From 1c1a5fce4191838af46a2c0d53adb3b64eaabcf3 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 16 May 2020 16:45:17 +0200 Subject: [PATCH] mv firewall scripts to roles. --- hosts | 20 +- modify-ipt-gateway-ro.yml | 6 + modify-ipt-gateway.yml | 6 + modify-ipt-server.yml | 4 +- roles/modify-ipt-gateway-ro/defaults/main.yml | 7 + roles/modify-ipt-gateway-ro/handlers/main.yml | 13 + roles/modify-ipt-gateway-ro/tasks/main.yml | 399 ++++++++++ roles/modify-ipt-gateway/defaults/main.yml | 7 + roles/modify-ipt-gateway/handlers/main.yml | 20 + roles/modify-ipt-gateway/tasks/main.yml | 514 +++++++++++++ roles/modify-ipt-server/tasks/main.yml | 65 ++ scripts/modify-ipt-gateway-ro.yml | 309 -------- scripts/modify-ipt-gateway.yml | 419 ---------- scripts/modify-ipt-server.yml.BAK | 724 ------------------ 14 files changed, 1055 insertions(+), 1458 deletions(-) create mode 100644 modify-ipt-gateway-ro.yml create mode 100644 modify-ipt-gateway.yml create mode 100644 roles/modify-ipt-gateway-ro/defaults/main.yml create mode 100644 roles/modify-ipt-gateway-ro/handlers/main.yml create mode 100644 roles/modify-ipt-gateway-ro/tasks/main.yml create mode 100644 roles/modify-ipt-gateway/defaults/main.yml create mode 100644 roles/modify-ipt-gateway/handlers/main.yml create mode 100644 roles/modify-ipt-gateway/tasks/main.yml delete mode 100644 scripts/modify-ipt-gateway-ro.yml delete mode 100644 scripts/modify-ipt-gateway.yml delete mode 100644 scripts/modify-ipt-server.yml.BAK diff --git a/hosts b/hosts index e965d75..9ce8521 100644 --- a/hosts +++ b/hosts @@ -151,8 +151,8 @@ o29.oopen.de # Jitsi Meet Faire Mobilitaet o30.oopen.de -# Jitsi Meet Faire Mobilitaet -o30.oopen.de +# Jibri - Faire Mobilitaet +o31.oopen.de [initial_setup] @@ -339,6 +339,9 @@ o29.oopen.de # Jitsi Meet Faire Mobilitaet o30.oopen.de +# Jibri - Faire Mobilitaet +o31.oopen.de + # - Vserver von Sinma a.ns.oopen.de 
@@ -556,6 +559,10 @@ o29.oopen.de # Jitsi Meet Faire Mobilitaet o30.oopen.de +# Jibri - Faire Mobilitaet +o31.oopen.de + + [ftp_server] @@ -756,9 +763,6 @@ cl-fm.oopen.de o26.oopen.de -# Hetzner Cloud CX31 - AK -o26.oopen.de - # --- # Warenform # --- @@ -1072,6 +1076,9 @@ o29.oopen.de # Jitsi Meet Faire Mobilitaet o30.oopen.de +# Jibri - Faire Mobilitaet +o31.oopen.de + # - Vserver von Sinma a.ns.oopen.de @@ -1244,6 +1251,9 @@ o29.oopen.de # Jitsi Meet Faire Mobilitaet o30.oopen.de +# Jibri - Faire Mobilitaet +o31.oopen.de + # - Vserver von Sinma a.ns.oopen.de diff --git a/modify-ipt-gateway-ro.yml b/modify-ipt-gateway-ro.yml new file mode 100644 index 0000000..80b9d00 --- /dev/null +++ b/modify-ipt-gateway-ro.yml @@ -0,0 +1,6 @@ +--- + + +- hosts: gateway_server_ro + roles: + - modify-ipt-gateway-ro diff --git a/modify-ipt-gateway.yml b/modify-ipt-gateway.yml new file mode 100644 index 0000000..274a7db --- /dev/null +++ b/modify-ipt-gateway.yml @@ -0,0 +1,6 @@ +--- + + +- hosts: gateway_server_rw + roles: + - modify-ipt-gateway diff --git a/modify-ipt-server.yml b/modify-ipt-server.yml index 767355c..8056beb 100644 --- a/modify-ipt-server.yml +++ b/modify-ipt-server.yml @@ -1,6 +1,8 @@ --- -- hosts: all +- hosts: + - oopen_server + - warenform_server roles: - modify-ipt-server diff --git a/roles/modify-ipt-gateway-ro/defaults/main.yml b/roles/modify-ipt-gateway-ro/defaults/main.yml new file mode 100644 index 0000000..bafe4fd --- /dev/null +++ b/roles/modify-ipt-gateway-ro/defaults/main.yml @@ -0,0 +1,7 @@ +--- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /ro/usr/local/src/ipt-gateway + diff --git a/roles/modify-ipt-gateway-ro/handlers/main.yml b/roles/modify-ipt-gateway-ro/handlers/main.yml new file mode 100644 index 0000000..3f5552d --- /dev/null +++ b/roles/modify-ipt-gateway-ro/handlers/main.yml 
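Review bot: In roles/modify-ipt-gateway-ro/defaults/main.yml the mapping says `name: ipt-server` while `repo` and `dest` both point at ipt-gateway, and roles/modify-ipt-gateway/defaults/main.yml repeats the same mismatch; the tasks only read `.repo` and `.dest`, so nothing breaks, but the key is misleading and should read `name: ipt-gateway`. The mapping also has no `version:` key, so the role's git task checks out whatever the repository's default branch currently holds before copying scripts into the firewall's sbin directory and restarting it. Adding `version: "<tag or commit to deploy>"` (placeholder) here and `version: '{{ git_firewall_repository.version }}'` to the git task would make the deployed ruleset explicit and reproducible.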
@@ -0,0 +1,13 @@ +- name: Restart IPv4 Firewall + service: + name: ipt-firewall + state: restarted + when: + - main_ipv4_exists.stat.exists + +- name: Restart IPv6 Firewall + service: + name: ip6t-firewall + state: restarted + when: + - main_ipv6_exists.stat.exists diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml new file mode 100644 index 0000000..1c5499c --- /dev/null +++ b/roles/modify-ipt-gateway-ro/tasks/main.yml 
@@ -0,0 +1,399 @@ +--- + + +# --- +# Remount Filesystem writable +# --- + +- name: Remount "/ro/" writable + shell: remountrw + +# --- +# Install/Uodate git firewall repository +# --- + +- name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository|length > 0 + + +# --- +# Some Checks +# --- + +- name: Check if file '/ro/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /ro/etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + +- name: Check if file '/ro/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /ro/etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + +- name: addjust line 'jitsi_tcp_ports' (IPv4) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + +- name: addjust line 'jitsi_tcp_ports' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + when: + - main_ipv6_exists.stat.exists + +- name: addjust line 'jitsi_udp_ports' (IPv4) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + +- name: addjust line 'jitsi_udp_ports' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + when: + - main_ipv6_exists.stat.exists + +# --- +# allow_jitsi_video_conference_out +# --- + +- name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf + register: jitsi_video_conference_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv4_exists.stat.exists + - jitsi_video_conference_out_ipv4_present is changed + +- name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf + register: jitsi_video_conference_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv6_exists.stat.exists + - jitsi_video_conference_out_ipv6_present is changed + +# --- +# allow_nc_talk_out +# --- + +- name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present + shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv4.conf + register: nc_talk_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_talk_out_ipv4_present.rc > 1" + changed_when: "nc_talk_out_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv4_exists.stat.exists + - nc_talk_out_ipv4_present is changed + +- name: Check if String 'allow_nc_talk_out..' (IPv6) is present + shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv6.conf + register: nc_talk_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_talk_out_ipv6_present.rc > 1" + changed_when: "nc_talk_out_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /ro/etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv6_exists.stat.exists + - nc_talk_out_ipv6_present is changed + +# --- +# jitsi video conference service +# --- + +- name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present + shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: jitsi_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. + # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv4_exists.stat.exists + - jitsi_service_ipv4_present is changed + +- name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present + shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: jitsi_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_service_ipv6_present.rc > 1" + changed_when: "jitsi_service_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - jitsi_service_ipv6_present is changed + + +# --- +# TURN Server (Stun Server) (for Nextcloud 'talk' app) +# --- + +- name: Check if String 'nc_turn_ports=..' (IPv4) is present + shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: nc_turn_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" + when: + - main_ipv4_exists.stat.exists + - nc_turn_service_ipv4_present is changed + +- name: Check if String 'nc_turn_ports=..' 
(IPv6) is present + shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: nc_turn_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_turn_service_ipv6_present.rc > 1" + changed_when: "nc_turn_service_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - nc_turn_service_ipv6_present is changed + + +# --- +# Remove Marker set by blockinfile +# --- + +- name: Remove marker IPv4 + replace : + path: /ro/etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + +- name: Remove marker IPv6 + replace : + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + +# --- +# Confiuration Files +# --- + +- name: Check if configuration files are latest + shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /ro/etc/ipt-firewall/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + 
# 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + register: diff_script_output + +- name: Ensure configuration files are latest + command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /ro/etc/ipt-firewall/{{ item }} + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + +# --- +# Firewall scripts +# --- + +- name: Check if firewall scripts are latest + shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /ro/usr/local/sbin/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - ipt-firewall-gateway + - ip6t-firewall-gateway + register: diff_script_output + +- name: Ensure firewall scripts are latest + command: cp {{ git_firewall_repository.dest }}/{{ item }} /ro/usr/local/sbin/{{ item }} + loop: + - ipt-firewall-gateway + - ip6t-firewall-gateway + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + +# --- +# Remount Filesystem readonly +# --- + +- name: Remount "/ro/" readonly + shell: remountro + register: remountro_cmd + failed_when: remountro_cmd.rc != 0 and remountro_cmd.rc != 32 
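Review bot: The `when: git_firewall_repository is defined and git_firewall_repository > 0` on the four diff/cp tasks at the end compares a mapping with an integer, which Python 3 does not allow, so Ansible reports the conditional as an error instead of skipping the task; the git task at the top has the intended form, and these should read `when: git_firewall_repository is defined and git_firewall_repository|length > 0` as well (the same lines recur in roles/modify-ipt-gateway/tasks/main.yml). The `addjust line 'jitsi_tcp_ports' (IPv4)` and `'jitsi_udp_ports' (IPv4)` lineinfile tasks run unconditionally while their IPv6 twins are guarded by `main_ipv6_exists.stat.exists`, so a host without /ro/etc/ipt-firewall/main_ipv4.conf fails there; add `when: - main_ipv4_exists.stat.exists` to both (again in both roles). The IPv6 TURN task is named `(jitsi service)` and reuses the jitsi block's marker `"# Marker set by modify-ipt-gateway.yml (jitsi service)"`, so while both marker pairs are still in the file the second blockinfile matches the first block's markers; give it the marker its IPv4 twin uses, `marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)"` (both roles). Task names and section comments also carry the typos `Uodate`, `addjust` and `Confiuration`.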
diff --git a/roles/modify-ipt-gateway/defaults/main.yml b/roles/modify-ipt-gateway/defaults/main.yml new file mode 100644 index 0000000..53d04ac --- /dev/null +++ b/roles/modify-ipt-gateway/defaults/main.yml @@ -0,0 +1,7 @@ +--- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + diff --git a/roles/modify-ipt-gateway/handlers/main.yml b/roles/modify-ipt-gateway/handlers/main.yml new file mode 100644 index 0000000..2fe81c6 --- /dev/null +++ b/roles/modify-ipt-gateway/handlers/main.yml @@ -0,0 +1,20 @@ +- name: Restart IPv4 Firewall + service: + name: ipt-firewall + state: restarted + when: + - main_ipv4_exists.stat.exists + +- name: Restart IPv6 Firewall + service: + name: ip6t-firewall + state: restarted + when: + - main_ipv6_exists.stat.exists + +- name: Restart Munin Node + service: + name: munin-node + state: restarted + when: + - munin_node_exists.stat.exists diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml new file mode 100644 index 0000000..27d3224 --- /dev/null +++ b/roles/modify-ipt-gateway/tasks/main.yml 
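Review bot: The `Restart Munin Node` handler is gated on `munin_node_exists.stat.exists`, but nothing in roles/modify-ipt-gateway/tasks/main.yml registers `munin_node_exists` or notifies this handler, so it is unreachable today and would fail with an undefined-variable error the moment a task does notify it. Either drop the handler or add the matching `stat:` task with `register: munin_node_exists` to the role; it looks like a leftover from the deleted script, which is outside this diff. Both handler files also omit the `---` document start that the defaults and tasks files use.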
@@ -0,0 +1,514 @@ +--- + +# --- +# Install/Uodate git firewall repository +# --- + +- name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository|length > 0 + + +# --- +# Some Checks +# --- + +- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + notify: + - Restart IPv4 Firewall + +- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'jitsi_tcp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + notify: + - Restart IPv4 Firewall + +- name: addjust line 'jitsi_tcp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'jitsi_udp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + notify: + - Restart IPv4 Firewall + +- name: addjust line 'jitsi_udp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_udp_ports=' + line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +# --- +# allow_jitsi_video_conference_out +# --- + +- name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_video_conference_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv4_exists.stat.exists + - jitsi_video_conference_out_ipv4_present is changed + +- name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present + shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_video_conference_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" + changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_jitsi_video_conference_out' + line: 'allow_jitsi_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv6_exists.stat.exists + - jitsi_video_conference_out_ipv6_present is changed + notify: + - Restart IPv6 Firewall + +# --- +# allow_nc_talk_out +# --- + +- name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present + shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv4.conf + register: nc_talk_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_talk_out_ipv4_present.rc > 1" + changed_when: "nc_talk_out_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv4_exists.stat.exists + - nc_talk_out_ipv4_present is changed + +- name: Check if String 'allow_nc_talk_out..' (IPv6) is present + shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv6.conf + register: nc_talk_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_talk_out_ipv6_present.rc > 1" + changed_when: "nc_talk_out_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_nc_talk_out' + line: 'allow_nc_talk_out=true' + insertafter: '^#?\s*allow_jitsi_video_conference_out' + when: + - main_ipv6_exists.stat.exists + - nc_talk_out_ipv6_present is changed + +# --- +# allow_bigbluebutton_video_conference_out +# --- + +- name: Check if String 'allow_bigbluebutton_video_conference_out..' 
(IPv4) is present + shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf + register: bigbluebutton_video_conference_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 1" + changed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^allow_bigbluebutton_video_conference_out' + line: 'allow_bigbluebutton_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv4_exists.stat.exists + - bigbluebutton_video_conference_out_ipv4_present is changed + +- name: Check if String 'allow_bigbluebutton_video_conference_out..' (IPv6) is present + shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf + register: bigbluebutton_video_conference_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 1" + changed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^allow_bigbluebutton_video_conference_out' + line: 'allow_bigbluebutton_video_conference_out=true' + insertafter: '^#?\s*allow_mumble_request_out' + when: + - main_ipv6_exists.stat.exists + - bigbluebutton_video_conference_out_ipv6_present is changed + +# --- +# jitsi video conference service +# --- + +- name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present + shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_service_ipv4_present.rc > 1" + changed_when: "jitsi_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. + # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv4_exists.stat.exists + - jitsi_service_ipv4_present is changed + +- name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present + shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "jitsi_service_ipv6_present.rc > 1" + changed_when: "jitsi_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - Jitsi Video Conference Service + # ====== + + # - Jitsi Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_jitsi_video_conference_service=false + + # - Jitsi Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 10000-20000: Virtual Media for Remote Console + # - + jitsi_tcp_ports="$standard_jitsi_tcp_ports" + jitsi_udp_ports="$standard_jitsi_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - jitsi_service_ipv6_present is changed + + +# --- +# TURN Server (Stun Server) (for Nextcloud 'talk' app) +# --- + +- name: Check if String 'nc_turn_ports=..' (IPv4) is present + shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv4.conf + register: nc_turn_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "nc_turn_service_ipv4_present.rc > 1" + changed_when: "nc_turn_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" + when: + - main_ipv4_exists.stat.exists + - nc_turn_service_ipv4_present is changed + +- name: Check if String 'nc_turn_ports=..' 
(IPv6) is present + shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv6.conf + register: nc_turn_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "nc_turn_service_ipv6_present.rc > 1" + changed_when: "nc_turn_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_udp_ports' + block: | + + # ====== + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # ====== + + # - TURN Server (Stun Server) (for Nextcloud 'talk' app) + # - + # - NOT YET IMPLEMENTED + # - + local_nc_turn_service="" + + # - Ports used by local TURN Server (Stun Server) + # - + # - comma separated list + # - + nc_turn_ports="$standard_turn_service_ports" + nc_turn_udp_ports="$standard_turn_service_udp_ports" + marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" + when: + - main_ipv6_exists.stat.exists + - nc_turn_service_ipv6_present is changed + +# --- +# BigBlueButton video conference service +# --- + +- name: Check if String 'bigbluebutton_tcp_ports=..' (IPv4) is present + shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf + register: bigbluebutton_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "bigbluebutton_service_ipv4_present.rc > 1" + changed_when: "bigbluebutton_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - BigBlueButton Video Conference Service + # ====== + + # - BigBlueButton Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_bigbluebutton_video_conference_service=false + + # - BigBlueButton Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams + # - + bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" + bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" + when: + - main_ipv4_exists.stat.exists + - bigbluebutton_service_ipv4_present is changed + +- name: Check if String 'bigbluebutton_tcp_ports=..' (IPv6) is present + shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf + register: bigbluebutton_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "bigbluebutton_service_ipv6_present.rc > 1" + changed_when: "bigbluebutton_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*mumble_ports' + block: | + + # ====== + # - BigBlueButton Video Conference Service + # ====== + + # - BigBlueButton Video Conference Service Gateway + # - + # - NOT YET IMPLEMENTED + # - + local_bigbluebutton_video_conference_service=false + + # - BigBlueButton Video Conference Service Ports + # - + # - TCP 80: Webinterface. 
+ # - TCP 443: Webinterface (SSL) + # - + # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams + # - + bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" + bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" + marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" + when: + - main_ipv6_exists.stat.exists + - bigbluebutton_service_ipv6_present is changed + + +# --- +# Remove Marker set by blockinfile +# --- + +- name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + +- name: Remove marker IPv6 + replace : + path: /etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + +# --- +# Confiuration Files +# --- + +- name: Check if configuration files are latest + shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + register: diff_script_output + +- name: Ensure configuration files are latest + command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} + loop: + - default_ports.conf + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - 
logging_ipv4.conf + - logging_ipv6.conf + - post_decalrations.conf + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + +# --- +# Firewall scripts +# --- + +- name: Check if firewall scripts are latest + shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - ipt-firewall-gateway + - ip6t-firewall-gateway + register: diff_script_output + +- name: Ensure firewall scripts are latest + command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} + loop: + - ipt-firewall-gateway + - ip6t-firewall-gateway + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall diff --git a/roles/modify-ipt-server/tasks/main.yml b/roles/modify-ipt-server/tasks/main.yml index b556b79..733598d 100644 --- a/roles/modify-ipt-server/tasks/main.yml +++ b/roles/modify-ipt-server/tasks/main.yml 
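Review bot: Handler notification is inconsistent across the tasks that edit /etc/ipt-firewall/main_ipv4.conf and main_ipv6.conf: the IPv4 `allow_*` lineinfile tasks, the IPv6 `allow_nc_talk_out` and `allow_bigbluebutton_*` tasks and every blockinfile task carry no `notify:`, so a change they make only restarts the firewall if one of the later cp tasks happens to change too. Each of them should end with `notify: - Restart IPv4 Firewall` (or the IPv6 handler) as the `jitsi_tcp_ports` tasks do. Conversely the `notify:` on the two `stat` tasks never fires, because stat does not report changed, and can be removed.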
@@ -715,6 +715,71 @@ - jitsi_dovecot_auth_ipv6_present is changed + + + +- name: Check if String 'jitsi_jibri_remote_auth=..' (IPv4) is present + shell: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv4.conf + register: jitsi_jibri_remote_auth_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_jibri_remote_auth_ipv4_present.rc > 1" + changed_when: "jitsi_jibri_remote_auth_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi dovecot auth) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*jitsi_dovecot_port' + block: | + # - Jibri extern Client Recording / Streamin + # - + jitsi_jibri_remote_auth=false + # - Remote Jibri servers + # - + # - blank separated list of ipv4 addresses + # - + jitsi_jibri_remote_ips="" + jitsi_jibri_remote_auth_port="$default_jibri_out_port" + + + # - Jibri Recording / Streaming Service + # - + # - blank separated list of ipv4 addresse + # - + jibri_server_ips="" + # - blank separated list of ipv4 addresse + # - + forward_jibri_server_ips="" + jibri_remote_jitsi_server="" + jibri_remote_auth_port="$default_jibri_out_port" + marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)" + when: + - main_ipv4_exists.stat.exists + - jitsi_jibri_remote_auth_ipv4_present is changed + +- name: Check if String 'jitsi_jibri_remote_auth=..' 
(IPv6) is present + shell: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv6.conf + register: jitsi_jibri_remote_auth_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "jitsi_jibri_remote_auth_ipv6_present.rc > 1" + changed_when: "jitsi_jibri_remote_auth_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi dovecot auth) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*jitsi_dovecot_port' + block: | + # - Jitsi Dovecot Authentication + # - + jitsi_dovecot_auth=false + jitsi_dovecot_host="" + jitsi_dovecot_port="$default_jitsi_dovecout_auth_port" + marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)" + when: + - main_ipv6_exists.stat.exists + - jitsi_jibri_remote_auth_ipv6_present is changed + + + # --- # TURN Server (Stun Server) (for Nextcloud 'talk' app) # --- diff --git a/scripts/modify-ipt-gateway-ro.yml b/scripts/modify-ipt-gateway-ro.yml deleted file mode 100644 index 150cff1..0000000 --- a/scripts/modify-ipt-gateway-ro.yml +++ /dev/null 
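Review bot: The IPv6 check task greps `/etc/ipt-firewall/main_ipv6.conf` but is gated on `when: main_ipv4_exists.stat.exists`; on a host that has only the IPv4 file, grep exits 2 on the missing file and `failed_when: "jitsi_jibri_remote_auth_ipv6_present.rc > 1"` aborts the play, so the gate should be `when: main_ipv6_exists.stat.exists`, matching the blockinfile task that follows it. That IPv6 blockinfile also inserts the `jitsi_dovecot_auth`/`jitsi_dovecot_host`/`jitsi_dovecot_port` lines instead of the Jibri settings, so `jitsi_jibri_remote_auth=` never appears in main_ipv6.conf and the check reports changed on every run; its `block:` should carry the same Jibri variables as the IPv4 task (with the address comments adjusted to ipv6). Both new blockinfile tasks reuse `marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)"`; if that is also the marker of the dovecot block that the hunk's first context line belongs to, blockinfile will replace that block's contents instead of adding a new one, so a distinct marker such as `"# Marker set by modify-ipt-server.yml (jitsi jibri remote auth)"` and matching task names are needed. The comment typos `Streamin` and `addresse` in the IPv4 block are worth fixing while here.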
@@ -1,309 +0,0 @@ ---- - -- hosts: gateway_server_ro - - tasks: - - - name: Remount "/ro/" writable - shell: remountrw - - - name: Check if file '/ro/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /ro/etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - - - name: Check if file '/ro/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /ro/etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - - - name: addjust line 'jitsi_tcp_ports' (IPv4) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - - - name: addjust line 'jitsi_tcp_ports' (IPv6) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - when: - - main_ipv6_exists.stat.exists - - - name: addjust line 'jitsi_udp_ports' (IPv4) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' - - - name: addjust line 'jitsi_udp_ports' (IPv6) - lineinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' - when: - - main_ipv6_exists.stat.exists - - # --- - # allow_jitsi_video_conference_out - # --- - - - name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: jitsi_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - jitsi_video_conference_out_ipv4_present is changed - - - name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: jitsi_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - jitsi_video_conference_out_ipv6_present is changed - - # --- - # allow_nc_talk_out - # --- - - - name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present - shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv4.conf - register: nc_talk_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_talk_out_ipv4_present.rc > 1" - changed_when: "nc_talk_out_ipv4_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - nc_talk_out_ipv4_present is changed - - - name: Check if String 'allow_nc_talk_out..' (IPv6) is present - shell: grep -q -E "^allow_nc_talk_out=" /ro/etc/ipt-firewall/main_ipv6.conf - register: nc_talk_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_talk_out_ipv6_present.rc > 1" - changed_when: "nc_talk_out_ipv6_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /ro/etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - nc_talk_out_ipv6_present is changed - - # --- - # jitsi video conference service - # --- - - - name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: jitsi_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv4_present.rc > 1" - changed_when: "jitsi_service_ipv4_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (jitsi service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. - # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv4_exists.stat.exists - - jitsi_service_ipv4_present is changed - - - name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^jitsi_tcp_ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: jitsi_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_service_ipv6_present.rc > 1" - changed_when: "jitsi_service_ipv6_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. 
- # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_service_ipv6_present is changed - - - # --- - # TURN Server (Stun Server) (for Nextcloud 'talk' app) - # --- - - - name: Check if String 'nc_turn_ports=..' (IPv4) is present - shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv4.conf - register: nc_turn_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" - when: - - main_ipv4_exists.stat.exists - - nc_turn_service_ipv4_present is changed - - - name: Check if String 'nc_turn_ports=..' 
(IPv6) is present - shell: grep -q -E "^nc_turn_ports=" /ro/etc/ipt-firewall/main_ipv6.conf - register: nc_turn_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_turn_service_ipv6_present.rc > 1" - changed_when: "nc_turn_service_ipv6_present.rc > 0" - - - name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - nc_turn_service_ipv6_present is changed - - - # --- - # Remove Marker set by blockinfile - # --- - - - name: Remove marker IPv4 - replace : - path: /ro/etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-gateway.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - - - name: Remove marker IPv6 - replace : - path: /ro/etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-gateway.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists - - - name: Remount "/ro/" readonly - shell: remountro - register: remountro_cmd - failed_when: remountro_cmd.rc != 0 and remountro_cmd.rc != 32 diff --git a/scripts/modify-ipt-gateway.yml b/scripts/modify-ipt-gateway.yml deleted file mode 100644 index 72eefb1..0000000 
--- a/scripts/modify-ipt-gateway.yml +++ /dev/null 
@@ -1,419 +0,0 @@ ---- - -- hosts: gateway_server_rw - - tasks: - - - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv4_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv6_exists - - - name: addjust line 'jitsi_tcp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - - - name: addjust line 'jitsi_tcp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - when: - - main_ipv6_exists.stat.exists - - - name: addjust line 'jitsi_udp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' - - - name: addjust line 'jitsi_udp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_udp_ports=' - line: 'jitsi_udp_ports="$standard_jitsi_udp_port_range"' - when: - - main_ipv6_exists.stat.exists - - # --- - # allow_jitsi_video_conference_out - # --- - - - name: Check if String 'allow_jitsi_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv4_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - jitsi_video_conference_out_ipv4_present is changed - - - name: Check if String 'allow_jitsi_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_jitsi_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_video_conference_out_ipv6_present.rc > 1" - changed_when: "jitsi_video_conference_out_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_jitsi_video_conference_out' - line: 'allow_jitsi_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - jitsi_video_conference_out_ipv6_present is changed - - # --- - # allow_nc_talk_out - # --- - - - name: Check if String 'allow_nc_talk_out..' 
(IPv4) is present - shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv4.conf - register: nc_talk_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_talk_out_ipv4_present.rc > 1" - changed_when: "nc_talk_out_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv4_exists.stat.exists - - nc_talk_out_ipv4_present is changed - - - name: Check if String 'allow_nc_talk_out..' (IPv6) is present - shell: grep -q -E "^allow_nc_talk_out=" /etc/ipt-firewall/main_ipv6.conf - register: nc_talk_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_talk_out_ipv6_present.rc > 1" - changed_when: "nc_talk_out_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_nc_talk_out' - line: 'allow_nc_talk_out=true' - insertafter: '^#?\s*allow_jitsi_video_conference_out' - when: - - main_ipv6_exists.stat.exists - - nc_talk_out_ipv6_present is changed - - # --- - # allow_bigbluebutton_video_conference_out - # --- - - - name: Check if String 'allow_bigbluebutton_video_conference_out..' 
(IPv4) is present - shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv4.conf - register: bigbluebutton_video_conference_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 1" - changed_when: "bigbluebutton_video_conference_out_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^allow_bigbluebutton_video_conference_out' - line: 'allow_bigbluebutton_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv4_exists.stat.exists - - bigbluebutton_video_conference_out_ipv4_present is changed - - - name: Check if String 'allow_bigbluebutton_video_conference_out..' (IPv6) is present - shell: grep -q -E "^allow_bigbluebutton_video_conference_out=" /etc/ipt-firewall/main_ipv6.conf - register: bigbluebutton_video_conference_out_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 1" - changed_when: "bigbluebutton_video_conference_out_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^allow_bigbluebutton_video_conference_out' - line: 'allow_bigbluebutton_video_conference_out=true' - insertafter: '^#?\s*allow_mumble_request_out' - when: - - main_ipv6_exists.stat.exists - - bigbluebutton_video_conference_out_ipv6_present is changed - - # --- - # jitsi video conference service - # --- - - - name: Check if String 'jitsi_tcp_ports=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv4_present.rc > 1" - changed_when: "jitsi_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. - # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv4_exists.stat.exists - - jitsi_service_ipv4_present is changed - - - name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_service_ipv6_present.rc > 1" - changed_when: "jitsi_service_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. 
- # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_service_ipv6_present is changed - - - # --- - # TURN Server (Stun Server) (for Nextcloud 'talk' app) - # --- - - - name: Check if String 'nc_turn_ports=..' (IPv4) is present - shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: nc_turn_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" - when: - - main_ipv4_exists.stat.exists - - nc_turn_service_ipv4_present is changed - - - name: Check if String 'nc_turn_ports=..' 
(IPv6) is present - shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: nc_turn_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_turn_service_ipv6_present.rc > 1" - changed_when: "nc_turn_service_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - nc_turn_service_ipv6_present is changed - - # --- - # BigBlueButton video conference service - # --- - - - name: Check if String 'bigbluebutton_tcp_ports=..' (IPv4) is present - shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: bigbluebutton_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "bigbluebutton_service_ipv4_present.rc > 1" - changed_when: "bigbluebutton_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (bigbluebutton service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - BigBlueButton Video Conference Service - # ====== - - # - BigBlueButton Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_bigbluebutton_video_conference_service=false - - # - BigBlueButton Video Conference Service Ports - # - - # - TCP 80: Webinterface. 
- # - TCP 443: Webinterface (SSL) - # - - # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams - # - - bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" - bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" - when: - - main_ipv4_exists.stat.exists - - bigbluebutton_service_ipv4_present is changed - - - name: Check if String 'bigbluebutton_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^bigbluebutton_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: bigbluebutton_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "bigbluebutton_service_ipv6_present.rc > 1" - changed_when: "bigbluebutton_service_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (bigbluebutton service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - BigBlueButton Video Conference Service - # ====== - - # - BigBlueButton Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_bigbluebutton_video_conference_service=false - - # - BigBlueButton Video Conference Service Ports - # - - # - TCP 80: Webinterface. 
- # - TCP 443: Webinterface (SSL) - # - - # - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams - # - - bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports" - bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (bigbluebutton service)" - when: - - main_ipv6_exists.stat.exists - - bigbluebutton_service_ipv6_present is changed - - - # --- - # Remove Marker set by blockinfile - # --- - - - name: Remove marker IPv4 - replace : - path: /etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-gateway.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - - - name: Remove marker IPv6 - replace : - path: /etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-gateway.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists diff --git a/scripts/modify-ipt-server.yml.BAK b/scripts/modify-ipt-server.yml.BAK deleted file mode 100644 index 6d14f04..0000000 --- a/scripts/modify-ipt-server.yml.BAK +++ /dev/null 
@@ -1,724 +0,0 @@ ---- - -- hosts: all - - tasks: - - - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv6.conf - register: main_ipv4_exists - - - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists - stat: - path: /etc/ipt-firewall/main_ipv4.conf - register: main_ipv6_exists - - - name: addjust line 'jitsi_tcp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - - - name: addjust line 'jitsi_tcp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - when: - - main_ipv6_exists.stat.exists - - - name: addjust line 'jitsi_udp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_udp_port_range=' - line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' - - - name: addjust line 'jitsi_udp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_udp_port_range=' - line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' - when: - - main_ipv6_exists.stat.exists - - - name: addjust line 'nc_turn_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^nc_turn_ports=' - line: 'nc_turn_ports="$standard_turn_service_ports"' - - - name: addjust line 'nc_turn_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^nc_turn_ports=' - line: 'nc_turn_ports="$standard_turn_service_ports"' - when: - - main_ipv6_exists.stat.exists - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_turn_udp_ports) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^nc_turn_udp_ports' - line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' - insertafter: '^#?\s*nc_turn_ports' - when: - - main_ipv4_exists.stat.exists - - - name: Adjust file 
'/etc/ipt-firewall/main_ipv6.conf' (nc_turn_udp_ports) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^nc_turn_udp_ports' - line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' - insertafter: '^#?\s*nc_turn_ports' - when: - - main_ipv4_exists.stat.exists - - # --- - # vpn_ports - # --- - - - name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: vpn_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "vpn_ports_ipv4_present.rc > 1" - changed_when: "vpn_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv4_exists.stat.exists - - vpn_ports_ipv4_present is changed - - - name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: vpn_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "vpn_ports_ipv6_present.rc > 1" - changed_when: "vpn_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_vpn_server_ips' - block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: - - main_ipv6_exists.stat.exists - - vpn_ports_ipv6_present is changed - - # --- - # ssh_ports - # --- - - - name: Check if String 'ssh_ports=..' 
is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf - register: ssh_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ssh_ports_ipv4_present.rc > 1" - changed_when: "ssh_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="$standard_ssh_port" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv4_exists.stat.exists - - ssh_ports_ipv4_present is changed - - - name: Check if String 'ssh_ports=..' is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf - register: ssh_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ssh_ports_ipv6_present.rc > 1" - changed_when: "ssh_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="$standard_ssh_port" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv6_exists.stat.exists - - ssh_ports_ipv6_present is changed - - # --- - # http_ports - # --- - - - name: Check if String 'http_ports=..' 
is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf - register: http_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv4_present.rc > 1" - changed_when: "http_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv4_exists.stat.exists - - http_ports_ipv4_present is changed - - - name: Check if String 'http_ports=..' is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf - register: http_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv6_present.rc > 1" - changed_when: "http_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv6_exists.stat.exists - - http_ports_ipv6_present is changed - - # --- - # mail_user_ports - # --- - - - name: Check if String 'mail_user_ports=..' 
is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mail_user_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv4_present.rc > 1" - changed_when: "mail_user_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv4_exists.stat.exists - - mail_user_ports_ipv4_present is changed - - - name: Check if String 'mail_user_ports=..' is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mail_user_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv6_present.rc > 1" - changed_when: "mail_user_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv6_exists.stat.exists - - mail_user_ports_ipv6_present is changed - - # --- - # ftp_passive_port_range - # --- - - - name: Check if String 'ftp_passive_port_range=..' 
is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf - register: ftp_passive_port_range_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv4_exists.stat.exists - - ftp_passive_port_range_ipv4_present is changed - - - name: Check if String 'ftp_passive_port_range=..' is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf - register: ftp_passive_port_range_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv6_exists.stat.exists - - ftp_passive_port_range_ipv6_present is changed - - # --- - # munin_remote_port - # --- - - - name: Check if String 'munin_remote_port=..' 
is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf - register: munin_remote_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv4_present.rc > 1" - changed_when: "munin_remote_port_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Port used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv4_exists.stat.exists - - munin_remote_port_ipv4_present is changed - - - name: Check if String 'munin_remote_port=..' is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf - register: munin_remote_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv6_present.rc > 1" - changed_when: "munin_remote_port_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Ports used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv6_exists.stat.exists - - munin_remote_port_ipv6_present is changed - - # --- - # xymon_port - # --- - - - name: Check if String 'xymon_port=..' 
is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf - register: xymon_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv4_present.rc > 1" - changed_when: "xymon_port_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv4_exists.stat.exists - - xymon_port_ipv4_present is changed - - - name: Check if String 'xymon_port=..' is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf - register: xymon_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv6_present.rc > 1" - changed_when: "xymon_port_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv6_exists.stat.exists - - xymon_port_ipv6_present is changed - - # --- - # mumble_ports - # --- - - - name: Check if String 'mumble_ports=..' 
is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mumble_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv4_present.rc > 1" - changed_when: "mumble_ports_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv4_exists.stat.exists - - mumble_ports_ipv4_present is changed - - - name: Check if String 'mumble_ports=..' is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mumble_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv6_present.rc > 1" - changed_when: "mumble_ports_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv6_exists.stat.exists - - mumble_ports_ipv6_present is changed - - # --- - # jitsi video conference service - # --- - - - name: Check if String 'jitsi_server_ips=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv4_present.rc > 1" - changed_when: "jitsi_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # - Jitsi Video Conferencing Server - # - - jitsi_server_ips="" - forward_jitsi_server_ips="" - - # - Jitsi (incomming) Ports - # - - # - comma separated list of ports/port ranges) - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_port_range="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv4_exists.stat.exists - - jitsi_service_ipv4_present is changed - - - name: Check if String 'jitsi_server_ips=..' (IPv6) is present - shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_service_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv6_present.rc > 1" - changed_when: "jitsi_service_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # - Jitsi Video Conferencing Server - # - - jitsi_server_ips="" - forward_jitsi_server_ips="" - - # - Jitsi (incomming) Ports - # - - # - comma separated list of ports/port ranges) - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_port_range="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_service_ipv6_present is changed - - - name: Check if String 'jitsi_tcp_ports_out=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_tcp_ports_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 1" - changed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi outgoing ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - - # - Jitsi (outgoing) Ports (STUN Services) - # - - jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446" - jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446" - marker: "# Marker set by modify-ipt-server.yml (jitsi outgoing ports)" - when: - - main_ipv4_exists.stat.exists - - jitsi_tcp_ports_out_ipv4_present is changed - - - name: Check if String 'jitsi_tcp_ports_out=..' (IPv6) is present - shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_tcp_ports_out_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 1" - changed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - - # - Jitsi (outgoing) Ports (STUN Services) - # - - jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446" - jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_tcp_ports_out_ipv6_present is changed - - - # --- - # TURN Server (Stun Server) (for Nextcloud 'talk' app) - # --- - - - name: Check if String 'nc_turn_server_ips=..' 
(IPv4) is present - shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: nc_turn_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - nc_turn_server_ips="" - forward_nc_turn_server_ips="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - - marker: "# Marker set by modify-ipt-server.yml (nc's turn service)" - when: - - main_ipv4_exists.stat.exists - - nc_turn_service_ipv4_present is changed - - - name: Check if String 'nc_turn_server_ips=..' (IPv6) is present - shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: nc_turn_service_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - - - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - nc_turn_server_ips="" - forward_nc_turn_server_ips="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - nc_turn_service_ipv6_present is changed - - - # --- - # Remove Marker set by blockinfile - # --- - - - name: 
Remove marker IPv4 - replace : - path: /etc/ipt-firewall/main_ipv4.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv4_removed - #failed_when: "marker_ipv4_removed.rc > 1" - #changed_when: "marker_ipv4_removed.rc < 1" - when: - - main_ipv4_exists.stat.exists - - - name: Remove marker IPv6 - replace : - path: /etc/ipt-firewall/main_ipv6.conf - regexp: "^# Marker set by modify-ipt-server.yml.*$" - replace: "" - register: marker_ipv6_removed - #failed_when: "marker_ipv6_removed.rc > 1" - #changed_when: "marker_ipv6_removed.rc < 1" - when: - - main_ipv6_exists.stat.exists - - # --- - # Firewall scripts - # --- - - - name: Check if firewall scripts are latest - shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' - changed_when: "diff_script_output.rc > 0" - # diff_output.rc - # 0 -> unchanged - # 1 -> changed - # 2 -> not present - failed_when: "diff_script_output.rc > 2" - when: git_firewall_repository is defined and git_firewall_repository > 0 - loop: - - ipt-firewall-server - - ip6t-firewall-server - register: diff_script_output - - - name: Ensure firewall scripts are latest - command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} - loop: - - ipt-firewall-server - - ip6t-firewall-server - when: - - git_firewall_repository is defined and git_firewall_repository > 0 - - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall - - # === - # Handlers used by this playbook - # === - - handlers: - - name: Restart IPv4 Firewall - service: - name: ipt-firewall - state: restarted - when: - - main_ipv4_exists.stat.exists - - - name: Restart IPv6 Firewall - service: - name: ip6t-firewall - state: restarted - when: - - main_ipv6_exists.stat.exists -