diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 89d58e5..0173bf9 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -987,7 +987,6 @@ default_user: password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. shell: /bin/bash ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' @@ -1334,11 +1333,27 @@ git_lxc_guest_repositories: git_gateway_repositories: + # install repositories (destination: /usr/local/src/) + # mailsystem + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + # firewall - name: ipt-gateway repo: https://git.oopen.de/firewall/ipt-gateway dest: /usr/local/src/ipt-gateway + # script repositories (destination /root/bin/) + # Monitoring + - name: monitoring + repo: https://git.oopen.de/script/monitoring + dest: /root/bin/monitoring + + - name: manage-gw-config + repo: https://git.oopen.de/script/manage-gw-config + dest: /root/bin/manage-gw-config + # --- # group [apache2_webserver] 
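Review bot: The four `repo:` entries added to `git_gateway_repositories` carry no `version`/ref, so what the role checks out from git.oopen.de is the moving tip of each default branch, and two of those checkouts land in `/root/bin/` where the new gw-fhxb host file runs them from root's crontab. Pinning each entry, e.g. `version: "<tag-or-commit>"` next to `repo:`, would make what root executes reproducible and reviewable; whether `roles/common/tasks/git.yml` passes such a key through is not visible in this diff. The `# install repositories` / `# script repositories` comments are useful, but the destination in the second one (`/root/bin/`) would be a natural place to also state that the scripts are executed unattended.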
@@ -1544,6 +1559,33 @@ git_jitsi_meet_repositories: git_other_repositories: [] +# ========== +# vars used by roles/common/tasks/nfs.yml +# ========== + +nfs_server: {} + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +#nfs_exports: +# - src: 192.168.112.10:/data/home +# path: /data/home +# mount_opts: users,rsize=8192,wsize=8192,hard,intr +# export_opt: rw,root_squash,sync,subtree_check +# export_networks: +# - 192.168.112.0/24 +# - 10.0.112.0/24 +# - 10.1.112.0/24 +# - 192.168.63.0/24 +# use_fsid_option: true +# +nfs_exports: [] + + # --- # vars used by roles/common/tasks/copy_files.yml # --- @@ -1552,6 +1594,17 @@ copy_plain_files: [] copy_plain_files_postfwd_host_specific: [] +copy_plain_files_postfix: + + - name: header_checks.pcre + src_path: mailserver/etc/postfix/header_checks.pcre + dest_path: /etc/postfix/header_checks.pcre + + - name: body_check.pcre + src_path: mailserver/etc/postfix/body_check.pcre + dest_path: /etc/postfix/body_check.pcre + + copy_plain_files_postfwd: # Postfix Firewall postfwd diff --git a/host_vars/a.mx.oopen.de.yml b/host_vars/a.mx.oopen.de.yml index eb73093..7a451e4 100644 --- a/host_vars/a.mx.oopen.de.yml +++ b/host_vars/a.mx.oopen.de.yml @@ -196,6 +196,8 @@ roundcube_db_user: roundcube #roundcube_db_host: localhost roundcube_db_pass: '3Dsz3j5R' +roundcube_acl_plugin: true + roundcube_product_name: O.OPEN - Webmailer roundcube_support_url: https://www.oopen.de roundcube_skin_logo: "images/oopen-logo.png" @@ -210,6 +212,8 @@ roundcube_2_db_user: roundcube #roundcube_2_db_host: localhost roundcube_2_db_pass: '3Dsz3j5R' +roundcube2_acl_plugin: true + roundcube_2_product_name: O.OPEN - Webmailer roundcube_2_support_url: https://www.oopen.de roundcube_2_skin_logo: "images/oopen-logo.png" 
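Review bot: `nfs_server: {}` makes the group-wide default an empty mapping, while the host override added in `host_vars/file-fhxb.fhxb.netz` in this same commit is a plain string (`nfs_server: 192.168.192.10`), so any `when: nfs_server` or `nfs_server | length` test in `roles/common/tasks/nfs.yml` is comparing two different types; `nfs_server: ""` (or `null`) keeps the default consistent with the host values. The comment block tells the reader to set `fs_encrypted`, yet neither the example nor the file-fhxb entries contain such a key, and it carries the typo `Take car to increase 'fsid'`, which should read `Take care to increase 'fsid'`; the same text is repeated verbatim in the file-fhxb hunk. The example `mount_opts` still lists `intr`, an option the kernel has ignored for a long time, so dropping it keeps the example honest.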
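Review bot: `roundcube2_acl_plugin: true` does not follow the `roundcube_2_` prefix used by every sibling key in this stanza (`roundcube_2_db_user`, `roundcube_2_db_pass`, `roundcube_2_product_name`), so a template that reads `roundcube_2_acl_plugin` will never see it. If the template key is the prefixed form, change the line to `roundcube_2_acl_plugin: true`; if the template really reads `roundcube2_acl_plugin`, a one-line comment saying so would stop the next editor from "fixing" it.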
@@ -221,7 +225,7 @@ template_files_mailsystem_script:
 src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
- - name: mailsystem_install_postfixadmin.conf
+ - name: mailsystem__postfix_advanced.conf
 src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf
diff --git a/host_vars/b.mx.oopen.de.yml b/host_vars/b.mx.oopen.de.yml
index 9a7e9ba..c62888a 100644
--- a/host_vars/b.mx.oopen.de.yml
+++ b/host_vars/b.mx.oopen.de.yml
@@ -144,6 +144,6 @@ template_files_mailsystem_script:
 src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
- - name: install_postfix_advanced.conf
+ - name: mailsystem_install_postfix_advanced.conf
 src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf
diff --git a/host_vars/c.mx.oopen.de.yml b/host_vars/c.mx.oopen.de.yml
index 350a754..6e9c711 100644
--- a/host_vars/c.mx.oopen.de.yml
+++ b/host_vars/c.mx.oopen.de.yml
@@ -155,7 +155,7 @@ db_in_use: !!str "true"
 postfix_db_type: MySQL
 postfix_db_name: postfix
 postfix_db_user: postfix
-postfix_db_host: 127.0.0.1
+#postfix_db_host:
 postfix_db_pass: AeB4kohyie5rahJ7
 # install_amavis.conf
@@ -201,9 +201,11 @@ autoreply_hostname: autoreply.initiativenserver.de
 roundcube_db_type: mysql
 roundcube_db_name: roundcubemail
 roundcube_db_user: roundcube
-roundcube_db_host: localhost
+#roundcube_db_host:
 roundcube_db_pass: 're6Xe8Fereejai3D'
+roundcube_acl_plugin: false
+
 roundcube_product_name: Webmailer Initiativenserver
 roundcube_support_url: "https://www.aktionsbuendnis-brandenburg.de/"
 roundcube_skin_logo: "images/oopen-logo.png"
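Review bot: The new name `mailsystem__postfix_advanced.conf` in a.mx has a doubled underscore and drops the `install_` part, while the same entry is spelled `mailsystem_install_postfix_advanced.conf` in b.mx, c.mx, d.mx, e.mx and ga-st-mail elsewhere in this commit; it should be `- name: mailsystem_install_postfix_advanced.conf`. If `name` is only a loop label the mismatch is cosmetic, but if anything keys on it (`when` conditions, tags, log grep) a.mx will silently diverge from the other mail hosts.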
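Review bot: Replacing `postfix_db_host: 127.0.0.1` with the comment `#postfix_db_host:` removes the variable rather than emptying it, so a template that references `postfix_db_host` without a `default()` filter will now fail on c.mx with an undefined variable; the same applies to `roundcube_db_host` in the @@ -201 hunk of the same file. If the intent is "fall back to the socket/localhost default", an explicit `postfix_db_host: ""` (and `roundcube_db_host: ""`) documents that and keeps the variable defined. The new ga-st-mail host file uses the same commented-out form, so whichever convention the templates actually expect is worth stating once next to the group defaults rather than per host.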
@@ -215,7 +217,7 @@ template_files_mailsystem_script:
 src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
- - name: mailsystem_install_postfixadmin.conf
+ - name: mailsystem_install_postfix_advanced.conf
 src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2
 dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf
diff --git a/host_vars/d.mx.oopen.de.yml b/host_vars/d.mx.oopen.de.yml
new file mode 100644
index 0000000..a65395d
--- /dev/null
+++ b/host_vars/d.mx.oopen.de.yml
@@ -0,0 +1,137 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-dehydrated + priv_key_src: d.mx/root/.ssh/d.mx-id_rsa-dehydrated + priv_key_dest: /root/.ssh/id_rsa-dehydrated + pub_key_src: d.mx/root/.ssh/d.mx-id_rsa-dehydrated.pub + pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub + - name: id-rsa-opendkim + priv_key_src: d.mx/root/.ssh/d.mx-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: d.mx/root/.ssh/d.mx-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + - name: monitoring_check_webservice_load.conf + src_path: d.mx/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + - name: postfix_create_opendkim_key.conf + src_path: d.mx/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: d.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + - 
name: install_sympa.conf + src_path: lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf + dest_path: /usr/local/src/sympa/conf/install_sympa.conf + + +copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: d.mx.oopen.de +ipv4_address: 95.217.204.227 +ipv6_address: 2a01:4f9:4a:47e5::227 + +admin_email: argus@oopen.de +is_relay_host: false +is_sympa_list_server: true + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 + + +template_files_mailsystem_script: + + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf diff --git a/host_vars/e.mx.oopen.de.yml b/host_vars/e.mx.oopen.de.yml index e8cb16f..e20becf 100644 --- a/host_vars/e.mx.oopen.de.yml +++ b/host_vars/e.mx.oopen.de.yml @@ -189,6 +189,10 @@ roundcube_skin_logo: "images/oopen-logo.png" template_files_mailsystem_script: + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + - name: mailsystem_install_amavis.conf src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf 
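Review bot: The `install_sympa.conf` entry under `copy_plain_files` reads its source from `lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf`, while every other entry in this new d.mx host file reads from `d.mx/...`; unless the Sympa configuration is deliberately shared between the two hosts this looks like a copy-and-paste leftover and should be `src_path: d.mx/usr/local/src/sympa/conf/install_sympa.conf` with a matching file in the repository. `is_relay_host: false` is a YAML boolean here but `!!str "false"` in the new ga-st-mail host file, so a Jinja comparison against the string `"false"` evaluates differently on the two hosts; pick one form and use it in both. The two `root_ssh_keypair` entries point `priv_key_src` at private key files kept in the repository tree, whereas the file-fhxb host file already uses `!vault` for a password; encrypting at least the private halves with ansible-vault would keep them out of the clear history.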
diff --git a/host_vars/file-fhxb.fhxb.netz b/host_vars/file-fhxb.fhxb.netz index 65a94c2..a99706a 100644 --- a/host_vars/file-fhxb.fhxb.netz +++ b/host_vars/file-fhxb.fhxb.netz @@ -154,14 +154,51 @@ sudo_users: # --- +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + +nfs_server: 192.168.192.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +nfs_exports: + - src: 192.168.192.10:/data/home + path: /data/home + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.192.0/24 + - 10.0.192.0/24 + - 10.1.192.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + - src: 192.168.192.10:/data/samba/shares + path: /data/samba/shares + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.192.0/24 + - 10.0.192.0/24 + - 10.1.192.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + + # --- # vars used by roles/common/tasks/samba-config-server.yml # vars used by roles/common/tasks/samba-user.yml # --- -samba_workgroup: OPP +samba_workgroup: FHXB -samba_netbios_name: ZAPATA +samba_netbios_name: FILE-FHXB samba_server_min_protocol: !!str NT1 
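Review bot: Both `nfs_exports` entries set `use_fsid_option: true` but neither carries an fsid value, and the comment directly above them warns that 'fsid' must be increased when there is more than one export; if `roles/common/tasks/nfs.yml` derives the fsid from a constant rather than from the list position, the two exports will conflict at export time. An explicit per-entry key such as `fsid: 1` / `fsid: 2` (if the role supports one) would make the intent visible in the host file, and the comment should then say how the value is chosen. The `mount_opts` and `export_opt` strings are repeated verbatim in both entries and the comment still refers to a `fs_encrypted` flag that no entry sets; an anchor or a group-level default would remove the duplication.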
@@ -217,28 +254,29 @@ samba_user: - name: chris groups: - - FHXB-Bildarchiv + - fhxb-bildarchiv - - FHXB-Sammlungen + - fhxb-sammlungen - - Archiv - - Ausstellungen - - Forschung - - Gedenken-im-Stadtraum - - Projekte - - Publikationen - - Stolpersteine - - Veranstaltungen + - archiv + - ausstellungen + - forschung + - gedenken-im-stadtraum + - projekte + - publikationen + - stolpersteine + - veranstaltungen + - vze - - Buero - - Intern - - Museum-Organisation - - Presse-Orga-Oeffentlichkeit - - Team - - Technik - - Vermietung - - Vermittlung - - Leitung + - buero + - intern + - museum-organisation + - presse-orga-oeffentlichkeit + - team + - technik + - vermietung + - vermittlung + - leitung password: !vault | $ANSIBLE_VAULT;1.1;AES256 
@@ -250,32 +288,318 @@ samba_user: - name: sysadm groups: - - - FHXB-Bildarchiv - - - FHXB-Sammlungen - - - Archiv - - Ausstellungen - - Forschung - - Gedenken-im-Stadtraum - - Projekte - - Publikationen - - Stolpersteine - - Veranstaltungen - - - Buero - - Intern - - Museum-Organisation - - Presse-Orga-Oeffentlichkeit - - Team - - Technik - - Vermietung - - Vermittlung - - Leitung - + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - leitung + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + - fhxb-bildarchiv + - fhxb-sammlungen password: '5hE-7n.JRQ9Y' + # Archiv01 + - name : a.rchiv01 + groups: + - archiv + - fhxb-bildarchiv + - fhxb-sammlungen + password: '45pS2X-rim.e' + + # Archiv02 + - name : a.rchiv02 + groups: + - archiv + - fhxb-bildarchiv + - fhxb-sammlungen + password: '7gqKY/7-nh3Q' + + # Astrid Schiemann + - name : a.schiemann + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - leitung + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'G.u3r.tJ6Qkh' + + # Babara Schaller + - name : b.schaller + groups: + - archiv + - buero + - publikationen + - team + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'ufPmZ.L/63yJ' + + # Ellen Thieleman + - name : e.thieleman + groups: + - ausstellungen + - buero + - projekte + - team + password: 'MFS79-tzWA/c' + + # Erika Hausotter + - name : e.hausotter + groups: + - archiv + - team + password: 'A/pY4-9VvUdo' + + # Florian Helm + - name : f.helm + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - leitung + - museum-organisation + - presse-orga-oeffentlichkeit + - 
projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'z2FE..fUh4fx' + + # Frauke Erdmann + - name : f.erdmann + groups: + - archiv + - buero + - publikationen + - team + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'P/yV5N9rxA-Y' + + # Gerhard Grosche + - name : g.grosche + groups: + - archiv + - publikationen + - team + - fhxb-bildarchiv + - fhxb-sammlungen + password: '6/H-EgRqP9-T' + + # Heike Müller + - name : h.mueller + groups: + - buero + - team + password: 'VT7/n5hHy-Av' + + # Jana König + - name : j.koenig + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'fE6.2K/HpnuS' + + # Jorinde Splettstößer + - name : j.splettstoesser + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + - fhxb-bildarchiv + - fhxb-sammlungen + password: '2/octHEm/g5H' + + # Natalie Bayer + - name : n.bayer + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - intern + - leitung + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'AI/.44Jt6rhY' + + # Norbert Schropp + - name : n.schropp + groups: + - archiv + - ausstellungen + - publikationen + - team + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'rK/puJ2.7sb4' + + # Praktikum 01 
+ - name : p.raktikum01 + groups: + - ausstellungen + - buero + - presse-orga-oeffentlichkeit + - team + - veranstaltungen + - vermietung + password: '2IN.R5HIq-ig' + + # Praktikum 02 + - name : p.raktikum02 + groups: + - ausstellungen + - buero + - presse-orga-oeffentlichkeit + - team + - veranstaltungen + - vermietung + password: 'NnRYo5-d6i/n' + + # Volo 01 + - name : v.olo01 + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + password: 'A/pY4-9VvUdo' + + # Volo 02 + - name : v.olo02 + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + password: 'sp29q-Yn-6PY' + + # Volo 03 + - name : v.olo03 + groups: + - archiv + - ausstellungen + - buero + - forschung + - gedenken-im-stadtraum + - museum-organisation + - presse-orga-oeffentlichkeit + - projekte + - publikationen + - stolpersteine + - team + - technik + - veranstaltungen + - vermietung + - vermittlung + - vze + - fhxb-bildarchiv + - fhxb-sammlungen + password: 'n7I.fSsR-9vv' + + base_home: /home # remove_samba_users: 
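Review bot: Every user added to `samba_user` in this hunk (from `a.rchiv01` through `v.olo03`) carries its password as a plain quoted string, while the `chris` entry at the top of the same list already uses `password: !vault |`, so the commit mixes vaulted and clear-text credentials in one file and the new ones are readable in the repository history; the new entries should be vaulted the same way. `e.hausotter` and `v.olo01` are configured with the identical password string, which defeats per-account accountability and is worth confirming as unintended. The new entries are also written as `- name : a.rchiv01` with a space before the colon, unlike the existing `- name: chris`; yamllint's `colons` rule flags this, and `- name: a.rchiv01` keeps the style uniform.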
@@ -288,26 +612,6 @@ remove_samba_users: samba_shares: - - name: FHXB-Bildarchiv - comment: Bildarchiv auf Fileserver - path: /data/samba/FHXB-Bildarchiv/Bildarchiv - group_valid_users: fhxb-bildarchiv - group_write_list: fhxb-bildarchiv - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - name: FHXB-Sammlungen - comment: FHXB-Sammlungen auf Fileserver - path: /data/samba/Darchim2/Bildarchiv - group_valid_users: fhxb-sammlungen - group_write_list: fhxb-sammlungen - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - name: Archiv comment: Archiv auf Fileserver path: /data/samba/FHXB-Server/Archiv @@ -328,6 +632,16 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' + - name: Buero + comment: Buero auf Fileserver + path: /data/samba/FHXB-Server/Buero + group_valid_users: buero + group_write_list: buero + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + - name: Forschung comment: Forschung auf Fileserver path: /data/samba/FHXB-Server/Forschung 
@@ -348,67 +662,6 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' - - name: Projekte - comment: Projekte auf Fileserver - path: /data/samba/FHXB-Server/Projekte - group_valid_users: projekte - group_write_list: projekte - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - name: Publikationen - comment: Publikationen auf Fileserver - path: /data/samba/FHXB-Server/Publikationen - group_valid_users: publikationen - group_write_list: publikationen - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - name: Stolpersteine - comment: Stolpersteine auf Fileserver - path: /data/samba/FHXB-Server/Stolpersteine - group_valid_users: stolpersteine - group_write_list: stolpersteine - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - name: Veranstaltungen - comment: Veranstaltungen auf Fileserver - path: /data/samba/FHXB-Server/Veranstaltungen - group_valid_users: Veranstaltungen - group_write_list: Veranstaltungen - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - name: VZE - comment: VZE auf Fileserver - path: /data/samba/FHXB-Server/VZE - group_valid_users: vze - group_write_list: vze - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - - - name: Buero - comment: Buero auf Fileserver - path: /data/samba/FHXB-Server/Buero - group_valid_users: buero - group_write_list: buero - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: '@Recycle' - - name: Intern comment: Intern auf Fileserver path: /data/samba/FHXB-Server/Intern 
@@ -449,6 +702,36 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' + - name: Projekte + comment: Projekte auf Fileserver + path: /data/samba/FHXB-Server/Projekte + group_valid_users: projekte + group_write_list: projekte + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Publikationen + comment: Publikationen auf Fileserver + path: /data/samba/FHXB-Server/Publikationen + group_valid_users: publikationen + group_write_list: publikationen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Stolpersteine + comment: Stolpersteine auf Fileserver + path: /data/samba/FHXB-Server/Stolpersteine + group_valid_users: stolpersteine + group_write_list: stolpersteine + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + - name: Team comment: Team auf Fileserver path: /data/samba/FHXB-Server/Team @@ -469,6 +752,26 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' + - name: VZE + comment: VZE auf Fileserver + path: /data/samba/FHXB-Server/VZE + group_valid_users: vze + group_write_list: vze + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Veranstaltungen + comment: Veranstaltungen auf Fileserver + path: /data/samba/FHXB-Server/Veranstaltungen + group_valid_users: veranstaltungen + group_write_list: veranstaltungen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + - name: Vermietung comment: Vermietung auf Fileserver path: /data/samba/FHXB-Server/Vermietung 
@@ -489,6 +792,26 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' + - name: FHXB-Bildarchiv + comment: Bildarchiv auf Fileserver + path: /data/samba/FHXB-Bildarchiv/Bildarchiv + group_valid_users: fhxb-bildarchiv + group_write_list: fhxb-bildarchiv + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: FHXB-Sammlungen + comment: FHXB-Sammlungen auf Fileserver + path: /data/samba/Darchim2/Bildarchiv + group_valid_users: fhxb-sammlungen + group_write_list: fhxb-sammlungen + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + # ============================== diff --git a/host_vars/ga-st-mail.ga.netz.yml b/host_vars/ga-st-mail.ga.netz.yml new file mode 100644 index 0000000..adbd023 --- /dev/null +++ b/host_vars/ga-st-mail.ga.netz.yml 
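Review bot: The `FHXB-Sammlungen` share re-added here exports `path: /data/samba/Darchim2/Bildarchiv`, a directory whose leaf name matches the `FHXB-Bildarchiv` share just above while its comment says `FHXB-Sammlungen auf Fileserver`; since the commit only moves the entry it may well be intentional, but it reads like a copied path and a short comment naming the real collection directory (or a corrected `path:`) would remove the doubt. The same `valid users`/`write list` group is reused for both shares' `group_valid_users` and `group_write_list`, so a wrong path would quietly expose the Bildarchiv tree under a second share name.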
@@ -0,0 +1,227 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-dehydrated + priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated + priv_key_dest: /root/.ssh/id_rsa-dehydrated + pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub + pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub + - name: id-rsa-opendkim + priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: 
postfix_create_opendkim_key.conf + src_path: ga-st-mail/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_postfix_add_mailboxes.conf + src_path: ga-st-mail/root/bin/postfix/conf/postfix_add_mailboxes.conf + dest_path: /root/bin/postfix/conf/postfix_add_mailboxes.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: ga-st-mail/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: ga-st-mail/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfwd_host_specific: [] + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: ga-st-mail/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: mx.gemeinschaft-altenschlirf.de +ipv4_address: 192.168.11.2 +#ipv6_address: + +admin_email: it@gemeinschaft-altenschlirf.org +is_relay_host: !!str "false" + +db_in_use: !!str "true" +# postfix_db_type +# +# possible values are 'PostgreSQL' and 'MySQL' +postfix_db_type: PostgreSQL +postfix_db_name: postfix +postfix_db_user: postfix +#postfix_db_host: +postfix_db_pass: R_wuKauoTE7+AJg9 + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89 + +# install_postfixadmin.conf +# +website_name_postfixadmin: adm.gemeinschaft-altenschlirf.de + +email_welcome_message: "\n +Hallo,\n + +Ihre/Deine neue E-Mail Adresse ist 
eingerichtet.\n + +IT Team Gemeinschaft Altenschlirf\n + +--\n +Gemeinschaft Altenschlirf | Phone: +49 6647 / 9606 0\n +Müser Straße 1 | Fax: +49 6647 / 9606 179\n +D-36358 Herbstein | E-Mail: it@gemeinschaft-altenschlirf.de\n +" + +# install_update_dovecot.conf +# +dovecot_from_address: "Administrator E-Mail " +dovecot_reply_to: "postmaster@gemeinschaft-altenschlirf.de" +webmailer_address: "https://webmail.gemeinschaft-altenschlirf.de" +salutation: "IT Team Gemeinschaft Altenschlirf\n + +--\n +Gemeinschaft Altenschlirf | Phone: +49 6647 / 9606 0\n +Müser Straße 1 | Fax: +49 6647 / 9606 179\n +D-36358 Herbstein | E-Mail: it@gemeinschaft-altenschlirf.de\n +" + +# install_upgrade_roundcube-webmail.conf +# +# Webmailer +webmail_site_name: webmail.gemeinschaft-altenschlirf.de +autoreply_hostname: autoreply.gemeinschaft-altenschlirf.de +# possible values: 'pgsql' or 'mysql' +roundcube_db_type: pgsql +roundcube_db_name: roundcubemail +roundcube_db_user: roundcube +#roundcube_db_host: +roundcube_db_pass: 'K3TbMmTfnCXdj4vz' + +#roundcube_acl_plugin: true + +roundcube_product_name: Gemeinschaft Altenschlirf - Webmailer +roundcube_support_url: https://www.gemeinschaft-altenschlirf.de +roundcube_skin_logo: "images/oopen-logo.png" + + +template_files_mailsystem_script: + + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfixadmin.conf + + - name: mailsystem_install_update_dovecot.conf + src_path: usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 + dest_path: 
/usr/local/src/mailsystem/conf/install_update_dovecot.conf
+
+ - name: mailsystem_install_upgrade_roundcube-webmail.conf
+ src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2
+ dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf
diff --git a/host_vars/gw-fhxb.oopen.de.yml b/host_vars/gw-fhxb.oopen.de.yml
new file mode 100644
index 0000000..d8021db
--- /dev/null
+++ b/host_vars/gw-fhxb.oopen.de.yml
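Review bot: `dovecot_from_address: "Administrator E-Mail "` ends in a trailing space and contains no address, so whatever the dovecot template builds from it has an empty sender; if an address in angle brackets was intended it has been lost and should be restored, e.g. `dovecot_from_address: "Administrator E-Mail <ADDRESS-PLACEHOLDER>"`. `email_welcome_message` and `salutation` are double-quoted scalars spanning many physical lines with explicit `\n` escapes; YAML folds the line breaks to spaces and turns the blank lines into newlines on top of the escapes, so the rendered text is hard to predict from the file — a literal block scalar (`email_welcome_message: |`) expresses the same text unambiguously, assuming the consumer expects real newlines. `copy_template_files` is entirely commented out here while the new d.mx file sets `copy_template_files: []`; if the copy_files task loops over it without `default([])`, this host fails with an undefined variable. `postfix_db_pass` and `roundcube_db_pass` are committed in clear text, unlike the vaulted password the file-fhxb host file already uses.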
@@ -0,0 +1,278 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via Fritz!Box + auto: true + family: inet + method: static + address: 192.168.178.254 + netmask: 24 + gateway: 192.168.178.1 + nameservers: + - 127.0.0.1 + - 192.168.192.1 + search: fhxb.netz + + + - device: eno2 + headline: eno2 - LAN + auto: true + family: inet + method: static + address: 192.168.192.254 + netmask: 24 + + + - device: eno2:ns + headline: eno2:ns - Alias on eno5 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.192.1 + netmask: 32 + + + - device: eno3 + headline: eno3 - LAN + auto: true + family: inet + method: static + address: 192.168.193.254 + netmask: 24 + + + - device: eno4 + headline: eno4 - OLD LAN + auto: true + family: inet + method: static + address: 192.168.178.254 + netmask: 24 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check if nameservice (bind) is running?" 
+ minute: '*/10' + hour: '*' + job: /root/bin/monitoring/check_dns.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: '0-59/2' + hour: '*' + job: /root/bin/monitoring/check_forwarding.sh + + - name: "Copy gateway configuration" + minute: '09' + hour: '3' + job: /root/bin/manage-gw-config/copy_gateway-config.sh FHXB + + +#cron_user_special_time_entries: [] +cron_user_special_time_entries: + + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +apt_install_bind9_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + 
+git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/lists.mx.warenform.de.yml b/host_vars/lists.mx.warenform.de.yml new file mode 100644 index 0000000..61e9ae4 --- /dev/null +++ b/host_vars/lists.mx.warenform.de.yml 
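Review bot: In `network_interfaces`, eno1 and eno4 are both configured with `address: 192.168.178.254` and `netmask: 24`, so two interfaces claim the same address in the same subnet and the kernel gets two competing connected routes for 192.168.178.0/24; the "OLD LAN" stanza on eno4 needs a distinct address or should be dropped, e.g. replace it with `# eno4 - OLD LAN, decommissioned (was 192.168.178.254/24)`. The alias entry reads `headline: eno2:ns - Alias on eno5 (Nameserver)` although its device is eno2; change it to `headline: eno2:ns - Alias on eno2 (Nameserver)`. The `default_user` and `root_user` entries carry `$6$` password hashes in clear, and `ssh_keypair_backup_client` ships a private key (`root/.ssh/id_ed25519.oopen-server`) from the repository's files tree to /root/.ssh; the `chris` and `back` hashes are byte-identical to those in the other host files of this change, so one cracked hash opens several machines. Vault the hashes and the key with ansible-vault, use per-host passwords, and — since the key name is not host-specific — presumably a per-host backup key so that one compromised host cannot reach backup.oopen.de on behalf of all the others.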
@@ -0,0 +1,132 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-opendkim + priv_key_src: lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + - name: monitoring_check_webservice_load.conf + src_path: lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + - name: postfix_create_opendkim_key.conf + src_path: lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: lists.mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + - name: install_sympa.conf + src_path: lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf + dest_path: 
/usr/local/src/sympa/conf/install_sympa.conf + + +copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: lists.mx.warenform.de +ipv4_address: 83.223.86.78 +ipv6_address: 2a01:30:0:13:223:35ff:fef5:84b6 + +admin_email: argus@oopen.de +is_relay_host: false +is_sympa_list_server: true + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: 76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b + + +template_files_mailsystem_script: + + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml index efc4ad1..c6c2076 100644 --- a/host_vars/mail.cadus.org.yml +++ b/host_vars/mail.cadus.org.yml 
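Review bot: `is_relay_host: false` is a YAML boolean here, while the sibling host file added in this change writes `is_relay_host: !!str "false"`; when Jinja renders a Python bool into the mailsystem `install_*.conf.j2` templates it emits `False`, not `false`, so the generated config may carry a spelling the consuming scripts do not expect — use `is_relay_host: !!str "false"` for consistency. `root_ssh_keypair` copies the private key `lists.mx.warenform-id_rsa-opendkim` from the repository to /root/.ssh, and `si_authorisation_signature` together with `mp_receipt_number` looks like a licence credential (the same pair appears verbatim in mx.warenform.de.yml); none of this is vaulted, so move it to ansible-vault or a secret store instead of committing it in clear. `install_sympa.conf` is deployed via `copy_plain_files` while the other mailsystem configs go through `template_files_mailsystem_script`; that is fine but deserves a line such as `# install_sympa.conf is host-specific and copied verbatim, not templated`.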
@@ -112,7 +112,23 @@ copy_plain_files: dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf -copy_plain_files_postfwd_host_specific: [] +copy_plain_files_postfwd_host_specific: + + - name: postfwd.wl-hosts + src_path: mail.cadus/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-nets + src_path: mail.cadus/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: mail.cadus/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender + + - name: postfwd.wl-user + src_path: mail.cadus/etc/postfix/postfwd.wl-user + dest_path: /etc/postfix/postfwd.wl-user # Postfix Firewall postfwd # @@ -147,7 +163,7 @@ db_in_use: !!str "true" postfix_db_type: MySQL postfix_db_name: postfix postfix_db_user: postfix -postfix_db_host: "127.0.0.1" +#postfix_db_host: postfix_db_pass: T3CJnFMJNX9wmhNs # install_amavis.conf @@ -196,9 +212,11 @@ autoreply_hostname: autoreply.cadus.org roundcube_db_type: mysql roundcube_db_name: roundcubemail roundcube_db_user: roundcube -roundcube_db_host: localhost +#roundcube_db_host: roundcube_db_pass: 'j3vqsK7Ldm7MxNjH' +roundcube_acl_plugin: false + roundcube_product_name: O.OPEN - Webmailer roundcube_support_url: https://www.cadus.org roundcube_skin_logo: "images/cadu_logo_webmail.png" diff --git a/host_vars/mail.faire-mobilitaet.de.yml b/host_vars/mail.faire-mobilitaet.de.yml index 74d12cb..477dcf0 100644 --- a/host_vars/mail.faire-mobilitaet.de.yml +++ b/host_vars/mail.faire-mobilitaet.de.yml @@ -195,8 +195,10 @@ roundcube_db_user: roundcube #roundcube_db_host: roundcube_db_pass: 'gqnzTrfsjnRv4PWW' +#roundcube_acl_plugin: false + roundcube_product_name: O.OPEN - Webmailer -roundcube_support_url: https://www.cadus.org +roundcube_support_url: https://www.faire-mobilitaet.de/ roundcube_skin_logo: "images/oopen-logo.png" diff --git a/host_vars/mx.warenform.de.yml b/host_vars/mx.warenform.de.yml new file mode 100644 index 0000000..d6c6c7a 
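Review bot: Replacing `postfix_db_host: "127.0.0.1"` with the commented-out `#postfix_db_host:` silently changes how Postfix reaches MySQL, from TCP on 127.0.0.1 to whatever the template substitutes for an undefined host (presumably a local socket), and the same happens to `roundcube_db_host: localhost`; if that is intended, record it next to the line, e.g. `#postfix_db_host:  # left unset on purpose: template falls back to the local socket`. The four new `copy_plain_files_postfwd_host_specific` entries deploy postfwd whitelists by host, net, sender and user under /etc/postfix; each of these bypasses the policy daemon, so the source files should state who owns the list and why the entries are trusted. `roundcube_db_pass` and `postfix_db_pass` remain clear-text in host_vars and belong in ansible-vault.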
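Review bot: `#roundcube_acl_plugin: false` leaves `roundcube_acl_plugin` undefined on this host while other host files in this change set it explicitly; unless a group-level default exists, a template that references the variable without `| default(false)` will abort with an undefined-variable error here, so either set `roundcube_acl_plugin: false` or note the default, e.g. `# roundcube_acl_plugin: not set, role default applies`. The corrected `roundcube_support_url` shows this file was copied from mail.cadus.org; the neighbouring values (`roundcube_product_name`, `roundcube_skin_logo`) are worth a second look for further leftovers.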
--- /dev/null +++ b/host_vars/mx.warenform.de.yml 
@@ -0,0 +1,227 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +apt_install_compiler_pkgs: true + +apt_install_postgresql_pkgs: true + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: id-rsa-opendkim + priv_key_src: mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim + priv_key_dest: /root/.ssh/id_rsa-opendkim + pub_key_src: mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim.pub + pub_key_dest: /root/.ssh/id_rsa-opendkim.pub + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: postfix_create_opendkim_key.conf + src_path: mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf + dest_path: /root/bin/postfix/conf/create_opendkim_key.conf + + - name: postfix_postfix_add_mailboxes.conf + src_path: 
mx.warenform/root/bin/postfix/conf/postfix_add_mailboxes.conf + dest_path: /root/bin/postfix/conf/postfix_add_mailboxes.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: mx.warenform/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_whitelist_mb_sigs.conf + src_path: mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf + dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf + + +copy_plain_files_postfwd_host_specific: [] + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: mx.warenform/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + + +# --- +# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml +# --- + +hostname: mx.warenform.de +ipv4_address: 83.223.86.76 +ipv6_address: 2a01:30:0:13:231:32ff:fe8b:7763 + +admin_email: admin@warenform.net +is_relay_host: !!str "false" + +db_in_use: !!str "true" +# postfix_db_type +# +# possible values are 'PostgreSQL' and 'MySQL' +postfix_db_type: PostgreSQL +postfix_db_name: postfix +postfix_db_user: postfix +#postfix_db_host: /run/postgresql +postfix_db_pass: CbX8vg347Vvm + +# install_amavis.conf +# +mp_receipt_number: 106015125438 +si_authorisation_signature: 76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b + +# install_postfixadmin.conf +# +website_name_postfixadmin: adm.warenform.de + +email_welcome_message: "\n +Hallo,\n + +Ihre neue E-Mail Adresse ist eingerichtet.\n + +Das WARENFORM-Team\n + +--\n +WARENFORM | Phone: +49 30 / 61 65 17 52 -0\n +Dresdner Str. 
11 | Fax: +49 30 / 61 65 17 52 -66\n +D-10999 Berlin | http://www.warenform.net\n +" + + +# install_update_dovecot.conf +# +dovecot_from_address: "warenform gbr " +dovecot_reply_to: "hilfe@kunden.warenform.net" +webmailer_address: "https://webmail.warenform.de" +salutation: "Das WARENFORM-Team\n + + +WARENFORM | Phone: +49 30 / 61 65 17 52 -0\n +Dresdner Str. 11 | Fax: +49 30 / 61 65 17 52 -66\n +D-10999 Berlin | http://www.warenform.net\n" + + +# install_upgrade_roundcube-webmail.conf +# +# Webmailer +webmail_site_name: webmail.warenform.de +autoreply_hostname: autoreply.warenform.de +# possible values: 'pgsql' or 'mysql' +roundcube_db_type: pgsql +roundcube_db_name: roundcubemail +roundcube_db_user: roundcube +#roundcube_db_host: localhost +roundcube_db_pass: 'Hoo5heis' + +#roundcube_acl_plugin: false + +roundcube_product_name: O.OPEN - Webmailer +roundcube_support_url: https://www.warenform.net +roundcube_skin_logo: "images/wf-webmail-logo.png" + + +template_files_mailsystem_script: + + - name: mailsystem_install_amavis.conf + src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + - name: mailsystem_install_postfix_advanced.conf + src_path: usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfix_advanced.conf + + - name: mailsystem_install_postfixadmin.conf + src_path: usr/local/src/mailsystem/conf/install_postfixadmin.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_postfixadmin.conf + + - name: mailsystem_install_update_dovecot.conf + src_path: usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_update_dovecot.conf + + - name: mailsystem_install_upgrade_roundcube-webmail.conf + src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf + + - 
name: mailsystem_install_upgrade_roundcube-webmail2.conf + src_path: usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf.j2 + dest_path: /usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf diff --git a/host_vars/o25.oopen.de.yml b/host_vars/o25.oopen.de.yml index b24f006..65554c4 100644 --- a/host_vars/o25.oopen.de.yml +++ b/host_vars/o25.oopen.de.yml @@ -17,26 +17,156 @@ network_interface_required_packages: - bridge-utils - ifmetric - ifupdown + - ifenslave - resolvconf network_interfaces: - - device: br0 + # Many device configurations are possible (as many as needed) + # + - device: enp41s0 # use only once per device (for the first device entry) - headline: br0 - bridge over device enp8s0 + headline: enp41s0 - primary device - # auto & allow are only used for the first device entry + # auto & allow are only used for the first entry of that devicei-name) + # allow: [] # array of allow-[stanzas] eg. allow-hotplug auto: true family: inet + + # The statisc Mode + # Options + # address + # gateway + # pointopoint
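Review bot: `roundcube_db_pass: 'Hoo5heis'` is an eight-character password committed in clear text, and `postfix_db_pass: CbX8vg347Vvm` sits beside it equally unvaulted; both should be regenerated with more length and moved into ansible-vault. `dovecot_from_address: "warenform gbr "` contains a display name followed by a trailing space but no address part, so the rendered install_update_dovecot.conf would yield an invalid From header unless the `<…>` part was lost on the way into the repository — verify the value and write it as `dovecot_from_address: "warenform gbr <…>"` with the real mailbox. `salutation` omits the `--\n` signature separator that `email_welcome_message` in the same file uses, which looks like an accidental drop. The `!!str "false"` / `!!str "true"` form used for `is_relay_host` and `db_in_use` is the right one for values Jinja renders into shell-style configs; the other new host file in this change should follow it.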
+ # hwaddress + # mtu + # scope
+ # + # The manual Method + # Options + # hwaddress + # mtu + # + # The dhcp Method + # Options + # hwaddress + # hostname + # metric + # leasehours + # leasetime + # vendor + # client + # + # The bootp Method + # Options + # bootfile: + # server: + # hwaddr + # method: static - hwaddress: 00:d8:61:0e:b9:1c + + hwaddress: description: - address: 144.76.24.11 - netmask: 27 - gateway: 144.76.24.1 + address: 65.109.28.179 + # dotted quad or number of bits + # + # the entry will be: address/netmask + netmask: 26 + gateway: 65.109.28.129 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + search: + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: {} + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # mode: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + # + # example: + # + # up: + # - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp41s0" + # + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 65.109.28.128 netmask 255.255.255.192 gw 65.109.28.129 dev enp41s0" + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + - device: enp41s0 + # 
use only once per device (for the first device entry) + headline: + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: + + family: inet6 + method: static + address: 2a01:4f9:5a:1a07::2 + netmask: 64 + gateway: fe80::1 metric: pointopoint: mtu: @@ -64,8 +194,6 @@ network_interfaces: # search: warenform.de # nameservers: - - 195.201.179.131 - - 95.217.204.204 search: # optional additional subnets/ips subnets: [] @@ -80,24 +208,15 @@ network_interfaces: # fd: # maxwait: # waitport: - bridge: - ports: enp8s0 # for mor devices support a blank separated list - stp: !!str off - fd: 5 - hello: 2 - maxage: 12 + bridge: {} # optional bonding parameters bond: {} # bond: - # master - # primary - # slave - # method: + # mode: # miimon: - # lacp-rate: - # ad-select-rate: # master: # slaves: + # lacp-rate: bond: {} # optional vlan settings | vlan: {} 
@@ -106,18 +225,119 @@ network_interfaces: vlan: {} # inline hook scripts - pre-up: [] # pre-up script lines + pre-up: []# pre-up script lines up: [] # up script lines post-up: [] # post-up script lines (alias for up) pre-down: [] # pre-down script lines (alias for down) down: [] # down script lines post-down: [] # post-down script lines +# --- +# vars used by roles/ansible_dependencies +# --- - - device: br0 - family: inet6 - method: static - address: 2a01:4f8:191:b::2 - netmask: 64 - gateway: fe80::1 +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +#apt_manage_sources_list: false + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $y$j9T$myZ6f5/klmH0HDN2mb9tv/$s/bBrr6PEXdEgtn9CZYzBNZsA4.r6gWYYeZ4LAYotp9 + diff --git a/host_vars/o25.oopen.de.yml.BAK b/host_vars/o25.oopen.de.yml.BAK new file mode 100644 index 0000000..b24f006 --- /dev/null +++ b/host_vars/o25.oopen.de.yml.BAK 
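Review bot: The `up:` hook `route add -net 65.109.28.128 netmask 255.255.255.192 gw 65.109.28.129 dev enp41s0` adds a route for the very /26 that the interface already covers with `address: 65.109.28.179` and `netmask: 26`; the kernel installs that prefix as an on-link route when the address comes up, so the extra command is redundant at best and will presumably fail with EEXIST, which makes ifup report enp41s0 as failed — either drop the hook, or, if the provider requires routing through the gateway, use a /32 `netmask` with `pointopoint: 65.109.28.129` and `gateway: 65.109.28.129` instead. `pre-up: []# pre-up script lines` lost the space before `#`; write `pre-up: []  # pre-up script lines` so yamllint and every parser agree it is a comment. The `default_user` and `root_user` password hashes are committed unvaulted, and the `chris`, `sysadm` and `back` hashes are byte-identical to those on the other hosts in this change, i.e. one password shared across machines; vault them and use per-host passwords.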
@@ -0,0 +1,123 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - resolvconf + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp8s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: 00:d8:61:0e:b9:1c + description: + address: 144.76.24.11 + netmask: 27 + gateway: 144.76.24.1 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 195.201.179.131 + - 95.217.204.204 + search: + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp8s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # method: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: [] # pre-up script 
lines + up: [] # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: inet6 + method: static + address: 2a01:4f8:191:b::2 + netmask: 64 + gateway: fe80::1 diff --git a/host_vars/oolm-shop-dev.oopen.de.yml b/host_vars/oolm-shop-dev.oopen.de.yml index ba852cd..38fcfe6 100644 --- a/host_vars/oolm-shop-dev.oopen.de.yml +++ b/host_vars/oolm-shop-dev.oopen.de.yml @@ -19,7 +19,7 @@ # vars used by roles/common/tasks/sshd.yml # --- -sshd_password_authentication: !!str "yes" +#sshd_password_authentication: !!str "yes" # --- 
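Review bot: `host_vars/o25.oopen.de.yml.BAK` is a backup copy of the previous host file checked into the inventory; git history already preserves the old configuration (MAC `00:d8:61:0e:b9:1c`, the 144.76.24.11 address and the br0 bridge), so the file only adds a stale duplicate that someone may later mistake for live data or rename into a loaded `.yml`. Remove it from the commit and add `*.BAK` to `.gitignore`.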
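Review bot: Commenting out `sshd_password_authentication: !!str "yes"` makes the host inherit the role's default instead of stating the intended policy; since the purpose is presumably to stop password logins now that every account carries SSH keys, set it explicitly — `sshd_password_authentication: !!str "no"` — so the hardening does not silently depend on a default defined elsewhere. The users section that follows this hunk starts outside it.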
@@ -31,6 +31,80 @@ sshd_password_authentication: !!str "yes" # vars used by roles/common/tasks/users.yml # --- +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: ilker + password: $6$KdZA19BkoB5hmlSq$0EnTYvavJh/xYsCc1Movk7Rt3fF0Kpiw/i.YQalZmL5kmChurAcJRgLNoceTtH7gFKY67SkeiE6Diy5L74CF71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3oRUYDERuHw8QXRT6P5FjA+9OlK82/s71Ns3moLRG2PXkPlUHMJLDsImttlBpzrfxCHMzF/gAyzwCG8EFQA0fLQolShVYBVuJQ8sHS3xedbni2PbiUzgc5P9le/LwBjxOt2EFXGcNgHfFejY69esPsNmhbwQ7jxIledclIri0sG9G3rnx3NQdGcU6Ypi4WhuJ2B1y5DUO3Ym/fuqw0OpYrI12UZYYjpLL1V3c8PDshaBbnArW68+a6Fq4vRpEkHKKUcePYUHbB5APyjkkEzeINfJbrrv/WVb5dGaxSRH61LsjnlOrRDi2qITewfkLz3CMmxQM0fRAT3UV9q0FibzJ ilker@oolm-shop' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDRmXj9h/gCTSODkPH1ooBgq6hOZFjxczLPw9Bv5gt+z6v41zxpYKBDyvMy7jblwK3//EA469QRqKEBq0Hhx1aocrVe8TWZGDqzc2nrzh2YSewvKjbx6Dv+pdoWcTzF6Rho2Klvu79p5lcV+2I/u82wLDNVBZliGuRJJ8yVVQ8RkSdvz/O15d9qfI7F0yzzjhYy+t/W6tDxEt2N65n7SC14i/q/DqdGCLp7eBAHkC2mTruLbzCIdMteFg7q0GuTdlII0BF5LPbHlVK8nm8iOOH61pI/gygXF0Z9WlL7e/hfE8qTGAucAsy0KoOodlEQD1LLV1Rubmy7zKZBk4qvXzh7 ilkeregilmez@Ilkers-MBP-2.fritz.box' + + - name: ilker-sudo + password: $6$KdZA19BkoB5hmlSq$0EnTYvavJh/xYsCc1Movk7Rt3fF0Kpiw/i.YQalZmL5kmChurAcJRgLNoceTtH7gFKY67SkeiE6Diy5L74CF71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3oRUYDERuHw8QXRT6P5FjA+9OlK82/s71Ns3moLRG2PXkPlUHMJLDsImttlBpzrfxCHMzF/gAyzwCG8EFQA0fLQolShVYBVuJQ8sHS3xedbni2PbiUzgc5P9le/LwBjxOt2EFXGcNgHfFejY69esPsNmhbwQ7jxIledclIri0sG9G3rnx3NQdGcU6Ypi4WhuJ2B1y5DUO3Ym/fuqw0OpYrI12UZYYjpLL1V3c8PDshaBbnArW68+a6Fq4vRpEkHKKUcePYUHbB5APyjkkEzeINfJbrrv/WVb5dGaxSRH61LsjnlOrRDi2qITewfkLz3CMmxQM0fRAT3UV9q0FibzJ ilker@oolm-shop' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRmXj9h/gCTSODkPH1ooBgq6hOZFjxczLPw9Bv5gt+z6v41zxpYKBDyvMy7jblwK3//EA469QRqKEBq0Hhx1aocrVe8TWZGDqzc2nrzh2YSewvKjbx6Dv+pdoWcTzF6Rho2Klvu79p5lcV+2I/u82wLDNVBZliGuRJJ8yVVQ8RkSdvz/O15d9qfI7F0yzzjhYy+t/W6tDxEt2N65n7SC14i/q/DqdGCLp7eBAHkC2mTruLbzCIdMteFg7q0GuTdlII0BF5LPbHlVK8nm8iOOH61pI/gygXF0Z9WlL7e/hfE8qTGAucAsy0KoOodlEQD1LLV1Rubmy7zKZBk4qvXzh7 
ilkeregilmez@Ilkers-MBP-2.fritz.box' + + - name: shop + password: $6$.7q7LwrI$LS0W95y5MHgaQZ4v5OvYukQn3pxmbeQvm9lNrPVSN7R.GVwGGIqdfnX2xOvGTgJcenUT3aJoa8HloOes1wUM71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCf7Vfsl2u55IYnkPMxRI+CK+33wUKR+XR6B160J6xOGe6LnHTsqgAGrjR5nhy7ieQZo4tGFORkikRrwz+H9mQulCsvtCrhh+Gjdkut4SzQbZsE0yLaNKflT3etR6dwKnX5HrqTtkZZ6D/Bi6392xrEy94590nNWZm5M6Vi0DIztt2jqUEiHrcJomPu1RDhl0OLxG/+/gyo9Td3p8olcW6Xk4q8w4GVHZ3sTB+jsMHEMbG6KqkA+eR/agNlxqngPO0Pz3yd5ciOmF+E6Yf47WwlHctBs6Zs/8s1jFFjLqe9k0F6rzY2S7hLaoREXgf+SNRcaN4Y97yRPzeMspvJebwx shop@oolm-shop.oopen.de' + - 'ssh-rsa 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 thomashauck@Thomas-Haucks-iMac-3.locali' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzEcbz4Jne4lZup1qB8nk8SnUv8xWvpgE6tYiLqsyve7+BGCtA01tM3CWcafRwffw3I/Tmw1PG2T+gEGKSIscKoBGNbpFeA3dSnG/d811VWPyN4j6DcKHDW5njdt+XdUkPTA2Xm2mcNayBovMP5ld2VgEqsYPFpNkcIx4Qsh4URRoVwM0a1CGW5eBWa5gwYypfiK9m/DyiA6gX0fCJKS64GKUilYyrwSSatlt8tkOw3Kb8A39AViYL243zFzrPSNvBRnkp81pOt3khNxB3V07CGUERPTvh4B/mKb3g5yBynLjzvbJkGboR+zzTYGiWPNlwgNOhzIP3h/YnMb3JKJzx shop@oolm-shop' + + - name: sven + password: $6$tUJZYAXg$DnHWYkGxXlkFTcyWKO3BvP34OekepDb8x19op8C/AzXxTtXrkE2CCeXhtkVu.89dWybdJPI23TVNpsd3dIyPA1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcm/+4FQ8yFKM05jut+Tsrd6ZHVvUpbKO1ezbpRagvh8s7LTclxRwBEktQD/lJgC7X2H1d4QF71MRcEjfmmH51r1MI5s+mV2KbowUh39io0e0qQrPKlX23872miyjIBMtESHTzWGWJo4VnOBWOoWzUu+sVpDPZ1bVw9EN3Iboq3q7i4pZLj85ASb8pZBJvCWqtOgDZ5qnbvmpPeewgfAOmSvQh1qdDW63pcbupwY/peneUUOCkIE91oCCW5ZKH4El+OGXDm4jKY5Z6Dh9nVcHsJ3Burp/2rPJr27TyhqeezewbyO5Y/XTm1/nx3iNnIudy7fF/N/DlHvb3RJLI+P/3 sven@oolm-shop-dev' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$2aYNjVAaYCJ7KuKYMjX3o1$M7E8/NkOHJnmmVcx0zD27oYExIf2aEergJ1KBnVbn92 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - ilker + - ilker-sudo + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/oolm-shop.oopen.de.yml b/host_vars/oolm-shop.oopen.de.yml index ba852cd..4526ab8 100644 --- a/host_vars/oolm-shop.oopen.de.yml +++ b/host_vars/oolm-shop.oopen.de.yml @@ -19,7 +19,7 @@ # vars used by roles/common/tasks/sshd.yml # --- -sshd_password_authentication: !!str "yes" +#sshd_password_authentication: !!str "yes" # --- 
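Review bot: `ilker` and `ilker-sudo` carry the identical hash `$6$KdZA19BkoB5hmlSq$…` and both appear in `sudo_users`, so the split into a sudo and a non-sudo account buys nothing — either drop `ilker` from `sudo_users` and give the two accounts different passwords, or remove `ilker-sudo` altogether. The admin keys `chris@sol` and `root@sol` are added to the authorized keys of every personal account (`ilker`, `shop`, `sven`), which makes an admin login as one of those users indistinguishable from the user's own; prefer logging in as `sysadm` and using `sudo -u <user>` so access stays attributable. All `$6$`/`$y$` hashes are committed unvaulted, and the `chris` and `back` hashes match those on the other hosts in this change; vault them and use per-host passwords.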
@@ -31,6 +31,72 @@ sshd_password_authentication: !!str "yes" # vars used by roles/common/tasks/users.yml # --- +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: ilker + password: $6$KdZA19BkoB5hmlSq$0EnTYvavJh/xYsCc1Movk7Rt3fF0Kpiw/i.YQalZmL5kmChurAcJRgLNoceTtH7gFKY67SkeiE6Diy5L74CF71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3oRUYDERuHw8QXRT6P5FjA+9OlK82/s71Ns3moLRG2PXkPlUHMJLDsImttlBpzrfxCHMzF/gAyzwCG8EFQA0fLQolShVYBVuJQ8sHS3xedbni2PbiUzgc5P9le/LwBjxOt2EFXGcNgHfFejY69esPsNmhbwQ7jxIledclIri0sG9G3rnx3NQdGcU6Ypi4WhuJ2B1y5DUO3Ym/fuqw0OpYrI12UZYYjpLL1V3c8PDshaBbnArW68+a6Fq4vRpEkHKKUcePYUHbB5APyjkkEzeINfJbrrv/WVb5dGaxSRH61LsjnlOrRDi2qITewfkLz3CMmxQM0fRAT3UV9q0FibzJ ilker@oolm-shop' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDRmXj9h/gCTSODkPH1ooBgq6hOZFjxczLPw9Bv5gt+z6v41zxpYKBDyvMy7jblwK3//EA469QRqKEBq0Hhx1aocrVe8TWZGDqzc2nrzh2YSewvKjbx6Dv+pdoWcTzF6Rho2Klvu79p5lcV+2I/u82wLDNVBZliGuRJJ8yVVQ8RkSdvz/O15d9qfI7F0yzzjhYy+t/W6tDxEt2N65n7SC14i/q/DqdGCLp7eBAHkC2mTruLbzCIdMteFg7q0GuTdlII0BF5LPbHlVK8nm8iOOH61pI/gygXF0Z9WlL7e/hfE8qTGAucAsy0KoOodlEQD1LLV1Rubmy7zKZBk4qvXzh7 ilkeregilmez@Ilkers-MBP-2.fritz.box' + + - name: ilker-sudo + password: $6$KdZA19BkoB5hmlSq$0EnTYvavJh/xYsCc1Movk7Rt3fF0Kpiw/i.YQalZmL5kmChurAcJRgLNoceTtH7gFKY67SkeiE6Diy5L74CF71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3oRUYDERuHw8QXRT6P5FjA+9OlK82/s71Ns3moLRG2PXkPlUHMJLDsImttlBpzrfxCHMzF/gAyzwCG8EFQA0fLQolShVYBVuJQ8sHS3xedbni2PbiUzgc5P9le/LwBjxOt2EFXGcNgHfFejY69esPsNmhbwQ7jxIledclIri0sG9G3rnx3NQdGcU6Ypi4WhuJ2B1y5DUO3Ym/fuqw0OpYrI12UZYYjpLL1V3c8PDshaBbnArW68+a6Fq4vRpEkHKKUcePYUHbB5APyjkkEzeINfJbrrv/WVb5dGaxSRH61LsjnlOrRDi2qITewfkLz3CMmxQM0fRAT3UV9q0FibzJ ilker@oolm-shop' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRmXj9h/gCTSODkPH1ooBgq6hOZFjxczLPw9Bv5gt+z6v41zxpYKBDyvMy7jblwK3//EA469QRqKEBq0Hhx1aocrVe8TWZGDqzc2nrzh2YSewvKjbx6Dv+pdoWcTzF6Rho2Klvu79p5lcV+2I/u82wLDNVBZliGuRJJ8yVVQ8RkSdvz/O15d9qfI7F0yzzjhYy+t/W6tDxEt2N65n7SC14i/q/DqdGCLp7eBAHkC2mTruLbzCIdMteFg7q0GuTdlII0BF5LPbHlVK8nm8iOOH61pI/gygXF0Z9WlL7e/hfE8qTGAucAsy0KoOodlEQD1LLV1Rubmy7zKZBk4qvXzh7 
ilkeregilmez@Ilkers-MBP-2.fritz.box' + + - name: shop + password: $6$.7q7LwrI$LS0W95y5MHgaQZ4v5OvYukQn3pxmbeQvm9lNrPVSN7R.GVwGGIqdfnX2xOvGTgJcenUT3aJoa8HloOes1wUM71 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtV1K8uTgEA/KylUelsOAcSxRWIGoioIeymZAIm+9mqRlxEjk/PH393medpqayD1QDx0kcd8cyg8j1JyOxhhQbEo4z7KMTn9HfvncfuHYPuYqMXPto4kLTUXa0QhKgnYXKwBQ2qH3MlU5KC0poPXLIu6cbMaJPH+0WtP7hxJWMCmCV/ycuXL2Wr+S0vIZVUqnnyR911fMoElJJkJ5pxxLy8rGogMbl9y0RUS1ZBDXvjVR9F+g9KmZ5yWATOB4nGk9wl5zrtxqP1PTu5DHLLyx4tnhO3VqReMkPTKZb+JpEYc8IccuVLyk3Vdr7pob7J+QeqoN266QJNxTwK+QCfnpf ilkeregilmez@ulli.speedport.ip' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCf7Vfsl2u55IYnkPMxRI+CK+33wUKR+XR6B160J6xOGe6LnHTsqgAGrjR5nhy7ieQZo4tGFORkikRrwz+H9mQulCsvtCrhh+Gjdkut4SzQbZsE0yLaNKflT3etR6dwKnX5HrqTtkZZ6D/Bi6392xrEy94590nNWZm5M6Vi0DIztt2jqUEiHrcJomPu1RDhl0OLxG/+/gyo9Td3p8olcW6Xk4q8w4GVHZ3sTB+jsMHEMbG6KqkA+eR/agNlxqngPO0Pz3yd5ciOmF+E6Yf47WwlHctBs6Zs/8s1jFFjLqe9k0F6rzY2S7hLaoREXgf+SNRcaN4Y97yRPzeMspvJebwx shop@oolm-shop.oopen.de' + - 'ssh-rsa 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 thomashauck@Thomas-Haucks-iMac-3.locali' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzEcbz4Jne4lZup1qB8nk8SnUv8xWvpgE6tYiLqsyve7+BGCtA01tM3CWcafRwffw3I/Tmw1PG2T+gEGKSIscKoBGNbpFeA3dSnG/d811VWPyN4j6DcKHDW5njdt+XdUkPTA2Xm2mcNayBovMP5ld2VgEqsYPFpNkcIx4Qsh4URRoVwM0a1CGW5eBWa5gwYypfiK9m/DyiA6gX0fCJKS64GKUilYyrwSSatlt8tkOw3Kb8A39AViYL243zFzrPSNvBRnkp81pOt3khNxB3V07CGUERPTvh4B/mKb3g5yBynLjzvbJkGboR+zzTYGiWPNlwgNOhzIP3h/YnMb3JKJzx shop@oolm-shop' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$2aYNjVAaYCJ7KuKYMjX3o1$M7E8/NkOHJnmmVcx0zD27oYExIf2aEergJ1KBnVbn92 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P 
chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - ilker + - ilker-sudo + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/hosts b/hosts index d420a28..416991c 100644 --- a/hosts +++ b/hosts @@ -27,8 +27,9 @@ devel-root.wf.netz gw-123.oopen.de gw-ah.oopen.de gw-ak.oopen.de -gw-ebs.oopen.de gw-akb.akb.netz +gw-ebs.oopen.de +gw-fhxb.oopen.de gw-ckubu.local.netz gw-b3.oopen.de gw-blkr.oopen.de @@ -43,12 +44,14 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz zapata.opp.netz gw-replacement.local.netz gw-replacement2.local.netz +gw-replacement3.local.netz k1371.dyndns.org @@ -149,6 +152,9 @@ o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +# IL - PAD +o25.oopen.de + # - o27.oopen.de o27.oopen.de cl-fm.oopen.de @@ -202,6 +208,7 @@ lxc-host-kb.anw-kb.netz [initial_setup] gw-123.oopen.de +gw-fhxb.oopen.de gw-ah.oopen.de gw-ak.oopen.de gw-ebs.oopen.de @@ -221,6 +228,7 @@ gw-kb.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz zapata.opp.netz @@ -229,6 +237,7 @@ gw-ckubu.local.netz gw-replacement.local.netz gw-replacement2.local.netz +gw-replacement3.local.netz k1371.dyndns.org @@ -346,6 +355,9 @@ o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +# IL - PAD +o25.oopen.de + # - o27.oopen.de o27.oopen.de cl-fm.oopen.de 
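Review bot: `ilker` and `ilker-sudo` carry the identical password hash (`$6$KdZA19BkoB5hmlSq$…`) and both are then listed in `sudo_users`, so the dedicated sudo account adds no privilege boundary; if `ilker-sudo` is the elevated account, give it its own password and drop `ilker` from `sudo_users`. The hashes are stored in clear in host_vars, where anyone with read access to the repository can feed them to an offline cracker; they belong in an ansible-vault-encrypted file and are referenced from here, for example `password: "{{ vault_ilker_password_hash }}"` (constructed name). The `back` entry reuses the same `$6$GntX81EP$…` hash that the preceding hunk (its file header is outside this view) sets for the same user, so one cracked credential covers several hosts.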
@@ -415,6 +427,9 @@ gw-ak.oopen.de gw-ah.oopen.de file-ah.kanzlei-kiel.netz +# - FHXB Museum Friedrichshain Kreuzberg +file-fhxb.fhxb.netz + # - Kanzlei Berenice file-km.anw-km.netz @@ -446,7 +461,6 @@ anita.wf.netz devel-cloud.wf.netz devel-db.wf.netz devel-git.wf.netz -devel-php.wf.netz devel-repos.wf.netz devel-php.wf.netz devel-todo.wf.netz @@ -674,6 +688,8 @@ cl-test.oopen.de file-ah.kanzlei-kiel.netz +file-fhxb.fhxb.netz + [ftp_server] @@ -1091,18 +1107,27 @@ o17.oopen.de # --- # Warenform # --- -anita.wf.netz +#anita.wf.netz # --- # Büro Netzwerke # --- bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz zapata.opp.netz +[nfs_server] + +file-fhxb.fhxb.netz + + +[nfs_client] + + [mumble_server] #test.mx.oopen.de @@ -1303,6 +1328,7 @@ cl-test.oopen.de bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz +file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz zapata.opp.netz @@ -1434,6 +1460,9 @@ o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +# IL - PAD +o25.oopen.de + # - o27.oopen.de o27.oopen.de cl-fm.oopen.de @@ -1502,14 +1531,16 @@ bbb.b3-bornim.netz [gateway_server_ro] -gw-123.oopen.de gw-blkr.oopen.de -gw-flr.oopen.de gw-replacement2.local.netz +gw-replacement3.local.netz [gateway_server_rw] +gw-fhxb.oopen.de + +gw-123.oopen.de gw-ah.oopen.de gw-ak.oopen.de gw-b3.oopen.de @@ -1518,6 +1549,7 @@ gw-ebs.oopen.de gw-ak.oopen.de gw-akb.oopen.de gw-ckubu.local.netz +gw-flr.oopen.de gw-replacement.local.netz gw-irights.irights.netz gw-km.oopen.de @@ -1545,6 +1577,7 @@ gateway_server_rw + [warenform_server] # server16 diff --git a/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated new file mode 100644 index 0000000..045a599 --- /dev/null +++ b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated 
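Review bot: In `[gateway_server_rw]`, `gw-ak.oopen.de` appears to be listed twice: once among the context lines of the `@@ -1502` hunk and again as the first context line of the `@@ -1518` hunk, while the `@@ -446` hunk removes exactly this kind of duplicate for `devel-php.wf.netz`; the second `gw-ak.oopen.de` should go the same way. Moving `gw-123.oopen.de` and `gw-flr.oopen.de` out of `[gateway_server_ro]` into `[gateway_server_rw]`, and adding `gw-fhxb.oopen.de` there, widens whatever read-write access that group grants with no trace of why; a comment above each moved host (`# rw since <date>: <reason>`) would record the decision. The new `gw-fhxb.oopen.de` line is also separated from the rest of the group by a stray blank line, which reads as if it belonged to a different section.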
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAt9Qh2dKZHZnFFaOuC3lHzf0G2Msxl4obACGEpo0a7MYcMId9 +AnrvFTbpAyla0H7u4TubESGvFY//A69RZy2c5yL2u3UapwielhxbEyxaA7gVOd6s +XoBPnxA36GBFSaUQ+hM0gMv1yUFH5DWCDxTN39ooJk8dhoxrZIPoyhg7v1BxKGtO +0aKijOHh70SPW4zogGK+Y/OxpMs39OQup05Nw/Al1/+jCBtrQtL8imjYHBYD+Fcj +IdRW/J1a+YB4g0mryu9WPvTd8hkcvEAUv2vwK7A90d1R/7Y9UXmgAYl3HCfkq3c0 +/PcBN7VfKmQyspmxJuphc/M9KRV8YrBtxdfZlOL62mbyuHX+RP0p2Oqh6Va4AzVy +FKV8dFA0diFbL7xbMRcz34QwitdHt2JNf3LUZGWWmOcfuJeFom4x9gScaWAMa4ho +z9cVonC1MsG2tT6SRunU0Eotn7sCgcV8PmP1xkQPtslxmHuvO1geaZIfMuVlVUGW +wnk4sSFZXsB4qzDqgncPrxU+0vhzmXVwOFCDPJxwM7n8UFbLMWxmQ96/Nd2HEm1c +pqF87Xu7hkEtuKH7trtYdRS75zw4wqyjXZK+gK4Vb2w3Id8j7czxtHWF+Yf38ko1 +WTzgD8cGlQ5Fsl0nJHhp2MTyIWOR+Mgl9by0e12oiHzO8yzWApDoxt3xH+0CAwEA +AQKCAgAPBrMBqBpF9iTLAQcf/vjkmJMvs2RJW8ubNiIurwgNZKA3Q0vvoPbcCBIB +5SZ8NnP2SzYAr30tSQjyVylTQsI5jn0Wk5rrHmRAJu824QA2n5x0j4QNcXWQrfWz +8/KV830ww9Md2A4uNjzXJZyM+QlfC+kOQJdMQTwiCjpEErkHiV7GjAb0UdPxqiEa +usLxG9KBdBDWALx7mPTo+qHpoRfwNTgSsN21svAQlUh5U9qeaRpH+W9wu3ekzIP8 +MwkmyiXVv7yQBtoBiRX1OVO41eza1VwoRGwId/AJMeTnW0I2NfiWH3dgWhxqXlP6 +FhiiyrdVVAFFRhOwwQXa10sRyfQJ+Q/Fb7/HeU3ANJzBa84R77Kk5C6Hut/Dwjd7 +lw7uLB1eRYpEFcr7JJysjFXEmVwhYBYf5KBAVFKD1HFwV5uDUtwG70lp3ls+coJC +cPncaE4gOk7Yl2jOHqckeEThZ0LKP13I2wa4Mn2NNZUu4d0Q6n2BBHwZAmd4QHzP +97St7QZh2c7SvGZzdyGJYiOL6d+Ta7/LU6Dh0I0UbGhsNC9CBA3fqhImvU+tqK0f +I0umo3PRrcrkQ2NSISiy/888bgo380ku12rOTaICxX+sD6O2sm1VaeeHr/nJ5pbK +rVizaSwTRWS13CX2gmXz2YzxcAi1M069fAb9MAU9833UgOW0gQKCAQEA3CYTKdzT +txZYtVNCHObDZo11D6LrdYeSslVmjagfSm4GGl9xDFVgVmW+CudA8ey4zzwLqySW +6Q2sRBqknJr/D8DTon0WezKocIUXUwy9zEQmDhq54ylkeZVno2GXMv/m6Qz59gE8 +Xb0HvXvKt6dOaDp+d8IOSoYahRk3o0jHoRH9Ca/9XEqGgCZcJI94csn+KsjfXymT +UYWdzei6vey6WgWrN1JdAnvXxI98SZukmQM+LiPkBkMxJ4kzOm9kMcqaVjNQJIIy +6Ukx56MNcuZ2ijG4TAvfaZBG8Wm/arn/1Wl5Uo4es70z//s6mQcthDOMOf5eIS2w +s2EtNYAdDE/94QKCAQEA1cPipN7hA6l80mCZW36QwVqmSfbst10sEjkyuRex0p+W +8eiRcjbHUKxlY7aspgyTQL3bI/wKqwkJ2uTEw5824EN6r0hUZN2JwjiRaNHBcC1S 
+AujUNDLxWoCX/Kte4Z+LDNP9ijNGsqyWwfIqS98gAZFR5ANeeYK4oy1BOrBohab4 +lku9nGp8FjFnAKU0BL4zJoVNBeTgaSdT/XPOM1eDt+LnbcUNSmZNFbUCD+efMEc4 +Gq2cXnDNL+7fLgvSIbLD6XBhfEpU93bWfUBuv7sRuicl6RcY1uu482YzP7LY6PdT +0SGUp/A5f3mUlaKhLdcJbAS7yam1Nnwldl8nXu2rjQKCAQBEjNqUw31tWlj/BVDl +3PllWpDj8JAvBaspOqx3Wa18qKvf1G5IL+GSpZW6oW24p0SYyxK7FOak5SwJ/N3b +IexgRGPiCd9RN2H5v4eWxbXoACR1ad8OHBp8PYiK+F1zdPm7Ad5nutTIP49EcmKa +M0+X5vbwZY27qOxjG4oWnxgCUK6hMJrM/SvKhadVfxM7cyhgvDHJ2RFVZizQLDLR +5v/T/kXlMRFjL5rtStyhswRa3QakqWpchNmufOtlu7/QPU03oDzJUX125OLURRJv +/9FTkM3ZaC0GGvXsQEhpfEdsda5ghX6L61Ng1yLU+cYzjzWP7WP0It0Nzimcqirh +ZZshAoIBAA/pKp9272ykWuQVyJRk0UVzB9mNhYUIbFVW6I2aU+QHeOa8lsbXiPJa +QpmvaR5a5UL2Xq9I/UpJu/ANAxBEc4Mxwpn1WkK/spdAOqKAqlM9LFOHHPRdrlU8 +KRPndYJ5q5Hi3YZB1stJyVbaPYe0Ld+v/1ZnYcrNjgynO6mwo7b+/JXDQXO5AU9t +kescYMjRl2EQnvEHXiS1hqzgx8JOi0FOpEcpWZnmD2rENEkWxmSDiIuDzJXC86LT +tszomFVlxutDMB5eMgDRWZmtCBFBTUp7y3iT/YdRuEx1mO7u0vJUJmr0guoVGVKB +rCuPFUwiK1Nc7tVNym0pxGgRIQ8RxakCggEBAJa+qKh7dyN+w6Txke8sGB+tyATX +JQgrfE9UEgrAL0e/0XS6UCD0AGH7rlmxEJH6OXJm3Lq/C2pe7+UMZXKPyfHG192v +BBA690lkxsqGVynq66ORidxK5xyX5k/YCWCoQT6BlvdX9UiSX45Pr4zgpGkWUBZ8 +Ak+8E+AQ8KawwzAOHAlCwOlwXoRejpvzX15+WNlJIHzWN3LUzU7WfLUpSRrhPEfL +YvOD4OHRyAjCPkJA2FjKDvO4ohAiTfIHWV4BdWD4MieOQda+0Yf8o3nikAVbuf3D +zfOeHc3UbA6EKbsDV2jxjdgytycsJWUXjqgLVkInt4AYyoqh41QUdm9sBUM= +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated.pub b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated.pub new file mode 100644 index 0000000..c03069b --- /dev/null +++ b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-dehydrated.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@d.mx-dehydrated diff --git a/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim new file mode 100644 index 0000000..d6d8554 --- /dev/null +++ b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim 
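Review bot: `d.mx-id_rsa-dehydrated` is an unencrypted PKCS#1 private key (`-----BEGIN RSA PRIVATE KEY-----`) added in clear to the repository, and the same applies to `d.mx-id_rsa-opendkim` in the next file section; every clone of this history now holds both keys. Private key material belongs in an ansible-vault-encrypted file or a secret store referenced at deploy time, not under `roles/common/files`. Because both keys are already in the commit, treat them as exposed: generate replacements, install the new public keys wherever these are authorized (the opendkim key is presumably the `dns_ssh_key` used toward the DNS server), remove the old ones from those `authorized_keys`, then purge the files from history. The accompanying `.pub` files carry no secret and can stay.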
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAs+Uv/Jbak2qHe4WSblP3AvgDjvjqILHQb+G7O3UV0ePRuApk +5Ju2JHsUQV3lvK1QpR+AGsqqiSofUGw03FISzQKH3tH4UsYYKa7SxFS7v4pZyeDD +q8Ye9M1IF8bvOnyQORNzgFUjN7w30+RGOFuQNTCbdcuLa/UVmS6buvDvQiT1OH1n +CNOoeckpnUlVXB4QQDT4xw0iYjln8NX2dDtabRBX+KP9CL86tbu2I6/At0R+cTh9 +gSM25w0XEeM8uTljXP4Bq9P/wrjkG2fxoawLVm/7NIn42WMRy2NaosunOFAxj9me +iYoqN+7xQrHpSLyr4XP53alIKOBD+N92LSQ8MvgeaY+ci/u7A+P5b6iz6E1+l2Ds +EIpbjw6GRjLWtYJU75DX2cJwjuBzLGHtY88uK/A7IxWnULblB4UNntsjL+FSf/oA +ecu7+/DbjAlSfrXbQMgbwsY7cHmt8tSifz8FQcgJb9bkc7CNxL48MXcxqqN5pRFg +bq8LZq9K1lfWZzA8G6lC+Jb1xP6ndd/MkzuW5ucDYAM7FI+/7i9WNy/Uc/jp0Zvp +YXSNfYbjTItmL/bkHJtpDRW2ZTVbutsjkSZeody5Kp+s28aTWdnbmWVAn0cP2z9V +mMh8nsUXg0/+V/6WldwhNv48l22joTdmrIEEtYOL3mUD5N6A/fy52TkhEAcCAwEA +AQKCAgBb4D5805K4XVzqchKSNGHga0ht+aShpA7fRTs5p5fIRYEzbGOQ+hGxWgbD +R7Bwh1e7rXXguQcV3KR3j3wD1gryF0vLOhOIOtHWYAoW6Wul7IPk/d0RWrMutbUP +J7PAfCOwcsW3kkPVUFR27IwMdn8VG0kahSUkstwgCtTQSgL4FiYDftBjiq3t3RZa +1Tw6OsRz9lnkV0nrPoReVPh07mdFcmZrf11Y3UmfzUm9uiJDt0CYlJBMpu6AXIge +w56cvrmHoda6qiBik8k0UgbvWg3ETJbQg3LLm7RX2ttMb5Rsx1A4tp0og58CSA+B +z5lkY6+pCnFfivhmn/s3HPGfJnVzepNRuRAbK1os3G044EJ1RA00SLm/LPLMwG+z +FNnX8ylkOOKppYqQeFxZ2CR8NmJH97mmW6FDV5P7WUlsvWI2A3dIe3yFX7WW2Xid +oMrW/Q4HEvFT+oeBEPEUiRLyQrtNa3/VHyiDqF+v45Sm5S7VHddQOhyf8L75G0ol +dVwqjfZJcK7NsonFgSklt9v7enXapI5i0ASsQE3ElWMvGv7uln2CXiKe1RPioKO7 +lMbDRF7RnG3AQSRnbShIRDagP0V21CXVZ2JYzNJ6rmFnEqOoLgUdUhkRbgCb+4hJ +LfX9cX9R4lj84y7HcJOPJOUgDAcjGZlIeNixX888rqPftdrA+QKCAQEA6awS4Ghh +qXzorBfdqxfrZ2A2iUMUTuaUUC0XYkI35dSZXr8QKmRjWqT+jUydBqtbLlXCG3XX +G1+Z5MEzfVACQ4BoPP0EBIMgMIidABVc8C2RR1VMce2ng19GmW47/sW1ObC/ghVb +Bxmoj4/t5W30kxjXdb5JXal68j+dFl7uUyKjgtvQWjrcuOaKCT6PoXXxG6NOpPoi +tOyGM90qGKqWIElHPpprSWvZOAwGD/Z7jnYl4ODKDQvmk4Yt58pdCSr1sZrevna+ +rIgIEhiQF+ffTyK7XgXAuGQPhYrMviAo3376oAB6HcyYr/CPwQ3bu6p09B0eE3FI +mhvk7kBhnBN2NQKCAQEAxRWpF9XZ2UuuPTYg+Vqwes7PLc/Dc+j6QohM/7PV29Hl +fJAJli4BqdqNdmmRSo+SAIwNaJvPpU0RUL/Fxa7ePmWVyTKJgG+zban8uT+FGGNl 
+QpcwICkytpw3ZJf66i0lU7JM7Mkjvs4nIAmQMzl8noc6bxcU+mHqEa/XpI/4e+14 +++Ixu+OWwZd5tVzon2s9oAv6dzrNDvcCqaEEmXBL3Ylh1pjYcvW2K6+hxQy3+JgD +0CysrqOfPZ6IRgs9Yn2zZDlWQ715T0hdf669253qdTZwieUs2kYVQUaxtBnUuJzq +UHlARm59wWa9PAiLvilgu0U4Rn0nqczvxXdUpaOEywKCAQB7KNSyLpH68Pj5a4LM +IMlULSPRaOeVRna5Y2rFwT0RB+LmSzHMBilPp1L7Snwg/cQLQewS6SM9LEBCj4oB +7F+lEFLggkLR1gLrUbXeS2Q2uu2teUnXank2BsuBJta8S5xfEcd+Wp8luOJc+HFc +0X1s4lT9nBOzKBbDA8BaACMA8mrYF99TD18ynV/3y1+MrEsuU/6peaU9UsTRJSqA +4bhKwBSq7FzLz+onXj77vuAUkDUat6AHDFS1QK2FU+WBZYEl4Qixvoh1CyWl1Ahu +cSoD3bx/q+yNwz9jFWsgcnbYhWa3WkkC18lKQjKigBlmaktGNuqZOMYZY8ZfxNMt +nhxZAoIBAQC4MVBBiIn7fbGwX6Bdq5Z4kEQs6pofAES0XbKo4CglM3wo+G0dQI4p +cqr3Wh6B8sBfZoU5mTVtpiNitnheEtp+sm5VBbhgowSsn0wkzerUKkD/BVHjHN3a +sRFMIIZOyjayjFc8jZeswfrrBEUSus1vU68XGBlxEIW0VgVSNYPkPsLtli8pDMFe +2PTUvapjI9UKeWdyezAepliEtIoZ5UviFn2sFFlmx6GkHpcwFHz0Bw65Rqd06FLx +QfLWk7ahEB3Ss4ud770qjdVkeanTUTlIpsJy/g73SLygrzNxwRqAF5cd8tRRfv5k +/GIrc0k3RnCzVTQNHPcuyOvmP2qLC9IVAoIBAQDoC9nZ2nioMfS4lsJ2IUMLyknz +Ji8ME5g4a64yDfaFjK9DLASAqjrflCtavgj5dAGMZmltNS1EN89lIPNNj1IrHVM0 +FHqUry9WkRQ0PxFvyJkhJ5w0sfiepocWWE0JhTDweDFKm/I7x0ZNBWOKzA3Myljv +PxSsh97Gkvcv69m6GDI8vfOc7kSGephchz94jH9IcmfG2EJjEfW1AynVVGtyniv/ +Dyq0EtDZqyiIFoCJzEXu+qm4sJk5RbKkMHRGDEN8BOwSFS0lPx3Tges0ORD03+EB +Iop6GLArJCkxay6XznpLC1SK/9Nf/3lSLpHwQ7lscKOux2OQh2l0p8kW1+gh +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim.pub b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim.pub new file mode 100644 index 0000000..4722ed6 --- /dev/null +++ b/roles/common/files/d.mx/root/.ssh/d.mx-id_rsa-opendkim.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@d.mx-opendkim diff --git a/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..9549ff9 --- /dev/null 
+++ b/roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -0,0 +1,154 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=true +check_apache=true +check_php_fpm=false +check_website=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. 
If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. 
+# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/d.mx/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/d.mx/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..f5a681d --- /dev/null +++ b/roles/common/files/d.mx/root/bin/postfix/conf/create_opendkim_key.conf 
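Review bot: `include_cleanup_function=true` is set while `cleanup_function` is empty apart from a newline and `check_website=false`, so the flag announces a cleanup that does not exist; `include_cleanup_function=false` keeps the file consistent with what it actually configures, though how the script treats an empty body is not visible here. `from_address` builds the address with command-substitution backticks; `from_address="root@$(hostname -f)"` is the equivalent modern form. The comment block has several typos worth fixing in one pass: `ist`/`verbos` in the LOGGING note, `insecure an sind mysql 5.5` (`since`), `fro file ist` (`from file is`), `does not response` (`respond`), `servervices`, and `single qoutes`.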
@@ -0,0 +1,175 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +#dns_dkim_zone_master_server="" +dns_dkim_zone_master_server="b.ns.oopen.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +#key_secret="" +key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: +# - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +#key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +#key_name= +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/d.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/d.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/d.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf 
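Review bot: `key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="` commits the live TSIG secret for dynamic updates against `b.ns.oopen.de` in clear; anyone with read access to the repository and network reach to that server can then alter records in the DKIM update zone. Move the value into an ansible-vault-encrypted variable and template it in, and rotate the key on the DNS server, since this commit already exposes it. The comment above still reads `Sectret` (`Secret`), and listing `hmac-md5` and `hmac-sha1` among the choices without qualification invites picking them; a short `# prefer hmac-sha256 or stronger` beside the list would steer users toward the default.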
@@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/files/d.mx/usr/local/src/sympa/conf/install_sympa.conf b/roles/common/files/d.mx/usr/local/src/sympa/conf/install_sympa.conf new file mode 100644 index 0000000..d6032c8 --- /dev/null +++ b/roles/common/files/d.mx/usr/local/src/sympa/conf/install_sympa.conf 
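Review bot: `WHITE_LIST_STRINGS="google.com tinyurl.com"` extends the ClamAV signature whitelist to a URL-shortener domain; shortened links are a frequent phishing carrier, so signatures naming `tinyurl.com` are the ones a mail gateway usually wants to keep, and the reason for the exception deserves a comment next to the line (`# tinyurl.com: <ticket/reason>`). The header says `Parameter Settings for Script 'whitelist_mb_sigs.conf'`, which names this config file rather than the script it configures; the sibling `create_opendkim_key.conf` names its script (`create_opendkim_key.sh`), and this header should do the same (presumably the `.sh` of the same name — confirm).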
@@ -0,0 +1,138 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------- +# - Configuration for sympa install script +# ---------------------------------------- + + +# - PREFIX +# - +# - Sympa Installation directory +# - +# - Defaults to: "/usr/local/sympa" +# - +#PREFIX="/usr/local/sympa" + +# - SYMPA_USER +# - +# - User under which Sympa services are running +# - +# - Defaults to: "sympa" +# - +#SYMPA_USER="sympa" + + +# - SYMPA_MAIN_CONF_DIR +# - +# - Sympas main configuration directory +# - +# - Defaults to: "/etc/sympa" +# - +#SYMPA_MAIN_CONF_DIR="/etc/sympa" + + +# - SYMPA_LIST_DATA_DIR +# - +# - Data directory for sympa lists +# - +# - defaults to: "/data/sympa/list_data" +# - +#SYMPA_LIST_DATA_DIR=/data/sympa/list_data + + +# - SYMPA_DOMAIN +# - +# - Note: if sympa will be configured to support multidomains +# - this (SYMPA_DOMAIN) should not contain list definitions +# - +# - +SYMPA_DOMAIN="sympa.oopen.de" + + +# - START_AT_BOOTTIME +# - +# - Defaults to: "yes" +# - +#START_AT_BOOTTIME="yes" + + +# - SYMPA_LISTMASTER +# - +# - +# - Defaults to "postmaster@$SYMPA_DOMAIN" +# - +#SYMPA_LISTMASTER="postmaster@$SYMPA_DOMAIN" + + + +# - SYMPA_DB_TYPE +# - +# - Database type of sympas database +# - +# - If database is SQLite, then this parameter is not in use. 
+# - +# - Possible values are 'mysql' (MySQL) or 'Pg' (PostgeSQL), 'Sybase', 'Oracle' +# - +# - Defaults to: SYMPA_DB_TYPE="mysql" +# - +#SYMPA_DB_TYPE="mysql" + +# - SYMPA_DB_HOST +# - +# - Defaults to: SYMPA_DB_HOST="127.0.0.1" +# - +#SYMPA_DB_HOST="127.0.0.1" + +# - SYMPA_DB_PORT +# - +# - Defaults to: +# - 3306 - if SYMPA_DB_TYPE=mysql +# - 5432 - if SYMPA_DB_TYPE=Pg +# - 2638 - if SYMPA_DB_TYPE=Sybase +# - 1575 - if SYMPA_DB_TYPE=Oracle +# - +# - +#SYMPA_DB_PORT="3306" + +# - SYMPA_DB_NAME +# - +# - Defaults to: SYMPA_DB_NAME="sympa" +# - +#SYMPA_DB_NAME="sympa" + +# - SYMPA_DB_USER +# - +# - Defaults to: SYMPA_DB_USER="sympa" +# - +#SYMPA_DB_USER="sympa" + +# - SYMPA_DB_PASSWD +# - +# - Password for Sympa's database. +# - +SYMPA_DB_PASSWD="nw7FMhzRJPjcTHvm" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +MYSQL_CREDENTIALS="--login-path=local" + + + +# - VSERVER_GUEST +# - +# - Is this a Linux Vserver guest system? +# - +# - Possible values: yes/no +# - +# - Defaults to 'VSERVER_GUEST=no' +# - +#VSERVER_GUEST=no diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts b/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts deleted file mode 100644 index 875dcf6..0000000 --- a/roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts +++ /dev/null 
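Review bot: The comment block documents a parameter `mysql_credential_args`, but the assignment under it is `MYSQL_CREDENTIALS="--login-path=local"`; one of the two names is wrong for whatever the install script reads, and if the script looks for the documented name the setting is silently ignored and presumably falls back to the documented default credentials file. Check the script and align either the comment or the assignment. `SYMPA_DB_PASSWD="nw7FMhzRJPjcTHvm"` puts the list server's database password in the repository in clear; move it to an ansible-vault variable and change the password, since the value is now in history. Minor: `PostgeSQL` → `PostgreSQL`, and the header's closing rule is one dash longer than its opening rule.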
@@ -1,22 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# hosts blocked by postfwd -# -# This file is called with '=~'. This means perl regexp is possible -# -# -# To increase performance use ^ and/or $ in regular expressions -# -# Example: -# -# # block all hosts of domain 'oopen.de' -# \.oopen\.de$ -# -# # block host a.mx.oopen.de -# ^a\.mx\.oopen\.de$ -# -# --- - -# give hostnames to blocke here - diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets b/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets deleted file mode 100644 index e1db645..0000000 --- a/roles/common/files/e.mx/etc/postfix/postfwd.bl-nets +++ /dev/null @@ -1,16 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# Networks blocked by postfwd -# -# Example: -# -# # web0.warenform.de -# #83.223.86.76 -# #2a01:30:0:505:286:96ff:fe4a:6ee -# #2a01:30:0:13:286:96ff:fe4a:6eee -# -# --- - -# give networks to block here - diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender b/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender deleted file mode 100644 index efe38b9..0000000 --- a/roles/common/files/e.mx/etc/postfix/postfwd.bl-sender +++ /dev/null @@ -1,38 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# Sender addresses blocked by postfwd -# -# This file is called with '=~'. This means perl regexp is possible -# -# -# To increase performance use ^ and/or $ in regular expressions -# -# @acieu\.co\.uk$ -# ^error@mailfrom.com$ -# -# instedt of -# -# @acieu.co.uk -# error@mailfrom.com -# -# -# Example: -# -# # # annoying spammer domains -# # block all senders of maildomaindomain 'oopen.de' -# @acieu\.co\.uk$ -# -# # annoying spammer addresses -# # block sender address -# error@mailfrom.com -# sqek@eike\.se$ -# -# --- - -# annoying spammer domains -@acieu\.co\.uk$ - -# annoying spammer addresses -^error@mailfrom\.com$ -^sqek@eike\.se$ 
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.bl-user b/roles/common/files/e.mx/etc/postfix/postfwd.bl-user
deleted file mode 100644
index 3ca2bb7..0000000
--- a/roles/common/files/e.mx/etc/postfix/postfwd.bl-user
+++ /dev/null
@@ -1,13 +0,0 @@
-# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
-
-# ---
-# SASL Users blocked by postfwd
-#
-# Example:
-#
-# # give SASL usernames to block here
-# ckubu@oopen.de
-#
-# ---
-
-# give SASL usernames to block here
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.cf b/roles/common/files/e.mx/etc/postfix/postfwd.cf
deleted file mode 100644
index d106016..0000000
--- a/roles/common/files/e.mx/etc/postfix/postfwd.cf
+++ /dev/null
@@ -1,172 +0,0 @@ - -#======= Definitions ============ - -# Match messages with an associated SASL username -&&SASL_AUTH { - sasl_username!~^$ -} - -# Trusted networks -&&TRUSTED_NETS { - client_address==file:/etc/postfix/postfwd.wl-nets -} - -# Trusted hostnames -# client_name~=.warenform.de$ -&&TRUSTED_HOSTS { - client_name=~file:/etc/postfix/postfwd.wl-hosts -} - -# Trusted users -&&TRUSTED_USERS { - sasl_username==file:/etc/postfix/postfwd.wl-user -} - -# Trusted senders -&&TRUSTED_SENDERS { - sender=~file:/etc/postfix/postfwd.wl-sender -} - -# Blacklist networks -&&BLOCK_NETS { - client_address==file:/etc/postfix/postfwd.bl-nets -} - -# Blacklist hostnames -&&BLOCK_HOSTS { - client_name=~file:/etc/postfix/postfwd.bl-hosts -} - -# Blacklist users -&&BLOCK_USERS { - sasl_username==file:/etc/postfix/postfwd.bl-user -} - -# Blacklist sender adresses -&&BLOCK_SENDER { - # =~ - # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk) - sender=~file:/etc/postfix/postfwd.bl-sender -} - -# Inbound emails only -&&INCOMING { - client_address!=127.0.0.1 -} - - -#======= Rule Sets ============ - -# --- -# -# Processing of the Rule Sets -# -# The parser checks the elements of a policy delegation request against the postfwd set -# of rules and, if necessary, triggers the configured action (action=). Similar to a -# classic firewall, a rule is considered true if every element of the set of rules (or -# one from every element list) applies to the comparison. I.e. 
the following rule: -# -# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT -# -# triggers a REJECT if the -# -# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' -# -# -# Note: -# If an element occurs more than once, an element list is formed: -# -# The following rule set is equivalent to the above: -# -# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT -# -# -# triggers a REJECT if (as above) the -# -# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' -# -# --- - -# Whitelists - -# Whitelist trusted networks -id=WHL_NETS - &&TRUSTED_NETS - action=DUNNO - -# Whitelist trusted hostnames -id=WHL_HOSTS - &&TRUSTED_HOSTS - action=DUNNO - -# Whitelist sasl users -id=WHL_USERS - &&TRUSTED_USERS - action=DUNNO - -# Whitelist senders -id=WHL_SENDERS - &&INCOMING - &&TRUSTED_SENDERS - action=DUNNO - - -# Blacklists - -# Block networks -id=BL_NETS - &&BLOCK_NETS - action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS - -# Block hostname -id=BL_HOSTS - &&BLOCK_HOSTS - action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS - -# Block users -id=BL_USERS - &&BLOCK_USERS - action=REJECT User is blocked by Mailserver admins. Error: BL_USERS - -# Blacklist sender -# -# Claim successful delivery and silently discard the message. -# -id=BL_SENDER - &&BLOCK_SENDER - #action=DISCARD - action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER - - -# Rate Limits - -# Throttle unknown clients to 5 recipients per 5 minutes: -id=RATE_UNKNOWN_CLIENT_ADDR - sasl_username =~ /^$/ - client_name==unknown - action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed) - -# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. 
Error:RATE_CLIENT) -id=RATE_CLIENT_ADDR - &&INCOMING - action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address) - -# Block messages with more than 50 recipients -id=BLOCK_MSG_RCPT - &&INCOMING - &&SASL_AUTH - recipient_count=50 - action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT - -# Block users sending more than 50 messages/hour -id=RATE_MSG - &&INCOMING - &&SASL_AUTH - action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG) - -# Block users sending more than 250 recipients total/hour -id=RATE_RCPT - &&INCOMING - &&SASL_AUTH - action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT) - diff --git a/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated new file mode 100644 index 0000000..0a256b5 --- /dev/null +++ b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated 
@@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAxe0sdGCZS444N0pvLolycgXiipmRbptw/DMNlUGa1yYGDq1Qf0lQ +1zuDeSOjTk+W78bPHOQy1f+CeHsBj+XRkmInqUZ5K0UgVFEuiAsJGH8l63phyd9bkRHzg0 +QQOFZ7JqcNEpW0NiPSKWMLGg9/yA2XoQ4GgiruA9PyyKa2YdP7vll+5Dhm/E5Jvzwbtkkm +wM1EWjF5/1LRrFMq4nJAJhCval2Q7DWIHMDqmWj7ZDGT95gHYsf4CmlldO6FOPc8Qa6Lg/ +IEVgLP8ji78TntSQ3B9mRMV5fNYyWJVH3ymqwR7FjTRO/YVCJ5x/WE38T9QBAvjMhV8ais +M9y5NXUMlKNUxbSU2GPvyB7F0/+ioWzourcIY+1O7mRKmiFsqOjfllS/XxYYJm0qFSBOiq +wTOVbTna99wN2vl3jQEBo1upqjnL94jVA4qU5w0ypBAFkFlpyuWEbmicNXlAqIovxQ6dIU +U1iKp/kVQoJDhoBIzCEQvLYkKLgl8cH7pH3Kvcw/EvFAsskGNLlkR5t7jORh05ryCRwV31 +wUl/wfj4HrEmVcCAgokv+mUlk/ug+TmwXShpM9dgO/e2MmjLDe0bSZ+jgYT0axn6kCwiDO +5acSRwKEJk0jIrkKf04xy3nYwJtxb8RE9mb6j1oPULb0syKM9iTnSsrGRxoGwXQu6ugrLL +8AAAdApTZfwqU2X8IAAAAHc3NoLXJzYQAAAgEAxe0sdGCZS444N0pvLolycgXiipmRbptw +/DMNlUGa1yYGDq1Qf0lQ1zuDeSOjTk+W78bPHOQy1f+CeHsBj+XRkmInqUZ5K0UgVFEuiA +sJGH8l63phyd9bkRHzg0QQOFZ7JqcNEpW0NiPSKWMLGg9/yA2XoQ4GgiruA9PyyKa2YdP7 +vll+5Dhm/E5JvzwbtkkmwM1EWjF5/1LRrFMq4nJAJhCval2Q7DWIHMDqmWj7ZDGT95gHYs +f4CmlldO6FOPc8Qa6Lg/IEVgLP8ji78TntSQ3B9mRMV5fNYyWJVH3ymqwR7FjTRO/YVCJ5 +x/WE38T9QBAvjMhV8aisM9y5NXUMlKNUxbSU2GPvyB7F0/+ioWzourcIY+1O7mRKmiFsqO +jfllS/XxYYJm0qFSBOiqwTOVbTna99wN2vl3jQEBo1upqjnL94jVA4qU5w0ypBAFkFlpyu +WEbmicNXlAqIovxQ6dIUU1iKp/kVQoJDhoBIzCEQvLYkKLgl8cH7pH3Kvcw/EvFAsskGNL +lkR5t7jORh05ryCRwV31wUl/wfj4HrEmVcCAgokv+mUlk/ug+TmwXShpM9dgO/e2MmjLDe +0bSZ+jgYT0axn6kCwiDO5acSRwKEJk0jIrkKf04xy3nYwJtxb8RE9mb6j1oPULb0syKM9i +TnSsrGRxoGwXQu6ugrLL8AAAADAQABAAACAChfUIoMijhXMjBVBoi/kJChkqwi1v9wxYMs +BsFDOIpaPzIPODQ+iDbe9Npo4o6+vVL7gpOqGJR+IebhcFgh0LXDP8PPlDe3Sfjo9kzZs2 +lDxkBaHkhHPy5AMyO7ZnOXcFdaC9iWoMPKWrwGb+VI9A+idiNr8PfsOdCeEw/KsbkSvG7/ +Ylq7BobAkVposF5mXXlGZYLgRLpH8mzsKfs2ws8A6EcR/tWvtavnzfKs71poon4GjLshfv +7gsMlBPft4stnS+LJZU3kX6cLGv89cuYIFRGM14jybwlFO/sw1RJ84Kg/DrpSJN98xiRW4 +hvn9/IpswsY8twssFLQfecflsELlfkzVNE1YR1d2rHdBEHKSa0piNvaUgPuIP9oggDkE/m 
+pF4Oz/aW71fHLWQVxf3qlCnYfshf86XqJTZvJ8N7edF4XZ+UiOWPl5c8vXBJDFLrydenWF +9z4IExHZafmYygnbLdEP4cFq8fPsb7zbhNr8aLOLfIyLj30brvIE9/gc7VnME0PdK3n2FO +u4GDTYSE0UNpjctw5Fg4+89Yv1xD/onLIA43scw3l3NhCtLI5QHnsO8cckga6/wcdfOG2f +V8kMzICZt3IFnR4EgDlavLMx+FthyYKDE4JYOKM2Qy6xGRg9p6kFyb7SQEFy91JgCN5tpJ +V5ezfJF7bgTW8tuQpBAAABABSvsV4UpatmjpicZChtXMQHuDob/ZUcVwJ3emORxD5vfKd8 +zuySbJxlJBIIUVT2ako8AmUYQBjIU+vPI18CHdhDhL4rDmeletC6Sl1KB089dc2qavIvtC +N0E5+iozCXHGirr79t3UTVGBMGr5UYG9y5nfa7WWY38UqVc63TK2EVT0wrNxgS9hUtZWbk +LsEiIAUEp/8N5wKKv4+uVfzSfg0sEy/JGNU0KNcxFUZNolSEeieQUdmopALD04f/YOdhO5 +mV5oS3lDUC8cnbefQmoK/kszfgOb/qMC76RqLa7IUm91IZbKfA78x81gjSsuiqfPXsE9El +GxqXrnggbHarFG4AAAEBAOwpW++DbYcI3AJn44o3sH6bGVVsNbAualMxFz0XYwdnoD7UUG +aOhlRFWZXqOQEbvt1LOp4SYyT50puwdvg0as6+78FnlwVXVaHKjP0Igh2e8Ls5YYpp8jas +FDcZa0F5JiAFPamxY+ypvaD/Fmc3ha7JBGOGkV67qktOO+Dtd2NSKB6EIt8ShKbjZA6U2i +UAQCp2AC+f3CDL+3vN/Gj4oBI2ysYl3QVG/nuBT8Lxdf+JabEYwPBMlOqYVfjYQj0FL6Ht +/+MCeVyaeww+a0/i+W5RqqBn1ptOw1YlamsOvLG2Z0FL6s2/uTE9+dYfQXto6j6vkAGrIr +yugIYwC0abzxsAAAEBANaNkiXeqKssyYZ14OEfzXyD7M3l2vvfGRvCS0XgqEodvVGbB/A4 +AAWtkuPvOPqSzaOIfdbIcN1dvccJuxU/SPanL33aX7PLROuq7ApIbhzFI5QblvoivUAMST +ND9QjAu8hHiO9K6qRU3evEpJVvN2iOznTuU/A91n5ChJLeQAjqpMhgB45ZlWKmPE+y0kw6 +aCZq7qmqqCRr5nzY1YYFy2UilbOUyeO5wCDa6bN8FXYvKTBWOmTvsoILPjTjiaZbfITmfd +f2n4mNITViGU6kirtZSzjRRqqQRj0Vz9f5Qn2TBZ/uCkTDQEBtr/rdAHL9eBaSXYXWVIpl +RsBCSs/Sny0AAAAHcm9vdEBteAECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub new file mode 100644 index 0000000..fe60301 --- /dev/null +++ b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@ga-st-mail-dehydrated 
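Review bot: An unencrypted RSA private key (`ga-st-mail-id_rsa-dehydrated`) is being committed to the repository; its header `b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ` is the openssh-key-v1 prefix with cipher `none` and KDF `none`, so no passphrase protects it. Anyone with read access to this repo or its history can authenticate as whatever account trusts the matching public key, so the key must be treated as compromised: remove the public half from the remote `authorized_keys`, generate a replacement, and keep the private half out of git (Ansible Vault, a secrets store, or generate the key on the target host and only distribute the `.pub`). If it must stay under Ansible control, at minimum vault-encrypt the file and deploy it with `mode: '0600'`. Which remote host accepts this key is not visible here; the `-dehydrated` suffix and the embedded comment `root@mx` suggest it is used for certificate distribution from a mail host.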
diff --git a/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim
new file mode 100644
index 0000000..59e5e27
--- /dev/null
+++ b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim
@@ -0,0 +1,49 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn +NhAAAAAwEAAQAAAgEAr9qw2oQHkAUfTXEJBxuVR2zDRpTsxyT24eVd+KIJaALVtFVTu8Z3 +rNwJN0P3jNLRWxTBuDEbYtTN1J9Bic01fR9m6jdNk5lKeTJw1Q3BzXxuC+4aix9ircJ4in +geNSCiHiVHYaSsXRRajPGe/F5+RAEjuRbt95UHB/kU25qGIpBK9Vq0m0Ad8HKrV0vpTb3s +hVJSQ/VydDC82pwXj0IfW6HPdwnzmt8hU2/dIK3weUI56S+9euzKUh+jqvw1YeTXJzM76G +I2X/YLDEx7jgFMlChnlHYNivPYBY5Aatq90t6LiqQ0MT0kVx7jQwUnhyRB8vAz+qznftKm +VTmjxL90IvwUTzvS1nHNmlIPMnSO8NaDHf0k2iueD2lCSe7l1d2U0LMRss4sGZcfhqtDzQ +DIyhXWFwHLhj55WMQxoVXCSRJRLruwyUKqVn86H6L9lRJ4kEPBJJJ6cXeTBWJGtDT9N/Ja +SGcjM8tdwxSeilHIW0xn85B3MCphV/t72RRAaqua2VjrmN9N6nuYD+3iobAVf4ruOzXtTr +U0tjdEBT0xJbIZNwi22Snq0KPly8aN2deXEQ8Q7IJHQB7WNT4jI13l/GWocFwtr7NWXwaD +eJCtoiB9RraK+EBvoO3IYymvpGQyqhXeMtBGc3kdCI2AslrdpjXd4TGxIwbWae+Xa2JkZa +kAAAdAgUVtA4FFbQMAAAAHc3NoLXJzYQAAAgEAr9qw2oQHkAUfTXEJBxuVR2zDRpTsxyT2 +4eVd+KIJaALVtFVTu8Z3rNwJN0P3jNLRWxTBuDEbYtTN1J9Bic01fR9m6jdNk5lKeTJw1Q +3BzXxuC+4aix9ircJ4ingeNSCiHiVHYaSsXRRajPGe/F5+RAEjuRbt95UHB/kU25qGIpBK +9Vq0m0Ad8HKrV0vpTb3shVJSQ/VydDC82pwXj0IfW6HPdwnzmt8hU2/dIK3weUI56S+9eu +zKUh+jqvw1YeTXJzM76GI2X/YLDEx7jgFMlChnlHYNivPYBY5Aatq90t6LiqQ0MT0kVx7j +QwUnhyRB8vAz+qznftKmVTmjxL90IvwUTzvS1nHNmlIPMnSO8NaDHf0k2iueD2lCSe7l1d +2U0LMRss4sGZcfhqtDzQDIyhXWFwHLhj55WMQxoVXCSRJRLruwyUKqVn86H6L9lRJ4kEPB +JJJ6cXeTBWJGtDT9N/JaSGcjM8tdwxSeilHIW0xn85B3MCphV/t72RRAaqua2VjrmN9N6n +uYD+3iobAVf4ruOzXtTrU0tjdEBT0xJbIZNwi22Snq0KPly8aN2deXEQ8Q7IJHQB7WNT4j +I13l/GWocFwtr7NWXwaDeJCtoiB9RraK+EBvoO3IYymvpGQyqhXeMtBGc3kdCI2Aslrdpj +Xd4TGxIwbWae+Xa2JkZakAAAADAQABAAACABJKDFqtoJu57KeBOg8jL0NebHDKzFVp4sNb +t4pET/YhVViMB0lgOtIfkFXPG8/pnRx77Cnb8Z01xLJ4XbiXPxjkSy/Q0KCpMLWqKVH/PE +jCyC81dE1D1l97+k1scLfVzQaVmfbtyX9kvoYqGv7kVP19oNl/KQC23yRVI3Yze//cQe+C +n4YGBRcc1fUeUAVl21OCXEv1GxI6f2m9EjY0Ck7dZVZcEpno2u5yk+zyKjByUtONw4clWW +VxJPSDhonH4xiQm4pvrHgOfteonLEIMY63JQ6ruHzbH3x0bv6uAVANFTY2HbeBRGZLMBeo +UZQckT9S/BT2Jp1qCyKR/BZaUxmkLOAfJl2rW5IfOOOtKEE/q0DVRidfDf2A2ihmsfbCqR 
+hbhOmf7IbqC4XTGm6W9U3pNyu8Oz4QxRyhwlTWTa3hqvF/xJo6C82yy3p4HYRTX5VfZNbN +iQ7CM/UY0ee69br80MPPdxLetmGX9VvR6g1lsRK8/447DiOD9TZtAXMAiCOf3FUyhwRmRP +qUdGOXHjXsBAjDMWA0OwwdiGFI7dk5zdyQNTpRsM38cctGeBixPs9SOrTKr10zSaf9NzX4 +srsXnoAdm2LHQIa0Awfd1TJydFjC6KIGgtZgXy4UDpPE6RzlDnkY8DO/pLLhXMAgtts+G/ +ZiaRBKY65VYOHKqVoBAAABAHsbFe8LTyYnDhzgKrlLbeGDySEHTeBbVpKbIUhDjkqoyHvc +HzEt7b2idhJtjXsEIcMUO+0ut1A2toY/JHkHOKnyXPpqv1NxXR/4ru6rAXrOGB/LQCUtcl +5Q4StZvvOtcKbt8b0kvvvBMmkFGEtJr5ybDy6K5CFyyROGlUTpXPfjZjuv6YuzqCsLYXXM +o4cWK1ZUQ7Yf1YovZr3zk6VMzd4gHHQzyTVP5iNflSB3k+AQZClLy771bw2caPFgdpu87a +kAvhtW+anGLkFxSCZFRMkv9rXl8tB2ZPKWqQb8jEzAfH0CC7sDkddLE2l45RapGMUtsJ1V +fF8pGpFiHX7FABoAAAEBAN9JT4Tc29Wc5lDVZEqz8IYT+/eRVBAlALmt7jTVwclY+KSZ5g +i+QONIWj+Js+1Z84bzOzcQ6pZIFAZ57+5qkFeUpfVJB+UL7bLqNF2GeBAvtZ+GgguBK5uN +H+uXrnyeEWn8ppcHebA5vi/GxzCebZ29VnUbh/nHn0WmMvOBAFYqtjGNxo1diYyp8vS0k+ +pmhZA5xtgGKzGGwrlAJrWLPzAieFPkNJsDMcY03RkU9u0XI3SkrtlmRqaykSzJpIAtDuT/ +D7gyjrNBH6a8qv57LxaUyeWEBOtlC7C4mtTrWcu/+zS8dkh7Y4ZaNR83Zx24DRzAfbuA/R +04eb6Jd55ATr0AAAEBAMmeXjYdwqh2gbizFgyP8ZgTxXUWp5B0YQ7XUOC8CuQqAL8/HlE3 +gVHLwrUIKAwTUADfqvzyG86IgJOw1byU3DWY9b5dKfrWm1RhcvLWMgIjRHH3sqnVWxIBam +RkfDkRZ/B8236SoAxe5k7yqZ3wQ6BNJstY1Nya+iJG1h6mLPasEzqZH+JOd0Uc9Fsr8uYR +CmvojolkAaa2We44y9oCXTTHCBfpFUZf0gySmG7ZEXA6MqwTCcbFCP599YmRQ2BmdO0SQF +YHIhpmc3xBjKMiNqhNBii2PUejVp7OVqHQBCeWq/GH9yTj00JeX9KoL7DdoyCoCWHG4eB0 +JVW9wg49J10AAAAHcm9vdEBteAECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub new file mode 100644 index 0000000..1a1f50d --- /dev/null +++ b/roles/common/files/ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub 
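Review bot: `ga-st-mail-id_rsa-opendkim` is a passphrase-less OpenSSH private key (the `...BG5vbmUAAAAEbm9uZQ...` prefix encodes cipher `none` / KDF `none`) checked into version control in clear text. Judging by the name, this is the key the OpenDKIM helper uses to reach the DNS server (`dns_ssh_user` defaults to `manage-bind` in `create_opendkim_key.conf`), which would let anyone holding it run the bind management scripts on the nameserver and alter DKIM delegations; that mapping is inferred from names, not visible here, so confirm it. Either way the key is exposed now: revoke it in the remote `authorized_keys`, issue a new one, and store the private half only vault-encrypted or generated on the host, never as a plain file under `roles/common/files/`. Restricting the replacement key in `authorized_keys` with `command=`/`restrict` to the specific scripts would also limit the blast radius of the next leak.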
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCv2rDahAeQBR9NcQkHG5VHbMNGlOzHJPbh5V34ogloAtW0VVO7xnes3Ak3Q/eM0tFbFMG4MRti1M3Un0GJzTV9H2bqN02TmUp5MnDVDcHNfG4L7hqLH2KtwniKeB41IKIeJUdhpKxdFFqM8Z78Xn5EASO5Fu33lQcH+RTbmoYikEr1WrSbQB3wcqtXS+lNveyFUlJD9XJ0MLzanBePQh9boc93CfOa3yFTb90grfB5QjnpL7167MpSH6Oq/DVh5NcnMzvoYjZf9gsMTHuOAUyUKGeUdg2K89gFjkBq2r3S3ouKpDQxPSRXHuNDBSeHJEHy8DP6rOd+0qZVOaPEv3Qi/BRPO9LWcc2aUg8ydI7w1oMd/STaK54PaUJJ7uXV3ZTQsxGyziwZlx+Gq0PNAMjKFdYXAcuGPnlYxDGhVcJJElEuu7DJQqpWfzofov2VEniQQ8Ekknpxd5MFYka0NP038lpIZyMzy13DFJ6KUchbTGfzkHcwKmFX+3vZFEBqq5rZWOuY303qe5gP7eKhsBV/iu47Ne1OtTS2N0QFPTElshk3CLbZKerQo+XLxo3Z15cRDxDsgkdAHtY1PiMjXeX8ZahwXC2vs1ZfBoN4kK2iIH1Gtor4QG+g7chjKa+kZDKqFd4y0EZzeR0IjYCyWt2mNd3hMbEjBtZp75drYmRlqQ== root@ga-st-mail-opendkim diff --git a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf new file mode 100644 index 0000000..599e93b --- /dev/null +++ b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf 
@@ -0,0 +1,135 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="mx.gemeinschaft-altenschlirf.de" + + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..ceb5d81 --- /dev/null +++ b/roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf 
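Review bot: The documented defaults `service_user="prosody"` and `service_group="prosody"` contradict the rest of this file, whose `service_name` default is `Dovecot` and whose certificate paths are under `/etc/dovecot/ssl/`; the comments look copied from the Prosody variant of the script. The script itself is not visible, so whether the real default is `dovecot` or `prosody` cannot be told here; if it is `prosody`, the installed key (`/etc/dovecot/ssl/mailserver.key`) would presumably be given the wrong owner after a renewal, so either correct the comments to the actual default or set `service_user="dovecot"` and `service_group="dovecot"` explicitly. Also fix the typos `Locataion` → `Location`, `wich` → `which`, `determin` → `determine`.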
@@ -0,0 +1,178 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=false + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=true + +check_apache=true +check_nginx=false +check_php_fpm=true +check_redis=false +check_website=false + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... 
+# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="7.4" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" 
+# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. +# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/ga-st-mail/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/ga-st-mail/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..424d06d --- /dev/null +++ b/roles/common/files/ga-st-mail/root/bin/postfix/conf/create_opendkim_key.conf 
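Review bot: `include_cleanup_function=true` is set while `cleanup_function` contains only a newline, so the flag asserts an intent the file does not carry; set `include_cleanup_function=false` until a real cleanup body exists, so a reader is not left wondering what gets run. Note that this file is executed as shell when sourced — `from_address="root@\`hostname -f\`"` runs a command, and `cleanup_function` is documented to hold arbitrary shell that removes directories and restarts services as root — so it must be treated as code: keep it root-owned and not group/world-writable, and review any `cleanup_function` body as carefully as a script. Minor: `ommit` → `omit`, `VSerber` → `VServer`, `loclhost` → `localhost`, `an sind` → `and since`.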
@@ -0,0 +1,176 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +#dns_dkim_zone_master_server="" +dns_dkim_zone_master_server="b.ns.oopen.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +#key_secret="" +key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: +# - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +#key_algo="hmac-sha256" +key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +#key_name= +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/ga-st-mail/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/ga-st-mail/root/bin/postfix/conf/postfix_add_mailboxes.conf new file mode 100644 index 0000000..01c247b --- /dev/null +++ b/roles/common/files/ga-st-mail/root/bin/postfix/conf/postfix_add_mailboxes.conf 
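Review bot: `key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="` is the TSIG shared secret (`key_name="update-dkim"`, hmac-sha256) used by `nsupdate` against `dns_dkim_zone_master_server="b.ns.oopen.de"`, committed in clear text. TSIG is symmetric, so anyone who can read this repository can push their own `_domainkey` TXT records to whatever zones the nameserver's update-policy grants this key, i.e. publish a DKIM public key of their choosing and send mail that passes DKIM/DMARC for the affected domains. Move the secret to an Ansible-Vault variable and template it in (`key_secret="{{ dkim_tsig_secret }}"`), regenerate the key on the nameserver (`tsig-keygen update-dkim`) since the current one is burnt, and make sure the update-policy for it is scoped to the DKIM zones and TXT records only. `update_dns` is left commented out, so the effective default is not visible here.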
@@ -0,0 +1,86 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'postfix_add_mailboxes.sh'. +# --- +# ---------------------------------------------------- + +# - dovecot_enc_method +# - +# - The (dovecot) password scheme which should be used to generate the hashed +# - passwords of EXISTING users. +# - +# - Possible values are: +# - +# - See output of 'doveadm pw -l' +# - +# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT" +# - +#dovecot_enc_method="SHA512-CRYPT" + +# - in_file +# - +# - The file from wich the script reads the e-mail-address/password +# - kombination(s). Each line in this file must only contain +# - +# - +# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst" +# - +#in_file="${conf_dir}/mailboxes_new.lst" + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '--defaults-file=/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '--defaults-file=/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + +# - quota +# - +# - The quota setting for the new mailboxes. +# - +# - Defaults to: quota="536870912" +# - +#quota="536870912" +quota="2147483648" + +# - log_file +# - +# - Where to write logging informations? 
+# -
+# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
+# -
+#log_file="${script_dir}/log/postfix_add_mailboxes.log"
diff --git a/roles/common/files/ga-st-mail/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/ga-st-mail/root/bin/postfix/conf/sent_userinfo_postfix.conf
new file mode 100644
index 0000000..6fde436
--- /dev/null
+++ b/roles/common/files/ga-st-mail/root/bin/postfix/conf/sent_userinfo_postfix.conf
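Review bot: The `in_file` comment lost its format description — `Each line in this file must only contain` is followed by an empty comment line, most likely because the field names were written in angle brackets and got stripped; the script is not visible, so spell the expected line format out in plain words, e.g. `# -   email-address password (blank separated)`, once verified against `postfix_add_mailboxes.sh`. The `db_name` block appears twice verbatim; drop the second copy. Because `in_file` holds clear-text passwords for the mailboxes being created, also note in the comment that the list must be kept `0600` and removed or emptied after the run.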
@@ -0,0 +1,92 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'sent_userinfo_postfix.sh'. +# --- +# ---------------------------------------------------- + +# - message_body_file +# - +# - Full path to file containing the user info. This file must contain +# - the message body WITHOUT e-mail headers. If file is placed in the +# - 'files' directory use '${file_dir}/' +# - +# - Defaults to '${file_dir}/sent_userinfo_postfix.message' +# - +#message_body_file="${file_dir}/sent_userinfo_postfix.email" + + +# - email_from +# - +# - From Address of user info +# - +# - Example: 'oo@oopen.de' +# - +email_from="it@gemeinschaft-altenschlirf.de" + + +# - email_from_org +# - +# - Example: email_from_org="O.OPEN" +# - +email_from_org="Gemeinschaft Altenschlirf" + + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + + +# - mail_user +# - +# - The owner of the mailbox directories and within the e-mails itself. +# - +# - defaults to mail_user="vmail" +# - +#mail_user="vmail" + + +# - mail_group +# - +# - The group of the mailbox directories +# - +# - defaults to mail_group="vmail" +# - +#mail_group="vmail" + + +# - mail_basedir - No more needed! 
+# - +# - The root directory where all mailbox-domains are located. +# - +# - Defaults to '/var/vmail'. +# - +#mail_basedir=/var/vmail diff --git a/roles/common/files/ga-st-mail/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/ga-st-mail/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/ga-st-mail/root/bin/postfix/conf/whitelist_mb_sigs.conf @@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim b/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim new file mode 100644 index 0000000..42bf1ce --- /dev/null +++ b/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim 
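Review bot: The documented default for `message_body_file`, `'${file_dir}/sent_userinfo_postfix.message'`, disagrees with the commented assignment directly under it, `#message_body_file="${file_dir}/sent_userinfo_postfix.email"`; one extension is wrong, and an operator who uncomments the line may point the script at a file that does not exist. Which value sent_userinfo_postfix.sh actually falls back to is not visible here, so align the comment with the script's real default. The `mysql_credential_args` stanza states the default as `'/etc/mysql/debian.cnf'`, whereas the same stanza in postfix_add_mailboxes.conf in this commit gives `'--defaults-file=/etc/mysql/debian.cnf'`, which is the form the examples use; the bare path here looks like a copy error. `mail_basedir` is flagged `No more needed!` yet still shipped; a retired option should be removed rather than kept as commentary.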
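Review bot: The header `Parameter Settings for Script 'whitelist_mb_sigs.conf'` names the config file itself instead of the script it configures; by the pattern of the sibling files it should presumably read `'whitelist_mb_sigs.sh'`. The identical file (same blob 11c60fa) is added again under lists.mx.warenform/root/bin/postfix/conf/ later in this commit, so the correction applies to both copies, and keeping one template in the role instead of two byte-identical per-host files would stop them drifting apart. Both copies set `WHITE_LIST_STRINGS="google.com tinyurl.com"`; since these strings presumably feed the `CLAMAV_VIRUS_WHITE_LIST` file, a one-line comment on why a URL shortener is exempted would let a later reviewer decide whether that is still wanted.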
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEApbqZLq1PmnCUbadrPRoIgvqwDapbqfEn4bbpVdGv/M+p6G43 +KUFq31avjDYzO1YIZ5TAMDI8+7XHBRsgpiaEktdUXJxbT5qp0jY9P0yPM8mDmVL2 +QnMzwUnqrPyMWsMmM/dXt0ZT1m6b+9TY/vxB1GQKWZJHU5KWB3bkiWFrSmANpdhp +c5o3dndrvyBSJKl4b5dW090VDC2SamHRMGAL5VtiQfOBCFjX+MrXBnLuq2pFwkT/ +aOtgW0c2twHzIEn2uOTy6HT4uVaag4kx0giAZZflTri6k4EAgWHgDUTwpTC27nlV +13DK5hMKw13gtHaak3YGhdk898WLKwM03um3DSbBoBgkMk7QyqbAIKCm99WoLMsu +vAqGbaNdxGuFmLDVcdE9ymkZWg5vfCqp1CVxyb15y3oKn14lES+QacV5gJxb2dHb +h67UZFac3ruZ+b8+NUS5xR8i5Z9lROmviGHYi5T5doQvu6bMG/pwT/cjZ+k+FkGT +bR6eGLLADbmCjvv4CWh6TCdU6oC/yKeunqyvt+9jNU/+om4lN/qh28FuxW11X59w +89mmyRsjZKGmRqUCF7cdFMVmGRxfBN+WdJZfTUKNQpw71d4wNWjJ2FU7/Q7kmMai +2N+KB1lxBczMkrQkVrqeE366d6U+tRkYW9ofJGYuXakLq/Sq6lpgOhxfQ/kCAwEA +AQKCAgEAndJG0eaFaeNP1eSbAQLrnB+yzDCxPfLDMfWH2wvmdfAkM43Rxd3gMnNQ +lUuAGj9hnZJQOxV8cY+3ySr+OntvwI6CbfcQFYyJr/+q776umHiMc9RHYxxl6unD +K50M49n3ZYFj7MpySD/pFzaotpnu7p2eJZJhjjqH2O/lztYQ4DD8jjS6pzXzH0O2 +Pbo/v14LrOkH7JYa1xAG4HvqRBETAwW1WmzTMem5MdmoTyHgGykG6WvfdkC/7+yv +NDQNHXCSHZ0ZnTjXK1hHqH9cDFHAQ/8UhZTxSEqO+qcEQF6odAciDZNKpfFppxP3 +KfkaZYCUz1yT9Z7cqm9aiklxbd5PTBPV+nmzUd/FLw2j94D5+egvZcVrRBx63vVg +0Gzt/LPvejhBfZoHyRxepcvNWRtxVkvUuzc/b8cP1HpmruSGri+c8TI1qRWID5Fj +EcQ4lYRt+v98J21FDhKNLSN7QUfrB0CqFQfLcfrkrM2919SY+JEdj6zxEED/nx20 +N5jmqvGZjllXJ/7N838sw5bCX8LsA0NXd86LuEjxRhiiqwdtKFz4pNSAdO8R724G +hTowNOVFlwunT8rTWipq0YXkrC1c1PUMhqcwyEsYzOx003MJDJ8biZaTh9yf7zOz +CQDcf2AzWJAevK5tnfbDHnmDv2rfSlQxkNikC3gJlRPsAYsJNSECggEBANrpvBH/ +pasjPm5MAb+7YfY7razcO5gStKTavpJRDv92x87gZ+OLRRY+fqunCG9YCUMvbh+H +RAryK6Nui6+SOPH/KYMRRFunxUOBjxxDmYjdNLf+rWMbRzntbdWORRBZ70KGfWjO +eEtNe/++qyKGQKIDLYs3Wm0nmk8phWK2ZqPsz+3eQrLtERNZ5MesA+R8Oi7yffoc +/VId47RsRBfPpfNBZ8XK7yzHqO5rq4xfpaBIGm0pih91NBBo/RcPTcuDNQiNLoja +rIXOR+mV0Qwv/hKaOGeHf4uH8ypkn3QaZIYGyBAiZf45itku9kRnxKYl+sXkJPnr +9Q3aRmJ0gByOpw0CggEBAMHORDC++s3M14c0vdC+lXpyKEkzCKoLlfJMGV/kzF2V +X+v0AehIPxIiAEzMg/2HhRwwQ5f7StM4jybu+VVrSvQ5fbOxiAj/ucF1sA2N4C32 
+v6r/iIwolZhkbElx5SZwj5dMWcwvwyFiY32oLa0w9wgAt1Te5wx1x42rCWnL4zN6 +NtE2BFw8yUkrPOm5QI8ztCl8tJZO03uhJXz/3fXuxDWbVkeTB1wgRz/l/ML8WvwR +yyReQlKkmneANR1axMPRFXREEqY/HA45STPA+GmSq9bW56j+diXDmWxlRNFiZbeT +WkuExcGATt9FOJS9e7OID1XEVLc1jXSjYjmhAA451Z0CggEAKehI6qEoE+UBVJgU +VaIHlN3D162pculRz6VYiiYeWuVgRshK2xKUPTflg/LL+JS/4S65RCve6MGHfRfy +gb/aSulwBvlNPsaVSuEIhn6ia8L9DqQgiTJ1pi8/sXw02HZ/CRs58tBj0vaYYFMd +69QLl3hIRbhpBTBpp/Ho6QbGC2eQPpcn6ZzcgfnZhCf37suhT894MmNOU2QJbUa0 +mmJUAIdq2ECLHOVz/4B5LLw6tr5W4MLtACyttN6EZN+3ItiRVHvChsxl7o+Y0Kyv +gkfFucXwOlGEJy/1aw4sQEu1JrsxnXUYVVyqqf0Fg/7hdHUc1rlgIr/6/5Xjl4F5 +7P2aGQKCAQBF/m3IQSEpdIKelSC8pCguKc586U6Gw1prQKqlZGeeoNUczWpm7rjA +nsEG+5Hr3aboUFIJMLuMX0/sGsC35eETJTRN0p8zyM/Ym91yd7vwPb5pTpKNNBcb +C6HEQLsmz948IVoJEXLiurr95eBhPV7qZ//OShad/GeOtafXqsgqjkf/9QdMHLQB +lfkQ3FQBpAW8OgqqgluEueVlKK+MI6h/R9O4U9SDpDC3ViOcdDGT+gUo5FYFrOcQ +o6ALMv3/TqL186PcoMxMIspaQ6Yz0sH2/HR8JzKaXvMpH8Xj7SqZS0GAJrqZMPLL +Vh+iMHDdnRUUv6xs4o1tA5j1AT2Y5bBNAoIBACM3gjrDabLWR3lIZY0o7rQPCp9x +WCF39r1GyhEeX4W5NrLFichSrFV8NJ2bMW9vmUvh7Z0CoJaiPssi2KWxuWdn+30s ++gi096f4VX/HHbXlTh90uZaqYP5zoPTs4MIR0gnMsKaIanRjla8n9FxkjRxfsvKc +GFKpaY5zCRT/Qms6gLENbrB0SDnfV3xdI/cQhCCgfHA9mqwVfvEsZRdw7AWvqHQH +prppgzt/8FMrEaQhMHbMXVskk9SbUz+AOT4/Z0gnpkjwrrBoJLRcYkU28CQLCLJs +oAWKnlt5BMYjl/v8tmnc8C6+OoS+LfXzD5tKmJUN5O7wFl1TOMsUGBxqqX8= +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim.pub b/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim.pub new file mode 100644 index 0000000..96b392e --- /dev/null +++ b/roles/common/files/lists.mx.warenform/root/.ssh/lists.mx.warenform-id_rsa-opendkim.pub 
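Review bot: An unencrypted RSA private key, lists.mx.warenform-id_rsa-opendkim, is committed in clear text under roles/common/files, so anyone with read access to the repository or its history holds the key — presumably the SSH identity that create_opendkim_key.conf's `dns_ssh_key` option expects under /root/.ssh/ for the dynamic DNS updates. The same applies to mx.warenform-id_rsa-opendkim later in this commit, to the live TSIG `key_secret=` value in create_opendkim_key.conf and to `SYMPA_DB_PASSWD=` in install_sympa.conf. A secret that has been committed stays in git history after deletion, so these should be rotated and the replacements stored with ansible-vault (or provisioned out of band), keeping only the `.pub` files in clear. The diff's `new file mode 100644` is git's mode, so whichever task copies the private key to the host also needs an explicit `mode: "0600"`.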
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQClupkurU+acJRtp2s9GgiC+rANqlup8SfhtulV0a/8z6nobjcpQWrfVq+MNjM7VghnlMAwMjz7tccFGyCmJoSS11RcnFtPmqnSNj0/TI8zyYOZUvZCczPBSeqs/IxawyYz91e3RlPWbpv71Nj+/EHUZApZkkdTkpYHduSJYWtKYA2l2Glzmjd2d2u/IFIkqXhvl1bT3RUMLZJqYdEwYAvlW2JB84EIWNf4ytcGcu6rakXCRP9o62BbRza3AfMgSfa45PLodPi5VpqDiTHSCIBll+VOuLqTgQCBYeANRPClMLbueVXXcMrmEwrDXeC0dpqTdgaF2Tz3xYsrAzTe6bcNJsGgGCQyTtDKpsAgoKb31agsyy68CoZto13Ea4WYsNVx0T3KaRlaDm98KqnUJXHJvXnLegqfXiURL5BpxXmAnFvZ0duHrtRkVpzeu5n5vz41RLnFHyLln2VE6a+IYdiLlPl2hC+7pswb+nBP9yNn6T4WQZNtHp4YssANuYKO+/gJaHpMJ1TqgL/Ip66erK+372M1T/6ibiU3+qHbwW7FbXVfn3Dz2abJGyNkoaZGpQIXtx0UxWYZHF8E35Z0ll9NQo1CnDvV3jA1aMnYVTv9DuSYxqLY34oHWXEFzMyStCRWup4Tfrp3pT61GRhb2h8kZi5dqQur9KrqWmA6HF9D+Q== root@lists.mx diff --git a/roles/common/files/lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..a6721e8 --- /dev/null +++ b/roles/common/files/lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -0,0 +1,155 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=true +check_apache=true +check_php_fpm=false +check_website=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="--login-path=local" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. 
If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. 
+# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + + diff --git a/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..6aa45e5 --- /dev/null +++ b/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf 
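Review bot: `include_cleanup_function=true` is set while `cleanup_function` is an empty quoted block and `check_website=false`, so the cleanup hook is switched on with nothing to run; unless check_webservice_load.sh tolerates an empty body (not visible here) this should be `include_cleanup_function=false`, consistent with the disabled website check. `mysql_credential_args="--login-path=local"` depends on a `mysql_config_editor` login path existing for root on the host, which the comment describes as a manual step; a pointer to the task or runbook that creates `~/.mylogin.cnf` would stop the MySQL check from presumably breaking after a rebuild. The sentence `If script is running in a terminal, then output ist verbose, the output will be verbos.` in the LOGGING stanza is garbled and should be one clause. The same file is added for mx.warenform at the end of this diff, where the hunk starts outside this view.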
@@ -0,0 +1,173 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +dns_dkim_zone_master_server="dns0.warenform.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +key_secret="qG9e/gOucCXcwVUTU+uewU0Yth1iJh2JHgnogrHvh2A=" +#key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: + # - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +#key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/lists.mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf 
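Review bot: The commented-out `#key_secret="4woPu0jq…"` right under the live `key_secret=` line keeps a second TSIG secret in both the deployed file and git; if it is retired it should be deleted here and on the DNS server rather than left as commentary, and if it is still valid it should not be shipped to a host that does not use it. In the `key_algo` stanza the example line is indented one space (`+ # - key_algo="hmac-md5"`), breaking the `# -` column; while touching it, a note that the `hmac-sha256` default should be kept rather than lowered to the md5/sha1 choices would help. `key_name` claims `Defaults to "$update_zone"` although `update_zone` is itself documented as `do NOT change/set`, so the effective default name cannot be read from this file; state the resolved value.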
@@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/files/lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf b/roles/common/files/lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf new file mode 100644 index 0000000..6294545 --- /dev/null +++ b/roles/common/files/lists.mx.warenform/usr/local/src/sympa/conf/install_sympa.conf 
@@ -0,0 +1,141 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------- +# - Configuration for sympa install script +# ---------------------------------------- + + +# - PREFIX +# - +# - Sympa Installation directory +# - +# - Defaults to: "/usr/local/sympa" +# - +#PREFIX="/usr/local/sympa" + +# - SYMPA_USER +# - +# - User under which Sympa services are running +# - +# - Defaults to: "sympa" +# - +#SYMPA_USER="sympa" + + +# - SYMPA_MAIN_CONF_DIR +# - +# - Sympas main configuration directory +# - +# - Defaults to: "/etc/sympa" +# - +#SYMPA_MAIN_CONF_DIR="/etc/sympa" + + +# - SYMPA_LIST_DATA_ROOT_DIR +# - +# - Root Path containing Sympa's list data directories +# - +# - Note: +# - the real list data directory becomes: ${SYMPA_LIST_DATA_ROOT_DIR}/sympa-$SYMPA_VERSION/list_data +# - +# - Defaults to: "/data" +# - +#SYMPA_LIST_DATA_ROOT_DIR="/data" + + +# - SYMPA_DOMAIN +# - +# - Note: if sympa will be configured to support multidomains +# - this (SYMPA_DOMAIN) should not contain list definitions +# - +# - +SYMPA_DOMAIN="lists.mx.warenform.de" + + +# - START_AT_BOOTTIME +# - +# - Defaults to: "yes" +# - +#START_AT_BOOTTIME="yes" + + +# - SYMPA_LISTMASTER +# - +# - +# - Defaults to "postmaster@$SYMPA_DOMAIN" +# - +#SYMPA_LISTMASTER="postmaster@$SYMPA_DOMAIN" + + + +# - SYMPA_DB_TYPE +# - +# - Database type of sympas database +# - +# - If database is SQLite, then this parameter is not in use. 
+# - +# - Possible values are 'mysql' (MySQL) or 'Pg' (PostgeSQL), 'Sybase', 'Oracle' +# - +# - Defaults to: SYMPA_DB_TYPE="mysql" +# - +#SYMPA_DB_TYPE="mysql" + +# - SYMPA_DB_HOST +# - +# - Defaults to: SYMPA_DB_HOST="127.0.0.1" +# - +#SYMPA_DB_HOST="127.0.0.1" + +# - SYMPA_DB_PORT +# - +# - Defaults to: +# - 3306 - if SYMPA_DB_TYPE=mysql +# - 5432 - if SYMPA_DB_TYPE=Pg +# - 2638 - if SYMPA_DB_TYPE=Sybase +# - 1575 - if SYMPA_DB_TYPE=Oracle +# - +# - +#SYMPA_DB_PORT="3306" + +# - SYMPA_DB_NAME +# - +# - Defaults to: SYMPA_DB_NAME="sympa" +# - +#SYMPA_DB_NAME="sympa" + +# - SYMPA_DB_USER +# - +# - Defaults to: SYMPA_DB_USER="sympa" +# - +#SYMPA_DB_USER="sympa" + +# - SYMPA_DB_PASSWD +# - +# - Password for Sympa's database. +# - +SYMPA_DB_PASSWD="RkFt9rfhpngswF3g" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +MYSQL_CREDENTIALS="--login-path=local" + + + +# - VSERVER_GUEST +# - +# - Is this a Linux Vserver guest system? +# - +# - Possible values: yes/no +# - +# - Defaults to 'VSERVER_GUEST=no' +# - +#VSERVER_GUEST=no diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-hosts similarity index 100% rename from roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts rename to roles/common/files/mail.cadus/etc/postfix/postfwd.wl-hosts 
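Review bot: The stanza documents `mysql_credential_args` (`# - mysql_credential_args (root access to MySQL Database)` with examples `mysql_credential_args="--login-path=local"`), but the line actually set is `MYSQL_CREDENTIALS="--login-path=local"`; whichever of the two names the install script reads, the other is wrong, and if it reads `mysql_credential_args` the root-access setting silently stays at its default. Fix either the assignment or the comment so they agree; the upper-case form matches the other variables in this file, which suggests the comment was pasted from the postfix config files, and its `Defaults to:` lines show bare paths while the examples use `--defaults-file=`. `SYMPA_DB_PASSWD="…"` is a database password committed in clear text and belongs in ansible-vault like the other secrets in this commit.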
diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-nets b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets similarity index 80% rename from roles/common/files/e.mx/etc/postfix/postfwd.wl-nets rename to roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets index d194340..02ef1ed 100644 --- a/roles/common/files/e.mx/etc/postfix/postfwd.wl-nets +++ b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets @@ -13,3 +13,6 @@ # --- # give truested networrk adresses here +# d.mx.oopen.de (listen server) +95.217.204.227 +2a01:4f9:4a:47e5::227 diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-sender b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-sender similarity index 100% rename from roles/common/files/e.mx/etc/postfix/postfwd.wl-sender rename to roles/common/files/mail.cadus/etc/postfix/postfwd.wl-sender diff --git a/roles/common/files/e.mx/etc/postfix/postfwd.wl-user b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-user similarity index 92% rename from roles/common/files/e.mx/etc/postfix/postfwd.wl-user rename to roles/common/files/mail.cadus/etc/postfix/postfwd.wl-user index f1d2ac5..6a17d92 100644 --- a/roles/common/files/e.mx/etc/postfix/postfwd.wl-user +++ b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-user @@ -12,4 +12,4 @@ # --- # give trusted sasl usernames here - +#spenden@cadus\.org diff --git a/roles/common/files/mailserver/etc/postfix/body_check.pcre b/roles/common/files/mailserver/etc/postfix/body_check.pcre new file mode 100644 index 0000000..1d2a20e --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/body_check.pcre @@ -0,0 +1,9 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# - Body Checks +# --- + +/See the attached file for details/ REJECT Sobig Virus found. - Body-Spamschutzregel TEXT-1001 + +/.*https?:\/\/click2eat.shop\/Installer\/updatedwebmails/ REJECT Maype fishing E-Mail credentials - Body-Spamschutzregel TEXT-1002 
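Review bot: In body_check.pcre the second rule `/.*https?:\/\/click2eat.shop\/Installer\/updatedwebmails/` leaves the dot in `click2eat.shop` unescaped, so it matches any character there, and the leading `.*` is redundant for an unanchored pattern while making PCRE re-scan from every position of every body line; write it as `/https?:\/\/click2eat\.shop\/Installer\/updatedwebmails/ REJECT …`. The reject text `Maype fishing E-Mail credentials` is returned to the sending MTA in the SMTP reply, so the typo is user-visible; `Possible phishing for E-Mail credentials` reads cleanly. A date and source comment above each rule, as the `TEXT-1001`/`TEXT-1002` ids suggest is intended, would make it possible to retire rules later.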
diff --git a/roles/common/files/mailserver/etc/postfix/header_checks.pcre b/roles/common/files/mailserver/etc/postfix/header_checks.pcre new file mode 100644 index 0000000..2865d28 --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/header_checks.pcre @@ -0,0 +1,37 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# - Replace headers + +# - Replace recieved from IPv4 +#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 + +# - Replace recieved from IPv6 +#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6 + +# --- +# - Ignore Headers +# --- + +#/^\s*User-Agent/ IGNORE +#/^\s*X-Enigmail/ IGNORE +#/^\s*X-Mailer/ IGNORE +#/^\s*X-Originating-IP/ IGNORE + + +# --- +# - Reject / Discard headers +# --- + +/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 + +/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001 + +/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 + +/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 + +/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001 +/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002 +/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003 +/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004 diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index 7cf08f4..17e36b5 100644 
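Review bot: `/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001` matches the `Received:` header an upstream relay writes for a null-sender message, and the null envelope sender is what every legitimate bounce and delivery-status notification uses; as written the rule can reject bounces that arrive via another host, so it should be narrowed or dropped and checked against a real DSN before deployment. The `^Date:` rules hard-code year ranges ending at `2020`, so the list must be extended by hand as what counts as "the past" moves; a single rule with a clearly commented cut-off year would be easier to maintain. The ids `T0-1001` (digit zero, unlike `DATE-1001`) and `RECIEV-1001` appear in the SMTP reply text seen by senders.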
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@@ -22,3 +22,25 @@
 illuminatus\.lionheart\.lovejoy$
 dancortez\.500$
 geplosser\.pl$
+zukunftbeitragen\.quest$
+gulpagerts\.com$
+flodesyta\.shop$
+einfach-mail-express\.eu$
+feowatley\.shop$
+kssalon\.com$
+zeitarbeitsgruppe\.com$
+jobinscenter\.mom$
+bilingates\.gsm\.pl$
+^mail\.finsky-palace\.radio\.am$
+^mail\.newslinkes\.radio\.fm$
+thecaffeinatedquilter\.com$
+^mail\.hossted\.app$
+rea\.realflightshop\.com$
+tetontimberlinetrading\.com$
+walelaber\.shop$
+couetsart\.xyz$
+technedigitale\.com$
+dia-two-2\.de$
+surlumice\.store$
+hecnvoipl\.xyz$
+viastarco\.xyz$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
index 40da8b5..5c8c043 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
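Review bot: Most of the new postfwd.bl-hosts entries are bare suffix patterns such as `kssalon\.com$` or `couetsart\.xyz$`, which also match any hostname that merely ends in that text (a constructed example: `notkssalon.com`), whereas the list already uses `^mail\.…$` where a precise match was wanted; anchoring the domain as `(^|\.)kssalon\.com$` keeps subdomains while excluding look-alike suffixes. The new suffix-only sender patterns in postfwd.bl-sender later in this commit have the same shape. A short dated comment per entry, as postfwd.bl-nets does with `# RU (u.a. …)`, would let someone prune the list later.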
@@ -18,3 +18,55 @@
 85.254.72.106
 103.136.40.0/23
 185.53.170.115
+# zukunftbeitragen.quest
+86.107.103.211
+# RU (u.a. mail.geplosser.pl)
+62.152.59.0/24
+# GB mx.bilingates.gsm.pl
+95.168.184.156
+# RU (u.a. mx.jobinscenter.mom)
+31.28.27.0/24
+# RU (u.a. mx.novatechs.gen.tr)
+93.189.44.0/22
+# RU (u.a. vh126.timeweb.ru)
+92.53.96.0/24
+# RU (u.a. mail.newslinkes.radio.am)
+45.130.151.0/24
+# US - OLink Cloud LLC US Cloud ( u.a. pritionch.store)
+104.160.19.0/24
+# TR (u.a. dosvufpro.store
+185.219.135.0/24
+# RZ ( u.a. mx.jobinscenter.mom)
+31.28.27.0/24
+# RU (mx.novatechs.gen.tr)
+93.189.44.0/22
+# mx.bilingates.gsm.pl
+95.168.184.156
+# mail.finsky-palace.radio.am
+89.163.230.186
+# mail.newslinkes.radio.fm
+62.3.58.20
+# SC ( u.a. undialogy.store)
+149.3.170.0/24
+# tetontimberlinetrading.com
+155.94.219.66
+185.43.108.101
+# US (u.a.walelaber.shop)
+216.250.247.0/24
+# IN (u.a. couetsart.xyz)
+103.174.86.0/23
+# DE ( u.a. smtp15.dia-two-2.de
+193.168.252.0/23
+# US ( u.a. surlumice.store )
+# 192.161.160.0/19
+192.161.173.22
+# RU
+194.87.236.0/22
+# SC (u.a. werkzeughandeldirekt.net)
+146.19.253.0/24
+# Piscataway NJ (u.a. werkzeughandeldirekt.net)
+209.182.224.0/22
+# LV (u.a. eur-versand.com )
+217.199.96.0/19
+# viastarco.xyz (eur-versand.com)
+163.123.180.214
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
index cd3881e..a3faea1 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
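Review bot: Three networks are added twice in this hunk — `31.28.27.0/24` (under `# RU (u.a. mx.jobinscenter.mom)` and again under `# RZ ( u.a. mx.jobinscenter.mom)`), `93.189.44.0/22` and `95.168.184.156` — so the second occurrences and their comments should be removed; `# RZ` looks like a typo for `# RU`. The comments `# TR (u.a. dosvufpro.store` and `# DE ( u.a. smtp15.dia-two-2.de` are missing their closing parenthesis. The commented-out `# 192.161.160.0/19` above `192.161.173.22` reads as a deliberate narrowing, and a word on why the whole /19 was not used would keep the next editor from widening it again.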
@@ -40,6 +40,23 @@ @geplosser\.pl$ @alfasells\.de$ @news-des-tages\.de$ +@handel2022\.com$ +@zukunftbeitragen\.quest$ +@ip-51-83-242\.eu$ +@notreesnolife\.com$ +@ilsang\.biz$ +vorteilsemail\.de$ +@inbox\.ru$ +@poeloker\.com$ +@jobinscenter\.mom$ +@novatechs\.gen\.tr$ +@bilingates\.gsm\.pl$ +@newslinkes\.radio\.fm$ +@finsky-palace\.radio\.am$ +@deutsche-ecommerce\.net$ +@cpsarg\.com$ +@markenhandelonline\.com$ +firmen-infos\.com$ @inx1and1\..+$ @ppe-healthcare-europe\.\S+$ @@ -56,3 +73,5 @@ # annoying spammer addresses ^error@mailfrom\.com$ ^sqek@eike\.se$ +^info@webmeinung\.de$ +^info@handel-versand\.com$ diff --git a/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim b/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim new file mode 100644 index 0000000..b27ca2b --- /dev/null +++ b/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim 
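Review bot: The new lines `vorteilsemail\.de$` and `firmen-infos\.com$` lack the leading `@` that every other pattern in this section carries, so they also match senders whose local part ends in that text; write them as `@vorteilsemail\.de$` and `@firmen-infos\.com$`. `@inbox\.ru$` rejects every address at what appears to be an entire mail provider's domain rather than a single spam domain, which makes it the entry most likely to block legitimate mail and the most likely to be removed without context, so it deserves a comment with the reason and date.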
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAquVzjpidmKqq1AhSB1TvzA9fpXWBLmhbGyiaxr7Rq987+CZd ++aDKCBI11CCHlKmWu7/SXIGFFrHENvKip+KqsfHSKp6R5cgklnc+ok+UXZuBMegK +jX9/XmD48xF2/m+p8NOGWfVxiOiXrFPvvcRX9AD/qB318uUyjvcknUJ03NeAdB72 +1u7yFIcOMLOBiVUQgguTPkB+QPMSnF5uOLqrmocLsKfHsSg4RRVN01BEKORw6f12 +JImep/yaFvVu3XmSctl7q7QtAIAobats7VUJgRxHSf31phc1pQBXWJdz3lVehfCr +HBYM09FbskIBMmOlBz4mU2cU64jnYsqQNgs8fH9Ix0VCkhKM1EichoSNDqc1TTKo +yNHnfTkreuOWPxa+b8/FBqd/d4I8QLev7h3AzNJtq1ssINRgMmkSsJPEKq1qKriZ ++ZE19TXcb6RvNeOvYokr6dtwdTYE3bIZiaffJz1CeRzsr6YJ9ItzHGubKllsIS2n +yrYXP2X6ubCAyAi6n+hubN/scUqKPPby6B0hTSzguYSBLtHtsHtS7LWtbPkfDEv7 +pS9mleMMB/PiYLOh2tmGNeTn3B2OglTFYWqe1miyeB/FNsIgC1+zbMSReufWTxDk +cmVGjg3kIuuv0DlnVmZZjvmAhXbGyi/xHuXkl1YOdCYVFdzxnqN991LGboECAwEA +AQKCAgBDSDboqzlQw9ChzezNqikGw/66G7sSVE+aL7BQEwxliGwJ1MEm6KDh8Jl0 +vKHka6hGnszpUqzdNHu1zm0vf9QIXtaJpQh32QZenu/v4zjcab7BsUOGVe4FcFRT +Dks0/S2A/SZmAHYEmt4sIJfAtK6UCFifDbypNodjNfYaW/G6iLWwAgjYshZo8osp +rWKQeQcYzAnadnW+iHSJT7xBZWzuV8DIeiXqn5UXzb1oNq+/EcFKvllnJS9rn83i +wBo35Ac+ZFWGUldtXQeNtfIatmIZjNKcVPoDvBuIrMu2u1oI7L9cKFaVpjDCrChX +1Bi4h/aPFW7tYyYfXTUL9gg03tOe44GyO4/3LMrijHV6chYKtzPdv9Kq7TKfWi63 +dyyi4W/3c7A8cWizyQwroJjN7aiFTokKXlj6TbgcbTByt5tsk2ItwMH1TwD55tpu +Uqf2vSA4PvPLw3EtGaRlBqD5OvgktH4SR/IsuCd5GRVRGUslU6T0OOzlWHMZBB16 +2d/pBrHNW3toL2jeAXxDmGPZVgK5+CLqC88bKO0lO3d8HbnSW5WBDiP5wIuNA8R2 +MRBsOwCd+PK/hqxCXWjsCNFmXLgSSJRP4aX0TvFbs06IV371f5I7LiBj5yL68oEz +dhUc+AVTFrGPTAHR/mXhevVYpNXeUUhUrkVr6spS80FfgO7tgQKCAQEA2anb3vAB +WsjuK++K29N3msqapt6SO+rA927ySpXEkM5AEf8+71b1RoEtJK9qrZ5Iy6JYrZgb +XZIycDllq7UURWej3dAPJeT4Wyy4tv+zX90GoJE2QMShnNf4jjkVtfiZ7v2qFly/ +nn5ieGXNRGF1I1m1AMK93GdlXY/HDuPLf+OEedzKeEdlQC2/WyOE6sqZwE5BBAOn +2jvr2WmxTDxoFCV4UpZ7qPcQWVasH6Csaj4lXfMLjSMKnHwOCQmrO4qlDxChKcdw +4vQyKDU+XQxQ4puxbD123ZtD/3BqcoTA8EgnpsZlTcqLZeXlQxWZP2UVKii99xC3 +u4tCP37BnGu/qQKCAQEAyP7ssmZ2AEXCwe51FdbPupOlE1D7eUIpfKGMzjiOOhus +qLjIClac7NqFhwMlu5hL9VkxyKGbjYVzbZQ39Jk8Ua20Z+XvF7uoLx3py5Rxxq8+ 
+DW7rfaaaM/qa73hlOL9xniuozplqihzuXFRi826BSwEFbWUEit1MZfl+S7QYWVjD +eR41YIKvHDe629mwXn1bJum4biTCCoXVS3xgDPjEY60xwLZNk1IoYTuoznTO3Nt+ +dhIywx+19v0gzBsggPfn7En9AEqqqFPOiM8WHaFU+earsFMQfUMrhcThatr7JzTc +R2WK96P6lGbl6LjMzp3MRnYSqvpYS13FciRed7lfGQKCAQARFMJbaWxBypjeO8si +2yJ8tD+Ursy9BPwlrsA22C/3ySfAAc7Xi3RuFv8K7PUrMMu3p0LcRJ6JJkrtAaQX +6Hrxw2NZqdU2fRR8WzMXsVNLR5YYjay7QnMIUu5/gr1QbXTvC1sIrDihYHurxRlp +r1g48PZCXAX4QOj0ga72XSwAGkOwKIJ/E+M/ORfWOCBbKJEORVXW0c6fUqp8gk3W +lLr6McKSgJqttM3EpQeW583//GaES+lxJvnTM+0KCoc0gfnYB88N70fNl6pD+4Gs +XaYPUnaG7v/f/ipE5naEDCTz9kWeUd1rUGTGF1d5fz1qey1BBLd7pwU0I4aMYw8g +jlgZAoIBAQCgr/03Wua3rQ3Y0PTWMtf7x5HPcYy6EoTsWJMjQt+h4QIWGTQD396x +FLpvh7qg0U7YpShBx8F+UNRJJJffeqpYelCiR5bwGFyK3pVM5i5Xsz4eqzClUY4y +RAWdsVjrF1KUKz9XfBtKs3p0YhqBlzTSa8yU+o+5HNa5J88qYp6cv3P23om50ICC +RKOko9J2mC1JXMzPcZ+Xngs5wANiG3eWYJ5H/Pbj8mjJ41I/S+8dbnUZm87tY+qr +vQ59XqqLsKW/qB8WHpt02xthEH4TzikLaLiVzLKAEjU3SoEUVmE3pPD+O1XwSS5J +ekIP3b4O6OSo6DhgbKguCJeTezPy70XxAoIBAH8+SK4eaw7EUWAkxY4VDuP+VEOh +VI80/lmPaPRzaYHodpKMVX27mYqU03n8VqE8Tu1DI0DAKcDAB28hPTdbbJ21oSGr +9sJa3lSuOC/TVv/Q3nVUCTO+EaJ/qTjJQDukDWW4pQCfMJANRszlyQ+tJ46/4ofI +MqTiWbKZj32xUw/dY+XH2ZRYOQvndT8kpxBTUuGPPJliZ1YaO+9hhUGBlhrcrU7y +Uq7xVrG3MBn0I6ibwRGy+zo82ZZIrblMT+Fz3jQVjQzyIKiQvph+8QivFWThR+ej +K2S7h4A/UD69jkIy5nDVGEmL8cMS2Wgn3RAwyS5c7aUaVS+F93zzw2cyx1E= +-----END RSA PRIVATE KEY----- diff --git a/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim.pub b/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim.pub new file mode 100644 index 0000000..61139c2 --- /dev/null +++ b/roles/common/files/mx.warenform/root/.ssh/mx.warenform-id_rsa-opendkim.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@mx diff --git a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf new file mode 100644 index 0000000..63bc895 --- /dev/null 
+++ b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf 
@@ -0,0 +1,134 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="mx.warenform.de" + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..8c95328 --- /dev/null +++ b/roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf 
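Review bot: The documented defaults for `service_user` and `service_group` read `prosody`, although this file configures check_cert_for_dovecot.sh and the neighbouring defaults (`check_string_ps`, `cert_installed`, `key_installed`) are Dovecot-specific, which looks like a carry-over from a Prosody config; if the script really defaults to a dovecot account the two `# - Defaults to:` lines should say so, otherwise the live values belong here. Since every option except `service_domain` is commented out, the host will run on whatever those defaults are, so this is worth confirming against the script. Minor wording: `determin` → `determine`, `Locataion` → `Location`, `String wich` → `String which`.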
@@ -0,0 +1,154 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=false +check_apache=true +check_php_fpm=true +check_website=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. 
If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="7.4" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" +# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. 
+# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf b/roles/common/files/mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf new file mode 100644 index 0000000..bab2125 --- /dev/null +++ b/roles/common/files/mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf 
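Review bot: `include_cleanup_function=true` is set while `cleanup_function` is an empty block (`cleanup_function='` followed by `'`), so the flag appears to enable a no-op; `include_cleanup_function=false` until a real cleanup body exists would make the intent explicit. `check_website=false` also leaves `is_working_url`, `check_string`, `extra_alert_address` and `php_version_of_working_url` inert, which deserves a one-line comment above that group. The LOGGING paragraph is garbled (`output ist verbose, the output will be verbos`); suggest `If the script runs in a terminal the output is verbose; as a cronjob, output is only written when warnings or errors occur.`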
@@ -0,0 +1,174 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------- +# - Parameter Settings for script 'create_opendkim_key.sh'. +# --------------------------------------------------------- + + +# ---------- +# DNS Server +# ---------- + +# - dns_dkim_zone_master_server +# - +# - The DNS Server who is serving the update zone and is used +# - for the dynamic updates (nsupdate) +# - +dns_dkim_zone_master_server="dns0.warenform.de" + +# - update_dns +# - +# - Possible Values are 'true' or 'false' +# - +#update_dns="" + +# - update_zone +# - +# - Zone containing the DKIM TXT record. +# - +# - Defaults to '_domainkey.' +# - +# - Note: +# - do NOT change/set this option unless you know what you do. +# - +#update_zone="" + +# - TTL +# - +# - TTL for the DKIM TXT Record. +# - +# - Defaults to "" if update_dns=false +# - Defaults to "43200" if update_dns=true +# +#TTL="" + + +# ---------- +# TSIG Key +# ---------- + +# - key_secret +# - +# - Sectret Key used by 'nsupdate' to create/update the +# - DKIM TXT record. +# - +# - Example: +# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI=" +# - +#key_secret="" +key_secret="qG9e/gOucCXcwVUTU+uewU0Yth1iJh2JHgnogrHvh2A=" + +# - key_algo +# - +# - The key algorithm used for key creation. Available choices are: hmac-md5, +# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The +# - default is hmac-sha256. Options are case-insensitive. 
+# - +# - Example: +# - key_algo="hmac-md5" +# - +# - Defaults to 'hmac-sha256' +# - +#key_algo="hmac-sha256" + +# - key_name +# - +# - Name of the Key +# - +# - Defaults to "$update_zone" +# - +#key_name= +key_name="update-dkim" + + +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to '/root/bin/bind/bind_set_new_serial.sh' +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh' +# - +#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" + +# - add_dkim_zone_master_script +# - +# - Script adds zone _domainkey. as master zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh' +# - +#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh" + +# - add_dkim_zone_slave_script +# - +# - Script adds zone _domainkey. 
as slave zone +# - +# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh' +# - +#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh" + + + +# ---------- +# OpenDKIM Installation +# ---------- + +# - opendkim_dir +# - +# - OpenDKIM's etc-directory +# - +# - Defaults to opendkim_dir="/etc/opendkim" +# - +#opendkim_dir="/etc/opendkim" + +# - key_base_dir +# - +# - Defaults to "${opendkim_dir}/keys" +# - +#key_base_dir=${opendkim_dir}/keys + +# - signing_table_file +# - +# - Defaults to "${opendkim_dir}/signing.table" +# - +#signing_table_file="${opendkim_dir}/signing.table" + +# - key_table_file +# - +# - Defaults to "${opendkim_dir}/key.table" +# - +#key_table_file="${opendkim_dir}/key.table" diff --git a/roles/common/files/mx.warenform/root/bin/postfix/conf/postfix_add_mailboxes.conf b/roles/common/files/mx.warenform/root/bin/postfix/conf/postfix_add_mailboxes.conf new file mode 100644 index 0000000..206a802 --- /dev/null +++ b/roles/common/files/mx.warenform/root/bin/postfix/conf/postfix_add_mailboxes.conf 
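Review bot: `key_secret="…"` is a live TSIG secret committed in plaintext under roles/common/files, and this commit also lands the matching SSH key material (the `-----END RSA PRIVATE KEY-----` hunk at the top of this page, referenced by the `dns_ssh_key` default `/root/.ssh/id_rsa-opendkim`). The value should come from Ansible Vault or a lookup and be rendered through a template rather than shipped as a plain file, and because it is already in repository history it should be treated as exposed and rotated on `dns0.warenform.de`. The `key_algo` comment lists `hmac-md5` and `hmac-sha1` as choices; a note such as `# - Prefer hmac-sha256 or stronger; hmac-md5/hmac-sha1 are listed for compatibility only` would steer future edits. `update_dns` is left commented while `dns_dkim_zone_master_server` is set, so whether updates actually run depends on a default that is not visible here.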
@@ -0,0 +1,86 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'postfix_add_mailboxes.sh'. +# --- +# ---------------------------------------------------- + +# - dovecot_enc_method +# - +# - The (dovecot) password scheme which should be used to generate the hashed +# - passwords of EXISTING users. +# - +# - Possible values are: +# - +# - See output of 'doveadm pw -l' +# - +# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT" +# - +#dovecot_enc_method="SHA512-CRYPT" + +# - in_file +# - +# - The file from wich the script reads the e-mail-address/password +# - kombination(s). Each line in this file must only contain +# - +# - +# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst" +# - +#in_file="${conf_dir}/mailboxes_new.lst" + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '--defaults-file=/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '--defaults-file=/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + +# - quota +# - +# - The quota setting for the new mailboxes. +# - +# - Defaults to: quota="536870912" +# - +#quota="536870912" +quota=2147483648 + +# - log_file +# - +# - Where to write logging informations? 
+# - +# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log" +# - +#log_file="${script_dir}/log/postfix_add_mailboxes.log" diff --git a/roles/common/files/mx.warenform/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/mx.warenform/root/bin/postfix/conf/sent_userinfo_postfix.conf new file mode 100644 index 0000000..e80975b --- /dev/null +++ b/roles/common/files/mx.warenform/root/bin/postfix/conf/sent_userinfo_postfix.conf 
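Review bot: The `db_name` documentation block appears twice in a row (both `# - db_name` … `#db_name="postfix"`); the second is either a copy-paste leftover to delete or was meant to document a different parameter, which cannot be told from here. The `in_file` description ends with `Each line in this file must only contain` followed by an empty comment line, so the line format (probably a placeholder dropped by the tooling) is missing and should be restated from the script. `quota=2147483648` is live while the documented form is `quota="536870912"`; harmless for a sourced shell file, but keep the quoting consistent. Typos: `wich` → `which`, `kombination(s)` → `combination(s)`.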
@@ -0,0 +1,92 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'sent_userinfo_postfix.sh'. +# --- +# ---------------------------------------------------- + +# - message_body_file +# - +# - Full path to file containing the user info. This file must contain +# - the message body WITHOUT e-mail headers. If file is placed in the +# - 'files' directory use '${file_dir}/' +# - +# - Defaults to '${file_dir}/sent_userinfo_postfix.message' +# - +#message_body_file="${file_dir}/sent_userinfo_postfix.email" + + +# - email_from +# - +# - From Address of user info +# - +# - Example: 'oo@oopen.de' +# - +email_from="admin@warenform.net" + + +# - email_from_org +# - +# - Example: email_from_org="O.OPEN" +# - +email_from_org="WARENFORM" + + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + + +# - mail_user +# - +# - The owner of the mailbox directories and within the e-mails itself. +# - +# - defaults to mail_user="vmail" +# - +#mail_user="vmail" + + +# - mail_group +# - +# - The group of the mailbox directories +# - +# - defaults to mail_group="vmail" +# - +#mail_group="vmail" + + +# - mail_basedir - No more needed! 
+# - +# - The root directory where all mailbox-domains are located. +# - +# - Defaults to '/var/vmail'. +# - +#mail_basedir=/var/vmail diff --git a/roles/common/files/mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf b/roles/common/files/mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf new file mode 100644 index 0000000..11c60fa --- /dev/null +++ b/roles/common/files/mx.warenform/root/bin/postfix/conf/whitelist_mb_sigs.conf @@ -0,0 +1,44 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ====================================================== +# --- +# Parameter Settings for Script 'whitelist_mb_sigs.conf' +# --- +# ====================================================== + +# QUARANTINE_BASE_DIR +# +# Base directory where amavis stores quarantined e-mails, mostly in +# +# virus e-mails: $QUARANTINE_BASE_DIR/virus +# spam emails: $QUARANTINE_BASE_DIR/spam +# .. +# +# Defaults to: +# QUARANTINE_BASE_DIR="/var/QUARANTINE" +# +#QUARANTINE_BASE_DIR="/var/QUARANTINE" + + +# CLAMAV_VIRUS_WHITE_LIST +# +# Full path to clamav's (personal) white list file +# +# Defaults to: +# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" +# +#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2" + + +# WHITE_LIST_STRINGS +# +# A blank separated list of strings to whitelist. +# +# Example: +# WHITE_LIST_STRINGS="google.com tinyurl.com" +# +# Defaults to: +# WHITE_LIST_STRINGS="google.com" +# +#WHITE_LIST_STRINGS="google.com" +WHITE_LIST_STRINGS="google.com tinyurl.com" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ad7083c..9f5f9c4 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -20,6 +20,14 @@ name: ssh state: restarted +- name: Reload nfs + service: + name: nfs-kernel-server + state: reloaded + enabled: yes + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + - name: Restart postfix service: name: postfix 
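Review bot: The `message_body_file` comment states the default as `${file_dir}/sent_userinfo_postfix.message` but the commented example value is `${file_dir}/sent_userinfo_postfix.email`; one of the two is wrong, and a reader copying the example may point at a file that does not exist. The `mysql_credential_args` defaults here are written as bare paths (`'/etc/mysql/debian.cnf'`) while the sibling postfix_add_mailboxes.conf in this commit spells them as `'--defaults-file=/etc/mysql/debian.cnf'`; the two files should agree.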
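Review bot: The header names the script as `'whitelist_mb_sigs.conf'`; it should reference the script itself (presumably `whitelist_mb_sigs.sh`, matching the `Parameter Settings for script '...sh'` headers of the other conf files). `WHITE_LIST_STRINGS="google.com tinyurl.com"` widens the ClamAV whitelist beyond the documented default to include a URL shortener; since this controls which quarantined mail is released, a short comment recording why tinyurl.com was added would help the next review.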
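Review bot: `when: "groups['nfs_server']|string is search(inventory_hostname)"` tests membership by substring over the stringified group list, so (constructed example) a host named `mx` also matches `mx2` or `a.mx.example`, and an undefined group raises instead of evaluating false; `inventory_hostname in groups['nfs_server']` is exact and is the form the copy_files.yml hunk in this commit already uses (`inventory_hostname in groups['mail_server']`). The same pattern recurs throughout the nfs.yml and samba-config-server.yml hunks below. `enabled: yes` should be `enabled: true` (yamllint truthy), and enabling the unit inside a handler named `Reload nfs` is a side effect a reader will not expect; it belongs in the task that installs the server.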
diff --git a/roles/common/tasks/copy_files.yml b/roles/common/tasks/copy_files.yml index 23a07d2..27285f0 100644 --- a/roles/common/tasks/copy_files.yml +++ b/roles/common/tasks/copy_files.yml @@ -19,6 +19,24 @@ - copy-files - copy-plain-files +- name: (copy_files.yml) Copy plain files Postfix (/etc/postfix) + copy: + src: '{{ item.src_path }}' + dest: '{{ item.dest_path }}' + owner: root + group: root + mode: '0644' + loop: "{{ copy_plain_files_postfix }}" + loop_control: + label: 'dest: {{ item.name }}' + when: + - inventory_hostname in groups['mail_server'] + - copy_plain_files_postfix is defined + - copy_plain_files_postfix|length > 0 + tags: + - copy-files + - copy-plain-files + - name: (copy_files.yml) Copy plain files Postfix Firewall (postfwd) copy: src: '{{ item.src_path }}' diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9b896de..36d271d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -131,6 +131,15 @@ tags: git +# tags supported inside nfs.yml: +# +# nfs-server +# nfs-client +- import_tasks: nfs.yml + tags: + - nfs + + # tags supported inside copy_files.yml: # # copy-files diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml new file mode 100644 index 0000000..0960de8 --- /dev/null +++ b/roles/common/tasks/nfs.yml 
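Review bot: `loop: "{{ copy_plain_files_postfix }}"` is evaluated before the `when` list, so the `copy_plain_files_postfix is defined` guard does not protect anything — an undefined variable fails the task before any condition is checked. Use `loop: "{{ copy_plain_files_postfix | default([]) }}"` and drop the `is defined` / `length > 0` conditions, since an empty list simply yields no iterations. The postfwd task below it has the same shape from the visible lines and likely the same issue.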
@@ -0,0 +1,96 @@ +--- + +# --- +# NFS Server +# --- + +- name: (nfs.yml) Ensure NFS utilities (server) are installed. + apt: + name: + - nfs-common + - nfs-kernel-server + state: present + when: + - ansible_os_family == "Debian" + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nfs-server + +- name: (nfs.yml) Ensure directories to export exist + file: + path: '{{ item.src.split(":")[1] }}' + owner: root + group: root + mode: '0755' + state: directory + with_items: "{{ nfs_exports }}" + loop_control: + label: '{{ item.path }}' + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nfs-server + +- name: (nfs.yml) Copy exports file. + template: + src: etc/exports.j2 + dest: /etc/exports + owner: root + group: root + mode: 0644 + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + notify: Reload nfs + tags: + - nfs-server + +- name: Enable service rpc-statd and ensure it is not masked + systemd: + name: rpc-statd + enabled: yes + masked: no + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + +- name: Make sure service rpc-statd is running + systemd: + state: started + name: rpc-statd + when: + - "groups['nfs_server']|string is search(inventory_hostname)" + tags: + - nfs-server + +# --- +# NFS clients +# --- + +- name: (nfs.yml) Ensure NFS utilities (clients) are installed. + apt: + pkg: nfs-common + state: present + when: + - ansible_os_family == "Debian" + - "groups['nfs_client']|string is search(inventory_hostname)" + tags: + - nfs-client + +- name: (nfs.yml) NFS Mount exports from nfs server + mount: + path: "{{ item.path }}" + src: "{{ item.src }}" + fstype: nfs + opts: "{{ item.mount_opts }}" + dump: "{{ item.dump | default(omit) }}" + passno: "{{ item.passno | default(omit) }}" + state: mounted + loop: "{{ nfs_exports }}" + loop_control: + label: '{{ item.src }}' + when: + - "groups['nfs_client']|string is search(inventory_hostname)" + tags: + - nfs-client + + + 
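Review bot: The `Enable service rpc-statd and ensure it is not masked` task carries no `tags: - nfs-server` while every other server task in the file does, so a `--tags nfs-server` run never enables statd; add the tag (and the `(nfs.yml)` name prefix for consistency). `mode: 0644` on the exports task is an unquoted octal while `'0755'` is quoted two tasks earlier, `enabled: yes` / `masked: no` should be `true` / `false`, and `with_items` on the directory task versus `loop` on the mount task should settle on one form. Membership is again tested with `groups['nfs_server']|string is search(inventory_hostname)`, which is a substring match (see the handlers hunk above). The directory task derives the path with `item.src.split(":")[1]` and the exports template repeats the same parsing; an explicit per-entry key would remove the duplication.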
diff --git a/roles/common/tasks/samba-config-server.yml b/roles/common/tasks/samba-config-server.yml index 5ef4d71..6aabaa8 100644 --- a/roles/common/tasks/samba-config-server.yml +++ b/roles/common/tasks/samba-config-server.yml @@ -4,6 +4,16 @@ # Samba Server # --- + +- name: (samba-install.yml) Ensure samba packages server are installed. + package: + pkg: '{{ apt_install_server_samba }}' + state: present + when: + - "groups['samba_server']|string is search(inventory_hostname)" + tags: + - samba-server + - name: (samba-config-server.yml) Ensure samba share directories exists file: path: "{{ item.path }}" diff --git a/roles/common/templates/etc/exports.j2 b/roles/common/templates/etc/exports.j2 new file mode 100644 index 0000000..b4e6158 --- /dev/null +++ b/roles/common/templates/etc/exports.j2 
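Review bot: The new task is named `(samba-install.yml) Ensure samba packages server are installed.` but lives in samba-config-server.yml, whose existing task uses the `(samba-config-server.yml)` prefix; rename it to match, since that prefix is what operators grep for in play output. It calls the generic `package` module with `pkg:`, which is the `apt` module's alias, while `package` documents `name:`; use `name: '{{ apt_install_server_samba }}'` unless pass-through to apt is intended. The `is search(inventory_hostname)` membership test has the substring problem noted on the handlers hunk.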
@@ -0,0 +1,31 @@ +# {{ ansible_managed }} + +# /etc/exports: the access control list for filesystems which may be exported +# to NFS clients. See exports(5). +# +# Example for NFSv2 and NFSv3: +# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) +# +# Example for NFSv4: +# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) +# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) +# + +{% set count = namespace(nfs_exports=100) %} +{% for export in nfs_exports %} + +{% set export_str= namespace(nfs_exports = export.src.split(":")[1]) %} + +{% set count.nfs_exports = count.nfs_exports + 10 %} +{% for network in export.export_networks %} +{% if export.use_fsid_option is defined and export.use_fsid_option is sameas true %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~",fsid="~count.nfs_exports~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }},fsid={{ count.nfs_exports }}) +{% else %} +{% set export_str.nfs_exports = export_str.nfs_exports~" "~network~"("~export.export_opt~")" %} +#{{ export.src.split(":")[1] }} {{ network }}({{ export.export_opt }}) +{% endif %} +{% endfor %} + +{{ export_str.nfs_exports }} +{% endfor %} diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_amavis.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_amavis.conf.j2 index acd5d5e..9a12c49 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_amavis.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_amavis.conf.j2 @@ -7,7 +7,11 @@ _HOSTNAME={{ hostname }} _IPV4='{{ ipv4_address | default(omit) }}' -_IPV6='{{ ipv6_address | default(omit) }}' +{% if ipv6_address is defined and ipv6_address %} +_IPV6="{{ ipv6_address }}" +{% else %} +_IPV6=disabled +{% endif %} _QUARANTINE_DIR=/var/QUARANTINE _QUARANTINE_ADMIN=postmaster\@$mydomain 
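Review bot: Each network iteration emits a commented copy of the export (`#{{ export.src.split(":")[1] }} {{ network }}(...)`) in addition to the real line assembled in `export_str`, so the rendered /etc/exports carries one commented pseudo-entry per network that a reader may mistake for a disabled export; dropping those two `#…` lines leaves the file unambiguous. `export.export_networks`, `export.export_opt` and `export.src` are accessed unconditionally, so an entry missing any of them aborts the render rather than being skipped or reported — acceptable if intended, but worth a comment at the top of the loop. The namespace attribute names (`count.nfs_exports` for an fsid counter, `export_str.nfs_exports` for one export line) obscure the logic; `count.fsid` and `line.text` would read better.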
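Review bot: The unchanged `_IPV4='{{ ipv4_address | default(omit) }}'` line directly above the new block has the same problem the commit fixes for `_IPV6`: `omit` is only meaningful as a module argument, and inside a template file it renders the literal `__omit_place_holder__…` token, so an unset `ipv4_address` yields a garbage value rather than an empty one. Apply the same `{% if ipv4_address is defined and ipv4_address %}` block (or `default('')`) to `_IPV4`. The same `default(omit)` pattern remains on `_IPV4`, `_SASL_USER` and `_SASL_PASS` in the install_postfix_advanced.conf.j2 hunk and on `IPV6` / `POSTFIX_DB_PASSWD` in the roundcube hunks further down.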
diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 index db3d732..fbc1a22 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2 @@ -11,10 +11,20 @@ _HOSTNAME={{ hostname }} _IPV4='{{ ipv4_address | default(omit) }}' -_IPV6='{{ ipv6_address | default(omit) }}' +{% if ipv6_address is defined and ipv6_address %} +_IPV6="{{ ipv6_address }}" +{% else %} +_IPV6=disabled +{% endif %} _ADMIN_EMAIL="{{ admin_email }}" _SASL_AUTH_ENABLED="{{ sasl_auth_enable | default('no') }}" _SASL_USER='{{ sasl_user | default(omit) }}' _SASL_PASS='{{ sasl_pass | default(omit) }}' +{% if is_sympa_list_server is defined and is_sympa_list_server is sameas true %} +_RELAY_HOST=true +_SYMPA_LIST_SERVER=true +{% else %} _RELAY_HOST="{{ is_relay_host | default('false') }}" +_SYMPA_LIST_SERVER=false +{% endif %} diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 index 61058bf..e9e412a 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail.conf.j2 @@ -42,7 +42,11 @@ IPV6="{{ ipv6_address | default(omit) }}" # - # - Defaults to 'admin@.' # - +{% if (admin_email is defined) and admin_email %} +POSTFIX_DB_HOST_PGSQL="{{ postfix_db_host }}" +{% else %} #WEBMASTER_EMAIL="" +{% endif %} # - Base Directory of Roundcube Website # - 
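Review bot: In the sympa branch `_RELAY_HOST=true` and `_SYMPA_LIST_SERVER=true` are written unquoted while the else branch writes `_RELAY_HOST="{{ is_relay_host | default('false') }}"` quoted; the value is the same for a sourced shell file, but quoting both branches alike (`_RELAY_HOST="true"`) keeps the generated config uniform. The sympa branch also silently overrides `is_relay_host`; a comment such as `{# a sympa list server always relays #}` would record that this is intended.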
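Review bot: The new conditional tests `admin_email` but emits `POSTFIX_DB_HOST_PGSQL="{{ postfix_db_host }}"`, while the surrounding comment (`Defaults to 'admin@.'`) and the else branch `#WEBMASTER_EMAIL=""` document the `WEBMASTER_EMAIL` setting; this looks like the wrong variable was pasted. The intended line is presumably `WEBMASTER_EMAIL="{{ admin_email }}"`, and as written `postfix_db_host` — which the condition never checks — would render undefined whenever `admin_email` is set. The enclosing option block starts before the hunk.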
@@ -290,7 +294,11 @@ POSTFIX_DB_PASSWD='{{ postfix_db_pass | default(omit) }}' # - # - Defaults to 'false' # - +{% if roundcube_acl_plugin is defined and roundcube_acl_plugin is sameas true %} INCLUDE_ACL_PLUGIN="true" +{% else %} +#INCLUDE_ACL_PLUGIN="false" +{% endif %} # === diff --git a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf.j2 b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf.j2 index a8a83dd..b72b4ed 100644 --- a/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf.j2 +++ b/roles/common/templates/usr/local/src/mailsystem/conf/install_upgrade_roundcube-webmail2.conf.j2 @@ -265,7 +265,11 @@ POSTFIX_DB_PASSWD='{{ postfix_db_pass | default(omit) }}' # - # - Defaults to 'false' # - +{% if roundcube2_acl_plugin is defined and roundcube2_acl_plugin is sameas true %} INCLUDE_ACL_PLUGIN="true" +{% else %} +#INCLUDE_ACL_PLUGIN="false" +{% endif %} # === diff --git a/roles/common/templates/var/www/.ssh/config.j2 b/roles/common/templates/var/www/.ssh/config.j2 index e8b9237..7cf6110 100644 --- a/roles/common/templates/var/www/.ssh/config.j2 +++ b/roles/common/templates/var/www/.ssh/config.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -Host wf.oopen.de 80.152.216.128 gw-d11.oopen.de d11.warenform.de +Host wf.oopen.de 79.140.184.145 gw-d11.oopen.de d11.warenform.de user webadmin Protocol 2 Port 9998