From 4e06ed01aa863ab505838dc49f0e4171d69d38fb Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 1 Feb 2026 12:30:58 +0100
Subject: [PATCH] get rid of deprecated code.
---
 group_vars/all/main.yml | 1 -
 hosts | 37 ++++---
 modify-ipt-server.yml | 1 +
 roles/common/tasks/apt.yml | 10 +-
 roles/common/tasks/main.yml | 8 +-
 roles/common/tasks/nfs.yml | 4 +-
 roles/common/tasks/ntp.yml | 6 +-
 roles/common/tasks/redis-server.yml | 8 +-
 roles/common/tasks/samba-user.yml | 3 +-
 roles/common/tasks/show.yml | 4 +-
 .../systemd-services_redhat_based_OS.yml | 4 +-
 roles/common/tasks/tor.yml | 2 +-
 roles/common/tasks/yum.yml | 64 ++++++------
 .../common/templates/etc/sudoers.d/50-user.j2 | 10 +-
 roles/modify-ipt-server/tasks/ipt-server.yml | 98 ++++++++++++++++---
 15 files changed, 162 insertions(+), 98 deletions(-)
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index fc6d52f..a970616 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -745,7 +745,6 @@ apt_initial_install_trixie:
 - patchutils
 - perl
 - perl-doc
- - perl-modules
 - psmisc
 - quota
 - quotatool
diff --git a/hosts b/hosts
index 3f42e13..d928eb5 100644
--- a/hosts
+++ b/hosts
@@ -2,13 +2,24 @@ formbricks-nd.oopen.de #[so36_server_dehydrated] #comm.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu -rage.so36.net ansible_user=ckubu #rubyhost.so36.net ansible_user=ckubu #sympa.so36.net ansible_user=ckubu #schleuder3.so36.net ansible_user=ckubu #site36.net ansible_user=ckubu #web.so36.net ansible_user=ckubu [so36_server] +backup.so36.net ansible_user=ckubu +comm.so36.net ansible_user=ckubu +devnull.so36.net ansible_user=ckubu +ns.so36net.de ansible_user=ckubu +rage.so36.net ansible_user=ckubu +resolver-b.so36.net ansible_user=ckubu +resolver-a.so36.net ansible_user=ckubu +schleuder3.so36.net ansible_user=ckubu +shell.so36.net ansible_user=ckubu +site36.net ansible_user=ckubu +sympa.so36.net ansible_user=ckubu +web.so36.net ansible_user=ckubu #kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 @@ -19,14 +30,12 @@ lxc-host-kb.anw-kb.netz o13-git.oopen.de o13-staging-board.oopen.de o25.oopen.de -o33.oopen.de o41.oopen.de dc-opp.oopen.de discourse.oopen.de test-nd.oopen.de formbricks-nd.oopen.de - -ga-st-mm.ga.netz +cl-lubax.oopen.de [dns_sinma] @@ -55,6 +64,7 @@ gw-irights.oopen.de gw-km.oopen.de gw-mbr.oopen.de gw-opp.oopen.de +gw-opp-neu.opp.netz gw-spr.oopen.de gw-kb.oopen.de @@ -86,7 +96,6 @@ ga-gh-gw.oopen.de gw-campus.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz -ga-st-mm.ga.netz ga-al-relay.ga.netz ga-st-kvm1.ga.netz ga-al-kvm2.ga.netz @@ -218,7 +227,6 @@ web.cadus.org cl-lubax.oopen.de # BigBlueButton - O.OPEN -o33.oopen.de # Nextcloud / DokuWiki VBER o34.oopen.de @@ -398,7 +406,6 @@ mm-migration.oopen.de o24.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de -ga-st-mm.ga.netz # IL - PAD o25.oopen.de @@ -432,7 +439,6 @@ web.cadus.org cl-lubax.oopen.de # BigBlueButton - O.OPEN -o33.oopen.de # Nextcloud / DokuWiki VBER o34.oopen.de @@ -569,6 +575,7 @@ gw-mbr.oopen.de # OPP gw-opp.oopen.de +gw-opp-neu.opp.netz zapata.opp.netz # Sprachenatelier 
@@ -588,7 +595,6 @@ gw-campus.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz -ga-st-mm.ga.netz ga-al-relay.ga.netz ga-st-services.ga.netz ga-al-ws1.ga.netz @@ -877,7 +883,6 @@ mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de -ga-st-mm.ga.netz # Hetzner Cloud CX31 - AK @@ -918,7 +923,6 @@ web-nd.oopen.de # GA - Gemeinschaft Altensclirf ga-st-services.ga.netz -ga-st-mm.ga.netz # --- # Warenform server @@ -1012,7 +1016,6 @@ mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de -ga-st-mm.ga.netz # o27.oopen.de mail.faire-mobilitaet.de @@ -1037,7 +1040,6 @@ g.mx.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz -ga-st-mm.ga.netz ga-al-relay.ga.netz # --- @@ -1074,7 +1076,7 @@ stolpersteine.oopen.de # o13.oopen.de o13-staging-board.oopen.de -o13-mail.oopen.de +#o13-mail.oopen.de o13-web.oopen.de # Freiheit für daniela @@ -1110,7 +1112,6 @@ mm-migration.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de -ga-st-mm.ga.netz # Hetzner Cloud CX31 - AK @@ -1603,7 +1604,6 @@ mm-migration.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de -ga-st-mm.ga.netz # - o27.oopen.de cl-fm.oopen.de @@ -1619,7 +1619,6 @@ meet.akweb.de cloud.akweb.de # BigBlueButton - O.OPEN -o33.oopen.de # Nextcloud / DokuWiki VBER o34.oopen.de @@ -1686,7 +1685,6 @@ zapata.opp.netz # - GA - Gemeinschaft Altensclirf ga-st-mail.ga.netz -ga-st-mm.ga.netz ga-al-relay.ga.netz ga-st-services.ga.netz @@ -1844,7 +1842,6 @@ web.cadus.org cl-lubax.oopen.de # BigBlueButton - O.OPEN -o33.oopen.de # Nextcloud / DokuWiki VBER o34.oopen.de @@ -1903,7 +1900,6 @@ web-nd.oopen.de test-nd.oopen.de # Gemeinchaft Altenschlirf -ga-st-mm.ga.netz lxc-host-kb.anw-kb.netz @@ -1955,6 +1951,7 @@ gw-irights.oopen.de gw-km.oopen.de gw-mbr.oopen.de gw-opp.oopen.de +gw-opp-neu.opp.netz gw-spr.oopen.de gw-kb.oopen.de diff --git a/modify-ipt-server.yml b/modify-ipt-server.yml index 8056beb..149ff75 100644 --- a/modify-ipt-server.yml +++ b/modify-ipt-server.yml 
@@ -4,5 +4,6 @@
 - hosts:
 - oopen_server
 - warenform_server
+ - so36_server
 roles:
 - modify-ipt-server
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
index d71b042..de795c1 100644
--- a/roles/common/tasks/apt.yml
+++ b/roles/common/tasks/apt.yml
@@ -167,7 +167,7 @@
 apt:
 name: "{{ microcode_package }}"
 state: present
- default_release: "{{ ansible_distribution_release }}-backports"
+ default_release: "{{ ansible_facts['distribution_release'] }}-backports"
 when:
 - ansible_facts['distribution'] == "Debian"
 - ansible_facts['distribution_major_version'] == "9"
@@ -181,7 +181,7 @@
 apt:
 name: "{{ microcode_package }}"
 state: present
- default_release: "{{ ansible_distribution_release }}"
+ default_release: "{{ ansible_facts['distribution_release'] }}"
 when:
 - ansible_facts['distribution'] == "Debian"
 - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13"
@@ -195,7 +195,7 @@
 apt:
 name: "{{ microcode_package }}"
 state: present
- default_release: "{{ ansible_distribution_release }}"
+ default_release: "{{ ansible_facts['distribution_release'] }}"
 when:
 - ansible_facts['distribution'] == "Ubuntu"
 - ansible_facts['distribution_release'] == "bionic"
@@ -209,7 +209,7 @@
 apt:
 name: "{{ microcode_package }}"
 state: present
- default_release: "{{ ansible_distribution_release }}"
+ default_release: "{{ ansible_facts['distribution_release'] }}"
 when:
 - ansible_facts['distribution'] == "Ubuntu"
 - ansible_facts['distribution_release'] == "xenial"
@@ -223,7 +223,7 @@
 apt:
 name: "{{ microcode_package }}"
 state: present
- default_release: "{{ ansible_distribution_release }}"
+ default_release: "{{ ansible_facts['distribution_release'] }}"
 when:
 - ansible_facts['distribution'] == "Ubuntu"
 - ansible_facts['distribution_release'] == "jammy"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c72bdcd..37c57d5 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -51,8 +51,8 @@ # yum-initial-install - import_tasks: yum.yml when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" or ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora" tags: yum @@ -293,14 +293,14 @@ - import_tasks: systemd-services_debian_based_OS.yml when: - - ansible_os_family == "Debian" + - ansible_facts.os_family == "Debian" tags: - services - import_tasks: systemd-services_redhat_based_OS.yml when: - - ansible_os_family == "RedHat" + - ansible_facts.os_family == "RedHat" tags: - services diff --git a/roles/common/tasks/nfs.yml b/roles/common/tasks/nfs.yml index 24b6403..a5672e9 100644 --- a/roles/common/tasks/nfs.yml +++ b/roles/common/tasks/nfs.yml @@ -11,7 +11,7 @@ - nfs-kernel-server state: present when: - - ansible_os_family == "Debian" + - ansible_facts['os_family'] == "Debian" - "groups['nfs_server']|string is search(inventory_hostname)" tags: - nfs-server @@ -132,7 +132,7 @@ pkg: nfs-common state: present when: - - ansible_os_family == "Debian" + - ansible_facts['os_family'] == "Debian" - "groups['nfs_client']|string is search(inventory_hostname)" tags: - nfs-client diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index 1c6f17c..31bd749 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml @@ -10,7 +10,7 @@ - ntpsec state: present when: - - ansible_os_family == "Debian" + - ansible_facts.os_family == "Debian" tags: - ntp-server @@ -19,7 +19,7 @@ path: /etc/ntpsec/ntp.conf.ORIG register: etc_ntpsec_conf_ORIG when: - - ansible_distribution == "Debian" + - ansible_facts.distribution == "Debian" tags: - ntp-server 
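Review bot: The fact lookups in the main.yml hunks use attribute style (`ansible_facts.os_family`) while the apt.yml and nfs.yml hunks of the same commit use subscript style (`ansible_facts['os_family']`), so the move away from the injected `ansible_*` variables lands in two spellings. Both resolve to the same fact; settling on one form across the role (ntp.yml, yum.yml, tor.yml and systemd-services_redhat_based_OS.yml follow the attribute style, the sudoers template the subscript style) keeps later greps and lint rules simple. This is a style point only; the conditions themselves are unchanged.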
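Review bot: The second condition in both nfs.yml hunks, `"groups['nfs_server']|string is search(inventory_hostname)"`, is kept as a regex search over the stringified group list, although the sudoers template hunk in this same commit replaces that pattern with a real membership test. With the substring form a host whose name is contained in another group member's name (and the `.` in a hostname matches any character) passes the check and gets nfs-kernel-server or nfs-common installed on a host that is not in the group. The same pattern remains in yum.yml for `groups['lxc_host']`. Proposed: `- inventory_hostname in (groups['nfs_server'] | default([]))` here and `- inventory_hostname in (groups['nfs_client'] | default([]))` in the second hunk.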
@@ -32,7 +32,7 @@ group: ntpsec mode: '0755' when: - - ansible_distribution == "Debian" + - ansible_facts.distribution == "Debian" - name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf' diff --git a/roles/common/tasks/redis-server.yml b/roles/common/tasks/redis-server.yml index c6efbc0..71fc45e 100644 --- a/roles/common/tasks/redis-server.yml +++ b/roles/common/tasks/redis-server.yml @@ -80,8 +80,8 @@ - "'www-data' in my_users" - "'redis' in my_groups" vars: - my_users: "{{ getent_passwd.keys()|list }}" - my_groups: "{{ getent_group.keys()|list }}" + my_users: "{{ ansible_facts.getent_passwd.keys()|list }}" + my_groups: "{{ ansible_facts.getent_group.keys()|list }}" tags: - redis-server @@ -94,8 +94,8 @@ - "'webadmin' in my_users" - "'redis' in my_groups" vars: - my_users: "{{ getent_passwd.keys()|list }}" - my_groups: "{{ getent_group.keys()|list }}" + my_users: "{{ ansible_facts.getent_passwd.keys()|list }}" + my_groups: "{{ ansible_facts.getent_group.keys()|list }}" tags: - redis-server diff --git a/roles/common/tasks/samba-user.yml b/roles/common/tasks/samba-user.yml index 7124d8c..56eb5c5 100644 --- a/roles/common/tasks/samba-user.yml +++ b/roles/common/tasks/samba-user.yml @@ -42,7 +42,8 @@ loop_control: label: '{{ item.name }}' when: - - item.name not in getent_passwd + - ansible_facts.getent_passwd is defined + - item.name not in ansible_facts.getent_passwd tags: - samba-server - samba-user diff --git a/roles/common/tasks/show.yml b/roles/common/tasks/show.yml index 62961b9..9821dbb 100644 --- a/roles/common/tasks/show.yml +++ b/roles/common/tasks/show.yml 
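Review bot: The redis-server.yml hunks read `ansible_facts.getent_passwd` and `ansible_facts.getent_group` in `vars:` without the `is defined` guard that the samba-user.yml hunk adds for the same fact, so these tasks fail with an undefined variable rather than skip when the getent tasks have not run (for example under a narrower tag selection). Adding `- ansible_facts.getent_passwd is defined` and `- ansible_facts.getent_group is defined` to the `when:` lists would make the two files behave the same. Note that the samba-user.yml guard turns a missing getent result into a silent skip of the user tasks; if those users are required, an explicit assert on the fact before the loop keeps the failure visible.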
@@ -2,6 +2,6 @@ - name: Show hostname debug: - msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE') }}.{{ ansible_fqdn.split('.')[2] | default('NONE') }}" -# msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}" + msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] }}.{{ ansible_facts.fqdn.split('.')[1] | default('NONE') }}.{{ ansible_facts.fqdn.split('.')[2] | default('NONE') }}" +# msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_facts.fqdn.split('.')[1] ) }}" diff --git a/roles/common/tasks/systemd-services_redhat_based_OS.yml b/roles/common/tasks/systemd-services_redhat_based_OS.yml index e205f95..7b4122e 100644 --- a/roles/common/tasks/systemd-services_redhat_based_OS.yml +++ b/roles/common/tasks/systemd-services_redhat_based_OS.yml @@ -8,7 +8,7 @@ with_items: - "{{ redhat_services_active_and_started }}" when: - - ansible_os_family == "RedHat" + - ansible_facts.os_family == "RedHat" #- debug: msg="{{ service_exists.results }}" @@ -23,7 +23,7 @@ label: '{{ item.item }}' when: - item.rc == 0 - - ansible_os_family == "RedHat" + - ansible_facts.os_family == "RedHat" #- debug: msg="{{ service_is_enabled.results }}" diff --git a/roles/common/tasks/tor.yml b/roles/common/tasks/tor.yml index 29415e6..96e7702 100644 --- a/roles/common/tasks/tor.yml +++ b/roles/common/tasks/tor.yml @@ -6,7 +6,7 @@ - tor state: present when: - - ansible_os_family == "Debian" + - ansible_facts.os_family == "Debian" tags: - tor-service diff --git a/roles/common/tasks/yum.yml b/roles/common/tasks/yum.yml index f233eac..54cc67b 100644 --- a/roles/common/tasks/yum.yml +++ b/roles/common/tasks/yum.yml 
@@ -7,8 +7,8 @@ update_cache: yes #cache_valid_time: 3600 when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" or ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora" tags: - yum-update @@ -18,8 +18,8 @@ name: epel-release state: latest when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" # Its more eficient to in @@ -28,9 +28,9 @@ name: "{{ yum_base_install_centos_7 }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" - - ansible_distribution_major_version == "7" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" + - ansible_facts.distribution_major_version == "7" tags: - yum-base-install @@ -39,9 +39,9 @@ name: "{{ yum_initial_install_centos_7 }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" - - ansible_distribution_major_version == "7" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" + - ansible_facts.distribution_major_version == "7" tags: - yum-initial-install @@ -52,9 +52,9 @@ name: "{{ yum_base_install_fedora_38 }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" - - ansible_distribution_major_version == "38" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" + - ansible_facts.distribution_major_version == "38" tags: - yum-base-install 
@@ -63,9 +63,9 @@ name: "{{ yum_initial_install_fedora_38 }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" - - ansible_distribution_major_version == "38" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" + - ansible_facts.distribution_major_version == "38" tags: - yum-initial-install @@ -75,8 +75,8 @@ name: "{{ yum_lxc_host_pkgs_centos }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" - groups['lxc_host']|string is search(inventory_hostname) tags: - yum-lxc-hosts-pkgs @@ -86,8 +86,8 @@ name: "{{ yum_lxc_host_pkgs_fedora }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" - groups['lxc_host']|string is search(inventory_hostname) tags: - yum-lxc-hosts-pkgs @@ -98,8 +98,8 @@ name: "{{ yum_postgresql_pkgs_centos }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" - install_postgresql_pkgs|bool tags: - apt-postgresql-server-pkgs @@ -109,8 +109,8 @@ name: "{{ yum_postgresql_pkgs_fedora }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" - install_postgresql_pkgs|bool tags: - apt-postgresql-server-pkgs @@ -121,8 +121,8 @@ name: "{{ yum_compiler_pkgs_centos }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" - install_compiler_pkgs|bool tags: - yum-compiler-pkgs 
@@ -132,8 +132,8 @@ name: "{{ yum_compiler_pkgs_fedora }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" - install_compiler_pkgs|bool tags: - yum-compiler-pkgs @@ -143,8 +143,8 @@ name: "{{ yum_webserver_pkgs_centos }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "CentOS" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "CentOS" - install_webserver_pkgs|bool tags: - yum-webserver-pkgs @@ -154,8 +154,8 @@ name: "{{ yum_webserver_pkgs_fedora }}" state: "{{ yum_install_state }}" when: - - ansible_os_family == "RedHat" - - ansible_distribution == "Fedora" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution == "Fedora" - install_webserver_pkgs|bool tags: - yum-webserver-pkgs diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.j2 index 5d1dac3..bd8efd9 100644 --- a/roles/common/templates/etc/sudoers.d/50-user.j2 +++ b/roles/common/templates/etc/sudoers.d/50-user.j2 @@ -41,7 +41,7 @@ back {{ item }} {% endfor -%} -{%- if ansible_virtualization_role == 'host' %} +{%- if ansible_facts['virtualization_role'] == 'host' %} {% for item in sudoers_file_user_back_disk_privileges | default([]) %} back {{ item }} @@ -49,7 +49,7 @@ back {{ item }} {% endif -%} -{%- if groups['webadmin']|string is search(inventory_hostname) %} +{%- if inventory_hostname in (groups["webadmin"] | default([])) %} {% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %} webadmin {{ item }} @@ -57,7 +57,7 @@ webadmin {{ item }} {% endif -%} -{%- if groups['postgresql_server']|string is search(inventory_hostname) %} +{%- if inventory_hostname in (groups["postgresql_server"] | default([])) %} {% for item in sudoers_file_user_back_postgres_privileges | default([]) %} back {{ item }} 
@@ -66,7 +66,7 @@ back {{ item }} {# dns server #} -{%- if groups['dns_server']|string is search(inventory_hostname) %} +{%- if inventory_hostname in (groups["dns_server"] | default([])) %} {% for item in sudoers_file_dns_server_privileges | default([]) %} {{ item.name }} {{ item.entry }} @@ -75,7 +75,7 @@ back {{ item }} {# postfixadmin rules #} -{%- if groups['mail_server']|string is search(inventory_hostname) %} +{%- if inventory_hostname in (groups["mail_server"] | default([])) %} {% for item in sudoers_file_postfixadmin_privileges | default([]) %} {{ item.name }} {{ item.entry }} diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml index e484234..745915f 100644 --- a/roles/modify-ipt-server/tasks/ipt-server.yml +++ b/roles/modify-ipt-server/tasks/ipt-server.yml @@ -172,8 +172,8 @@ when: - main_ipv4_exists.stat.exists - drop_mndp_ipv4_present is changed - notify: - - Restart IPv4 Firewall +# notify: +# - Restart IPv4 Firewall - name: Check if String 'drop_mndp=..' is present 
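Review bot: Commenting out `notify: - Restart IPv4 Firewall` leaves the edited `/etc/ipt-firewall/main_ipv4.conf` in place without the firewall being reloaded, and the same is done for every other notify in this file (the IPv6 hunk and the per_IP_connection_limit and configuration-file hunks later in the diff). Combined with modify-ipt-server.yml now also targeting `so36_server`, a run reports the config change while the running ruleset stays the old one until someone restarts the service by hand, which is easy to miss. If disabling the handlers is deliberate, a comment such as `# Firewall restart is intentionally left to the operator after the generated config was reviewed` next to the first commented notify would record that; otherwise keep the notify.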
@@ -246,8 +246,69 @@ when: - main_ipv6_exists.stat.exists - drop_mndp_ipv6_present is changed - notify: - - Restart IPv6 Firewall +# notify: +# - Restart IPv6 Firewall + +# --- +# Fix section Limit Connections - add limit_new_tcp_connections_per_seconds_ports +# --- + +- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' is present + shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv4.conf + register: drop_limit_new_tcp_connections_per_seconds_ports_present + when: main_ipv4_exists.stat.exists + failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1" + changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (limit_new_tcp_connections_per_seconds_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP' + block: | + # - limit_new_tcp_connections_per_seconds_ports + # - + # - comma separated list of ports + # - + # - Example: + # - limit_new_tcp_connections_per_seconds_ports="80,443" + # - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995" + # + limit_new_tcp_connections_per_seconds_ports="" + marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)" + when: + - main_ipv4_exists.stat.exists + - drop_limit_new_tcp_connections_per_seconds_ports_present is changed +# notify: +# - Restart IPv4 Firewall + + +- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' 
is present + shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv6.conf + register: drop_limit_new_tcp_connections_per_seconds_ports_present + when: main_ipv6_exists.stat.exists + failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1" + changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (limit_new_tcp_connections_per_seconds_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP' + block: | + # - limit_new_tcp_connections_per_seconds_ports + # - + # - comma separated list of ports + # - + # - Example: + # - limit_new_tcp_connections_per_seconds_ports="80,443" + # - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995" + # + limit_new_tcp_connections_per_seconds_ports="" + marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)" + when: + - main_ipv6_exists.stat.exists + - drop_limit_new_tcp_connections_per_seconds_ports_present is changed +# notify: +# - Restart IPv6 Firewall # === @@ -318,8 +379,8 @@ when: - main_ipv4_exists.stat.exists - per_ip_connection_limit_settings_ipv4_present is changed - notify: - - Restart IPv4 Firewall +# notify: +# - Restart IPv4 Firewall - name: Check if String 'per_IP_connection_limit=..' is present @@ -337,8 +398,8 @@ when: - main_ipv6_exists.stat.exists - per_ip_connection_limit_settings_ipv6_present is changed - notify: - - Restart IPv6 Firewall +# notify: +# - Restart IPv6 Firewall @@ -363,7 +424,7 @@ - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf - - post_decalrations.conf + - post_declarations.conf register: diff_script_output - name: Ensure configuration files are latest 
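Review bot: Both new check tasks register the same variable, `drop_limit_new_tcp_connections_per_seconds_ports_present`, for the IPv4 and the IPv6 file, unlike the existing `per_ip_connection_limit_settings_ipv4_present` / `_ipv6_present` pair; this works only because each blockinfile directly follows its own check, and the `drop_` prefix does not fit a limit setting. Suggest `register: limit_new_tcp_connections_ports_ipv4_present` and `register: limit_new_tcp_connections_ports_ipv6_present` with the matching `failed_when`, `changed_when` and `when:` references. Both `shell: grep -q -E ...` calls use no shell features and could be `command:`. The `marker` has no `{mark}` placeholder, so begin and end marker are identical; blockinfile documents that such a marker can re-insert the block on later runs, which here is only prevented by the preceding grep guard — that appears to be the convention already used in this file, so a short comment on the guard's role would be enough.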
@@ -375,13 +436,13 @@ - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf - - post_decalrations.conf + - post_declarations.conf when: - git_firewall_repository is defined and git_firewall_repository|length > 0 - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall +# notify: +# - Restart IPv4 Firewall +# - Restart IPv6 Firewall @@ -412,9 +473,9 @@ when: - git_firewall_repository is defined and git_firewall_repository|length > 0 - diff_script_output.changed - notify: - - Restart IPv4 Firewall - - Restart IPv6 Firewall +# notify: +# - Restart IPv4 Firewall +# - Restart IPv6 Firewall @@ -432,3 +493,8 @@ state: absent path: /etc/ipt-firewall/ports.conf +- name: Delete file '/etc/ipt-firewall/ports.conf' .. + file: + state: absent + path: /etc/ipt-firewall/post_decalrations.conf +
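Review bot: The new task's name, `Delete file '/etc/ipt-firewall/ports.conf' ..`, was copied from the task above while its `path` is `/etc/ipt-firewall/post_decalrations.conf`, so the play output claims the wrong file was removed. Change it to `- name: Delete file '/etc/ipt-firewall/post_decalrations.conf' (misspelled, replaced by post_declarations.conf)`. Removing the misspelled file matches the `post_declarations.conf` rename in the two earlier hunks; the added empty line at the end of the file can be dropped.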