update..

roles/common/files/g.mx/etc/postfix/postfwd.wl-nets

@@ -0,0 +1,19 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted networks whitelisted by postfwd
+#
+# Example:
+#
+#   # web0.warenform.de
+#   #83.223.86.76
+#   #2a01:30:0:505:286:96ff:fe4a:6ee
+#   #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give truested networrk adresses here
+
+# d.mx.oopen.de (listen server)
+95.217.204.227
+2a01:4f9:4a:47e5::227

roles/common/files/g.mx/etc/postfix/relay_domains

@@ -0,0 +1,10 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+## - a.mx.oopen.de
+## -
+## -    create relay-domain list for host a.mx.oopen.de:
+## -        cd /var/vmail
+## -        for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done
+## -
+anw-nbg.de                             :[a.mx.oopen.de]
+meet.oopen.de                          :[a.mx.oopen.de]

roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZgAAAJA0qaJANKmi
+QAAAAAtzc2gtZWQyNTUxOQAAACDFdECCD3L7xf4ctQfGFFiHrSqZWoqGauX4/u0xGg1iZg
+AAAEBMOuz+phzRVnQYFnaqV4D8Ned91hkkystvPVPm0G/nEMV0QIIPcvvF/hy1B8YUWIet
+KplaioZq5fj+7TEaDWJmAAAABnJvb3RAZwECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----

roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-dehydrated.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV0QIIPcvvF/hy1B8YUWIetKplaioZq5fj+7TEaDWJm root@g

roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQAAAJBWLbDTVi2w
+0wAAAAtzc2gtZWQyNTUxOQAAACBdIacjLHjbnX/g5KYbvXWkCoMv+3VIp77NXmuW4k5RoQ
+AAAEChcZYodFiWBZ0F3k5mJW27C19OFqrz14WuBxeQm8vC4l0hpyMseNudf+Dkphu9daQK
+gy/7dUinvs1ea5biTlGhAAAABnJvb3RAZwECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----

roles/common/files/g.mx/root/.ssh/g.mx-id_ed25519-opendkim.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0hpyMseNudf+Dkphu9daQKgy/7dUinvs1ea5biTlGh root@g

roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf

@@ -0,0 +1,270 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#---------------------------------------
+#-----------------------------
+# Settings
+#-----------------------------
+#---------------------------------------
+
+
+# ---
+# - LOGGING
+# -
+# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
+# - the output will be verbos. If running as cronjob, output will only be written, if warnings or 
+# - errors occurs.
+# ---
+
+
+# - CONFLICTING_SCRIPTS
+# -
+# - The scripts listed here conflict with this script. If one of these scripts 
+# - is currently running, this script will be stopped.
+# -
+# - In addition to the script, a LOCK directory can also be specified which is 
+# - connected to it. 
+# - 
+# - If no fixed LOCK directory is connected to the script, set 
+# - this value to the constant 'CHECK_PROCESS_LIST'.
+# -
+# - If no value for the LOCK directory is given, the LOCK directory 
+# - '/tmp/<base-script_name>.LOCK' is assumed. 
+# - 
+# - 
+# - Example:
+# -    CONFLICTING_SCRIPTS="
+# -       /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
+# -       /root/bin/monitoring/check_remote_websites.sh
+# -    "
+# -
+# - Defaults to:
+# -    CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
+# -
+#CONFLICTING_SCRIPTS=""
+
+
+# - What to check
+# -
+check_load=true
+check_mysql=false
+check_mariadb=false
+
+# - PostgreSQL
+# -
+# - NOT useful, if more than one PostgreSQL instances are running!
+# -
+check_postgresql=false
+
+check_apache=true
+check_nginx=false
+check_php_fpm=false
+check_redis=false
+check_website=false
+
+
+# TIMEOUT_CHECK_WEBSITE
+#
+# Maximum time in seconds that you allow for the response from the webserver.
+#
+# Defaults to:
+#     TIMEOUT_CHECK_WEBSITE=10
+#
+#TIMEOUT_CHECK_WEBSITE=10
+
+# TIMEOUT_CHECK_PHP
+#
+# Maximum time in seconds that you allow for the response from the webserver.
+#
+# Defaults to:
+#     TIMEOUT_CHECK_PHP=10
+#
+#TIMEOUT_CHECK_PHP=10
+
+
+# - If service is not listen on 127.0.0.1/loclhost, curl check must
+# - be ommited
+# -
+# - Defaults to: ommit_curl_check_nginx=false
+# -
+#ommit_curl_check_nginx=false
+
+# - Is this a vserver guest machine?
+# -
+# - Not VSerber guest host does not support systemd!
+# -
+# - defaults to: vserver_guest=false
+# -
+#vserver_guest=false
+
+
+# - Additional Settings for check_mysql
+# -
+# - MySQL / MariaDB credentials
+# -
+# - Giving password on command line is insecure an sind mysql 5.5
+# - you will get a warning doing so.
+# - 
+# - Reading username/password fro file ist also possible, using MySQL/MariaDB
+# - commandline parameter '--defaults-file'.
+# - 
+# - Since Mysql Version 5.6, you can read username/password from
+# - encrypted file.
+# -
+# -    Create (encrypted) option file:
+# -    $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock  --user=root --password
+# -    $ Password:
+# -
+# -    Use of option file:
+# -    $ mysql --login-path=local ...
+# -
+# - Example
+# -    mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
+# -    mysql_credential_args="--login-path=local"
+# -    mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# -    mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - defaults to: 
+# -    mysql_credential_args="--login-path=local"
+# -
+#mysql_credential_args="--login-path=local"
+
+
+# - Additional Settings for check_mariadb
+# -
+# - MariaDB credentials
+# -
+# - Giving password on command line is insecure an sind mysql 5.5
+# - you will get a warning doing so.
+# - 
+# - Reading username/password fro file ist also possible, using MySQL/MariaDB
+# - commandline parameter '--defaults-file'.
+# - 
+# - Since Mysql Version 5.6, you can read username/password from
+# - encrypted file.
+# -
+# -    Create (encrypted) option file:
+# -    $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock  --user=root --password
+# -    $ Password:
+# -
+# -    Use of option file:
+# -    $ mysql --login-path=local ...
+# -
+# - Example
+# -    mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
+# -    mariadb_credential_args="--login-path=local"
+# -    mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
+# -    mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+# -
+# - defaults to empty string
+# -    mariadb_credential_args=""
+# -
+#mariadb_credential_args=""
+
+
+# - Port of PostgreSQL Service
+# -
+# - defaults to '5432'
+# -    postgresql_port=5432
+# -
+#postgresql_port=5432
+
+
+# - Additional Settings for check_php_fpm
+# -
+# - On Linux Vserver System set
+# -    curl_check_host=localhost
+# -
+# - On LX-Container set
+# -    curl_check_host=127.0.0.1
+# -
+curl_check_host=127.0.0.1
+
+# - Which PHP versions should be supported by this script. If more than one,
+# - give a blank separated list
+# -
+# - Example:
+# -    php_versions="5.4 5.6 7.0 7.1"
+# -
+php_versions=""
+
+# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
+# - set the value given in your ping.path setting here. Give ping_path also
+# - the concerning php_version in form
+# -    <php-version>:<ping-path>
+# -
+# - Multiple settings are possible, give a blank separated list.
+# -
+# - Example:
+# -
+# -    ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
+# -
+ping_path=""
+
+
+# - Additional Settings for check_website - checking (expected) website response
+# -
+# - example:
+# -    is_working_url="https://www.outoflineshop.de/"
+# -    check_string='ool-account-links'
+# -    include_cleanup_function=true
+# -    extra_alert_address="ilker@so36.net"
+# -    cleanup_function='
+# -    rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
+# -    rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
+# -    /usr/local/bin/redis-cli flushall > /dev/null 2>&1
+# -    if [[ "$?" = "0" ]]; then
+# -       ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
+# -    else
+# -       error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
+# -     fi
+# -    /etc/init.d/redis_6379 restart
+# -    if [[ "$?" = "0" ]]; then
+# -       ok "I restarted the redis service"
+# -       echo -e "\t[ Ok ]:    I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
+# -    else
+# -       error "Restarting the redis server failed!"
+# -       echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
+# -    fi
+# -    '
+# -
+is_working_url=''
+
+check_string=''
+
+include_cleanup_function=true
+
+# - An extra e-mail address, which will be informed, if the given check URL
+# - does not response as expected (check_string) AFTER script checking, restarting
+# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
+# -
+extra_alert_address=''
+
+# - php_version_of_working_url
+# -
+# - If given website (is_working_url) does not response as expected, this PHP FPM
+# - engines will be restarted.
+# -
+# - Type "None" if site does not support php
+# -
+# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
+# - will be restarted
+# -
+php_version_of_working_url=''
+
+# - Notice:
+# - If single qoutes "'" not needed inside cleanup function, then use single quotes
+# - to enclose variable "cleanup_function". Then you don't have do masquerade any 
+# - sign inside.
+# -
+# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
+# -
+cleanup_function='
+'
+
+
+# - E-Mail settings for sending script messages
+# -
+from_address="root@`hostname -f`"
+content_type='Content-Type: text/plain;\n charset="utf-8"'
+to_addresses="root"
+

roles/common/files/g.mx/root/bin/postfix/conf/create_opendkim_key.conf

@@ -0,0 +1,177 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---------------------------------------------------------
+# - Parameter Settings for script 'create_opendkim_key.sh'.
+# ---------------------------------------------------------
+ 
+ 
+# ---------- 
+# DNS Server 
+# ---------- 
+ 
+# - dns_dkim_zone_master_server
+# - 
+# - The DNS Server who is serving the update zone and is used 
+# - for the dynamic updates (nsupdate) 
+# - 
+#dns_dkim_zone_master_server=""
+dns_dkim_zone_master_server="b.ns.oopen.de"
+
+# - update_dns
+# -
+# - Possible Values are 'true' or 'false'
+# -
+#update_dns=true
+
+# - update_zone
+# -
+# - Zone containing the DKIM TXT record.
+# -
+# - Defaults to '_domainkey.<dkim_domaini>'
+# -
+# - Note:
+# -    do NOT change/set this option unless you know what you do.
+# -
+#update_zone=""
+
+# - TTL
+# -
+# - TTL for the DKIM TXT Record.
+# -
+# - Defaults to "" if update_dns=false
+# - Defaults to "43200" if update_dns=true
+# -
+#TTL=
+
+
+# ----------
+# TSIG Key
+# ----------
+
+# - key_secret
+# -
+# - Sectret Key used by 'nsupdate' to create/update the
+# - DKIM TXT record.
+# -
+# - Example:
+# -    key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
+# -
+#key_secret=""
+key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
+
+# - key_algo
+# -
+# - The key algorithm used for key creation. Available choices are: hmac-md5, 
+# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The 
+# - default is hmac-sha256. Options are case-insensitive.
+# -
+# - Example:
+# -    key_algo="hmac-md5"
+# -
+# - Defaults to 'hmac-sha256'
+# -
+#key_algo="hmac-sha256"
+key_algo="hmac-sha256"
+
+# - key_name
+# -
+# - Name of the Key
+# -
+# - Defaults to "$update_zone"
+# -
+#key_name=""
+key_name="update-dkim"
+
+
+# ----------
+# Access Credentials DNS Server
+# ----------
+
+# - dns_ssh_user
+# -
+# - Defaults to 'manage-bind'
+# -
+#dns_ssh_user="manage-bind"
+
+# - dns_ssh_port
+# -
+# - Defaults to '22'
+# -
+#dns_ssh_port=22
+
+# - dns_ssh_key
+# -
+# - Defaults to '/root/.ssh/id_rsa-opendkim'
+# -
+#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
+dns_ssh_key="/root/.ssh/id_ed25519-opendkim"
+
+
+# ----------
+# Scripts envoked at DNS Server
+# ----------
+
+# - set_new_serial_script
+# -
+# - Script increases the serial for a given domain or a given 
+# - hostname's concerning domain.
+# -
+# - Defaults to /root/bin/bind/bind_set_new_serial.sh
+# -
+#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
+
+# - create_dkim_delegation_script
+# -
+# - Script adds DKIM subdomain delegation for a given domain
+# -
+# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
+# -
+#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
+
+# - add_dkim_zone_master_script
+# -
+# - Script adds zone _domainkey.<dkim domain> as master zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
+# -
+#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
+
+# - add_dkim_zone_slave_script
+# -
+# - Script adds zone _domainkey.<dkim domain> as slave zone
+# -
+# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
+# -
+#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
+
+
+
+# ----------
+# OpenDKIM Installation
+# ----------
+
+# - opendkim_dir
+# -
+# - OpenDKIM's etc-directory
+# -
+# - Defaults to opendkim_dir="/etc/opendkim"
+# -
+#opendkim_dir="/etc/opendkim"
+
+# - key_base_dir
+# -
+# - Defaults to "${opendkim_dir}/keys"
+# -
+#key_base_dir=${opendkim_dir}/keys
+
+# - signing_table_file
+# -
+# - Defaults to "${opendkim_dir}/signing.table"
+# -
+#signing_table_file="${opendkim_dir}/signing.table"
+
+# - key_table_file
+# -
+# - Defaults to "${opendkim_dir}/key.table"
+# -
+#key_table_file="${opendkim_dir}/key.table"

roles/common/files/g.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf

@@ -0,0 +1,44 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ======================================================
+# ---
+# Parameter Settings for Script 'whitelist_mb_sigs.conf'
+# ---
+# ======================================================
+
+# QUARANTINE_BASE_DIR
+#
+# Base directory where amavis stores quarantined e-mails, mostly in
+#
+#    virus e-mails:   $QUARANTINE_BASE_DIR/virus
+#    spam emails:     $QUARANTINE_BASE_DIR/spam
+#    ..
+#
+#    Defaults to:
+#       QUARANTINE_BASE_DIR="/var/QUARANTINE"
+#
+#QUARANTINE_BASE_DIR="/var/QUARANTINE"
+
+
+# CLAMAV_VIRUS_WHITE_LIST
+#
+# Full path to clamav's (personal) white list file
+#
+# Defaults to:
+#    CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+#
+#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
+
+
+# WHITE_LIST_STRINGS
+#
+# A blank separated list of strings to whitelist.
+#
+# Example:
+#    WHITE_LIST_STRINGS="google.com tinyurl.com"
+#
+# Defaults to:
+#    WHITE_LIST_STRINGS="google.com"
+#
+#WHITE_LIST_STRINGS="google.com"
+WHITE_LIST_STRINGS="google.com tinyurl.com"

roles/common/tasks/apt.yml

@@ -218,6 +218,15 @@
   tags:
     - apt-lxc-hosts-pkgs
 
+- name: (apt.yml) Install docker related packages
+  apt:
+    name: "{{ apt_docker_host_pkgs }}"
+    state: "{{ apt_install_state }}"
+  when: 
+    - groups['docker_host']|string is search(inventory_hostname)
+  tags:
+    - apt-docker-hosts-pkgs
+
 - name: (apt.yml) Install kvm_host related packages
   apt:
     name: "{{ apt_kvm_host_pkgs }}"