From 22b9531c302ae128c708b672d8fe463516ef7225 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 13 Feb 2023 17:34:39 +0100
Subject: [PATCH] update..
---
 group_vars/all/main.yml | 6 +
 host_vars/git.warenform.de.yml | 111 ++++++++
 host_vars/gitea.oopen.de.yml | 111 ++++++++
 hosts | 20 +-
 roles/modify-ipt-gateway/tasks/main.yml | 352 +++---------------------
 5 files changed, 270 insertions(+), 330 deletions(-)
 create mode 100644 host_vars/git.warenform.de.yml
 create mode 100644 host_vars/gitea.oopen.de.yml
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index d1e0dbc..fbca840 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -150,6 +150,8 @@ apt_initial_install_stretch:
 - dbus
 - openssh-server
 - rssh
+ - bash
+ - bash-completion
 - vim
 - vim-common
 - vim-doc
@@ -264,6 +266,8 @@ apt_initial_install_buster:
 - dbus
 - openssh-server
 - rush
+ - bash
+ - bash-completion
 - vim
 - vim-common
 - vim-doc
@@ -383,6 +387,8 @@ apt_initial_install_bullseye:
 - dbus
 - openssh-server
 - rush
+ - bash
+ - bash-completion
 - vim
 - vim-common
 - vim-doc
diff --git a/host_vars/git.warenform.de.yml b/host_vars/git.warenform.de.yml
new file mode 100644
index 0000000..4b30bd7
--- /dev/null
+++ b/host_vars/git.warenform.de.yml
@@ -0,0 +1,111 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+ - name: chris
+ password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+sudo_users:
+ - chris
+ - sysadm
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_back_svn_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+ name: ipt-server
+ repo: https://git.oopen.de/firewall/ipt-server
+ dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+ name: root
+ password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
diff --git a/host_vars/gitea.oopen.de.yml b/host_vars/gitea.oopen.de.yml
new file mode 100644
index 0000000..4b30bd7
--- /dev/null
+++ b/host_vars/gitea.oopen.de.yml
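Review bot: The `password:` values for chris, sysadm, back and root_user are SHA-512 crypt hashes committed in clear host_vars, next to the SSH keys and a sudoers grant; a crypt hash in version control is an offline-cracking target, so these should be stored as `ansible-vault`-encrypted `!vault` inline values or in a vaulted vars file rather than in plaintext. The file is byte-identical to host_vars/gitea.oopen.de.yml (both are blob 4b30bd7), so both hosts get the same user and root password hashes — per-host root_user hashes and moving the shared user definitions to group_vars would limit the blast radius of one compromised hash. The hashes are unquoted plain scalars; they parse as strings today, but quoting them (`password: '$6$...'`) protects against a future value that starts with a YAML indicator. The `sudoers_file_user_back_svn_privileges` NOPASSWD grant for /usr/bin/svnadmin looks like a copied template; confirm a Subversion admin command is really needed on a Gitea host before granting it. The same points apply to the hunk for host_vars/gitea.oopen.de.yml.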
@@ -0,0 +1,111 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+default_user:
+
+ - name: chris
+ password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_back_svn_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/hosts b/hosts index 8020368..7f95a49 100644 --- a/hosts +++ b/hosts @@ -31,10 +31,8 @@ gw-fhxb.oopen.de gw-ckubu.local.netz gw-b3.oopen.de gw-blkr.oopen.de -172.16.162.89 gw-d11.oopen.de gw-flr.oopen.de -172.16.102.22 gw-irights.irights.netz gw-km.oopen.de gw-mbr.oopen.de @@ -57,7 +55,7 @@ gw-replacement3.local.netz k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw-surf1.oopen.de +ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de ga-st-lxc1.ga.netz @@ -161,8 +159,10 @@ o26.oopen.de # Backup Faire Mobilitaet o28.oopen.de -# Backup Server +# - o29.oopen.de Backup Server o29.oopen.de +backup.oopen.de +gitea.oopen.de # AK - Server Nextcloud/Jitsi Meet o30.oopen.de @@ -196,6 +196,7 @@ cl-test.oopen.de lxc-host-kb.anw-kb.netz + [initial_setup] # --- @@ -317,6 +318,7 @@ o28.oopen.de o29.oopen.de backup.oopen.de git.oopen.de +gitea.oopen.de munin.oopen.de nscache.oopen.de 
@@ -383,7 +385,6 @@ file-fhxb.fhxb.netz # Fluechtlingsrat BRB gw-flr.oopen.de -172.16.102.22 # iRights gw-irights.irights.netz @@ -394,7 +395,6 @@ file-km.anw-km.netz # - Kanzlei BLKR gw-blkr.oopen.de -172.16.162.89 file-blkr.blkr.netz # - Kanzlei EBS Leipzig @@ -426,7 +426,7 @@ gw-d11.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-gw-ersatz.ga.netz -ga-st-gw-surf1.oopen.de +ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de @@ -1238,6 +1238,7 @@ o26.oopen.de # o29.oopen.de backup.oopen.de git.oopen.de +gitea.oopen.de munin.oopen.de nscache.oopen.de @@ -1412,6 +1413,7 @@ o28.oopen.de o29.oopen.de backup.oopen.de git.oopen.de +gitea.oopen.de nscache.oopen.de munin.oopen.de @@ -1468,12 +1470,10 @@ gw-d11.oopen.de gw-ebs.oopen.de gw-elster.oopen.de gw-blkr.oopen.de -172.16.162.89 gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz gw-flr.oopen.de -172.16.102.22 gw-replacement.local.netz gw-replacement2.local.netz gw-replacement3.local.netz @@ -1488,7 +1488,7 @@ gw-kb.oopen.de k1371.dyndns.org ga-st-gw-ersatz.ga.netz -ga-st-gw-surf1.oopen.de +ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index a5a8da4..643f7c8 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml 
@@ -122,351 +122,63 @@ # --- -# Block Routers +# MAC Address Filtering Gaming Devices # --- -- name: Check if String 'drop_syn_flood..' (IPv4) is present - shell: grep -q -E "^#?drop_syn_flood=" /etc/ipt-firewall/main_ipv4.conf - register: drop_syn_flood_ipv4_present +- name: Check if String 'gaming_device_mac_addresses..' (IPv4) is present + shell: grep -q -E "^#?gaming_device_mac_addresses=" /etc/ipt-firewall/main_ipv4.conf + register: gaming_device_mac_addresses_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "drop_syn_flood_ipv4_present.rc > 1" - changed_when: "drop_syn_flood_ipv4_present.rc > 0" + failed_when: "gaming_device_mac_addresses_ipv4_present.rc > 1" + changed_when: "gaming_device_mac_addresses_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_mac_addresses) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*protect_against_several_attacks=true' + insertafter: '^#?\s*allow_remote_mac_src_addresses=' block: | - # Protection against syn-flooding - # - #drop_syn_flood=false + # ============= + # - MAC Address Filtering Gaming Devices + # ============= - # - I have to say that fragments scare me more than anything. - # - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" - # - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such - # - fragments is very OS-dependent (see this paper for details). - # - I am not going to trust any fragments. - # - Log fragments just to see if we get any, and deny them too + # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks # - - # - !! 'drop_fragments' does not work within telekom mobile connections !! 
+ # - Blank separated list # - - #drop_fragments=true - - # drop new packages without syn flag - # - #drop_new_not_sync=true - - # drop invalid packages - # - #drop_invalid_state=true - - # drop packages with unusal flags - # - #drop_invalid_flags=true - - # Refuse private addresses on extern interfaces - # - # Refuse packets claiming to be from a - # Class A private network - # Class B private network - # Class C private network - # loopback interface - # Class D multicast address - # Class E reserved IP address - # broadcast address - #drop_spoofed=true - - # Don't allow spoofing from that server - # - #drop_spoofed_out=true - - # Refusing packets claiming to be to the loopback interface protects against - # source quench, whereby a machine can be told to slow itself down by an icmp source - # quench to the loopback. - #drop_ext_to_lo=true - marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)" + gaming_device_mac_addresses="" + marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)" when: - main_ipv4_exists.stat.exists - - drop_syn_flood_ipv4_present is changed + - gaming_device_mac_addresses_ipv4_present is changed -- name: Check if String 'drop6_syn_flood..' (IPv6) is present +- name: Check if String 'gaming_device_mac_addresses..' 
(IPv6) is present shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf - register: drop6_syn_flood_ipv6_present + register: gaming_device_mac_addresses_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "drop6_syn_flood_ipv6_present.rc > 1" - changed_when: "drop6_syn_flood_ipv6_present.rc > 0" + failed_when: "gaming_device_mac_addresses_ipv6_present.rc > 1" + changed_when: "gaming_device_mac_addresses_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_mac_addresses) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*protect6_against_several_attacks=true' + insertafter: '^#?\s*allow_remote_mac_src_addresses=' block: | - # Protection against syn-flooding - # - #drop6_syn_flood=false + # ============= + # - MAC Address Filtering Gaming Devices + # ============= - # drop new packages without syn flag - # - #drop6_new_not_sync=true - - # drop invalid packages - # - #drop6_invalid_state=true - - # drop packages with unusal flags - # - #drop6_invalid_flags=true - - # Refuse spoofed packets pretending to be from your IP address. - # - #drop6_from_own_ip=true - - # Refuse private addresses on extern interfaces - # - #drop6_spoofed=true - marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)" + # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks + # - + # - Blank separated list + # - + gaming_device_mac_addresses="" + marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)" when: - main_ipv6_exists.stat.exists - - drop6_syn_flood_ipv6_present is changed - - -# --- -# Block UDP/TCP Ports out -# --- - -- name: Check if String 'block_udp_extern_out_ports..' 
(IPv4) is present - shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv4.conf - register: block_udp_extern_out_ports_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1" - changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*block_upnp_traffic_out' - block: | - - - # ============= - # --- Block UDP Ports out - # ============= - - # - UDP Ports to block (only extern out) - # - - # - Comma separated list of udp ports - # - - block_udp_extern_out_ports="" - - - # ============= - # --- Block TCP Ports out - # ============= - - # - TCP Ports to block (only extern out) - # - - # - Comma separated list of tcp ports - # - - block_tcp_extern_out_ports="${standard_turn_service_ports}" - marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" - when: - - main_ipv4_exists.stat.exists - - block_udp_extern_out_ports_ipv4_present is changed - - -- name: Check if String 'block_udp_extern_out_ports..' 
(IPv6) is present - shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv6.conf - register: block_udp_extern_out_ports_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1" - changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*block_upnp_traffic_out' - block: | - - - # ============= - # --- Block UDP Ports out - # ============= - - # - UDP Ports to block (only extern out) - # - - # - Comma separated list of udp ports - # - - block_udp_extern_out_ports="" - - - # ============= - # --- Block TCP Ports out - # ============= - - # - TCP Ports to block (only extern out) - # - - # - Comma separated list of tcp ports - # - - block_tcp_extern_out_ports="" - marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" - when: - - main_ipv6_exists.stat.exists - - block_udp_extern_out_ports_ipv6_present is changed - - -# --- -# jitsi video conference service -# --- - -- name: Check if String 'jitsi_tcp_ports=..' (IPv4) is present - shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf - register: jitsi_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "jitsi_service_ipv4_present.rc > 1" - changed_when: "jitsi_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. 
- # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv4_exists.stat.exists - - jitsi_service_ipv4_present is changed - -- name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present - shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf - register: jitsi_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "jitsi_service_ipv6_present.rc > 1" - changed_when: "jitsi_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mumble_ports' - block: | - - # ====== - # - Jitsi Video Conference Service - # ====== - - # - Jitsi Video Conference Service Gateway - # - - # - NOT YET IMPLEMENTED - # - - local_jitsi_video_conference_service=false - - # - Jitsi Video Conference Service Ports - # - - # - TCP 80: Webinterface. - # - TCP 443: Webinterface (SSL) - # - - # - UDP 10000-20000: Virtual Media for Remote Console - # - - jitsi_tcp_ports="$standard_jitsi_tcp_ports" - jitsi_udp_ports="$standard_jitsi_udp_port_range" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - jitsi_service_ipv6_present is changed - - -# --- -# TURN Server (Stun Server) (for Nextcloud 'talk' app) -# --- - -- name: Check if String 'nc_turn_ports=..' 
(IPv4) is present - shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv4.conf - register: nc_turn_service_ipv4_present - when: main_ipv4_exists.stat.exists - failed_when: "nc_turn_service_ipv4_present.rc > 1" - changed_when: "nc_turn_service_ipv4_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service) - blockinfile: - path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)" - when: - - main_ipv4_exists.stat.exists - - nc_turn_service_ipv4_present is changed - -- name: Check if String 'nc_turn_ports=..' 
(IPv6) is present - shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv6.conf - register: nc_turn_service_ipv6_present - when: main_ipv6_exists.stat.exists - failed_when: "nc_turn_service_ipv6_present.rc > 1" - changed_when: "nc_turn_service_ipv6_present.rc > 0" - -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*jitsi_udp_ports' - block: | - - # ====== - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # ====== - - # - TURN Server (Stun Server) (for Nextcloud 'talk' app) - # - - # - NOT YET IMPLEMENTED - # - - local_nc_turn_service="" - - # - Ports used by local TURN Server (Stun Server) - # - - # - comma separated list - # - - nc_turn_ports="$standard_turn_service_ports" - nc_turn_udp_ports="$standard_turn_service_udp_ports" - marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)" - when: - - main_ipv6_exists.stat.exists - - nc_turn_service_ipv6_present is changed + - gaming_device_mac_addresses_ipv6_present is changed # ---
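Review bot: The IPv6 check task is renamed and now registers `gaming_device_mac_addresses_ipv6_present`, but its unchanged `shell:` line still greps for `^#?drop6_syn_flood=` in main_ipv6.conf, so the task reports on the old variable and the gaming_device_mac_addresses block for IPv6 is inserted or skipped based on the wrong string; change it to `shell: grep -q -E "^#?gaming_device_mac_addresses=" /etc/ipt-firewall/main_ipv6.conf`. Neither grep uses shell features, so both check tasks could run under `command:` rather than `shell:`, and the `changed_when: rc > 0` idiom (pattern absent counts as "changed" and triggers the blockinfile) deserves a comment above each check, e.g. `# rc 1 (pattern absent) is treated as changed and triggers the blockinfile below`. The inserted block text contains typos ('MAC adresses', 'loacl') in both the IPv4 and IPv6 variants that will end up in the operators' config file. The IPv6 `insertafter` pattern `allow_remote_mac_src_addresses=` is copied from the IPv4 task; worth confirming that key exists in main_ipv6.conf, otherwise blockinfile appends at end of file.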