update..

2022-07-20 00:54:30 +02:00 · 2022-07-20 00:54:30 +02:00 · 34d8bccc43
commit 34d8bccc43
parent 9137c0a021
8 changed files with 219 additions and 60 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -112,6 +112,7 @@ copy_plain_files_sysctl:
    src_path: etc/sysctl.d/10-ddos.conf
    dest_path: /etc/sysctl.d/10-ddos.conf
 copy_additional_plain_files_sysctl: []
 # ---
@ -1053,7 +1054,7 @@ sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
 sshd_pubkey_authentication: !!str "yes"
-sshd_password_authentication: !!str "yes"
+sshd_password_authentication: !!str "no"
 sshd_use_pam: !!str "yes"
@ -1093,6 +1094,7 @@ sshd_hostkeyalgorithms:
 #      - chacha20-poly1305@openssh.com
 #      - aes256-gcm@openssh.com
 #      - aes256-ctr
 #sshd_ciphers: {}
 sshd_ciphers:
  - chacha20-poly1305@openssh.com
--- a/122
+++ b/122
@ -18,7 +18,6 @@ dns1.warenform.de
 [extra_hosts]
 backup.oopen.de
 backup-neu.oopen.de
 gitea.so36.net
 backup.so36.net
@ -150,15 +149,17 @@ o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
-# - o25.oopen.de
+# - o27.oopen.de
-o25.oopen.de
+o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # Hetzner Cloud CX31 - AK
 o26.oopen.de
-# Backup Server
+# Backup Faire Mobilitaet
 o28.oopen.de
 # Backup Server
@ -196,9 +197,6 @@ web-03.oopen.de
 web-test.oopen.de
 cl-test.oopen.de
 # Backup Faire Mobilitaet
 o37.oopen.de
 lxc-host-kb.anw-kb.netz
@ -349,26 +347,26 @@ o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
-# - o25.oopen.de
+# - o27.oopen.de
-o25.oopen.de
+o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # Hetzner Cloud CX31 - AK
 o26.oopen.de
-# - o28.oopen.de
+# Backup Faire Mobilitaet
 o28.oopen.de
 # - o29.oopen.de
 o29.oopen.de
 backup.oopen.de
 git.oopen.de
 munin.oopen.de
 nscache.oopen.de
 # - o29.oopen.de
 o29.oopen.de
 backup-neu.oopen.de
 git-neu.oopen.de
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
 meet.akweb.de
@ -402,9 +400,6 @@ web-03.oopen.de
 web-test.oopen.de
 cl-test.oopen.de
 # Backup Faire Mobilitaet
 o37.oopen.de
 lxc-host-kb.anw-kb.netz
 # ---
@ -487,10 +482,9 @@ o13-web.oopen.de
 test.mariadb.oopen.de
 test.mx.oopen.de
 # o28.oopen.de
 munin.oopen.de
 # o29.oopen.de
 backup.oopen.de
 munin.oopen.de
 # o20.oopen.de (srv-cityslang.cityslang.com)
 o20.oopen.de
@ -510,9 +504,17 @@ cl-01.oopen.de
 # o24.oopen.de
 cl-irights.oopen.de
-# o25.oopen.de
+# o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # Backup Faire Mobilitaet
 o28.oopen.de
 # o29.oopen.de
 backup.oopen.de
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
@ -532,9 +534,6 @@ web-test.oopen.de
 b.mx.oopen.de
 cl-test.oopen.de
 # Backup Faire Mobilitaet
 o37.oopen.de
 # ---
 #  O.OPEN office network
 # ---
@ -744,8 +743,9 @@ test.mx.oopen.de
 # o21.oopen.de
 mail.cadus.org
-# o25.oopen.de
+# o27.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # o35.oopen.de
 e.mx.oopen.de
@ -788,8 +788,9 @@ lists.mx.warenform.de
 o13-board.oopen.de
 o13-mail.oopen.de
-# o25.oopen.de
+# o27.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # o35.oopen.de
 e.mx.oopen.de
@ -863,12 +864,19 @@ moodle.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
 # o25.oopen.de
 cl-fm.oopen.de
 # Hetzner Cloud CX31 - AK
 o26.oopen.de
 # o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 # Backup Faire Mobilitaet
 o28.oopen.de
 # o29.oopen.de
 backup.oopen.de
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
@ -888,9 +896,6 @@ web-03.oopen.de
 web-test.oopen.de
 cl-test.oopen.de
 # Backup Faire Mobilitaet
 o37.oopen.de
 # ---
 # Warenform
@ -947,9 +952,15 @@ cl-01.oopen.de
 # o24.oopen.de
 cl-irights.oopen.de
-# o25.oopen.de
+# o27.oopen.de
 cl-fm.oopen.de
 # o28.oopen.de
 o28.oopen.de
 # o29.oopen.de
 backup.oopen.de
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
@ -997,7 +1008,7 @@ o13-mail.oopen.de
 # o17.oopen.de
 test.mx.oopen.de
-# o28.oopen.de
+# o29.oopen.de
 nscache.oopen.de
 # o21.oopen.de
@ -1005,8 +1016,9 @@ mail.cadus.org
 o22.oopen.de
-# o25.oopen.de
+# o27.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # o35.oopen.de
 d.mx.oopen.de
@ -1069,7 +1081,7 @@ backup-neu.oopen.de
 devel-root.wf.netz
 # Backup Faire Mobilitaet
-o37.oopen.de
+o28.oopen.de
 # ---
 # Warenform
@ -1155,8 +1167,7 @@ o21.oopen.de
 o22.oopen.de
 o23.oopen.de
 o24.oopen.de
-o25.oopen.de
+o27.oopen.de
 o28.oopen.de
 o29.oopen.de
 o30.oopen.de
 o32.oopen.de
@ -1248,23 +1259,20 @@ moodle.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
-# - o25.oopen.de
+# - o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # Hetzner Cloud CX31 - AK
 o26.oopen.de
-# o28.oopen.de
+# o29.oopen.de
 backup.oopen.de
 git.oopen.de
 nscache.oopen.de
 munin.oopen.de
-nc-gw.oopen.de
+nscache.oopen.de
 # o29.oopen.de
 backup-neu.oopen.de
 git-neu.oopen.de
 # o30.oopen.de - AK Server Nextcloud/Jitsi Meet
 meet.akweb.de
@ -1433,26 +1441,25 @@ o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
-# - o25.oopen.de
+# - o27.oopen.de
-o25.oopen.de
+o27.oopen.de
 cl-fm.oopen.de
 cl-fm-neu.oopen.de
 mail.faire-mobilitaet.de
 mail-neu.faire-mobilitaet.de
 # Hetzner Cloud CX31 - AK
 o26.oopen.de
-# - o28.oopen.de
+# Backup Faire Mobilitaet
 o28.oopen.de
 # - o29.oopen.de
 o29.oopen.de
 backup.oopen.de
 git.oopen.de
 nscache.oopen.de
 munin.oopen.de
 nc-gw.oopen.de
 # - o29.oopen.de
 o29.oopen.de
 backup-neu.oopen.de
 git-neu.oopen.de
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@ -1486,9 +1493,6 @@ web-01.oopen.de
 web-test.oopen.de
 cl-test.oopen.de
 # Backup Faire Mobilitaet
 o37.oopen.de
 lxc-host-kb.anw-kb.netz
--- a/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
+++ b/roles/common/files/etc/sysctl.d/30-enable-ipv6.conf
@ -0,0 +1,4 @@
 # Enable packet forwarding for IPv6
 #
 net.ipv6.conf.all.forwarding = 1
--- a/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
+++ b/roles/common/files/etc/sysctl.d/60-elasticsearch.conf
@ -0,0 +1,8 @@
 # Needed by ElasticSearch Installation on virtual guest
 # systems (LX-Containers)
 #
 # The error message there was:
 #    max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
 #
 vm.max_map_count = 524288
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -54,6 +54,11 @@
    name: systemd-journald
    state: restarted
 - name: Restart redis-server
  service:
    name: redis-server
    state: restarted
 - name: Restart tor service
  service: 
    name: tor
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@ -126,6 +126,23 @@
  tags:
    - systctl-config
 - name: (basic.yml) Additional Kernel Parameters (files  /etc/sysctl.d/*.conf)
  copy:
    src: '{{ item.src_path }}'
    dest: '{{ item.dest_path }}'
    owner: root
    group: root
    mode: '0644'
  loop: "{{ copy_additional_plain_files_sysctl }}"
  loop_control:
    label: 'dest: {{ item.name }}'
  when: 
    - inventory_hostname not in groups['lxc_guest']
    - copy_additional_plain_files_sysctl is defined
    - copy_additional_plain_files_sysctl|length > 0
  tags:
    - systctl-config
 # ----------
 # unattended upgrades
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -188,6 +188,14 @@
  tags:
    - samba-server
 - import_tasks: redis-server.yml
  when: inventory_hostname in groups['nextcloud_server'] or 
        inventory_hostname in groups['apache2_webserver'] or
        inventory_hostname in groups['nginx_webserver']
  tags:
    - redis-server
 # tags supportetd inside caching-nameserver.yml
 #
 # apt-caching-nameserver
--- a/roles/common/tasks/redis-server.yml
+++ b/roles/common/tasks/redis-server.yml
@ -0,0 +1,111 @@
 ---
 - name: (redis-server.yml) update
  apt:
    update_cache: true
    cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
  when: apt_update|bool
  tags:
    - redis-server
 - name: (redis-server.yml) dpkg --configure
  command: >
    dpkg --configure -a
  args:
    warn: false
  changed_when: _dpkg_configure.stdout_lines | length
  register: _dpkg_configure
  when: apt_dpkg_configure|bool
  tags:
    - redis-server
 - name: (redis-server.yml) upgrade
  apt:
    upgrade: "{{ apt_upgrade_type }}"
    update_cache: true
    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
  when: apt_upgrade|bool
  tags:
    - redis-server
 - name: (redis-server.yml) Install redis-server packages
  apt:
    name: redis-server
    state: present
  tags:
    - redis-server
 - name: (redis-server.yml) Determine available users
  getent:
    database: passwd
  tags:
    - redis-server
 - name: (redis-server.yml) Determine available groups
  getent:
    database: group
  tags:
    - redis-server
 - name: (redis-server.yml) Add user 'www-data' to group 'redis'
  user:
    name: www-data
    groups: redis
    append: yes
  when:
    - "'www-data' in my_users"
    - "'redis' in my_groups"
  vars:
     my_users: "{{ getent_passwd.keys()|list }}"
     my_groups: "{{ getent_group.keys()|list }}"
  tags:
    - redis-server
 - name: (redis-server.yml) Add user 'webadmin' to group 'redis'
  user:
    name: webadmin
    groups: redis
    append: yes
  when:
    - "'webadmin' in my_users"
    - "'redis' in my_groups"
  vars:
     my_users: "{{ getent_passwd.keys()|list }}"
     my_groups: "{{ getent_group.keys()|list }}"
  tags:
    - redis-server
 - name: (redis-server.yml)  Check if file '/etc/redis/redis.conf.ORIG' exists
  stat:
    path: /etc/redis/redis.conf.ORIG
  register: redis_conf_exists
  tags:
    - redis-server
 - name: (redis-server.yml) Backup existing file /etc/redis/redis.conf.
  command: cp -a /etc/redis/redis.conf /etc/redis/redis.conf.ORIG
  when:
    - redis_conf_exists.stat.exists == False
  tags:
    - samba-server
 - name: (redis-server.yml) adjust configuration '/etc/redis/redis.conf'
  lineinfile:
    dest: /etc/redis/redis.conf
    regexp: "{{ item.regexp }}"
    insertafter: "{{ item.insertafter }}"
    line: "{{ item.key }} {{ item.val }}"
    state: present
  loop:
      - { regexp: '^bind\s+', key: 'bind', val: '127.0.0.1 ::1', insertafter: '^#\s*bind\s+' }
      - { regexp: '^port\s+', key: 'port', val: '6379', insertafter: '^#\s*port\s+' }
      - { regexp: '^unixsocket\s+', key: 'unixsocket', val: '/run/redis/redis-server.sock', insertafter: '^#\s*unixsocketperm' }
      - { regexp: '^unixsocketperm', key: 'unixsocketperm', val: '770', insertafter: '^unixsocket\s+' }
      - { regexp: '^logfile', key: 'logfile',  val: '/var/log/redis/redis-server.log', insertafter: '^#\s+logfile\s+' }
  notify: "Restart redis-server"
  tags:
    - redis-server