From 1d7ebc52cd6eb86a2a6e18211796d98ee4fc2138 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 28 Jan 2025 00:17:15 +0100
Subject: [PATCH] update..

---
 host_vars/formbricks-nd.oopen.de.yml | 182 +++++++++++++++
 .../shop-dev.aufstehen-gegen-rassismus.de.yml | 207 ++++++++++++++++++
 host_vars/verdi-django.warenform.de.yml | 165 ++++++++++++++
 hosts | 23 ++
 roles/modify-ipt-gateway/tasks/main.yml | 189 +++-------------
 roles/modify-ipt-server/tasks/ipt-server.yml | 114 ++++------
 6 files changed, 646 insertions(+), 234 deletions(-)
 create mode 100644 host_vars/formbricks-nd.oopen.de.yml
 create mode 100644 host_vars/shop-dev.aufstehen-gegen-rassismus.de.yml
 create mode 100644 host_vars/verdi-django.warenform.de.yml

diff --git a/host_vars/formbricks-nd.oopen.de.yml b/host_vars/formbricks-nd.oopen.de.yml
new file mode 100644
index 0000000..283e594
--- /dev/null
+++ b/host_vars/formbricks-nd.oopen.de.yml
@@ -0,0 +1,182 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If 
there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/shop-dev.aufstehen-gegen-rassismus.de.yml b/host_vars/shop-dev.aufstehen-gegen-rassismus.de.yml new file mode 100644 index 0000000..dc5cfce --- /dev/null +++ b/host_vars/shop-dev.aufstehen-gegen-rassismus.de.yml 
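Review bot: The `root_user.password` SHA-512 crypt hash at the end of this file is committed in clear text, and the identical hash is repeated in the new host_vars/shop-dev.aufstehen-gegen-rassismus.de.yml and host_vars/verdi-django.warenform.de.yml, so the three hosts share one root password and a single offline-cracked hash from the repository history opens all of them. Store the value as an ansible-vault encrypted `!vault` inline string and generate a distinct hash per host instead of copying one template. Because the hash is already in git history, rotating the root password on every host that uses it is part of the fix, not just vaulting the file.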
@@ -0,0 +1,207 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: false + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + +# search domains +# +# If 
there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +#cron_user_special_time_entries: +# +# - name: "Restart DNS Cache service 'systemd-resolved'" +# special_time: reboot +# job: "sleep 5 ; /bin/systemctl restart systemd-resolved" +# insertafter: PATH +# +# - name: "Check if postfix mailservice is running. Restart service if needed." +# special_time: reboot +# job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" +# insertafter: PATH +# +# - name: "Check if Check if all autostart LX-Container are running." +# special_time: reboot +# job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" +# insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + +# - name: "Check connectifity - reboot if needed" +# minute: '*/10' +# hour: '*' +# job: /root/bin/admin-stuff/check-connectivity.sh +# +# - name: "Check if Postfix Mailservice is up and running?" +# minute: '*/15' +# hour: '*' +# job: /root/bin/monitoring/check_postfix.sh +# +# - name: "Check if NTP service 'ntpsec' is up and running?" 
+# minute: '*/30' +# hour: '*' +# job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/verdi-django.warenform.de.yml b/host_vars/verdi-django.warenform.de.yml new file mode 100644 index 0000000..0e8d69c --- /dev/null +++ b/host_vars/verdi-django.warenform.de.yml 
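Review bot: The `PATH` entry under `cron_env_entries` uses a semicolon, `job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:...`, so cron exports `/root/bin/admin-stuff;/root/bin` as one non-existent directory and neither `/root/bin/admin-stuff` nor `/root/bin` is actually on the cron PATH; the same line is in the new host_vars/formbricks-nd.oopen.de.yml. Change it to `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` in both files. The active `check_ssh.sh` entry uses an absolute path and is unaffected, which is probably why the mistake has not been noticed.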
@@ -0,0 +1,165 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_extra_pkgs: true +apt_extra_pkgs: + - subversion + - subversion-tools + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 213.133.100.100 + - 
2a01:4f8:0:1::add:9898 + - 213.133.99.99 + - 2a01:4f8:0:1::add:1010 + - 213.133.98.98 + - 2a01:4f8:0:1::add:9999 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - warenform.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/hosts b/hosts index 9c94c04..8a660fc 100644 --- a/hosts +++ b/hosts @@ -22,6 +22,8 @@ o33.oopen.de o41.oopen.de dc-opp.oopen.de discourse.oopen.de +test-nd.oopen.de +formbricks-nd.oopen.de [dns_sinma] @@ -246,14 +248,19 @@ cp-flr.oopen.de # Kotti-Coop e.V. o41.oopen.de +# AgR - Shop +shop-dev.aufstehen-gegen-rassismus.de + # RAV o42.oopen.de mm-rav.oopen.de # ND - prometheus, web o43.oopen.de +formbricks-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de +test-nd.oopen.de lxc-host-kb.anw-kb.netz 
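Review bot: `test-nd.oopen.de` is added to the group in the first hunk of this file (and to further groups in the later hunks), but unlike `formbricks-nd.oopen.de` and `shop-dev.aufstehen-gegen-rassismus.de` the commit adds no `host_vars/test-nd.oopen.de.yml`. If the roles these groups drive rely on per-host values such as `resolved_nameserver` or `git_firewall_repository`, that host will run on group or role defaults; presumably its host_vars already exist or are meant to follow, but that is not visible here. The group header for the first hunk lies before the hunk, so which group gains the host cannot be read from the diff.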
@@ -447,12 +454,16 @@ cp-flr.oopen.de o41.oopen.de g.mx.oopen.de +# AgR - Shop +shop-dev.aufstehen-gegen-rassismus.de + # RAV o42.oopen.de mm-rav.oopen.de # ND - prometheus, web o43.oopen.de +formbricks-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de test-nd.oopen.de @@ -1389,6 +1400,12 @@ ga-al-kvm3.ga.netz # Kotti-Coop e.V. o41.oopen.de +# AgR - Shop +shop-dev.aufstehen-gegen-rassismus.de + +# o43 - ND App +formbricks-nd.oopen.de +test-nd.oopen.de [lxc_host] @@ -1585,6 +1602,7 @@ mm-rav.oopen.de # o43 - ND prometheus-nd.oopen.de web-nd.oopen.de +test-nd.oopen.de # --- # O.OPEN office network @@ -1803,14 +1821,19 @@ cp-flr.oopen.de # Kotti-Coop e.V. o41.oopen.de +# AgR - Shop +shop-dev.aufstehen-gegen-rassismus.de + # RAV o42.oopen.de mm-rav.oopen.de # ND - prometheus, web o43.oopen.de +formbricks-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de +test-nd.oopen.de diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index 7fc5ee7..e9d956b 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml 
@@ -132,190 +132,61 @@ - Restart IPv4 Firewall +# === +# Add some Code Block. +# === + + # --- -# FreeIPA Service +# Add additional SMTP ports OUT # --- -- name: Check if String 'freeipa_udp_in_ports..' (IPv4) is present - shell: grep -q -E "^#?freeipa_udp_in_ports=" /etc/ipt-firewall/main_ipv4.conf - register: freeipa_udp_in_ports_ipv4_present +- name: Check if String 'smtpd_additional_outgoung_ports..' (IPv4) is present + shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv4.conf + register: smtpd_additional_outgoung_ports_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "freeipa_udp_in_ports_ipv4_present.rc > 1" - changed_when: "freeipa_udp_in_ports_ipv4_present.rc > 0" + failed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 1" + changed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 0" - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*snmp_trap_port' + insertafter: '^#?\s*mail_user_ports' block: | - # ====== - # - FreeIPA Service - # ====== - - # - FreeIPA services local Networks - # - - freeipa_server_ips="" - - # - FreeIPA (in) Ports - # - - freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports" - freeipa_udp_in_ports="$standard_freeipa_udp_in_ports" + # Additional Ports for outgoing smtp traffic + # + # blank separated list of ports + # + smtpd_additional_outgoung_ports="" marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" when: - main_ipv4_exists.stat.exists - - freeipa_udp_in_ports_ipv4_present is changed + - smtpd_additional_outgoung_ports_ipv4_present is changed -- name: Check if String 'freeipa_udp_in_ports..' (IPv6) is present - shell: grep -q -E "^#?freeipa_udp_in_ports=" /etc/ipt-firewall/main_ipv6.conf - register: freeipa_udp_in_ports_ipv6_present +- name: Check if String 'smtpd_additional_outgoung_ports..' 
(IPv6) is present + shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv6.conf + register: smtpd_additional_outgoung_ports_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "freeipa_udp_in_ports_ipv6_present.rc > 1" - changed_when: "freeipa_udp_in_ports_ipv6_present.rc > 0" + failed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 1" + changed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 0" - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (FreeIPA Service) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_out_ports=' + insertafter: '^#?\s*mail_user_ports=' block: | - # ====== - # - FreeIPA Service - # ====== - - # - FreeIPA services local Networks - # - - freeipa_server_ips="" - - # - FreeIPA (in) Ports - # - - freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports" - freeipa_udp_in_ports="$standard_freeipa_udp_in_ports" + # Additional Ports for outgoing smtp traffic + # + # blank separated list of ports + # + smtpd_additional_outgoung_ports="" marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" when: - main_ipv6_exists.stat.exists - - freeipa_udp_in_ports_ipv6_present is changed - - -# --- -# Restrict VPN Networks -# --- - -- name: Check if String 'restrict_vpn_net_to_local_service..' 
(IPv4) is present - shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv4.conf - register: restrict_vpn_net_to_local_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 1" - changed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (restrict_vpn_net_to_local_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*vpn_out_ports=' - block: | - - # ----- - # - Restrict VPN Network to local Service - # -----# - - # - restrict_vpn_net_to_local_service - # - - # - allow_ext_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]" - # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. - # - - # - Example: - # - restrict_vpn_net_to_local_service=" - # - 10.100.112.0/24:192.168.112.192/27:80:tcp - # - 10.100.112.0/24:192.168.112.192/27:443:tcp - # - " - # - - # - Blank separated list - # - - restrict_vpn_net_to_local_service="" - - - # ----- - # - Restrict VPN Network to local (Sub) network - # ----- - - # - restrict_vpn_net_to_local_subnet - # - - # - restrict_vpn_net_to_local_subnet=": [:} [..] - # - - # - Example: - # - restrict_vpn_net_to_local_subnet=" - # - 10.100.112.0/24:192.168.112.192/27 - # - " - # - - # - Blank separated list - # - - restrict_vpn_net_to_local_subnet="" - marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)" - when: - - main_ipv4_exists.stat.exists - - restrict_vpn_net_to_local_service_ipv4_present is changed - - -- name: Check if String 'restrict_vpn_net_to_local_service..' 
(IPv6) is present - shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv6.conf - register: restrict_vpn_net_to_local_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 1" - changed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (restrict_vpn_net_to_local_service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*vpn_out_ports=' - block: | - - # ----- - # - Restrict VPN Network to local Service - # -----# - - # - restrict_vpn_net_to_local_service - # - - # - allow_ext_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]" - # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. - # - - # - Example: - # - restrict_vpn_net_to_local_service=" - # - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp - # - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp - # - " - # - - # - Blank separated list - # - - restrict_vpn_net_to_local_service="" - - - # ----- - # - Restrict VPN Network to local (Sub) network - # ----- - - # - restrict_vpn_net_to_local_subnet - # - - # - restrict_vpn_net_to_local_subnet=", [,} [..] - # - - # - Example: - # - restrict_vpn_net_to_local_subnet=" - # - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64 - # - " - # - - # - Blank separated list - # - - restrict_vpn_net_to_local_subnet="" - marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)" - when: - - main_ipv6_exists.stat.exists - - restrict_vpn_net_to_local_service_ipv6_present is changed + - smtpd_additional_outgoung_ports_ipv6_present is changed # --- 
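Review bot: Both `blockinfile` tasks in this hunk keep the old `marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)"` and the task name `(FreeIPA Service)` although they now write the SMTP block. On a gateway where the FreeIPA block was already written under that marker by the removed tasks, the first run after this change (the grep for `smtpd_additional_outgoung_ports=` fails, so the task runs) makes blockinfile replace the text between the existing markers — the `freeipa_server_ips`, `freeipa_tcp_in_ports` and `freeipa_udp_in_ports` lines — with the SMTP block instead of adding to the file. Use a distinct marker, e.g. `marker: "# Marker set by modify-ipt-gateway.yml (smtpd_additional_outgoung_ports)"`, and rename the tasks to `Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_outgoung_ports)` and the IPv6 equivalent. The variable name `smtpd_additional_outgoung_ports` (sic) is also what roles/modify-ipt-server writes, so it presumably matches the firewall scripts, but verify the spelling against them before it is baked into more configs. The IPv4 `insertafter` is `'^#?\s*mail_user_ports'` while the IPv6 one is `'^#?\s*mail_user_ports='`; align them so both tasks anchor on the same line.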
diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml
index babe88d..2be0c17 100644
--- a/roles/modify-ipt-server/tasks/ipt-server.yml
+++ b/roles/modify-ipt-server/tasks/ipt-server.yml
@@ -99,103 +99,67 @@ # === # --- -# Add Prometheus Services +# Add additional SMTP ports (OUT and IN) # --- -- name: Check if String 'prometheus_local_server_ips=..' is present - shell: grep -q -E "^prometheus_local_server_ips=" /etc/ipt-firewall/main_ipv4.conf - register: prometheus_local_server_ips_ipv4_present +- name: Check if String 'smtpd_additional_listen_ports=..' is present + shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv4.conf + register: smtpd_additional_listen_ports_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "prometheus_local_server_ips_ipv4_present.rc > 1" - changed_when: "prometheus_local_server_ips_ipv4_present.rc > 0" + failed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 1" + changed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (prometheus_local_server_ips) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_listen_ports) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*tftp_server_ips' + insertafter: '^#?\s*forward_smtpd_ips' block: | + # Additional Ports on which SMTP Service should lsiten + # + # blank separated list of ports + # + smtpd_additional_listen_ports="" - # - Prometheus Monitoring - local Server - # - - # - blank separated list of IPv4 addresses - # - - prometheus_local_server_ips="" - - # - (Remote) prometheus ports - # - - # - !! comma separated list of ports - # - - prometheus_remote_client_ports="$standard_prometheus_ports" - - - # - Prometheus Monitoring - local Client - # - - # - blank separated list of IPv4 addresses - # - - prometheus_local_client_ips="" - - # - Local prometheus ports - # - - # - !! 
comma separated list of ports - # - - prometheus_local_client_ports="$standard_prometheus_ports" - - # - blank separated list of IPv4 addresses - # - - prometheus_remote_server_ips="" - marker: "# Marker set by modify-ipt-server.yml (prometheus_local_server_ips)" + # Additional Ports for outgoing smtp traffic + # + # blank separated list of ports + # + smtpd_additional_outgoung_ports="" + marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" when: - main_ipv4_exists.stat.exists - - prometheus_local_server_ips_ipv4_present is changed + - smtpd_additional_listen_ports_ipv4_present is changed notify: - Restart IPv4 Firewall -- name: Check if String 'prometheus_local_server_ips=..' is present - shell: grep -q -E "^prometheus_local_server_ips=" /etc/ipt-firewall/main_ipv6.conf - register: prometheus_local_server_ips_ipv6_present +- name: Check if String 'smtpd_additional_listen_ports=..' is present + shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv6.conf + register: smtpd_additional_listen_ports_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "prometheus_local_server_ips_ipv6_present.rc > 1" - changed_when: "prometheus_local_server_ips_ipv6_present.rc > 0" + failed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 1" + changed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (prometheus_local_server_ips) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (smtpd_additional_listen_ports) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*tftp_server_ips' + insertafter: '^#?\s*forward_smtpd_ips' block: | + # Additional Ports on which SMTP Service should lsiten + # + # blank separated list of ports + # + smtpd_additional_listen_ports="" - # - Prometheus Monitoring - local Server - # - - # - blank separated list of IPv6 addresses - # - - prometheus_local_server_ips="" - - # - (Remote) prometheus ports - # - - 
# - !! comma separated list of ports - # - - prometheus_remote_client_ports="$standard_prometheus_ports" - - - # - Prometheus Monitoring - local Client - # - - # - blank separated list of IPv6 addresses - # - - prometheus_local_client_ips="" - - # - Local prometheus ports - # - - # - !! comma separated list of ports - # - - prometheus_local_client_ports="$standard_prometheus_ports" - - # - blank separated list of IPv6 addresses - # - - prometheus_remote_server_ips="" - marker: "# Marker set by modify-ipt-server.yml (prometheus_local_server_ips)" + # Additional Ports for outgoing smtp traffic + # + # blank separated list of ports + # + smtpd_additional_outgoung_ports="" + marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" when: - main_ipv6_exists.stat.exists - - prometheus_local_server_ips_ipv6_present is changed + - smtpd_additional_listen_ports_ipv6_present is changed notify: - Restart IPv6 Firewall