - # - UDP Ports IN and OUT used by MM Servive + # - cgi_script_users # - - mm_udp_ports_in="$stansard_mattermost_udp_ports_in" - mm_udp_ports_out="$stansard_mattermost_udp_ports_out" - - marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" + # - List of CGI script users (suexec user, php-fpm user. ...) + # - + # - Blank separated list + # - + cgi_script_users="" + marker: "# Marker set by modify-ipt-server.yml (log_cgi_traffic_out)" when: - main_ipv4_exists.stat.exists - - mattermost_service_ipv4_present is changed + - log_cgi_traffic_out_ipv4_present is changed notify: - Restart IPv4 Firewall -- name: Check if String 'mm_server_ips=..' is present - shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: mattermost_service_ipv6_present +- name: Check if String 'log_cgi_traffic_out=..' 
is present + shell: grep -q -E "^log_cgi_traffic_out=" /etc/ipt-firewall/main_ipv6.conf + register: log_cgi_traffic_out_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "mattermost_service_ipv6_present.rc > 1" - changed_when: "mattermost_service_ipv6_present.rc > 0" + failed_when: "log_cgi_traffic_out_ipv6_present.rc > 1" + changed_when: "log_cgi_traffic_out_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (log_cgi_traffic_out) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf insertafter: '^#?\s*http_ports' block: | - # - Mattermost (MM) Service + # - LOG CGI script Traffic out # - - mm_server_ips="" - forward_mm_server_ips="" + log_cgi_traffic_out=false - # - UDP Ports IN and OUT used by MM Servive + # - cgi_script_users # - - mm_udp_ports_in="$stansard_mattermost_udp_ports_in" - mm_udp_ports_out="$stansard_mattermost_udp_ports_out" - - marker: "# Marker set by modify-ipt-server.yml (mattermost_service)" + # - List of CGI script users (suexec user, php-fpm user. ...) + # - + # - Blank separated list + # - + cgi_script_users="" + marker: "# Marker set by modify-ipt-server.yml (log_cgi_traffic_out)" when: - main_ipv6_exists.stat.exists - - mattermost_service_ipv6_present is changed + - log_cgi_traffic_out_ipv6_present is changed notify: - Restart IPv6 Firewall - # === # Remove Marker set by blockinfile # ===
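Review bot: The two new 'Check if String ...' tasks run `grep -q -E "^log_cgi_traffic_out=" /etc/ipt-firewall/main_ipv4.conf` (and the IPv6 twin) through `shell:` although nothing in the command needs a shell; `command:` executes the fixed argv directly and avoids a second round of quoting of the pattern. These tasks are also skipped under `--check`, so the registered result never reports changed there and the dependent blockinfile task is silently skipped too; `check_mode: false` on both check tasks keeps dry runs meaningful. The removed Wireguard and Mattermost tasks leave any `# Marker set by modify-ipt-server.yml (wg_ifs)` and `(mattermost_service)` blocks that earlier runs wrote into the conf files in place; if that cleanup happens in the 'Remove Marker set by blockinfile' section that follows, a comment saying so would help, otherwise a `blockinfile` with `state: absent` for those markers is needed.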