ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move firewall script to roles. Adjust hosts. ..

Browse Source
This commit is contained in:
Christoph 2019-09-04 04:04:57 +02:00
parent 3e4b1cf988
commit 444674e8f7
16 changed files with 2012 additions and 1311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
firewall.yml Normal file
View File

@ -0,0 +1,6 @@
---
- hosts: all
roles:
- firewall

12
group_vars/all/main.yml
View File

@ -11,7 +11,6 @@ apt_ansible_dependencies:
- python3-apt
- lsb-release
- apt-transport-https
- apt-transport-tor
- dbus
- sudo
- vim
@ -125,7 +124,6 @@ apt_upgrade_dpkg_options:
apt_initial_install_stretch:
- apt-transport-https
- apt-transport-tor
- dbus
- openssh-server
- rssh
@ -237,7 +235,6 @@ apt_initial_install_stretch:
apt_initial_install_buster:
- apt-transport-https
- apt-transport-tor
- dbus
- openssh-server
- rush
@ -475,6 +472,10 @@ apt_install_state: latest
apt_remove:
- rpcbind
- apt-transport-tor
- tor
- tor-geoipdb
- torsocks
apt_remove_purge: false
@ -718,7 +719,10 @@ git_apache2_repositories:
# ---
# group [nginx_webserver]
# ---
git_nginx_repositories: []
git_nginx_repositories:
- name: nginx
repo: https://git.oopen.de/install/nginx
dest: /usr/local/src/nginx
# ---

21
host_vars/nscache.oopen.de.yml
View File

@ -1,5 +1,21 @@
---
# ---
# used at role 'firewall'
# ---
is_local_resolver: true
resolver_allowed_ipv4_networks:
- 192.68.11.64/27
- 194.150.169.136/29
- 138.201.23.195
- 138.201.23.196
resolver_allowed_ipv6_networks:
- 2001:678:a40:3000::/64
- 2a01:4f8:171:2895::195
- 2a01:4f8:171:2895::196
# ---
# vars used by roles/ansible_dependencies
# ---
@ -67,6 +83,11 @@ acl_caching_nameserver:
- /* Backup wipe.so36.net / backup.so36.net */
- 194.150.169.139;
- 194.150.169.138;
- // site36.net
- 138.201.23.195;
- 138.201.23.196;
- 2a01:4f8:171:2895::195;
- 2a01:4f8:171:2895::196;
- sinma:
name: sinma
entries:

164
host_vars/site36.net
View File

@ -1,164 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.so36.net
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.so36.net.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_root_ssh_keypair: true
root_ssh_keypair:
- name: backup
login: root
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.so36.net
default_user:
- name: ckubu
password: $6$eLO.YJBg$YryN2tvRhI9HK3vffWcid7KH2uyh0e67KhbPp9FxW/bdUAepk/9GB5re7n/DXWhpthf3ifPCznPHU24X2YQVV/
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
- name: defa
password: $6$LMelojO.$TY0vb.xSBparEY5O7p86YT.E4RXKVH0bDfwGsszuFS6EAl3oh.s6V.jIZYg56P1RTDiVUh4A0BOwk87Q/utaS1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAmPpPUHYmhTlN97lPAIdDjmkvM4xbCrWHiAjJJ7RdM8lW6hLbBaiMgbUwULOB86FB49V2YSoaVX09UkxJOCf15TYbq79P7W2x2UtFzYxVEVgpr/HVhJjytEDzmFYbsNN3VDK/2JEFqYqtLpTXOqf/TFihmqbvfbkUQOK/NMbE8udxj/RHnwRDMaJJ0IP7L6Z/v5s654H75nv7/IRm8Ov5DmcJyz9BcEL7fpow2HYexUzUozWN9zMXabrQ5AtEeJ0FYuBFIkYPLaUQ+WJ5bLCmoeE81+SIl+fw0UG5Zeb6SMo+NFFaMBIvwyEsNVyz9Gf2SUq/9weTr0JxVdCGKmEZLj9imcr2WtQxcXRhjTzAyq4m8F/2uA9GkisFUM2VybfZxNtkTZdIEHYE1X/36PYNI7P8Cp98cM7EKNLaPniDuQRh7IBixVt9oxxwxVFjZrG21ySanvg6GnpHHAkhM2nlwA0zcDMYd2h5rJt9JB8s8UQplTJzmo+lAbGBc47pZr4J0BKywjTsfQtQed1kClm/oEjO19mvRIC5DBznBtWJ4jWeTsjs91tEARE7LforRCy2VkA2rNxPsWz6Iks/towoySuWz8oUmA0FdfE5ULUavuv4uFZQXurIX0AvyWp3dg8dG2srnoZqqagr3VdZT7jV5nlNICeaEFbb5iShaxDBoBk= defa@walther'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLT3rq/wQpGV0Rn57qnD6PswMYmamUS8gqv2DqlwOrNxfrfO8X/H139KQNHE4blMPaGQ+9OzugkZzzp9SC/Tud7bdt9HI50WOe4xYqd8uiGywWznsTTvcHQeT5UqGiwzRwy5ozdzlTJIcbJt7NhwUwtVUGCFuW20jjWpyHBNMJPHkL6by+4APGF6jWO+crSvAqodvi544Uw9BCSzInSkxUbrgt97ta6QYgcdHrOGUv7Pe9qITFUPeuMmFDkq1wYIcXyfa6lUXvj+QxHVsnMee50HJhlHlUAc2PmyvZX5xl0H7hM9AwWbSSfstRn4nL7pmkcfSGv5Y2RQly8AT5UAgT defa@split'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDakC8eT7Uv2TS0lPDoBpuowHbCCP/4xM9DnRljVrI9l9Kdta5avRovpa8qHxnapY8+CWqx28+TcqmRw/y342Vf2BErXuoDeR5JtpZhiOZs27Km+FwG3Xwp4jcx2yYSksMuHzq7d2yL8pW9bL0/l6StJL/4DXaFg0Ym2ZSv/0CZG4HLSc4AC2UhMqwqgf7YFissm0Qc2iJru6S1RBTNL1hIVxe1KQz85VwU+VUtimacHQQDZ2VgSMHXSTRM2+naJMhLd4TrU0SGyQWYCcqch6lksNiFqVnDSa8P55rOG2eolY3cHraRI+x5s/wXLLoSWzt4aEm3GZPEkogAmX5CaECE4bV1gNk+4kVlW2ZEPeFGF1yUJgd+cqTzPT2JqusVfjLhDMsjmHpfBz/E3TuPBy18hYeRAa3zUPWRDlntPzHrcRb0E3EgLlojcA8w0g+3KBDL5psa7t16MtrEC/pQJ/VM1C/ZBRfsFGDRzyY+AnIkEif6BwHtyOhXaETKmlt+tC8oueWMtdbM85mFFEyWYLPccp0NlRdgtPh5AylotSdaRhfmZqKHtqcrieuwKLBGpZB/WQ0l7HRn4lVg1TzePUaSYCSPiCcflts9VMJJBhp/KbqWJoEwWQiRNkkhKUOC48crzI3s9QNNyqy/aLTPFjn0OsHa0SW9MQOaSTFsKwryfQ== defa@work'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxdRSyPmX5CyzgxyV4nrF2Q7Zu0lQikgNQSTt2o8jrakSlngCNT1u9vFnbT2tynBuCEd9fE05AKqwg7m9+X3FeBzq/PF0CiS1GdanyJkNoW3RIWSeO0Amt+yxCNTmr3hSPCR5hwyWT+gAYjLYyOfbMUi66NVFiXRuSvuZ1+z5iGgdRIGlxVI74V/6tO7CLwMEEUxs8tXu6y96u8bvQowTEBixfEhzOlS/NbkZElsBcJ0+eZJ/GzN4RuFxYjd2pmz5UL4gHFcXVMSs/Wq13XWtdlzawM5K9wfFZJ83UYGxHfW0OjvqSZ8IlZSVQeEEy9UKsMwrN16qznI5Od4XmbIMd'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAD95P6omJldgvTdsdibJDAqq0gVAyiKL6zdZEUIxDu1r+pFZHmAB554C+9I2XN9DFm3c/V2Aix7ni2DRT6IWV8GgLAFxCgf2uaL7fghRNwfYMLTLuJXRzcEpO8Ph9Nz45YO/7n1GN2MNm8swxlMrl2ewkrvD6TTc3t4em8n3NxO5iqbKM/U8GUmyiRYGeC2KRy8HA3PNGeGvv0uGIS3KurIMdPRVFyKUt0xkMwvHeP1AIC8DIAPvD6CJf9tB8OmFxnibvrXXZCfzbgi59aJ6TRpM8qzq6gG3EtqR4x6X9gZ0h4lpsOxiUOetzemej0CY3K19tZsTjGR879h0+s8/b root@rambox.spreebytes.net'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCog1AKXq/JlrFFAIE43jkGhHBZXayU8kc/xxQau7UPnOJNtt/NTt0zrdb0HA4Y4OYyZY/PZ424ufFio6yTeGnQEKRbYLh/Ot8KxemywODuimtHxTFo6wWjdNIbwTwr/erDy7THiUptYKJdyMnbUNkhB41Ea0mCsoJvw6f49P1uO0+4nLmmKLxo6qfKyreDKcydh2dIOcetc7x3zV+1WsCSWwQdtPfW2O9MJki/33sQzXyra+FrtCafXN+Zzwo6oqgymx1m3ErkNCWpOzUq4MDTORFKUq7girlVmWjL7KYBfFVWn9FZy0SYXulQLxd0nO0xhQslyQE+2KI5uECRKRoyw53v0h5P2lX2XWIQb3cypRJNlychgaqQJH4mp2XLOgQb3t84KcOKMw7jgU0NUby26MQ84m+P0bQZu4NWuBd8arjR7dPNjTEF+mWSy7YrlIUoF6jdqqZ/+N+fX+3S5abzOPfLCJSLXrd9xvA1q38tU3xdoTaRuKRmdXCmjadN/xh6nq4tZ4YoILDevGJaaMj2Mw9xA2YE8r1xI5MmhZ/lds4l4qii+0eA3A45pic674hiTUhgATuMKAtFrNTeIU7vEcmF17bL5J0s98CkR2dS9czrqeEEQZKy5kcr0gdMGd+dOy1pd3x+P8Xtwg/WgW6yVcmGWvj9XIejL3CcUHJeDQ== defa@devnull'
- name: init
password: $6$NcRlPYtm$1YiBoiJUcEwB1ovXYLpQ.OM/ehceh46/G2K4jz0I/PK7tJzD/HDoKhaKVYEIe.uWld6zC63GrgEhq.UMJzFuS1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcOAGa9XHPVGx7k5YWptABoMs2f1+OeqRr6UFXveCWtjdDuk+YUAWl1W8TlDaFmw0+kLGk4Sg5TEcDzlVL+9L1Du044mwieeGQx5WRnz2vtg9XP/AP19jmpn1gTUPt5HGvFWVCeCDkMnc2aEz+fbW1MGN3ZxRNXhoNZfSS/jC7B0RANu1o3nPDQ3fGxFee02bAWi76To+0dJJppH02qSmlkOSUExOI+9i5WSog5KuCim25isLTIwv/GJNWAASL2/OUMuH82mX1EIS6qRdvcRufWH8qxTAkSeNrLUjiJOtCcE9dchS566KDs8p0U02PBN/92VB9aS/ErQ23l7llVr4jr776qBlUQn4vMxv1MG9ETM+/tUErYNDYazx+FV4NT90sxvepc+8I/q0AZjD2HNp6P25LgPNIhegNznnF/Twy9wW4Jn50FB4GMf8tHCeD9clXOMA1gSGGQiyeyly+wzZ5eLduwWAtzzYJ7MpOfncPYq2kKqs/29p77/0fvdbH2zzJQDbR2A0kHK1z3K6A7I8c+dBdcf2Kb5pvmglHjjSS06rD3oJtl3EvTfBe7AFhCou+zaaIf9fjMyM5upOu/ik23gRcDD32pX6Y0ltixfIWm6PV+Rgl88q6mOeLMwnItKtXID/O2908JE4dyLao2JeauzhXBJjMY2yzbcPLSlz2xw== so_init_03'
- name: alex
password: $6$.3m20/Um$nTsNhF5jwIF.FMW4gTqRt0o3S8B81q6UuRnMYQ9om77DwOTsPgm5RgCkX90PbPShPe3BYVBQvJp7e53qPedie.
shell: /usr/bin/zsh
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMyXy0+TVREnROtJOzuFFrFW18UXaRyWWLm4Z1vCOXU home'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb9VsHdwzIW8MpEtOKzWPJW+toe1UL1odj4k0mtYPac work'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJywUxxa2hNC8DNGmiyyLDaY0BP8muqqR1upMS8vBx6O laptop'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKDhjGkGJNO9pmc3CDp0fi4TXmkXP1hm6wzAdqiMphE netbook'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINk3tyHir3go59oZnp98WhauGJNwf6KTRYcBvfFMs8fY mobile'
- name: alis
password: $6$w9SVHwkQ$PrVrCuugHTObqdBMJNdHV4xkgUf.FPwD4a1HA6mFbPwZPApdcnTSTNWwFJgGu5p5/5lL0Tw4TFDPVaN2Y6O44/
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEXvi4aBvd8777iALbpxMvzXdX+LnFYEOzHPuBEMjFt7+LArqqpfqU4rSCtfMD3QExAYbstIj0K/eyQ3S+Oe+Ry4Fr3hkZOtkpZF+MW1yvO2m1QuEzj+/2C9SU+yhGLo4cyIZN59wJOodWmLNy4u/vIQw305AHVwBdyE0zdq/5WRngk5nJmyjZHw7/rX5DPRgxOWk1zjruXt6mWoImRPk0Cy4jpouIl6DQ9gawryryX9+9E6aSI6Ona7ngUxKGcwe3ec3CM66c83J7xfC17EiZccjrJ+u9UPIlsXNs/ka3W/625wHTHCIaj2uOL2JZOj/TboZETPti5LO1fA5iLww+Iu1eGVPncdxojSgAcv4fcDKIG+IrEf8RyP7z7kABQH0jB+4jrnpptkOulrxccAYBxKp9AA0fp0dRo1IdSZ8IEnXluJ5pg2N73SFi/1MyC67urWC/qqhK5C32WjezDoXUx/n9DE9gKsFID6vEHmIZsuD1ohsIbksLkLq0Guh8goLfFxATJEdj1CpL+FtpaCcMLFSYYgSZwVsoCeEXz8h4nlYy8w7+kcweJIEJstjLHziZ0oIwmmRxqGLIeLrfQRF7miFUJzgIVmj+wIHrhk11ZdceP9RNT/TpnYFQvICRFJp7tYS4+uYS4rdNgJ0o9VtyHEoFrCKtB7mHvl1/MFGoYw== alis@mail36.net'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
sudo_users:
- chris
- sysadm
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

68
host_vars/site36.net.yml
View File

@ -1,68 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
- 22
- 1036
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

59
host_vars/test.mx.oopen.de.yml Normal file
View File

@ -0,0 +1,59 @@
---
# ---
# vars used by role 'firewall'
# ---
is_web_server: true
is_mail_server: true
dovecot_auth_service_port: 44444
has_dovecot_auth_service_ipv4: false
has_dovecot_auth_service_ipv6: false
dovecot_auth_allowed_network_ipv4:
- 192.68.11.79
dovecot_auth_allowed_network_ipv6:
- 2001:678:a40:3000::/64
- 2a01:30:0:13:2f7:50ff:fed2:cef7
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
insert_sudoers_back_postgres_privileges: True
insert_sudoers_postfixadmin_privileges: True
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

62
hosts
View File

@ -12,26 +12,7 @@ a.ns.oopen.de
[extra_hosts]
o25.oopen.de
test.mx.oopen.de
ga-st-lxc1.ga.netz
gw-ah.kanzlei-kiel.netz
gw-akb.akb.netz
gw-ro.ro.netz
gw-irights.irights.netz
gw-opp.opp.netz
gw-mbr.oopen.de
ga-st-gw.oopen.de
ga-nh-gw.oopen.de
ga-al-gw.oopen.de
ga-st-gw-ersatz.ga.netz
gw-ak.oopen.de
reachout.homelinux.org
gw-spr.oopen.de
gw-km.oopen.de
server27.warenform.de
verdi-django.warenform.de
verdi-es.warenform.de
lobbycal.oopen.de
@ -101,6 +82,7 @@ limesurvey.oopen.de
o12.oopen.de
c.mx.oopen.de
initiativenserver.oopen.de
lobbycal.oopen.de
o13.oopen.de
o13-board.oopen.de
@ -213,6 +195,7 @@ limesurvey.oopen.de
# o12.oopen.de
initiativenserver.oopen.de
c.mx.oopen.de
lobbycal.oopen.de
# o13.oopen.de
o13-mail.oopen.de
@ -349,6 +332,9 @@ devel-todo.wf.netz
# o10.oopen.de
etherpad.oopen.de
# o12.oopen.de
lobbycal.oopen.de
# o13.oopen.de
o13-board.oopen.de
o13-pad.oopen.de
@ -505,6 +491,7 @@ limesurvey.oopen.de
# o12.oopen.de
c.mx.oopen.de
initiativenserver.oopen.de
lobbycal.oopen.de
# o13.oopen.de
o13-board.oopen.de
@ -704,6 +691,16 @@ anita.wf.netz
#test.mx.oopen.de
[local_resolver]
nscache.oopen.de
[ntp_server]
[xmpp_server]
[lxc_host]
# ---
@ -766,6 +763,7 @@ limesurvey.oopen.de
# - o12.oopen.de
c.mx.oopen.de
initiativenserver.oopen.de
lobbycal.oopen.de
# - o13.oopen.de
o13-board.oopen.de
@ -903,6 +901,7 @@ limesurvey.oopen.de
o12.oopen.de
c.mx.oopen.de
initiativenserver.oopen.de
lobbycal.oopen.de
# - o13.oopen.de
o13.oopen.de
@ -1053,29 +1052,6 @@ devel-repos.wf.netz
devel-todo.wf.netz
devel-wiki.wf.netz
#[so36_server]
#devnull.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#codecoop.org ansible_ssh_port=22 ansible_user=ckubu
#comm.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#noc.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#ns.so36net.de ansible_ssh_port=1036 ansible_user=ckubu
#rage.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#resolver-a.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#resolver-b.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#schleuder3.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#shell.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#sympa.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#usr-db.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#web.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#suck.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#wipe.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#backup.so36.net ansible_ssh_port=1036 ansible_user=ckubu
#
#o18.oopen.de ansible_ssh_port=1036 ansible_user=chris
#site36.net ansible_ssh_port=1036 ansible_user=ckubu
[oopen_office_ga]
# - GA - Gemeinschaft Altensclirf

2
open_the_vault.sh
View File

@ -2,7 +2,7 @@
echoerr() { echo "$@" 1>&2; }
PWFILE="$HOME/.private/ansible-oopen-vault-passphrase"
PWFILE="$HOME/.private/ansible/ansible-oopen-vault-passphrase"
if test ! -f "$PWFILE"
then

7
roles/common/templates/etc/bind/named.conf.options.j2
View File

@ -33,6 +33,13 @@ options {
//========================================================================
dnssec-validation auto;
// version statement - inhibited for security
// (avoids hacking any known weaknesses)
version "not currently available";
// disables all zone transfer requests
allow-transfer{"none";};
// caching name services
recursion yes;

40
roles/firewall/defaults/main.yml Normal file
View File

@ -0,0 +1,40 @@
---
is_dns_server: false
is_local_resolver: false
resolver_allowed_ipv4_networks: ""
resolver_allowed_ipv6_networks: ""
is_ntp_server: false
ntp_allowed_ipv4_net: ""
ntp_allowed_ipv6_net: ""
is_web_server: false
is_mail_server: false
dovecot_auth_service_port: ""
has_dovecot_auth_service_ipv4: false
has_dovecot_auth_service_ipv6: false
dovecot_auth_allowed_network_ipv4: {}
dovecot_auth_allowed_network_ipv6: {}
is_list_server: false
is_ftp_server: false
is_xmpp_server: false
xmpp_has_dovecot_auth: false
xmpp_dovecot_auth_service_ipv4: ""
xmpp_dovecot_auth_service_ipv6: ""
is_mumble_server: false
sshd_ports:
- 1036
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server

20
roles/firewall/handlers/main.yml Normal file
View File

@ -0,0 +1,20 @@
- name: Restart ulogd
service:
name: ulogd
state: restarted
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
when:
- interfaces_ipv4_exists.stat.exists
- main_ipv4_exists.stat.exists
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
when:
- interfaces_ipv6_exists.stat.exists
- main_ipv6_exists.stat.exists

1733
roles/firewall/tasks/main.yml Normal file
View File

File diff suppressed because it is too large Load Diff

16
roles/firewall/templates/etc/systemd/system/ip6t-firewall.service.j2 Normal file
View File

@ -0,0 +1,16 @@
# {{ ansible_managed }}
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ip6t-firewall-server start
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target

16
roles/firewall/templates/etc/systemd/system/ipt-firewall.service.j2 Normal file
View File

@ -0,0 +1,16 @@
# {{ ansible_managed }}
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-server start
ExecStop=/usr/local/sbin/ipt-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target

1031
scripts/install-update-firewall.yml
View File

File diff suppressed because it is too large Load Diff

66
scripts/modify-postfix-main-dot-cf.yml Normal file
View File

@ -0,0 +1,66 @@
---
- hosts: all
tasks:
- name: Check if file '/etc/postfix/main.cf' exists
stat:
path: /etc/postfix/main.cf
register: postfix_main_cf_exists
# ---
# /etc/postfix/main.cf: compatibility_level = 2
# ---
- name: Check if String 'compatibility_level =..' is present
shell: grep -q -E "^\s*compatibility_level\s*=" /etc/postfix/main.cf
register: compatibility_level_present
when: postfix_main_cf_exists.stat.exists
failed_when: "compatibility_level_present.rc > 1"
changed_when: "compatibility_level_present.rc > 0"
- name: Adjust file '/etc/postfix/main.cf' (compatibility_level)
blockinfile:
path: /etc/postfix/main.cf
insertafter: '^#\s*=+\s*Basic\s*settings\s*=+'
block: |
# Disable backwards compatibility
#
compatibility_level = 2
marker: "# Marker set by modify-postfix-main-dot-cf.yml (compatibility_level)"
when:
- postfix_main_cf_exists.stat.exists
- compatibility_level_present is changed
notify:
- Restart postfix
# ---
# Remove Marker set by blockinfile
# ---
- name: Remove marker
replace :
path: /etc/postfix/main.cf
regexp: "^# Marker set by modify-postfix-main-dot-cf.yml.*$"
replace: ""
#register: marker_ipv4_removed
#failed_when: "marker_ipv4_removed.rc > 1"
#changed_when: "marker_ipv4_removed.rc < 1"
when:
- postfix_main_cf_exists.stat.exists
# ===
# Handlers used by this playbook
# ===
handlers:
- name: Restart postfix
service:
name: postfix
state: restarted