diff --git a/files/homedirs/chris/_vimrc b/files/homedirs/chris/_vimrc index 52e08f4..686cbb8 100644 --- a/files/homedirs/chris/_vimrc +++ b/files/homedirs/chris/_vimrc @@ -175,4 +175,7 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ set laststatus=2 highlight StatusLine cterm=none ctermfg=white ctermbg=blue +"Remove all trailing whitespace by pressing F5 +nnoremap :let _s=@/:%s/\s\+$//e:let @/=_s + colorscheme PaperColor diff --git a/files/homedirs/root/_vimrc b/files/homedirs/root/_vimrc index 52e08f4..686cbb8 100644 --- a/files/homedirs/root/_vimrc +++ b/files/homedirs/root/_vimrc @@ -175,4 +175,7 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ set laststatus=2 highlight StatusLine cterm=none ctermfg=white ctermbg=blue +"Remove all trailing whitespace by pressing F5 +nnoremap :let _s=@/:%s/\s\+$//e:let @/=_s + colorscheme PaperColor diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 9d12c14..fb94574 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2610,6 +2610,10 @@ copy_plain_files_postfix: src_path: mailserver/etc/postfix/body_check.pcre dest_path: /etc/postfix/body_check.pcre + - name: smtpd_milter_map + src_path: mailserver/etc/postfix/smtpd_milter_map + dest_path: /etc/postfix/smtpd_milter_map + copy_plain_files_postfwd: diff --git a/group_vars/oopen_office_ga.yml b/group_vars/oopen_office_ga.yml index 2ff300c..8e2a7cc 100644 --- a/group_vars/oopen_office_ga.yml +++ b/group_vars/oopen_office_ga.yml 
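Review bot: In the group_vars/all/main.yml hunk the new `smtpd_milter_map` entry only copies the file into `/etc/postfix`; if that table is a `hash:` type, Postfix also needs a `postmap` run to build the `.db` next to it, and nothing visible in `copy_plain_files_postfix` (entries carry only `src_path`/`dest_path`, no handler) does that, whereas `cidr:`/`pcre:`/`regexp:` tables are read directly and would not need it. Which case applies cannot be told from this hunk. A comment on the entry such as `# lookup type: <hash|cidr|pcre>; hash tables require postmap after copy` would let the next maintainer check the role's handlers against it.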
@@ -59,8 +59,6 @@ default_user: - name: wadmin password: $6$7oimWvvy$EHjynqU3KxaHie.9njz9rmVyh/dYpZOREl9gLo7fLrQXCAM9LqvrRvijCiAhfgnA6pz5VQe5oubkJQB0HF2pf/ - user_id: 1001 - group_id: 1001 shell: /bin/bash ssh_keys: - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSwqi8XhpwFWjtxC99MyGbt6E41C92Tv3ZVZPZ5eFNuyGY+RzTAF3PYymBWOPcM6cPQYihNLzjWEGOJccA2qac4Vu0sPQKu2njuiydN7vfHUZ9lvQuita7/uuwCRYDbHyVF5mSeqEKC5bOMIyanMpYghkH975Uzm2LSGtgT8u3/wEfizt3WpthCcAfVO8kU7wiMoikJcW249kBUGJxIqKrs8zJZC+6/OmnRmkgc9JlNvBTdGi9zhCSLJ7pEbuOjFMmjFTHpDRYHR6XhYsfImAPM4N3GOfRn9Cx/jTEV9sO7IoFRXwMgE1obuEntCzWAfUQJC/8HGS7sGUVHUfE3loz wadmin@ga13wks03' diff --git a/host_vars/172.16.162.89.yml b/host_vars/172.16.162.89.yml deleted file mode 100644 index d8bf42c..0000000 --- a/host_vars/172.16.162.89.yml +++ /dev/null 
@@ -1,291 +0,0 @@ ---- - -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - - resolvconf - -network_interfaces: - - - device: eno1 - headline: eno1 - Uplink DSL via Fritz!Box - auto: true - family: inet - method: static - address: 172.16.162.2 - netmask: 24 - gateway: 172.16.162.254 - nameservers: - - 127.0.0.1 - search: blkr.netz - - - - device: eno2 - headline: eno2 - LAN - auto: true - family: inet - method: static - address: 192.168.162.253 - netmask: 24 - - - #- device: eno2:ns - # headline: eno2:ns - Alias on eno2 (Nameserver) - # auto: true - # family: inet - # method: static - # address: 192.168.162.1 - # netmask: 32 - - - - device: eno3 - headline: eno3 - WLAN - auto: true - family: inet - method: static - address: 192.168.163.254 - netmask: 24 - - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by roles/common/tasks/basic.yml -# --- - -cron_user_entries: - - - name: "Check if Postfix Mailservice is up and running?" - minute: '*/15' - hour: '*' - job: /root/bin/monitoring/check_postfix.sh - - - name: "Check Postfix E-Mail LOG file for 'fatal' errors" - minute: '17' - hour: '*' - job: /root/bin/monitoring/check_postfix.sh - - - name: "Check if SSH service is up and running?" - minute: '*/15' - hour: '*' - job: /root/bin/monitoring/check_ssh.sh - - - name: "Check if OpenVPN service is up and running?" - minute: '*/30' - hour: '*' - job: /root/bin/monitoring/check_vpn.sh - - - name: "Check if nameservice (bind) is running?" 
- minute: '*/10' - hour: '*' - job: /root/bin/monitoring/check_dns.sh - - - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" - minute: '0-59/2' - hour: '*' - job: /root/bin/monitoring/check_forwarding.sh - - - name: "Copy gateway configuration" - minute: '09' - hour: '3' - job: /root/bin/manage-gw-config/copy_gateway-config.sh BLKR - - -#cron_user_special_time_entries: [] -cron_user_special_time_entries: - - - name: "Check if Postfix Service is running at boot time" - special_time: reboot - job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" - insertafter: PATH - - - name: "Restart Systemd's resolved at boottime." - special_time: reboot - job: "sleep 10 ; /bin/systemctl restart systemd-resolved" - insertafter: PATH - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - -sshd_hostkeyalgorithms: - - ssh-ed25519 - - ssh-ed25519-cert-v01@openssh.com - - rsa-sha2-256 - - rsa-sha2-512 - - ecdsa-sha2-nistp256 - - rsa-sha2-256-cert-v01@openssh.com - - rsa-sha2-512-cert-v01@openssh.com - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -insert_ssh_keypair_backup_server: false -ssh_keypair_backup_server: - - name: backup - backup_user: back - priv_key_src: root/.ssh/id_rsa.backup.oopen.de - priv_key_dest: /root/.ssh/id_rsa - pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub - pub_key_dest: /root/.ssh/id_rsa.pub - -insert_keypair_backup_client: true -ssh_keypair_backup_client: - - name: backup - priv_key_src: root/.ssh/id_ed25519.oopen-server - priv_key_dest: /root/.ssh/id_ed25519 - pub_key_src: root/.ssh/id_ed25519.oopen-server.pub - pub_key_dest: /root/.ssh/id_ed25519.pub - target: backup.oopen.de - -default_user: - - - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
- shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: sysadm - user_id: 1050 - group_id: 1050 - group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - -sudo_users: - - chris - - sysadm - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - -install_bind_packages: true - -bind9_gateway_acl: - - local-net: - name: local-net - entries: - - 127.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 10.0.0.0/8 - - fc00::/7 - - fe80::/10 - - ::1/128 - - internaldns: - name: internaldns - entries: - - '// Nameserver Kanzlei EBS' - - 192.168.182.1 - -bind9_gateway_listen_on_v6: - - none - -bind9_gateway_listen_on: - - any - -#bind9_gateway_allow_transfer: {} -bind9_gateway_allow_transfer: - - internaldns - -bind9_transfer_source: !!str "192.168.162.1" -bind9_notify_source: !!str "192.168.162.1" - -#bind9_gateway_allow_query: {} -bind9_gateway_allow_query: - - local-net - -#bind9_gateway_allow_query_cache: {} -bind9_gateway_allow_query_cache: - - 
local-net - -bind9_gateway_recursion: !!str "yes" -#bind9_gateway_allow_recursion: {} -bind9_gateway_allow_recursion: - - local-net - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -git_firewall_repository: - name: ipt-gateway - repo: https://git.oopen.de/firewall/ipt-gateway - dest: /usr/local/src/ipt-gateway - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. - diff --git a/host_vars/a.mx.oopen.de.yml b/host_vars/a.mx.oopen.de.yml index 3b39ed7..e0381fa 100644 --- a/host_vars/a.mx.oopen.de.yml +++ b/host_vars/a.mx.oopen.de.yml 
@@ -29,6 +29,76 @@ install_compiler_pkgs: true install_postgresql_pkgs: true +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 185.12.64.2 + + # --- # vars used by roles/common/tasks/users.yml # --- 
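Review bot: The comment `# dns.as250.net: 194.150.168.168` directly above `resolved_fallback_nameserver` does not describe the value beneath it, which here is `185.12.64.2`; the same copied comment sits over `185.12.64.2` in mail.cadus.org.yml, `192.168.11.1` in ga-st-mail.ga.netz.yml and `192.168.10.1`/`192.168.10.3` in the new ga-st-services.ga.netz.yml. Replace it per host with what the address actually is, e.g. `# <provider/role of this fallback resolver>; only consulted when no regular DNS server is configured`, if that is how the role maps it to FallbackDNS=. The ~45-line German list of public resolvers is pasted verbatim into every host file touched by this commit (c.mx, cl-01, cl-02, cloud.akweb, ga-st-mail, ga-st-services, mail.cadus.org); keeping it once in the systemd-resolved role's defaults or README would leave the host files with just their values. `- ~.` is read as the string "~." by PyYAML, but it is one character away from the null sigil; `- '~.'` makes the routing-domain intent explicit for readers and linters.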
diff --git a/host_vars/c.mx.oopen.de.yml b/host_vars/c.mx.oopen.de.yml index bc0fac7..eceef9d 100644 --- a/host_vars/c.mx.oopen.de.yml +++ b/host_vars/c.mx.oopen.de.yml 
@@ -26,7 +26,77 @@ install_compiler_pkgs: true -install_postgresql_pkgs: true +install_postgresql_pkgs: false + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 # --- 
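Review bot: `install_postgresql_pkgs` flips from `true` to `false` at the top of this hunk, which is unrelated to the systemd-resolved rollout the rest of the commit performs and is easy to miss behind 70 added comment lines. Whether this removes PostgreSQL from c.mx or merely stops tracking an installed package depends on the apt role, which is not visible here; either outcome deserves to be deliberate on a mail host. Split the flip into its own commit, or leave the reason beside it, e.g. `# <why PostgreSQL is no longer wanted on this host>`.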
@@ -53,7 +123,6 @@ root_ssh_keypair: pub_key_dest: /root/.ssh/id_rsa.pub - # --- # vars used by roles/common/tasks/users-systemfiles.yml # --- @@ -135,8 +204,6 @@ copy_plain_files_postfwd_host_specific: [] - - # --- # vars used by roles/common/tasks/config_files_mailsystem_scripts.yml # --- diff --git a/host_vars/cl-01.oopen.de.yml b/host_vars/cl-01.oopen.de.yml index a7c1f06..1adf9a7 100644 --- a/host_vars/cl-01.oopen.de.yml +++ b/host_vars/cl-01.oopen.de.yml 
@@ -26,10 +26,142 @@ sshd_permit_root_login: !!str "prohibit-password" # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 213.133.100.100 + - 213.133.98.98 + - 2a01:4f8:0:1::add:9999 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:1010 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + + user_id: 1051 + group_id: 1051 + group: localadmin + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: cryptpad + user_id: 2010 + group_id: 2010 + group: cryptpad + home: /var/www/cryptpad + password: $y$j9T$TUSURhYNq5B1eWlxis.xy.$YfCpyp24dmaZwiIEMaJvX7u3P.MEdAyz8YXMusM4lu7 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/cl-02.oopen.de.yml b/host_vars/cl-02.oopen.de.yml index a7c1f06..984d873 100644 --- a/host_vars/cl-02.oopen.de.yml +++ b/host_vars/cl-02.oopen.de.yml 
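Review bot: `resolved_nameserver` lists `213.133.100.100` twice (first and fifth entry), and unlike the otherwise parallel list in cl-02.oopen.de.yml it lacks `213.133.99.99`, so the fifth entry looks like a copy error; `- 213.133.99.99` in its place would make the two hosts agree. Separately, this hunk and the matching ones in cl-02.oopen.de.yml and cloud.akweb.de.yml add `default_user` entries whose `password:` values are crypt hashes stored unencrypted in the inventory and byte-identical across the hosts, so one hash covers the admin accounts of all three for anyone who can read the repository. Wrapping the `password` values with ansible-vault (`!vault`), and using a distinct hash per host, would contain that.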
@@ -26,10 +26,129 @@ sshd_permit_root_login: !!str "prohibit-password" # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 213.133.99.99 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:9999 + - 213.133.98.98 + - 2a01:4f8:0:1::add:1010 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/cloud.akweb.de.yml b/host_vars/cloud.akweb.de.yml index a7c1f06..8ceb621 100644 
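Review bot: The `localadmin` entry has no `group: localadmin` key, whereas the same entry in cl-01.oopen.de.yml and the neighbouring `sysadm`/`back` entries all carry `group:` next to `user_id`/`group_id`; whether the users role still creates a `localadmin` group with gid 1051 without it depends on how the role treats a missing `group`, which is not visible here. cloud.akweb.de.yml has the same omission. Adding `group: localadmin` keeps the three hosts consistent.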
--- a/host_vars/cloud.akweb.de.yml +++ b/host_vars/cloud.akweb.de.yml 
@@ -26,10 +26,128 @@ sshd_permit_root_login: !!str "prohibit-password" # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:9999 + - 185.12.64.2 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/ga-st-mail.ga.netz.yml b/host_vars/ga-st-mail.ga.netz.yml index 072fd59..f543658 100644 
--- a/host_vars/ga-st-mail.ga.netz.yml +++ b/host_vars/ga-st-mail.ga.netz.yml 
@@ -29,6 +29,77 @@ install_compiler_pkgs: true install_postgresql_pkgs: true +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 192.168.11.1 + + # --- # vars used by roles/common/tasks/users.yml # --- 
diff --git a/host_vars/ga-st-services.ga.netz.yml b/host_vars/ga-st-services.ga.netz.yml new file mode 100644 index 0000000..cbc5705 --- /dev/null +++ b/host_vars/ga-st-services.ga.netz.yml 
@@ -0,0 +1,159 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +install_compiler_pkgs: true + +install_postgresql_pkgs: false + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.11.1 + +# search domains +# +# If there are more than one search domains, then specify them here 
in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 192.168.10.1 + - 192.168.10.3 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: ga-st-mail/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index a9d7809..3dc5b72 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -18,7 +18,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: @@ -30,10 +29,6 @@ network_interfaces: address: 172.16.182.1 netmask: 24 gateway: 172.16.182.254 - nameservers: - - 127.0.0.1 - - 192.168.182.1 - search: ebs.netz kanzlei-kiel.netz elster.netz - device: eno2 diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml index 053d7b7..35f0aca 100644 --- a/host_vars/mail.cadus.org.yml +++ b/host_vars/mail.cadus.org.yml 
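Review bot: In the new ga-st-services.ga.netz.yml the commented-out `copy_files` entries are indented one level under a heading with no active key, and their `src_path: ga-st-mail/etc/postfix/postfwd.wl-user` points into the ga-st-mail host's file tree rather than this host's, so they read as template residue from the mail host. Either drop the block or keep it at column 0 with a path for this host, e.g. `#- name: <file>` / `#  src_path: ga-st-services/<path>`. The same new file carries the stale `# dns.as250.net: 194.150.168.168` comment over `192.168.10.1`/`192.168.10.3`, already noted on the a.mx.oopen.de.yml hunk.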
@@ -29,6 +29,76 @@ install_compiler_pkgs: true install_postgresql_pkgs: false +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 185.12.64.2 + + # --- # vars used by roles/common/tasks/users.yml # --- 
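Review bot: `resolved_nameserver: - 127.0.0.1` makes the host's only configured DNS server a local service on port 53 that this file never names, and the same pattern is used in mail.faire-mobilitaet.de and mx.warenform.de. Presumably the caching nameserver configured elsewhere in this inventory listens there, but if it is stopped or misconfigured, resolution silently degrades to the single external `resolved_fallback_nameserver` entry (here 185.12.64.2) with DNSSEC disabled. A short comment above the key, such as `# local caching nameserver (see roles/common/tasks/caching-nameserver.yml); resolved's own stub is on 127.0.0.53`, would document the dependency and rule out a loop for the next reader.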
diff --git a/host_vars/mail.faire-mobilitaet.de.yml b/host_vars/mail.faire-mobilitaet.de.yml index 2289f29..01459ff 100644 --- a/host_vars/mail.faire-mobilitaet.de.yml +++ b/host_vars/mail.faire-mobilitaet.de.yml 
@@ -29,6 +29,76 @@ install_compiler_pkgs: true install_postgresql_pkgs: true +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 185.12.64.1 + + # --- # vars used by roles/common/tasks/users.yml # --- 
diff --git a/host_vars/meet.akweb.de.yml b/host_vars/meet.akweb.de.yml new file mode 100644 index 0000000..b79b0ec --- /dev/null +++ b/host_vars/meet.akweb.de.yml 
@@ -0,0 +1,201 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "prohibit-password" + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:9999 + - 185.12.64.2 + +# search domains +# +# If there 
are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +git_other_repositories: + - name: jitsi + repo: https://git.oopen.de/install/jitsi + dest: /usr/local/src/jitsi + + - name: etherpad-lite + repo: https://git.oopen.de/install/etherpad-lite + dest: /usr/local/src/etherpad-lite + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/mx.warenform.de.yml b/host_vars/mx.warenform.de.yml index 987f315..b38af47 100644 --- a/host_vars/mx.warenform.de.yml +++ b/host_vars/mx.warenform.de.yml 
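Review bot: The `password:` entries under `default_user` are SHA-512 crypt hashes committed in clear text, and the hashes for `chris`, `localadmin` and `back` are byte-identical to the ones added for nd-live.warenform.de and o20.oopen.de in this same commit, so one password is shared across all three hosts. Identical salt and hash means a single offline crack, or one host compromise, unlocks the same accounts everywhere; per-host passwords and storing the hashes as `!vault` strings (ansible-vault) would address both. The `root_user.password` hash added for nd-live and o20 is likewise identical on both hosts. Separately, `sshd_permit_root_login: !!str "prohibit-password"` carries a redundant tag, since the double-quoted scalar is already a string; `sshd_permit_root_login: "prohibit-password"` is enough.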
@@ -29,6 +29,76 @@ install_compiler_pkgs: true install_postgresql_pkgs: true +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 83.223.66.51 + + # --- # vars used by roles/common/tasks/users.yml # --- 
@@ -163,7 +233,7 @@ Das WARENFORM-Team\n --\n WARENFORM | Phone: +49 30 / 61 65 17 52 -0\n -Dresdner Str. 11 | Fax: +49 30 / 61 65 17 52 -66\n +Schierker Str. 24 | Fax: +49 30 / 61 65 17 52 -66\n D-10999 Berlin | http://www.warenform.net\n " @@ -177,7 +247,7 @@ salutation: "Das WARENFORM-Team\n WARENFORM | Phone: +49 30 / 61 65 17 52 -0\n -Dresdner Str. 11 | Fax: +49 30 / 61 65 17 52 -66\n +Schierker Str. 24 | Fax: +49 30 / 61 65 17 52 -66\n D-10999 Berlin | http://www.warenform.net\n" diff --git a/host_vars/nd-live.warenform.de.yml b/host_vars/nd-live.warenform.de.yml new file mode 100644 index 0000000..10f71de --- /dev/null +++ b/host_vars/nd-live.warenform.de.yml 
@@ -0,0 +1,225 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_extra_pkgs: true +apt_extra_pkgs: + - wkhtmltopdf + - subversion + - subversion-tools + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 212.42.230.1 + - 83.223.66.51 + - 83.223.90.90 + +# search domains +# 
+# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - warenform.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +create_sftp_group: false + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.warenform.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.warenform.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.warenform-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.warenform-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.warenform.de + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: axel + password: $6$zUWC465e$XblctxwnBIOa7mPcN6foEQrwChjpwoY7lLtacXJrSsvjZS3I6Ox1mYUtN3/gzkvpbzOPx/9PlRJV.mbl939mD. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOPnP788dlfeFi9oo8UkS0Chi/jcxUGjsOuQnxW/GR+ axel@wf.netz' + + - name: sysadm + user_id: 1050 + group_id: 1050 + password: $6$vvccwrTc$Sz1HaSb3ujObprltiG7D6U1Rr3fpgfjkKuDDWYdHzPkPx/0pEofCWC.vyTn78hcemkntl.6wVUOnJnNloKt/E/ + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOPnP788dlfeFi9oo8UkS0Chi/jcxUGjsOuQnxW/GR+ axel@wf.netz' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - axel + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/nd.warenform.de.yml b/host_vars/nd.warenform.de.yml index d040269..6a232bd 100644 --- a/host_vars/nd.warenform.de.yml +++ b/host_vars/nd.warenform.de.yml 
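Review bot: `ssh_keypair_backup_client` points `priv_key_src` at `root/.ssh/id_ed25519.warenform-server`, which reads as a private key kept in the repository's files tree and copied verbatim to `/root/.ssh/id_ed25519`. If that file is not vault-encrypted, everyone with read access to the repository holds root's backup-client key for `backup.warenform.de`; consider storing it with ansible-vault or generating it on the host and distributing only the public half. I cannot see the files directory from this diff, so this is a point to confirm rather than a definite finding. The `- name: axel` entry also lacks the `user_id`/`group_id` pair every other non-default account in this file sets, which may be intentional but is worth a comment.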
@@ -27,10 +27,83 @@ apt_install_extra_pkgs: true apt_extra_pkgs: - wkhtmltopdf + - pdftk - subversion - subversion-tools +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 212.42.230.1 + - 83.223.66.51 + - 83.223.90.90 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - warenform.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- @@ -91,8 +164,6 @@ default_user: ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-rsa 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 jonas@meurer.it' - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' - name: back user_id: 1060 diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index 5d39ffa..47b5693 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml @@ -17,7 +17,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: diff --git a/host_vars/o18.oopen.de.yml b/host_vars/o18.oopen.de.yml index c7515ba..dccdf31 100644 --- a/host_vars/o18.oopen.de.yml +++ b/host_vars/o18.oopen.de.yml @@ -18,7 +18,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: diff --git a/host_vars/o20.oopen.de.yml b/host_vars/o20.oopen.de.yml new file mode 100644 index 0000000..d3480d8 --- /dev/null 
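Review bot: Dropping the two `ssh-rsa` keys from `ssh_keys` only removes them from the desired state; whether they disappear from the account's `authorized_keys` on nd.warenform.de depends on how the users role applies the list. If it uses the `authorized_key` module with `state: present` and without `exclusive: true`, the keys deleted here stay valid on the host until someone removes them by hand. Please confirm the role's behaviour, or add a one-off `state: absent` task for the revoked keys, and note the revocation date in a comment above `ssh_keys`. The `default_user` mapping this hunk edits starts and ends outside the hunk.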
+++ b/host_vars/o20.oopen.de.yml 
@@ -0,0 +1,266 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 213.133.99.99 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:9999 + - 213.133.98.98 + - 2a01:4f8:0:1::add:1010 + +# search domains +# +# If there 
are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + + +cron_user_entries: + + - name: "Check if webservices sre running. Restart if necessary" + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_webservice_load.sh + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check connectifity - reboot if needed" + minute: '*/10' + hour: '*' + job: /root/bin/admin-stuff/check-connectivity.sh + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check Postfix E-Mail LOG file for 'fatal' errors.." 
+ minute: '*/17' + hour: '*' + job: /root/bin/postfix/check-postfix-fatal-errors.sh + + - name: "Optimize mysql tables" + minute: '51' + hour: '04' + job: /root/bin/mysql/optimize_mysql_tables.sh + + - name: "Flush query cache for mysql tables" + minute: '27' + hour: '04' + job: /root/bin/mysql/flush_query_cache.sh + + - name: "Flush Host cache" + minute: '17' + hour: '05' + job: /root/bin/mysql/flush_host_cache.sh + + - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)" + minute: '31' + hour: '05' + job: /var/lib/dehydrated/cron/dehydrated_cron.sh + + - name: "Check whether all certificates are included in the VHOST configurations" + minute: '43' + hour: '05' + job: /var/lib/dehydrated/tools/update_ssl_directives.sh + + - name: "Check hard disc usage." + minute: '43' + hour: '6' + job: /root/bin/admin-stuff/check-disc-usage.sh -c 85 + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o22.oopen.de.yml b/host_vars/o22.oopen.de.yml index be61cb9..e5eb7cb 100644 --- a/host_vars/o22.oopen.de.yml +++ b/host_vars/o22.oopen.de.yml @@ -17,7 +17,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: diff --git a/host_vars/o30.oopen.de.yml b/host_vars/o30.oopen.de.yml index dd4057c..86fcc46 100644 --- a/host_vars/o30.oopen.de.yml +++ b/host_vars/o30.oopen.de.yml @@ -55,18 +55,6 @@ network_interfaces: server: hwaddr: - # optional dns settings nameservers: [] - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - nameservers: - - 195.201.179.131 - - 95.217.204.204 - search: - # optional additional subnets/ips subnets: [] # subnets: # - '192.168.123.0/24' 
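Review bot: The `name:` fields under `cron_user_entries` contain typos (`"Check if webservices sre running. Restart if necessary"`, `"Check connectifity - reboot if needed"`) and, assuming the role passes them to the `cron` module, that string becomes the marker the module uses to find and update the job later. Correcting a name after the first deploy would create a second crontab entry rather than rename the existing one, so fix them before this host is provisioned: `- name: "Check if webservices are running. Restart if necessary"` and `- name: "Check connectivity - reboot if needed"`. The blank line between `- name: sysadm` and its `user_id` is valid YAML but differs from every other entry in the list.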
@@ -226,7 +214,7 @@ resolved_fallback_nameserver: cron_env_entries: - name: PATH - job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - name: SHELL job: /bin/bash diff --git a/host_vars/oolm-shop-dev.oopen.de.yml b/host_vars/oolm-shop-dev.oopen.de.yml index 455edb3..7556ceb 100644 --- a/host_vars/oolm-shop-dev.oopen.de.yml +++ b/host_vars/oolm-shop-dev.oopen.de.yml 
@@ -21,11 +21,89 @@ #sshd_password_authentication: !!str "yes" +sshd_pasword_auth_ip: + - 34.107.7.34 + # --- # vars used by apt.yml # --- +apt_install_extra_pkgs: true +apt_extra_pkgs: + - wkhtmltopdf + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 212.42.230.1 + - 83.223.66.51 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + # --- # vars used by roles/common/tasks/users.yml @@ -61,8 +139,8 @@ default_user: - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRmXj9h/gCTSODkPH1ooBgq6hOZFjxczLPw9Bv5gt+z6v41zxpYKBDyvMy7jblwK3//EA469QRqKEBq0Hhx1aocrVe8TWZGDqzc2nrzh2YSewvKjbx6Dv+pdoWcTzF6Rho2Klvu79p5lcV+2I/u82wLDNVBZliGuRJJ8yVVQ8RkSdvz/O15d9qfI7F0yzzjhYy+t/W6tDxEt2N65n7SC14i/q/DqdGCLp7eBAHkC2mTruLbzCIdMteFg7q0GuTdlII0BF5LPbHlVK8nm8iOOH61pI/gygXF0Z9WlL7e/hfE8qTGAucAsy0KoOodlEQD1LLV1Rubmy7zKZBk4qvXzh7 ilkeregilmez@Ilkers-MBP-2.fritz.box' - name: shop - user_id: 1061 - group_id: 1061 + user_id: 1064 + group_id: 1064 password: $6$.7q7LwrI$LS0W95y5MHgaQZ4v5OvYukQn3pxmbeQvm9lNrPVSN7R.GVwGGIqdfnX2xOvGTgJcenUT3aJoa8HloOes1wUM71 shell: /bin/bash ssh_keys: diff --git a/host_vars/oolm-shop.oopen.de.yml b/host_vars/oolm-shop.oopen.de.yml index ca57b49..e70a17d 100644 --- a/host_vars/oolm-shop.oopen.de.yml +++ b/host_vars/oolm-shop.oopen.de.yml @@ -33,6 +33,10 @@ sshd_pasword_auth_ip: # vars used by apt.yml # --- +apt_install_extra_pkgs: true +apt_extra_pkgs: + - wkhtmltopdf + # --- # vars used by roles/common/tasks/users.yml diff --git a/host_vars/server16.warenform.de.yml b/host_vars/server16.warenform.de.yml index 30c4b62..35d9c9b 100644 --- a/host_vars/server16.warenform.de.yml +++ b/host_vars/server16.warenform.de.yml @@ -17,7 +17,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: diff --git a/host_vars/server20.warenform.de.yml b/host_vars/server20.warenform.de.yml index 90fcdf8..810114e 100644 --- a/host_vars/server20.warenform.de.yml +++ b/host_vars/server20.warenform.de.yml @@ -17,7 +17,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: 
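Review bot: `sshd_pasword_auth_ip: - 34.107.7.34` re-enables password authentication on sshd for one source address while the key-only default stays in place for everyone else, but nothing in the file says whose address this is or how long the exception is meant to live. Such exceptions tend to outlive their purpose, so a comment above the key recording owner, reason and review date, e.g. `# password auth allowed only from <owner/system>; review by <date>`, would let the next maintainer remove it safely. The key name follows the existing `sshd_pasword_auth_ip` spelling used by oolm-shop.oopen.de, so it is consistent with the role even though misspelt.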
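Review bot: Changing the `shop` account from `user_id: 1061`/`group_id: 1061` to `1064`/`1064` on an already-provisioned host does not re-own files that the old IDs created outside the home directory; if the Ansible user module runs `usermod -u`, only the home tree is chowned, and anything under web roots, spool or log directories keeps UID 1061. Presumably this aligns the ID with oolm-shop.oopen.de, but that should be stated in a comment above `user_id` and paired with a check for orphaned 1061-owned files after the run. The `default_user` list this hunk edits starts outside the hunk.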
@@ -56,19 +55,6 @@ network_interfaces: server: hwaddr: - # optional dns settings nameservers - needs package resolvconf installed - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - nameservers: - - 83.223.66.51 - - 212.42.230.1 - - 83.223.90.90 - search: warenform.de - # optional additional subnets/ips subnets: [] # subnets: # - '192.168.123.0/24' diff --git a/host_vars/server22.warenform.de.yml b/host_vars/server22.warenform.de.yml index bc66631..0a74e80 100644 --- a/host_vars/server22.warenform.de.yml +++ b/host_vars/server22.warenform.de.yml @@ -55,13 +55,6 @@ network_interfaces: server: hwaddr: - # optional dns settings nameservers - needs package resolvconf installed - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # optional additional subnets/ips subnets: [] # subnets: # - '192.168.123.0/24' diff --git a/host_vars/server23.warenform.de.yml b/host_vars/server23.warenform.de.yml index 824e67d..5ae786a 100644 --- a/host_vars/server23.warenform.de.yml +++ b/host_vars/server23.warenform.de.yml @@ -55,19 +55,6 @@ network_interfaces: server: hwaddr: - # optional dns settings nameservers - needs package resolvconf installed - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - #nameservers: - # - 83.223.66.51 - # - 83.223.90.90 - # - 212.42.230.1 - #search: warenform.de - # optional additional subnets/ips subnets: [] # subnets: # - '192.168.123.0/24' diff --git a/host_vars/web-04.oopen.de.yml b/host_vars/web-04.oopen.de.yml new file mode 100644 index 0000000..2ff2d87 --- /dev/null +++ b/host_vars/web-04.oopen.de.yml 
@@ -0,0 +1,194 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 213.133.99.99 + - 2a01:4f8:0:1::add:9898 + - 213.133.100.100 + - 2a01:4f8:0:1::add:9999 + - 213.133.98.98 + - 2a01:4f8:0:1::add:1010 + +# search domains +# +# If there 
are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/web.cadus.org.yml b/host_vars/web.cadus.org.yml new file mode 100644 index 0000000..e43a333 --- /dev/null +++ b/host_vars/web.cadus.org.yml 
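Review bot: This new host_vars file commits SHA-512 crypt password hashes (`$6$…`) for `chris`, `sysadm`, `localadmin`, `back` and, under `root_user`, for root in clear text; the same applies to `host_vars/web.cadus.org.yml`, `host_vars/wiki.cadus.org.yml` and the new root-level `main.yml` in this commit. Anyone with read access to the repository can run an offline guess against these hashes, so store them as `!vault` values (`ansible-vault encrypt_string`) or vault the whole file, and rotate the passwords now that the hashes are in history. The `ssh_keys` entries are public keys and are fine as they are. Separately, `git_firewall_repository` gives `repo` and `dest` but no ref to check out; if the consuming task clones without a `version`, every run pulls the current branch head, so pin a tag or commit there.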
@@ -0,0 +1,197 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver 
should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 185.12.64.1 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- diff --git a/host_vars/web0.warenform.de.yml b/host_vars/web0.warenform.de.yml index 9363a12..0a6cfbd 100644 --- a/host_vars/web0.warenform.de.yml +++ b/host_vars/web0.warenform.de.yml @@ -27,6 +27,7 @@ apt_install_extra_pkgs: true apt_extra_pkgs: - wkhtmltopdf + - pdftk - subversion - subversion-tools diff --git a/host_vars/wiki.cadus.org.yml b/host_vars/wiki.cadus.org.yml new file mode 100644 index 0000000..e43a333 --- /dev/null +++ b/host_vars/wiki.cadus.org.yml 
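Review bot: `host_vars/web.cadus.org.yml` and `host_vars/wiki.cadus.org.yml` are added with the same blob id (`e43a333`) in their file headers, i.e. they are byte-identical, so the shared resolver, user and repository settings would be better held once in a group_vars file for a cadus group, leaving only host-specific values here. The `hosts` hunks in this commit only ever remove `web.cadus.org` and `wiki.cadus.org` from groups (see the `@@ -730,59 +718,6 @@` hunk); confirm both names are still listed somewhere in the inventory, otherwise these host_vars are never applied. The trailing section header `# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml` introduces nothing; either drop it or add a comment that the role defaults apply.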
@@ -0,0 +1,197 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver 
should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 185.12.64.1 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- diff --git a/hosts b/hosts index 52d0a8e..7699aa4 100644 --- a/hosts +++ b/hosts @@ -20,6 +20,8 @@ lxc-host-kb.anw-kb.netz o33.oopen.de o25.oopen.de o13-staging-board.oopen.de +dc-opp.oopen.de +discourse.oopen.de [dns_sinma] @@ -127,12 +129,9 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de o17.oopen.de test.mx.oopen.de @@ -146,7 +145,6 @@ o21.oopen.de o22.oopen.de oolm-db.oopen.de -oolm-db-dev.oopen.de oolm-shop.oopen.de oolm-shop-dev.oopen.de oolm-web.oopen.de @@ -172,7 +170,6 @@ cl-fm.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK -o26.oopen.de # Backup Faire Mobilitaet o28.oopen.de 
@@ -217,7 +214,7 @@ b.mx.oopen.de matomo-01.oopen.de web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de cl-test.oopen.de # OPP - dc-01.oopen.de @@ -232,7 +229,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de lxc-host-kb.anw-kb.netz @@ -302,12 +298,9 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de o17.oopen.de test.mx.oopen.de @@ -324,7 +317,6 @@ o21.oopen.de # - o22.oopen.de o22.oopen.de oolm-db.oopen.de -oolm-db-dev.oopen.de oolm-shop.oopen.de oolm-shop-dev.oopen.de oolm-web.oopen.de @@ -352,7 +344,6 @@ cl-fm.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK -o26.oopen.de # Backup Faire Mobilitaet o28.oopen.de @@ -399,7 +390,7 @@ b.mx.oopen.de matomo-01.oopen.de web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de cl-test.oopen.de # OPP - dc-01.oopen.de @@ -414,7 +405,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de lxc-host-kb.anw-kb.netz @@ -502,6 +492,7 @@ ga-nh-gw.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz +ga-st-services.ga.netz ga-al-ws1.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz @@ -537,9 +528,7 @@ c.mx.oopen.de # o13.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de # o17.oopen.de test.mariadb.oopen.de @@ -595,7 +584,7 @@ a.mx.oopen.de matomo-01.oopen.de web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de b.mx.oopen.de cl-test.oopen.de @@ -608,7 +597,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de # o39.oopen.de @@ -623,6 +611,7 @@ at-10-neu.ak.netz # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz ga-al-ws1.ga.netz +ga-st-services.ga.netz # --- # Warenform server 
@@ -716,7 +705,6 @@ stolpersteine.oopen.de o13-board.oopen.de o13-staging-board.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de # o17.oopen.de @@ -730,59 +718,6 @@ mm.oopen.de mm-irights.oopen.de # Hetzner Cloud CX31 - AK -o26.oopen.de - -# o30.oopen.de - AK Server Nextcloud/Jitsi Meet -meet.akweb.de - -# o31.oopen.de -wiki.cadus.org - -# etventure -o32.oopen.de - -# BigBlueButton - O.OPEN -o33.oopen.de - -# o35.oopen.de -cl-02.oopen.de - -# o36.oopen.de -cl-test.oopen.de - -# --- -# Büro Netzwerke -# --- - -file-ah.kanzlei-kiel.netz - - -[ftp_server] - -# --- -# - O.OPEN Server -# --- - -# o12.oopen.de -initiativenserver.oopen.de - -# o13.oopen.de -o13-web.oopen.de -o13-web-neu.oopen.de - - -# o31.oopen.de -web.cadus.org -wiki.cadus.org - -# o20.oopen.de (srv-cityslang.cityslang.com) -o20.oopen.de - -# o22.oopen.de -oolm-web.oopen.de - -# Hetzner Cloud CX31 - AK -o26.oopen.de # etventure o32.oopen.de @@ -797,7 +732,7 @@ web-02.oopen.de # o36 - b.mx, web-01, web-03,-- web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de # o39 - web-05 web-05.oopen.de @@ -805,9 +740,9 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de - +# GA - Gemeinschaft Altensclirf +ga-st-services.ga.netz # --- # Warenform server @@ -899,7 +834,6 @@ a.mx.oopen.de # o36 - b.mx, web-01, web-03,-- web-01.oopen.de web-03.oopen.de -web-test.oopen.de # --- # O.OPEN office network @@ -938,7 +872,6 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de # o17.oopen.de test.mx.oopen.de @@ -951,7 +884,6 @@ o20.oopen.de o21.oopen.de # o22.oopen.de -oolm-db-dev.oopen.de oolm-db.oopen.de oolm-web.oopen.de @@ -964,7 +896,6 @@ cl-irights.oopen.de mm-irights.oopen.de # Hetzner Cloud CX31 - AK -o26.oopen.de # o27.oopen.de cl-fm.oopen.de @@ -999,7 +930,7 @@ d.mx.oopen.de matomo-01.oopen.de web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de cl-test.oopen.de # o38 - dc-opp cl-opp 
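Review bot: The deletion in `@@ -730,59 +718,6 @@` also removes the `[ftp_server]` group header, so the entries that survive after it (`o32.oopen.de`, `web-02.oopen.de`, `web-01.oopen.de`, `web-03.oopen.de`, `web-04.oopen.de`, `web-05` through `web-09` and the newly added `ga-st-services.ga.netz`) now fall into the group that precedes it (the one containing `mm-irights.oopen.de`), and any play targeting `ftp_server` will silently match no hosts. Since the later hunks `@@ -797,7 +732,7 @@` and `@@ -805,9 +740,9 @@` still maintain that member list, dropping the group looks accidental; re-insert `[ftp_server]` followed by a blank line immediately before the surviving `# etventure` context line. If removing the group really is intended, its remaining members should go with it rather than being absorbed by the previous group.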
@@ -1011,7 +942,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de # --- @@ -1353,12 +1283,9 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de # - o17.oopen.de test.mx.oopen.de @@ -1374,7 +1301,6 @@ o21.oopen.de # - o22.oopen.de oolm-db.oopen.de -oolm-db-dev.oopen.de oolm-shop.oopen.de oolm-shop-dev.oopen.de oolm-web.oopen.de @@ -1396,7 +1322,6 @@ cl-fm.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK -o26.oopen.de # o29.oopen.de backup.oopen.de @@ -1430,7 +1355,7 @@ b.mx.oopen.de matomo-01.oopen.de web-01.oopen.de web-03.oopen.de -web-test.oopen.de +web-04.oopen.de cl-test.oopen.de # o38 - dc-opp cl-opp @@ -1443,7 +1368,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de # --- # O.OPEN office network @@ -1462,6 +1386,7 @@ file-ipa.local.netz # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz +ga-st-services.ga.netz # --- # Warenform Server @@ -1536,12 +1461,9 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de # - o17.oopen.de o17.oopen.de @@ -1563,7 +1485,6 @@ o21.oopen.de # - o22.oopen.de o22.oopen.de oolm-db.oopen.de -oolm-db-dev.oopen.de oolm-shop.oopen.de oolm-shop-dev.oopen.de oolm-web.oopen.de @@ -1591,7 +1512,6 @@ cl-fm.oopen.de mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK -o26.oopen.de # Backup Faire Mobilitaet o28.oopen.de @@ -1631,8 +1551,8 @@ o36.oopen.de b.mx.oopen.de matomo-01.oopen.de web-03.oopen.de +web-04.oopen.de web-01.oopen.de -web-test.oopen.de cl-test.oopen.de # o38 - dc-01.oopen.de @@ -1647,7 +1567,6 @@ web-06.oopen.de web-07.oopen.de web-08.oopen.de web-09.oopen.de -web-10.oopen.de lxc-host-kb.anw-kb.netz 
@@ -1781,6 +1700,7 @@ devel-ruby.wf.netz # - GA - Gemeinschaft Altensclirf ga-st-lxc1.ga.netz ga-st-mail.ga.netz +ga-st-services.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz @@ -1795,9 +1715,6 @@ o13-board.oopen.de o13-staging-board.oopen.de o13-mail.oopen.de o13-mumble.oopen.de -o13-mumble-neu.oopen.de o13-pad.oopen.de -o13-pad-neu.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de -o13-web-neu.oopen.de diff --git a/main.yml b/main.yml new file mode 100644 index 0000000..9d12c14 --- /dev/null +++ b/main.yml 
@@ -0,0 +1,2917 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + +apt_ansible_dependencies: + - apt-transport-https + - ca-certificates + - dbus + - lsb-release + - mc + - net-tools + - openssl + - python-apt-common + - python3 + - python3-apt + - software-properties-common + - sudo + - vim + - vlan + + +# --- +# vars used by roles/ansible_user +# --- + +ansible_remote_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +time_zone: Europe/Berlin + +locales: + - en_US.UTF-8 + - de_DE.UTF-8 + +#copy_plain_files_security_limits: [] +copy_plain_files_security_limits: + + # /etc/security/limits.d/*.conf + # + - name: 90-user-NOFILE.conf + src_path: etc/security/limits.d/90-user-NOFILE.conf + dest_path: /etc/security/limits.d/90-user-NOFILE.conf + + +#copy_plain_files_systemd: [] +copy_plain_files_systemd: + + # /etc/systemd/system.conf.d/*.conf + # + - name: DefaultLimitNOFILE + src_path: etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf + dest_path: /etc/systemd/system.conf.d/20-DefaultLimitNOFILE.conf + + - name: DefaultTasksMax + src_path: etc/systemd/system.conf.d/20-DefaultTasksMax.conf + dest_path: /etc/systemd/system.conf.d/20-DefaultTasksMax.conf + + - name: DefaultLimitCORE + src_path: etc/systemd/system.conf.d/20-DefaultLimitCORE.conf + dest_path: /etc/systemd/system.conf.d/20-DefaultLimitCORE.conf + + - name: DefaultLimitNPROC + src_path: etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf + dest_path: /etc/systemd/system.conf.d/20-DefaultLimitNPROC.conf + + - name: DefaultLimitRTPRIO + src_path: etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf + dest_path: 
/etc/systemd/system.conf.d/20-DefaultLimitRTPRIO.conf + + - name: DefaultLimitRTTIME + src_path: etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf + dest_path: /etc/systemd/system.conf.d/20-DefaultLimitRTTIME.conf + + +#copy_plain_files_journald: [] +copy_plain_files_journald: + + - name: SystemMaxUse + src_path: etc/systemd/journald.conf.d/50-SystemMaxUse.conf + dest_path: /etc/systemd/journald.conf.d/50-SystemMaxUse.conf + + - name: SystemMaxFileSize + src_path: etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf + dest_path: /etc/systemd/journald.conf.d/50-SystemMaxFileSize.conf + + - name: MaxFileSec + src_path: etc/systemd/journald.conf.d/50-MaxFileSec.conf + dest_path: /etc/systemd/journald.conf.d/50-MaxFileSec.conf + + + +#copy_plain_files_sysctl: [] +copy_plain_files_sysctl: + + # /etc/sysctl.d/*.conf + # + - name: dovecot + src_path: etc/sysctl.d/50-dovecot.conf + dest_path: /etc/sysctl.d/50-dovecot.conf + + - name: redis + src_path: etc/sysctl.d/50-redis.conf + dest_path: /etc/sysctl.d/50-redis.conf + + - name: swappiness + src_path: etc/sysctl.d/50-swappiness.conf + dest_path: /etc/sysctl.d/50-swappiness.conf + + - name: ddos + src_path: etc/sysctl.d/10-ddos.conf + dest_path: /etc/sysctl.d/10-ddos.conf + +copy_additional_plain_files_sysctl: [] + + +# --- +# vars used by apt.yml +# --- + +apt_manage_sources_list: true + +apt_src_enable: true +apt_backports_enable: true + +apt_debian_mirror: http://ftp.de.debian.org/debian/ +apt_debian_contrib_nonfree_enable: true + +# Ubuntu mirror +apt_ubuntu_mirror: http://archive.ubuntu.com/ubuntu + +apt_update_cache_valid_time: 3600 + +apt_upgrade: true +apt_update: true + +apt_clean: true +apt_autoremove: true + +apt_dpkg_configure: true +apt_upgrade_type: dist +apt_upgrade_dpkg_options: + - force-confdef + - force-confold + +apt_initial_install_stretch: + - apt-transport-https + - cryptsetup + - dbus + - openssh-server + - rssh + - bash + - bash-completion + - vim + - vim-common + - vim-doc + - mc + - screen + 
- tmux + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - exuberant-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - realpath + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.24 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man-db + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + +apt_initial_install_buster: + - apt-transport-https + - cryptsetup + - gnupg + - gpgv + - deborphan + - dbus + - openssh-server + - rush + - bash + - bash-completion + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - 
recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.28 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - libcroco3-dev + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua5.3 + - btrfs-tools + - fdisk + +apt_initial_install_bullseye: + - apt-transport-https + - cryptsetup + - gnupg + - gpgv + - deborphan + - zstd + - dbus + - openssh-server + - rush + - bash + - bash-completion + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.32 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline-dev + - re2c + - util-linux + - 
parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua5.4 + - btrfs-progs + - fdisk + +apt_initial_install_bookworm: + - cryptsetup + - dbus + - openssh-server + - rush + - bash + - bash-completion + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - cron + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.36 + - perl-doc + - libperl-dev + - libreadline-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - socat 
+ - zsh + - lua5.4 + - btrfs-progs + - fdisk + + +apt_initial_install_xenial: + - apt-transport-https + - cryptsetup + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.22 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - ifupdown + - socat + +apt_initial_install_bionic: + - apt-transport-https + - cryptsetup + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - 
whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.26 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - ifupdown + - socat + +apt_initial_install_jammy: + - apt-transport-https + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - exuberant-ctags + - universal-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - 
smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart + - ifupdown + - socat + +install_compiler_pkgs: false +apt_compiler_pkgs: + - g++ + - g++-multilib + - gcc + - gcc-multilib + - cpp + - make + - automake + - autoconf + - libtool + - flex + - bison + - gettext + - pkg-config + - gnu-standards + - libssl-dev + - libreadline-dev + - libncurses-dev + - libsystemd-dev + - libnss3-dev + #- python-dev + +yum_compiler_pkgs_centos: + - gcc-c++ + - cpp + - make + - cmake + - automake + - autoconf + - libtool + - flex + - bison + - gettext + - pkgconfig + - openssl-devel + - openssl-static + - readline-devel + - readline-static + - ncurses + - ncurses-devel + - ncurses-static + - systemd-devel + - nss-devel + +yum_compiler_pkgs_fedora: + - gcc-c++ + - cpp + - make + - cmake + - automake + - autoconf + - libtool + - flex + - bison + - gettext + - pkgconfig + - openssl-devel + - readline-devel + - readline-static + - ncurses + - ncurses-devel + - ncurses-static + - systemd-devel + - nss-devel + +install_webserver_pkgs: false + +yum_webserver_pkgs_centos: + - libdb-devel + - zlib + - zlib-devel + - zlib-static + - openssl-devel + - openssl-static + - neon + - neon-devel + - libxml2 + - libxml2-devel + - libxml2-static + - curl + - libcurl + - libcurl-devel + - gdbm + - gdbm-devel + - aspell + - aspell-devel + - libjpeg-turbo + - libjpeg-turbo-devel + - libjpeg-turbo-static + - libXpm + - libXpm-devel + - freetype + - freetype-devel + - libwmf + - libwmf-devel + - libtiff + - libtiff-devel + - libtiff-static + - libpaper-devel + - libpaper-devel + - file-libs + - file-devel + - file-static + - 
GraphicsMagick + - GraphicsMagick-perl + - GraphicsMagick-devel + - GraphicsMagick-doc + - GraphicsMagick-c++ + - GraphicsMagick-c++-devel + - graphviz + - graphviz-devel + - libgsf + - libgsf-devel + - ilmbase + - ilmbase-devel + - libvpx + - libvpx-devel + - libvpx-utils + - gpm + - gpm-devel + - gpm-static + - texlive-kpathsea + - texlive-kpathsea-bin + - texlive-kpathsea-lib + - texlive-kpathsea-lib-devel + - OpenEXR + - OpenEXR-libs + - OpenEXR-devel + - librsvg2 + - librsvg2-devel + - librsvg2-tools + - djvulibre + - djvulibre-libs + - djvulibre-devel + - expat + - expat-devel + - expat-static + - ImageMagick + - ImageMagick-devel + - libexif + - libexif-devel + - exiv2 + - exiv2-libs + - exiv2-devel + - re2c + - netpbm + - netpbm-devel + - netpbm-progs + - mcrypt + - libmcrypt + - libmcrypt-devel + - mariadb-libs + - mariadb-devel + - postgresql-libs + - postgresql-devel + - postgresql-static + - libdbi + - libdbi-devel + - libdbi-dbd-mysql + - libdbi-dbd-pgsql + - libdbi-dbd-sqlite + - libdbi-devel + - libdbi-drivers + - readline + - readline-devel + - ncurses + - ncurses-devel + - ncurses-static + - libdb + - libdb-devel + - libdb-cxx + - libdb-cxx-devel + - libxslt + - libxslt-devel + - pcre + - pcre-devel + - pcre-static + - libc-client + - libicu + - libicu-devel + - libtidy + - libtidy-devel + - ModemManager + - ModemManager-glib + - gmp + - gmp-devel + - gmp-static + - krb5-libs + - krb5-devel + - openldap + - openldap-devel + - mhash + - mhash-devel.x86_64 + - gd + - gd-devel + - lua + - lua-static + - lua-devel + - apr + - apr-devel.i686 + - apr-util + - apr-util-devel + - apr-util-ldap + - apr-util-mysql + - apr-util-nss + - apr-util-odbc + - apr-util-openssl + - apr-util-pgsql + - apr-util-sqlite + - lksctp-tools + - lksctp-tools-devel + - openssl + - openssl-libs + - openssl-devel + - openssl-static + - cryptopp + - cryptopp-devel + - GeoIP + - GeoIP-devel + - libaio + - libaio-devel + - tk + - tk-devel + - tcl + - tcl-devel + - tcl-tclreadline + 
- tcl-tclreadline-devel + - expect + - expect-devel + - perl-Expect + - poppler-utils + + # - libqdbm-dev + #- libatm-dev + #- libc-client2007e-dev + #- libc-client-dev + #- ffmpeg + +yum_webserver_pkgs_fedora: + - libdb-devel + - zlib + - zlib-devel + - zlib-static + - openssl-devel + - neon + - neon-devel + - libxml2 + - libxml2-devel + - libxml2-static + - curl + - libcurl + - libcurl-devel + - gdbm + - gdbm-devel + - aspell + - aspell-devel + - libjpeg-turbo + - libjpeg-turbo-devel + - libjpeg-turbo-static + - libXpm + - libXpm-devel + - freetype + - freetype-devel + - libwmf + - libwmf-devel + - libtiff + - libtiff-devel + - libtiff-static + - libpaper-devel + - libpaper-devel + - file-libs + - file-devel + - file-static + - GraphicsMagick + - GraphicsMagick-perl + - GraphicsMagick-devel + - GraphicsMagick-doc + - GraphicsMagick-c++ + - GraphicsMagick-c++-devel + - graphviz + - graphviz-devel + - libgsf + - libgsf-devel + - ilmbase + - ilmbase-devel + - libvpx + - libvpx-devel + - libvpx-utils + - gpm + - gpm-devel + - gpm-static + - texlive-kpathsea + - texlive-kpathsea-bin + - texlive-kpathsea-lib + - texlive-kpathsea-lib-devel + - OpenEXR + - OpenEXR-libs + - OpenEXR-devel + - librsvg2 + - librsvg2-devel + - librsvg2-tools + - djvulibre + - djvulibre-libs + - djvulibre-devel + - expat + - expat-devel + - expat-static + - ImageMagick + - ImageMagick-devel + - libexif + - libexif-devel + - exiv2 + - exiv2-libs + - exiv2-devel + - re2c + - netpbm + - netpbm-devel + - netpbm-progs + - mcrypt + - libmcrypt + - libmcrypt-devel + - mariadb-devel + - postgresql-libs + - postgresql-private-devel + - postgresql-static + - libdbi + - libdbi-devel + - libdbi-dbd-mysql + - libdbi-dbd-pgsql + - libdbi-dbd-sqlite + - libdbi-devel + - libdbi-drivers + - readline + - readline-devel + - ncurses + - ncurses-devel + - ncurses-static + - libdb + - libdb-devel + - libdb-cxx + - libdb-cxx-devel + - libxslt + - libxslt-devel + - pcre + - pcre-devel + - pcre-static + - libicu + - 
libicu-devel + - libtidy + - libtidy-devel + - ModemManager + - ModemManager-glib + - gmp + - gmp-devel + - gmp-static + - krb5-libs + - krb5-devel + - openldap + - openldap-devel + - mhash + - mhash-devel.x86_64 + - gd + - gd-devel + - lua + - lua-static + - lua-devel + - apr + - apr-devel.i686 + - apr-util + - apr-util-devel + - apr-util-ldap + - apr-util-mysql + - apr-util-odbc + - apr-util-openssl + - apr-util-pgsql + - apr-util-sqlite + - lksctp-tools + - lksctp-tools-devel + - openssl + - openssl-libs + - openssl-devel + - cryptopp + - cryptopp-devel + - GeoIP + - GeoIP-devel + - libaio + - libaio-devel + - tk + - tk-devel + - tcl + - tcl-devel + - tcl-tclreadline + - tcl-tclreadline-devel + - expect + - expect-devel + - perl-Expect + - poppler-utils + + +apt_webserver_pkgs: + - libdb-dev + - zlib1g + - zlib1g-dev + - libssl-dev + - libneon27-dev + - libxml2 + - libxml2-dev + - curl + - libcurl4-openssl-dev + - libqdbm-dev + - libgdbm-dev + - libpspell-dev + - libjpeg-dev + - libpng-dev + - libxpm-dev + - libfreetype6-dev + - libwmf-dev + - libtiff-dev + - libpaper-dev + - libmagic-dev + - libgraphics-magick-perl + - libgraphicsmagick++1-dev + - libgraphicsmagick-q16-3 + - libgraphicsmagick1-dev + - libgraphviz-dev + - libgsf-1-dev + - libilmbase-dev + - libvpx-dev + - vpx-tools + - libgpm-dev + - libkpathsea-dev + - libopenexr-dev + - librsvg2-dev + - libdjvulibre-dev + - libatm-dev + - libexpat-dev + - imagemagick + - graphicsmagick + - exif + - libexiv2-dev + - re2c + - netpbm + - libnetpbm10-dev + - libmcrypt-dev + - mcrypt + - default-libmysqlclient-dev + - libpq-dev + - postgresql-client + - libreadline-dev + - libncurses-dev + - libdb5.3 + - libdb5.3++ + - libdb5.3++-dev + - libdb5.3-dev + - libxslt1-dev + - libpcre3-dev + - libc-client2007e-dev + - libc-client-dev + - libicu-dev + - libtidy-dev + - libmm-dev + - libgmp-dev + - libkrb5-dev + - libldap-dev + - libmhash-dev + - libgd-dev + - liblua5.3-dev + - libapr1-dev + - libaprutil1-dev + - 
libsctp-dev + - libcrypto++-dev + - ffmpeg + - libmagickwand-dev + - libgeoip-dev + - libaio-dev + - tk-dev + - tcl-dev + - tclreadline + - expect + - expect-dev + - libexpect-perl + - poppler-utils + +install_postgresql_pkgs: false +apt_postgresql_pkgs: + - postgresql + +yum_postgresql_pkgs_centos: + - postgresql + - postgresql-server + - postgresql-libs + - postgresql-devel + - postgresql-static + - postgresql-plperl + - perl-DBD-Pg + - perl-DateTime-Format-Pg + - check_postgres + +yum_postgresql_pkgs_fedora: + - postgresql + - postgresql-server + - postgresql-libs + - postgresql-private-devel + - postgresql-static + - postgresql-plperl + - perl-DBD-Pg + - perl-DateTime-Format-Pg + - check_postgres + +install_bind_packages: false +apt_bind_pkgs: + - bind9 + +yum_bind_pks: + - bind + + +install_lxc_host_pkgs: false +apt_lxc_host_pkgs: + - bridge-utils + - lxc + - lxc-templates + - lxcfs + - python3-lxc + - debootstrap + - ntpsec + +yum_lxc_host_pkgs_centos: + - bridge-utils + - lxc + - lxc-templates + - python36-lxc + - debootstrap + - ntp + +yum_lxc_host_pkgs_fedora: + - bridge-utils + - lxc + - lxc-templates + - python3-lxc + - debootstrap + - ntpsec + + +install_kvm_host_pkgs: false +apt_kvm_host_pkgs: + - lvm2 + - bridge-utils + - ntfs-3g + - qemu-system + - qemu-kvm + - libvirt-clients + - libvirt-daemon-system + - libosinfo-bin + - virtinst + - libguestfs-tools + - kpartx + - debootstrap + - ntpsec + + +apt_gateway_host_pkgs: + - iptraf + - speedtest-cli + + +# available in debian 10 (buster) but not in debian 11 (bullseye) +# +apt_kvm_host_buster_pkgs: + - virt-top + +apt_install_extra_pkgs: false +apt_extra_pkgs: [] + +apt_install: {} +apt_install_state: latest + +apt_remove: + - rpcbind + - apt-transport-tor + - tor + - tor-geoipdb + - torsocks + +apt_remove_purge: false + +microcode_package: + - intel-microcode + - amd64-microcode + + +# --- +# vars used by yum.yml +# --- + +yum_install_state: latest + +yum_ansible_dependencies: + - ca-certificates + - 
dbus + - redhat-lsb-core + - mc + - net-tools + - openssl + - python3 + - sudo + - vim + +yum_base_install_centos_7: + - redhat-lsb-core + - ca-certificates + - git + - iproute + - mc + - net-tools + - bind-utils + - openssl + - python2 + - python3 + - sudo + - vim + - yum-utils + +yum_initial_install_centos_7: + - cryptsetup + - dbus + - openssh-server + - bash + - bash-completion + - vim + - vim-common + - mc + - screen + - tmux + - cronie + - bc + - figlet + - sudo + - rsync + - dselect + - iputils + - zip + - unzip + - bzip2 + - arj + - mlocate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - whois + - gettext + - gettext-devel + - debian-keyring + - patch + - patchutils + - recode + - recode-devel + - sharutils + - perl + - perl-devel + - readline + - readline-devel + - libtermkey + - libtermkey-devel + - perl-Time-Duration-Parse + - perl-DateTime + - perl-libwww-perl + - pcre + - pcre2 + - perl-IO-Compress + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - bridge-utils + - ethtool + - nwipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - man + - groff + - iptables + - ShellCheck + - ftp + - htop + - net-tools + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua + - btrfs-progs + +yum_base_install_fedora_38: + - redhat-lsb-core + - ca-certificates + - git + - iproute + - mc + - net-tools + - bind-utils + - openssl + - python2 + - python3 + - sudo + - vim + - yum-utils + +yum_initial_install_fedora_38: + - cryptsetup + - dbus + - openssh-server + - bash + - bash-completion + - vim + - vim-common + - mc + - screen + - tmux + - cronie + - bc + - figlet + - sudo + - rsync + - dselect + - iputils + - zip + - unzip + - bzip2 + - arj + - mlocate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + 
- file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - whois + - gettext + - gettext-devel + - debian-keyring + - patch + - patchutils + - recode + - recode-devel + - sharutils + - perl + - perl-devel + - readline + - readline-devel + - libtermkey + - libtermkey-devel + - perl-Time-Duration-Parse + - perl-DateTime + - perl-libwww-perl + - pcre + - pcre2 + - perl-IO-Compress + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - bridge-utils + - ethtool + - nwipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - man + - groff + - iptables + - ShellCheck + - ftp + - htop + - net-tools + - attr + - acl + - quota + - quotatool + - needrestart + - socat + - zsh + - lua + - btrfs-progs + + + #- ntpdate + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: false + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - 
ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 195.10.195.195 + - 1.1.1.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by tor.yml +# --- + +torrc_path: /etc/tor/torrc + +tordir: /var/lib/tor/ + +tor_hidden_service_dir: /var/lib/tor/hidden_service/ + +tor_hidden_service_port: + - 25 127.0.0.25:25 + - 80 127.0.0.1:80 + - 465 127.0.0.25:465 + - 587 127.0.0.25:587 + - 993 127.0.0.1:993 + - 995 127.0.0.1:995 + + +# --- +# vars used by modify-munin-ip.yml +# --- + +munin_remote_ipv4: 135.181.136.84 +munin_remote_ipv6: 2a01:4f9:3a:1051::84 + +munin_remote_ipv4_old: 95.217.64.122 +munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122 + + +# --- +# vars used by cron.yml +# --- + +cron_env_entries: [] +#cron_env_entries: +# - name: PATH +# job: /root/bin/admin-stuff:/root/bin:usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# +# - name: SHELLforwarding +# job: /bin/bash + +cron_user_entries: [] +#cron_user_entries: +# +# - name: "Check if Postfix Mailservice is up and running?" +# minute: "*/15" +# job: /root/bin/monitoring/check_postfix.sh +# +# - name: "Check if SSH service is up and running?" 
+# minute: "*/15"
+# job: /root/bin/monitoring/check_ssh.sh
+
+
+cron_user_special_time_entries: []
+#cron_user_special_time_entries:
+#
+# - name: "Check if Postfix Service is running at boot time"
+# special_time: reboot
+# job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
+# insertafter: PATH
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+insert_ssh_keypair_backup_server: false
+
+ssh_keypair_backup_server: []
+
+
+insert_keypair_backup_client: false
+
+ssh_keypair_backup_client: []
+
+
+insert_root_ssh_keypair: false
+
+root_ssh_keypair: []
+
+default_user:
+
+ - name: chris
+ password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: localadmin
+
+ user_id: 1051
+ group_id: 1051
+ group: localadmin
+ password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+extra_user: []
+
+sudo_users: []
+
+extra_system_user: []
+
+
+entries_authorized_key: []
+#entries_authorized_key:
+# - user: root
+# - key: 'ssh-rsa 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 root@b.ns'
+
+create_sftp_group: false
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+insert_webadmin_ssh_keypair: false
+
+webadmin_ssh_keypair: []
+
+webadmin_user: []
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_ports:
+ - 22
+
+sshd_listen_address:
+ - '::'
+ - '0.0.0.0'
+
+sshd_host_keys:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+
+sshd_max_startups: !!str "10:30:100"
+
+sshd_max_auth_tries: 6
+
+sshd_max_sessions: 10
+
+# only for debian version <= 9
+#
+sshd_use_privilege_separation: !!str "sandbox"
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
+
+sshd_pubkey_authentication: !!str "yes"
+
+sshd_password_authentication: !!str "no"
+
+sshd_use_pam: !!str "yes"
+
+#sshd_allowed_users:
+# - chris
+# - sysadm
+sshd_allowed_users: {}
+
+sshd_print_motd: !!str "no"
+
+sshd_use_dns: !!str "no"
+
+sshd_gateway_ports: !!str "no"
+
+# sshd_kexalgorithms
+#
+# Example:
+# sshd_kexalgorithms:
+# - curve25519-sha256@libssh.org
+# - diffie-hellman-group-exchange-sha256
+# - diffie-hellman-group14-sha1
+#
+#sshd_kexalgorithms: {}
+
+sshd_hostkeyalgorithms:
+ - ssh-ed25519
+ - ssh-ed25519-cert-v01@openssh.com
+ - rsa-sha2-256
+ - rsa-sha2-512
+ - rsa-sha2-256-cert-v01@openssh.com
+ - rsa-sha2-512-cert-v01@openssh.com
+
+
+# sshd_kexalgorithms
+#
+# Example:
+# sshd_ciphers:
+# - 
chacha20-poly1305@openssh.com
+# - aes256-gcm@openssh.com
+# - aes256-ctr
+
+#sshd_ciphers: {}
+sshd_ciphers:
+ - chacha20-poly1305@openssh.com
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+
+#sshd_macs: {}
+sshd_macs:
+ - hmac-sha2-256-etm@openssh.com
+ - hmac-sha2-512-etm@openssh.com
+ - umac-128-etm@openssh.com
+
+# This users are allowed to use password authentification
+#
+sshd_pasword_auth_user:
+
+# This IP-Addresses are allowed to use password authentification
+#
+sshd_pasword_auth_ip:
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+
+# /etc/sudoers
+#
+sudoers_defaults:
+ - env_reset
+ - mail_badpass
+ - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
+
+sudoers_host_aliases: []
+
+sudoers_user_aliases: []
+
+sudoers_cmnd_aliases: []
+
+sudoers_runas_aliases: []
+
+sudoers_user_privileges:
+ - name: root
+ entry: 'ALL=(ALL:ALL) ALL'
+
+sudoers_group_privileges: []
+
+sudoers_remove_user:
+ - back
+ - www-data
+
+
+# /etc/sudoers.d/50-user
+#
+sudoers_file_defaults: []
+
+sudoers_file_host_aliases: []
+
+sudoers_file_user_aliases: []
+
+sudoers_file_cmnd_aliases: []
+
+sudoers_file_runas_aliases: []
+
+sudoers_file_user_back_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
+ - 'ALL=(root) NOPASSWD: /usr/bin/find'
+ - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
+
+sudoers_file_user_back_postgres_privileges:
+ - 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
+ - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump'
+ - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall'
+
+sudoers_file_user_back_svn_privileges: []
+
+sudoers_file_user_back_disk_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/which'
+ - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
+ - 'ALL=(root) NOPASSWD: /sbin/fdisk'
+ - 'ALL=(root) NOPASSWD: /sbin/sgdisk'
+ - 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*'
+ - 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*'
+ - 'ALL=(root) NOPASSWD: /sbin/parted'
+ - 'ALL=(root) 
NOPASSWD: /sbin/gdisk'
+
+sudoers_file_user_webadmin_disk_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/mailq'
+ - 'ALL=(root) NOPASSWD: /usr/bin/tail'
+ - 'ALL=(root) NOPASSWD: /usr/bin/view'
+
+sudoers_file_dns_server_privileges:
+ - name: manage-bind
+ entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*'
+ - name: manage-bind
+ entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*'
+ - name: chris
+ entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*'
+
+sudoers_file_postfixadmin_privileges:
+ - name: www-data
+ entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh'
+ - name: www-data
+ entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh'
+
+sudoers_file_user_privileges: []
+
+sudoers_file_group_privileges: []
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+acl_caching_nameserver: {}
+
+
+bind9_gateway_acl:
+ - local-net:
+ name: local-net
+ entries:
+ - 127.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - fc00::/7
+ - fe80::/10
+ - ::1/128
+
+bind9_gateway_listen_on_v6:
+ - none
+
+bind9_gateway_listen_on:
+ - any
+
+#bind9_gateway_allow_transfer: {}
+bind9_gateway_allow_transfer:
+ - none
+
+#bind9_transfer_source: !!str "192.168.182.1"
+bind9_transfer_source: {}
+
+#bind9_notify_source: !!str "192.168.182.1"
+bind9_notify_source: {}
+
+#bind9_gateway_allow_query: {}
+bind9_gateway_allow_query:
+ - local-net
+
+#bind9_gateway_allow_query_cache: {}
+bind9_gateway_allow_query_cache:
+ - local-net
+
+bind9_gateway_recursion: !!str "yes"
+#bind9_gateway_allow_recursion: {}
+bind9_gateway_allow_recursion:
+ - local-net
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+# ---
+# Firewall repository
+# ---
+
+git_firewall_repository: {}
+
+# ---
+# all servers
+# ---
+
+git_default_repositories:
+
+ # script repositories (destination /root/bin/)
+ - name: admin-stuff
+ repo: https://git.oopen.de/script/admin-stuff
+ dest: /root/bin/admin-stuff
+
+ - name: postfix 
+ repo: https://git.oopen.de/script/postfix + dest: /root/bin/postfix + + # install repositories (destination: /usr/local/src/) + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + + # Monitoring + - name: monitoring + repo: https://git.oopen.de/script/monitoring + dest: /root/bin/monitoring + +# --- +# group [oopen_server] +# --- +git_oopen_server_repositories: + + # firewall + - name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# --- +# group [warenform_server] +# --- +git_warenform_server_repositories: + + # firewall + - name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# --- +# group [lxc_host] +# --- +git_lxc_host_repositories: + + # LXC + - name: LXC + repo: https://git.oopen.de/script/LXC + dest: /root/bin/LXC + +# --- +# group [lxc_guest] +# --- +git_lxc_guest_repositories: + + # dehydrated-cron + - name: dehydrated-cron + repo: https://git.oopen.de/certificates/dehydrated-cron.git + dest: /usr/local/src/dehydrated-cron + +# --- +# group [gateway_server] +# --- + +git_gateway_repositories: + + # install repositories (destination: /usr/local/src/) + # mailsystem + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + + # firewall + - name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + + - name: manage-gw-config + repo: https://git.oopen.de/script/manage-gw-config + dest: /root/bin/manage-gw-config + + +# --- +# group [apache2_webserver] +# --- +git_apache2_repositories: + # script repositories (destination /root/bin/) + - name: apache2 + repo: https://git.oopen.de/script/apache2 + dest: /root/bin/apache2 + + # install repositories (destination: /usr/local/src/) + - name: apache2 + repo: https://git.oopen.de/install/apache2 + dest: /usr/local/src/apache2 + + - name: php + repo: 
https://git.oopen.de/install/php + dest: /usr/local/src/php + + # dehydrated-cron + - name: dehydrated-cron + repo: https://git.oopen.de/certificates/dehydrated-cron.git + dest: /usr/local/src/dehydrated-cron + + +# --- +# group [nginx_webserver] +# --- +git_nginx_repositories: + - name: nginx + repo: https://git.oopen.de/install/nginx + dest: /usr/local/src/nginx + + - name: php + repo: https://git.oopen.de/install/php + dest: /usr/local/src/php + + +# --- +# group [mysql_server] +# --- +git_mysql_repositories: + + # script repositories (destination /root/bin/) + - name: mysql + repo: https://git.oopen.de/script/mysql + dest: /root/bin/mysql + + # install repositories (destination: /usr/local/src/) + - name: mysql + repo: https://git.oopen.de/install/mysql + dest: /usr/local/src/mysql + + +# --- +# group [postgresql_server] +# --- +git_postgresql_repositories: + + # script repositories (destination /root/bin/) + - name: postgres + repo: https://git.oopen.de/script/postgres + dest: /root/bin/postgres + + +# --- +# group [nextcloud_server] +# --- +git_nextcloud_repositories: + + # script repositories (destination /root/bin/) + - name: nextcloud + repo: https://git.oopen.de/script/nextcloud + dest: /root/bin/nextcloud + + # install repositories (destination: /usr/local/src/) + - name: nextcloud + repo: https://git.oopen.de/install/nextcloud + dest: /usr/local/src/nextcloud + + +# --- +# group [dns_server] +# --- +git_dns_repositories: + + # script repositories (destination /root/bin/) + - name: bind + repo: https://git.oopen.de/script/bind + dest: /root/bin/bind + + +# --- +# group [backup_server] +# --- +git_backup_repositories: + + # script repositories (destination /root/bin/) + - name: backup-rcopy + repo: https://git.oopen.de/backup/backup-rcopy + dest: /root/crontab/backup-rcopy + + +# --- +# group [samba_server] +# --- +git_samba_repositories: + + # script repositories (destination /root/bin/) + - name: samba + repo: https://git.oopen.de/script/samba + dest: 
/root/bin/samba + + +# --- +# group [mail_server] +# --- +git_mailserver_repositories: + + # script repositories (destination /root/bin/) + - name: apache2 + repo: https://git.oopen.de/script/apache2 + dest: /root/bin/apache2 + + - name: postfix + repo: https://git.oopen.de/script/postfix + dest: /root/bin/postfix + + # install repositories (destination: /usr/local/src/) + - name: apache2 + repo: https://git.oopen.de/install/apache2 + dest: /usr/local/src/apache2 + + - name: php + repo: https://git.oopen.de/install/php + dest: /usr/local/src/php + + - name: mysql + repo: https://git.oopen.de/install/mysql + dest: /usr/local/src/mysql + + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + + - name: fail2ban + repo: https://git.oopen.de/install/fail2ban + dest: /usr/local/src/fail2ban + + # let's encrypt + - name: dehydrated-cron + repo: https://git.oopen.de/certificates/dehydrated-cron.git + dest: /usr/local/src/dehydrated-cron + + +# --- +# group [sympa_list_servers] +# --- +git_sympa_repositories: + + # install repositories (destination: /usr/local/src/) + - name: sympa + repo: https://git.oopen.de/install/sympa + dest: /usr/local/src/sympa + + +# --- +# group [jitsi_meet_server] +# --- +git_jitsi_meet_repositories: + + # install repositories (destination: /usr/local/src/) + - name: jitsi + repo: https://git.oopen.de/install/jitsi + dest: /usr/local/src/jitsi + + +# --- +# group [so36_server_dehydrated] +# --- +#git_so36_dehydrated_repositories: +# +# # install repositories (destination: /usr/local/src/) +# - name: dehydrated-cron +# repo: https://git.oopen.de/certificates/dehydrated-cron.git +# dest: /usr/local/src/dehydrated-cron + + +# --- +# Use this for host specific repositories defined in files git-.yaml +# +# Leave empty here +# --- +git_other_repositories: [] + + +# ========== +# vars used by roles/common/tasks/nfs.yml +# ========== + +nfs_server: {} + +# Set 'fs_encrypted' to true if filesystem lives on 
an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +#nfs_exports: +# - src: 192.168.112.10:/data/home +# path: /data/home +# mount_opts: users,rsize=8192,wsize=8192,hard,intr +# export_opt: rw,root_squash,sync,subtree_check +# export_networks: +# - 192.168.112.0/24 +# - 10.0.112.0/24 +# - 10.1.112.0/24 +# - 192.168.63.0/24 +# use_fsid_option: true +# +nfs_exports: [] + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: [] + +copy_plain_files_postfix_host_specific: [] + +copy_plain_files_postfwd_host_specific: [] + +copy_plain_files_postfix: + + - name: header_checks.pcre + src_path: mailserver/etc/postfix/header_checks.pcre + dest_path: /etc/postfix/header_checks.pcre + + - name: body_check.pcre + src_path: mailserver/etc/postfix/body_check.pcre + dest_path: /etc/postfix/body_check.pcre + + +copy_plain_files_postfwd: + + # Postfix Firewall postfwd + # + - name: postfwd.cf + src_path: mailserver/etc/postfix/postfwd.cf + dest_path: /etc/postfix/postfwd.cf + + - name: postfwd.bl-hosts + src_path: mailserver/etc/postfix/postfwd.bl-hosts + dest_path: /etc/postfix/postfwd.bl-hosts + + - name: postfwd.bl-nets + src_path: mailserver/etc/postfix/postfwd.bl-nets + dest_path: /etc/postfix/postfwd.bl-nets + + - name: postfwd.bl-sender + src_path: mailserver/etc/postfix/postfwd.bl-sender + dest_path: /etc/postfix/postfwd.bl-sender + + - name: postfwd.bl-user + src_path: mailserver/etc/postfix/postfwd.bl-user + dest_path: /etc/postfix/postfwd.bl-user + + - name: postfwd.wl-hosts + src_path: mailserver/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-nets + src_path: mailserver/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: mailserver/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender + + - name: postfwd.wl-user + src_path: 
mailserver/etc/postfix/postfwd.wl-user + dest_path: /etc/postfix/postfwd.wl-user + +copy_template_files: [] + + +# --- +# vars used by roles/common/tasks/symlink_files.yml +# --- + +symlink_files: [] + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: +ipv4_address: +ipv6_address: + +# postfix_db_type +# + +is_relay_host: + +# sasl_auth_enable: +# +# possible values are: +# !!str "true" +# !!str "false" +sasl_auth_enable: +sasl_user: +sasl_pass: + +# - +# install_amavis.conf +# - + +# db_in_use: +# +# possible values are: +# !!str "true" +# !!str "false" +db_in_use: +# postfix_db_type +# +# possible values are +# 'PostgreSQL' +# 'MySQL' +# +postfix_db_type: +postfix_db_name: +postfix_db_user: +postfix_db_host: +postfix_db_pass: + +# mp_receipt_number +# +# O.OPEN/IL/Warenform: 106015125438 +# +mp_receipt_number: + +# si_authorisation_signature +# +# O.OPEN/IL: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 +# +# Warenform: 76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b +# +si_authorisation_signature: + +# - +# install_postfixadmin.conf +# - + +website_name_postfixadmin: + +#email_welcome_message: "\n +#Hallo,\n +# +#Ihre/Deine neue E-Mail Adresse ist eingerichtet.\n +# +#O.OPEN\n +# +#--\n +#O.OPEN | Phone: +49 30 / 290 484 91\n +#Erkelenzdamm 21 | Fax: +49 30 / 290 484 99\n +#D-10999 Berlin | E-MAIL: oo@oopen.de\n +#" +email_welcome_message: + +# - +# install_update_dovecot.conf +# - + +dovecot_from_address: +dovecot_reply_to: +webmailer_address: + +#salutation: "O.OPEN\n +# +#--\n +#O.OPEN | Phone: +49 30 / 290 484 91\n +#Erkelenzdamm 21 | Fax: +49 30 / 290 484 99\n +#D-10999 Berlin | http://oopen.de" +salutation: + +# - +# install_upgrade_roundcube-webmail.conf +# - + +# First Webmailer +webmail_site_name: +autoreply_hostname: +# possible values: 
'pgsql' or 'mysql' +roundcube_db_type: +roundcube_db_name: +roundcube_db_user: +roundcube_db_host: +roundcube_db_pass: + +roundcube_product_name: +roundcube_support_url: +roundcube_skin_logo: + +# 2 Webmailer +webmaili_2_site_name: +autoreply_2_hostname: +# possible values: 'pgsql' or 'mysql' +roundcube_2_db_type: +roundcube_2_db_name: +roundcube_2_db_user: +roundcube_2_db_host: +roundcube_2_db_pass: + +roundcube_2_product_name: +roundcube_2_support_url: +roundcube_2_skin_logo: + + +# ========== +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# ========== + +samba_server_ip: +samba_server_cidr_prefix: 24 + +apt_install_server_samba: + - samba + - nscd + +# samba_workgroup +# +# example: +# samba_workgroup: MBR +# +samba_workgroup: + +# samba_netbios_name +# +# example: +# samba_netbios_name: FILE-MBR +# +samba_netbios_name: + +# samba_server_min_protocol +# +samba_server_min_protocol: [] + +samba_groups: [] + +# samba_user: +# - name: chris +# groups: +# - group1 +# - group2 +# password: 'H-.T/TvN5S9J' +# +samba_user: [] + +base_home: /home + +# remove_samba_users: +# - name: name1 +# - name: name2 +# +remove_samba_users: [] + +# samba_shares +# +# samba_shares: +# - name: Arbeitsrechtliches +# comment: +# path: /data/shares/Arbeitsrechtliches +# browseable: !!str yes +# read_only: !!str no +# writeable: !!str yes +# guest_ok: !!str no +# file_create_mask: !!str 0660 +# dir_create_mask: !!str 2770 +# valid_users: '%S' +# group_valid_users: mbr-finanzen +# group_write_list: mbr-finanzen +# vfs_object_recycle: true +# recycle_path: '@Recycle.Bin' +# vfs_object_recycle_is_visible: false +# +samba_shares: [] + +samba_cronjob_trash_dirs: + name: Clean up Samba Trash Dirs + minute: "02" + hour: "23" + day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/clean_samba_trash.sh" + +samba_cronjob_permissions: + name: Set (group and access) Permissons for Samba shares + minute: "14" + hour: "23" 
+ day: "*" + month: "*" + weekday: '*' + user: root + job: "/root/bin/samba/set_permissions_samba_shares.sh" + + +# ========== +# vars used by roles/common/tasks/systemd-services.yml +# ========== + +# Take care that if these services are installed, they are running and +# start automatically after boot. +# +debian_services_active_and_started: + - bind + - cron + - haveged + - ntp + - redis-server + - ssh + - tor + +redhat_services_active_and_started: + - crond + - haveged + - named + - ntpd + - redis + - sshd + - tor + + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: {} diff --git a/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf index 2d24a4a..f6f71dc 100644 --- a/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -6,18 +6,97 @@ #----------------------------- #--------------------------------------- -#LOGGING=true -LOGGING=false + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + # - What to check # - check_load=true check_mysql=false +check_mariadb=false + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=true + check_apache=true +check_nginx=false check_php_fpm=true +check_redis=false check_website=false +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. 
+# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + # - Additional Settings for check_mysql # - # - MySQL / MariaDB credentials 
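Review bot: The new CONFLICTING_SCRIPTS documentation names `/tmp/.LOCK` and `/tmp/check_local_webservice.LOCK` as the lock directories for what the paths (`/root/bin/monitoring/...`) indicate is a root-run cron check; a lock that lives in world-writable /tmp is under the control of every local account, so an unprivileged user can pre-create the directory to keep the root check permanently "conflicting" (i.e. silenced), or plant a symlink where the script later removes the lock. If check_webservice_load.sh supports an explicit lock path, the documented default should point at a root-owned location, e.g. `# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/run/lock/check_local_webservice.LOCK"`, and the comment should say that the directory must not be user-writable. The script itself is outside this hunk, so whether it verifies ownership of an existing lock directory is an inference to confirm. The same block also carries typos in option names and text (`ommit_curl_check_nginx`, "loclhost", "VSerber") that are worth fixing while the comments are new, bearing in mind the variable name is read by the script.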
@@ -39,11 +118,47 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--login-path=local" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" # - Additional Settings for check_php_fpm @@ -62,7 +177,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
diff --git a/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf index 0cbc7e6..8a5f19c 100644 --- a/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf @@ -11,15 +11,43 @@ # - LOGGING # - # - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, -# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or # - errors occurs. # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true -check_mysql=true +check_mysql=false +check_mariadb=true # - PostgreSQL # - 
@@ -33,6 +61,26 @@ check_php_fpm=true check_redis=false check_website=false + +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + # - If service is not listen on 127.0.0.1/loclhost, curl check must # - be ommited # - @@ -55,10 +103,10 @@ check_website=false # - # - Giving password on command line is insecure an sind mysql 5.5 # - you will get a warning doing so. -# - +# - # - Reading username/password fro file ist also possible, using MySQL/MariaDB # - commandline parameter '--defaults-file'. -# - +# - # - Since Mysql Version 5.6, you can read username/password from # - encrypted file. # - 
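Review bot: The new TIMEOUT_CHECK_PHP comment is a verbatim copy of the TIMEOUT_CHECK_WEBSITE one ("response from the webserver"), so it does not say which request it actually bounds. Later parts of this file tie the PHP check to `curl_check_host`, `php_versions` and the FPM `ping.path`, so `# Maximum time in seconds to wait for the PHP-FPM ping URL (see php_versions / ping_path) before the check is counted as failed.` would make the distinction clear. Whether the timeout is applied per PHP version or once overall is decided in the script, which is outside this hunk.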
@@ -70,11 +118,48 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" +mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" # - Additional Settings for check_php_fpm @@ -93,7 +178,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
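Review bot: The active setting `mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"` runs the health check as the database superuser; with MariaDB's unix_socket authentication for the root OS user this works without any stored password, which is good, but a liveness probe does not need DBA rights, and the previous `--defaults-file=/etc/mysql/debian.cnf` value was equally privileged, so this is an opportunity rather than a regression. A dedicated account holding only `USAGE`, with its password in a root-only (0600) `[client]` file and `mariadb_credential_args="--defaults-file=/etc/mysql/monitor.cnf"`, would bring the check to least privilege. What check_mariadb actually executes is outside this hunk, so confirm `USAGE` is sufficient before switching.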
@@ -161,7 +246,7 @@ php_version_of_working_url='' # - Notice: # - If single qoutes "'" not needed inside cleanup function, then use single quotes -# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - to enclose variable "cleanup_function". Then you don't have do masquerade any # - sign inside. # - # - Otherwise use double quotes and masq any sign to prevent bash from interpreting. diff --git a/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf index 9549ff9..d813351 100644 --- a/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -16,15 +16,87 @@ # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true -check_mysql=true +check_mysql=false +check_mariadb=true + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=true + check_apache=true +check_nginx=false check_php_fpm=false +check_redis=false check_website=false +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + # - Additional Settings for check_mysql # - # - MySQL / MariaDB credentials 
@@ -46,11 +118,47 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--login-path=local" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" # - Additional Settings for check_php_fpm diff --git a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf index c97f45e..a1de7f7 100644 --- a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -11,15 +11,43 @@ # - LOGGING # - # - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, -# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or # - errors occurs. # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true check_mysql=false +check_mariadb=false # - PostgreSQL # - @@ -33,6 +61,26 @@ check_php_fpm=true check_redis=false check_website=false + +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + # - If service is not listen on 127.0.0.1/loclhost, curl check must # - be ommited # - 
@@ -55,10 +103,10 @@ check_website=false # - # - Giving password on command line is insecure an sind mysql 5.5 # - you will get a warning doing so. -# - +# - # - Reading username/password fro file ist also possible, using MySQL/MariaDB # - commandline parameter '--defaults-file'. -# - +# - # - Since Mysql Version 5.6, you can read username/password from # - encrypted file. # - @@ -70,11 +118,47 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" # - Additional Settings for check_php_fpm 
@@ -93,7 +177,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also @@ -161,7 +245,7 @@ php_version_of_working_url='' # - Notice: # - If single qoutes "'" not needed inside cleanup function, then use single quotes -# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - to enclose variable "cleanup_function". Then you don't have do masquerade any # - sign inside. # - # - Otherwise use double quotes and masq any sign to prevent bash from interpreting. diff --git a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf index 0cbc7e6..e469ff9 100644 --- a/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -16,10 +16,38 @@ # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true -check_mysql=true +check_mysql=false +check_mariadb=true # - PostgreSQL # - @@ -33,6 +61,26 @@ check_php_fpm=true check_redis=false check_website=false + +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + # - If service is not listen on 127.0.0.1/loclhost, curl check must # - be ommited # - 
@@ -70,11 +118,48 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" +mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" # - Additional Settings for check_php_fpm @@ -93,7 +178,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
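Review bot: The documentation in the new check_mariadb block recommends `mysql_config_editor set --login-path=local ...` and an "encrypted" option file, but those are MySQL-only features: the MariaDB client does not ship mysql_config_editor and, as far as I know, neither reads ~/.mylogin.cnf nor accepts --login-path, so a reader following that recipe on this MariaDB host will get an unknown-option error. Even on MySQL the .mylogin.cnf file is obfuscated with a key stored in the file itself, so its real protection is the 0600 file mode rather than the "encryption" the comment promises. Replace the recipe in the mariadb block with the defaults-file form, e.g. `# - Put user/password in a [client] section of a root-only (0600) file and pass --defaults-file=<that file>`, and document that the active value `mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"` relies on unix_socket authentication for the root OS user.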
diff --git a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf index 5fc73c4..a1de7f7 100644 --- a/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf @@ -11,21 +11,49 @@ # - LOGGING # - # - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, -# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or # - errors occurs. # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true check_mysql=false +check_mariadb=false # - PostgreSQL # - # - NOT useful, if more than one PostgreSQL instances are running! # - -check_postgresql=false +check_postgresql=true check_apache=true check_nginx=false 
@@ -33,6 +61,26 @@ check_php_fpm=true check_redis=false check_website=false + +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + # - If service is not listen on 127.0.0.1/loclhost, curl check must # - be ommited # - @@ -55,10 +103,10 @@ check_website=false # - # - Giving password on command line is insecure an sind mysql 5.5 # - you will get a warning doing so. -# - +# - # - Reading username/password fro file ist also possible, using MySQL/MariaDB # - commandline parameter '--defaults-file'. -# - +# - # - Since Mysql Version 5.6, you can read username/password from # - encrypted file. # - 
@@ -70,11 +118,47 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" # - Additional Settings for check_php_fpm @@ -93,7 +177,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
@@ -161,7 +245,7 @@ php_version_of_working_url='' # - Notice: # - If single qoutes "'" not needed inside cleanup function, then use single quotes -# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - to enclose variable "cleanup_function". Then you don't have do masquerade any # - sign inside. # - # - Otherwise use double quotes and masq any sign to prevent bash from interpreting. diff --git a/roles/common/files/mailserver/etc/postfix/smtpd_milter_map b/roles/common/files/mailserver/etc/postfix/smtpd_milter_map new file mode 100644 index 0000000..1e91a57 --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/smtpd_milter_map @@ -0,0 +1,23 @@ +# Disable Milters for local clients. +#127.0.0.0/8 DISABLE +#192.168.0.0/16 DISABLE +#172.16.0.0/12 DISABLE +#::/64 DISABLE + +# Disable Milters for b.mx.oopen.de +162.55.82.73 DISABLE +2a01:4f8:271:1266::73 DISABLE + +# Disable Milters for d.mx.oopen.de +95.217.204.227 DISABLE +2a01:4f9:4a:47e5::227 DISABLE + +# Disable Milters for lists.mx.warenform.de +83.223.86.78 DISABLE +2a01:30:0:13:223:35ff:fef5:84b6 DISABLE + +# Disable Milters for lists36.net +192.68.11.82 DISABLE +2001:678:a40:3000::82 DISABLE + + diff --git a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf index 2b9827b..a1de7f7 100644 --- a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf +++ b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf 
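Review bot: The enabled entries switch off every configured milter for the listed secondary MX and list hosts without recording why those peers are trusted, so mail relayed through them is accepted without the milter checks applied to all other senders; each group should carry the reason, e.g. `# Secondary MX / list relay: milter checks are applied upstream, bypass to avoid double processing`, so the exception can be re-evaluated when a peer changes hands. A cidr table only takes effect when main.cf references it (`smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map`); I do not see that setting in this diff, so confirm it is set elsewhere or the table is inert. The commented local ranges are fine as documentation, but `::/64` is far wider than the IPv6 loopback; if that line is ever enabled it should read `::1/128 DISABLE`. The file ends with two empty lines, which a cidr table ignores but which look unintended.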
@@ -11,30 +11,102 @@ # - LOGGING # - # - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, -# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or # - errors occurs. # --- +# - CONFLICTING_SCRIPTS +# - +# - The scripts listed here conflict with this script. If one of these scripts +# - is currently running, this script will be stopped. +# - +# - In addition to the script, a LOCK directory can also be specified which is +# - connected to it. +# - +# - If no fixed LOCK directory is connected to the script, set +# - this value to the constant 'CHECK_PROCESS_LIST'. +# - +# - If no value for the LOCK directory is given, the LOCK directory +# - '/tmp/.LOCK' is assumed. +# - +# - +# - Example: +# - CONFLICTING_SCRIPTS=" +# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST +# - /root/bin/monitoring/check_remote_websites.sh +# - " +# - +# - Defaults to: +# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK" +# - +#CONFLICTING_SCRIPTS="" + + # - What to check # - check_load=true check_mysql=false +check_mariadb=false + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=true + check_apache=true +check_nginx=false check_php_fpm=true +check_redis=false check_website=false +# TIMEOUT_CHECK_WEBSITE +# +# Maximum time in seconds that you allow for the response from the webserver. +# +# Defaults to: +# TIMEOUT_CHECK_WEBSITE=10 +# +#TIMEOUT_CHECK_WEBSITE=10 + +# TIMEOUT_CHECK_PHP +# +# Maximum time in seconds that you allow for the response from the webserver. 
+# +# Defaults to: +# TIMEOUT_CHECK_PHP=10 +# +#TIMEOUT_CHECK_PHP=10 + + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + # - Additional Settings for check_mysql # - # - MySQL / MariaDB credentials # - # - Giving password on command line is insecure an sind mysql 5.5 # - you will get a warning doing so. -# - +# - # - Reading username/password fro file ist also possible, using MySQL/MariaDB # - commandline parameter '--defaults-file'. -# - +# - # - Since Mysql Version 5.6, you can read username/password from # - encrypted file. # - 
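Review bot: The documented default `CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"` and the fallback `'/tmp/.LOCK'` place the lock under the world-writable /tmp, so any local account can create that path and keep this root-run check from ever starting, and a stale directory left by a crash has the same effect; a root-owned location such as /run or /var/lock is the usual choice, and if /tmp is kept the comment should state that the lock is advisory only. The new wording needs fixing as well: `# - Not VSerber guest host does not support systemd!` is garbled and presumably means `# - A vserver guest does not support systemd!`, and `loclhost` / `ommited` in the ommit_curl_check_nginx block are typos. `check_postgresql=true` is the only new check enabled by default, in a file whose own note warns it is not useful with more than one PostgreSQL instance; confirm that is intended for this host rather than a copy-paste default.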
@@ -46,11 +118,47 @@ check_website=false # - $ mysql --login-path=local ... # - # - Example +# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock" # - mysql_credential_args="--login-path=local" # - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) # - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" # - -mysql_credential_args="" +# - defaults to: +# - mysql_credential_args="--login-path=local" +# - +#mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_mariadb +# - +# - MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock" +# - mariadb_credential_args="--login-path=local" +# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - defaults to empty string +# - mariadb_credential_args="" +# - +#mariadb_credential_args="" # - Additional Settings for check_php_fpm @@ -69,7 +177,7 @@ curl_check_host=127.0.0.1 # - Example: # - php_versions="5.4 5.6 7.0 7.1" # - -php_versions="8.1" +php_versions="8.2" # - If PHP-FPM's ping.path setting does not match ping-$php_major_version, # - set the value given in your ping.path setting here. Give ping_path also 
@@ -137,7 +245,7 @@ php_version_of_working_url='' # - Notice: # - If single qoutes "'" not needed inside cleanup function, then use single quotes -# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - to enclose variable "cleanup_function". Then you don't have do masquerade any # - sign inside. # - # - Otherwise use double quotes and masq any sign to prevent bash from interpreting. diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 index 766a3ff..67d06e9 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 @@ -223,11 +223,17 @@ POSTFIX_DB_TYPE="mysql" # - # - Note: # - Dont't use 'localhost' if your MySQL socket is NOT -# - located at '/var/run/mysqld/mysqld.sock' +# - located at '/run/mysqld/mysqld.sock' # - -# - Defaults to 'unix:/tmp/mysql.sock' +# - Defaults to: +# - 'unix:/tmp/mysql.sock'if this socket exists at intsall time +# - 'unix:/run/mysqld/mysqld.sock' othwerwise # - +{% if (postfix_db_host is defined) and postfix_db_host and "MySQL" == postfix_db_type %} +POSTFIX_DB_HOST_MYSQL="{{ postfix_db_host }}" +{% else %} #POSTFIX_DB_HOST_MYSQL="" +{% endif %} # - Host/Socket of Postfix Database (PostgeSQL) # - @@ -236,7 +242,7 @@ POSTFIX_DB_TYPE="mysql" # - # - Defaults to '/run/postgresql' # - -{% if (postfix_db_host is defined) and postfix_db_host %} +{% if (postfix_db_host is defined) and postfix_db_host and "PostgreSQL" == postfix_db_type %} POSTFIX_DB_HOST_PGSQL="{{ postfix_db_host }}" {% else %} #POSTFIX_DB_HOST_PGSQL=""
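Review bot: The new guard `"MySQL" == postfix_db_type` (and `"PostgreSQL" == postfix_db_type` in the `@@ -236,7 +242,7 @@` hunk) is a case-sensitive string compare, while the surrounding template writes the type in lower case (`POSTFIX_DB_TYPE="mysql"` in the hunk header context); if the inventory sets postfix_db_type as `mysql` or `pgsql` neither branch ever fires and the host silently falls back to the commented default. Comparing a normalized value, `{% if (postfix_db_host is defined) and postfix_db_host and postfix_db_type | lower == "mysql" %}`, or documenting the exact accepted spellings next to the variable, removes that ambiguity. The added comment lines also have typos and a missing space; they should read `# - 'unix:/tmp/mysql.sock' if this socket exists at install time` and `# - 'unix:/run/mysqld/mysqld.sock' otherwise`.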