From 5d18b79372b154900d5ddaa0ee00724dcd37ae58 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 15 Jul 2025 00:38:25 +0200
Subject: [PATCH] update..
---
 host_vars/backup.oopen.de.yml | 1 +
 host_vars/file-ah.kanzlei-kiel.netz.yml | 62 +++
 host_vars/file-blkr.blkr.netz.yml | 8 +
 host_vars/file-km.anw-km.netz.yml | 2 +-
 host_vars/ga-al-gw.oopen.de.yml | 5 +-
 host_vars/ga-campus-gw-temp.ga.netz.yml | 12 +
 host_vars/ga-st-gw-neu.ga.netz.yml | 591 ++++++++++++++++++++++++
 host_vars/ga-st-gw.ga.netz.yml | 10 +-
 host_vars/gw-campus.oopen.de.yml | 394 ++++++++++++++++
 host_vars/mm-rav.oopen.de.yml | 7 +-
 host_vars/o17.oopen.de.yml | 286 ++++--------
 host_vars/o34.oopen.de.yml | 2 +
 host_vars/o43.oopen.de.yml | 2 +-
 hosts | 11 +-
 14 files changed, 1175 insertions(+), 218 deletions(-)
 create mode 100644 host_vars/ga-st-gw-neu.ga.netz.yml
 create mode 100644 host_vars/gw-campus.oopen.de.yml
diff --git a/host_vars/backup.oopen.de.yml b/host_vars/backup.oopen.de.yml
index 0ba8363..1ed11ce 100644
--- a/host_vars/backup.oopen.de.yml
+++ b/host_vars/backup.oopen.de.yml
@@ -282,6 +282,7 @@ default_user:
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd'
diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml
index 9af20c5..24453a6 100644
--- a/host_vars/file-ah.kanzlei-kiel.netz.yml
+++ b/host_vars/file-ah.kanzlei-kiel.netz.yml 
@@ -168,6 +168,68 @@ resolved_fallback_nameserver:
 - 194.150.168.168
+# ---
+# vars used by roles/common/tasks/users
+# ---
+
+default_user:
+
+ - name: chris
+ password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: localadmin
+ user_id: 1051
+ group_id: 1051
+ group: localadmin
+ home: /home/localadmin
+ password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
+
+
+ - name: borg
+ user_id: 1065
+ group_id: 1065
+ group: borg
+ home: /home/borg
+ password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
+
+
+
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml
index 79e1409..4742a80 100644
--- a/host_vars/file-blkr.blkr.netz.yml
+++ b/host_vars/file-blkr.blkr.netz.yml
@@ -360,6 +360,14 @@ samba_user:
 groups:
 - buero
 password: 'N-ba2R+i/2eM'
+ - name: lap-01
+ groups:
+ - buero
+ password: 'X_2yYs2AIo.E'
+# - name: lap-02
+# groups:
+# - buero
+# password: 'N.i/_UXcG5C9'
 base_home: /data/home
diff --git a/host_vars/file-km.anw-km.netz.yml b/host_vars/file-km.anw-km.netz.yml
index 01bc6b8..14424c2 100644
--- a/host_vars/file-km.anw-km.netz.yml
+++ b/host_vars/file-km.anw-km.netz.yml
@@ -279,7 +279,7 @@ samba_user:
 - advoware
 - alle
 - kanzlei
- password: ''
+ password: 'YKQRa.M9-6rL'
 - name: aphex2
 groups:
diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml
index a961ff7..768a6be 100644
--- a/host_vars/ga-al-gw.oopen.de.yml
+++ b/host_vars/ga-al-gw.oopen.de.yml
@@ -184,6 +184,9 @@ network_interfaces:
 # User Networks Stockhausen
 - /sbin/ip route add 192.168.11.0/24 via 172.16.111.254
 - /sbin/ip route add 192.168.78.0/24 via 172.16.111.254
+ # User Networks Campus
+ #- /sbin/ip route add 192.168.72.0/24 via 172.16.111.254
+ #- /sbin/ip route add 192.168.73.0/24 via 172.16.111.254
 # User Network Novalishaus
 - /sbin/ip route add 192.168.81.0/24 via 172.16.111.254
 # Management Network Stockhausen
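Review bot: The new `borg` entry carries exactly the same password hash as `chris` (`$y$j9T$JPKlR6kIk7GJStSdmAQWq/…`), so the interactive admin password is reused for the backup service account and a compromise of either login exposes the other. Give `borg` its own hash, or, if that account is only ever reached through the listed `ssh_keys`, lock the password instead (`password: '!'`, assuming roles/common/tasks/users passes the value through unchanged). All five hashes are committed in clear text to git history; an ansible-vault encrypted vars file would keep them out of the plain repository. The key comment `root@backup.open.de` on the `back` and `borg` keys likely means `backup.oopen.de`, the name used by `ssh_keypair_backup_client` elsewhere in this patch; it is only a comment, but it makes the key harder to trace back to its host.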
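Review bot: `password: 'X_2yYs2AIo.E'` for the new samba user `lap-01` is a clear-text credential committed to the repository, and the commented-out `lap-02` block still leaks a second one (`'N.i/_UXcG5C9'`) although it is inactive; the file-km hunk directly below does the same with `'YKQRa.M9-6rL'`. Move these values into an ansible-vault encrypted file and reference them as variables, e.g. `password: "{{ vault_samba_lap_01 }}"` (variable name constructed), and delete the dead `lap-02` lines rather than keeping a secret inside a comment. The enclosing `samba_user:` list starts before both hunks.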
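Review bot: With the two campus routes commented out here and the `10.72.1.0/24` route in the next hunk, packets from this gateway to 192.168.72.0/24, 192.168.73.0/24 and 10.72.1.0/24 will follow the default route instead of the 172.16.111.254 link, so they presumably either leave through the DSL uplink or are dropped; that looks unintended, since ga-st-gw and the new ga-st-gw-neu in this same patch route exactly those prefixes on to 192.168.11.72. If the campus is meant to stay reachable from Altenschlirf the routes should remain active; if the removal is deliberate, a one-line comment such as `# campus prefixes intentionally not routed from Altenschlirf` explains it better than commented-out commands. The `post-up:` list these lines belong to begins outside the hunk.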
@@ -197,7 +200,7 @@ network_interfaces:
 # WLAN privat Novalishaus
 - /sbin/ip route add 10.31.0.0/20 via 172.16.111.254
 # Management Netork Campus
- - /sbin/ip route add 10.72.1.0/24 via 172.16.111.254
+ #- /sbin/ip route add 10.72.1.0/24 via 172.16.111.254
 # WLan Router Stockhausen
 - /sbin/ip route add 10.112.1.0/24 via 172.16.111.254
 # WLan Netz
diff --git a/host_vars/ga-campus-gw-temp.ga.netz.yml b/host_vars/ga-campus-gw-temp.ga.netz.yml
index 4b18188..04ae8a4 100644
--- a/host_vars/ga-campus-gw-temp.ga.netz.yml
+++ b/host_vars/ga-campus-gw-temp.ga.netz.yml
@@ -33,6 +33,18 @@ network_interfaces:
 # - 172.16.81.254
 #search: ga.netz ga.intra
+ - device: eno2
+ headline: eno2 - Uplink Lehrer-und Schülerdatenbank (LUSD)
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.100.254
+ netmask: 24
+ post-up:
+ # Traffic zur ehrer-und Schülerdatenbank (LUSD)
+ - /sbin/ip route add 10.9.131.0/24 via 192.168.100.253
+
+
 - device: eno3
 family: inet
diff --git a/host_vars/ga-st-gw-neu.ga.netz.yml b/host_vars/ga-st-gw-neu.ga.netz.yml
new file mode 100644
index 0000000..f0b006d
--- /dev/null
+++ b/host_vars/ga-st-gw-neu.ga.netz.yml
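Review bot: The post-up comment `# Traffic zur ehrer-und Schülerdatenbank (LUSD)` has lost the first letter of `Lehrer-`; the identical eno2 block, typo included, is duplicated in the new gw-campus.oopen.de.yml, so correct both. Both gateways now configure eno2 with 192.168.100.254 and the same route to 10.9.131.0/24 via 192.168.100.253, so a short comment stating which host is the live LUSD uplink while this `-temp` host still exists would help avoid a duplicate address if both are up at the same time. The `network_interfaces:` list continues beyond the hunk.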
@@ -0,0 +1,591 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1np0 + headline: eno1np0 - Temporary LAN network + auto: true + family: inet + method: static + address: 192.168.11.18 + netmask: 24 + + - device: enp129s0f2 + headline: enp129s0f2 - Uplink static line (radio) to Altenschlirf + auto: true + family: inet + method: static + address: 172.16.111.254 + netmask: 24 + up: + # - For management Antennas + - /sbin/ip link add link enp129s0f2 name enp129s0f2.111 type vlan id 111 + post-up: + # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) + # - + # - Telefon Altenshlirf + - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253 + # User Network Altenshlirf + - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253 + # Management Network Altenschlirf + - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253 + # WLan Router (Accesspoints) Altenshlirf + - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253 + # # WLan Networks Altenshlirf + - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 + # DSL via Fritzbox Altenschlirf + - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network) + - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network) + - /sbin/ip route add 10.231.0.0/20 via 172.16.111.253 + # VPN home Network Altenschlirf + # + - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 + # VPN 'gw-ckubu' Network Altenschlirf + # + - /sbin/ip route add 10.1.10.0/24 via 172.16.111.253 
+ # private networks 'ckubu' + # + # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), + # so we route them back to that gateway.. + - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253 + - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 + + + - device: enp129s0f2.111 + headline: enp129s0f2.111 - network 10.10.111.0 (management antennas) + auto: true + family: inet + method: static + address: 10.10.111.254 + netmask: 24 + + + - device: enp1s0f0 + headline: enp1s0f0 - holds VLAN 211 device for Network Telefons Stockhausen + auto: false + family: inet + method: manual + up: + - /sbin/ip link add link enp1s0f0 name enp1s0f0.211 type vlan id 211 + + + - device: enp1s0f0.211 + headline: enp1s0f0.211 - Network Telefons Stockhausen + auto: true + family: inet + method: static + # Note: + # !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon). + # This LANCom Router IS NOT pngable !! + address: 172.16.211.1 + netmask: 24 + pre-up: + - /sbin/ifconfig enp1s0f0 up + + + - device: enp1s0f2 + headline: enp1s0f2 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) + auto: true + family: inet + method: static + address: 172.16.11.1 + netmask: 24 + gateway: 172.16.11.254 + + + - device: enp1s0f3 + headline: enp1s0f3 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 + auto: true + family: inet + method: static + address: 172.16.13.1 + netmask: 24 + gateway: 172.16.13.254 + + + - device: enp1s0f1 + headline: enp1s0f1 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) + auto: true + family: inet + method: static + address: 172.16.12.1 + netmask: 24 + gateway: 172.16.12.254 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond0 + headline: bond0 - LAG (Link Aggregation) on devices enp129s0f0 and enp194s0f0 + auto: true + family: inet + method: static + address: 10.1.9.254 + 
netmask: 24 + bond: + slaves: enp129s0f0 enp194s0f0 + # Mode 4 (802.3ad) + # + # also possible here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24 + - /sbin/ip link add link bond0 name bond0.11 type vlan id 11 + # VLAN 78 for network Georgshaus 192.168.78.0/24 + - /sbin/ip link add link bond0 name bond0.78 type vlan id 78 + + + - device: bond0.11 + headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen) + auto: true + family: inet + method: static + address: 10.10.11.254 + netmask: 24 + + + - device: bond0.78 + headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?) + auto: true + family: inet + method: static + address: 192.168.78.254 + netmask: 24 + + + # ---------- + # Note: Install the 'ifenslave' package, necessary to enable bonding: + # + # apt-get install ifenslave + # ---------- + - device: bond1 + headline: bond1 - LAG (Link Aggregation) on devices enp129s0f1 and enp194s0f1 - Main Network Stockhausen + auto: true + family: inet + method: static + address: 192.168.11.254 + netmask: 24 + nameservers: + - 192.168.11.1 + - 192.168.10.3 + search: ga.netz ga.intra + bond: + slaves: enp129s0f1 enp194s0f1 + # Mode 4 (802.3ad) + # + # also possible here: + # - Mode 5: balance-tlb + # - Mode 6: balance-alb + mode: 4 + miimon: 100 + lacp-rate: 1 + ad-select: count + downdelay: 200 + updelay: 200 + post-up: + # VLAN 121 - for Ubiquiti UniFi Accesspoints + - /sbin/ip link add link bond1 name bond1.121 type vlan id 121 + # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests + - /sbin/ip link add link bond1 name bond1.131 type vlan id 131 + # Route ??? 
+ - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 + # Route to management network campus + - /sbin/ip route add 10.72.1.0/24 via 192.168.11.72 + # Route to LAN campus + - /sbin/ip route add 192.168.72.0/24 via 192.168.11.72 + # Route to WLAN campus + - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72 + + + - device: bond1.121 + headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET + auto: true + family: inet + method: static + address: 10.121.15.254 + netmask: 20 + + + - device: bond1.131 + headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET + auto: true + family: inet + method: static + address: 10.131.15.254 + netmask: 20 + + + - device: bond1:ns + headline: bond1:ns - Alias IP on bond1 device for Nameservice + auto: true + family: inet + method: static + address: 192.168.11.1 + netmask: 32 + + + - device: bond1:1 + headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network + auto: true + family: inet + method: static + address: 10.10.9.254 + netmask: 24 + + + - device: bond1:ap + headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints + auto: true + family: inet + method: static + address: 10.112.1.254 + netmask: 24 + post-up: + # - Wireless Networks routed through appropriate Accesspoints + # - + - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1 + - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2 + - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3 + - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4 + - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5 + - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6 + - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7 + - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8 + - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9 + - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10 + - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11 + - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12 + - /sbin/ip route add 
10.113.13.0/24 via 10.112.1.13 + - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14 + - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 + + + - device: bond1:ipmi + headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen + auto: true + family: inet + method: static + address: 10.11.11.254 + netmask: 24 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: 
+# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 192.168.10.1 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: maadmin + password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + + - name: wadmin + password: 
$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - maadmin + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# 
--- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Gateway Stockhausen' + - 192.168.11.1 + - '# Domain Controller Stockhausen' + - 192.168.10.3 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - '# Domain Controller Altenschlirf' + - 192.168.10.3 + - 192.168.10.6 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + - '# Mail Relay System' + - 192.168.10.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - internaldns + +bind9_transfer_source: !!str "192.168.11.1" +bind9_notify_source: !!str "192.168.11.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml index b079341..67745f7 100644 --- a/host_vars/ga-st-gw.ga.netz.yml +++ b/host_vars/ga-st-gw.ga.netz.yml 
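Review bot: `pre-up: - /sbin/ifconfig enp1s0f0 up` on `enp1s0f0.211` depends on net-tools, which is not among `network_interface_required_packages` (vlan, bridge-utils, ifmetric, ifupdown, ifenslave), so on a host without that package the VLAN interface will not come up; every other hook in this file already uses iproute2, so `- /sbin/ip link set enp1s0f0 up` removes the dependency (the `eno3`/`eno4` pre-ups in the new gw-campus.oopen.de.yml have the same problem). `network_manage_devices: True` and `network_interface_reload: False` use capitalised booleans while the rest of the file writes `true`/`false`; spell them the same way. The `root_user` hash `$6$J1ssJfdshf/$…` is byte-identical to the one in gw-campus.oopen.de.yml, i.e. one root password shared by both gateways and stored in plain git history; per-host hashes kept in an ansible-vault file would be the fix. The headline of `bond1.121` calls it the Guest NET and `bond1.131` the private NET, but the `post-up` comments on bond1 label VLAN 121 as plain Accesspoints and VLAN 131 as Guests; one of the two descriptions is wrong and whoever debugs this later will trust the wrong one.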
@@ -181,7 +181,7 @@ network_interfaces:
 # apt-get install ifenslave
 # ----------
 - device: bond1
- headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen
+ headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen
 auto: true
 family: inet
 method: static
@@ -192,7 +192,7 @@ network_interfaces:
 - 192.168.10.3
 search: ga.netz ga.intra
 bond:
- slaves: eth1 eth5
+ slaves: eth3 eth5
 # Mode 4 (802.3ad)
 #
 # also possible here:
@@ -212,7 +212,11 @@ network_interfaces:
 # Route ???
 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
 # Route to management network campus
- - /sbin/ip route add 10.72.4.0/24 via 192.168.11.72
+ - /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
+ # Route to LAN campus
+ - /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
+ # Route to WLAN campus
+ - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
 - device: bond1.121
diff --git a/host_vars/gw-campus.oopen.de.yml b/host_vars/gw-campus.oopen.de.yml
new file mode 100644
index 0000000..790783a
--- /dev/null
+++ b/host_vars/gw-campus.oopen.de.yml
@@ -0,0 +1,394 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via (static) line to Fritz!Box 7490 + auto: true + family: inet + method: static + address: 172.16.72.1 + netmask: 24 + gateway: 172.16.72.254 + #nameservers: + # - 192.168.81.1 + # - 172.16.81.254 + #search: ga.netz ga.intra + + - device: eno2 + headline: eno2 - Uplink Lehrer-und Schülerdatenbank (LUSD) + auto: true + family: inet + method: static + address: 192.168.100.254 + netmask: 24 + post-up: + # Traffic zur ehrer-und Schülerdatenbank (LUSD) + - /sbin/ip route add 10.9.131.0/24 via 192.168.100.253 + + + + - device: eno3 + family: inet + method: manual + post-up: + # VLAN 10 LAN 1 Campus + - /sbin/ip link add link eno3 name eno3.10 type vlan id 10 + + - device: eno3:ns + headline: eno3:ns - Alias on eno3 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.72.1 + netmask: 32 + + - device: eno3.10 + headline: eno3.10 - LAN 1 Campus - network 192.168.72.0/24 + auto: true + family: inet + method: static + address: 192.168.72.254 + netmask: 24 + pre-up: + - /sbin/ifconfig eno3 up + + + - device: eno4 + family: inet + method: manual + post-up: + # VLAN 20 - LAN 2 Campus including UniFi Accesspoints + - /sbin/ip link add link eno4 name eno4.20 type vlan id 20 + + - device: eno4.20 + headline: eno4.20 - LAN 2 Campus - network 192.168.73.0/24 + auto: true + family: inet + method: static + address: 192.168.73.254 + netmask: 24 + pre-up: + - /sbin/ifconfig eno4 up + + + - device: eno6 + headline: eno6 - Management Network Campus - 
network 10.72.1.0/24 + auto: true + family: inet + method: static + address: 10.72.1.254 + netmask: 24 + + + - device: eno7 + headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen) + auto: true + family: inet + method: static + address: 192.168.11.72 + #gateway: 192.168.11.254 + netmask: 24 + + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 
185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - campus.netz + - campus.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: maadmin + password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + + - name: wadmin + password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - maadmin + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true 
+ +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Gateway Stockhausen' + - 192.168.11.1 + - '# Domain Controller Stockhausen' + - 192.168.10.3 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - '# Domain Controller Altenschlirf' + - 192.168.10.3 + - 192.168.10.6 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + - '# Mail Relay System' + - 192.168.10.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +bind9_transfer_source: !!str "192.168.81.1" +bind9_notify_source: !!str "192.168.81.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/mm-rav.oopen.de.yml b/host_vars/mm-rav.oopen.de.yml index 96b3708..f471eeb 100644 --- a/host_vars/mm-rav.oopen.de.yml +++ b/host_vars/mm-rav.oopen.de.yml 
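Review bot: `bind9_transfer_source: !!str "192.168.81.1"` and `bind9_notify_source: !!str "192.168.81.1"` name an address this host does not configure anywhere — its nameserver alias `eno3:ns` is 192.168.72.1, and 192.168.81.1 is listed in the `internaldns` ACL as the Novalishaus gateway's nameserver — which looks like a carry-over from that host's vars. BIND cannot send from a non-local address, so notifies configured this way fail at send time; both values should presumably read `!!str "192.168.72.1"`. `eno3` and `eno4` carry neither `auto` nor `headline`, and whether the role brings a `manual` interface up without `auto` is not visible here; the child VLANs only force them up through `pre-up: - /sbin/ifconfig eno3 up`, which needs net-tools, a package missing from `network_interface_required_packages`, so `- /sbin/ip link set eno3 up` (and the same for eno4) is the safer form. `resolved_fallback_nameserver` points at the public 194.150.168.168 while `resolved_nameserver` is 127.0.0.1, so lookups for internal names go to an external resolver whenever local BIND is down; that may be acceptable, but deserves a comment.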
@@ -123,11 +123,16 @@ cron_user_special_time_entries: job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" insertafter: PATH + - name: "Check if mattermost service is running. Restart service if needed." + special_time: reboot + job: "sleep 10 ; /root/bin/monitoring/check_local_mattermost_service.sh > /dev/null 2>&1" + insertafter: PATH + cron_user_entries: - name: "Check if mattermost service ist running - Restart Service if needed." - minute: '*/6' + minute: '*/16' hour: '*' job: /root/bin/monitoring/check_local_mattermost_service.sh diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index 846d75e..b9597ca 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml @@ -63,8 +63,6 @@ network_interfaces: # search: warenform.de # nameservers: - - 195.201.179.131 - - 95.217.204.204 search: oopen.de warenform.de # optional additional subnets/ips subnets: [] @@ -105,6 +103,13 @@ network_interfaces: vlan: {} # inline hook scripts + # + # example: + # + # up: + # - !!str "ip addr add 83.223.86.115/24 dev br0" + # - !!str "ip route add default via 83.223.86.1" + # pre-up: [] # pre-up script lines up: - !!str "ip addr add 83.223.85.203/24 dev br0" @@ -113,6 +118,7 @@ network_interfaces: pre-down: [] # pre-down script lines (alias for down) down: [] # down script lines post-down: [] # post-down script lines + # --- # vars used by roles/ansible_dependencies 
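Review bot: The new schedule `minute: '*/16'` does not divide the hour evenly, so the check fires at :00, :16, :32, :48 and then again at :00, a 12-minute gap followed by 16-minute gaps; if the intent was simply to poll less often than every 6 minutes, `minute: '*/15'` or `'*/20'` gives a regular cadence. The added reboot entry sleeps only 10 seconds before running the same `check_local_mattermost_service.sh`; on a slow boot that can run before the mattermost unit has finished starting and trigger a needless restart, so either a longer delay or a "unit is still activating" guard inside the script would be safer (the script is not in this diff, so I cannot confirm what it checks). The name of the existing entry, `ist running`, is a German/English typo on the context line above the changed `minute` and could be corrected to `is running` while the entry is being edited.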
@@ -139,6 +145,76 @@ network_interfaces: # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 195.201.179.131 + - 95.217.204.204 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/cron.yml # --- 
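Review bot: `resolved_dnssec: false` switches DNSSEC validation off for every lookup on o17 and nothing in the hunk says why; if the two upstreams `195.201.179.131` and `95.217.204.204` (the same addresses removed from the interface config earlier in this commit) validate, `resolved_dnssec: allow-downgrade` keeps validation where it works without breaking lookups where it does not — please confirm against what the systemd-resolved role renders into resolved.conf. The fallback `194.150.168.168` is a third-party resolver that will receive this host's queries in clear text whenever the primaries are unreachable; if the role exposes `DNSOverTLS`, it is worth setting, otherwise a one-line comment stating why that fallback is trusted. The ~50 commented lines listing CyberGhost, Cloudflare, Google, Quad9, OpenNIC and Freifunk servers are German marketing copy that configures nothing; replacing them with something like `# Upstream resolvers for this host; fallback is dns.as250.net` keeps the file readable and in English like the rest of the repo's comments.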
@@ -156,7 +232,7 @@ cron_user_special_time_entries: - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot - job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + job: "sleep 5 ; /bin/systemctl restart systemd-resolved > /dev/null 2>&1" insertafter: PATH - name: "Check if postfix mailservice is running. Restart service if needed." 
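Review bot: Appending `> /dev/null 2>&1` to the reboot-time `systemctl restart systemd-resolved` discards the only failure signal cron would have produced, the daemon's stderr delivered by cron mail; since this commit also removes the static nameservers from the interface definition, a silently failed restart leaves o17 without name resolution and nobody told. Keep stderr, e.g. `job: "sleep 5 ; /bin/systemctl restart systemd-resolved > /dev/null"`, or send it to the journal with `2>&1 | logger -t cron-resolved`. The `cron_user_special_time_entries` list continues outside this hunk.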
@@ -250,210 +326,6 @@ git_firewall_repository: # vars used by roles/common/tasks/samba-user.yml # --- -samba_server_ip: 83.223.85.203 -samba_server_cidr_prefix: 24 - -samba_workgroup: AH - -samba_netbios_name: FILE-AH - -samba_groups: - - name: verwaltung - group_id: 1200 - - name: intern - group_id: 1210 - - name: hoffmann-elberling - group_id: 1220 - - name: gubitz-partner - group_id: 1230 - -samba_user: - - name: buero - groups: - - verwaltung - - intern - password: 'buero2011' - - name: axel - groups: - - intern - - verwaltung - - hoffmann-elberling - password: 'ah-kiel.2018' - - name: bjoern - groups: - - intern - - verwaltung - - hoffmann-elberling - password: 'bjoern2011' - - name: gubitz - groups: - - intern - - verwaltung - - gubitz-partner - password: '20gubitz12' - - name: schaar - groups: - - intern - - verwaltung - - gubitz-partner - password: '20schaar12' - - name: molkentin - groups: - - intern - - verwaltung - - gubitz-partner - password: 20molkentin12 - - name: buerooben - groups: - - intern - - verwaltung - - hoffmann-elberling - password: 'buero2013' - - name: back - groups: [] - password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63643330373231636537366333326630333265303265653933613835656262323863363038653234 - 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 - 61313164643061306433643738643563303036646334376536626531383965303036386162393832 - 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 - 3631 - - name: buchholz - groups: - - buero - - intern - - verwaltung - password: '20-buch_holz-20' - - name: schmidt - groups: - - intern - - verwaltung - - gubitz-partner - password: '20-schmidt_21%' - - name: kiel-nb1 - groups: - - buero - - intern - - verwaltung - - gubitz-partner - - hoffmann-elberling - password: '20-note%book1-20' - - name: kiel-nb2 - groups: - - buero - - intern - - verwaltung - - gubitz-partner - - hoffmann-elberling - password: '20-note%book2-20' - - name: chris - 
groups: - - buero - - intern - - verwaltung - - gubitz-partner - - hoffmann-elberling - password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63643330373231636537366333326630333265303265653933613835656262323863363038653234 - 3462653135633266373439626263356636646637643035340a653466356235346663626163306363 - 61313164643061306433643738643563303036646334376536626531383965303036386162393832 - 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 - 3631 - -base_home: /home - -# remove_samba_users: -# - name: name1 -# - name: name2 -# -remove_samba_users: [] - -samba_shares: - - name: profiles-RDP - comment: Users profiles RDP - path: /data/samba/profiles-RDP - guest_ok: !!str no - browseable: !!str no - valid_users: '%S' - file_create_mask: !!str 600 - dir_create_mask: !!str 700 - - - name: Buero - path: /data/samba/shares/Buero - group_valid_users: intern - group_write_list: intern - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - recycle_path: recycle - - - name: Verwaltung - path: /data/samba/shares/Verwaltung - group_valid_users: verwaltung - group_write_list: verwaltung - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: recycle - - - name: Scans_schnell - path: /data/samba/shares/Scans_schnell - group_valid_users: intern - group_write_list: intern - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - recycle_path: recycle - - - name: Hoffmann-Elberling - path: /data/samba/shares/Hoffmann-Elberling - group_valid_users: hoffmann-elberling - group_write_list: hoffmann-elberling - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - recycle_path: recycle - - - name: Gubitz-Partner - path: /data/samba/shares/Gubitz-Partner - group_valid_users: gubitz-partner - group_write_list: gubitz-partner - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - vfs_object_recycle: true - 
recycle_path: recycle - - - name: Gubitz-Backup - path: /data/samba/shares/Gubitz-Backup - group_valid_users: gubitz - group_write_list: gubitz - file_create_mask: !!str 660 - dir_create_mask: !!str 2770 - vfs_object_recycle: true - recycle_path: recycle - - - name: WinServer2016-Backup - comment: WinServer2016-Backup on Fileserver - path: /data/samba/shares/WinServer2016-Backup - group_valid_users: {} - group_write_list: {} - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - guest_ok: !!str yes - vfs_object_recycle: true - recycle_path: {} - - - name: Advoware-Backup - comment: Advoware-Backup (only read) on Fileserver - path: /data/samba/shares/Advoware-Backup - group_valid_users: back - group_write_list: back - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 - guest_ok: !!str yes - vfs_object_recycle: true - # ============================== diff --git a/host_vars/o34.oopen.de.yml b/host_vars/o34.oopen.de.yml index 450fe50..df692f1 100644 --- a/host_vars/o34.oopen.de.yml +++ b/host_vars/o34.oopen.de.yml @@ -345,6 +345,8 @@ cron_user_entries: sudoers_file_user_privileges: - name: back entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php' + - name: www-data + entry: 'ALL=(root) NOPASSWD: /root/bin/nextcloud/add-new-account.sh' # --- diff --git a/host_vars/o43.oopen.de.yml b/host_vars/o43.oopen.de.yml index 3b854f4..f8a9b34 100644 --- a/host_vars/o43.oopen.de.yml +++ b/host_vars/o43.oopen.de.yml @@ -249,7 +249,7 @@ cron_user_special_time_entries: - name: "Restart NTP service 'ntpsec'" special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" + job: "sleep 2 ; /bin/systemctl restart ntpsec > /dev/null 2>&1" insertafter: PATH diff --git a/hosts b/hosts index c5675ed..b62fba1 100644 --- a/hosts +++ b/hosts 
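Review bot: The new sudoers entry `www-data ALL=(root) NOPASSWD: /root/bin/nextcloud/add-new-account.sh` lets the web-server account run a script as root with any arguments, so every flaw in that script's argument handling becomes a root escalation reachable from the web application; it is the most consequential line in this commit and carries no comment. At minimum pin the argument form in the entry (sudo matches arguments literally: `/root/bin/nextcloud/add-new-account.sh ""` allows none, otherwise a fixed pattern), make sure the script is root-owned and not group/world-writable, validates each argument and never passes it through a shell unquoted, and consider a dedicated unprivileged service account or a socket-activated helper instead of sudo from `www-data`. A comment naming the endpoint that calls it and why root is required belongs next to the entry. The script itself is not in this diff, so I cannot confirm what it does with its input.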
@@ -77,9 +77,10 @@ at-10-neu.ak.netz ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz +ga-st-gw-neu.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de -ga-campus-gw-temp.ga.netz +gw-campus.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz ga-st-mm.ga.netz @@ -561,9 +562,10 @@ gw-d11.oopen.de # - GA - Gemeinschaft Altensclirf ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz +ga-st-gw-neu.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de -ga-campus-gw-temp.ga.netz +gw-campus.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz @@ -1925,9 +1927,10 @@ k1371.dyndns.org ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz +ga-st-gw-neu.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de -ga-campus-gw-temp.ga.netz +gw-campus.oopen.de # Gateway/Firewall Server office network @@ -2007,7 +2010,7 @@ ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz ga-al-relay.ga.netz ga-nh-gw.oopen.de.yml -ga-campus-gw-temp.ga.netz +gw-campus.oopen.de ga-st-lxc1.ga.netz ga-st-mail.ga.netz ga-st-services.ga.netz
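Review bot: The context line `ga-nh-gw.oopen.de.yml` immediately above the renamed `gw-campus.oopen.de` entry in the last hunk is an inventory hostname with a `.yml` suffix, which looks like a host_vars filename pasted into `hosts`; Ansible will treat it as a host literally named `ga-nh-gw.oopen.de.yml`, fail to reach it, and never apply `host_vars/ga-nh-gw.oopen.de.yml` for that group, so it should read `ga-nh-gw.oopen.de` as it does in the three earlier hunks. This is pre-existing, but the commit edits the neighbouring line and is the natural place to fix it. The group comment `# - GA - Gemeinschaft Altensclirf` also misspells the place name that appears as `Altenschlirf` elsewhere in this patch.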