Reduce output from ansible playbooks. Some minor changes.

This commit is contained in:
Christoph 2019-07-03 04:14:14 +02:00
parent 21fcd86115
commit 505cdbf120
25 changed files with 3158 additions and 615 deletions


@ -10,6 +10,10 @@ apt_ansible_dependencies:
- python3
- python3-apt
- lsb-release
- apt-transport-https
- apt-transport-tor
- dbus
- sudo
- vim
@ -66,8 +70,30 @@ sshd_password_authentication: !!str "no"
sshd_print_motd: !!str "no"
# sshd_kexalgorithms
#
# Example:
# sshd_kexalgorithms:
# - curve25519-sha256@libssh.org
# - diffie-hellman-group-exchange-sha256
# - diffie-hellman-group14-sha1
#
sshd_kexalgorithms: {}
# sshd_kexalgorithms
#
# Example:
# sshd_ciphers:
# - chacha20-poly1305@openssh.com
# - aes256-gcm@openssh.com
# - aes256-ctr
sshd_ciphers: {}
sshd_use_dns: !!str "no"
sshd_allowed_users: {}
# ---
# vars used by apt.yml
@ -96,224 +122,230 @@ apt_upgrade_dpkg_options:
- force-confold
apt_initial_install_stretch:
- openssh-server
- rssh
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- apt-transport-https
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- exuberant-ctags
- mime-support
- file
- coreutils
- moreutils
- less
- realpath
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.24
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man-db
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
- apt-transport-https
- apt-transport-tor
- dbus
- openssh-server
- rssh
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- apt-transport-https
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- exuberant-ctags
- mime-support
- file
- coreutils
- moreutils
- less
- realpath
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.24
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man-db
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
apt_initial_install_buster:
- openssh-server
- rush
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- apt-transport-https
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- ctags
- mime-support
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.28
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
- apt-transport-https
- apt-transport-tor
- dbus
- openssh-server
- rush
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- bc
- figlet
- rcconf
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- apt-transport-https
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- ctags
- mime-support
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules-5.28
- perl-doc
- libperl-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- libreadline5
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- telnet
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
apt_install_compiler_pkgs: false
apt_compiler_pkgs:
@ -436,6 +468,7 @@ apt_lxc_host_pkgs:
- lxc
- btrfs-tools
- lua5.3
- ntp
apt_install: {}
apt_install_state: latest
@ -486,8 +519,87 @@ webadmin_user: {}
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
# /etc/sudoers
#
# see: roles/common/tasks/vars
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
sudoers_remove_user:
- back
- www-data
# /etc/sudoers.d/50-user
#
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases: []
sudoers_file_runas_aliases: []
sudoers_file_user_back_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/rsync'
- 'ALL=(root) NOPASSWD: /usr/bin/find'
- 'ALL=(root) NOPASSWD: /usr/bin/realpath'
sudoers_file_user_back_postgres_privileges:
- 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
- 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump'
- 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall'
sudoers_file_user_back_disk_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/which'
- 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
- 'ALL=(root) NOPASSWD: /sbin/fdisk'
- 'ALL=(root) NOPASSWD: /sbin/sgdisk'
- 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*'
- 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*'
- 'ALL=(root) NOPASSWD: /sbin/parted'
- 'ALL=(root) NOPASSWD: /sbin/gdisk'
sudoers_file_user_webadmin_disk_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mailq'
- 'ALL=(root) NOPASSWD: /usr/bin/tail'
- 'ALL=(root) NOPASSWD: /usr/bin/view'
sudoers_file_dns_server_privileges:
- name: manage-bind
entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*'
- name: manage-bind
entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*'
- name: chris
entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*'
sudoers_file_postfixadmin_privileges:
- name: www-data
entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh'
- name: www-data
entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh'
sudoers_file_user_privileges: []
sudoers_file_group_privileges: []
# ---
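Review bot: The wildcard entries under `sudoers_file_user_back_disk_privileges` are wider than they look, because a `*` in a sudoers command spec matches any characters including spaces, so `/bin/dd if=/dev/*` also admits `dd if=/dev/zero of=/etc/shadow`, and `/sbin/sfdisk -d /dev/*` and `/sbin/hdparm -I /dev/*` admit extra arguments the same way. Several exact-path entries are root-shell primitives as well: `find` (`-exec`), `rsync` (`-e`, `--rsync-path`) and `view` (vim, `:!sh`) run as root with NOPASSWD, and `fdisk`/`sgdisk`/`parted`/`gdisk` are unrestricted, so the `back` user can rewrite partition tables. I would replace the wildcard and shell-capable entries with a fixed wrapper script that accepts no free arguments and head the list with `# NOTE: every entry here is effectively root for the listed user; keep argument lists exact, never a trailing *`. In the sshd hunk above, `sshd_kexalgorithms: {}` and `sshd_ciphers: {}` are mappings while the examples show lists, the second comment header still says `sshd_kexalgorithms`, and the example includes `diffie-hellman-group14-sha1`, which is worth dropping before someone copies it.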
@ -500,8 +612,238 @@ acl_caching_nameserver: {}
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# Firewall repository
# ---
git_firewall_repository: []
# ---
# all servers
# ---
git_default_repositories:
# script repositories (destination /root/bin/)
- name: admin-stuff
repo: https://git.oopen.de/script/admin-stuff
dest: /root/bin/admin-stuff
- name: postfix
repo: https://git.oopen.de/script/postfix
dest: /root/bin/postfix
# install repositories (destination: /usr/local/src/)
- name: mailsystem
repo: https://git.oopen.de/install/mailsystem
dest: /usr/local/src/mailsystem
# ---
# group [lxc_host]
# ---
git_lxc_host_repositories:
# Monitoring
- name: monitoring
repo: https://git.oopen.de/script/monitoring
dest: /root/bin/monitoring
# LXC
- name: LXC
repo: https://git.oopen.de/script/LXC
dest: /root/bin/LXC
# firewall
- name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# group [lxc_guest]
# ---
git_lxc_guest_repositories:
# dehydrated-cron
- name: dehydrated-cron
repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
dest: /usr/local/src/dehydrated-cron
# firewall
- name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# group [gateway_server]
# ---
git_gateway_repositories:
# firewall
- name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ---
# group [apache2_webserver]
# ---
git_apache2_repositories:
# script repositories (destination /root/bin/)
- name: apache2
repo: https://git.oopen.de/script/apache2
dest: /root/bin/apache2
# install repositories (destination: /usr/local/src/)
- name: apache2
repo: https://git.oopen.de/install/apache2
dest: /usr/local/src/apache2
- name: php
repo: https://git.oopen.de/install/php
dest: /usr/local/src/php
# ---
# group [nginx_webserver]
# ---
git_nginx_repositories: []
# ---
# group [mysql_server]
# ---
git_mysql_repositories:
# script repositories (destination /root/bin/)
- name: mysql
repo: https://git.oopen.de/script/mysql
dest: /root/bin/mysql
# install repositories (destination: /usr/local/src/)
- name: mysql
repo: https://git.oopen.de/install/mysql
dest: /usr/local/src/mysql
# ---
# group [postgresql_server]
# ---
git_postgresql_repositories:
# script repositories (destination /root/bin/)
- name: postgres
repo: https://git.oopen.de/script/postgres
dest: /root/bin/postgres
# ---
# group [nextcloud_server]
# ---
git_nextcloud_repositories:
# script repositories (destination /root/bin/)
- name: nextcloud
repo: https://git.oopen.de/script/nextcloud
dest: /root/bin/nextcloud
# install repositories (destination: /usr/local/src/)
- name: nextcloud
repo: https://git.oopen.de/install/nextcloud
dest: /usr/local/src/nextcloud
# ---
# group [dns_server]
# ---
git_dns_repositories:
# script repositories (destination /root/bin/)
- name: bind
repo: https://git.oopen.de/script/bind
dest: /root/bin/bind
# ---
# group [backup_server]
# ---
git_backup_repositories:
# script repositories (destination /root/bin/)
- name: backup-rcopy
repo: https://git.oopen.de/backup/backup-rcopy
dest: /root/crontab/backup-rcopy
# ---
# group [samba_server]
# ---
git_samba_repositories:
# script repositories (destination /root/bin/)
- name: samba
repo: https://git.oopen.de/script/samba
dest: /root/bin/samba
# ---
# group [mail_server]
# ---
git_mailserver_repositories:
# script repositories (destination /root/bin/)
- name: apache2
repo: https://git.oopen.de/script/apache2
dest: /root/bin/apache2
- name: postfix
repo: https://git.oopen.de/script/postfix
dest: /root/bin/postfix
- name: monitoring
repo: https://git.oopen.de/script/monitoring
dest: /root/bin/monitoring
# install repositories (destination: /usr/local/src/)
- name: apache2
repo: https://git.oopen.de/install/apache2
dest: /usr/local/src/apache2
- name: php
repo: https://git.oopen.de/install/php
dest: /usr/local/src/php
- name: mailsystem
repo: https://git.oopen.de/install/mailsystem
dest: /usr/local/src/mailsystem
- name: fail2ban
repo: https://git.oopen.de/install/fail2ban
dest: /usr/local/src/fail2ban
# let's encrypt
- name: dehydrated-cron
repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
dest: /usr/local/src/dehydrated-cron
# ---
# group [sympa_list_servers]
# ---
git_sympa_repositories:
# install repositories (destination: /usr/local/src/)
- name: sympa
repo: https://git.oopen.de/install/sympa
dest: /usr/local/src/sympa
# ---
# Use this for host specific repositories defined in files git-<hostname>.yaml
#
# see: roles/common/tasks/vars
# Leave empty here
# ---
git_other_repositories: []
# ==============================


@ -0,0 +1,126 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_root_ssh_keypair: true
root_ssh_keypair:
- name: backup
login: root
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-rsa 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 chris@luna'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa 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 chris@luna'
- 'ssh-rsa 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 root@luna'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-rsa 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 chris@luna'
sudo_users:
- chris
- sysadm
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
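Review bot: `root_ssh_keypair` installs one private key from the controller (`root/.ssh/id_ed25519.oopen-server`) as `/root/.ssh/id_ed25519` on every host where `insert_root_ssh_keypair` is true and authorises it for root on `target: backup.oopen.de`, so a single root credential for the backup server ends up on the whole fleet and a compromise of any one host reaches the backups. Generating the key per host (e.g. Ansible's `openssh_keypair`) and restricting the matching authorized_keys entry (`from=`, `command=`, or a non-root backup account) would contain that. The crypt(3) hashes for `chris`, `sysadm`, `back` and `root_user` are committed in clear in host_vars; they are offline-crackable if the repository leaks and belong in `ansible-vault` (`password: !vault |` …) rather than plain YAML. The empty vars sections above (`ansible_dependencies`, `sshd`, `apt`, …) could be dropped to keep the file to what this host actually overrides.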


@ -107,9 +107,11 @@ sudo_users:
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
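Review bot: `git_firewall_repository` carries no `version:`, so the task that consumes it (the firewall-repository task in git.yml) checks out whatever the default branch of `https://git.oopen.de/firewall/ipt-server` points to at run time, which makes this host's firewall ruleset a moving target that can change between runs without any change in this inventory. For a firewall it would be worth adding `version: <tag or commit id>` here and passing `version: "{{ git_firewall_repository.version | default('HEAD') }}"` in the git task so the deployed revision is recorded alongside the host. The shared default for this variable is `[]` while this host sets a mapping; the consumer's `when:` check needs to accept both.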


@ -118,8 +118,6 @@ sudo_users:
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================


@ -119,8 +119,11 @@ sudo_users:
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================

hosts

@ -11,6 +11,12 @@ dns1.warenform.de
a.ns.oopen.de
[extra_hosts]
o25.oopen.de
test.mx.oopen.de
rage.so36.net:1036 ansible_user=ckubu
[initial_setup]
# ---
@ -139,6 +145,12 @@ mail.faire-mobilitaet.de
# - Vserver von Sinma
a.ns.oopen.de
# ---
# O.OPEN office network
# ---
gw-ckubu.local.netz
# ---
# - Warenform Office
@ -156,9 +168,6 @@ devel-todo.wf.netz
devel-wiki.wf.netz
[extra_hosts]
[apache2_webserver]
# ---
@ -257,6 +266,12 @@ devel-todo.wf.netz
devel-repos.wf.netz
devel-wiki.wf.netz
# ---
# O.OPEN office network
# ---
ckubu.local.netz
[webadmin]
@ -290,6 +305,43 @@ o13-pad.oopen.de
cp-01.oopen.de
[ftp_server]
# ---
# - O.OPEN Server
# ---
# o12.oopen.de
initiativenserver.oopen.de
# o13.oopen.de
o13-web.oopen.de
# o14.oopen.de
www2.oopen.de
# o15.oopen.de
www.oopen.de
www3.oopen.de
# o21.oopen.de
web.cadus.org
# o20.oopen.de (srv-cityslang.cityslang.com)
o20.oopen.de
# o22.oopen.de
oolm-web.oopen.de
# ---
# Warenform server
# ---
# server22
nd.warenform.de
[mail_server]
# ---
@ -571,6 +623,11 @@ backup.warenform.de
anita.wf.netz
[mumble_server]
#test.mx.oopen.de
[lxc_host]
# ---
@ -822,6 +879,15 @@ mail.faire-mobilitaet.de
a.ns.oopen.de
[gateway_server]
# ---
# O.OPEN office network
# ---
gw-ckubu.local.netz
[warenform_server]
# server16


@ -104,7 +104,7 @@
state: "{{ apt_install_state }}"
when: apt_install_lxc_host_pkgs|bool
tags:
- apt-lxc-hosts-pkgs|bool
- apt-lxc-hosts-pkgs
- name: (apt.yml) Install compiler related packages
apt:
@ -112,7 +112,7 @@
state: "{{ apt_install_state }}"
when: apt_install_compiler_pkgs|bool
tags:
- apt-compiler-pkgs|bool
- apt-compiler-pkgs
- name: (apt.yml) Install postgresql_server related packages
apt:


@ -0,0 +1,11 @@
---
- hosts: o25.oopen.de
tasks:
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python2 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
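Review bot: The play leaves `gather_facts` at its default, so on a host that really lacks `/usr/bin/python` the implicit `setup` run fails before the `raw` task meant to install it ever executes; add `gather_facts: false` next to `hosts:` (and `become: true` unless the play always connects as root). Both `raw` commands also report `changed` on every run, so `changed_when: false` or a registered result keeps the output honest, which is the stated aim of this commit. The bootstrap installs `python-minimal` (Python 2) while `apt_ansible_dependencies` in the shared vars lists `python3` and `python3-apt`; if the roles are meant to run under Python 3 this should be `python3-minimal` — worth confirming which interpreter the inventory expects.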


@ -1,28 +1,41 @@
---
- name: (git.yml) include variables
include_vars: "{{ item }}"
with_first_found:
- "git-{{ inventory_hostname }}.yml"
- "git-{{ ansible_distribution_release }}.yml"
- "git-{{ ansible_distribution | lower }}.yml"
- git-default.yml
tags:
- git-default-repositories
- git-lxc-guest-repositories
- git-apache2-repositories
- git-nginx-repositories
- git-mysql-server-repositories
- git-postgresql-server-repositories
- git-nextcloud-server-repositories
- git-dns-server-repositories
- git-backup-server-repositories
- git-samba-server-repositories
- git-mailservers-repositories
- git-sympa-repositories
- git-other-repositories
#- name: (git.yml) include variables
# include_vars: "{{ item }}"
# with_first_found:
# - "git-{{ inventory_hostname }}.yml"
# - "git-{{ ansible_distribution_release }}.yml"
# - "git-{{ ansible_distribution | lower }}.yml"
# - git-default.yml
# tags:
# - git-default-repositories
# - git-lxc-guest-repositories
# - git-apache2-repositories
# - git-nginx-repositories
# - git-mysql-server-repositories
# - git-postgresql-server-repositories
# - git-nextcloud-server-repositories
# - git-dns-server-repositories
# - git-backup-server-repositories
# - git-samba-server-repositories
# - git-mailservers-repositories
# - git-sympa-repositories
# - git-other-repositories
# ---
# Firewall repository
# ---
- name: (git.yml) Install/Update firewall repository
git:
repo: "{{ git_firewall_repository.repo}}"
dest: "{{ git_firewall_repository.dest }}"
when: git_firewall_repository is defined and git_firewall_repository > 0
tags:
- git-firewall-repository
# ---
# Default reposotories
# ---
@ -32,6 +45,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_default_repositories }}'
loop_control:
label: "{{ item.name }}"
tags:
- git-default-repositories
@ -45,6 +60,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_lxc_guest_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['lxc_guest']|string is search(inventory_hostname)"
tags:
- git-lxc-guest-repositories
@ -59,11 +76,29 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_lxc_host_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['lxc_host']|string is search(inventory_hostname)"
tags:
- git-lxc-host-repositories
# ---
# Group [gateway_server] reposotories
# ---
- name: (git.yml) Install/Update gateway repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_gateway_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['gateway_server']|string is search(inventory_hostname)"
tags:
- git-gateway-server-repositories
# ---
# Group [apache2_webserver] reposotories
# ---
@ -73,6 +108,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_apache2_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['apache2_webserver']|string is search(inventory_hostname)"
tags:
- git-apache2-repositories
@ -87,6 +124,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_nginx_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['nginx_webserver']|string is search(inventory_hostname)"
tags:
- git-nginx-repositories
@ -101,6 +140,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_mysql_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['mysql_server']|string is search(inventory_hostname)"
tags:
- git-mysql-server-repositories
@ -115,6 +156,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_postgresql_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['postgresql_server']|string is search(inventory_hostname)"
tags:
- git-postgresql-server-repositories
@ -129,6 +172,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_nextcloud_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['nextcloud_server']|string is search(inventory_hostname)"
tags:
- git-nextcloud-server-repositories
@ -143,6 +188,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_dns_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['dns_server']|string is search(inventory_hostname)"
tags:
- git-dns-server-repositories
@ -157,6 +204,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_backup_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['backup_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
@ -172,6 +221,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_samba_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['samba_server']|string is search(inventory_hostname)"
ignore_errors: True
tags:
@ -183,18 +234,13 @@
# Group [mail_server] reposotories
# ---
#- name: include variables
# include_vars: "git-mailservers.yml"
# tags:
# - initial-setup
# - git
# - git-mailservers
- name: (git.yml) Install/Update default repositories
- name: (git.yml) Install/Update mail server repositories
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_mailserver_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['mail_server']|string is search(inventory_hostname)"
tags:
- git-mailservers-repositories
@ -209,6 +255,8 @@
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
with_items: '{{ git_sympa_repositories }}'
loop_control:
label: "{{ item.name }}"
when: "groups['sympa_list_server']|string is search(inventory_hostname)"
tags:
- git-sympa-repositories
@ -232,6 +280,8 @@
git:
repo: '{{ item.repo }}'
dest: '{{ item.dest }}'
loop_control:
label: "{{ item.name }}"
with_items: '{{ git_other_repositories }}'
tags:
- git-other-repositories
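Review bot: The new firewall-repository task's condition `git_firewall_repository is defined and git_firewall_repository > 0` compares a list or mapping with an integer: on a Python 3 controller that raises a templating TypeError, and on Python 2 it evaluates true even for the default `[]`, after which the task fails on `.repo`; the intended check is `when: git_firewall_repository is defined and git_firewall_repository | length > 0`. None of the git tasks, this one included, pin `version:`, so scripts checked out into `/root/bin` and `/usr/local/src` follow each remote's default branch and every host silently picks up whatever lands there; a per-repository `version` with a default would make the deployed revision explicit. The old include_vars task is commented out rather than deleted; history keeps it, so the commented lines can go, and `repo: "{{ git_firewall_repository.repo}}"` is missing the space before `}}`.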


@ -86,8 +86,11 @@
# tags supportetd inside git.yml
#
# git-firewall-repository
# git-default-repositories
# git-lxc-host-repositories
# git-lxc-guest-repositories
# git-gateway-server-repositories
# git-apache2-repositories
# git-nginx-repositories
# git-mysql-server-repositories


@ -1,16 +1,16 @@
---
- name: (sudoers.yml) include variables
include_vars: "{{ item }}"
with_first_found:
- "sudoers-{{ inventory_hostname }}.yml"
- "sudoers-{{ ansible_distribution_release }}.yml"
- "sudoers-{{ ansible_distribution | lower }}.yml"
- "sudoers-default.yml"
tags:
- sudoers-remove
- sudoers-file-configuration
- sudoers-global-configuration
#- name: (sudoers.yml) include variables
# include_vars: "{{ item }}"
# with_first_found:
# - "sudoers-{{ inventory_hostname }}.yml"
# - "sudoers-{{ ansible_distribution_release }}.yml"
# - "sudoers-{{ ansible_distribution | lower }}.yml"
# - "sudoers-default.yml"
# tags:
# - sudoers-remove
# - sudoers-file-configuration
# - sudoers-global-configuration
- name: (sudoers.yml) Remove user entries in file /etc/sudoers
lineinfile:
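Review bot: The include_vars task is left behind as eleven commented lines; since history keeps it, delete them and replace them with one comment stating where the variables now come from, e.g. `# sudoers_* variables are defined in group_vars/host_vars (see roles/common/tasks/vars)`. The removed `with_first_found` also provided a per-host `sudoers-<hostname>.yml` override, and that this path no longer exists is worth saying explicitly so nobody expects it to work. The rest of the file continues outside the hunk.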


@ -8,13 +8,18 @@
stat:
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_user_orig_exists
with_items: "{{ default_user }}"
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- bash
- name: (users-systemfiles.yml) Backup existing users .bashrc file
command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
with_items: "{{ bashrc_user_orig_exists.results }}"
loop: "{{ bashrc_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
#with_items: "{{ bashrc_user_orig_exists.results }}"
when: item.stat.exists == False
tags:
- bash
@ -26,7 +31,9 @@
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc')
tags:
- bash
@ -63,13 +70,17 @@
stat:
path: "~{{ item.name }}/.profile.ORIG"
register: profile_user_orig_exists
with_items: "{{ default_user }}"
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- profile
- name: (users-systemfiles.yml) Backup existing users .profile file
command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
with_items: "{{ profile_user_orig_exists.results }}"
loop: "{{ profile_user_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- profile
@ -81,7 +92,9 @@
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile')
tags:
- profile
@ -121,7 +134,9 @@
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0644
with_items: "{{ default_user }}"
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc')
tags:
- vim
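Review bot: `when: item.stat.exists == False` on the two backup tasks is a literal boolean comparison that ansible-lint flags; `when: not item.stat.exists` is the idiomatic form. The leftover `#with_items: "{{ bashrc_user_orig_exists.results }}"` comment duplicates the `loop:` line directly above it and should be dropped. The `cp` tasks always report changed when they run; that is acceptable because the stat result guards them, but a one-line comment such as `# .ORIG is taken once, before the first managed copy, and never refreshed` would spare the next reader the same question.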


@ -9,7 +9,9 @@
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ default_user }}'
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: item.group_id is defined
tags:
- groups-exists
@ -24,7 +26,9 @@
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ default_user }}'
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- users-exists
@ -36,6 +40,8 @@
with_subelements:
- '{{ default_user }}'
- ssh_keys
loop_control:
label: "{{ item.0.name }}"
tags:
- authorized_key
@ -48,7 +54,9 @@
name: '{{ item.name }}'
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ extra_user }}'
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when:
- extra_user is defined and extra_user|length > 0
- item.group_id is defined
@ -65,7 +73,9 @@
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ extra_user }}'
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: extra_user is defined and extra_user|length > 0
tags:
- users-exists
@ -78,6 +88,8 @@
with_subelements:
- '{{ extra_user }}'
- ssh_keys
loop_control:
label: "{{ item.0.name }}"
when: extra_user is defined and extra_user|length > 0
tags:
- authorized_key
@ -87,14 +99,16 @@
# - Take care backup host has rsa key to connect via ssh to the other hosts
# ---
- name: (users.yml) Copy ssh rsa private key to user root of backup server
- name: (users.yml) Copy ssh rsa private key to user root on backup server
copy:
src: '{{ item.priv_key_src }}'
dest: '{{ item.priv_key_dest }}'
owner: root
group: root
mode: '0600'
with_items: '{{ ssh_keypair_backup_server }}'
loop: "{{ ssh_keypair_backup_server }}"
loop_control:
label: '{{ item.priv_key_dest }}'
when:
- ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
- insert_ssh_keypair_backup_server|bool
@ -103,14 +117,16 @@
- keypair-backup-server
- name: (users.yml) Copy ssh rsa public key to user root of backup server
- name: (users.yml) Copy ssh rsa public key to user root on backup server
copy:
src: '{{ item.pub_key_src }}'
dest: '{{ item.pub_key_dest }}'
owner: root
group: root
mode: '0644'
with_items: '{{ ssh_keypair_backup_server }}'
loop: "{{ ssh_keypair_backup_server }}"
loop_control:
label: '{{ item.pub_key_dest }}'
when:
- ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
- insert_ssh_keypair_backup_server|bool
@ -124,7 +140,9 @@
user: "{{ item.backup_user }}"
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ ssh_keypair_backup_server }}'
loop: "{{ ssh_keypair_backup_server }}"
loop_control:
label: 'authorized_keys - user: {{ item.backup_user }}'
when: ssh_keypair_backup_server is defined and ssh_keypair_backup_server|length > 0
tags:
- authorized_key
@ -146,7 +164,10 @@
when:
- insert_root_ssh_keypair|bool
- groups['backup_server']|string is not search(inventory_hostname)
with_items: '{{ root_ssh_keypair }}'
loop: "{{ root_ssh_keypair }}"
loop_control:
label: 'dest: {{ item.priv_key_dest }}'
#with_items: '{{ root_ssh_keypair }}'
tags:
- insert_root_ssh_keypair
- root-defaut-ssh-keypair
@ -158,8 +179,10 @@
owner: root
group: root
mode: '0644'
with_items: '{{ root_ssh_keypair }}'
#when: groups['oopen_server']|string is search(inventory_hostname)
loop: "{{ root_ssh_keypair }}"
loop_control:
label: 'dest: {{ item.pub_key_dest }}'
#with_items: '{{ root_ssh_keypair }}'
when:
- insert_root_ssh_keypair|bool
- groups['backup_server']|string is not search(inventory_hostname)
@ -172,7 +195,10 @@
user: root
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ root_ssh_keypair }}'
loop: "{{ root_ssh_keypair }}"
loop_control:
label: 'authorized_keys - user: root'
#with_items: '{{ root_ssh_keypair }}'
when: inventory_hostname == item.target
tags:
- authorized_key
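Review bot: The two extra-user tasks (the group task guarded by `extra_user is defined and extra_user|length > 0` and the user task below it) now iterate `loop: "{{ default_user }}"` where the replaced lines used `with_items: '{{ extra_user }}'`, so extra users are never created or updated while the default users are processed a second time, and the following authorized_key task still iterates `extra_user`'s `ssh_keys` for accounts that may not exist. Both lines should read `loop: "{{ extra_user }}"`. The `#with_items:` comments left under the new `loop:` lines on the root keypair tasks are dead and can be removed.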


@ -10,6 +10,8 @@
state: present
gid: '{{ item.group_id | default(omit) }}'
with_items: '{{ webadmin_user }}'
loop_control:
label: "{{ item.name }}"
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
@ -29,6 +31,8 @@
password: "{{ item.password }}"
update_password: on_create
with_items: '{{ webadmin_user }}'
loop_control:
label: "{{ item.name }}"
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
@ -44,6 +48,8 @@
with_subelements:
- '{{ webadmin_user }}'
- ssh_keys
loop_control:
label: "{{ item.0.name }}"
when:
- groups['webadmin']|string is search(inventory_hostname)
- webadmin_user is defined
@ -62,6 +68,8 @@
when:
- insert_webadmin_ssh_keypair|bool
with_items: '{{ webadmin_ssh_keypair }}'
loop_control:
label: 'dest: {{ item.priv_key_dest }}'
tags:
- webadmin
- webadmin-defaut-ssh-keypair
@ -74,6 +82,8 @@
group: '{{ item.login }}'
mode: '0644'
with_items: '{{ webadmin_ssh_keypair }}'
loop_control:
label: 'dest: {{ item.pub_key_dest }}'
when:
- insert_webadmin_ssh_keypair|bool
tags:
@ -102,6 +112,8 @@
key: "{{ lookup('file', item.pub_key_src) }}"
state: present
with_items: '{{ webadmin_ssh_keypair }}'
loop_control:
label: 'authorized_keys - webadmin: root'
when: inventory_hostname == item.target
tags:
- webadmin
@ -118,6 +130,8 @@
path: "~{{ item.name }}/.bashrc.ORIG"
register: bashrc_webadmin_orig_exists
with_items: "{{ webadmin_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- webadmin
- bash
@ -125,6 +139,8 @@
- name: (webadmin-user.yml) Backup existing webadmin's .bashrc file
command: cp ~{{ item.item.name }}/.bashrc ~{{ item.item.name }}/.bashrc.ORIG
with_items: "{{ bashrc_webadmin_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- webadmin
@ -138,6 +154,8 @@
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_bashrc')
tags:
- webadmin
@ -152,6 +170,8 @@
path: "~{{ item.name }}/.profile.ORIG"
register: profile_webadmin_orig_exists
with_items: "{{ webadmin_user }}"
loop_control:
label: '{{ item.name }}'
tags:
- webadmin
- profile
@ -159,6 +179,8 @@
- name: (webadmin-user.yml) Backup existing users .profile file
command: cp ~{{ item.item.name }}/.profile ~{{ item.item.name }}/.profile.ORIG
with_items: "{{ profile_webadmin_orig_exists.results }}"
loop_control:
label: '{{ item.item.name }}'
when: item.stat.exists == False
tags:
- webadmin
@ -172,6 +194,8 @@
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_profile')
tags:
- webadmin
@ -189,6 +213,8 @@
group: "{{ item.name }}"
mode: 0644
with_items: "{{ webadmin_user }}"
loop_control:
label: '{{ item.name }}'
when: lookup('fileglob', inventory_dir + '/files/homedirs/' + item.name + '/_vimrc')
tags:
- webadmin
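Review bot: The `loop_control: label` added to the user-creation task (the one that sets `password: "{{ item.password }}"` with `update_password: on_create`) tidies the console output but does not keep the password hash out of logs; Ansible's own documentation says `label` is for readability, not for protecting sensitive data, and verbose runs or callback plugins can still emit the full item. Add `no_log: true` to that task, and to the authorized-key tasks only if the key material is considered sensitive. The remaining label additions in this file are cosmetic and look fine. The play and the tasks' surrounding structure start outside the hunks shown.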


@ -161,7 +161,11 @@ HostbasedAuthentication no
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
#AllowUsers chris cityslang sysadm
{% if (fact_sshd_allowed_users is defined) and fact_sshd_allowed_users %}
AllowUsers {{ fact_sshd_allowed_users }}
{% else %}
#AllowUsers back chris sysadm cityslang christoph
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@ -184,6 +188,55 @@ UsePAM yes
#UseLogin no
#-----------------------------
# Cryptography
#-----------------------------
# Specifies the available KEX (Key Exchange) algorithms.
# The default is:
## curve25519-sha256@libssh.org,
## ecdh-sha2-nistp256,
## ecdh-sha2-nistp384,
## ecdh-sha2-nistp521,
## diffie-hellman-group-exchange-sha256,
## diffie-hellman-group14-sha1.
{% if (fact_sshd_kexalgorithms is defined) and fact_sshd_kexalgorithms %}
KexAlgorithms {{ fact_sshd_kexalgorithms }}
{% else %}
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
{% endif %}
# Specifies the ciphers allowed for protocol version 2.
# The default is:
## aes128-ctr,
## aes192-ctr,
## aes256-ctr,
## aes128-gcm@openssh.com,
## aes256-gcm@openssh.com,
## chacha20-poly1305@openssh.com.
{% if (fact_sshd_ciphers is defined) and fact_sshd_ciphers %}
Ciphers {{ fact_sshd_ciphers }}
{% else %}
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% endif %}
# Specifies the available MAC (message authentication code) algorithms.
# The default is:
## umac-64-etm@openssh.com,
## umac-128-etm@openssh.com,
## hmac-sha2-256-etm@openssh.com,
## hmac-sha2-512-etm@openssh.com,
## umac-64@openssh.com,
## umac-128@openssh.com,
## hmac-sha2-256,
## hmac-sha2-512.
{% if (fact_sshd_macs is defined) and fact_sshd_macs %}
MACs {{ fact_sshd_macs }}
{% else %}
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
{% endif %}
#-----------------------------
# Logging
#-----------------------------
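Review bot: The three new crypto stanzas render `fact_sshd_kexalgorithms`, `fact_sshd_ciphers` and `fact_sshd_macs` straight into `KexAlgorithms`/`Ciphers`/`MACs`, which sshd reads as a single comma-separated string; whatever sets those facts must already join the configured list, because a YAML list reaching the template would render as `['a', 'b']` and sshd would refuse to start, locking out remote access. Confirm `fact_sshd_macs` is actually set by the role — if it is not, the MACs stanza always falls back to the commented example. That `#MACs` example also lists `hmac-ripemd160` and `hmac-ripemd160-etm@openssh.com`, which current OpenSSH releases no longer accept, so anyone who uncomments it gets the same lockout; drop the ripemd160 entries from the hint. Because a bad value here is a remote lockout, the task that writes this template should carry `validate: '/usr/sbin/sshd -t -f %s'` before the restart handler fires.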


@ -1,218 +0,0 @@
# vars file for git
---
# ---
# all servers
# ---
git_default_repositories:
# script repositories (destination /root/bin/)
- name: admin-stuff
repo: https://git.oopen.de/script/admin-stuff
dest: /root/bin/admin-stuff
- name: postfix
repo: https://git.oopen.de/script/postfix
dest: /root/bin/postfix
# install repositories (destination: /usr/local/src/)
- name: mailsystem
repo: https://git.oopen.de/install/mailsystem
dest: /usr/local/src/mailsystem
# ---
# group [lxc_host]
# ---
git_lxc_host_repositories:
# Monitoring
- name: monitoring
repo: https://git.oopen.de/script/monitoring
dest: /root/bin/monitoring
# LXC
- name: LXC
repo: https://git.oopen.de/script/LXC
dest: /root/bin/LXC
# firewall
- name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# group [lxc_guest]
# ---
git_lxc_guest_repositories:
# dehydrated-cron
- name: dehydrated-cron
repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
dest: /usr/local/src/dehydrated-cron
# firewall
- name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# group [apache2_webserver]
# ---
git_apache2_repositories:
# script repositories (destination /root/bin/)
- name: apache2
repo: https://git.oopen.de/script/apache2
dest: /root/bin/apache2
# install repositories (destination: /usr/local/src/)
- name: apache2
repo: https://git.oopen.de/install/apache2
dest: /usr/local/src/apache2
- name: php
repo: https://git.oopen.de/install/php
dest: /usr/local/src/php
# ---
# group [nginx_webserver]
# ---
git_nginx_repositories: []
# ---
# group [mysql_server]
# ---
git_mysql_repositories:
# script repositories (destination /root/bin/)
- name: mysql
repo: https://git.oopen.de/script/mysql
dest: /root/bin/mysql
# install repositories (destination: /usr/local/src/)
- name: mysql
repo: https://git.oopen.de/install/mysql
dest: /usr/local/src/mysql
# ---
# group [postgresql_server]
# ---
git_postgresql_repositories:
# script repositories (destination /root/bin/)
- name: postgres
repo: https://git.oopen.de/script/postgres
dest: /root/bin/postgres
# ---
# group [nextcloud_server]
# ---
git_nextcloud_repositories:
# script repositories (destination /root/bin/)
- name: nextcloud
repo: https://git.oopen.de/script/nextcloud
dest: /root/bin/nextcloud
# install repositories (destination: /usr/local/src/)
- name: nextcloud
repo: https://git.oopen.de/install/nextcloud
dest: /usr/local/src/nextcloud
# ---
# group [dns_server]
# ---
git_dns_repositories:
# script repositories (destination /root/bin/)
- name: bind
repo: https://git.oopen.de/script/bind
dest: /root/bin/bind
# ---
# group [backup_server]
# ---
git_backup_repositories:
# script repositories (destination /root/bin/)
- name: backup-rcopy
repo: https://git.oopen.de/backup/backup-rcopy
dest: /root/crontab/backup-rcopy
# ---
# group [samba_server]
# ---
git_samba_repositories:
# script repositories (destination /root/bin/)
- name: samba
repo: https://git.oopen.de/script/samba
dest: /root/bin/samba
# ---
# group [mail_server]
# ---
git_mailserver_repositories:
# script repositories (destination /root/bin/)
- name: apache2
repo: https://git.oopen.de/script/apache2
dest: /root/bin/apache2
- name: postfix
repo: https://git.oopen.de/script/postfix
dest: /root/bin/postfix
- name: monitoring
repo: https://git.oopen.de/script/monitoring
dest: /root/bin/monitoring
# install repositories (destination: /usr/local/src/)
- name: apache2
repo: https://git.oopen.de/install/apache2
dest: /usr/local/src/apache2
- name: php
repo: https://git.oopen.de/install/php
dest: /usr/local/src/php
- name: mailsystem
repo: https://git.oopen.de/install/mailsystem
dest: /usr/local/src/mailsystem
# let's encrypt
- name: dehydrated-cron
repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
dest: /usr/local/src/dehydrated-cron
# firewall
- name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# group [sympa_list_servers]
# ---
git_sympa_repositories:
# install repositories (destination: /usr/local/src/)
- name: sympa
repo: https://git.oopen.de/install/sympa
dest: /usr/local/src/sympa
# ---
# Use this for host specific repositories defined in files git-<hostname>.yaml
#
# Leave empty here
# ---
git_other_repositories: []


@ -1,87 +0,0 @@
# vars file for sudoers
---
# ---
# /etc/sudoers
# ---
sudoers_defaults:
- env_reset
- mail_badpass
- 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
- name: root
entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
sudoers_remove_user:
- back
- www-data
# ---
# /etc/sudoers.d/50-user
# ---
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases: []
sudoers_file_runas_aliases: []
sudoers_file_user_back_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/rsync'
- 'ALL=(root) NOPASSWD: /usr/bin/find'
- 'ALL=(root) NOPASSWD: /usr/bin/realpath'
sudoers_file_user_back_postgres_privileges:
- 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
- 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump'
- 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall'
sudoers_file_user_back_disk_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/which'
- 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
- 'ALL=(root) NOPASSWD: /sbin/fdisk'
- 'ALL=(root) NOPASSWD: /sbin/sgdisk'
- 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*'
- 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*'
- 'ALL=(root) NOPASSWD: /sbin/parted'
- 'ALL=(root) NOPASSWD: /sbin/gdisk'
sudoers_file_user_webadmin_disk_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mailq'
- 'ALL=(root) NOPASSWD: /usr/bin/tail'
- 'ALL=(root) NOPASSWD: /usr/bin/view'
sudoers_file_dns_server_privileges:
- name: manage-bind
entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*'
- name: manage-bind
entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*'
- name: chris
entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*'
sudoers_file_postfixadmin_privileges:
- name: www-data
entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh'
- name: www-data
entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh'
sudoers_file_user_privileges: []
sudoers_file_group_privileges: []


@ -1 +0,0 @@
o25.oopen.de


@ -1,11 +1,118 @@
---
- hosts: o25.oopen.de
- hosts: extra_hosts
tasks:
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: (apt.yml) apt update
apt:
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool
- name: (apt.yml) dpkg --configure
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
- name: Install ulogd2
apt:
name: ulogd2
state: present
default_release: "{{ ansible_distribution_release }}"
tags:
- ulogd
- apt-ulogd
- name: Check if file '/etc/ulogd.conf.ORIG' exists
stat:
path: /etc/ulogd.conf.ORIG
register: ulogd_conf_orig_exists
tags:
- ulogd
- name: Backup existing file /etc/ulogd.conf
command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG
when: ulogd_conf_orig_exists.stat.exists == False
tags:
- ulogd
- name: Adjust file '/etc/ulogd.conf' 1/2
blockinfile:
path: /etc/ulogd.conf
insertafter: '^#?\s*plugin="/usr/lib'
block: |
# ====================================================================
# Define two new plugin stacks inside for iptables logging
# ====================================================================
# -
# - firewall11 - for IPv4 Firewall
# - firewall12 - for IPv6 Firewall
# -
stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU
stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU
marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2"
state: present
register: ulogd_conf_1
notify: Restart ulogd
- name: Adjust file '/etc/ulogd.conf' 2/2
blockinfile:
path: /etc/ulogd.conf
insertafter: EOF
block: |
# =========================================================
# Define input plugins using specified netlink group inside
# =========================================================
[firewall11]
group=11
[firewall12]
group=12
# =====================
# Define output plugins
# =====================
[emu11]
file="/var/log/ulog/iptables.log"
sync=1
[emu12]
file="/var/log/ulog/ip6tables.log"
sync=1
marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2"
state: present
register: ulogd_conf_1
notify: Restart ulogd
- name: Insert Headline to file '/etc/ulogd.conf'
blockinfile:
path: /etc/ulogd.conf
insertbefore: BOF
block: |
#
# --------------------------
# ** DO NOT EDIT DIRECTLY **
# --------------------------
# Ansible managed file
#
marker: "# {mark}"
handlers:
- name: Restart ulogd
service:
name: ulogd
state: restarted
- name: Ensure python2 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
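Review bot: Both `blockinfile` tasks register into the same variable `ulogd_conf_1`, so the second overwrites the first; neither result is read afterwards, so either drop both `register:` lines or rename the second to `ulogd_conf_2`. The `Restart ulogd` handler targets a service named `ulogd`, but on Debian the ulogd2 package installs its init script/unit as `ulogd2` as far as I know — verify the unit name on a target host, otherwise the handler fails after the config change and the firewall log sink keeps running with the old configuration. The `cache_valid_time` expression and the `apt_update`/`apt_dpkg_configure` conditions rely on variables this playbook does not define; that is fine if `extra_hosts` inherits them from group_vars, otherwise the play aborts on an undefined variable before the ulogd tasks run.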

46
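--- a/scripts/first-run.yml.BAK
+++ b/scripts/first-run.yml.BAK
@@ -0,0 +1,46 @@
+---
+- hosts: extra_hosts
+tasks:
+- name: Install ulogd2
+apt:
+name: ulogd2
+state: present
+default_release: "{{ ansible_distribution_release }}"
+tags:
+- ulogd
+- apt-ulogd
+- name: Check if file '/etc/ulogd.conf.ORIG' exists
+stat:
+path: /etc/ulogd.conf.ORIG
+register: ulogd_conf_orig_exists
+tags:
+- ulogd
+- name: Backup existing file /etc/ulogd.conf
+command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG
+when: ulogd_conf_orig_exists.stat.exists == False
+tags:
+- ulogd
+- name: Adjust file '/etc/ulogd.conf' 1/2
+lineinfile:
+path: /etc/ulogd.conf
+insertafter: '^plugin="/usr/lib'
+block: |
+{{ item.entry }}
+with_items:
+- { entry: '' }
+- { entry: '# ====================================================================' }
+- { entry: '# Define two new plugin stacks inside for iptables logging' }
+- { entry: '# ====================================================================' }
+- { entry: '# -' }
+- { entry: '# - firewall11 - for IPv4 Firewall' }
+- { entry: '# - firewall12 - for IPv6 Firewall' }
+- { entry: '# -' }
+- { entry: 'stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU' }
+- { entry: 'stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU' }
+- { entry: '' }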
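Review bot: This is a committed editor backup (`.BAK`) and it cannot run as written: `lineinfile` has no `block:` parameter (that belongs to `blockinfile`), so the task `Adjust file '/etc/ulogd.conf' 1/2` fails at argument validation. If it is kept on purpose as a reference, say so in a header comment such as `# Superseded by scripts/install-ulogd.yml; kept for reference only`; otherwise drop it from the repository, since git history already preserves it.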


@ -0,0 +1,455 @@
---
- hosts: all
tasks:
# ---
# Create firewall config directory '/etc/ipt/firewall' if not exists
# ---
#
- name: Install/update firewall repository
git:
repo: '{{ git_firewall_repository.repo }}'
dest: '{{ git_firewall_repository.dest }}'
when: git_firewall_repository is defined and git_firewall_repository > 0
tags:
- git-firewall-repository
- name: Create directory /etc/ipt-firewall if not exists
file:
path: /etc/ipt-firewall
state: directory
# ---
# Get information about network devices
# ---
- name: define traditional ethernet facts
set_fact:
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when:
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
- inventory_hostname not in groups['lxc_host']|string
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: define traditional ibridge facts
set_fact:
#ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}"
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when:
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
- "groups['lxc_host']|string is search(inventory_hostname)"
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: Debug message
debug:
msg:
- "index: {{ idx + 1 }}"
- "device: {{ item.device }}"
- "ipv4-address {{ item.ipv4.address }} "
- "ipv6-address: {{ item.ipv6.0.address }}"
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
# ---
# Check presence of files
# ---
- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv4_exists
- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
- name: Check if /etc/ipt-firewall/ban_ipv4.list are present
stat:
path: /etc/ipt-firewall/ban_ipv4.list
register: ban_ipv4_exists
- name: Check if /etc/ipt-firewall/ban_ipv6.list are present
stat:
path: /etc/ipt-firewall/ban_ipv6.list
register: ban_ipv6_exists
# ===
# Update/Modify firewall
# ===
# ---
# Host specific configuration files
# ---
# /etc/ipt-firewall/interfaces_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf
when: not interfaces_ipv4_exists.stat.exists
register: new_interfaces_ipv4
- name: Configure interfaces_ipv4.conf 1/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv4.conf
regexp: '^ext_if_{{ idx + 1 }}='
line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed
- name: Configure interfaces_ipv4.conf 2/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv4.conf
regexp: '^ext_{{ idx + 1 }}_ip='
line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf
when: not interfaces_ipv6_exists.stat.exists
register: new_interfaces_ipv6
- name: Configure interfaces_ipv6.conf 1/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: '^ext_if_{{ idx + 1 }}='
line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed
- name: Configure interfaces_ipv4.conf 2/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: '^ext_{{ idx + 1 }}_ip='
line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed
# /etc/ipt-firewall/ban_ipv[4|6].list
#
- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list
when: not ban_ipv4_exists.stat.exists
- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list'
command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list
when: not ban_ipv6_exists.stat.exists
# /etc/ipt-firewall/main_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf
when: not main_ipv4_exists.stat.exists
register: cp_main_ipv4
- name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf
when: not main_ipv6_exists.stat.exists
register: cp_main_ipv6
# Configure main_ipv4.conf
#
- name: Configure main_ipv4.conf (dns_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*dns_server_ips'
line: dns_server_ips="$ext_ips"
state: present
when:
- "groups['dns_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (ssh_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*ssh_server_ips'
line: ssh_server_ips="$ext_ips"
state: present
when:
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (http_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*http_server_ips='
line: http_server_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mail_client_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mail_client_ips='
line: mail_client_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (smtpd_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*smtpd_ips='
line: smtpd_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mail_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mail_server_ips='
line: mail_server_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (ftp_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*ftp_server_ips='
line: ftp_server_ips="$ext_1_ip"
state: present
when:
- "groups['ftp_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mumble_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mumble_server_ips='
line: mumble_server_ips="$ext_1_ip"
state: present
when:
- "groups['mumble_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
# Configure main_ipv6.conf
#
- name: Configure main_ipv6.conf (dns_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*dns_server_ips'
line: dns_server_ips="$ext_ips"
state: present
when:
- "groups['dns_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (ssh_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*ssh_server_ips'
line: ssh_server_ips="$ext_ips"
state: present
when:
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (http_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*http_server_ips='
line: http_server_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mail_client_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mail_client_ips='
line: mail_client_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (smtpd_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*smtpd_ips='
line: smtpd_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mail_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mail_server_ips='
line: mail_server_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (ftp_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*ftp_server_ips='
line: ftp_server_ips="$ext_1_ip"
state: present
when:
- "groups['ftp_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mumble_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mumble_server_ips='
line: mumble_server_ips="$ext_1_ip"
state: present
when:
- "groups['mumble_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
# ---
# Host independet configuration files
# ---
- name: Check if common configuration files are latest
shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
changed_when: "diff_output.rc > 0"
# diff_output.rc
# 0 -> unchanged
# 1 -> changed
# 2 -> not present
failed_when: "diff_output.rc > 2"
when: git_firewall_repository is defined and git_firewall_repository > 0
loop:
- include_functions.conf
- load_modules_ipv4.conf
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- default_ports.conf
- post_decalrations.conf
register: diff_output
- name: Ensure common configuration files are latest
command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
loop:
- include_functions.conf
- load_modules_ipv4.conf
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- default_ports.conf
- post_decalrations.conf
when:
- git_firewall_repository is defined and git_firewall_repository > 0
- diff_output.changed
notify:
- Restart IPv4 Firewall
- Restart IPv6 Firewall
# ---
# Firewall scripts
# ---
- name: Check if firewall scripts are latest
shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
changed_when: "diff_script_output.rc > 0"
# diff_output.rc
# 0 -> unchanged
# 1 -> changed
# 2 -> not present
failed_when: "diff_script_output.rc > 2"
when: git_firewall_repository is defined and git_firewall_repository > 0
loop:
- ipt-firewall-server
- ip6t-firewall-server
register: diff_script_output
- name: Ensure firewall scripts are latest
command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
loop:
- ipt-firewall-server
- ip6t-firewall-server
when:
- git_firewall_repository is defined and git_firewall_repository > 0
- diff_script_output.changed
notify:
- Restart IPv4 Firewall
- Restart IPv6 Firewall
handlers:
- name: Restart ulogd
service:
name: ulogd
state: restarted
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
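Review bot: The `git:` task clones `git_firewall_repository.repo` without a `version:` pin, and later tasks copy `ipt-firewall-server`/`ip6t-firewall-server` from that checkout into `/usr/local/sbin` and restart the firewall services, so every run executes whatever currently sits at the remote's default branch as root; pin a tag or commit, e.g. `version: "{{ git_firewall_repository.version | default('master') }}"`, and consider `verify_commit: true` if the upstream signs its commits. The guard `git_firewall_repository is defined and git_firewall_repository > 0` compares a dictionary with an integer — on a Python 3 controller that raises a TypeError rather than evaluating to false; `git_firewall_repository.repo is defined` (or `git_firewall_repository | length > 0`) states the intent. The `command: cp` tasks that install the scripts leave ownership and mode to whatever the checkout had; `copy` with `remote_src: true`, `owner: root`, `group: root`, `mode: '0755'` makes that explicit and idempotent. The `item.ipv6.0.address` lookups in the debug task and in `Configure interfaces_ipv4.conf 2/2` (the task name is copy-pasted; it edits the IPv6 file) will fail on any interface without a global IPv6 address.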

132
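--- a/scripts/install-ulogd.yml
+++ b/scripts/install-ulogd.yml
@@ -0,0 +1,132 @@
+---
+- hosts: extra_hosts
+tasks:
+- name: (apt.yml) apt update
+apt:
+update_cache: true
+cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
+when: apt_update|bool
+- name: (apt.yml) dpkg --configure
+command: >
+dpkg --configure -a
+args:
+warn: false
+changed_when: _dpkg_configure.stdout_lines | length
+register: _dpkg_configure
+when: apt_dpkg_configure|bool
+- name: Install ulogd2
+apt:
+name: ulogd2
+state: present
+default_release: "{{ ansible_distribution_release }}"
+tags:
+- ulogd
+- apt-ulogd
+- name: Check if file '/etc/ulogd.conf.ORIG' exists
+stat:
+path: /etc/ulogd.conf.ORIG
+register: ulogd_conf_orig_exists
+tags:
+- ulogd
+- name: Backup existing file /etc/ulogd.conf
+command: cp /etc/ulogd.conf /etc/ulogd.conf.ORIG
+when: ulogd_conf_orig_exists.stat.exists == False
+tags:
+- ulogd
+- name: Check if String 'stack=firewall11=..' is present
+shell: grep -q -E "^\s*stack=firewall11" /etc/ulogd.conf
+register: stack_firewall11_present
+failed_when: "stack_firewall11_present.rc > 1"
+changed_when: "stack_firewall11_present.rc > 0"
+- name: Adjust file '/etc/ulogd.conf' 1/2
+blockinfile:
+path: /etc/ulogd.conf
+insertafter: '^#?\s*plugin="/usr/lib'
+block: |
+# ====================================================================
+# Define two new plugin stacks inside for iptables logging
+# ====================================================================
+# -
+# - firewall11 - for IPv4 Firewall
+# - firewall12 - for IPv6 Firewall
+# -
+stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU
+stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU
+marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2"
+state: present
+#register: ulogd_conf_1
+when: stack_firewall11_present is changed
+notify: Restart ulogd
+- name: Check if String '[firewall11]' is present
+shell: grep -q -E "^\s*\[firewall11\]" /etc/ulogd.conf
+register: stack_group_firewall11_present
+failed_when: "stack_group_firewall11_present.rc > 1"
+changed_when: "stack_group_firewall11_present.rc > 0"
+- name: Adjust file '/etc/ulogd.conf' 2/2
+blockinfile:
+path: /etc/ulogd.conf
+insertafter: EOF
+block: |
+# =========================================================
+# Define input plugins using specified netlink group inside
+# =========================================================
+[firewall11]
+group=11
+[firewall12]
+group=12
+# =====================
+# Define output plugins
+# =====================
+[emu11]
+file="/var/log/ulog/iptables.log"
+sync=1
+[emu12]
+file="/var/log/ulog/ip6tables.log"
+sync=1
+marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2"
+state: present
+#register: ulogd_conf_2
+when: stack_group_firewall11_present is changed
+notify: Restart ulogd
+# ---
+# Remove Marker set by blockinfile
+# ---
+- name: Remove marker
+replace :
+path: /etc/ulogd.conf
+regexp: "^#.*ANSIBLE MANAGED BLOCK.*$"
+replace: ""
+#register: marker_ipv4_removed
+handlers:
+- name: Restart ulogd
+service:
+name: ulogd
+state: restarted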
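Review bot: The final `Remove marker` task strips the `# BEGIN/END ANSIBLE MANAGED BLOCK` lines that `blockinfile` uses to locate its own block, so after the first run blockinfile can no longer update or remove the inserted stacks; the `grep` guards stop it from re-inserting duplicates, but any later change to the block contents (a new log path, a different netlink group) will never reach hosts that were already configured. If the markers are unwanted in the rendered file, keep them but make them innocuous with `marker: "# {mark}"` plus `marker_begin: "ulogd firewall stacks"` / `marker_end: "end ulogd firewall stacks"` instead of deleting them. `replace :` (space before the colon) parses as the `replace` key but reads like a typo; write `replace:`. As with the other ulogd playbook, confirm the handler's `name: ulogd` matches the unit the Debian ulogd2 package actually installs (`ulogd2` as far as I know).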


@ -0,0 +1,947 @@
---
- hosts: all
tasks:
# ---
# Create firewall config directory '/etc/ipt/firewall' if not exists
# ---
#
- name: Install/update firewall repository
git:
repo: '{{ git_firewall_repository.repo }}'
dest: '{{ git_firewall_repository.dest }}'
when: git_firewall_repository is defined and git_firewall_repository > 0
tags:
- git-firewall-repository
- name: Create directory /etc/ipt-firewall if not exists
file:
path: /etc/ipt-firewall
state: directory
# ---
# Check presence of files
# ---
- name: Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv4_exists
- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
- name: Check if /etc/ipt-firewall/ban_ipv4.list are present
stat:
path: /etc/ipt-firewall/ban_ipv4.list
register: ban_ipv4_exists
- name: Check if /etc/ipt-firewall/ban_ipv6.list are present
stat:
path: /etc/ipt-firewall/ban_ipv6.list
register: ban_ipv6_exists
# ---
# Get information about network devices
# ---
- name: define traditional ethernet facts
set_fact:
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when:
- not interfaces_ipv4_exists.stat.exists
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
- inventory_hostname not in groups['lxc_host']|string
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: define traditional ibridge facts
set_fact:
#ansible_netdev: "{% set ansible_netdev = ansible_br|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_br|list }}"
ansible_netdev: "{% set ansible_netdev = ansible_netdev|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_netdev|list }}"
when:
- not interfaces_ipv4_exists.stat.exists
- hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
- "groups['lxc_host']|string is search(inventory_hostname)"
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
- name: Debug message
debug:
msg:
- "index: {{ idx + 1 }}"
- "device: {{ item.device }}"
- "ipv4-address {{ item.ipv4.address }} "
- "ipv6-address: {{ item.ipv6.0.address }}"
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv4_exists.stat.exists
# ---
# Get sshd ports
# ---
- name: Get sshd ports as blank separated list
set_fact:
fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
when:
- sshd_ports is defined and sshd_ports | length > 0
- sshd_ports|join() != "22"
- name: Set default sshd ports
set_fact:
fw_sshd_ports: "$standard_ssh_port"
when:
- sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"
# ===
# Modify main_ipv[4|].conf - add port definitionios
# ===
# ---
# vpn_ports
# ---
- name: Check if String 'vpn_ports=..' is present
shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
register: vpn_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "vpn_ports_ipv4_present.rc > 1"
changed_when: "vpn_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_vpn_server_ips'
block: |
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
when:
- main_ipv4_exists.stat.exists
- vpn_ports_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'vpn_ports=..' is present
shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
register: vpn_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "vpn_ports_ipv6_present.rc > 1"
changed_when: "vpn_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_vpn_server_ips'
block: |
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
when:
- main_ipv6_exists.stat.exists
- vpn_ports_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# ssh_ports
# ---
- name: Check if String 'ssh_ports=..' is present
shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
register: ssh_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "ssh_ports_ipv4_present.rc > 1"
changed_when: "ssh_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_ssh_server_ips'
block: |
# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="{{ fw_sshd_ports }}"
marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
when:
- main_ipv4_exists.stat.exists
- ssh_ports_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'ssh_ports=..' is present
shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
register: ssh_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "ssh_ports_ipv6_present.rc > 1"
changed_when: "ssh_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_ssh_server_ips'
block: |
# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="{{ fw_sshd_ports }}"
marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
when:
- main_ipv6_exists.stat.exists
- ssh_ports_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# http_ports
# ---
- name: Check if String 'http_ports=..' is present
shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
register: http_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "http_ports_ipv4_present.rc > 1"
changed_when: "http_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_http_server_ips'
block: |
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
marker: "# Marker set by modify-ipt-server.yml (http_ports)"
when:
- main_ipv4_exists.stat.exists
- http_ports_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'http_ports=..' is present
shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
register: http_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "http_ports_ipv6_present.rc > 1"
changed_when: "http_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_http_server_ips'
block: |
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
marker: "# Marker set by modify-ipt-server.yml (http_ports)"
when:
- main_ipv6_exists.stat.exists
- http_ports_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# mail_user_ports
# ---
- name: Check if String 'mail_user_ports=..' is present
shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
register: mail_user_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mail_user_ports_ipv4_present.rc > 1"
changed_when: "mail_user_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_mail_server_ips'
block: |
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
when:
- main_ipv4_exists.stat.exists
- mail_user_ports_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'mail_user_ports=..' is present
shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
register: mail_user_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "mail_user_ports_ipv6_present.rc > 1"
changed_when: "mail_user_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_mail_server_ips'
block: |
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
when:
- main_ipv6_exists.stat.exists
- mail_user_ports_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# ftp_passive_port_range
# ---
- name: Check if String 'ftp_passive_port_range=..' is present
shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
register: ftp_passive_port_range_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_ftp_server_ips'
block: |
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
when:
- main_ipv4_exists.stat.exists
- ftp_passive_port_range_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'ftp_passive_port_range=..' is present
shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
register: ftp_passive_port_range_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_ftp_server_ips'
block: |
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
when:
- main_ipv6_exists.stat.exists
- ftp_passive_port_range_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# munin_remote_port
# ---
- name: Check if String 'munin_remote_port=..' is present
shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
register: munin_remote_port_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "munin_remote_port_ipv4_present.rc > 1"
changed_when: "munin_remote_port_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_munin_server_ips'
block: |
# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
when:
- main_ipv4_exists.stat.exists
- munin_remote_port_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'munin_remote_port=..' is present
shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
register: munin_remote_port_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "munin_remote_port_ipv6_present.rc > 1"
changed_when: "munin_remote_port_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_munin_server_ips'
block: |
# - Ports used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
when:
- main_ipv6_exists.stat.exists
- munin_remote_port_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# xymon_port
# ---
- name: Check if String 'xymon_port=..' is present
shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
register: xymon_port_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "xymon_port_ipv4_present.rc > 1"
changed_when: "xymon_port_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*local_xymon_client'
block: |
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
when:
- main_ipv4_exists.stat.exists
- xymon_port_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'xymon_port=..' is present
shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
register: xymon_port_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "xymon_port_ipv6_present.rc > 1"
changed_when: "xymon_port_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*local_xymon_client'
block: |
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
when:
- main_ipv6_exists.stat.exists
- xymon_port_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# mumble_ports
# ---
- name: Check if String 'mumble_ports=..' is present
shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
register: mumble_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mumble_ports_ipv4_present.rc > 1"
changed_when: "mumble_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_mumble_server_ips'
block: |
# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
when:
- main_ipv4_exists.stat.exists
- mumble_ports_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'mumble_ports=..' is present
shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
register: mumble_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "mumble_ports_ipv6_present.rc > 1"
changed_when: "mumble_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_mumble_server_ips'
block: |
# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
when:
- main_ipv6_exists.stat.exists
- mumble_ports_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# Remove Marker set by blockinfile
# ---
- name: Remove marker IPv4
replace :
path: /etc/ipt-firewall/main_ipv4.conf
regexp: "^# Marker set by modify-ipt-server.yml.*$"
replace: ""
register: marker_ipv4_removed
#failed_when: "marker_ipv4_removed.rc > 1"
#changed_when: "marker_ipv4_removed.rc < 1"
when:
- main_ipv4_exists.stat.exists
- name: Remove marker IPv6
replace :
path: /etc/ipt-firewall/main_ipv6.conf
regexp: "^# Marker set by modify-ipt-server.yml.*$"
replace: ""
register: marker_ipv6_removed
#failed_when: "marker_ipv6_removed.rc > 1"
#changed_when: "marker_ipv6_removed.rc < 1"
when:
- main_ipv6_exists.stat.exists
# ===
# Update/Modify firewall
# ===
# ---
# Host specific configuration files
# ---
# /etc/ipt-firewall/interfaces_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf
when: not interfaces_ipv4_exists.stat.exists
register: new_interfaces_ipv4
notify:
- Restart IPv4 Firewall
- name: Configure interfaces_ipv4.conf 1/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv4.conf
regexp: '^ext_if_{{ idx + 1 }}='
line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed
- name: Configure interfaces_ipv4.conf 2/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv4.conf
regexp: '^ext_{{ idx + 1 }}_ip='
line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv4.address }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv4_exists.stat.exists
- new_interfaces_ipv4 is changed
- name: Place new configuration file '/etc/ipt-firewall/interfaces_ipv6.conf'
command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf
when: not interfaces_ipv6_exists.stat.exists
register: new_interfaces_ipv6
notify:
- Restart IPv6 Firewall
- name: Configure interfaces_ipv6.conf 1/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: '^ext_if_{{ idx + 1 }}='
line: 'ext_if_{{ idx + 1 }}="{{ item.device }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed
- name: Configure interfaces_ipv4.conf 2/2
lineinfile:
path: /etc/ipt-firewall/interfaces_ipv6.conf
regexp: '^ext_{{ idx + 1 }}_ip='
line: 'ext_{{ idx + 1 }}_ip="{{ item.ipv6.0.address }}"'
loop: "{{ ansible_netdev }}"
loop_control:
label: "{{ item.device }}"
index_var: idx
when:
- not interfaces_ipv6_exists.stat.exists
- new_interfaces_ipv6 is changed
# /etc/ipt-firewall/ban_ipv[4|6].list
#
- name: Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list
when: not ban_ipv4_exists.stat.exists
- name: Place new configuration file '/etc/ipt-firewall/ban_ipv6.list'
command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list
when: not ban_ipv6_exists.stat.exists
# /etc/ipt-firewall/main_ipv[4|6].conf
#
- name: Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf
when: not main_ipv4_exists.stat.exists
register: cp_main_ipv4
notify:
- Restart IPv4 Firewall
- name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf
when: not main_ipv6_exists.stat.exists
register: cp_main_ipv6
notify:
- Restart IPv6 Firewall
# Configure main_ipv4.conf
#
- name: Configure main_ipv4.conf (dns_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*dns_server_ips'
line: dns_server_ips="$ext_ips"
state: present
when:
- "groups['dns_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (ssh_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*ssh_server_ips'
line: ssh_server_ips="$ext_ips"
state: present
when:
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (http_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*http_server_ips='
line: http_server_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mail_client_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mail_client_ips='
line: mail_client_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (smtpd_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*smtpd_ips='
line: smtpd_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mail_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mail_server_ips='
line: mail_server_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (ftp_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*ftp_server_ips='
line: ftp_server_ips="$ext_1_ip"
state: present
when:
- "groups['ftp_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
- name: Configure main_ipv4.conf (mumble_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^\s*mumble_server_ips='
line: mumble_server_ips="$ext_1_ip"
state: present
when:
- "groups['mumble_server']|string is search(inventory_hostname)"
- not main_ipv4_exists.stat.exists
- cp_main_ipv4 is changed
# Configure main_ipv6.conf
#
- name: Configure main_ipv6.conf (dns_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*dns_server_ips'
line: dns_server_ips="$ext_ips"
state: present
when:
- "groups['dns_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (ssh_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*ssh_server_ips'
line: ssh_server_ips="$ext_ips"
state: present
when:
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (http_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*http_server_ips='
line: http_server_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mail_client_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mail_client_ips='
line: mail_client_ips="$ext_1_ip"
state: present
when:
- "groups['apache2_webserver']|string is search(inventory_hostname) or
groups['nginx_webserver']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (smtpd_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*smtpd_ips='
line: smtpd_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mail_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mail_server_ips='
line: mail_server_ips="$ext_1_ip"
state: present
when:
- "groups['mail_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (ftp_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*ftp_server_ips='
line: ftp_server_ips="$ext_1_ip"
state: present
when:
- "groups['ftp_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
- name: Configure main_ipv6.conf (mumble_server_ips)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^\s*mumble_server_ips='
line: mumble_server_ips="$ext_1_ip"
state: present
when:
- "groups['mumble_server']|string is search(inventory_hostname)"
- not main_ipv6_exists.stat.exists
- cp_main_ipv6 is changed
# ---
# Host independet configuration files
# ---
- name: Check if common configuration files are latest
shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
changed_when: "diff_output.rc > 0"
# diff_output.rc
# 0 -> unchanged
# 1 -> changed
# 2 -> not present
failed_when: "diff_output.rc > 2"
when: git_firewall_repository is defined and git_firewall_repository > 0
loop:
- include_functions.conf
- load_modules_ipv4.conf
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- default_ports.conf
- post_decalrations.conf
register: diff_output
- name: Ensure common configuration files are latest
command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
loop:
- include_functions.conf
- load_modules_ipv4.conf
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- default_ports.conf
- post_decalrations.conf
when:
- git_firewall_repository is defined and git_firewall_repository > 0
- diff_output.changed
notify:
- Restart IPv4 Firewall
- Restart IPv6 Firewall
# ---
# Firewall scripts
# ---
- name: Check if firewall scripts are latest
shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
changed_when: "diff_script_output.rc > 0"
# diff_output.rc
# 0 -> unchanged
# 1 -> changed
# 2 -> not present
failed_when: "diff_script_output.rc > 2"
when: git_firewall_repository is defined and git_firewall_repository > 0
loop:
- ipt-firewall-server
- ip6t-firewall-server
register: diff_script_output
- name: Ensure firewall scripts are latest
command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
loop:
- ipt-firewall-server
- ip6t-firewall-server
when:
- git_firewall_repository is defined and git_firewall_repository > 0
- diff_script_output.changed
notify:
- Restart IPv4 Firewall
- Restart IPv6 Firewall
handlers:
- name: Restart ulogd
service:
name: ulogd
state: restarted
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
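Review bot: The six IPv6 "Check if String '…' is present" tasks from http_ports onward (http_ports, mail_user_ports, ftp_passive_port_range, munin_remote_port, xymon_port, mumble_ports) are gated on `when: main_ipv4_exists.stat.exists` instead of `main_ipv6_exists.stat.exists`, so a host with main_ipv4.conf but no main_ipv6.conf runs grep on a missing file, gets rc 2 and `failed_when` aborts the play, while a host with only main_ipv6.conf skips the check and the block is never inserted — each should read `when: main_ipv6_exists.stat.exists`. The role tests of the form `"groups['dns_server']|string is search(inventory_hostname)"` (and the two differently written lxc_host checks) are substring/regex matches against the stringified list, so a host named `web1` also matches a group containing `web10` and would get http_server_ips / mail_client_ips set to its external IP although it hosts no web server; the exact test is `inventory_hostname in groups['dns_server']`. The `git` task pins no `version:` and the `command: cp` tasks copy that checkout's firewall scripts into /usr/local/sbin and the sample configs into /etc/ipt-firewall without an explicit `owner`/`mode`, reporting changed on every run; `copy` with `remote_src: true` plus a pinned `version` would make what ends up running as root from that repository reproducible and idempotent. `git_firewall_repository > 0` in the git task and the four "latest" tasks compares a mapping with an integer, which presumably raises under Python 3 Jinja — `git_firewall_repository.dest is defined` looks like what was intended. The task named "Configure interfaces_ipv4.conf 2/2" in the IPv6 section edits interfaces_ipv6.conf and should be renamed accordingly.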


@ -0,0 +1,441 @@
---
- hosts: all
tasks:
- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv4_exists
- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv6_exists
# ---
# vpn_ports
# ---
- name: Check if String 'vpn_ports=..' is present
shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
register: vpn_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "vpn_ports_ipv4_present.rc > 1"
changed_when: "vpn_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_vpn_server_ips'
block: |
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
when:
- main_ipv4_exists.stat.exists
- vpn_ports_ipv4_present is changed
- name: Check if String 'vpn_ports=..' is present
shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
register: vpn_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "vpn_ports_ipv6_present.rc > 1"
changed_when: "vpn_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_vpn_server_ips'
block: |
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
when:
- main_ipv6_exists.stat.exists
- vpn_ports_ipv6_present is changed
# ---
# ssh_ports
# ---
- name: Check if String 'ssh_ports=..' is present
shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
register: ssh_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "ssh_ports_ipv4_present.rc > 1"
changed_when: "ssh_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_ssh_server_ips'
block: |
# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"
marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
when:
- main_ipv4_exists.stat.exists
- ssh_ports_ipv4_present is changed
- name: Check if String 'ssh_ports=..' is present
shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
register: ssh_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "ssh_ports_ipv6_present.rc > 1"
changed_when: "ssh_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_ssh_server_ips'
block: |
# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"
marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
when:
- main_ipv6_exists.stat.exists
- ssh_ports_ipv6_present is changed
# ---
# http_ports
# ---
- name: Check if String 'http_ports=..' is present
shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
register: http_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "http_ports_ipv4_present.rc > 1"
changed_when: "http_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_http_server_ips'
block: |
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
marker: "# Marker set by modify-ipt-server.yml (http_ports)"
when:
- main_ipv4_exists.stat.exists
- http_ports_ipv4_present is changed
- name: Check if String 'http_ports=..' is present
shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
register: http_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "http_ports_ipv6_present.rc > 1"
changed_when: "http_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_http_server_ips'
block: |
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
marker: "# Marker set by modify-ipt-server.yml (http_ports)"
when:
- main_ipv6_exists.stat.exists
- http_ports_ipv6_present is changed
# ---
# mail_user_ports
# ---
- name: Check if String 'mail_user_ports=..' is present
shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
register: mail_user_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mail_user_ports_ipv4_present.rc > 1"
changed_when: "mail_user_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_mail_server_ips'
block: |
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
when:
- main_ipv4_exists.stat.exists
- mail_user_ports_ipv4_present is changed
- name: Check if String 'mail_user_ports=..' is present
shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
register: mail_user_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "mail_user_ports_ipv6_present.rc > 1"
changed_when: "mail_user_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_mail_server_ips'
block: |
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
when:
- main_ipv6_exists.stat.exists
- mail_user_ports_ipv6_present is changed
# ---
# ftp_passive_port_range
# ---
- name: Check if String 'ftp_passive_port_range=..' is present
shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
register: ftp_passive_port_range_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_ftp_server_ips'
block: |
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
when:
- main_ipv4_exists.stat.exists
- ftp_passive_port_range_ipv4_present is changed
- name: Check if String 'ftp_passive_port_range=..' is present
shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
register: ftp_passive_port_range_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_ftp_server_ips'
block: |
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
when:
- main_ipv6_exists.stat.exists
- ftp_passive_port_range_ipv6_present is changed
# ---
# munin_remote_port
# ---
- name: Check if String 'munin_remote_port=..' is present
shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
register: munin_remote_port_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "munin_remote_port_ipv4_present.rc > 1"
changed_when: "munin_remote_port_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_munin_server_ips'
block: |
# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
when:
- main_ipv4_exists.stat.exists
- munin_remote_port_ipv4_present is changed
- name: Check if String 'munin_remote_port=..' is present
shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
register: munin_remote_port_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "munin_remote_port_ipv6_present.rc > 1"
changed_when: "munin_remote_port_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_munin_server_ips'
block: |
# - Ports used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
when:
- main_ipv6_exists.stat.exists
- munin_remote_port_ipv6_present is changed
# ---
# xymon_port
# ---
- name: Check if String 'xymon_port=..' is present
shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
register: xymon_port_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "xymon_port_ipv4_present.rc > 1"
changed_when: "xymon_port_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*local_xymon_client'
block: |
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
when:
- main_ipv4_exists.stat.exists
- xymon_port_ipv4_present is changed
- name: Check if String 'xymon_port=..' is present
shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
register: xymon_port_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "xymon_port_ipv6_present.rc > 1"
changed_when: "xymon_port_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*local_xymon_client'
block: |
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
when:
- main_ipv6_exists.stat.exists
- xymon_port_ipv6_present is changed
# ---
# mumble_ports
# ---
- name: Check if String 'mumble_ports=..' is present
shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
register: mumble_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mumble_ports_ipv4_present.rc > 1"
changed_when: "mumble_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_mumble_server_ips'
block: |
# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
when:
- main_ipv4_exists.stat.exists
- mumble_ports_ipv4_present is changed
- name: Check if String 'mumble_ports=..' is present
shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
register: mumble_ports_ipv6_present
when: main_ipv4_exists.stat.exists
failed_when: "mumble_ports_ipv6_present.rc > 1"
changed_when: "mumble_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_mumble_server_ips'
block: |
# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
when:
- main_ipv6_exists.stat.exists
- mumble_ports_ipv6_present is changed
# ---
# Remove Marker set by blockinfile
# ---
- name: Remove marker IPv4
replace :
path: /etc/ipt-firewall/main_ipv4.conf
regexp: "^# Marker set by modify-ipt-server.yml.*$"
replace: ""
register: marker_ipv4_removed
#failed_when: "marker_ipv4_removed.rc > 1"
#changed_when: "marker_ipv4_removed.rc < 1"
when:
- main_ipv4_exists.stat.exists
- name: Remove marker IPv6
replace :
path: /etc/ipt-firewall/main_ipv6.conf
regexp: "^# Marker set by modify-ipt-server.yml.*$"
replace: ""
register: marker_ipv6_removed
#failed_when: "marker_ipv6_removed.rc > 1"
#changed_when: "marker_ipv6_removed.rc < 1"
when:
- main_ipv6_exists.stat.exists
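Review bot: The two stat tasks at the top of the new playbook register their results under the wrong names: the stat of `/etc/ipt-firewall/main_ipv6.conf` is stored as `main_ipv4_exists` and the stat of `main_ipv4.conf` as `main_ipv6_exists`, so every later `when: main_ipv4_exists.stat.exists` gate on a main_ipv4.conf task is really testing for the IPv6 file (and vice versa); on a host where only one of the two files exists, the grep/blockinfile tasks run against a missing file or are skipped for the one that is present. Swap the two register lines: `register: main_ipv6_exists` under the main_ipv6.conf stat and `register: main_ipv4_exists` under the main_ipv4.conf stat. Separately, the IPv6 "Check if String ... is present" tasks for http_ports, mail_user_ports, ftp_passive_port_range, munin_remote_port, xymon_port and mumble_ports are gated on `main_ipv4_exists.stat.exists` while the vpn_ports and ssh_ports ones use `main_ipv6_exists.stat.exists`; they should all read `when: main_ipv6_exists.stat.exists` so a host without main_ipv6.conf does not fail on the grep. The `replace :` keys in the two marker-removal tasks carry a stray space before the colon; write `replace:` like the other module keys.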


@ -1,19 +1,19 @@
---
- hosts: o25.oopen.de
- hosts: all
tasks:
- name: debug print all interface ipv4 data
when: "hostvars[ansible_fqdn]['ansible_'~item]['ipv4'] is defined"
debug:
msg="{{ hostvars[ansible_fqdn]['ansible_'~item]['ipv4'] | pprint }}"
with_items:
- "{{ ansible_interfaces | map('replace', '-','_') | list }}"
- name: define traditional ethernet facts
- name: Get sshd ports as blank separated list
set_fact:
ansible_eth: "{% set ansible_eth = ansible_eth|default([]) + [hostvars[inventory_hostname]['ansible_' + item]] %}{{ ansible_eth|list }}"
when: hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
with_items:
- "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
when:
- sshd_ports is defined and sshd_ports | length > 0
- sshd_ports|join() != "22"
- name: Set default sshd ports
set_fact:
fw_sshd_ports: "$standard_ssh_port"
when:
- sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"