This commit is contained in:
Christoph 2025-01-28 00:17:15 +01:00
parent 5fe32c6473
commit 1d7ebc52cd
6 changed files with 646 additions and 234 deletions


@ -0,0 +1,182 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
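Review bot: The `root_user.password` hash on the last line of this hunk is committed in clear text and is byte-identical to the hash in the other two new host_vars files of this commit, so three hosts share one root password and anyone with read access to the repository can run offline guessing against a `$6$` SHA-512 crypt hash that, lacking a `rounds=` parameter, uses the default 5000 rounds. Store the value as an ansible-vault encrypted scalar (`password: !vault |` followed by the ciphertext) and give each host its own hash; because the plaintext hash is already in git history, the password should be rotated rather than merely encrypted in a follow-up. Separately, the cron PATH entry `job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:...` uses `;` where `:` is required, so cron stores `/root/bin/admin-stuff;/root/bin` as one non-existent directory and neither `/root/bin/admin-stuff` nor `/root/bin` is actually searched by the cron jobs; it should read `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`.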


@ -0,0 +1,207 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: false
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
#
# - name: "Check if postfix mailservice is running. Restart service if needed."
# special_time: reboot
# job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
# insertafter: PATH
#
# - name: "Check if Check if all autostart LX-Container are running."
# special_time: reboot
# job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
# insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
# - name: "Check connectifity - reboot if needed"
# minute: '*/10'
# hour: '*'
# job: /root/bin/admin-stuff/check-connectivity.sh
#
# - name: "Check if Postfix Mailservice is up and running?"
# minute: '*/15'
# hour: '*'
# job: /root/bin/monitoring/check_postfix.sh
#
# - name: "Check if NTP service 'ntpsec' is up and running?"
# minute: '*/30'
# hour: '*'
# job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
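Review bot: The cron PATH entry `job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:...` in the `cron_env_entries` list has a `;` where a `:` separator belongs, so the `check_ssh.sh` job runs with a PATH whose first component is the literal string `/root/bin/admin-stuff;/root/bin`, and nothing from either directory is found by name; change it to `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`. This file sets `systemd_resolved: false` yet still defines `resolved_nameserver`, `resolved_domains`, `resolved_dnssec` and `resolved_fallback_nameserver`; presumably the role skips them when disabled, but a one-line comment such as `# resolved_* kept for when systemd_resolved is re-enabled; currently unused` would tell the next maintainer they are intentionally inert. The `root_user.password` value is the same unencrypted `$6$` hash that appears in the other host_vars files of this commit, so the vaulting and per-host-uniqueness concern applies here as well.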


@ -0,0 +1,165 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- subversion
- subversion-tools
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 213.133.100.100
- 2a01:4f8:0:1::add:9898
- 213.133.99.99
- 2a01:4f8:0:1::add:1010
- 213.133.98.98
- 2a01:4f8:0:1::add:9999
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- warenform.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/copy_files.yml
# ---
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
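Review bot: `resolved_dnssec: false` turns off validation for a host whose `resolved_nameserver` entries are plain, unauthenticated upstream resolvers, so every answer is accepted without any integrity check; if this is a deliberate trade-off (systemd-resolved's validator is known to misbehave with some upstreams), record it with a comment above the key, e.g. `# DNSSEC validation deliberately disabled — <reason>; revisit when upstream resolvers are confirmed to validate`, rather than leaving a silent `false`. The search-domain entry `- ~.` is parsed by PyYAML as the string `~.`, but it is one character away from the YAML null `~`; quoting it as `- '~.'` makes the intent unambiguous to readers and linters. The `root_user.password` value is the same clear-text `$6$` hash found in the other two host_vars files of this commit, so this host too shares the root password and should get a vaulted, unique hash.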

23
hosts

@ -22,6 +22,8 @@ o33.oopen.de
o41.oopen.de o41.oopen.de
dc-opp.oopen.de dc-opp.oopen.de
discourse.oopen.de discourse.oopen.de
test-nd.oopen.de
formbricks-nd.oopen.de
[dns_sinma] [dns_sinma]
@ -246,14 +248,19 @@ cp-flr.oopen.de
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
@ -447,12 +454,16 @@ cp-flr.oopen.de
o41.oopen.de o41.oopen.de
g.mx.oopen.de g.mx.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@ -1389,6 +1400,12 @@ ga-al-kvm3.ga.netz
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# o43 - ND App
formbricks-nd.oopen.de
test-nd.oopen.de
[lxc_host] [lxc_host]
@ -1585,6 +1602,7 @@ mm-rav.oopen.de
# o43 - ND # o43 - ND
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de
# --- # ---
# O.OPEN office network # O.OPEN office network
@ -1803,14 +1821,19 @@ cp-flr.oopen.de
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de


@ -132,190 +132,61 @@
- Restart IPv4 Firewall - Restart IPv4 Firewall
# ===
# Add some Code Block.
# ===
# --- # ---
# FreeIPA Service # Add additional SMTP ports OUT
# --- # ---
- name: Check if String 'freeipa_udp_in_ports..' (IPv4) is present - name: Check if String 'smtpd_additional_outgoung_ports..' (IPv4) is present
shell: grep -q -E "^#?freeipa_udp_in_ports=" /etc/ipt-firewall/main_ipv4.conf shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv4.conf
register: freeipa_udp_in_ports_ipv4_present register: smtpd_additional_outgoung_ports_ipv4_present
when: main_ipv4_exists.stat.exists when: main_ipv4_exists.stat.exists
failed_when: "freeipa_udp_in_ports_ipv4_present.rc > 1" failed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 1"
changed_when: "freeipa_udp_in_ports_ipv4_present.rc > 0" changed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service) - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*snmp_trap_port' insertafter: '^#?\s*mail_user_ports'
block: | block: |
# ====== # Additional Ports for outgoing smtp traffic
# - FreeIPA Service #
# ====== # blank separated list of ports
#
# - FreeIPA services local Networks smtpd_additional_outgoung_ports=""
# -
freeipa_server_ips=""
# - FreeIPA (in) Ports
# -
freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports"
freeipa_udp_in_ports="$standard_freeipa_udp_in_ports"
marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)"
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- freeipa_udp_in_ports_ipv4_present is changed - smtpd_additional_outgoung_ports_ipv4_present is changed
- name: Check if String 'freeipa_udp_in_ports..' (IPv6) is present - name: Check if String 'smtpd_additional_outgoung_ports..' (IPv6) is present
shell: grep -q -E "^#?freeipa_udp_in_ports=" /etc/ipt-firewall/main_ipv6.conf shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv6.conf
register: freeipa_udp_in_ports_ipv6_present register: smtpd_additional_outgoung_ports_ipv6_present
when: main_ipv6_exists.stat.exists when: main_ipv6_exists.stat.exists
failed_when: "freeipa_udp_in_ports_ipv6_present.rc > 1" failed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 1"
changed_when: "freeipa_udp_in_ports_ipv6_present.rc > 0" changed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (FreeIPA Service) - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (FreeIPA Service)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_out_ports=' insertafter: '^#?\s*mail_user_ports='
block: | block: |
# ====== # Additional Ports for outgoing smtp traffic
# - FreeIPA Service #
# ====== # blank separated list of ports
#
# - FreeIPA services local Networks smtpd_additional_outgoung_ports=""
# -
freeipa_server_ips=""
# - FreeIPA (in) Ports
# -
freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports"
freeipa_udp_in_ports="$standard_freeipa_udp_in_ports"
marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)"
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- freeipa_udp_in_ports_ipv6_present is changed - smtpd_additional_outgoung_ports_ipv6_present is changed
# ---
# Restrict VPN Networks
# ---
- name: Check if String 'restrict_vpn_net_to_local_service..' (IPv4) is present
shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv4.conf
register: restrict_vpn_net_to_local_service_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 1"
changed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (restrict_vpn_net_to_local_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*vpn_out_ports='
block: |
# -----
# - Restrict VPN Network to local Service
# -----#
# - restrict_vpn_net_to_local_service
# -
# - allow_ext_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -
# - Example:
# - restrict_vpn_net_to_local_service="
# - 10.100.112.0/24:192.168.112.192/27:80:tcp
# - 10.100.112.0/24:192.168.112.192/27:443:tcp
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_service=""
# -----
# - Restrict VPN Network to local (Sub) network
# -----
# - restrict_vpn_net_to_local_subnet
# -
# - restrict_vpn_net_to_local_subnet="<src-vpn-net>:<dst-local-net> [<src-vpn-net>:<dst-local-net>} [..]
# -
# - Example:
# - restrict_vpn_net_to_local_subnet="
# - 10.100.112.0/24:192.168.112.192/27
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_subnet=""
marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)"
when:
- main_ipv4_exists.stat.exists
- restrict_vpn_net_to_local_service_ipv4_present is changed
- name: Check if String 'restrict_vpn_net_to_local_service..' (IPv6) is present
shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv6.conf
register: restrict_vpn_net_to_local_service_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 1"
changed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (restrict_vpn_net_to_local_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*vpn_out_ports='
block: |
# -----
# - Restrict VPN Network to local Service
# -----#
# - restrict_vpn_net_to_local_service
# -
# - allow_ext_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -
# - Example:
# - restrict_vpn_net_to_local_service="
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_service=""
# -----
# - Restrict VPN Network to local (Sub) network
# -----
# - restrict_vpn_net_to_local_subnet
# -
# - restrict_vpn_net_to_local_subnet="<src-vpn-net>,<dst-local-net> [<src-vpn-net>,<dst-local-net>} [..]
# -
# - Example:
# - restrict_vpn_net_to_local_subnet="
# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64
# - "
# -
# - Blank separated list
# -
restrict_vpn_net_to_local_subnet=""
marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)"
when:
- main_ipv6_exists.stat.exists
- restrict_vpn_net_to_local_service_ipv6_present is changed
# --- # ---
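Review bot: Both `blockinfile` tasks on the new side still carry `marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)"` and the task names `Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service)` / `... main_ipv6.conf (FreeIPA Service)` although the block they now write is the SMTP outgoing-ports stanza; because `blockinfile` locates a managed block by its marker, a gateway whose config already contains the FreeIPA block written by the previous version of this playbook will have its `freeipa_server_ips`, `freeipa_tcp_in_ports` and `freeipa_udp_in_ports` lines replaced by the SMTP stanza on the first run, not supplemented. Give the new block its own marker and name, e.g. `marker: "# Marker set by modify-ipt-gateway.yml (smtpd_additional_outgoung_ports)"` and `name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_outgoung_ports)` (and the IPv6 counterpart). The variable name `smtpd_additional_outgoung_ports` is misspelled but used consistently in this commit; the firewall script from the ipt-server repository must read exactly this spelling or the setting is dead, which cannot be confirmed from this diff and should be checked against the script. Minor: the IPv4 `insertafter: '^#?\s*mail_user_ports'` lacks the trailing `=` that the IPv6 regex has, and unlike modify-ipt-server.yml neither task here notifies a firewall restart handler, so a freshly added stanza takes effect only on the next restart — presumably intended since the value is written empty, but worth a comment.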


@ -99,103 +99,67 @@
# === # ===
# --- # ---
# Add Prometheus Services # Add additional SMTP ports (OUT and IN)
# --- # ---
- name: Check if String 'prometheus_local_server_ips=..' is present - name: Check if String 'smtpd_additional_listen_ports=..' is present
shell: grep -q -E "^prometheus_local_server_ips=" /etc/ipt-firewall/main_ipv4.conf shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv4.conf
register: prometheus_local_server_ips_ipv4_present register: smtpd_additional_listen_ports_ipv4_present
when: main_ipv4_exists.stat.exists when: main_ipv4_exists.stat.exists
failed_when: "prometheus_local_server_ips_ipv4_present.rc > 1" failed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 1"
changed_when: "prometheus_local_server_ips_ipv4_present.rc > 0" changed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (prometheus_local_server_ips) - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_listen_ports)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*tftp_server_ips' insertafter: '^#?\s*forward_smtpd_ips'
block: | block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# - Prometheus Monitoring - local Server # Additional Ports for outgoing smtp traffic
# - #
# - blank separated list of IPv4 addresses # blank separated list of ports
# - #
prometheus_local_server_ips="" smtpd_additional_outgoung_ports=""
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)"
# - (Remote) prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"
# - Prometheus Monitoring - local Client
# -
# - blank separated list of IPv4 addresses
# -
prometheus_local_client_ips=""
# - Local prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"
# - blank separated list of IPv4 addresses
# -
prometheus_remote_server_ips=""
marker: "# Marker set by modify-ipt-server.yml (prometheus_local_server_ips)"
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- prometheus_local_server_ips_ipv4_present is changed - smtpd_additional_listen_ports_ipv4_present is changed
notify: notify:
- Restart IPv4 Firewall - Restart IPv4 Firewall
- name: Check if String 'prometheus_local_server_ips=..' is present - name: Check if String 'smtpd_additional_listen_ports=..' is present
shell: grep -q -E "^prometheus_local_server_ips=" /etc/ipt-firewall/main_ipv6.conf shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv6.conf
register: prometheus_local_server_ips_ipv6_present register: smtpd_additional_listen_ports_ipv6_present
when: main_ipv6_exists.stat.exists when: main_ipv6_exists.stat.exists
failed_when: "prometheus_local_server_ips_ipv6_present.rc > 1" failed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 1"
changed_when: "prometheus_local_server_ips_ipv6_present.rc > 0" changed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (prometheus_local_server_ips) - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (smtpd_additional_listen_ports)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*tftp_server_ips' insertafter: '^#?\s*forward_smtpd_ips'
block: | block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# - Prometheus Monitoring - local Server # Additional Ports for outgoing smtp traffic
# - #
# - blank separated list of IPv6 addresses # blank separated list of ports
# - #
prometheus_local_server_ips="" smtpd_additional_outgoung_ports=""
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)"
# - (Remote) prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"
# - Prometheus Monitoring - local Client
# -
# - blank separated list of IPv6 addresses
# -
prometheus_local_client_ips=""
# - Local prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"
# - blank separated list of IPv6 addresses
# -
prometheus_remote_server_ips=""
marker: "# Marker set by modify-ipt-server.yml (prometheus_local_server_ips)"
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- prometheus_local_server_ips_ipv6_present is changed - smtpd_additional_listen_ports_ipv6_present is changed
notify: notify:
- Restart IPv6 Firewall - Restart IPv6 Firewall
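Review bot: The presence check only greps `^smtpd_additional_listen_ports=`, but the block it guards writes two assignments, `smtpd_additional_listen_ports=""` and `smtpd_additional_outgoung_ports=""`; a config that already defines the outgoing variable but not the listen one would receive a second, empty `smtpd_additional_outgoung_ports=""`, and since the file is sourced as shell, whichever assignment comes later silently wins, so an administrator's configured outgoing ports can be reset to none. Either extend the guard to `grep -q -E "^#?smtpd_additional_(listen|outgoung)_ports="` and treat a hit for either as present, or split the stanza into two independently guarded blocks as modify-ipt-gateway.yml does for the outgoing ports. The grep here also lacks the `#?` that the gateway playbook uses, so a commented-out `#smtpd_additional_listen_ports=` placeholder shipped with the firewall config would not be detected and the block would be appended anyway — pick one convention for both playbooks. The comment text written into the remote config reads `lsiten` for `listen`; since it ends up in the operator-facing file, fix it to `# Additional Ports on which SMTP Service should listen`.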