diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 70f2104..2ebf17d 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -112,6 +112,7 @@ copy_plain_files_sysctl:
src_path: etc/sysctl.d/10-ddos.conf
dest_path: /etc/sysctl.d/10-ddos.conf
+copy_additional_plain_files_sysctl: []
# ---
@@ -1053,7 +1054,7 @@ sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
sshd_pubkey_authentication: !!str "yes"
-sshd_password_authentication: !!str "yes"
+sshd_password_authentication: !!str "no"
sshd_use_pam: !!str "yes"
@@ -1093,6 +1094,7 @@ sshd_hostkeyalgorithms:
# - chacha20-poly1305@openssh.com
# - aes256-gcm@openssh.com
# - aes256-ctr
+ #sshd_ciphers: {}
sshd_ciphers:
- chacha20-poly1305@openssh.com
diff --git a/hosts b/hosts
index 2c34601..c488014 100644
--- a/hosts
+++ b/hosts
@@ -18,7 +18,6 @@ dns1.warenform.de
[extra_hosts]
backup.oopen.de
-backup-neu.oopen.de
gitea.so36.net
backup.so36.net
@@ -150,15 +149,17 @@ o24.oopen.de
cl-irights.oopen.de
mm-irights.oopen.de
-# - o25.oopen.de
-o25.oopen.de
+# - o27.oopen.de
+o27.oopen.de
cl-fm.oopen.de
+cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
o26.oopen.de
-# Backup Server
+# Backup Faire Mobilitaet
o28.oopen.de
# Backup Server
@@ -196,9 +197,6 @@ web-03.oopen.de
web-test.oopen.de
cl-test.oopen.de
-# Backup Faire Mobilitaet
-o37.oopen.de
-
lxc-host-kb.anw-kb.netz
@@ -349,26 +347,26 @@ o24.oopen.de
cl-irights.oopen.de
mm-irights.oopen.de
-# - o25.oopen.de
-o25.oopen.de
+# - o27.oopen.de
+o27.oopen.de
cl-fm.oopen.de
+cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
o26.oopen.de
-# - o28.oopen.de
+# Backup Faire Mobilitaet
o28.oopen.de
+
+# - o29.oopen.de
+o29.oopen.de
backup.oopen.de
git.oopen.de
munin.oopen.de
nscache.oopen.de
-# - o29.oopen.de
-o29.oopen.de
-backup-neu.oopen.de
-git-neu.oopen.de
-
# AK - Server Nextcloud/Jitsi Meet
o30.oopen.de
meet.akweb.de
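Review bot: Flipping the global default `sshd_password_authentication` to `"no"` disables password logins on every host in the inventory at the next sshd restart, and the hunk adds no guard that an authorized key is already in place on each of them. Hosts that still rely on passwords need a host_vars or group_vars override before this rolls out, and the play that writes sshd_config should confirm key-based access works (keeping `sshd_pubkey_authentication` at `"yes"`, as the context line does) before notifying the restart. The `!!str` tag is the right way to keep `"no"` from being read as a boolean; any override should carry it too.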
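Review bot: The commented placeholder `+ #sshd_ciphers: {}` is indented by at least one space while the neighbouring comment lines sit at column 0, and `{}` is an empty mapping although the live `sshd_ciphers:` right below it is a list; whoever uncomments it to clear the cipher list hands a mapping to a consumer that presumably iterates a sequence. Write it flush with the other comments and with the matching empty type: `#sshd_ciphers: []`.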
@@ -402,9 +400,6 @@ web-03.oopen.de
web-test.oopen.de
cl-test.oopen.de
-# Backup Faire Mobilitaet
-o37.oopen.de
-
lxc-host-kb.anw-kb.netz
# ---
@@ -487,10 +482,9 @@ o13-web.oopen.de
test.mariadb.oopen.de
test.mx.oopen.de
-# o28.oopen.de
-munin.oopen.de
-
# o29.oopen.de
+backup.oopen.de
+munin.oopen.de
# o20.oopen.de (srv-cityslang.cityslang.com)
o20.oopen.de
@@ -510,9 +504,17 @@ cl-01.oopen.de
# o24.oopen.de
cl-irights.oopen.de
-# o25.oopen.de
+# o27.oopen.de
cl-fm.oopen.de
+cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
+
+# Backup Faire Mobilitaet
+o28.oopen.de
+
+# o29.oopen.de
+backup.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de
@@ -532,9 +534,6 @@ web-test.oopen.de
b.mx.oopen.de
cl-test.oopen.de
-# Backup Faire Mobilitaet
-o37.oopen.de
-
# ---
# O.OPEN office network
# ---
@@ -744,8 +743,9 @@ test.mx.oopen.de
# o21.oopen.de
mail.cadus.org
-# o25.oopen.de
+# o27.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# o35.oopen.de
e.mx.oopen.de
@@ -788,8 +788,9 @@ lists.mx.warenform.de
o13-board.oopen.de
o13-mail.oopen.de
-# o25.oopen.de
+# o27.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# o35.oopen.de
e.mx.oopen.de
@@ -863,12 +864,19 @@ moodle.oopen.de
cl-irights.oopen.de
mm-irights.oopen.de
-# o25.oopen.de
-cl-fm.oopen.de
-
# Hetzner Cloud CX31 - AK
o26.oopen.de
+# o27.oopen.de
+cl-fm.oopen.de
+cl-fm-neu.oopen.de
+
+# Backup Faire Mobilitaet
+o28.oopen.de
+
+# o29.oopen.de
+backup.oopen.de
+
# o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de
@@ -888,9 +896,6 @@ web-03.oopen.de
web-test.oopen.de
cl-test.oopen.de
-# Backup Faire Mobilitaet
-o37.oopen.de
-
# ---
# Warenform
@@ -947,9 +952,15 @@ cl-01.oopen.de
# o24.oopen.de
cl-irights.oopen.de
-# o25.oopen.de
+# o27.oopen.de
cl-fm.oopen.de
+# o28.oopen.de
+o28.oopen.de
+
+# o29.oopen.de
+backup.oopen.de
+
# o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de
@@ -997,7 +1008,7 @@ o13-mail.oopen.de
# o17.oopen.de
test.mx.oopen.de
-# o28.oopen.de
+# o29.oopen.de
nscache.oopen.de
# o21.oopen.de
@@ -1005,8 +1016,9 @@ mail.cadus.org
o22.oopen.de
-# o25.oopen.de
+# o27.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# o35.oopen.de
d.mx.oopen.de
@@ -1069,7 +1081,7 @@ backup-neu.oopen.de
devel-root.wf.netz
# Backup Faire Mobilitaet
-o37.oopen.de
+o28.oopen.de
# ---
# Warenform
@@ -1155,8 +1167,7 @@ o21.oopen.de
o22.oopen.de
o23.oopen.de
o24.oopen.de
-o25.oopen.de
-o28.oopen.de
+o27.oopen.de
o29.oopen.de
o30.oopen.de
o32.oopen.de
@@ -1248,23 +1259,20 @@ moodle.oopen.de
cl-irights.oopen.de
mm-irights.oopen.de
-# - o25.oopen.de
+# - o27.oopen.de
cl-fm.oopen.de
+cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
o26.oopen.de
-# o28.oopen.de
+# o29.oopen.de
backup.oopen.de
git.oopen.de
-nscache.oopen.de
munin.oopen.de
-nc-gw.oopen.de
-
-# o29.oopen.de
-backup-neu.oopen.de
-git-neu.oopen.de
+nscache.oopen.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de
@@ -1433,26 +1441,25 @@ o24.oopen.de
cl-irights.oopen.de
mm-irights.oopen.de
-# - o25.oopen.de
-o25.oopen.de
+# - o27.oopen.de
+o27.oopen.de
cl-fm.oopen.de
+cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
+mail-neu.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
o26.oopen.de
-# - o28.oopen.de
+# Backup Faire Mobilitaet
o28.oopen.de
+
+# - o29.oopen.de
+o29.oopen.de
backup.oopen.de
git.oopen.de
nscache.oopen.de
munin.oopen.de
-nc-gw.oopen.de
-
-# - o29.oopen.de
-o29.oopen.de
-backup-neu.oopen.de
-git-neu.oopen.de
# AK - Server Nextcloud/Jitsi Meet
o30.oopen.de
@@ -1486,9 +1493,6 @@ web-01.oopen.de
web-test.oopen.de
cl-test.oopen.de
-# Backup Faire Mobilitaet
-o37.oopen.de
-
lxc-host-kb.anw-kb.netz
diff --git a/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf b/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
new file mode 100644
index 0000000..7ad2c64
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
@@ -0,0 +1,4 @@
+
+# Enable packet forwarding for IPv6
+#
+net.ipv6.conf.all.forwarding = 1
diff --git a/roles/common/files/etc/sysctl.d/60-elasticsearch.conf b/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
new file mode 100644
index 0000000..7c197d5
--- /dev/null
+++ b/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
@@ -0,0 +1,8 @@
+
+# Needed by ElasticSearch Installation on virtual guest
+# systems (LX-Containers)
+#
+# The error message there was:
+# max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
+#
+vm.max_map_count = 524288
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index dd7404d..fec35b3 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -54,6 +54,11 @@
name: systemd-journald
state: restarted
+- name: Restart redis-server
+ service:
+ name: redis-server
+ state: restarted
+
- name: Restart tor service
service:
name: tor
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
index 8adc901..1154441 100644
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@@ -126,6 +126,23 @@
tags:
- systctl-config
+- name: (basic.yml) Additional Kernel Parameters (files /etc/sysctl.d/*.conf)
+ copy:
+ src: '{{ item.src_path }}'
+ dest: '{{ item.dest_path }}'
+ owner: root
+ group: root
+ mode: '0644'
+ loop: "{{ copy_additional_plain_files_sysctl }}"
+ loop_control:
+ label: 'dest: {{ item.name }}'
+ when:
+ - inventory_hostname not in groups['lxc_guest']
+ - copy_additional_plain_files_sysctl is defined
+ - copy_additional_plain_files_sysctl|length > 0
+ tags:
+ - systctl-config
+
# ----------
# unattended upgrades
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b5c1e2c..9b896de 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
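Review bot: `net.ipv6.conf.all.forwarding = 1` turns every host that receives this fragment into an IPv6 router, and the header comment does not say which hosts are meant to get it; since it is only deployed through `copy_additional_plain_files_sysctl`, the file should state that. Two side effects belong in the comment as well: with forwarding enabled the kernel ignores Router Advertisements under the default `accept_ra = 1` (a host that gets its address or default route via SLAAC loses it unless `accept_ra = 2` is set on the uplink interface), and forwarded IPv6 traffic is restricted only by the host's ip6tables/nftables forward policy, which this commit does not touch. A header along the lines of `# Only for hosts listed in copy_additional_plain_files_sysctl; forwarding disables RA processing (accept_ra=1) and needs a matching forward-chain firewall policy` would capture that.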
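Review bot: `loop_control.label` renders `item.name`, but the items this loop is fed look like the `copy_plain_files_sysctl` entries in group_vars (`src_path`/`dest_path`); if they carry no `name` key every iteration fails with an undefined-variable error before the copy runs, and `label: 'dest: {{ item.dest_path }}'` matches both the data and the label's own text. Copying a fragment into /etc/sysctl.d does not apply it — unless the preceding sysctl task's handler is reused here, the task needs a `notify` to whatever handler reloads sysctl, or the parameters only take effect at reboot. The `is defined` and `|length > 0` conditions are redundant with looping over a variable that defaults to `[]`; the tag `systctl-config` repeats the existing typo from the context line, which at least keeps it consistent.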
@@ -188,6 +188,14 @@
tags:
- samba-server
+- import_tasks: redis-server.yml
+ when: inventory_hostname in groups['nextcloud_server'] or
+ inventory_hostname in groups['apache2_webserver'] or
+ inventory_hostname in groups['nginx_webserver']
+ tags:
+ - redis-server
+
+
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
diff --git a/roles/common/tasks/redis-server.yml b/roles/common/tasks/redis-server.yml
new file mode 100644
index 0000000..7f77929
--- /dev/null
+++ b/roles/common/tasks/redis-server.yml
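Review bot: The `when:` on the new `import_tasks` is a plain scalar continued over three lines; YAML folds it into one expression so it works, but a block scalar makes the intent explicit and survives re-indentation: `when: >-` followed by the three `or` terms on their own lines. Each `groups['…']` lookup raises an undefined-variable error on an inventory that lacks one of the three groups, so `inventory_hostname in groups.get('nextcloud_server', [])` (and likewise for the other two) keeps the include robust to a partial inventory. Importing the file also pulls in its apt update/upgrade tasks on every matching host, which is worth a one-line comment above the import.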
@@ -0,0 +1,111 @@
+
+---
+
+- name: (redis-server.yml) update
+ apt:
+ update_cache: true
+ cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
+ when: apt_update|bool
+ tags:
+ - redis-server
+
+
+- name: (redis-server.yml) dpkg --configure
+ command: >
+ dpkg --configure -a
+ args:
+ warn: false
+ changed_when: _dpkg_configure.stdout_lines | length
+ register: _dpkg_configure
+ when: apt_dpkg_configure|bool
+ tags:
+ - redis-server
+
+
+- name: (redis-server.yml) upgrade
+ apt:
+ upgrade: "{{ apt_upgrade_type }}"
+ update_cache: true
+ dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+ when: apt_upgrade|bool
+ tags:
+ - redis-server
+
+
+- name: (redis-server.yml) Install redis-server packages
+ apt:
+ name: redis-server
+ state: present
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Determine available users
+ getent:
+ database: passwd
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Determine available groups
+ getent:
+ database: group
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Add user 'www-data' to group 'redis'
+ user:
+ name: www-data
+ groups: redis
+ append: yes
+ when:
+ - "'www-data' in my_users"
+ - "'redis' in my_groups"
+ vars:
+ my_users: "{{ getent_passwd.keys()|list }}"
+ my_groups: "{{ getent_group.keys()|list }}"
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Add user 'webadmin' to group 'redis'
+ user:
+ name: webadmin
+ groups: redis
+ append: yes
+ when:
+ - "'webadmin' in my_users"
+ - "'redis' in my_groups"
+ vars:
+ my_users: "{{ getent_passwd.keys()|list }}"
+ my_groups: "{{ getent_group.keys()|list }}"
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Check if file '/etc/redis/redis.conf.ORIG' exists
+ stat:
+ path: /etc/redis/redis.conf.ORIG
+ register: redis_conf_exists
+ tags:
+ - redis-server
+
+- name: (redis-server.yml) Backup existing file /etc/redis/redis.conf.
+ command: cp -a /etc/redis/redis.conf /etc/redis/redis.conf.ORIG
+ when:
+ - redis_conf_exists.stat.exists == False
+ tags:
+ - samba-server
+
+- name: (redis-server.yml) adjust configuration '/etc/redis/redis.conf'
+ lineinfile:
+ dest: /etc/redis/redis.conf
+ regexp: "{{ item.regexp }}"
+ insertafter: "{{ item.insertafter }}"
+ line: "{{ item.key }} {{ item.val }}"
+ state: present
+ loop:
+ - { regexp: '^bind\s+', key: 'bind', val: '127.0.0.1 ::1', insertafter: '^#\s*bind\s+' }
+ - { regexp: '^port\s+', key: 'port', val: '6379', insertafter: '^#\s*port\s+' }
+ - { regexp: '^unixsocket\s+', key: 'unixsocket', val: '/run/redis/redis-server.sock', insertafter: '^#\s*unixsocketperm' }
+ - { regexp: '^unixsocketperm', key: 'unixsocketperm', val: '770', insertafter: '^unixsocket\s+' }
+ - { regexp: '^logfile', key: 'logfile', val: '/var/log/redis/redis-server.log', insertafter: '^#\s+logfile\s+' }
+ notify: "Restart redis-server"
+ tags:
+ - redis-server
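Review bot: The backup task is tagged `samba-server` while every other task in the file is tagged `redis-server`, so a run limited with `--tags redis-server` skips the `cp -a` and `/etc/redis/redis.conf.ORIG` is never created; change that entry to `- redis-server`. The configuration keeps the loopback TCP listener on `port 6379` next to the group-restricted unix socket (`unixsocketperm 770`), so the `redis` group membership granted to www-data and webadmin is not the only way in — any local account can reach the TCP listener, and no `requirepass` is set here; if the socket is the intended interface for the web stack, `val: '0'` for the `port` entry closes that path. Lint-level points: `redis_conf_exists.stat.exists == False` reads better as `not redis_conf_exists.stat.exists`, `append: yes` should be `append: true`, and `warn: false` under `args:` on the `dpkg --configure` task is a `command` parameter that ansible-core 2.14 removed, so that task will fail on current releases.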