update..

2023-02-13 17:34:39 +01:00 · 2023-02-13 17:34:39 +01:00 · 22b9531c30
commit 22b9531c30
parent 5408f880eb
5 changed files with 270 additions and 330 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -150,6 +150,8 @@ apt_initial_install_stretch:
  - dbus
  - openssh-server
  - rssh
  - bash
  - bash-completion
  - vim
  - vim-common
  - vim-doc
@ -264,6 +266,8 @@ apt_initial_install_buster:
  - dbus
  - openssh-server
  - rush
  - bash
  - bash-completion
  - vim
  - vim-common
  - vim-doc
@ -383,6 +387,8 @@ apt_initial_install_bullseye:
  - dbus
  - openssh-server
  - rush
  - bash
  - bash-completion
  - vim
  - vim-common
  - vim-doc
--- a/host_vars/git.warenform.de.yml
+++ b/host_vars/git.warenform.de.yml
@ -0,0 +1,111 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_back_svn_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/gitea.oopen.de.yml
+++ b/host_vars/gitea.oopen.de.yml
@ -0,0 +1,111 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_back_svn_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/20
+++ b/20
@ -31,10 +31,8 @@ gw-fhxb.oopen.de
 gw-ckubu.local.netz
 gw-b3.oopen.de
 gw-blkr.oopen.de
 172.16.162.89
 gw-d11.oopen.de
 gw-flr.oopen.de
 172.16.102.22
 gw-irights.irights.netz
 gw-km.oopen.de
 gw-mbr.oopen.de
@ -57,7 +55,7 @@ gw-replacement3.local.netz
 k1371.dyndns.org
 ga-st-gw-ersatz.ga.netz
-ga-st-gw-surf1.oopen.de
+ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
 ga-st-lxc1.ga.netz
@ -161,8 +159,10 @@ o26.oopen.de
 # Backup Faire Mobilitaet
 o28.oopen.de
-# Backup Server
+# - o29.oopen.de Backup Server
 o29.oopen.de
 backup.oopen.de
 gitea.oopen.de
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@ -196,6 +196,7 @@ cl-test.oopen.de
 lxc-host-kb.anw-kb.netz
 [initial_setup]
 # ---
@ -317,6 +318,7 @@ o28.oopen.de
 o29.oopen.de
 backup.oopen.de
 git.oopen.de
 gitea.oopen.de
 munin.oopen.de
 nscache.oopen.de
@ -383,7 +385,6 @@ file-fhxb.fhxb.netz
 # Fluechtlingsrat BRB
 gw-flr.oopen.de
 172.16.102.22
 # iRights
 gw-irights.irights.netz
@ -394,7 +395,6 @@ file-km.anw-km.netz
 # - Kanzlei BLKR
 gw-blkr.oopen.de
 172.16.162.89
 file-blkr.blkr.netz
 # - Kanzlei EBS Leipzig
@ -426,7 +426,7 @@ gw-d11.oopen.de
 # - GA - Gemeinschaft Altensclirf
 ga-st-gw-ersatz.ga.netz
-ga-st-gw-surf1.oopen.de
+ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
@ -1238,6 +1238,7 @@ o26.oopen.de
 # o29.oopen.de
 backup.oopen.de
 git.oopen.de
 gitea.oopen.de
 munin.oopen.de
 nscache.oopen.de
@ -1412,6 +1413,7 @@ o28.oopen.de
 o29.oopen.de
 backup.oopen.de
 git.oopen.de
 gitea.oopen.de
 nscache.oopen.de
 munin.oopen.de
@ -1468,12 +1470,10 @@ gw-d11.oopen.de
 gw-ebs.oopen.de
 gw-elster.oopen.de
 gw-blkr.oopen.de
 172.16.162.89
 gw-ak.oopen.de
 gw-akb.oopen.de
 gw-ckubu.local.netz
 gw-flr.oopen.de
 172.16.102.22
 gw-replacement.local.netz
 gw-replacement2.local.netz
 gw-replacement3.local.netz
@ -1488,7 +1488,7 @@ gw-kb.oopen.de
 k1371.dyndns.org
 ga-st-gw-ersatz.ga.netz
-ga-st-gw-surf1.oopen.de
+ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
--- a/roles/modify-ipt-gateway/tasks/main.yml
+++ b/roles/modify-ipt-gateway/tasks/main.yml
@ -122,351 +122,63 @@
 # ---
-# Block Routers
+# MAC Address Filtering Gaming Devices
 # ---
- name: Check if String 'drop_syn_flood..' (IPv4) is present
+- name: Check if String 'gaming_device_mac_addresses..' (IPv4) is present
-  shell: grep -q -E "^#?drop_syn_flood=" /etc/ipt-firewall/main_ipv4.conf
+  shell: grep -q -E "^#?gaming_device_mac_addresses=" /etc/ipt-firewall/main_ipv4.conf
-  register: drop_syn_flood_ipv4_present
+  register: gaming_device_mac_addresses_ipv4_present
  when: main_ipv4_exists.stat.exists
-  failed_when: "drop_syn_flood_ipv4_present.rc > 1"
+  failed_when: "gaming_device_mac_addresses_ipv4_present.rc > 1"
-  changed_when: "drop_syn_flood_ipv4_present.rc > 0"
+  changed_when: "gaming_device_mac_addresses_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood)
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_mac_addresses)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
-    insertafter: '^#?\s*protect_against_several_attacks=true'
+    insertafter: '^#?\s*allow_remote_mac_src_addresses='
    block: |
-      # Protection against syn-flooding
+      # =============
-      #
+      # -  MAC Address Filtering Gaming Devices
-      #drop_syn_flood=false
+      # =============
-      # - I have to say that fragments scare me more than anything.
+      # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks
      # - Sending lots of non-first fragments was what allowed Jolt2  to effectively "drown"
      # - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
      # - fragments is very OS-dependent (see this paper for details).
      # - I am not going to trust any fragments.
      # - Log fragments just to see if we get any, and deny them too
      # -
-      # - !! 'drop_fragments' does not work within telekom mobile connections !!
+      # - Blank separated list
      # -
-      #drop_fragments=true
+      gaming_device_mac_addresses=""
-
+    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)"
      # drop new packages without syn flag
      #
      #drop_new_not_sync=true
      # drop invalid packages
      #
      #drop_invalid_state=true
      # drop packages with unusal flags
      #
      #drop_invalid_flags=true
      # Refuse private addresses on extern interfaces
      #
      # Refuse packets claiming to be from a
      #   Class A private network
      #   Class B private network
      #   Class C private network
      #   loopback interface
      #   Class D multicast address
      #   Class E reserved IP address
      #   broadcast address
      #drop_spoofed=true
      # Don't allow spoofing from that server
      #
      #drop_spoofed_out=true
      # Refusing packets claiming to be to the loopback interface protects against
      # source quench, whereby a machine can be told to slow itself down by an icmp source
      # quench to the loopback.
      #drop_ext_to_lo=true
    marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)"
  when: 
    - main_ipv4_exists.stat.exists
-    - drop_syn_flood_ipv4_present is changed
+    - gaming_device_mac_addresses_ipv4_present is changed
- name: Check if String 'drop6_syn_flood..' (IPv6) is present
+- name: Check if String 'gaming_device_mac_addresses..' (IPv6) is present
  shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf
-  register: drop6_syn_flood_ipv6_present
+  register: gaming_device_mac_addresses_ipv6_present
  when: main_ipv6_exists.stat.exists
-  failed_when: "drop6_syn_flood_ipv6_present.rc > 1"
+  failed_when: "gaming_device_mac_addresses_ipv6_present.rc > 1"
-  changed_when: "drop6_syn_flood_ipv6_present.rc > 0"
+  changed_when: "gaming_device_mac_addresses_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood)
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_mac_addresses)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
-    insertafter: '^#?\s*protect6_against_several_attacks=true'
+    insertafter: '^#?\s*allow_remote_mac_src_addresses='
    block: |
-      # Protection against syn-flooding
+      # =============
-      #
+      # -  MAC Address Filtering Gaming Devices
-      #drop6_syn_flood=false
+      # =============
-      # drop new packages without syn flag
+      # - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks
-      #
+      # -
-      #drop6_new_not_sync=true
+      # - Blank separated list
-
+      # -
-      # drop invalid packages
+      gaming_device_mac_addresses=""
-      #
+    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_mac_addresses)"
      #drop6_invalid_state=true
      # drop packages with unusal flags
      #
      #drop6_invalid_flags=true
      # Refuse spoofed packets pretending to be from your IP address.
      #
      #drop6_from_own_ip=true
      # Refuse private addresses on extern interfaces
      #
      #drop6_spoofed=true
    marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)"
  when: 
    - main_ipv6_exists.stat.exists
-    - drop6_syn_flood_ipv6_present is changed
+    - gaming_device_mac_addresses_ipv6_present is changed
 # ---
 # Block UDP/TCP Ports out
 # ---
 - name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present
  shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: block_udp_extern_out_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1"
  changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*block_upnp_traffic_out'
    block: |
      # =============
      # --- Block UDP Ports out
      # =============
      # - UDP Ports to block (only extern out)
      # -
      # - Comma separated list of udp ports
      # -
      block_udp_extern_out_ports=""
      # =============
      # --- Block TCP Ports out
      # =============
      # - TCP Ports to block (only extern out)
      # -
      # - Comma separated list of tcp ports
      # -
      block_tcp_extern_out_ports="${standard_turn_service_ports}"
    marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
  when: 
    - main_ipv4_exists.stat.exists
    - block_udp_extern_out_ports_ipv4_present is changed
 - name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present
  shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: block_udp_extern_out_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1"
  changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*block_upnp_traffic_out'
    block: |
      # =============
      # --- Block UDP Ports out
      # =============
      # - UDP Ports to block (only extern out)
      # -
      # - Comma separated list of udp ports
      # -
      block_udp_extern_out_ports=""
      # =============
      # --- Block TCP Ports out
      # =============
      # - TCP Ports to block (only extern out)
      # -
      # - Comma separated list of tcp ports
      # -
      block_tcp_extern_out_ports=""
    marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
  when: 
    - main_ipv6_exists.stat.exists
    - block_udp_extern_out_ports_ipv6_present is changed
 # ---
 # jitsi video conference service
 # ---
 - name: Check if String 'jitsi_tcp_ports=..' (IPv4) is present
  shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: jitsi_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "jitsi_service_ipv4_present.rc > 1"
  changed_when: "jitsi_service_ipv4_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*mumble_ports'
    block: |
      # ======
      # - Jitsi Video Conference Service
      # ======
      # - Jitsi Video Conference Service Gateway
      # -
      # - NOT YET IMPLEMENTED
      # -
      local_jitsi_video_conference_service=false
      # - Jitsi Video Conference Service Ports
      # -
      # - TCP 80:    Webinterface.
      # - TCP 443:   Webinterface (SSL)
      # -
      # - UDP 10000-20000:   Virtual Media for Remote Console
      # -
      jitsi_tcp_ports="$standard_jitsi_tcp_ports"
      jitsi_udp_ports="$standard_jitsi_udp_port_range"
    marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)"
  when: 
    - main_ipv4_exists.stat.exists
    - jitsi_service_ipv4_present is changed
 - name: Check if String 'jitsi_tcp_ports=..' (IPv6) is present
  shell: grep -q -E "^jitsi_tcp_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: jitsi_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "jitsi_service_ipv6_present.rc > 1"
  changed_when: "jitsi_service_ipv6_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*mumble_ports'
    block: |
       # ======
       # - Jitsi Video Conference Service
       # ======
       # - Jitsi Video Conference Service Gateway
       # -
       # - NOT YET IMPLEMENTED
       # -
       local_jitsi_video_conference_service=false
       # - Jitsi Video Conference Service Ports
       # -
       # - TCP 80:    Webinterface.
       # - TCP 443:   Webinterface (SSL)
       # -
       # - UDP 10000-20000:   Virtual Media for Remote Console
       # -
       jitsi_tcp_ports="$standard_jitsi_tcp_ports"
       jitsi_udp_ports="$standard_jitsi_udp_port_range"
    marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)"
  when: 
    - main_ipv6_exists.stat.exists
    - jitsi_service_ipv6_present is changed
 # ---
 # TURN Server (Stun Server) (for Nextcloud 'talk' app)
 # ---
 - name: Check if String 'nc_turn_ports=..' (IPv4) is present
  shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: nc_turn_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: "nc_turn_service_ipv4_present.rc > 1"
  changed_when: "nc_turn_service_ipv4_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*jitsi_udp_ports'
    block: |
      # ======
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # ======
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # -
      # - NOT YET IMPLEMENTED
      # -
      local_nc_turn_service=""
      # - Ports used by local TURN Server (Stun Server)
      # -
      # - comma separated list
      # -
      nc_turn_ports="$standard_turn_service_ports"
      nc_turn_udp_ports="$standard_turn_service_udp_ports"
    marker: "# Marker set by modify-ipt-gateway.yml (nc's turn service)"
  when: 
    - main_ipv4_exists.stat.exists
    - nc_turn_service_ipv4_present is changed
 - name: Check if String 'nc_turn_ports=..' (IPv6) is present
  shell: grep -q -E "^nc_turn_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: nc_turn_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: "nc_turn_service_ipv6_present.rc > 1"
  changed_when: "nc_turn_service_ipv6_present.rc > 0"
 - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*jitsi_udp_ports'
    block: |
      # ======
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # ======
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # -
      # - NOT YET IMPLEMENTED
      # -
      local_nc_turn_service=""
      # - Ports used by local TURN Server (Stun Server)
      # -
      # - comma separated list
      # -
      nc_turn_ports="$standard_turn_service_ports"
      nc_turn_udp_ports="$standard_turn_service_udp_ports"
    marker: "# Marker set by modify-ipt-gateway.yml (jitsi service)"
  when: 
    - main_ipv6_exists.stat.exists
    - nc_turn_service_ipv6_present is changed
 # ---