diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index d155100..0653681 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -69,6 +69,8 @@ sshd_pubkey_authentication: !!str "yes" sshd_password_authentication: !!str "no" +sshd_use_pam: !!str "yes" + sshd_print_motd: !!str "no" # sshd_kexalgorithms diff --git a/hosts b/hosts index eabc616..8d3a65a 100644 --- a/hosts +++ b/hosts @@ -7,6 +7,7 @@ a.ns.oopen.de [extra_hosts] +devel-root.wf.netz gw-123.oopen.de gw-ah.kanzlei-kiel.netz @@ -27,6 +28,7 @@ gw-spr.oopen.de gw-replacement.local.netz gw-replacement2.local.netz +gw-replacement3.local.netz gw-replacement.wf.netz @@ -58,6 +60,7 @@ limesurvey.oopen.de o12.oopen.de initiativenserver.oopen.de +stolpersteine.oopen.de c.mx.oopen.de server22.warenform.de @@ -119,10 +122,17 @@ oolm-web.oopen.de o23.oopen.de cl-01.oopen.de cp-01.oopen.de +nc-01-talk.oopen.de o24.oopen.de cl-irights.oopen.de +# - o25.oopen.de +o25.oopen.de +cl-fm.oopen.de +mail.faire-mobilitaet.de +meet.faire-mobilitaet.de + [initial_setup] @@ -148,6 +158,7 @@ gw-ckubu.local.netz gw-replacement.local.netz gw-replacement2.local.netz +gw-replacement3.local.netz gw-replacement.wf.netz @@ -222,6 +233,7 @@ limesurvey.oopen.de o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +stolpersteine.oopen.de o13.oopen.de o13-board.oopen.de @@ -276,6 +288,7 @@ oolm-web.oopen.de o23.oopen.de cl-01.oopen.de cp-01.oopen.de +nc-01-talk.oopen.de # - o24.oopen.de o24.oopen.de @@ -285,6 +298,7 @@ cl-irights.oopen.de o25.oopen.de cl-fm.oopen.de mail.faire-mobilitaet.de +meet.faire-mobilitaet.de # - Vserver von Sinma a.ns.oopen.de @@ -303,6 +317,7 @@ gw-ah.kanzlei-kiel.netz # - GA - Gemeinschaft Altensclirf ga-st-lxc1.ga.netz ga-st-mail.ga.netz +ga-al-ws1.ga.netz # --- @@ -371,6 +386,7 @@ oolm-web.oopen.de # o23.oopen.de cl-01.oopen.de +nc-01-talk.oopen.de # o24.oopen.de cl-irights.oopen.de 
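Review bot: The new `sshd_use_pam` key carries no comment saying what flipping it to "no" costs; the only explanation lives in the sshd_config.j2 comment it feeds ("PAM account and session checks"). I'd add above it `# Keep "yes": UsePAM=no also skips the PAM account/session checks; password logins stay off via sshd_password_authentication`. The template comment also says this is only safe with ChallengeResponseAuthentication set to 'no' — that directive is not in this diff, so I'd confirm the template forces it rather than inheriting the distro default, otherwise PAM keyboard-interactive can still prompt for a password. The `!!str "yes"` tag is deliberate here (an untagged `yes` renders as `True`, which sshd rejects); keep that convention for the new key.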
@@ -378,6 +394,7 @@ cl-irights.oopen.de # o25.oopen.de cl-fm.oopen.de mail.faire-mobilitaet.de +meet.faire-mobilitaet.de # --- # O.OPEN office network @@ -385,7 +402,7 @@ mail.faire-mobilitaet.de # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz - +ga-al-ws1.ga.netz # --- # Warenform server @@ -463,6 +480,7 @@ verdi-django.warenform.de devel-php.wf.netz devel-todo.wf.netz +devel-wiki.wf.netz [nginx_webserver] @@ -470,6 +488,9 @@ devel-todo.wf.netz # o10.oopen.de etherpad.oopen.de +# o12.oopen.de +stolpersteine.oopen.de + # o13.oopen.de o13-board.oopen.de o13-pad.oopen.de @@ -667,7 +688,6 @@ cl-irights.oopen.de # o25.oopen.de cl-fm.oopen.de -cl-fm.oopen.de # --- # Warenform @@ -707,6 +727,10 @@ devel-db.wf.netz devel-wiki.wf.netz +# - GA - Gemeinschaft Altensclirf +ga-al-ws1.ga.netz + + [nextcloud_server] # --- @@ -901,6 +925,7 @@ limesurvey.oopen.de # - o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +stolpersteine.oopen.de # - o13.oopen.de o13-board.oopen.de @@ -948,6 +973,7 @@ oolm-web.oopen.de # - o23.oopen.de cl-01.oopen.de cp-01.oopen.de +nc-01-talk.oopen.de # - o24.oopen.de cl-irights.oopen.de @@ -955,6 +981,7 @@ cl-irights.oopen.de # - o25.oopen.de cl-fm.oopen.de mail.faire-mobilitaet.de +meet.faire-mobilitaet.de # - Vserver von Sinma a.ns.oopen.de @@ -1038,6 +1065,7 @@ limesurvey.oopen.de o12.oopen.de c.mx.oopen.de initiativenserver.oopen.de +stolpersteine.oopen.de # - o13.oopen.de o13.oopen.de @@ -1096,6 +1124,7 @@ oolm-web.oopen.de o23.oopen.de cl-01.oopen.de cp-01.oopen.de +nc-01-talk.oopen.de # - o24.oopen.de o24.oopen.de @@ -1105,6 +1134,7 @@ cl-irights.oopen.de o25.oopen.de cl-fm.oopen.de mail.faire-mobilitaet.de +meet.faire-mobilitaet.de # - Vserver von Sinma a.ns.oopen.de 
@@ -1119,13 +1149,10 @@ a.ns.oopen.de # O.OPEN office network # --- -gw-123.oopen.de -gw-akb.akb.netz -gw-ah.kanzlei-kiel.netz -gw-b3.oopen.de -gw-blkr.oopen.de -gw-d11.oopen.de -gw-flr.oopen.de +gw-ah.oopen.de +gw-ak.oopen.de +gw-akb.oopen.de +gw-ckubu.local.netz gw-irights.oopen.de gw-km.oopen.de gw-mbr.oopen.de @@ -1133,15 +1160,47 @@ gw-opp.oopen.de gw-ro.oopen.de gw-spr.oopen.de +ga-st-gw-ersatz.ga.netz +ga-st-gw.ga.netz +ga-al-gw.ga.netz +ga-nh-gw.ga.netz -gw-ckubu.local.netz - +# - readonly gateways +gw-123.oopen.de +gw-b3.oopen.de +gw-blkr.oopen.de +gw-d11.oopen.de +gw-flr.oopen.de gw-replacement.local.netz gw-replacement2.local.netz - +gw-replacement3.local.netz gw-replacement.wf.netz -k1371.dyndns.org + +[gateway_server_ro] + +gw-123.oopen.de +gw-b3.oopen.de +gw-blkr.oopen.de +gw-d11.oopen.de +gw-flr.oopen.de +gw-replacement.local.netz +gw-replacement2.local.netz +gw-replacement3.local.netz +gw-replacement.wf.netz + +[gateway_server_rw] + +gw-ah.oopen.de +gw-ak.oopen.de +gw-akb.oopen.de +gw-ckubu.local.netz +gw-irights.oopen.de +gw-km.oopen.de +gw-mbr.oopen.de +gw-opp.oopen.de +gw-ro.oopen.de +gw-spr.oopen.de ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index bf36834..67cfc8a 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 +++ b/roles/common/templates/etc/ssh/sshd_config.j2 @@ -186,7 +186,7 @@ AllowUsers {{ fact_sshd_allowed_users }} # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM yes +UsePAM {{ sshd_use_pam }} # Specifies whether login(1) is used for interactive login sessions. # Note that login(1) is never used for remote command execution. diff --git a/roles/common/templates/var/www/.ssh/config.j2 b/roles/common/templates/var/www/.ssh/config.j2 index a8127c9..e8b9237 100644 
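Review bot: `ga-al-gw.ga.netz` and `ga-nh-gw.ga.netz` are added to `[gateway_server]` but, as far as this hunk shows, appear in neither `[gateway_server_ro]` nor `[gateway_server_rw]`, so the new modify-ipt-gateway*.yml plays (which target only those two groups) skip them and their ipt-firewall config drifts from the other gateways. Rather than maintaining the same host list three times, declare membership once and derive the parent: `[gateway_server:children]` / `gateway_server_ro` / `gateway_server_rw`, which leaves the ro/rw split as the single place a gateway can go missing. The renames `gw-akb.akb.netz`→`gw-akb.oopen.de` and `gw-ah.kanzlei-kiel.netz`→`gw-ah.oopen.de` happen only in this group while `[extra_hosts]` and the context before the -303 hunk still carry the old names; if those resolve to the same machines, Ansible now treats each as two distinct hosts with separate host_vars and facts, which is worth a deliberate decision rather than an accident of the split.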
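Review bot: `UsePAM {{ sshd_use_pam }}` renders the variable unquoted and unvalidated; anything other than the literal yes/no (an empty string, or an untagged YAML boolean that renders as `True`) makes sshd reject the file on the next restart, which on a remote gateway is a lockout. I'd render `UsePAM {{ sshd_use_pam | default('yes') }}` and, since the task that writes this template is not in the diff, make sure it uses `validate: /usr/sbin/sshd -t -f %s` so a bad value fails the play instead of the sshd restart. The comment just above already spells out the trade-off (PAM account/session checks only run with UsePAM yes and PasswordAuthentication/ChallengeResponseAuthentication 'no'); worth cross-referencing that from the group_vars key so nobody flips it to "no" expecting it to be harmless.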
--- a/roles/common/templates/var/www/.ssh/config.j2 +++ b/roles/common/templates/var/www/.ssh/config.j2 @@ -5,4 +5,3 @@ Host wf.oopen.de 80.152.216.128 gw-d11.oopen.de d11.warenform.de Port 9998 ForwardAgent yes StrictHostKeyChecking no - diff --git a/scripts/modify-ipt-gateway-ro.yml b/scripts/modify-ipt-gateway-ro.yml new file mode 100644 index 0000000..150cff1 --- /dev/null +++ b/scripts/modify-ipt-gateway-ro.yml 
@@ -0,0 +1,309 @@ +--- + +- hosts: gateway_server_ro + + tasks: + + - name: Remount "/ro/" writable + shell: remountrw + + - name: Check if file '/ro/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /ro/etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + + - name: Check if file '/ro/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /ro/etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + + - name: addjust line 'jitsi_tcp_ports' (IPv4) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + + - name: addjust line 'jitsi_tcp_ports' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + when: + - main_ipv6_exists.stat.exists + + - name: addjust line 'jitsi_udp_ports' (IPv4) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + + - name: addjust line 'jitsi_udp_ports' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + when: + - main_ipv6_exists.stat.exists + + # --- + # allow_jitsi_video_conference_out + # --- + + - name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf + register: jitsi_video_conference_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv4_exists.stat.exists + - jitsi_video_conference_out_ipv4_present is changed + + - name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf + register: jitsi_video_conference_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv6_exists.stat.exists + - jitsi_video_conference_out_ipv6_present is changed + + # --- + # allow_nc_talk_out + # --- + + - name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present + shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv4.conf + register: nc_talk_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_talk_out_ipv4_present.rc > 1" + changed_when: "nc_talk_out_ipv4_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv4_exists.stat.exists + - nc_talk_out_ipv4_present is changed + + - name: Check if String 'allow_nc_talk_out..' (IPv6) is present + shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv6.conf + register: nc_talk_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_talk_out_ipv6_present.rc > 1" + changed_when: "nc_talk_out_ipv6_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv6_exists.stat.exists + - nc_talk_out_ipv6_present is changed + + # --- + # jitsi video conference service + # --- + + - name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present + shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: jitsi_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. + # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv4_exists.stat.exists + - jitsi_service_ipv4_present is changed + + - name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present + shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: jitsi_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_service_ipv6_present.rc > 1" + changed_when: "jitsi_service_ipv6_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - jitsi_service_ipv6_present is changed + + + # --- + # TURN Server (Stun Server) (for Nextcloud 'talk' app) + # --- + + - name: Check if String 'nc_turn_ports=..' (IPv4) is present + shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: nc_turn_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" + when: + - main_ipv4_exists.stat.exists + - nc_turn_service_ipv4_present is changed + + - name: Check if String 'nc_turn_ports=..' 
(IPv6) is present + shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: nc_turn_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_turn_service_ipv6_present.rc > 1" + changed_when: "nc_turn_service_ipv6_present.rc > 0" + + - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - nc_turn_service_ipv6_present is changed + + + # --- + # Remove Marker set by blockinfile + # --- + + - name: Remove marker IPv4 + replace : + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + + - name: Remove marker IPv6 + replace : + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + + - name: Remount "/ro/" readonly + shell: remountro + register: remountro_cmd + failed_when: remountro_cmd.rc != 0 and remountro_cmd.rc != 32 diff --git a/scripts/modify-ipt-gateway.yml b/scripts/modify-ipt-gateway.yml new file mode 100644 index 0000000..6197bb4 --- /dev/null 
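Review bot: `remountrw` at the top and `remountro` at the bottom are plain sequential tasks, so any failure in between — the first two IPv4 `lineinfile` tasks have no `when: main_ipv4_exists.stat.exists` guard unlike every other task, and will fail outright on a host without the file — aborts the play and leaves `/ro/` writable on a gateway whose hardening depends on it being read-only. Put the edits in a `block:` with `always:` running the remount, and don't wave through rc 32: what `remountro` wraps isn't visible here, but for `mount` 32 means the remount failed, which is exactly the case to surface, so I'd follow it with an explicit check that `/ro` is read-only again. Separately, the four "addjust line" tasks run before the presence checks, and `lineinfile` with an unmatched regexp appends `jitsi_tcp_ports=...` at EOF; the subsequent `grep` then finds it and the blockinfile that would also add `local_jitsi_video_conference_service=false` is skipped, so move those tasks after the blockinfile tasks so they only normalize existing values.
```yaml
- name: Remount "/ro/" writable
  command: remountrw

- block:
    # … unchanged: stat / lineinfile / blockinfile / replace tasks …
  always:
    - name: Remount "/ro/" readonly
      command: remountro
      register: remountro_cmd
      failed_when: remountro_cmd.rc != 0

    - name: Verify "/ro/" is read-only again
      command: findmnt -no OPTIONS /ro
      register: ro_opts
      changed_when: false
      failed_when: "'ro' not in ro_opts.stdout.split(',')"
```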
+++ b/scripts/modify-ipt-gateway.yml 
@@ -0,0 +1,301 @@ +--- + +- hosts: gateway_server_rw + + tasks: + + - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + + - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + + - name: addjust line 'jitsi_tcp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + + - name: addjust line 'jitsi_tcp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + when: + - main_ipv6_exists.stat.exists + + - name: addjust line 'jitsi_udp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + + - name: addjust line 'jitsi_udp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + when: + - main_ipv6_exists.stat.exists + + # --- + # allow_jitsi_video_conference_out + # --- + + - name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_video_conference_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv4_exists.stat.exists + - jitsi_video_conference_out_ipv4_present is changed + + - name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_video_conference_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv6_exists.stat.exists + - jitsi_video_conference_out_ipv6_present is changed + + # --- + # allow_nc_talk_out + # --- + + - name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present + shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv4.conf + register: nc_talk_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_talk_out_ipv4_present.rc > 1" + changed_when: "nc_talk_out_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv4_exists.stat.exists + - nc_talk_out_ipv4_present is changed + + - name: Check if String 'allow_nc_talk_out..' (IPv6) is present + shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv6.conf + register: nc_talk_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_talk_out_ipv6_present.rc > 1" + changed_when: "nc_talk_out_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv6_exists.stat.exists + - nc_talk_out_ipv6_present is changed + + # --- + # jitsi video conference service + # --- + + - name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present + shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. + # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv4_exists.stat.exists + - jitsi_service_ipv4_present is changed + + - name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present + shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_service_ipv6_present.rc > 1" + changed_when: "jitsi_service_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - jitsi_service_ipv6_present is changed + + + # --- + # TURN Server (Stun Server) (for Nextcloud 'talk' app) + # --- + + - name: Check if String 'nc_turn_ports=..' (IPv4) is present + shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv4.conf + register: nc_turn_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" + when: + - main_ipv4_exists.stat.exists + - nc_turn_service_ipv4_present is changed + + - name: Check if String 'nc_turn_ports=..' 
(IPv6) is present + shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv6.conf + register: nc_turn_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_turn_service_ipv6_present.rc > 1" + changed_when: "nc_turn_service_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - nc_turn_service_ipv6_present is changed + + + # --- + # Remove Marker set by blockinfile + # --- + + - name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + + - name: Remove marker IPv6 + replace : + path: /etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists diff --git a/scripts/modify-ipt-server.yml b/scripts/modify-ipt-server.yml index e9b9e47..8752ff6 100644 --- a/scripts/modify-ipt-server.yml +++ b/scripts/modify-ipt-server.yml 
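Review bot: The four "addjust line" tasks at the top run before the `grep` presence checks, and `lineinfile` with an unmatched regexp appends the line at EOF; on a gateway whose config has no jitsi section yet that makes `^jitsi_tcp_ports=` present, so the blockinfile that would also add `local_jitsi_video_conference_service=false` never runs and whatever sources this file is left without that variable. Move those four tasks after the two blockinfile tasks so they only normalize an existing value, and give the two IPv4 ones the `when: main_ipv4_exists.stat.exists` guard every other task has — today they fail hard on a host missing the file. The IPv6 TURN task is named `(jitsi service)` and reuses the jitsi marker string; the marker is stripped afterwards anyway, but the name should read `(nc's turn service)` so play output is not misleading. This file and modify-ipt-gateway-ro.yml are identical apart from the `/ro` prefix and the remount tasks; a single play with a per-group `ipt_conf_dir` variable (`/ro/etc/ipt-firewall` for `gateway_server_ro`, `/etc/ipt-firewall` otherwise) would stop the two copies drifting.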
@@ -414,6 +414,131 @@ - main_ipv6_exists.stat.exists - mumble_ports_ipv6_present is changed + # --- + # jitsi video conference service + # --- + + - name: Check if String 'jitsi_server_ips=..' (IPv4) is present + shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # - Jitsi Video Conferencing Server + # - + jitsi_server_ips="" + forward_jitsi_server_ips="" + + # - Jitsi (incomming) Ports + # - + # - comma separated list of ports/port ranges) + # - + jitsi_tcp_ports="$standard_http_ports" + jitsi_udp_port_range="10000:20000" + marker: "# Marker set by modify-ipt-server.yml (jitsi service)" + when: + - main_ipv4_exists.stat.exists + - jitsi_service_ipv4_present is changed + + - name: Check if String 'jitsi_server_ips=..' 
(IPv6) is present + shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_service_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # - Jitsi Video Conferencing Server + # - + jitsi_server_ips="" + forward_jitsi_server_ips="" + + # - Jitsi (incomming) Ports + # - + # - comma separated list of ports/port ranges) + # - + jitsi_tcp_ports="$standard_http_ports" + jitsi_udp_port_range="10000:20000" + marker: "# Marker set by modify-ipt-server.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - jitsi_service_ipv6_present is changed + + + # --- + # TURN Server (Stun Server) (for Nextcloud 'talk' app) + # --- + + - name: Check if String 'nc_turn_server_ips=..' (IPv4) is present + shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv4.conf + register: nc_turn_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_udp_port_range' + block: | + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + nc_turn_server_ips="" + forward_nc_turn_server_ips="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="3478:3479,5349:5350" + + marker: "# Marker set by modify-ipt-server.yml (nc's turn service)" + when: + - main_ipv4_exists.stat.exists + - nc_turn_service_ipv4_present is changed + + - name: Check if String 'nc_turn_server_ips=..' 
(IPv6) is present + shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: nc_turn_service_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_udp_port_range' + block: | + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + nc_turn_server_ips="" + forward_nc_turn_server_ips="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="3478:3479,5349:5350" + marker: "# Marker set by modify-ipt-server.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - nc_turn_service_ipv6_present is changed + + # --- # Remove Marker set by blockinfile # ---
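Review bot: Both IPv6 presence checks are copy-pasted from IPv4 with the conditions left unchanged — `when: main_ipv4_exists.stat.exists`, `failed_when: "jitsi_service_ipv4_present.rc > 1"`, `changed_when: "jitsi_service_ipv4_present.rc > 0"`, and the same for `nc_turn_service_ipv6_present`. The IPv6 grep's own exit code is therefore never consulted: whether the IPv6 block is inserted is decided by the IPv4 file's state, and a missing IPv6 file (grep rc 2) is silently ignored instead of skipped. Change them to `when: main_ipv6_exists.stat.exists`, `failed_when: "jitsi_service_ipv6_present.rc > 1"`, `changed_when: "jitsi_service_ipv6_present.rc > 0"` (and likewise for the TURN check). The default `jitsi_udp_port_range="10000:20000"` opens ten thousand UDP ports toward `jitsi_server_ips`; recent jitsi-videobridge releases multiplex media on a single UDP port (10000 by default), so I'd confirm what the deployed bridge listens on and narrow the default to that. The tasks list these sit in starts before the hunk.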