diff --git a/host_vars/file-fhxb.fhxb.netz b/host_vars/file-fhxb.fhxb.netz
new file mode 100644
index 0000000..65a94c2
--- /dev/null
+++ b/host_vars/file-fhxb.fhxb.netz
@@ -0,0 +1,503 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: eno1 + # use only once per device (for the first device entry) + headline: eno1 - The primary network interface + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + description: + address: 192.168.192.10 + netmask: 24 + gateway: 192.168.192.254 + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 192.168.192.1 + search: fhxb.netz + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$2aYNjVAaYCJ7KuKYMjX3o1$M7E8/NkOHJnmmVcx0zD27oYExIf2aEergJ1KBnVbn92 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +samba_workgroup: OPP + +samba_netbios_name: ZAPATA + +samba_server_min_protocol: !!str NT1 + +samba_groups: + + - name: fhxb-bildarchiv + group_id: 1110 + + - name: fhxb-sammlungen + group_id: 1210 + + - name: archiv + group_id: 1310 + - name: ausstellungen + group_id: 1320 + - name: forschung + group_id: 1330 + - name: gedenken-im-stadtraum + group_id: 1340 + - name: projekte + group_id: 1350 + - name: publikationen + group_id: 
1360 + - name: stolpersteine + group_id: 1370 + - name: veranstaltungen + group_id: 1380 + - name: vze + group_id: 1390 + + - name: buero + group_id: 1410 + - name: intern + group_id: 1420 + - name: leitung + group_id: 1430 + - name: museum-organisation + group_id: 1440 + - name: presse-orga-oeffentlichkeit + group_id: 1450 + - name: team + group_id: 1460 + - name: technik + group_id: 1470 + - name: vermietung + group_id: 1480 + - name: vermittlung + group_id: 1490 + + +samba_user: + + - name: chris + groups: + + - FHXB-Bildarchiv + + - FHXB-Sammlungen + + - Archiv + - Ausstellungen + - Forschung + - Gedenken-im-Stadtraum + - Projekte + - Publikationen + - Stolpersteine + - Veranstaltungen + + - Buero + - Intern + - Museum-Organisation + - Presse-Orga-Oeffentlichkeit + - Team + - Technik + - Vermietung + - Vermittlung + - Leitung + + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63643330373231636537366333326630333265303265653933613835656262323863363038653234 + 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 + 61313164643061306433643738643563303036646334376536626531383965303036386162393832 + 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 + 3631 + + - name: sysadm + groups: + + - FHXB-Bildarchiv + + - FHXB-Sammlungen + + - Archiv + - Ausstellungen + - Forschung + - Gedenken-im-Stadtraum + - Projekte + - Publikationen + - Stolpersteine + - Veranstaltungen + + - Buero + - Intern + - Museum-Organisation + - Presse-Orga-Oeffentlichkeit + - Team + - Technik + - Vermietung + - Vermittlung + - Leitung + + password: '5hE-7n.JRQ9Y' + +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +#remove_samba_users: [] +remove_samba_users: + - name: evren + +samba_shares: + + - name: FHXB-Bildarchiv + comment: Bildarchiv auf Fileserver + path: /data/samba/FHXB-Bildarchiv/Bildarchiv + group_valid_users: fhxb-bildarchiv + group_write_list: fhxb-bildarchiv + file_create_mask: !!str 660 + 
dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: FHXB-Sammlungen + comment: FHXB-Sammlungen auf Fileserver + path: /data/samba/Darchim2/Bildarchiv + group_valid_users: fhxb-sammlungen + group_write_list: fhxb-sammlungen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Archiv + comment: Archiv auf Fileserver + path: /data/samba/FHXB-Server/Archiv + group_valid_users: archiv + group_write_list: archiv + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Ausstellungen + comment: Ausstellungen auf Fileserver + path: /data/samba/FHXB-Server/Ausstellungen + group_valid_users: ausstellungen + group_write_list: ausstellungen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Forschung + comment: Forschung auf Fileserver + path: /data/samba/FHXB-Server/Forschung + group_valid_users: forschung + group_write_list: forschung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Gedenken-im-Stadtraum + comment: Gedenken-im-Stadtraum auf Fileserver + path: /data/samba/FHXB-Server/Gedenken-im-Stadtraum + group_valid_users: gedenken-im-stadtraum + group_write_list: gedenken-im-stadtraum + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Projekte + comment: Projekte auf Fileserver + path: /data/samba/FHXB-Server/Projekte + group_valid_users: projekte + group_write_list: projekte + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Publikationen + comment: Publikationen auf Fileserver + path: /data/samba/FHXB-Server/Publikationen + group_valid_users: publikationen + group_write_list: publikationen + 
file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Stolpersteine + comment: Stolpersteine auf Fileserver + path: /data/samba/FHXB-Server/Stolpersteine + group_valid_users: stolpersteine + group_write_list: stolpersteine + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Veranstaltungen + comment: Veranstaltungen auf Fileserver + path: /data/samba/FHXB-Server/Veranstaltungen + group_valid_users: Veranstaltungen + group_write_list: Veranstaltungen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: VZE + comment: VZE auf Fileserver + path: /data/samba/FHXB-Server/VZE + group_valid_users: vze + group_write_list: vze + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + + - name: Buero + comment: Buero auf Fileserver + path: /data/samba/FHXB-Server/Buero + group_valid_users: buero + group_write_list: buero + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Intern + comment: Intern auf Fileserver + path: /data/samba/FHXB-Server/Intern + group_valid_users: intern + group_write_list: intern + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Leitung + comment: Leitung auf Fileserver + path: /data/samba/FHXB-Server/Leitung + group_valid_users: leitung + group_write_list: leitung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Museum-Organisation + comment: Museum-Organisation auf Fileserver + path: /data/samba/FHXB-Server/Museum-Organisation + group_valid_users: museum-organisation + group_write_list: museum-organisation + file_create_mask: !!str 660 + dir_create_mask: 
!!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Presse-Orga-Oeffentlichkeit + comment: Presse-Orga-Oeffentlichkeit auf Fileserver + path: /data/samba/FHXB-Server/Presse-Orga-Oeffentlichkeit + group_valid_users: presse-orga-oeffentlichkeit + group_write_list: presse-orga-oeffentlichkeit + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Team + comment: Team auf Fileserver + path: /data/samba/FHXB-Server/Team + group_valid_users: team + group_write_list: team + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Technik + comment: Technik auf Fileserver + path: /data/samba/FHXB-Server/Technik + group_valid_users: technik + group_write_list: technik + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Vermietung + comment: Vermietung auf Fileserver + path: /data/samba/FHXB-Server/Vermietung + group_valid_users: vermietung + group_write_list: vermietung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Vermittlung + comment: Vermittlung auf Fileserver + path: /data/samba/FHXB-Server/Vermittlung + group_valid_users: vermittlung + group_write_list: vermittlung + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/roles/modify-ipt-server/tasks/main.yml b/roles/modify-ipt-server/tasks/main.yml index 15dd686..8880aee 100644 --- a/roles/modify-ipt-server/tasks/main.yml +++ b/roles/modify-ipt-server/tasks/main.yml 
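Review bot: The Samba password for `sysadm` is committed in plaintext (`password: '5hE-7n.JRQ9Y'`) while the `chris` entry in the same `samba_user` list is `!vault`-encrypted; once pushed this credential lives in git history, so it should be rotated and vaulted like its sibling. The crypt hashes under `default_user` and `root_user` (`$6$…`, `$y$…`) are not plaintext, but they are offline-crackable and would normally go through vault as well. `samba_server_min_protocol: !!str NT1` re-enables SMB1, which Samba disables by default (since 4.11) because of its weak authentication and signing story; if a legacy client needs it, a comment naming that client and the retirement plan would help, e.g. `# NT1 (SMB1) required by <device>; remove once it is replaced`. Minor: `network_manage_devices: True` / `network_interface_reload: False` should be lowercase `true`/`false` (yamllint truthy), and the `root@sol` key is installed on all three accounts, which is worth a second look from a least-privilege angle.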
@@ -1,8 +1,8 @@ --- -# --- +# === # Install/Uodate git firewall repository -# --- +# === - meta: end_play when: git_firewall_repository is not defined or git_firewall_repository|length < 1 @@ -15,9 +15,9 @@ when: git_firewall_repository is defined and git_firewall_repository|length > 0 -# --- +# === # Some Checks -# --- +# === - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists stat: @@ -29,15 +29,25 @@ path: /etc/ipt-firewall/main_ipv4.conf register: main_ipv4_exists +- name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + +- name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + - name: Check if file '/etc/munin/munin-node.conf' exists stat: path: /etc/munin/munin-node.conf register: munin_node_exists -# --- +# === # Adjust/Correct some values.. -# --- +# === - name: addjust line 'munin_remote_ip' (IPv4) lineinfile: 
@@ -59,878 +69,148 @@ notify: - Restart IPv6 Firewall -- name: addjust line 'allow ^138..' file '/etc/munin/munin-node.conf' +- name: addjust line 'vpn_ifs' (IPv4) lineinfile: - path: /etc/munin/munin-node.conf - regexp: '^allow \^138' - line: 'allow ^95\.217\.64\.122$' + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^vpn_ifs=' + line: 'vpn_ifs="tun+"' when: - - munin_node_exists.stat.exists - notify: - - Restart Munin Node + - interfaces_ipv4_exists.stat.exists -- name: addjust line 'allow ^.2a01.' file '/etc/munin/munin-node.conf' +- name: addjust line 'vpn_ifs' (IPv6) lineinfile: - path: /etc/munin/munin-node.conf - regexp: '^allow \^2a01' - line: 'allow ^2a01:4f9:4a:2b57::122$' + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^vpn_ifs=' + line: 'vpn_ifs="tun+"' when: - - munin_node_exists.stat.exists - notify: - - Restart Munin Node + - interfaces_ipv6_exists.stat.exists -- name: addjust line 'dovecot_auth_port' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^dovecot_auth_port=' - line: 'dovecot_auth_port="$dovecot_external_auth_port"' - when: - - main_ipv4_exists.stat.exists - -- name: addjust line 'dovecot_auth_port' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^dovecot_auth_port=' - line: 'dovecot_auth_port="$dovecot_external_auth_port"' - when: - - main_ipv6_exists.stat.exists - -- name: addjust line 'jitsi_tcp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - when: - - main_ipv4_exists.stat.exists - -- name: addjust line 'jitsi_tcp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_tcp_ports=' - line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' - when: - - main_ipv6_exists.stat.exists - -- name: addjust line 'jitsi_udp_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_udp_port_range=' - line: 
'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' - when: - - main_ipv4_exists.stat.exists - -- name: addjust line 'jitsi_udp_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_udp_port_range=' - line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' - when: - - main_ipv6_exists.stat.exists - -- name: addjust line 'jitsi_dovecot_port' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^jitsi_dovecot_port=' - line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"' - when: - - main_ipv4_exists.stat.exists - -- name: addjust line 'jitsi_dovecot_port' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^jitsi_dovecot_port=' - line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"' - when: - - main_ipv6_exists.stat.exists - -- name: addjust line 'nc_turn_ports' (IPv4) - lineinfile: - path: /etc/ipt-firewall/main_ipv4.conf - regexp: '^nc_turn_ports=' - line: 'nc_turn_ports="$standard_turn_service_ports"' - when: - - main_ipv4_exists.stat.exists - -- name: addjust line 'nc_turn_ports' (IPv6) - lineinfile: - path: /etc/ipt-firewall/main_ipv6.conf - regexp: '^nc_turn_ports=' - line: 'nc_turn_ports="$standard_turn_service_ports"' - when: - - main_ipv6_exists.stat.exists - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_turn_udp_ports) - lineinfile: - dest: /etc/ipt-firewall/main_ipv4.conf - state: present - regexp: '^nc_turn_udp_ports' - line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' - insertafter: '^#?\s*nc_turn_ports' - when: - - main_ipv4_exists.stat.exists - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc_turn_udp_ports) - lineinfile: - dest: /etc/ipt-firewall/main_ipv6.conf - state: present - regexp: '^nc_turn_udp_ports' - line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' - insertafter: '^#?\s*nc_turn_ports' - when: - - main_ipv4_exists.stat.exists +# === +# Add some Code Block. 
+# === # --- -# vpn_ports +# Wireguard Service # --- -- name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: vpn_ports_ipv4_present +- name: Check if String 'wg_ifs=..' is present in interfaces_ipv4.conf + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf + register: wg_ifs_interfaces_ipv4_present + when: interfaces_ipv4_exists.stat.exists + failed_when: "wg_ifs_interfaces_ipv4_present.rc > 1" + changed_when: "wg_ifs_interfaces_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + insertafter: '^#?\s*vpn_ifs' + block: | + + # - Wireguard Interfaces + # - (comma separated list 'wg+' is also possible) + wg_ifs="wg+" + + marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" + when: + - interfaces_ipv4_exists.stat.exists + - wg_ifs_interfaces_ipv4_present is changed + + +- name: Check if String 'wg_ifs=..' is present in interfaces_ipv6.conf + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf + register: wg_ifs_interfaces_ipv6_present + when: interfaces_ipv6_exists.stat.exists + failed_when: "wg_ifs_interfaces_ipv6_present.rc > 1" + changed_when: "wg_ifs_interfaces_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + insertafter: '^#?\s*vpn_ifs' + block: | + + # - Wireguard Interfaces + # - (comma separated list 'wg+' is also possible) + wg_ifs="wg+" + + marker: "# Marker set by modify-ipt-server.yml (wg_ifs)" + when: + - interfaces_ipv6_exists.stat.exists + - wg_ifs_interfaces_ipv6_present is changed + + +- name: Check if String 'wireguard_server_ips=..' 
is present + shell: grep -q -E "^wireguard_server_ips=" /etc/ipt-firewall/main_ipv4.conf + register: wireguard_service_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "vpn_ports_ipv4_present.rc > 1" - changed_when: "vpn_ports_ipv4_present.rc > 0" + failed_when: "wireguard_service_ipv4_present.rc > 1" + changed_when: "wireguard_service_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (wireguard_service) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_vpn_server_ips' + insertafter: '^#?\s*vpn_ports' block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list + + # - WireGuard Service # - - vpn_ports="$standard_vpn_port" + wireguard_server_ips="" + forward_wireguard_server_ips="" - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: + # - WireGuard Ports used by local Service + # - + # - Blank separated list + # - + wireguard_server_ports="$standard_wireguard_port" + + # - Remote WireGuard Ports + # - + wireguard_out_ports="$standard_wireguard_port" + + marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" + when: - main_ipv4_exists.stat.exists - - vpn_ports_ipv4_present is changed + - wireguard_service_ipv4_present is changed -- name: Check if String 'vpn_ports=..' is present - shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: vpn_ports_ipv6_present + +- name: Check if String 'wireguard_server_ips=..' 
is present + shell: grep -q -E "^wireguard_server_ips=" /etc/ipt-firewall/main_ipv6.conf + register: wireguard_service_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "vpn_ports_ipv6_present.rc > 1" - changed_when: "vpn_ports_ipv6_present.rc > 0" + failed_when: "wireguard_service_ipv6_present.rc > 1" + changed_when: "wireguard_service_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (wireguard_service) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_vpn_server_ips' + insertafter: '^#?\s*vpn_ports' block: | - # - VPN Port(s) used by local Services - # - - # - blank separated list - # - - vpn_ports="$standard_vpn_port" - marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" - when: + # - WireGuard Service + # - + wireguard_server_ips="" + forward_wireguard_server_ips="" + + # - WireGuard Ports used by local Service + # - + # - Blank separated list + # - + wireguard_server_ports="$standard_wireguard_port" + + # - Remote WireGuard Ports + # - + wireguard_out_ports="$standard_wireguard_port" + + marker: "# Marker set by modify-ipt-server.yml (wireguard_service)" + when: - main_ipv6_exists.stat.exists - - vpn_ports_ipv6_present is changed + - wireguard_service_ipv6_present is changed -# --- -# ssh_ports -# --- -- name: Check if String 'ssh_ports=..' 
is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf - register: ssh_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ssh_ports_ipv4_present.rc > 1" - changed_when: "ssh_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="$standard_ssh_port" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv4_exists.stat.exists - - ssh_ports_ipv4_present is changed - -- name: Check if String 'ssh_ports=..' is present - shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf - register: ssh_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "ssh_ports_ipv6_present.rc > 1" - changed_when: "ssh_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ssh_server_ips' - block: | - # - SSH Port(s) used by local Services - # - - # - blank separated list - # - - ssh_ports="$standard_ssh_port" - - marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" - when: - - main_ipv6_exists.stat.exists - - ssh_ports_ipv6_present is changed - -# --- -# http_ports -# --- - -- name: Check if String 'http_ports=..' 
is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf - register: http_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv4_present.rc > 1" - changed_when: "http_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv4_exists.stat.exists - - http_ports_ipv4_present is changed - -- name: Check if String 'http_ports=..' is present - shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf - register: http_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "http_ports_ipv6_present.rc > 1" - changed_when: "http_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_http_server_ips' - block: | - # - HTTP(S) Ports used by local Services - # - - # - comma separated list - # - - http_ports="$standard_http_ports" - - marker: "# Marker set by modify-ipt-server.yml (http_ports)" - when: - - main_ipv6_exists.stat.exists - - http_ports_ipv6_present is changed - -# --- -# mail_user_ports -# --- - -- name: Check if String 'mail_user_ports=..' 
is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mail_user_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv4_present.rc > 1" - changed_when: "mail_user_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv4_exists.stat.exists - - mail_user_ports_ipv4_present is changed - -- name: Check if String 'mail_user_ports=..' is present - shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mail_user_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mail_user_ports_ipv6_present.rc > 1" - changed_when: "mail_user_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mail_server_ips' - block: | - # - Client Ports used by local Mail Services - # - - # - comma separated list - # - - mail_user_ports="$standard_mailuser_ports" - - marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" - when: - - main_ipv6_exists.stat.exists - - mail_user_ports_ipv6_present is changed - -# --- -# ftp_passive_port_range -# --- - -- name: Check if String 'ftp_passive_port_range=..' 
is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf - register: ftp_passive_port_range_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv4_exists.stat.exists - - ftp_passive_port_range_ipv4_present is changed - -- name: Check if String 'ftp_passive_port_range=..' is present - shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf - register: ftp_passive_port_range_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" - changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_ftp_server_ips' - block: | - # - FTP passive port range use by local ftp service(s) - # - - # - example: ftp_passive_port_range="50000:50400" - # - - ftp_passive_port_range="50000:50400" - - marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" - when: - - main_ipv6_exists.stat.exists - - ftp_passive_port_range_ipv6_present is changed - -# --- -# munin_remote_port -# --- - -- name: Check if String 'munin_remote_port=..' 
is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf - register: munin_remote_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv4_present.rc > 1" - changed_when: "munin_remote_port_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Port used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv4_exists.stat.exists - - munin_remote_port_ipv4_present is changed - -- name: Check if String 'munin_remote_port=..' is present - shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf - register: munin_remote_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "munin_remote_port_ipv6_present.rc > 1" - changed_when: "munin_remote_port_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_munin_server_ips' - block: | - # - Ports used by clients hosted on this (local) Munin Services - # - - # - !! Only one port is possible !! - # - - munin_remote_port="$standard_munin_port" - - marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" - when: - - main_ipv6_exists.stat.exists - - munin_remote_port_ipv6_present is changed - -# --- -# xymon_port -# --- - -- name: Check if String 'xymon_port=..' 
is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf - register: xymon_port_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv4_present.rc > 1" - changed_when: "xymon_port_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv4_exists.stat.exists - - xymon_port_ipv4_present is changed - -- name: Check if String 'xymon_port=..' is present - shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf - register: xymon_port_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "xymon_port_ipv6_present.rc > 1" - changed_when: "xymon_port_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*local_xymon_client' - block: | - # - Port used by local Xymon Services - # - - # - !! Only one port is possible !! - # - - xymon_port="$standard_xymon_port" - - marker: "# Marker set by modify-ipt-server.yml (xymon_port)" - when: - - main_ipv6_exists.stat.exists - - xymon_port_ipv6_present is changed - -# --- -# mumble_ports -# --- - -- name: Check if String 'mumble_ports=..' 
is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf - register: mumble_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv4_present.rc > 1" - changed_when: "mumble_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv4_exists.stat.exists - - mumble_ports_ipv4_present is changed - -- name: Check if String 'mumble_ports=..' is present - shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf - register: mumble_ports_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "mumble_ports_ipv6_present.rc > 1" - changed_when: "mumble_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_mumble_server_ips' - block: | - # - Ports used by local Mumble Services - # - - # - comma separated list - # - - mumble_ports="$standard_mumble_port" - - marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" - when: - - main_ipv6_exists.stat.exists - - mumble_ports_ipv6_present is changed - -# --- -# jitsi video conference service -# --- - -- name: Check if String 'jitsi_server_ips=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv4_present.rc > 1" - changed_when: "jitsi_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # - Jitsi Video Conferencing Server - # - - jitsi_server_ips="" - forward_jitsi_server_ips="" - - # - Jitsi (incomming) Ports - # - - # - comma separated list of ports/port ranges) - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_port_range="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv4_exists.stat.exists - - jitsi_service_ipv4_present is changed - -- name: Check if String 'jitsi_server_ips=..' (IPv6) is present - shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_service_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv6_present.rc > 1" - changed_when: "jitsi_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # - Jitsi Video Conferencing Server - # - - jitsi_server_ips="" - forward_jitsi_server_ips="" - - # - Jitsi (incomming) Ports - # - - # - comma separated list of ports/port ranges) - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_port_range="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_service_ipv6_present is changed - -- name: Check if String 'jitsi_tcp_ports_out=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_tcp_ports_out_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 1" - changed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi outgoing ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - # - Jitsi (outgoing) Ports (STUN Services) - # - - jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446" - jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446" - marker: "# Marker set by modify-ipt-server.yml (jitsi outgoing ports)" - when: - - main_ipv4_exists.stat.exists - - jitsi_tcp_ports_out_ipv4_present is changed - -- name: Check if String 'jitsi_tcp_ports_out=..' (IPv6) is present - shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_tcp_ports_out_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 1" - changed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_port_range' - block: | - # - Jitsi (outgoing) Ports (STUN Services) - # - - jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446" - jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446" - marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot)" - when: - - main_ipv6_exists.stat.exists - - jitsi_tcp_ports_out_ipv6_present is changed - -- name: Check if String 'jitsi_dovecot_auth=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_dovecot_auth_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_dovecot_auth_ipv4_present.rc > 1" - changed_when: "jitsi_dovecot_auth_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi dovecot auth) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_ports_out' - block: | - # - Jitsi Dovecot Authentication - # - - jitsi_dovecot_auth=false - jitsi_dovecot_host="" - jitsi_dovecot_port="$default_jitsi_dovecout_auth_port" - marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)" - when: - - main_ipv4_exists.stat.exists - - jitsi_dovecot_auth_ipv4_present is changed - -- name: Check if String 'jitsi_dovecot_auth=..' (IPv6) is present - shell: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_dovecot_auth_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_dovecot_auth_ipv6_present.rc > 1" - changed_when: "jitsi_dovecot_auth_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi dovecot auth) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_ports_out' - block: | - # - Jitsi Dovecot Authentication - # - - jitsi_dovecot_auth=false - jitsi_dovecot_host="" - jitsi_dovecot_port="$default_jitsi_dovecout_auth_port" - marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)" - when: - - main_ipv6_exists.stat.exists - - jitsi_dovecot_auth_ipv6_present is changed - - - - - -- name: Check if String 'jitsi_jibri_remote_auth=..' 
(IPv4) is present - shell: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_jibri_remote_auth_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_jibri_remote_auth_ipv4_present.rc > 1" - changed_when: "jitsi_jibri_remote_auth_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jibri streamin/recording) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_dovecot_port' - block: | - # - Jibri extern Client Recording / Streamin - # - - jitsi_jibri_remote_auth=false - # - Remote Jibri servers - # - - # - blank separated list of ipv4 addresses - # - - jitsi_jibri_remote_ips="" - jitsi_jibri_remote_auth_port="$default_jibri_out_port" - - - # - Jibri Recording / Streaming Service - # - - # - blank separated list of ipv4 addresse - # - - jibri_server_ips="" - # - blank separated list of ipv4 addresse - # - - forward_jibri_server_ips="" - jibri_remote_jitsi_server="" - jibri_remote_auth_port="$default_jibri_out_port" - marker: "# Marker set by modify-ipt-server.yml (jibri streamin/recording)" - when: - - main_ipv4_exists.stat.exists - - jitsi_jibri_remote_auth_ipv4_present is changed - -- name: Check if String 'jitsi_jibri_remote_auth=..' 
(IPv6) is present - shell: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_jibri_remote_auth_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_jibri_remote_auth_ipv6_present.rc > 1" - changed_when: "jitsi_jibri_remote_auth_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jibri streamin/recording) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_dovecot_port' - block: | - # - Jibri extern Client Recording / Streamin - # - - jitsi_jibri_remote_auth=false - # - Remote Jibri servers - # - - # - colon separated list of ipv6 addresses - # - - jitsi_jibri_remote_ips="" - jitsi_jibri_remote_auth_port="$default_jibri_out_port" - - - # - Jibri Recording / Streaming Service - # - - # - colon separated list of ipv6 addresses - # - - jibri_server_ips="" - # - colon separated list of ipv6 addresses - # - - forward_jibri_server_ips="" - jibri_remote_jitsi_server="" - jibri_remote_auth_port="$default_jibri_out_port" - marker: "# Marker set by modify-ipt-server.yml (jibri streamin/recording)" - when: - - main_ipv6_exists.stat.exists - - jitsi_jibri_remote_auth_ipv6_present is changed - - - -# --- -# TURN Server (Stun Server) (for Nextcloud 'talk' app) -# --- - -- name: Check if String 'nc_turn_server_ips=..' 
(IPv4) is present - shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: nc_turn_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_dovecot_port' - block: | - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - nc_turn_server_ips="" - forward_nc_turn_server_ips="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - - marker: "# Marker set by modify-ipt-server.yml (nc's turn service)" - when: - - main_ipv4_exists.stat.exists - - nc_turn_service_ipv4_present is changed - -- name: Check if String 'nc_turn_server_ips=..' (IPv6) is present - shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: nc_turn_service_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv6_present.rc > 1" - changed_when: "nc_turn_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_dovecot_port' - block: | - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - nc_turn_server_ips="" - forward_nc_turn_server_ips="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-server.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - nc_turn_service_ipv6_present is changed - - - -# --- -# DHCP Client -# --- - -- name: Check if String 
'dhcp_client_ifs=..' (IPv4) is present - shell: grep -q -E "^dhcp_client_ifs=" /etc/ipt-firewall/main_ipv4.conf - register: dhcp_client_ifs_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "dhcp_client_ifs_ipv4_present.rc > 1" - changed_when: "dhcp_client_ifs_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (dhclient service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*dhcp_server_ifs' - block: | - - # DHCP Client - # - # Comma seperated list of Interface, which are dhcp clients - # - dhcp_client_ifs="" - - marker: "# Marker set by modify-ipt-server.yml ( dhclient service)" - when: - - main_ipv4_exists.stat.exists - - dhcp_client_ifs_ipv4_present is changed - -- name: Check if String 'dhcp_client_ifs=..' (IPv6) is present - shell: grep -q -E "^dhcp_client_ifs=" /etc/ipt-firewall/main_ipv6.conf - register: dhcp_client_ifs_ipv6_present - when: main_ipv4_exists.stat.exists - failed_when: "dhcp_client_ifs_ipv6_present.rc > 1" - changed_when: "dhcp_client_ifs_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (dhclient service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*dhcp_server_ifs' - block: | - - # DHCP Client - # - # Comma seperated list of Interface, which are dhcp clients - # - dhcp_client_ifs="" - - marker: "# Marker set by modify-ipt-server.yml (dhclient service)" - when: - - main_ipv6_exists.stat.exists - - dhcp_client_ifs_ipv6_present is changed - - -# --- +# === # Remove Marker set by blockinfile -# --- +# === - name: Remove marker IPv4 replace : 
@@ -954,9 +234,25 @@ when: - main_ipv6_exists.stat.exists -# --- +- name: Remove marker IPv4 from interfaces_ipv4.conf + replace : + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + when: + - interfaces_ipv4_exists.stat.exists + +- name: Remove marker IPv6 from interfaces_ipv6.conf + replace : + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + when: + - interfaces_ipv6_exists.stat.exists + +# === # Confiuration Files -# --- +# === - name: Check if configuration files are latest shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' @@ -995,9 +291,9 @@ - Restart IPv4 Firewall - Restart IPv6 Firewall -# --- +# === # Firewall scripts -# --- +# === - name: Check if firewall scripts are latest shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
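Review bot: The two added `replace` tasks blank out the marker text but keep the line, so each run that follows a blockinfile insert leaves another empty line behind in interfaces_ipv4.conf / interfaces_ipv6.conf; `lineinfile` with `regexp: '^# Marker set by modify-ipt-server\.yml'` and `state: absent` removes the whole line instead (and the unescaped `.` in `modify-ipt-server.yml` should be `\.` so the pattern cannot match an unrelated marker). Stripping the markers also means blockinfile can no longer locate, update or remove its block on later runs, so any re-insertion into these firewall files must be guarded by checking for the variables themselves, as the grep-based `*_present` tasks elsewhere in this playbook appear to do; a one-line comment above the tasks saying `# markers are removed on purpose: blocks are re-inserted only when the grep guard finds the variable missing` would spare the next maintainer that discovery. The `when` conditions depend on `interfaces_ipv4_exists` / `interfaces_ipv6_exists` being registered by stat tasks outside this hunk; if those are absent the tasks fail on an undefined variable rather than skipping. Minor: `replace :` carries a space before the colon, which yamllint's `colons` rule flags, although it matches the existing tasks in this file.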