From 505cdbf12008ba61826260e773028d010d119ac7 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 3 Jul 2019 04:14:14 +0200 Subject: [PATCH] Reduce output from ansible playbooks. Some minor changes. --- group_vars/all/main.yml | 778 ++++++++++---- group_vars/gateway_server.yml | 126 +++ group_vars/oopen_server.yml | 6 +- ...{warenform_office => warenform_office.yml} | 2 - group_vars/warenform_server.yml | 7 +- hosts | 72 +- roles/common/tasks/apt.yml | 4 +- roles/common/tasks/first-run.yml | 11 + roles/common/tasks/git.yml | 108 +- roles/common/tasks/main.yml | 3 + roles/common/tasks/sudoers.yml | 22 +- roles/common/tasks/users-systemfiles.yml | 29 +- roles/common/tasks/users.yml | 52 +- roles/common/tasks/webadmin-user.yml | 26 + roles/common/templates/etc/ssh/sshd_config.j2 | 55 +- roles/common/vars/git-debian.yml | 218 ---- roles/common/vars/sudoers-debian.yml | 87 -- scripts/first-run.retry | 1 - scripts/first-run.yml | 117 ++- scripts/first-run.yml.BAK | 46 + scripts/install-firewall.yml | 455 +++++++++ scripts/install-ulogd.yml | 132 +++ scripts/install-update-firewall.yml | 947 ++++++++++++++++++ scripts/modify-ipt-server.yml | 441 ++++++++ scripts/test.yml | 28 +- 25 files changed, 3158 insertions(+), 615 deletions(-) create mode 100644 group_vars/gateway_server.yml rename group_vars/{warenform_office => warenform_office.yml} (99%) create mode 100644 roles/common/tasks/first-run.yml delete mode 100644 roles/common/vars/git-debian.yml delete mode 100644 roles/common/vars/sudoers-debian.yml delete mode 100644 scripts/first-run.retry create mode 100644 scripts/first-run.yml.BAK create mode 100644 scripts/install-firewall.yml create mode 100644 scripts/install-ulogd.yml create mode 100644 scripts/install-update-firewall.yml create mode 100644 scripts/modify-ipt-server.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index f86d6ba..88cac47 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -10,6 +10,10 @@ apt_ansible_dependencies: - python3 - python3-apt - lsb-release + - apt-transport-https + - apt-transport-tor + - dbus + - sudo - vim @@ -66,8 +70,30 @@ sshd_password_authentication: !!str "no" sshd_print_motd: !!str "no" +# sshd_kexalgorithms +# +# Example: +# sshd_kexalgorithms: +# - curve25519-sha256@libssh.org +# - diffie-hellman-group-exchange-sha256 +# - diffie-hellman-group14-sha1 +# +sshd_kexalgorithms: {} + +# sshd_kexalgorithms +# +# Example: +# sshd_ciphers: +# - chacha20-poly1305@openssh.com +# - aes256-gcm@openssh.com +# - aes256-ctr +sshd_ciphers: {} + sshd_use_dns: !!str "no" +sshd_allowed_users: {} + + # --- # vars used by apt.yml 
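Review bot: The header comment above `sshd_ciphers` is a copy of the one above it and still reads `# sshd_kexalgorithms`, and all three new defaults (`sshd_kexalgorithms: {}`, `sshd_ciphers: {}`, `sshd_allowed_users: {}`) are empty mappings although the examples document them as lists; how sshd_config.j2 consumes them is outside this chunk, but a `| length > 0` or `for` over these works on either type while a later `| join(',')` would not, so `[]` is the safer default and matches the documentation. Suggest `# sshd_ciphers` for the second header and `sshd_kexalgorithms: []`, `sshd_ciphers: []`, `sshd_allowed_users: []`. The kex example also lists `diffie-hellman-group14-sha1`; since these comments are what an operator will copy into a host file, it is worth dropping the SHA-1 group from the example so a pasted override is not weaker than the OpenSSH default.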
@@ -96,224 +122,230 @@ apt_upgrade_dpkg_options: - force-confold apt_initial_install_stretch: - - openssh-server - - rssh - - vim - - vim-common - - vim-doc - - mc - - screen - - tmux - - bc - - figlet - - rcconf - - sudo - - rsync - - dselect - - iputils-ping - - apt-utils - - aptitude - - apt-transport-https - - zip - - unzip - - bzip2 - - arj - - locate - - curl - - gawk - - mawk - - lynx - - links - - w3m - - exuberant-ctags - - mime-support - - file - - coreutils - - moreutils - - less - - realpath - - sipcalc - - psmisc - - dnsutils - - rblcheck - - whois - - gettext - - gettext-base - - gettext-doc - - debian-keyring - - patch - - patchutils - - recode - - recode-doc - - librecode0 - - librecode-dev - - sharutils - - perl - - perl-modules-5.24 - - perl-doc - - libperl-dev - - libterm-readline-gnu-perl - - libterm-readline-perl-perl - - libterm-readkey-perl - - libmail-imapclient-perl - - libtime-duration-perl - - libtimedate-perl - - libwww-perl - - libpcre3 - - libreadline5 - - re2c - - util-linux - - parted - - lshw - - gdisk - - smartmontools - - tcpdump - - telnet - - unhide - - lsof - - hdparm - - groff - - iproute2 - - bridge-utils - - vlan - - ethtool - - wipe - - iperf - - mtr - - iptraf - - wget - - logrotate - - rsyslog - - haveged - - rdate - - ntpdate - - wipe - - man-db - - groff - - iptables - - shellcheck - - ssl-cert - - ssl-cert-check - - git - - ftp - - htop - - net-tools - - lsb-release - - attr - - acl - - quota - - quotatool - - needrestart + - apt-transport-https + - apt-transport-tor + - dbus + - openssh-server + - rssh + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - apt-transport-https + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - exuberant-ctags + - mime-support + - file + - coreutils + - moreutils + - less + - realpath + - sipcalc + - psmisc + - dnsutils 
+ - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.24 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man-db + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart apt_initial_install_buster: - - openssh-server - - rush - - vim - - vim-common - - vim-doc - - mc - - screen - - tmux - - bc - - figlet - - rcconf - - sudo - - rsync - - dselect - - iputils-ping - - apt-utils - - aptitude - - apt-transport-https - - zip - - unzip - - bzip2 - - arj - - locate - - curl - - gawk - - mawk - - lynx - - links - - w3m - - ctags - - mime-support - - file - - coreutils - - moreutils - - less - - sipcalc - - psmisc - - dnsutils - - rblcheck - - whois - - gettext - - gettext-base - - gettext-doc - - debian-keyring - - patch - - patchutils - - recode - - recode-doc - - librecode0 - - librecode-dev - - sharutils - - perl - - perl-modules-5.28 - - perl-doc - - libperl-dev - - libterm-readline-gnu-perl - - libterm-readline-perl-perl - - libterm-readkey-perl - - libmail-imapclient-perl - - libtime-duration-perl - - libtimedate-perl - - libwww-perl - - libpcre3 - - libio-compress-perl - - libreadline5 - - re2c - - util-linux - - parted - - lshw - - gdisk - - smartmontools - - tcpdump - - telnet - - unhide - - lsof - - 
hdparm - - groff - - iproute2 - - bridge-utils - - vlan - - ethtool - - wipe - - iperf - - mtr - - iptraf - - wget - - logrotate - - rsyslog - - haveged - - rdate - - ntpdate - - wipe - - man - - groff - - iptables - - shellcheck - - ssl-cert - - ssl-cert-check - - git - - ftp - - htop - - net-tools - - lsb-release - - attr - - acl - - quota - - quotatool - - needrestart + - apt-transport-https + - apt-transport-tor + - dbus + - openssh-server + - rush + - vim + - vim-common + - vim-doc + - mc + - screen + - tmux + - bc + - figlet + - rcconf + - sudo + - rsync + - dselect + - iputils-ping + - apt-utils + - aptitude + - apt-transport-https + - zip + - unzip + - bzip2 + - arj + - locate + - curl + - gawk + - mawk + - lynx + - links + - w3m + - ctags + - mime-support + - file + - coreutils + - moreutils + - less + - sipcalc + - psmisc + - dnsutils + - rblcheck + - whois + - gettext + - gettext-base + - gettext-doc + - debian-keyring + - patch + - patchutils + - recode + - recode-doc + - librecode0 + - librecode-dev + - sharutils + - perl + - perl-modules-5.28 + - perl-doc + - libperl-dev + - libterm-readline-gnu-perl + - libterm-readline-perl-perl + - libterm-readkey-perl + - libmail-imapclient-perl + - libtime-duration-perl + - libtimedate-perl + - libwww-perl + - libpcre3 + - libio-compress-perl + - libreadline5 + - re2c + - util-linux + - parted + - lshw + - gdisk + - smartmontools + - tcpdump + - telnet + - unhide + - lsof + - hdparm + - groff + - iproute2 + - bridge-utils + - vlan + - ethtool + - wipe + - iperf + - mtr + - iptraf + - wget + - logrotate + - rsyslog + - haveged + - rdate + - ntpdate + - wipe + - man + - groff + - iptables + - shellcheck + - ssl-cert + - ssl-cert-check + - git + - ftp + - htop + - net-tools + - lsb-release + - attr + - acl + - quota + - quotatool + - needrestart apt_install_compiler_pkgs: false apt_compiler_pkgs: @@ -436,6 +468,7 @@ apt_lxc_host_pkgs: - lxc - btrfs-tools - lua5.3 + - ntp apt_install: {} apt_install_state: latest 
@@ -486,8 +519,87 @@ webadmin_user: {} # --- # vars used by roles/common/tasks/sudoers.yml # --- + +# /etc/sudoers # -# see: roles/common/tasks/vars +sudoers_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_host_aliases: [] + +sudoers_user_aliases: [] + +sudoers_cmnd_aliases: [] + +sudoers_runas_aliases: [] + +sudoers_user_privileges: + - name: root + entry: 'ALL=(ALL:ALL) ALL' + +sudoers_group_privileges: [] + +sudoers_remove_user: + - back + - www-data + + +# /etc/sudoers.d/50-user +# +sudoers_file_defaults: [] + +sudoers_file_host_aliases: [] + +sudoers_file_user_aliases: [] + +sudoers_file_cmnd_aliases: [] + +sudoers_file_runas_aliases: [] + +sudoers_file_user_back_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/rsync' + - 'ALL=(root) NOPASSWD: /usr/bin/find' + - 'ALL=(root) NOPASSWD: /usr/bin/realpath' + +sudoers_file_user_back_postgres_privileges: + - 'ALL=(postgres) NOPASSWD: /usr/bin/psql' + - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump' + - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall' + +sudoers_file_user_back_disk_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/which' + - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*' + - 'ALL=(root) NOPASSWD: /sbin/fdisk' + - 'ALL=(root) NOPASSWD: /sbin/sgdisk' + - 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*' + - 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*' + - 'ALL=(root) NOPASSWD: /sbin/parted' + - 'ALL=(root) NOPASSWD: /sbin/gdisk' + +sudoers_file_user_webadmin_disk_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/mailq' + - 'ALL=(root) NOPASSWD: /usr/bin/tail' + - 'ALL=(root) NOPASSWD: /usr/bin/view' + +sudoers_file_dns_server_privileges: + - name: manage-bind + entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*' + - name: manage-bind + entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*' + - name: chris + entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*' + +sudoers_file_postfixadmin_privileges: + - name: www-data + entry: 'ALL=(vmail)NOPASSWD: 
/usr/local/bin/postfixadmin-mailbox-postdeletion.sh' + - name: www-data + entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh' + +sudoers_file_user_privileges: [] + +sudoers_file_group_privileges: [] # --- 
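Review bot: Several of the new NOPASSWD entries grant effective root rather than the narrow capability their variable names suggest: `/usr/bin/find`, `/usr/bin/view` and `/usr/bin/rsync` (in `sudoers_file_user_back_privileges` and `sudoers_file_user_webadmin_disk_privileges`) can execute commands or write arbitrary files as root, `/usr/bin/tail` as root reads any file on the system, and in `sudoers_file_user_back_disk_privileges` the sudoers `*` wildcard also matches whitespace, so `/bin/dd if=/dev/*` and `/sbin/sfdisk -d /dev/*` accept additional arguments after the wildcard. For the backup and webadmin workflows, prefer one root-owned wrapper script per task and allow only that script, or pin the exact argument list the scripts use, and add the `NOEXEC:` tag to the `view` and `find` entries so shell escapes are blocked. Minor: `'ALL=(vmail)NOPASSWD: ...'` in `sudoers_file_postfixadmin_privileges` lacks the space after the Runas spec that every other entry has; the sudoers lexer may tolerate it, but `'ALL=(vmail) NOPASSWD: ...'` is the documented form.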
@@ -500,8 +612,238 @@ acl_caching_nameserver: {} # --- # vars used by roles/common/tasks/git.yml # --- + +# --- +# Firewall repository +# --- + +git_firewall_repository: [] + +# --- +# all servers +# --- + +git_default_repositories: + + # script repositories (destination /root/bin/) + - name: admin-stuff + repo: https://git.oopen.de/script/admin-stuff + dest: /root/bin/admin-stuff + + - name: postfix + repo: https://git.oopen.de/script/postfix + dest: /root/bin/postfix + + # install repositories (destination: /usr/local/src/) + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + +# --- +# group [lxc_host] +# --- +git_lxc_host_repositories: + + # Monitoring + - name: monitoring + repo: https://git.oopen.de/script/monitoring + dest: /root/bin/monitoring + + # LXC + - name: LXC + repo: https://git.oopen.de/script/LXC + dest: /root/bin/LXC + + # firewall + - name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# --- +# group [lxc_guest] +# --- +git_lxc_guest_repositories: + + # dehydrated-cron + - name: dehydrated-cron + repo: https://git.codecoop.org/so36intern/dehydrated-cron.git + dest: /usr/local/src/dehydrated-cron + + # firewall + - name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# --- +# group [gateway_server] +# --- +git_gateway_repositories: + + # firewall + - name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + + +# --- +# group [apache2_webserver] +# --- +git_apache2_repositories: + # script repositories (destination /root/bin/) + - name: apache2 + repo: https://git.oopen.de/script/apache2 + dest: /root/bin/apache2 + + # install repositories (destination: /usr/local/src/) + - name: apache2 + repo: https://git.oopen.de/install/apache2 + dest: /usr/local/src/apache2 + + - name: php + repo: https://git.oopen.de/install/php + dest: /usr/local/src/php + + +# 
--- +# group [nginx_webserver] +# --- +git_nginx_repositories: [] + + +# --- +# group [mysql_server] +# --- +git_mysql_repositories: + + # script repositories (destination /root/bin/) + - name: mysql + repo: https://git.oopen.de/script/mysql + dest: /root/bin/mysql + + # install repositories (destination: /usr/local/src/) + - name: mysql + repo: https://git.oopen.de/install/mysql + dest: /usr/local/src/mysql + + +# --- +# group [postgresql_server] +# --- +git_postgresql_repositories: + + # script repositories (destination /root/bin/) + - name: postgres + repo: https://git.oopen.de/script/postgres + dest: /root/bin/postgres + + +# --- +# group [nextcloud_server] +# --- +git_nextcloud_repositories: + + # script repositories (destination /root/bin/) + - name: nextcloud + repo: https://git.oopen.de/script/nextcloud + dest: /root/bin/nextcloud + + # install repositories (destination: /usr/local/src/) + - name: nextcloud + repo: https://git.oopen.de/install/nextcloud + dest: /usr/local/src/nextcloud + + +# --- +# group [dns_server] +# --- +git_dns_repositories: + + # script repositories (destination /root/bin/) + - name: bind + repo: https://git.oopen.de/script/bind + dest: /root/bin/bind + + +# --- +# group [backup_server] +# --- +git_backup_repositories: + + # script repositories (destination /root/bin/) + - name: backup-rcopy + repo: https://git.oopen.de/backup/backup-rcopy + dest: /root/crontab/backup-rcopy + + +# --- +# group [samba_server] +# --- +git_samba_repositories: + + # script repositories (destination /root/bin/) + - name: samba + repo: https://git.oopen.de/script/samba + dest: /root/bin/samba + + +# --- +# group [mail_server] +# --- +git_mailserver_repositories: + + # script repositories (destination /root/bin/) + - name: apache2 + repo: https://git.oopen.de/script/apache2 + dest: /root/bin/apache2 + + - name: postfix + repo: https://git.oopen.de/script/postfix + dest: /root/bin/postfix + + - name: monitoring + repo: https://git.oopen.de/script/monitoring 
+ dest: /root/bin/monitoring + + # install repositories (destination: /usr/local/src/) + - name: apache2 + repo: https://git.oopen.de/install/apache2 + dest: /usr/local/src/apache2 + + - name: php + repo: https://git.oopen.de/install/php + dest: /usr/local/src/php + + - name: mailsystem + repo: https://git.oopen.de/install/mailsystem + dest: /usr/local/src/mailsystem + + - name: fail2ban + repo: https://git.oopen.de/install/fail2ban + dest: /usr/local/src/fail2ban + + # let's encrypt + - name: dehydrated-cron + repo: https://git.codecoop.org/so36intern/dehydrated-cron.git + dest: /usr/local/src/dehydrated-cron + + +# --- +# group [sympa_list_servers] +# --- +git_sympa_repositories: + + # install repositories (destination: /usr/local/src/) + - name: sympa + repo: https://git.oopen.de/install/sympa + dest: /usr/local/src/sympa + + +# --- +# Use this for host specific repositories defined in files git-.yaml # -# see: roles/common/tasks/vars +# Leave empty here +# --- +git_other_repositories: [] # ============================== diff --git a/group_vars/gateway_server.yml b/group_vars/gateway_server.yml new file mode 100644 index 0000000..0e75773 --- /dev/null +++ b/group_vars/gateway_server.yml 
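Review bot: None of the repository entries carries a `version`, and the tasks in roles/common/tasks/git.yml only pass `repo`/`dest`, so every run checks out the current HEAD of each remote; several of these (ipt-server, ipt-gateway, admin-stuff, backup-rcopy) are executed as root, which makes any push to git.oopen.de or git.codecoop.org land on all hosts on the next playbook run. Consider an optional `version:` (tag or commit) per entry here and `version: "{{ item.version | default('HEAD') }}"` in the git tasks so production hosts can be pinned while keeping the current behaviour as the default. Also, `git_firewall_repository: []` is a list here while gateway_server.yml, oopen_server.yml and warenform_server.yml define it as a mapping; an empty mapping `{}` would keep the type consistent with the `.repo`/`.dest` lookups in git.yml.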
@@ -0,0 +1,126 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: backup + login: root + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/group_vars/oopen_server.yml b/group_vars/oopen_server.yml index d31f69e..de07cba 100644 --- a/group_vars/oopen_server.yml +++ b/group_vars/oopen_server.yml @@ -107,9 +107,11 @@ sudo_users: # --- # vars used by roles/common/tasks/git.yml # --- -# -# see: roles/common/tasks/vars +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server # ============================== diff --git a/group_vars/warenform_office b/group_vars/warenform_office.yml similarity index 99% rename from group_vars/warenform_office rename to group_vars/warenform_office.yml index 7b369f6..8f859c6 100644 --- a/group_vars/warenform_office +++ b/group_vars/warenform_office.yml @@ -118,8 +118,6 @@ sudo_users: # --- # vars used by roles/common/tasks/git.yml # --- -# -# see: roles/common/tasks/vars # ============================== diff --git a/group_vars/warenform_server.yml b/group_vars/warenform_server.yml index ec1eee9..7adb5c4 100644 --- a/group_vars/warenform_server.yml +++ b/group_vars/warenform_server.yml 
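Review bot: The new group file commits SHA-512 crypt password hashes (`default_user[*].password`, `root_user.password`) in plain text, and `ssh_keypair_backup_server`/`root_ssh_keypair` reference private key files (`root/.ssh/id_rsa.backup.oopen.de`, `root/.ssh/id_ed25519.oopen-server`), presumably kept under the playbook's files/ directory; both end up permanently in VCS history, where the hashes can be attacked offline and the keys reused. Move the hashes into `ansible-vault`-encrypted values (inline `!vault` scalars or a vaulted vars file) and vault-encrypt the key files, referencing them from here. Separately, the sudoers section still carries `# see: roles/common/tasks/vars`, which this same commit deletes from oopen_server.yml and warenform_office.yml; drop it here too.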
@@ -119,8 +119,11 @@ sudo_users: # --- # vars used by roles/common/tasks/git.yml # --- -# -# see: roles/common/tasks/vars + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server # ============================== diff --git a/hosts b/hosts index 9241541..daedb88 100644 --- a/hosts +++ b/hosts @@ -11,6 +11,12 @@ dns1.warenform.de a.ns.oopen.de +[extra_hosts] +o25.oopen.de +test.mx.oopen.de +rage.so36.net:1036 ansible_user=ckubu + + [initial_setup] # --- @@ -139,6 +145,12 @@ mail.faire-mobilitaet.de # - Vserver von Sinma a.ns.oopen.de +# --- +# O.OPEN office network +# --- + +gw-ckubu.local.netz + # --- # - Warenform Office @@ -156,9 +168,6 @@ devel-todo.wf.netz devel-wiki.wf.netz -[extra_hosts] - - [apache2_webserver] # --- @@ -257,6 +266,12 @@ devel-todo.wf.netz devel-repos.wf.netz devel-wiki.wf.netz +# --- +# O.OPEN office network +# --- + +ckubu.local.netz + [webadmin] @@ -290,6 +305,43 @@ o13-pad.oopen.de cp-01.oopen.de +[ftp_server] + +# --- +# - O.OPEN Server +# --- + +# o12.oopen.de +initiativenserver.oopen.de + +# o13.oopen.de +o13-web.oopen.de + +# o14.oopen.de +www2.oopen.de + +# o15.oopen.de +www.oopen.de +www3.oopen.de + +# o21.oopen.de +web.cadus.org + +# o20.oopen.de (srv-cityslang.cityslang.com) +o20.oopen.de + +# o22.oopen.de +oolm-web.oopen.de + + +# --- +# Warenform server +# --- + +# server22 +nd.warenform.de + + [mail_server] # --- @@ -571,6 +623,11 @@ backup.warenform.de anita.wf.netz +[mumble_server] + +#test.mx.oopen.de + + [lxc_host] # --- @@ -822,6 +879,15 @@ mail.faire-mobilitaet.de a.ns.oopen.de +[gateway_server] + +# --- +# O.OPEN office network +# --- + +gw-ckubu.local.netz + + [warenform_server] # server16 diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml index 2eb2b57..0380d1b 100644 --- a/roles/common/tasks/apt.yml +++ b/roles/common/tasks/apt.yml 
@@ -104,7 +104,7 @@ state: "{{ apt_install_state }}" when: apt_install_lxc_host_pkgs|bool tags: - - apt-lxc-hosts-pkgs|bool + - apt-lxc-hosts-pkgs - name: (apt.yml) Install compiler related packages apt: @@ -112,7 +112,7 @@ state: "{{ apt_install_state }}" when: apt_install_compiler_pkgs|bool tags: - - apt-compiler-pkgs|bool + - apt-compiler-pkgs - name: (apt.yml) Install postgresql_server related packages apt: diff --git a/roles/common/tasks/first-run.yml b/roles/common/tasks/first-run.yml new file mode 100644 index 0000000..2a18a71 --- /dev/null +++ b/roles/common/tasks/first-run.yml @@ -0,0 +1,11 @@ +--- + +- hosts: o25.oopen.de + + tasks: + + - name: Ensure aptitude is present + raw: test -e /usr/bin/aptitude || apt-get install aptitude -y + + - name: Ensure python2 is present (This is necessary for ansible to work properly) + raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) diff --git a/roles/common/tasks/git.yml b/roles/common/tasks/git.yml index a8fbdff..5ad9e21 100644 --- a/roles/common/tasks/git.yml +++ b/roles/common/tasks/git.yml 
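Review bot: roles/common/tasks/first-run.yml is a play (`- hosts:` / `tasks:`), not a task list, so it cannot be imported from the role's main.yml, and it hard-codes `o25.oopen.de`. It also leaves fact gathering enabled, so the implicit setup module runs before the `raw` task that installs python and fails on exactly the hosts this bootstrap is meant for. Suggest keeping it as a standalone playbook under scripts/ (the diffstat shows scripts/first-run.yml already exists), targeting a group such as `extra_hosts`, and adding `gather_facts: false` directly under `- hosts:`.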
@@ -1,28 +1,41 @@ --- -- name: (git.yml) include variables - include_vars: "{{ item }}" - with_first_found: - - "git-{{ inventory_hostname }}.yml" - - "git-{{ ansible_distribution_release }}.yml" - - "git-{{ ansible_distribution | lower }}.yml" - - git-default.yml - tags: - - git-default-repositories - - git-lxc-guest-repositories - - git-apache2-repositories - - git-nginx-repositories - - git-mysql-server-repositories - - git-postgresql-server-repositories - - git-nextcloud-server-repositories - - git-dns-server-repositories - - git-backup-server-repositories - - git-samba-server-repositories - - git-mailservers-repositories - - git-sympa-repositories - - git-other-repositories +#- name: (git.yml) include variables +# include_vars: "{{ item }}" +# with_first_found: +# - "git-{{ inventory_hostname }}.yml" +# - "git-{{ ansible_distribution_release }}.yml" +# - "git-{{ ansible_distribution | lower }}.yml" +# - git-default.yml +# tags: +# - git-default-repositories +# - git-lxc-guest-repositories +# - git-apache2-repositories +# - git-nginx-repositories +# - git-mysql-server-repositories +# - git-postgresql-server-repositories +# - git-nextcloud-server-repositories +# - git-dns-server-repositories +# - git-backup-server-repositories +# - git-samba-server-repositories +# - git-mailservers-repositories +# - git-sympa-repositories +# - git-other-repositories + +# --- +# Firewall repository +# --- + +- name: (git.yml) Install/Update firewall repository + git: + repo: "{{ git_firewall_repository.repo}}" + dest: "{{ git_firewall_repository.dest }}" + when: git_firewall_repository is defined and git_firewall_repository > 0 + tags: + - git-firewall-repository + # --- # Default reposotories # --- @@ -32,6 +45,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_default_repositories }}' + loop_control: + label: "{{ item.name }}" tags: - git-default-repositories 
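Review bot: The new firewall task's condition `when: git_firewall_repository is defined and git_firewall_repository > 0` compares a list or mapping with an integer; under Jinja2 on Python 3 this raises a TypeError rather than evaluating to false, and with the `[]` default from group_vars/all the `.repo` lookup in `repo: "{{ git_firewall_repository.repo}}"` would fail anyway. Use `when: git_firewall_repository is defined and git_firewall_repository | length > 0`, which works for both the empty default and the per-group mapping, and fix the spacing to `"{{ git_firewall_repository.repo }}"`. The old include_vars block is left commented out rather than deleted (the same pattern appears in the sudoers.yml hunk); since this commit also removes the vars files it referenced, deleting the block keeps the task file readable and git history preserves it.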
@@ -45,6 +60,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_lxc_guest_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['lxc_guest']|string is search(inventory_hostname)" tags: - git-lxc-guest-repositories @@ -59,11 +76,29 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_lxc_host_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['lxc_host']|string is search(inventory_hostname)" tags: - git-lxc-host-repositories +# --- +# Group [gateway_server] reposotories +# --- + +- name: (git.yml) Install/Update gateway repositories + git: + repo: '{{ item.repo }}' + dest: '{{ item.dest }}' + with_items: '{{ git_gateway_repositories }}' + loop_control: + label: "{{ item.name }}" + when: "groups['gateway_server']|string is search(inventory_hostname)" + tags: + - git-gateway-server-repositories + + # --- # Group [apache2_webserver] reposotories # --- @@ -73,6 +108,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_apache2_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['apache2_webserver']|string is search(inventory_hostname)" tags: - git-apache2-repositories @@ -87,6 +124,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_nginx_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['nginx_webserver']|string is search(inventory_hostname)" tags: - git-nginx-repositories @@ -101,6 +140,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_mysql_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['mysql_server']|string is search(inventory_hostname)" tags: - git-mysql-server-repositories @@ -115,6 +156,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_postgresql_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['postgresql_server']|string is search(inventory_hostname)" tags: - git-postgresql-server-repositories 
@@ -129,6 +172,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_nextcloud_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['nextcloud_server']|string is search(inventory_hostname)" tags: - git-nextcloud-server-repositories @@ -143,6 +188,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_dns_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['dns_server']|string is search(inventory_hostname)" tags: - git-dns-server-repositories @@ -157,6 +204,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_backup_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['backup_server']|string is search(inventory_hostname)" ignore_errors: True tags: @@ -172,6 +221,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_samba_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['samba_server']|string is search(inventory_hostname)" ignore_errors: True tags: @@ -183,18 +234,13 @@ # Group [mail_server] reposotories # --- -#- name: include variables -# include_vars: "git-mailservers.yml" -# tags: -# - initial-setup -# - git -# - git-mailservers - -- name: (git.yml) Install/Update default repositories +- name: (git.yml) Install/Update mail server repositories git: repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_mailserver_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['mail_server']|string is search(inventory_hostname)" tags: - git-mailservers-repositories @@ -209,6 +255,8 @@ repo: '{{ item.repo }}' dest: '{{ item.dest }}' with_items: '{{ git_sympa_repositories }}' + loop_control: + label: "{{ item.name }}" when: "groups['sympa_list_server']|string is search(inventory_hostname)" tags: - git-sympa-repositories 
@@ -232,6 +280,8 @@ git: repo: '{{ item.repo }}' dest: '{{ item.dest }}' + loop_control: + label: "{{ item.name }}" with_items: '{{ git_other_repositories }}' tags: - git-other-repositories diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c106694..1540441 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -86,8 +86,11 @@ # tags supportetd inside git.yml # +# git-firewall-repository # git-default-repositories +# git-lxc-host-repositories # git-lxc-guest-repositories +# git-gateway-server-repositories # git-apache2-repositories # git-nginx-repositories # git-mysql-server-repositories diff --git a/roles/common/tasks/sudoers.yml b/roles/common/tasks/sudoers.yml index be96ee6..a090e52 100644 --- a/roles/common/tasks/sudoers.yml +++ b/roles/common/tasks/sudoers.yml @@ -1,16 +1,16 @@ --- -- name: (sudoers.yml) include variables - include_vars: "{{ item }}" - with_first_found: - - "sudoers-{{ inventory_hostname }}.yml" - - "sudoers-{{ ansible_distribution_release }}.yml" - - "sudoers-{{ ansible_distribution | lower }}.yml" - - "sudoers-default.yml" - tags: - - sudoers-remove - - sudoers-file-configuration - - sudoers-global-configuration +#- name: (sudoers.yml) include variables +# include_vars: "{{ item }}" +# with_first_found: +# - "sudoers-{{ inventory_hostname }}.yml" +# - "sudoers-{{ ansible_distribution_release }}.yml" +# - "sudoers-{{ ansible_distribution | lower }}.yml" +# - "sudoers-default.yml" +# tags: +# - sudoers-remove +# - sudoers-file-configuration +# - sudoers-global-configuration - name: (sudoers.yml) Remove user entries in file /etc/sudoers lineinfile: diff --git a/roles/common/tasks/users-systemfiles.yml b/roles/common/tasks/users-systemfiles.yml index 8817963..356a1e8 100644 --- a/roles/common/tasks/users-systemfiles.yml +++ b/roles/common/tasks/users-systemfiles.yml 
@@ -8,13 +8,18 @@ stat: path: "~{{ item.name }}/.bashrc.ORIG" register: bashrc_user_orig_exists - with_items: "{{ default_user }}" + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' tags: - bash - name: (users-systemfiles.yml) Backup existing users .bashrc file command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG - with_items: "{{ bashrc_user_orig_exists.results }}" + loop: "{{ bashrc_user_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' + #with_items: "{{ bashrc_user_orig_exists.results }}" when: item.stat.exists == False tags: - bash @@ -26,7 +31,9 @@ owner: "{{ item.name }}" group: "{{ item.name }}" mode: 0644 - with_items: "{{ default_user }}" + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc') tags: - bash @@ -63,13 +70,17 @@ stat: path: "~{{ item.name }}/.profile.ORIG" register: profile_user_orig_exists - with_items: "{{ default_user }}" + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' tags: - profile - name: (users-systemfiles.yml) Backup existing users .profile file command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG - with_items: "{{ profile_user_orig_exists.results }}" + loop: "{{ profile_user_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' when: item.stat.exists == False tags: - profile @@ -81,7 +92,9 @@ owner: "{{ item.name }}" group: "{{ item.name }}" mode: 0644 - with_items: "{{ default_user }}" + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile') tags: - profile 
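Review bot: The backup-.bashrc task keeps a dead `#with_items: "{{ bashrc_user_orig_exists.results }}"` line next to the new `loop:`, and the same leftover `#with_items: '{{ root_ssh_keypair }}'` appears in the last users.yml hunk (`@@ -146,7 +164,10 @@`); since `loop` fully replaces `with_items` here, drop the commented lines so a reader does not have to work out which of the two is live. Note also that `when: item.stat.exists == False` in the same task is pre-existing but reads more idiomatically as `when: not item.stat.exists`.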
@@ -121,7 +134,9 @@ owner: "{{ item.name }}" group: "{{ item.name }}" mode: 0644 - with_items: "{{ default_user }}" + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc') tags: - vim diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml index f2876d0..1fdaf44 100644 --- a/roles/common/tasks/users.yml +++ b/roles/common/tasks/users.yml @@ -9,7 +9,9 @@ name: '{{ item.name }}' state: present gid: '{{ item.group_id | default(omit) }}' - with_items: '{{ default_user }}' + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: item.group_id is defined tags: - groups-exists @@ -24,7 +26,9 @@ shell: '{{ item.shell|d("/bin/bash") }}' password: "{{ item.password }}" update_password: on_create - with_items: '{{ default_user }}' + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' tags: - users-exists @@ -36,6 +40,8 @@ with_subelements: - '{{ default_user }}' - ssh_keys + loop_control: + label: "{{ item.0.name }}" tags: - authorized_key @@ -48,7 +54,9 @@ name: '{{ item.name }}' state: present gid: '{{ item.group_id | default(omit) }}' - with_items: '{{ extra_user }}' + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: - extra_user is defined and extra_user|length > 0 - item.group_id is defined @@ -65,7 +73,9 @@ shell: '{{ item.shell|d("/bin/bash") }}' password: "{{ item.password }}" update_password: on_create - with_items: '{{ extra_user }}' + loop: "{{ default_user }}" + loop_control: + label: '{{ item.name }}' when: extra_user is defined and extra_user|length > 0 tags: - users-exists @@ -78,6 +88,8 @@ with_subelements: - '{{ extra_user }}' - ssh_keys + loop_control: + label: "{{ item.0.name }}" when: extra_user is defined and extra_user|length > 0 tags: - authorized_key 
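Review bot: The two `extra_user` tasks at `@@ -48,7 +54,9` and `@@ -65,7 +73,9` in users.yml now iterate `loop: "{{ default_user }}"` while their `when:` still tests `extra_user is defined and extra_user|length > 0`, so extra users and their groups are no longer created — and the `authorized_key` task that follows still walks `with_subelements` over `extra_user`, which fails for any extra account that does not exist. Restore `loop: "{{ extra_user }}"` in both tasks. Because these tasks set passwords and ssh keys, hosts already provisioned from this revision may carry a different set of login accounts than the inventory declares and deserve a quick audit.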
@@ -87,14 +99,16 @@ # - Take care backup host has rsa key to connect via ssh to the other hosts # --- -- name: (users.yml) Copy ssh rsa private key to user root of backup server +- name: (users.yml) Copy ssh rsa private key to user root on backup server copy: src: '{{ item.priv_key_src }}' dest: '{{ item.priv_key_dest }}' owner: root group: root mode: '0600' - with_items: '{{ ssh_keypair_backup_server }}' + loop: "{{ ssh_keypair_backup_server }}" + loop_control: + label: '{{ item.priv_key_dest }}' when: - ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0 - insert_ssh_keypair_backup_server|bool @@ -103,14 +117,16 @@ - keypair-backup-server -- name: (users.yml) Copy ssh rsa public key to user root of backup server +- name: (users.yml) Copy ssh rsa public key to user root on backup server copy: src: '{{ item.pub_key_src }}' dest: '{{ item.pub_key_dest }}' owner: root group: root mode: '0644' - with_items: '{{ ssh_keypair_backup_server }}' + loop: "{{ ssh_keypair_backup_server }}" + loop_control: + label: '{{ item.pub_key_dest }}' when: - ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0 - insert_ssh_keypair_backup_server|bool @@ -124,7 +140,9 @@ user: "{{ item.backup_user }}" key: "{{ lookup('file', item.pub_key_src) }}" state: present - with_items: '{{ ssh_keypair_backup_server }}' + loop: "{{ ssh_keypair_backup_server }}" + loop_control: + label: 'authorized_keys - user: {{ item.backup_user }}' when: ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0 tags: - authorized_key @@ -146,7 +164,10 @@ when: - insert_root_ssh_keypair|bool - groups['backup_server']|string is not search(inventory_hostname) - with_items: '{{ root_ssh_keypair }}' + loop: "{{ root_ssh_keypair }}" + loop_control: + label: 'dest: {{ item.priv_key_dest }}' + #with_items: '{{ root_ssh_keypair }}' tags: - insert_root_ssh_keypair - root-defaut-ssh-keypair 
@@ -158,8 +179,10 @@ owner: root group: root mode: '0644' - with_items: '{{ root_ssh_keypair }}' - #when: groups['oopen_server']|string is search(inventory_hostname) + loop: "{{ root_ssh_keypair }}" + loop_control: + label: 'dest: {{ item.pub_key_dest }}' + #with_items: '{{ root_ssh_keypair }}' when: - insert_root_ssh_keypair|bool - groups['backup_server']|string is not search(inventory_hostname) @@ -172,7 +195,10 @@ user: root key: "{{ lookup('file', item.pub_key_src) }}" state: present - with_items: '{{ root_ssh_keypair }}' + loop: "{{ root_ssh_keypair }}" + loop_control: + label: 'authorized_keys - user: root' + #with_items: '{{ root_ssh_keypair }}' when: inventory_hostname == item.target tags: - authorized_key diff --git a/roles/common/tasks/webadmin-user.yml b/roles/common/tasks/webadmin-user.yml index 8da47d2..a4d0986 100644 --- a/roles/common/tasks/webadmin-user.yml +++ b/roles/common/tasks/webadmin-user.yml @@ -10,6 +10,8 @@ state: present gid: '{{ item.group_id | default(omit) }}' with_items: '{{ webadmin_user }}' + loop_control: + label: "{{ item.name }}" when: - groups['webadmin']|string is search(inventory_hostname) - webadmin_user is defined @@ -29,6 +31,8 @@ password: "{{ item.password }}" update_password: on_create with_items: '{{ webadmin_user }}' + loop_control: + label: "{{ item.name }}" when: - groups['webadmin']|string is search(inventory_hostname) - webadmin_user is defined @@ -44,6 +48,8 @@ with_subelements: - '{{ webadmin_user }}' - ssh_keys + loop_control: + label: "{{ item.0.name }}" when: - groups['webadmin']|string is search(inventory_hostname) - webadmin_user is defined @@ -62,6 +68,8 @@ when: - insert_webadmin_ssh_keypair|bool with_items: '{{ webadmin_ssh_keypair }}' + loop_control: + label: 'dest: {{ item.priv_key_dest }}' tags: - webadmin - webadmin-defaut-ssh-keypair 
@@ -74,6 +82,8 @@ group: '{{ item.login }}' mode: '0644' with_items: '{{ webadmin_ssh_keypair }}' + loop_control: + label: 'dest: {{ item.pub_key_dest }}' when: - insert_webadmin_ssh_keypair|bool tags: @@ -102,6 +112,8 @@ key: "{{ lookup('file', item.pub_key_src) }}" state: present with_items: '{{ webadmin_ssh_keypair }}' + loop_control: + label: 'authorized_keys - webadmin: root' when: inventory_hostname == item.target tags: - webadmin @@ -118,6 +130,8 @@ path: "~{{ item.name }}/.bashrc.ORIG" register: bashrc_webadmin_orig_exists with_items: "{{ webadmin_user }}" + loop_control: + label: '{{ item.name }}' tags: - webadmin - bash @@ -125,6 +139,8 @@ - name: (webadmin-user.yml) Backup existing webadmin's .bashrc file command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG with_items: "{{ bashrc_webadmin_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' when: item.stat.exists == False tags: - webadmin @@ -138,6 +154,8 @@ group: "{{ item.name }}" mode: 0644 with_items: "{{ webadmin_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc') tags: - webadmin @@ -152,6 +170,8 @@ path: "~{{ item.name }}/.profile.ORIG" register: profile_webadmin_orig_exists with_items: "{{ webadmin_user }}" + loop_control: + label: '{{ item.name }}' tags: - webadmin - profile @@ -159,6 +179,8 @@ - name: (webadmin-user.yml) Backup existing users .profile file command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG with_items: "{{ profile_webadmin_orig_exists.results }}" + loop_control: + label: '{{ item.item.name }}' when: item.stat.exists == False tags: - webadmin @@ -172,6 +194,8 @@ group: "{{ item.name }}" mode: 0644 with_items: "{{ webadmin_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile') tags: - webadmin 
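Review bot: webadmin-user.yml keeps `with_items:` and only adds `loop_control` beneath it, whereas users.yml and users-systemfiles.yml are migrated to `loop:` in the same commit; `loop_control` works with `with_*` as well, but converting these tasks too keeps the role uniform. The label `'authorized_keys - webadmin: root'` on the `@@ -102,6 +112,8` hunk is a fixed string that identifies no iteration; `'authorized_keys - target: {{ item.target }}'`, using the field the task's `when:` already reads, would show which item is being processed.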
@@ -189,6 +213,8 @@ group: "{{ item.name }}" mode: 0644 with_items: "{{ webadmin_user }}" + loop_control: + label: '{{ item.name }}' when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc') tags: - webadmin diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2 index da348c4..6b52692 100644 --- a/roles/common/templates/etc/ssh/sshd_config.j2 +++ b/roles/common/templates/etc/ssh/sshd_config.j2 @@ -161,7 +161,11 @@ HostbasedAuthentication no # The allow/deny directives are processed in the following order: DenyUsers, # AllowUsers, DenyGroups, and finally AllowGroups. # By default, login is allowed for all users. -#AllowUsers chris cityslang sysadm +{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %} +AllowUsers {{ fact_sshd_allowed_users }} +{% else %} +#AllowUsers back chris sysadm cityslang christoph +{% endif %} # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will 
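Review bot: The fallback branch renders `#AllowUsers back chris sysadm cityslang christoph` — what look like real account names — into every host's sshd_config wherever no restriction is configured; a neutral placeholder such as `#AllowUsers user1 user2` says the same thing without publishing the name list. When `fact_sshd_allowed_users` is empty the directive is omitted entirely, so any local account that passes authentication may log in; a one-line comment above the `{% if %}` stating that the empty default is permissive would make that explicit for operators. `AllowUsers` expects a space-separated list, so if `fact_sshd_allowed_users` is derived from a YAML list outside this diff it needs a `| join(' ')`; a rendered Python list makes sshd reject the file.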
@@ -184,6 +188,55 @@ UsePAM yes #UseLogin no +#----------------------------- +# Cryptography +#----------------------------- + +# Specifies the available KEX (Key Exchange) algorithms. +# The default is: +## curve25519-sha256@libssh.org, +## ecdh-sha2-nistp256, +## ecdh-sha2-nistp384, +## ecdh-sha2-nistp521, +## diffie-hellman-group-exchange-sha256, +## diffie-hellman-group14-sha1. +{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %} +KexAlgorithms {{ fact_sshd_kexalgorithms }} +{% else %} +#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +{% endif %} + +# Specifies the ciphers allowed for protocol version 2. +# The default is: +## aes128-ctr, +## aes192-ctr, +## aes256-ctr, +## aes128-gcm@openssh.com, +## aes256-gcm@openssh.com, +## chacha20-poly1305@openssh.com. +{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %} +Ciphers {{ fact_sshd_ciphers }} +{% else %} +#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +{% endif %} + +# Specifies the available MAC (message authentication code) algorithms. +# The default is: +## umac-64-etm@openssh.com, +## umac-128-etm@openssh.com, +## hmac-sha2-256-etm@openssh.com, +## hmac-sha2-512-etm@openssh.com, +## umac-64@openssh.com, +## umac-128@openssh.com, +## hmac-sha2-256, +## hmac-sha2-512. +{% if (fact_sshd_macs is defined) and fact_sshd_macs %} +MACs {{ fact_sshd_macs }} +{% else %} +#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +{% endif %} + + #----------------------------- # Logging #----------------------------- diff --git a/roles/common/vars/git-debian.yml b/roles/common/vars/git-debian.yml deleted file mode 100644 index c61dd7c..0000000 --- a/roles/common/vars/git-debian.yml +++ /dev/null 
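Review bot: The commented fallback `#MACs ...` line lists `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, which current OpenSSH releases no longer support, so anyone who uncomments it as a starting point gets an sshd that refuses to start on a bad MAC spec; keep the fallback to algorithms the compiled-in default list just above already contains. The "The default is:" comments freeze one OpenSSH version's defaults and will drift on upgrade; `# see: sshd -T | grep -iE 'kexalgorithms|ciphers|macs'` points at the running server's truth instead. `fact_sshd_macs` is consumed here but no source for it appears in the hunks under review; confirm it is set by the same path as the kex and cipher facts, otherwise the MACs branch can never activate.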
@@ -1,218 +0,0 @@ -# vars file for git ---- - -# --- -# all servers -# --- -git_default_repositories: - - # script repositories (destination /root/bin/) - - name: admin-stuff - repo: https://git.oopen.de/script/admin-stuff - dest: /root/bin/admin-stuff - - - name: postfix - repo: https://git.oopen.de/script/postfix - dest: /root/bin/postfix - - # install repositories (destination: /usr/local/src/) - - name: mailsystem - repo: https://git.oopen.de/install/mailsystem - dest: /usr/local/src/mailsystem - -# --- -# group [lxc_host] -# --- -git_lxc_host_repositories: - - # Monitoring - - name: monitoring - repo: https://git.oopen.de/script/monitoring - dest: /root/bin/monitoring - - # LXC - - name: LXC - repo: https://git.oopen.de/script/LXC - dest: /root/bin/LXC - - # firewall - - name: ipt-server - repo: https://git.oopen.de/firewall/ipt-server - dest: /usr/local/src/ipt-server - -# --- -# group [lxc_guest] -# --- -git_lxc_guest_repositories: - - # dehydrated-cron - - name: dehydrated-cron - repo: https://git.codecoop.org/so36intern/dehydrated-cron.git - dest: /usr/local/src/dehydrated-cron - - # firewall - - name: ipt-server - repo: https://git.oopen.de/firewall/ipt-server - dest: /usr/local/src/ipt-server - - -# --- -# group [apache2_webserver] -# --- -git_apache2_repositories: - # script repositories (destination /root/bin/) - - name: apache2 - repo: https://git.oopen.de/script/apache2 - dest: /root/bin/apache2 - - # install repositories (destination: /usr/local/src/) - - name: apache2 - repo: https://git.oopen.de/install/apache2 - dest: /usr/local/src/apache2 - - - name: php - repo: https://git.oopen.de/install/php - dest: /usr/local/src/php - - -# --- -# group [nginx_webserver] -# --- -git_nginx_repositories: [] - - -# --- -# group [mysql_server] -# --- -git_mysql_repositories: - - # script repositories (destination /root/bin/) - - name: mysql - repo: https://git.oopen.de/script/mysql - dest: /root/bin/mysql - - # install repositories (destination: 
/usr/local/src/) - - name: mysql - repo: https://git.oopen.de/install/mysql - dest: /usr/local/src/mysql - - -# --- -# group [postgresql_server] -# --- -git_postgresql_repositories: - - # script repositories (destination /root/bin/) - - name: postgres - repo: https://git.oopen.de/script/postgres - dest: /root/bin/postgres - - -# --- -# group [nextcloud_server] -# --- -git_nextcloud_repositories: - - # script repositories (destination /root/bin/) - - name: nextcloud - repo: https://git.oopen.de/script/nextcloud - dest: /root/bin/nextcloud - - # install repositories (destination: /usr/local/src/) - - name: nextcloud - repo: https://git.oopen.de/install/nextcloud - dest: /usr/local/src/nextcloud - - -# --- -# group [dns_server] -# --- -git_dns_repositories: - - # script repositories (destination /root/bin/) - - name: bind - repo: https://git.oopen.de/script/bind - dest: /root/bin/bind - - -# --- -# group [backup_server] -# --- -git_backup_repositories: - - # script repositories (destination /root/bin/) - - name: backup-rcopy - repo: https://git.oopen.de/backup/backup-rcopy - dest: /root/crontab/backup-rcopy - - -# --- -# group [samba_server] -# --- -git_samba_repositories: - - # script repositories (destination /root/bin/) - - name: samba - repo: https://git.oopen.de/script/samba - dest: /root/bin/samba - - -# --- -# group [mail_server] -# --- -git_mailserver_repositories: - - # script repositories (destination /root/bin/) - - name: apache2 - repo: https://git.oopen.de/script/apache2 - dest: /root/bin/apache2 - - - name: postfix - repo: https://git.oopen.de/script/postfix - dest: /root/bin/postfix - - - name: monitoring - repo: https://git.oopen.de/script/monitoring - dest: /root/bin/monitoring - - # install repositories (destination: /usr/local/src/) - - name: apache2 - repo: https://git.oopen.de/install/apache2 - dest: /usr/local/src/apache2 - - - name: php - repo: https://git.oopen.de/install/php - dest: /usr/local/src/php - - - name: mailsystem - repo: 
https://git.oopen.de/install/mailsystem - dest: /usr/local/src/mailsystem - - # let's encrypt - - name: dehydrated-cron - repo: https://git.codecoop.org/so36intern/dehydrated-cron.git - dest: /usr/local/src/dehydrated-cron - - # firewall - - name: ipt-server - repo: https://git.oopen.de/firewall/ipt-server - dest: /usr/local/src/ipt-server - - -# --- -# group [sympa_list_servers] -# --- -git_sympa_repositories: - - # install repositories (destination: /usr/local/src/) - - name: sympa - repo: https://git.oopen.de/install/sympa - dest: /usr/local/src/sympa - - -# --- -# Use this for host specific repositories defined in files git-.yaml -# -# Leave empty here -# --- -git_other_repositories: [] diff --git a/roles/common/vars/sudoers-debian.yml b/roles/common/vars/sudoers-debian.yml deleted file mode 100644 index af1417f..0000000 --- a/roles/common/vars/sudoers-debian.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -# vars file for sudoers ---- - -# --- -# /etc/sudoers -# --- - -sudoers_defaults: - - env_reset - - mail_badpass - - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' - -sudoers_host_aliases: [] - -sudoers_user_aliases: [] - -sudoers_cmnd_aliases: [] - -sudoers_runas_aliases: [] - -sudoers_user_privileges: - - name: root - entry: 'ALL=(ALL:ALL) ALL' - -sudoers_group_privileges: [] - -sudoers_remove_user: - - back - - www-data - - -# --- -# /etc/sudoers.d/50-user -# --- - -sudoers_file_defaults: [] - -sudoers_file_host_aliases: [] - -sudoers_file_user_aliases: [] - -sudoers_file_cmnd_aliases: [] - -sudoers_file_runas_aliases: [] - -sudoers_file_user_back_privileges: - - 'ALL=(root) NOPASSWD: /usr/bin/rsync' - - 'ALL=(root) NOPASSWD: /usr/bin/find' - - 'ALL=(root) NOPASSWD: /usr/bin/realpath' - -sudoers_file_user_back_postgres_privileges: - - 'ALL=(postgres) NOPASSWD: /usr/bin/psql' - - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump' - - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall' - -sudoers_file_user_back_disk_privileges: - - 'ALL=(root) NOPASSWD: /usr/bin/which' - - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*' - - 'ALL=(root) NOPASSWD: /sbin/fdisk' - - 'ALL=(root) NOPASSWD: /sbin/sgdisk' - - 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*' - - 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*' - - 'ALL=(root) NOPASSWD: /sbin/parted' - - 'ALL=(root) NOPASSWD: /sbin/gdisk' - -sudoers_file_user_webadmin_disk_privileges: - - 'ALL=(root) NOPASSWD: /usr/bin/mailq' - - 'ALL=(root) NOPASSWD: /usr/bin/tail' - - 'ALL=(root) NOPASSWD: /usr/bin/view' - -sudoers_file_dns_server_privileges: - - name: manage-bind - entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*' - - name: manage-bind - entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*' - - name: chris - entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*' - -sudoers_file_postfixadmin_privileges: - - name: www-data - entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh' - 
- name: www-data - entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh' - -sudoers_file_user_privileges: [] - -sudoers_file_group_privileges: [] diff --git a/scripts/first-run.retry b/scripts/first-run.retry deleted file mode 100644 index c5d1a7e..0000000 --- a/scripts/first-run.retry +++ /dev/null @@ -1 +0,0 @@ -o25.oopen.de diff --git a/scripts/first-run.yml b/scripts/first-run.yml index 2a18a71..66e4c33 100644 --- a/scripts/first-run.yml +++ b/scripts/first-run.yml 
@@ -1,11 +1,118 @@ --- -- hosts: o25.oopen.de +- hosts: extra_hosts tasks: - - name: Ensure aptitude is present - raw: test -e /usr/bin/aptitude || apt-get install aptitude -y + - name: (apt.yml) apt update + apt: + update_cache: true + cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}" + when: apt_update|bool + + - name: (apt.yml) dpkg --configure + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + + - name: Install ulogd2 + apt: + name: ulogd2 + state: present + default_release: "{{ ansible_distribution_release }}" + tags: + - ulogd + - apt-ulogd + + - name: Check if file '/etc/ulogd.conf.ORIG' exists + stat: + path: /etc/ulogd.conf.ORIG + register: ulogd_conf_orig_exists + tags: + - ulogd + + - name: Backup existing file /etc/ulogd.conf + command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG + when: ulogd_conf_orig_exists.stat.exists == False + tags: + - ulogd + + - name: Adjust file '/etc/ulogd.conf' 1/2 + blockinfile: + path: /etc/ulogd.conf + insertafter: '^#?\s*plugin="/usr/lib' + block: | + + # ==================================================================== + # Define two new plugin stacks inside for iptables logging + # ==================================================================== + # - + # - firewall11 - for IPv4 Firewall + # - firewall12 - for IPv6 Firewall + # - + stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU + stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU + + marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2" + state: present + register: ulogd_conf_1 + notify: Restart ulogd + + - name: Adjust file '/etc/ulogd.conf' 2/2 + blockinfile: + path: /etc/ulogd.conf + insertafter: EOF + block: | + + # ========================================================= + # Define input 
plugins using specified netlink group inside + # ========================================================= + [firewall11] + group=11 + + [firewall12] + group=12 + + + # ===================== + # Define output plugins + # ===================== + + [emu11] + file="/var/log/ulog/iptables.log" + sync=1 + + [emu12] + file="/var/log/ulog/ip6tables.log" + sync=1 + + marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2" + state: present + register: ulogd_conf_1 + notify: Restart ulogd + + - name: Insert Headline to file '/etc/ulogd.conf' + blockinfile: + path: /etc/ulogd.conf + insertbefore: BOF + block: | + # + # -------------------------- + # ** DO NOT EDIT DIRECTLY ** + # -------------------------- + # Ansible managed file + # + marker: "# {mark}" + + + handlers: + + - name: Restart ulogd + service: + name: ulogd + state: restarted - - name: Ensure python2 is present (This is necessary for ansible to work properly) - raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) diff --git a/scripts/first-run.yml.BAK b/scripts/first-run.yml.BAK new file mode 100644 index 0000000..ae61a00 --- /dev/null +++ b/scripts/first-run.yml.BAK 
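Review bot: Both `blockinfile` tasks `register: ulogd_conf_1`; the second (`Adjust file '/etc/ulogd.conf' 2/2`) should register `ulogd_conf_2`, and since neither result is read afterwards both `register:` lines can simply go. The playbook no longer does a first run: the `raw` bootstrap of aptitude and python is removed and replaced by ulogd setup through `apt`/`blockinfile`, modules that already require Python on the target, so the file name and the `hosts: extra_hosts` target now mislead; either restore the bootstrap tasks here or rename the play to what it does. The `changed_when: _dpkg_configure.stdout_lines | length` on the dpkg task is fine, but a short comment such as `# dpkg --configure -a prints only when it actually configures something` would explain why output length stands in for a change.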
@@ -0,0 +1,46 @@ +--- + +- hosts: extra_hosts + + tasks: + + - name: Install ulogd2 + apt: + name: ulogd2 + state: present + default_release: "{{ ansible_distribution_release }}" + tags: + - ulogd + - apt-ulogd + + - name: Check if file '/etc/ulogd.conf.ORIG' exists + stat: + path: /etc/ulogd.conf.ORIG + register: ulogd_conf_orig_exists + tags: + - ulogd + + - name: Backup existing file /etc/ulogd.conf + command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG + when: ulogd_conf_orig_exists.stat.exists == False + tags: + - ulogd + + - name: Adjust file '/etc/ulogd.conf' 1/2 + lineinfile: + path: /etc/ulogd.conf + insertafter: '^plugin="/usr/lib' + block: | + {{ item.entry }} + with_items: + - { entry: '' } + - { entry: '# ====================================================================' } + - { entry: '# Define two new plugin stacks inside for iptables logging' } + - { entry: '# ====================================================================' } + - { entry: '# -' } + - { entry: '# - firewall11 - for IPv4 Firewall' } + - { entry: '# - firewall12 - for IPv6 Firewall' } + - { entry: '# -' } + - { entry: 'stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU' } + - { entry: 'stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU' } + - { entry: '' } diff --git a/scripts/install-firewall.yml b/scripts/install-firewall.yml new file mode 100644 index 0000000..d8f4af6 --- /dev/null +++ b/scripts/install-firewall.yml 
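Review bot: `scripts/first-run.yml.BAK` is an editor backup and should not be committed; git history already preserves the previous version. As written it also cannot run, because `lineinfile` has no `block:` parameter (that belongs to `blockinfile`) and provides no `line:`, so the task errors on every item. Delete the file.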
@@ -0,0 +1,455 @@ +--- + +- hosts: all + + tasks: + + # --- + # Create firewall config directory '/etc/ipt/firewall' if not exists + # --- + # + - name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository > 0 + tags: + - git-firewall-repository + + - name: Create directory /etc/ipt-firewall if not exists + file: + path: /etc/ipt-firewall + state: directory + + # --- + # Get information about network devices + # --- + + - name: define traditional ethernet facts + set_fact: + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' + - inventory_hostname not in groups['lxc_host']|string + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: define traditional ibridge facts + set_fact: + #ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}" + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' + - "groups['lxc_host']|string is search(inventory_hostname)" + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: Debug message + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv4-address {{ item.ipv4.address }} " + - "ipv6-address: {{ item.ipv6.0.address }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + + # --- + # Check presence of files + # --- + + - name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present + stat: + path: 
/etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + + - name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + + - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + + - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + + - name: Check if /etc/ipt-firewall/ban_ipv4.list are present + stat: + path: /etc/ipt-firewall/ban_ipv4.list + register: ban_ipv4_exists + + - name: Check if /etc/ipt-firewall/ban_ipv6.list are present + stat: + path: /etc/ipt-firewall/ban_ipv6.list + register: ban_ipv6_exists + + # === + # Update/Modify firewall + # === + + # --- + # Host specific configuration files + # --- + + # /etc/ipt-firewall/interfaces_ipv[4|6].conf + # + - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf + when: not interfaces_ipv4_exists.stat.exists + register: new_interfaces_ipv4 + + + - name: Configure interfaces_ipv4.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_if_{{ idx + 1 }}=' + line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + + - name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_{{ idx + 1 }}_ip=' + line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + 
+ - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf + when: not interfaces_ipv6_exists.stat.exists + register: new_interfaces_ipv6 + + - name: Configure interfaces_ipv6.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_if_{{ idx + 1 }}=' + line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + + - name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_{{ idx + 1 }}_ip=' + line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + + # /etc/ipt-firewall/ban_ipv[4|6].list + # + - name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list + when: not ban_ipv4_exists.stat.exists + + - name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list + when: not ban_ipv6_exists.stat.exists + + # /etc/ipt-firewall/main_ipv[4|6].conf + # + - name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf + when: not main_ipv4_exists.stat.exists + register: cp_main_ipv4 + + - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample 
/etc/ipt-firewall/main_ipv6.conf + when: not main_ipv6_exists.stat.exists + register: cp_main_ipv6 + + # Configure main_ipv4.conf + # + - name: Configure main_ipv4.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (mail_client_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*smtpd_ips=' + line: smtpd_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (mail_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mail_server_ips=' 
+ line: mail_server_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (ftp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*ftp_server_ips=' + line: ftp_server_ips="$ext_1_ip" + state: present + when: + - "groups['ftp_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + - name: Configure main_ipv4.conf (mumble_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*mumble_server_ips=' + line: mumble_server_ips="$ext_1_ip" + state: present + when: + - "groups['mumble_server']|string is search(inventory_hostname)" + - not main_ipv4_exists.stat.exists + - cp_main_ipv4 is changed + + # Configure main_ipv6.conf + # + - name: Configure main_ipv6.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (ssh_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*ssh_server_ips' + line: ssh_server_ips="$ext_ips" + state: present + when: + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (http_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*http_server_ips=' + line: http_server_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (mail_client_ips) + lineinfile: + path: 
/etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*mail_client_ips=' + line: mail_client_ips="$ext_1_ip" + state: present + when: + - "groups['apache2_webserver']|string is search(inventory_hostname) or + groups['nginx_webserver']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (smtpd_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*smtpd_ips=' + line: smtpd_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (mail_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*mail_server_ips=' + line: mail_server_ips="$ext_1_ip" + state: present + when: + - "groups['mail_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (ftp_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*ftp_server_ips=' + line: ftp_server_ips="$ext_1_ip" + state: present + when: + - "groups['ftp_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + - name: Configure main_ipv6.conf (mumble_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^\s*mumble_server_ips=' + line: mumble_server_ips="$ext_1_ip" + state: present + when: + - "groups['mumble_server']|string is search(inventory_hostname)" + - not main_ipv6_exists.stat.exists + - cp_main_ipv6 is changed + + # --- + # Host independet configuration files + # --- + + - name: Check if common configuration files are latest + shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1' + changed_when: "diff_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + 
failed_when: "diff_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - default_ports.conf + - post_decalrations.conf + register: diff_output + + - name: Ensure common configuration files are latest + command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} + loop: + - include_functions.conf + - load_modules_ipv4.conf + - load_modules_ipv6.conf + - logging_ipv4.conf + - logging_ipv6.conf + - default_ports.conf + - post_decalrations.conf + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + + # --- + # Firewall scripts + # --- + + - name: Check if firewall scripts are latest + shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1' + changed_when: "diff_script_output.rc > 0" + # diff_output.rc + # 0 -> unchanged + # 1 -> changed + # 2 -> not present + failed_when: "diff_script_output.rc > 2" + when: git_firewall_repository is defined and git_firewall_repository > 0 + loop: + - ipt-firewall-server + - ip6t-firewall-server + register: diff_script_output + + - name: Ensure firewall scripts are latest + command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} + loop: + - ipt-firewall-server + - ip6t-firewall-server + when: + - git_firewall_repository is defined and git_firewall_repository > 0 + - diff_script_output.changed + notify: + - Restart IPv4 Firewall + - Restart IPv6 Firewall + + handlers: + + - name: Restart ulogd + service: + name: ulogd + state: restarted + + - name: Restart IPv4 Firewall + service: + name: ipt-firewall + state: restarted + + - name: Restart IPv6 Firewall + service: + name: ip6t-firewall + state: restarted 
diff --git a/scripts/install-ulogd.yml b/scripts/install-ulogd.yml
new file mode 100644
index 0000000..51f3bdc
--- /dev/null
+++ b/scripts/install-ulogd.yml
@@ -0,0 +1,132 @@ +--- + +- hosts: extra_hosts + + tasks: + + - name: (apt.yml) apt update + apt: + update_cache: true + cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}" + when: apt_update|bool + + - name: (apt.yml) dpkg --configure + command: > + dpkg --configure -a + args: + warn: false + changed_when: _dpkg_configure.stdout_lines | length + register: _dpkg_configure + when: apt_dpkg_configure|bool + + - name: Install ulogd2 + apt: + name: ulogd2 + state: present + default_release: "{{ ansible_distribution_release }}" + tags: + - ulogd + - apt-ulogd + + - name: Check if file '/etc/ulogd.conf.ORIG' exists + stat: + path: /etc/ulogd.conf.ORIG + register: ulogd_conf_orig_exists + tags: + - ulogd + + - name: Backup existing file /etc/ulogd.conf + command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG + when: ulogd_conf_orig_exists.stat.exists == False + tags: + - ulogd + + - name: Check if String 'stack=firewall11=..' is present + shell: grep -q -E "^\s*stack=firewall11" /etc/ulogd.conf + register: stack_firewall11_present + failed_when: "stack_firewall11_present.rc > 1" + changed_when: "stack_firewall11_present.rc > 0" + + + - name: Adjust file '/etc/ulogd.conf' 1/2 + blockinfile: + path: /etc/ulogd.conf + insertafter: '^#?\s*plugin="/usr/lib' + block: | + + # ==================================================================== + # Define two new plugin stacks inside for iptables logging + # ==================================================================== + # - + # - firewall11 - for IPv4 Firewall + # - firewall12 - for IPv6 Firewall + # - + stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU + stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU + + marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2" + state: present + #register: ulogd_conf_1 + when: stack_firewall11_present is changed + notify: Restart ulogd + + - name: 
Check if String '[firewall11]' is present + shell: grep -q -E "^\s*\[firewall11\]" /etc/ulogd.conf + register: stack_group_firewall11_present + failed_when: "stack_group_firewall11_present.rc > 1" + changed_when: "stack_group_firewall11_present.rc > 0" + + - name: Adjust file '/etc/ulogd.conf' 2/2 + blockinfile: + path: /etc/ulogd.conf + insertafter: EOF + block: | + + # ========================================================= + # Define input plugins using specified netlink group inside + # ========================================================= + [firewall11] + group=11 + + [firewall12] + group=12 + + + # ===================== + # Define output plugins + # ===================== + + [emu11] + file="/var/log/ulog/iptables.log" + sync=1 + + [emu12] + file="/var/log/ulog/ip6tables.log" + sync=1 + + marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2" + state: present + #register: ulogd_conf_2 + when: stack_group_firewall11_present is changed + notify: Restart ulogd + + # --- + # Remove Marker set by blockinfile + # --- + + - name: Remove marker + replace : + path: /etc/ulogd.conf + regexp: "^#.*ANSIBLE MANAGED BLOCK.*$" + replace: "" + #register: marker_ipv4_removed + + + + handlers: + + - name: Restart ulogd + service: + name: ulogd + state: restarted + diff --git a/scripts/install-update-firewall.yml b/scripts/install-update-firewall.yml new file mode 100644 index 0000000..a7a99f3 --- /dev/null +++ b/scripts/install-update-firewall.yml 
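Review bot: The `ulogd` / `apt-ulogd` tags cover only the "Install ulogd2", "Check if file '/etc/ulogd.conf.ORIG' exists" and "Backup existing file" tasks, so a run with `--tags ulogd` installs the package but skips both grep checks, both `blockinfile` edits and the "Remove marker" task, leaving the service with its stock configuration and none of the NFLOG stacks; either every task in this play should carry the tag or the tags should go. `when: ulogd_conf_orig_exists.stat.exists == False` is a literal comparison that ansible-lint rejects; the idiomatic form is `when: not ulogd_conf_orig_exists.stat.exists`. `replace :` in the "Remove marker" task has a space before the colon; it still parses as the `replace` key, but it should be written `replace:` like every other module key in the file. The two LOGEMU outputs write every NFLOG-forwarded packet to `/var/log/ulog/iptables.log` and `ip6tables.log` with `sync=1`, yet nothing in the play creates that directory, sets the files' mode or rotates them, so whether those logs (which record addresses of rejected traffic) end up root-only and bounded in size presumably rests on the ulogd2 package defaults — worth confirming, and worth a comment above the second `blockinfile` stating that assumption.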
@@ -0,0 +1,947 @@ +--- + +- hosts: all + + tasks: + + # --- + # Create firewall config directory '/etc/ipt/firewall' if not exists + # --- + # + - name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository > 0 + tags: + - git-firewall-repository + + - name: Create directory /etc/ipt-firewall if not exists + file: + path: /etc/ipt-firewall + state: directory + + # --- + # Check presence of files + # --- + + - name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present + stat: + path: /etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + + - name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + + - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv4_exists + + - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv6_exists + + - name: Check if /etc/ipt-firewall/ban_ipv4.list are present + stat: + path: /etc/ipt-firewall/ban_ipv4.list + register: ban_ipv4_exists + + - name: Check if /etc/ipt-firewall/ban_ipv6.list are present + stat: + path: /etc/ipt-firewall/ban_ipv6.list + register: ban_ipv6_exists + + # --- + # Get information about network devices + # --- + + - name: define traditional ethernet facts + set_fact: + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether' + - inventory_hostname not in groups['lxc_host']|string + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: define 
traditional ibridge facts + set_fact: + #ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}" + ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}" + when: + - not interfaces_ipv4_exists.stat.exists + - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge' + - "groups['lxc_host']|string is search(inventory_hostname)" + with_items: + - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}" + + - name: Debug message + debug: + msg: + - "index: {{ idx + 1 }}" + - "device: {{ item.device }}" + - "ipv4-address {{ item.ipv4.address }} " + - "ipv6-address: {{ item.ipv6.0.address }}" + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv4_exists.stat.exists + + # --- + # Get sshd ports + # --- + + - name: Get sshd ports as blank separated list + set_fact: + fw_sshd_ports: "{{ sshd_ports | join (' ') }}" + when: + - sshd_ports is defined and sshd_ports | length > 0 + - sshd_ports|join() != "22" + + - name: Set default sshd ports + set_fact: + fw_sshd_ports: "$standard_ssh_port" + when: + - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22" + + # === + # Modify main_ipv[4|].conf - add port definitionios + # === + + # --- + # vpn_ports + # --- + + - name: Check if String 'vpn_ports=..' 
is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf + register: vpn_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "vpn_ports_ipv4_present.rc > 1" + changed_when: "vpn_ports_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv4_exists.stat.exists + - vpn_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'vpn_ports=..' is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf + register: vpn_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "vpn_ports_ipv6_present.rc > 1" + changed_when: "vpn_ports_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv6_exists.stat.exists + - vpn_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # ssh_ports + # --- + + - name: Check if String 'ssh_ports=..' 
is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf + register: ssh_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "ssh_ports_ipv4_present.rc > 1" + changed_when: "ssh_ports_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="{{ fw_sshd_ports }}" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv4_exists.stat.exists + - ssh_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'ssh_ports=..' is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf + register: ssh_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "ssh_ports_ipv6_present.rc > 1" + changed_when: "ssh_ports_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="{{ fw_sshd_ports }}" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv6_exists.stat.exists + - ssh_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # http_ports + # --- + + - name: Check if String 'http_ports=..' 
is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf + register: http_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv4_present.rc > 1" + changed_when: "http_ports_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv4_exists.stat.exists + - http_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'http_ports=..' is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf + register: http_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv6_present.rc > 1" + changed_when: "http_ports_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv6_exists.stat.exists + - http_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # mail_user_ports + # --- + + - name: Check if String 'mail_user_ports=..' 
is present + shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mail_user_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mail_user_ports_ipv4_present.rc > 1" + changed_when: "mail_user_ports_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mail_server_ips' + block: | + # - Client Ports used by local Mail Services + # - + # - comma separated list + # - + mail_user_ports="$standard_mailuser_ports" + + marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" + when: + - main_ipv4_exists.stat.exists + - mail_user_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'mail_user_ports=..' is present + shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf + register: mail_user_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "mail_user_ports_ipv6_present.rc > 1" + changed_when: "mail_user_ports_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mail_server_ips' + block: | + # - Client Ports used by local Mail Services + # - + # - comma separated list + # - + mail_user_ports="$standard_mailuser_ports" + + marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" + when: + - main_ipv6_exists.stat.exists + - mail_user_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # ftp_passive_port_range + # --- + + - name: Check if String 'ftp_passive_port_range=..' 
is present + shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf + register: ftp_passive_port_range_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "ftp_passive_port_range_ipv4_present.rc > 1" + changed_when: "ftp_passive_port_range_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_ftp_server_ips' + block: | + # - FTP passive port range use by local ftp service(s) + # - + # - example: ftp_passive_port_range="50000:50400" + # - + ftp_passive_port_range="50000:50400" + + marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" + when: + - main_ipv4_exists.stat.exists + - ftp_passive_port_range_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'ftp_passive_port_range=..' is present + shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf + register: ftp_passive_port_range_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "ftp_passive_port_range_ipv6_present.rc > 1" + changed_when: "ftp_passive_port_range_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_ftp_server_ips' + block: | + # - FTP passive port range use by local ftp service(s) + # - + # - example: ftp_passive_port_range="50000:50400" + # - + ftp_passive_port_range="50000:50400" + + marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)" + when: + - main_ipv6_exists.stat.exists + - ftp_passive_port_range_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # munin_remote_port + # --- + + - name: Check if String 'munin_remote_port=..' 
is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf + register: munin_remote_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv4_present.rc > 1" + changed_when: "munin_remote_port_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Port used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv4_exists.stat.exists + - munin_remote_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'munin_remote_port=..' is present + shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf + register: munin_remote_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "munin_remote_port_ipv6_present.rc > 1" + changed_when: "munin_remote_port_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_munin_server_ips' + block: | + # - Ports used by clients hosted on this (local) Munin Services + # - + # - !! Only one port is possible !! + # - + munin_remote_port="$standard_munin_port" + + marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)" + when: + - main_ipv6_exists.stat.exists + - munin_remote_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # xymon_port + # --- + + - name: Check if String 'xymon_port=..' 
is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf + register: xymon_port_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv4_present.rc > 1" + changed_when: "xymon_port_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv4_exists.stat.exists + - xymon_port_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'xymon_port=..' is present + shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf + register: xymon_port_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "xymon_port_ipv6_present.rc > 1" + changed_when: "xymon_port_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*local_xymon_client' + block: | + # - Port used by local Xymon Services + # - + # - !! Only one port is possible !! + # - + xymon_port="$standard_xymon_port" + + marker: "# Marker set by modify-ipt-server.yml (xymon_port)" + when: + - main_ipv6_exists.stat.exists + - xymon_port_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # mumble_ports + # --- + + - name: Check if String 'mumble_ports=..' 
is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mumble_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mumble_ports_ipv4_present.rc > 1" + changed_when: "mumble_ports_ipv4_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv4_exists.stat.exists + - mumble_ports_ipv4_present is changed + notify: + - Restart IPv4 Firewall + + - name: Check if String 'mumble_ports=..' is present + shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf + register: mumble_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "mumble_ports_ipv6_present.rc > 1" + changed_when: "mumble_ports_ipv6_present.rc > 0" + + - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_mumble_server_ips' + block: | + # - Ports used by local Mumble Services + # - + # - comma separated list + # - + mumble_ports="$standard_mumble_port" + + marker: "# Marker set by modify-ipt-server.yml (mumble_ports)" + when: + - main_ipv6_exists.stat.exists + - mumble_ports_ipv6_present is changed + notify: + - Restart IPv6 Firewall + + # --- + # Remove Marker set by blockinfile + # --- + + - name: Remove marker IPv4 + replace : + path: /etc/ipt-firewall/main_ipv4.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - main_ipv4_exists.stat.exists + + - name: Remove marker IPv6 + replace : + path: 
/etc/ipt-firewall/main_ipv6.conf + regexp: "^# Marker set by modify-ipt-server.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - main_ipv6_exists.stat.exists + + + # === + # Update/Modify firewall + # === + + # --- + # Host specific configuration files + # --- + + # /etc/ipt-firewall/interfaces_ipv[4|6].conf + # + - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf + when: not interfaces_ipv4_exists.stat.exists + register: new_interfaces_ipv4 + notify: + - Restart IPv4 Firewall + + + - name: Configure interfaces_ipv4.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_if_{{ idx + 1 }}=' + line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + + - name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: '^ext_{{ idx + 1 }}_ip=' + line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv4_exists.stat.exists + - new_interfaces_ipv4 is changed + + - name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf + when: not interfaces_ipv6_exists.stat.exists + register: new_interfaces_ipv6 + notify: + - Restart IPv6 Firewall + + - name: Configure interfaces_ipv6.conf 1/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_if_{{ idx + 1 }}=' + line: 'ext_if_{{ idx + 1 }}="{{ item.device 
}}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + + - name: Configure interfaces_ipv4.conf 2/2 + lineinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: '^ext_{{ idx + 1 }}_ip=' + line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"' + loop: "{{ ansible_netdev }}" + loop_control: + label: "{{ item.device }}" + index_var: idx + when: + - not interfaces_ipv6_exists.stat.exists + - new_interfaces_ipv6 is changed + + # /etc/ipt-firewall/ban_ipv[4|6].list + # + - name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list + when: not ban_ipv4_exists.stat.exists + + - name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list' + command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list + when: not ban_ipv6_exists.stat.exists + + # /etc/ipt-firewall/main_ipv[4|6].conf + # + - name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf + when: not main_ipv4_exists.stat.exists + register: cp_main_ipv4 + notify: + - Restart IPv4 Firewall + + - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf' + command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf + when: not main_ipv6_exists.stat.exists + register: cp_main_ipv6 + notify: + - Restart IPv6 Firewall + + # Configure main_ipv4.conf + # + - name: Configure main_ipv4.conf (dns_server_ips) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^\s*dns_server_ips' + line: dns_server_ips="$ext_ips" + state: present + when: + - "groups['dns_server']|string is search(inventory_hostname)" + - not 
main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (ssh_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*ssh_server_ips'
+ line: ssh_server_ips="$ext_ips"
+ state: present
+ when:
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (http_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*http_server_ips='
+ line: http_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['apache2_webserver']|string is search(inventory_hostname) or
+ groups['nginx_webserver']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (mail_client_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*mail_client_ips='
+ line: mail_client_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['apache2_webserver']|string is search(inventory_hostname) or
+ groups['nginx_webserver']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (smtpd_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*smtpd_ips='
+ line: smtpd_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (mail_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*mail_server_ips='
+ line: mail_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (ftp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*ftp_server_ips='
+ line: ftp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['ftp_server']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ - name: Configure main_ipv4.conf (mumble_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: '^\s*mumble_server_ips='
+ line: mumble_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mumble_server']|string is search(inventory_hostname)"
+ - not main_ipv4_exists.stat.exists
+ - cp_main_ipv4 is changed
+
+ # Configure main_ipv6.conf
+ #
+ - name: Configure main_ipv6.conf (dns_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*dns_server_ips'
+ line: dns_server_ips="$ext_ips"
+ state: present
+ when:
+ - "groups['dns_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (ssh_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*ssh_server_ips'
+ line: ssh_server_ips="$ext_ips"
+ state: present
+ when:
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (http_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*http_server_ips='
+ line: http_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['apache2_webserver']|string is search(inventory_hostname) or
+ groups['nginx_webserver']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (mail_client_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mail_client_ips='
+ line: mail_client_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['apache2_webserver']|string is search(inventory_hostname) or
+ groups['nginx_webserver']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (smtpd_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*smtpd_ips='
+ line: smtpd_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (mail_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mail_server_ips='
+ line: mail_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mail_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (ftp_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*ftp_server_ips='
+ line: ftp_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['ftp_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ - name: Configure main_ipv6.conf (mumble_server_ips)
+ lineinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: '^\s*mumble_server_ips='
+ line: mumble_server_ips="$ext_1_ip"
+ state: present
+ when:
+ - "groups['mumble_server']|string is search(inventory_hostname)"
+ - not main_ipv6_exists.stat.exists
+ - cp_main_ipv6 is changed
+
+ # ---
+ # Host independet configuration files
+ # ---
+
+ - name: Check if common configuration files are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ register: diff_output
+
+ - name: Ensure common configuration files are latest
+ command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+ loop:
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - default_ports.conf
+ - post_decalrations.conf
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+ # ---
+ # Firewall scripts
+ # ---
+
+ - name: Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ register: diff_script_output
+
+ - name: Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+ handlers:
+
+ - name: Restart ulogd
+ service:
+ name: ulogd
+ state: restarted
+
+ - name: Restart IPv4 Firewall
+ service:
+ name: ipt-firewall
+ state: restarted
+
+ - name: Restart IPv6 Firewall
+ service:
+ name: ip6t-firewall
+ state: restarted
diff --git a/scripts/modify-ipt-server.yml b/scripts/modify-ipt-server.yml
new file mode 100644
index 0000000..e9b9e47
--- /dev/null
+++ b/scripts/modify-ipt-server.yml
@@ -0,0 +1,441 @@
+---
+
+- hosts: all
+
+ tasks:
+
+ - name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ register: main_ipv4_exists
+
+ - name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
+ stat:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ register: main_ipv6_exists
+
+ # ---
+ # vpn_ports
+ # ---
+
+ - name: Check if String 'vpn_ports=..' is present
+ shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: vpn_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "vpn_ports_ipv4_present.rc > 1"
+ changed_when: "vpn_ports_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_vpn_server_ips'
+ block: |
+ # - VPN Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ vpn_ports="$standard_vpn_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - vpn_ports_ipv4_present is changed
+
+ - name: Check if String 'vpn_ports=..' is present
+ shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: vpn_ports_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "vpn_ports_ipv6_present.rc > 1"
+ changed_when: "vpn_ports_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_vpn_server_ips'
+ block: |
+ # - VPN Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ vpn_ports="$standard_vpn_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - vpn_ports_ipv6_present is changed
+
+ # ---
+ # ssh_ports
+ # ---
+
+ - name: Check if String 'ssh_ports=..' is present
+ shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: ssh_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ssh_ports_ipv4_present.rc > 1"
+ changed_when: "ssh_ports_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_ssh_server_ips'
+ block: |
+ # - SSH Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ ssh_ports="$standard_ssh_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ssh_ports_ipv4_present is changed
+
+ - name: Check if String 'ssh_ports=..' is present
+ shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: ssh_ports_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "ssh_ports_ipv6_present.rc > 1"
+ changed_when: "ssh_ports_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_ssh_server_ips'
+ block: |
+ # - SSH Port(s) used by local Services
+ # -
+ # - blank separated list
+ # -
+ ssh_ports="$standard_ssh_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ssh_ports_ipv6_present is changed
+
+ # ---
+ # http_ports
+ # ---
+
+ - name: Check if String 'http_ports=..' is present
+ shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: http_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "http_ports_ipv4_present.rc > 1"
+ changed_when: "http_ports_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_http_server_ips'
+ block: |
+ # - HTTP(S) Ports used by local Services
+ # -
+ # - comma separated list
+ # -
+ http_ports="$standard_http_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (http_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - http_ports_ipv4_present is changed
+
+ - name: Check if String 'http_ports=..' is present
+ shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: http_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "http_ports_ipv6_present.rc > 1"
+ changed_when: "http_ports_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_http_server_ips'
+ block: |
+ # - HTTP(S) Ports used by local Services
+ # -
+ # - comma separated list
+ # -
+ http_ports="$standard_http_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (http_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - http_ports_ipv6_present is changed
+
+ # ---
+ # mail_user_ports
+ # ---
+
+ - name: Check if String 'mail_user_ports=..' is present
+ shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: mail_user_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mail_user_ports_ipv4_present.rc > 1"
+ changed_when: "mail_user_ports_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_mail_server_ips'
+ block: |
+ # - Client Ports used by local Mail Services
+ # -
+ # - comma separated list
+ # -
+ mail_user_ports="$standard_mailuser_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - mail_user_ports_ipv4_present is changed
+
+ - name: Check if String 'mail_user_ports=..' is present
+ shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: mail_user_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mail_user_ports_ipv6_present.rc > 1"
+ changed_when: "mail_user_ports_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mail_server_ips'
+ block: |
+ # - Client Ports used by local Mail Services
+ # -
+ # - comma separated list
+ # -
+ mail_user_ports="$standard_mailuser_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mail_user_ports_ipv6_present is changed
+
+ # ---
+ # ftp_passive_port_range
+ # ---
+
+ - name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
+ register: ftp_passive_port_range_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ftp_passive_port_range_ipv4_present is changed
+
+ - name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
+ register: ftp_passive_port_range_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ftp_passive_port_range_ipv6_present is changed
+
+ # ---
+ # munin_remote_port
+ # ---
+
+ - name: Check if String 'munin_remote_port=..' is present
+ shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
+ register: munin_remote_port_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "munin_remote_port_ipv4_present.rc > 1"
+ changed_when: "munin_remote_port_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_munin_server_ips'
+ block: |
+ # - Port used by clients hosted on this (local) Munin Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ munin_remote_port="$standard_munin_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - munin_remote_port_ipv4_present is changed
+
+ - name: Check if String 'munin_remote_port=..' is present
+ shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
+ register: munin_remote_port_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "munin_remote_port_ipv6_present.rc > 1"
+ changed_when: "munin_remote_port_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_munin_server_ips'
+ block: |
+ # - Ports used by clients hosted on this (local) Munin Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ munin_remote_port="$standard_munin_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - munin_remote_port_ipv6_present is changed
+
+ # ---
+ # xymon_port
+ # ---
+
+ - name: Check if String 'xymon_port=..' is present
+ shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
+ register: xymon_port_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "xymon_port_ipv4_present.rc > 1"
+ changed_when: "xymon_port_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*local_xymon_client'
+ block: |
+ # - Port used by local Xymon Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ xymon_port="$standard_xymon_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - xymon_port_ipv4_present is changed
+
+ - name: Check if String 'xymon_port=..' is present
+ shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
+ register: xymon_port_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "xymon_port_ipv6_present.rc > 1"
+ changed_when: "xymon_port_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*local_xymon_client'
+ block: |
+ # - Port used by local Xymon Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ xymon_port="$standard_xymon_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - xymon_port_ipv6_present is changed
+
+ # ---
+ # mumble_ports
+ # ---
+
+ - name: Check if String 'mumble_ports=..' is present
+ shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: mumble_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mumble_ports_ipv4_present.rc > 1"
+ changed_when: "mumble_ports_ipv4_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_mumble_server_ips'
+ block: |
+ # - Ports used by local Mumble Services
+ # -
+ # - comma separated list
+ # -
+ mumble_ports="$standard_mumble_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - mumble_ports_ipv4_present is changed
+
+ - name: Check if String 'mumble_ports=..' is present
+ shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: mumble_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mumble_ports_ipv6_present.rc > 1"
+ changed_when: "mumble_ports_ipv6_present.rc > 0"
+
+ - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mumble_server_ips'
+ block: |
+ # - Ports used by local Mumble Services
+ # -
+ # - comma separated list
+ # -
+ mumble_ports="$standard_mumble_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mumble_ports_ipv6_present is changed
+
+ # ---
+ # Remove Marker set by blockinfile
+ # ---
+
+ - name: Remove marker IPv4
+ replace :
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: "^# Marker set by modify-ipt-server.yml.*$"
+ replace: ""
+ register: marker_ipv4_removed
+ #failed_when: "marker_ipv4_removed.rc > 1"
+ #changed_when: "marker_ipv4_removed.rc < 1"
+ when:
+ - main_ipv4_exists.stat.exists
+
+ - name: Remove marker IPv6
+ replace :
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: "^# Marker set by modify-ipt-server.yml.*$"
+ replace: ""
+ register: marker_ipv6_removed
+ #failed_when: "marker_ipv6_removed.rc > 1"
+ #changed_when: "marker_ipv6_removed.rc < 1"
+ when:
+ - main_ipv6_exists.stat.exists
diff --git a/scripts/test.yml b/scripts/test.yml
index c113857..d27b29e 100644
--- a/scripts/test.yml
+++ b/scripts/test.yml
@@ -1,19 +1,19 @@
 ---
-- hosts: o25.oopen.de
+- hosts: all
+
 tasks:
-
- - name: debug print all interface ipv4 data
- when: "hostvars[ansible_fqdn]['ansible_'~item]['ipv4'] is defined"
- debug:
- msg="{{ hostvars[ansible_fqdn]['ansible_'~item]['ipv4'] | pprint }}"
- with_items:
- - "{{ ansible_interfaces | map('replace', '-','_') | list }}"
-
- - name: define traditional ethernet facts
+
+ - name: Get sshd ports as blank separated list
 set_fact:
- ansible_eth: "{% set ansible_eth = ansible_eth|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_eth|list }}"
- when: hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
- with_items:
- - "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
+ fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
+ when:
+ - sshd_ports is defined and sshd_ports | length > 0
+ - sshd_ports|join() != "22"
+
+ - name: Set default sshd ports
+ set_fact:
+ fw_sshd_ports: "$standard_ssh_port"
+ when:
+ - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"