From 5fe32c6473c6e2093153b0c6bfac6a7731752500 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 21 Jan 2025 16:53:58 +0100
Subject: [PATCH] update..
---
ansible-dependencies-ububtu-noble-sudo.yml | 8 +
environments/ubuntu-server/files | 1 +
environments/ubuntu-server/inventory | 37 ++
group_vars/all/main.yml | 124 +++-
host_vars/backup.oopen.de.yml | 3 +
host_vars/file-blkr.blkr.netz.yml | 4 +
host_vars/file-dissens.dissens.netz.yml | 14 +
host_vars/file-km.anw-km.netz.yml | 2 +
host_vars/ga-st-gw.ga.netz.yml | 13 +-
host_vars/ga-st-gw.oopen.de.yml | 551 ------------------
host_vars/mm-migration.oopen.de.yml | 141 +++++
hosts | 39 +-
main.yml | 8 +-
mm-irights-migration.oopen.de.yml | 147 +++++
playbook.yml | 58 ++
.../tasks/main.yml | 47 ++
.../mailserver/etc/postfix/postfwd.bl-hosts | 2 +-
.../mailserver/etc/postfix/postfwd.bl-nets | 2 +-
roles/common/tasks/apt.yml | 10 +
roles/common/tasks/main.yml | 4 +
roles/common/tasks/motd.yml | 9 +-
roles/common/tasks/show.yml | 7 +
roles/firewall/defaults/main.yml | 4 +-
roles/firewall/handlers/main.yml | 6 -
roles/ubuntu-server/tasks/main.yml | 49 ++
25 files changed, 717 insertions(+), 573 deletions(-)
create mode 100644 ansible-dependencies-ububtu-noble-sudo.yml
create mode 120000 environments/ubuntu-server/files
create mode 100644 environments/ubuntu-server/inventory
delete mode 100644 host_vars/ga-st-gw.oopen.de.yml
create mode 100644 host_vars/mm-migration.oopen.de.yml
create mode 100644 mm-irights-migration.oopen.de.yml
create mode 100644 playbook.yml
create mode 100644 roles/ansible_dependencies-ubuntu-noble/tasks/main.yml
create mode 100644 roles/common/tasks/show.yml
create mode 100644 roles/ubuntu-server/tasks/main.yml
diff --git a/ansible-dependencies-ububtu-noble-sudo.yml b/ansible-dependencies-ububtu-noble-sudo.yml
new file mode 100644
index 0000000..30f8f05
--- /dev/null
+++ b/ansible-dependencies-ububtu-noble-sudo.yml
@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+ gather_facts: false
+
+ roles:
+ - ansible_dependencies-ubuntu-noble
+ - ansible_user_debian
diff --git a/environments/ubuntu-server/files b/environments/ubuntu-server/files
new file mode 120000
index 0000000..81016f4
--- /dev/null
+++ b/environments/ubuntu-server/files
@@ -0,0 +1 @@
+../../files
\ No newline at end of file
diff --git a/environments/ubuntu-server/inventory b/environments/ubuntu-server/inventory
new file mode 100644
index 0000000..52adf21
--- /dev/null
+++ b/environments/ubuntu-server/inventory
@@ -0,0 +1,37 @@
+[ansible_dependencies]
+formbricks-nd.oopen.de
+
+[initial_setup]
+formbricks-nd.oopen.de
+
+[lxc_guest]
+formbricks-nd.oopen.de
+
+
+[lxc_host]
+
+
+
+[docker_host]
+
+[kvm_host]
+
+[oopen_office_server]
+
+[samba_server]
+
+[jitsi_meet_server]
+
+[mysql_server]
+
+[postgresql_server]
+
+[apache2_webserver]
+
+[nextcloud_server]
+
+[dns_server]
+
+[mail_server]
+
+[webadmin]
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 5ccdc96..4d3c03f 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
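Review bot: The new playbook's file name spells the release as `ububtu` (`ansible-dependencies-ububtu-noble-sudo.yml`) while the role it pulls in is `ansible_dependencies-ubuntu-noble`, so the two will not be found together by a plain search; rename the file to `ansible-dependencies-ubuntu-noble-sudo.yml` before anything starts referencing it. The play also carries no `name:`, which makes its output and any ansible-lint run less readable; `- name: Install Ansible dependencies on Ubuntu noble (sudo)` on the line above `hosts:` would do. `gather_facts: false` is presumably deliberate because the target may not have Python until the dependency role has run — a one-line comment saying so would keep a later reader from switching it back on.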
@@ -976,6 +976,122 @@ apt_initial_install_jammy:
 - ifupdown
 - socat
+apt_initial_install_ubuntu_noble:
+ - cryptsetup
+ - dbus
+ - openssh-server
+ - rush
+ - bash
+ - bash-completion
+ - vim
+ - vim-common
+ - vim-doc
+ - mc
+ - screen
+ - tmux
+ - cron
+ - bc
+ - figlet
+ - sudo
+ - rsync
+ - dselect
+ - iputils-ping
+ - apt-utils
+ - aptitude
+ - zip
+ - unzip
+ - bzip2
+ - arj
+ - locate
+ - curl
+ - gawk
+ - mawk
+ - lynx
+ - links
+ - w3m
+ - universal-ctags
+ - file
+ - coreutils
+ - moreutils
+ - less
+ - sipcalc
+ - psmisc
+ - dnsutils
+ - rblcheck
+ - whois
+ - gettext
+ - gettext-base
+ - gettext-doc
+ - debian-keyring
+ - patch
+ - patchutils
+ - recode
+ - recode-doc
+ - librecode0
+ - librecode-dev
+ - sharutils
+ - perl
+ - perl-modules
+ - perl-doc
+ - libperl-dev
+ - libreadline-dev
+ - libterm-readline-gnu-perl
+ - libterm-readline-perl-perl
+ - libterm-readkey-perl
+ - libmail-imapclient-perl
+ - libtime-duration-perl
+ - libtimedate-perl
+ - libwww-perl
+ - libpcre3
+ - libio-compress-perl
+ - re2c
+ - util-linux
+ - parted
+ - lshw
+ - gdisk
+ - smartmontools
+ - tcpdump
+ - unhide
+ - lsof
+ - hdparm
+ - groff
+ - iproute2
+ - bridge-utils
+ - vlan
+ - ethtool
+ - wipe
+ - iperf
+ - mtr
+ - iptraf
+ - wget
+ - logrotate
+ - rsyslog
+ - haveged
+ - rdate
+ - ntpdate
+ - wipe
+ - man
+ - groff
+ - iptables
+ - shellcheck
+ - ssl-cert
+ - ssl-cert-check
+ - git
+ - ftp
+ - htop
+ - net-tools
+ - lsb-release
+ - attr
+ - acl
+ - quota
+ - quotatool
+ - needrestart
+ - socat
+ - zsh
+ - lua5.4
+ - btrfs-progs
+ - fdisk
+
 install_compiler_pkgs: false
 apt_compiler_pkgs:
 - g++
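Review bot: `wipe` and `groff` each appear twice in the new `apt_initial_install_ubuntu_noble` list (`wipe` after `ethtool` and again after `ntpdate`; `groff` after `hdparm` and again after `man`); apt tolerates the repetition, but the duplicates should be dropped so the list stays reviewable and diffs cleanly. The new variable also breaks the naming pattern of the existing `apt_initial_install_jammy` directly above it — `apt_initial_install_noble` would match, and whatever task selects the list by release codename will presumably be simpler for it. If the `_ubuntu_noble` form is needed to distinguish it from a Debian list, a one-line comment above the key saying so would settle the question.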
@@ -1918,11 +2034,11 @@ tor_hidden_service_port:
 # vars used by modify-munin-ip.yml
 # ---
-munin_remote_ipv4: 135.181.136.84
-munin_remote_ipv6: 2a01:4f9:3a:1051::84
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::227
-munin_remote_ipv4_old: 95.217.64.122
-munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4_old: 135.181.136.84
+munin_remote_ipv6_old: 2a01:4f9:3a:1051::84
 # ---
diff --git a/host_vars/backup.oopen.de.yml b/host_vars/backup.oopen.de.yml
index 5a946c7..748a206 100644
--- a/host_vars/backup.oopen.de.yml
+++ b/host_vars/backup.oopen.de.yml
@@ -262,8 +262,10 @@ default_user:
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZkez42c+5KVt/ZOhwslO321ibzV02oMImImRGNBIRD root@backup.warenform.de'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKT+QOy+R6O4ojAeB7y/CRMmfbB19rFstvEW7saHpHMX root@c.mx'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXaxrm1MdUsiGviWJX/LaaaTaHga7+GKXYZPjUr5aBV root@chamaesiphon'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORi7e7u0KhCkCB8iCmPud0hzCwnJVhxpPmy8vFFkFgY root@cl-dissens'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
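Review bot: `munin_remote_ipv6: 2a01:4f9:3070:2bda::227` here does not match the value the same commit writes into `main.yml` (`munin_remote_ipv6: 2a01:4f9:3070:2bda::22` in the hunk at its line 1908); both files carried identical old values, so one of the two new ones is presumably a typo. The new IPv4 ends in `.227` and the previous pairs (`.84`/`::84`, `.122`/`::122`) follow the same last-octet convention, which suggests `::227` is intended and `main.yml` should read `munin_remote_ipv6: 2a01:4f9:3070:2bda::227`. If this value feeds a firewall allow rule in modify-munin-ip.yml, a wrong address shows up only as silently failing IPv6 polling, so please confirm it against the munin server's actual address before rolling out.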
@@ -307,6 +309,7 @@ default_user:
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
 - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJvhepf3kho9zJz1QO52aLbr4/Rim/FLdENg1GNKCPx root@o32'
diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml
index acc7623..79e1409 100644
--- a/host_vars/file-blkr.blkr.netz.yml
+++ b/host_vars/file-blkr.blkr.netz.yml
@@ -339,6 +339,10 @@ samba_user:
 groups:
 - buero
 password: '4/zCNXnVF7+i'
+ - name: refa
+ groups:
+ - buero
+ password: 'Mehringdamm40'
 - name: ref1
 groups:
 - buero
diff --git a/host_vars/file-dissens.dissens.netz.yml b/host_vars/file-dissens.dissens.netz.yml
index f125078..94661a9 100644
--- a/host_vars/file-dissens.dissens.netz.yml
+++ b/host_vars/file-dissens.dissens.netz.yml
@@ -311,6 +311,7 @@ samba_user:
 groups:
 - projekte
 - team
+ - verwaltung
 password: '20/3l3n0r-fa3llg3em/24?'
 - name: johanna.hess
@@ -355,6 +356,13 @@ samba_user:
 - projekte
 password: '20-0l4f_stuve_24?"'
+ - name: ralph.klesch
+ groups:
+ - projekte
+ - team
+ - verwaltung
+ password: '20/r4lph-kl3sch.24-'
+
 - name: rositsa.mahdi
 groups:
 - projekte
@@ -368,6 +376,12 @@ samba_user:
 - verwaltung
 password: '20.s4r4h_kl3mm-24!'
+ - name: sebastian.scheele
+ groups:
+ - projekte
+ - team
+ password: '20/s3-bast1an+sch33l3_24-'
+
 - name: simon.krugmann
 groups:
 - projekte
diff --git a/host_vars/file-km.anw-km.netz.yml b/host_vars/file-km.anw-km.netz.yml
index 48cb78d..d366b95 100644
--- a/host_vars/file-km.anw-km.netz.yml
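Review bot: The new `refa` entry adds another clear-text Samba `password:` value to a host_vars file that is committed to the repository, and the three `file-dissens.dissens.netz.yml` hunks in this commit do the same for `ralph.klesch` and `sebastian.scheele`. Anyone with read access to the repository or its history obtains these credentials, and rotating them later does not remove the old values from git history. Encrypt each value in place with `ansible-vault encrypt_string` (the key becomes `password: !vault |` followed by the ciphertext) or move the `samba_user` passwords into a vaulted vars file; the consuming task should need no change, since the decrypted value is the same string. The `refa` value additionally reads like a street address rather than a generated secret, so it is worth regenerating before it is vaulted.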
+++ b/host_vars/file-km.anw-km.netz.yml
@@ -413,6 +413,7 @@ samba_user:
 - name: irina
 groups:
+ - advoware
 - alle
 - aulmann
 - howe
@@ -423,6 +424,7 @@ samba_user:
 - name: jessica
 groups:
+ - advoware
 - alle
 - aulmann
 - howe
diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml
index 908b82f..7511c02 100644
--- a/host_vars/ga-st-gw.ga.netz.yml
+++ b/host_vars/ga-st-gw.ga.netz.yml
@@ -200,8 +200,10 @@ network_interfaces:
 downdelay: 200
 updelay: 200
 post-up:
- # VLAN 121 - for Ubiquiti UniFi Accesspoints)
+ # VLAN 121 - for Ubiquiti UniFi Accesspoints
 - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
+ # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
+ - /sbin/ip link add link bond1 name bond1.131 type vlan id 131
 # Route ???
 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
@@ -215,6 +217,15 @@ network_interfaces:
 netmask: 20
+ - device: bond1.131
+ headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net
+ auto: true
+ family: inet
+ method: static
+ address: 10.131.15.254
+ netmask: 20
+
+
 - device: bond1:ns
 headline: bond1:ns - Alias IP on bond1 device for Nameservice
 auto: true
diff --git a/host_vars/ga-st-gw.oopen.de.yml b/host_vars/ga-st-gw.oopen.de.yml
deleted file mode 100644
index a50ef20..0000000
--- a/host_vars/ga-st-gw.oopen.de.yml
+++ /dev/null
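Review bot: The comment added above the new `bond1.131` link line still says `# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests`, but the command it documents creates VLAN id 131; change it to `# VLAN 131 - for Ubiquiti UniFi Accesspoints Guests` so the post-up block is not misread while troubleshooting. The second hunk (`@@ -215`) adds the matching `bond1.131` device with `address: 10.131.15.254` and `netmask: 20`, mirroring the existing `bond1.121`/`10.121.15.254` pair, so that part is consistent; a `headline` that says "Guest Net" on the gateway does, however, imply that guest traffic must be kept off the internal VLANs, and nothing in this commit touches the firewall configuration that the interface presumably needs — worth confirming that is handled elsewhere before the interface is brought up.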
@@ -1,551 +0,0 @@ ---- -# --- -# vars used by roles/network_interfaces -# --- - - -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - -network_interfaces: - - - device: eth2 - headline: eth2 - Uplink static line (radio) to Altenschlirf - auto: true - family: inet - method: static - address: 172.16.111.254 - netmask: 24 - up: - # - For management Antennas - - /sbin/ip link add link eth2 name eth2.111 type vlan id 111 - post-up: - # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) - # - - # - Telefon Altenshlirf - - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253 - # User Network Altenshlirf - - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253 - # Management Network Altenschlirf - - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253 - # WLan Router (Accesspoints) Altenshlirf - - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253 - # # WLan Networks Altenshlirf - - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 - # DSL via Fritzbox Altenschlirf - - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 - # - WLAN Gemeinschaft Altenschlirf (Unifi routet Network) - - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 - # VPN home Network Altenschlirf - # - - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 - # private networks 'ckubu' - # - # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), - # so we route them back to that gateway.. 
- - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253 - - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 - - - - device: eth2.111 - headline: eth2.111 - network 10.10.111.0 (management antennas) - auto: true - family: inet - method: static - address: 10.10.111.254 - netmask: 24 - - - - device: eth8 - headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen - auto: false - family: inet - method: manual - up: - - /sbin/ip link add link eth8 name eth8.211 type vlan id 211 - - - - device: eth8.211 - headline: eth8.211 - Network Telefons Stockhausen - auto: true - family: inet - method: static - # Note: - # !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon). - # This LANCom Router IS NOT pngable !! - address: 172.16.211.1 - netmask: 24 - pre-up: - - /sbin/ifconfig eth8 up - - - - device: eth9 - headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) - auto: true - family: inet - method: static - address: 172.16.11.1 - netmask: 24 - gateway: 172.16.11.254 - - - - device: eth10 - headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 - auto: true - family: inet - method: static - address: 172.16.13.1 - netmask: 24 - gateway: 172.16.13.254 - - - - device: eth11 - headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) - auto: true - family: inet - method: static - address: 172.16.12.1 - netmask: 24 - gateway: 172.16.12.254 - - - # ---------- - # Note: Install the 'ifenslave' package, necessary to enable bonding: - # - # apt-get install ifenslave - # ---------- - - device: bond0 - headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4 - auto: true - family: inet - method: static - address: 10.1.9.254 - netmask: 24 - bond: - slaves: eth0 eth4 - # Mode 4 (802.3ad) - # - # also possible here: - # - Mode 5: balance-tlb - # - Mode 6: balance-alb - mode: 4 - miimon: 100 - lacp-rate: 1 - ad-select: count - downdelay: 200 - updelay: 200 - post-up: - # 
VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24 - - /sbin/ip link add link bond0 name bond0.11 type vlan id 11 - # VLAN 78 for network Georgshaus 192.168.78.0/24 - - /sbin/ip link add link bond0 name bond0.78 type vlan id 78 - - - - device: bond0.11 - headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen) - auto: true - family: inet - method: static - address: 10.10.11.254 - netmask: 24 - - - - device: bond0.78 - headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?) - auto: true - family: inet - method: static - address: 192.168.78.254 - netmask: 24 - - - # ---------- - # Note: Install the 'ifenslave' package, necessary to enable bonding: - # - # apt-get install ifenslave - # ---------- - - device: bond1 - headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen - auto: true - family: inet - method: static - address: 192.168.11.254 - netmask: 24 - nameservers: - - 192.168.11.1 - - 192.168.10.3 - search: ga.netz ga.intra - bond: - slaves: eth1 eth5 - # Mode 4 (802.3ad) - # - # also possible here: - # - Mode 5: balance-tlb - # - Mode 6: balance-alb - mode: 4 - miimon: 100 - lacp-rate: 1 - ad-select: count - downdelay: 200 - updelay: 200 - post-up: - # VLAN 121 - for Ubiquiti UniFi Accesspoints) - - /sbin/ip link add link bond1 name bond1.121 type vlan id 121 - # Route ??? 
- - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 - - - - device: bond1.121 - headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints - auto: true - family: inet - method: static - address: 10.121.15.254 - netmask: 20 - - - - device: bond1:ns - headline: bond1:ns - Alias IP on bond1 device for Nameservice - auto: true - family: inet - method: static - address: 192.168.11.1 - netmask: 32 - - - - device: bond1:1 - headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network - auto: true - family: inet - method: static - address: 10.10.9.254 - netmask: 24 - - - - device: bond1:ap - headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints - auto: true - family: inet - method: static - address: 10.112.1.254 - netmask: 24 - post-up: - # - Wireless Networks routed through appropriate Accesspoints - # - - - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1 - - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2 - - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3 - - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4 - - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5 - - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6 - - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7 - - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8 - - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9 - - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10 - - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11 - - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12 - - /sbin/ip route add 10.113.13.0/24 via 10.112.1.13 - - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14 - - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 - - - - device: bond1:ipmi - headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen - auto: true - family: inet - method: static - address: 10.11.11.254 - netmask: 24 - - -# --- -# vars used by roles/ansible_dependencies -# --- - - -# --- -# vars used by roles/ansible_user -# --- - - -# --- -# vars used by 
roles/common/tasks/basic.yml -# --- - - -# --- -# vars used by roles/common/tasks/sshd.yml -# --- - - -# --- -# vars used by roles/common/tasks/apt.yml -# --- - - -# --- -# vars used by roles/common/tasks/systemd-resolved.yml -# --- - -systemd_resolved: true - -# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie -# Primäre DNS-Adresse: 38.132.106.139 -# Sekundäre DNS-Adresse: 194.187.251.67 -# -# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen -# primäre DNS-Adresse -# IPv4: 1.1.1.1 -# IPv6: 2606:4700:4700::1111 -# sekundäre DNS-Adresse -# IPv4: 1.0.0.1 -# IPv6: 2606:4700:4700::1001 -# -# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit -# primäre DNS-Adresse -# IPv4: 8.8.8.8 -# IPv6: 2001:4860:4860::8888 -# sekundäre DNS-Adresse -# IPv4: 8.8.4.4 -# IPv6: 2001:4860:4860::8844 -# -# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug -# primäre DNS-Adresse -# IPv4: 9.9.9.9 -# IPv6: 2620:fe::fe -# sekundäre DNS-Adresse -# IPv4: 149.112.112.112 -# IPv6: 2620:fe::9 -# -# OpenNIC - https://www.opennic.org/ -# IPv4: 195.10.195.195 - ns31.de -# IPv4: 94.16.114.254 - ns28.de -# IPv4: 51.254.162.59 - ns9.de -# IPv4: 194.36.144.87 - ns29.de -# IPv6: 2a00:f826:8:2::195 - ns31.de -# -# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) -# IPv4: 5.1.66.255 -# IPv6: 2001:678:e68:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# IPv4: 185.150.99.255 -# IPv6: 2001:678:ed0:f000:: -# Servername für DNS-over-TLS: dot.ffmuc.net -# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) -resolved_nameserver: - - 127.0.0.1 - -# search domains -# -# If there are more than one search domains, then specify them here in the order in which -# the resolver should also search them -# -#resolved_domains: [] -resolved_domains: - - ~. 
- - ga.netz - - ga.intra - -resolved_dnssec: false - -# dns.as250.net: 194.150.168.168 -# -resolved_fallback_nameserver: - - 192.168.10.1 - - - -# --- -# vars used by roles/common/tasks/users.yml -# --- - -insert_ssh_keypair_backup_server: false -ssh_keypair_backup_server: - - name: backup - backup_user: back - priv_key_src: root/.ssh/id_rsa.backup.oopen.de - priv_key_dest: /root/.ssh/id_rsa - pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub - pub_key_dest: /root/.ssh/id_rsa.pub - -insert_keypair_backup_client: true -ssh_keypair_backup_client: - - name: backup - priv_key_src: root/.ssh/id_ed25519.oopen-server - priv_key_dest: /root/.ssh/id_ed25519 - pub_key_src: root/.ssh/id_ed25519.oopen-server.pub - pub_key_dest: /root/.ssh/id_ed25519.pub - target: backup.oopen.de - - - -default_user: - - - name: chris - password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - - name: maadmin - password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' - - - name: wadmin - password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: sysadm - user_id: 1050 - group_id: 
1050 - group: sysadm - password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' - - - name: back - user_id: 1060 - group_id: 1060 - group: back - password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 - shell: /bin/bash - ssh_keys: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - -sudo_users: - - chris - - sysadm - - wadmin - - maadmin - - -# --- -# vars used by roles/common/tasks/users-systemfiles.yml -# --- - - -# --- -# vars used by roles/common/tasks/webadmin-user.yml -# --- - - -# --- -# vars used by roles/common/tasks/sudoers.yml -# --- -# -# see: roles/common/tasks/vars - - -# --- -# vars used by roles/common/tasks/caching-nameserver.yml -# --- - -install_bind_packages: true - -bind9_gateway_acl: - - local-net: - name: local-net - entries: - - 127.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 10.0.0.0/8 - - fc00::/7 - - fe80::/10 - - ::1/128 - - internaldns: - name: internaldns - entries: - - '# Nameserver Gateway Stockhausen' - - 192.168.11.1 - - '# Domain Controller Stockhausen' - - 192.168.10.3 - - '# Nameserver Gateway Altenschlirf' - - 192.168.10.1 - - '# Domain Controller Altenschlirf' - - 192.168.10.3 - - 
192.168.10.6 - - 172.16.0.1 - - '# Nameserver Gateway Novalishaus' - - 192.168.81.1 - - 10.2.11.2 - - '# Nameserver wolle' - - 10.113.12.3 - - '# Postfix Mailserver' - - 192.168.11.2 - - '# Mail Relay System' - - 192.168.10.2 - -bind9_gateway_listen_on_v6: - - none - -bind9_gateway_listen_on: - - any - -#bind9_gateway_allow_transfer: {} -bind9_gateway_allow_transfer: - - internaldns - -bind9_transfer_source: !!str "192.168.11.1" -bind9_notify_source: !!str "192.168.11.1" - -#bind9_gateway_allow_query: {} -bind9_gateway_allow_query: - - local-net - -#bind9_gateway_allow_query_cache: {} -bind9_gateway_allow_query_cache: - - local-net - -bind9_gateway_recursion: !!str "yes" -#bind9_gateway_allow_recursion: {} -bind9_gateway_allow_recursion: - - local-net - - -# --- -# vars used by roles/common/tasks/git.yml -# --- - -git_firewall_repository: - name: ipt-gateway - repo: https://git.oopen.de/firewall/ipt-gateway - dest: /usr/local/src/ipt-gateway - -# ============================== - - -# --- -# vars used by scripts/reset_root_passwd.yml -# --- - -root_user: - name: root - password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. - diff --git a/host_vars/mm-migration.oopen.de.yml b/host_vars/mm-migration.oopen.de.yml new file mode 100644 index 0000000..b6b4b5c --- /dev/null +++ b/host_vars/mm-migration.oopen.de.yml 
@@ -0,0 +1,141 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+# Primäre DNS-Adresse: 38.132.106.139
+# Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+# primäre DNS-Adresse
+# IPv4: 1.1.1.1
+# IPv6: 2606:4700:4700::1111
+# sekundäre DNS-Adresse
+# IPv4: 1.0.0.1
+# IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+# primäre DNS-Adresse
+# IPv4: 8.8.8.8
+# IPv6: 2001:4860:4860::8888
+# sekundäre DNS-Adresse
+# IPv4: 8.8.4.4
+# IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+# primäre DNS-Adresse
+# IPv4: 9.9.9.9
+# IPv6: 2620:fe::fe
+# sekundäre DNS-Adresse
+# IPv4: 149.112.112.112
+# IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+# IPv4: 195.10.195.195 - ns31.de
+# IPv4: 94.16.114.254 - ns28.de
+# IPv4: 51.254.162.59 - ns9.de
+# IPv4: 194.36.144.87 - ns29.de
+# IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+# IPv4: 5.1.66.255
+# IPv6: 2001:678:e68:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# IPv4: 185.150.99.255
+# IPv6: 2001:678:ed0:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+ - 185.12.64.1
+ - 2a01:4ff:ff00::add:2
+ - 195.201.179.131
+ - 95.217.204.204
+
+# search domains
+#
+# If there are more than one search 
domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/hosts b/hosts index 99228b0..9c94c04 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,4 @@ - - +formbricks-nd.oopen.de #[so36_server_dehydrated] #comm.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu @@ -133,6 +132,9 @@ o13-pad.oopen.de o13-cryptpad.oopen.de o13-web.oopen.de +# Freiheit für daniela +o14.oopen.de + o17.oopen.de test.mx.oopen.de @@ -160,10 +162,12 @@ cp-01.oopen.de meet.oopen.de mm.oopen.de discourse.oopen.de +mm-migration.oopen.de o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # IL - PAD o25.oopen.de @@ -323,6 +327,9 @@ o13-cryptpad.oopen.de o13-web.oopen.de o13-git.oopen.de +# Freiheit für daniela +o14.oopen.de + o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de @@ -354,11 +361,13 @@ cp-01.oopen.de meet.oopen.de mm.oopen.de discourse.oopen.de +mm-migration.oopen.de # - o24.oopen.de o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # IL - PAD o25.oopen.de @@ -446,6 +455,7 @@ mm-rav.oopen.de o43.oopen.de prometheus-nd.oopen.de web-nd.oopen.de +test-nd.oopen.de lxc-host-kb.anw-kb.netz 
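Review bot: `resolved_dnssec: false` in the new host_vars turns DNSSEC validation off for this host even though the `resolved_nameserver` entries are external resolvers; if the role maps the variable onto systemd-resolved's `DNSSEC=` setting, `resolved_dnssec: allow-downgrade` would validate where the upstream supports it without breaking resolution where it does not — worth checking what the role accepts. The header `# vars used by apt.yml` is also the only one in the file without the `roles/common/tasks/` prefix the sibling headers use; `# vars used by roles/common/tasks/apt.yml` keeps them uniform. Separately, the diffstat shows the parallel file `mm-irights-migration.oopen.de.yml` being created at the repository root rather than under `host_vars/`, so unless a `vars_files` include points at it, Ansible will not load it for that host. The hunk being reviewed starts on the previous line.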
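Review bot: `formbricks-nd.oopen.de` is inserted at the very top of `hosts`, before the first `[group]` header, so in this inventory it lands only in `ungrouped` and is not matched by any group-targeted play; the new `environments/ubuntu-server/inventory` in the same commit puts the same host under `[ansible_dependencies]`, `[initial_setup]` and `[lxc_guest]`. If the intent is to manage it from the environment inventory only, a comment such as `# formbricks-nd.oopen.de: managed via environments/ubuntu-server/inventory` would make the stray top-level entry clearly deliberate; otherwise it should move into the relevant groups further down the file.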
@@ -563,6 +573,9 @@ devel-ruby.wf.netz # o13.oopen.de o13-web.oopen.de +# Freiheit für daniela +o14.oopen.de + # o20.oopen.de (srv-cityslang.cityslang.com) o20.oopen.de @@ -620,6 +633,9 @@ o13-mail.oopen.de o13-mumble.oopen.de o13-web.oopen.de +# Freiheit für daniela +o14.oopen.de + # o17.oopen.de test.mariadb.oopen.de test.mx.oopen.de @@ -808,9 +824,11 @@ o13-cryptpad.oopen.de cp-01.oopen.de meet.oopen.de mm.oopen.de +mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # Hetzner Cloud CX31 - AK @@ -936,9 +954,11 @@ o13-mail.oopen.de # o23.oopen.de mm.oopen.de +mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # o27.oopen.de mail.faire-mobilitaet.de @@ -1001,6 +1021,9 @@ o13-staging-board.oopen.de o13-mail.oopen.de o13-web.oopen.de +# Freiheit für daniela +o14.oopen.de + # o17.oopen.de test.mx.oopen.de test.mariadb.oopen.de @@ -1023,10 +1046,12 @@ oolm-web.oopen.de # o23.oopen.de cl-01.oopen.de mm.oopen.de +mm-migration.oopen.de # o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # Hetzner Cloud CX31 - AK @@ -1375,6 +1400,9 @@ o12.oopen.de o13.oopen.de o17.oopen.de +# Freiheit für daniela +o14.oopen.de + # Backup Server O.OPEN o19.oopen.de @@ -1489,10 +1517,12 @@ cp-01.oopen.de meet.oopen.de mm.oopen.de discourse.oopen.de +mm-migration.oopen.de # - o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # - o27.oopen.de cl-fm.oopen.de @@ -1652,6 +1682,9 @@ o13-cryptpad.oopen.de o13-web.oopen.de o13-git.oopen.de +# Freiheit für daniela +o14.oopen.de + # - o17.oopen.de o17.oopen.de test.mx.oopen.de @@ -1684,11 +1717,13 @@ cp-01.oopen.de meet.oopen.de mm.oopen.de discourse.oopen.de +mm-migration.oopen.de # - o24.oopen.de o24.oopen.de cl-irights.oopen.de mm-irights.oopen.de +mm-irights-migration.oopen.de # IL - PAD o25.oopen.de diff --git a/main.yml b/main.yml index 9d12c14..6e47d34 100644 --- a/main.yml +++ b/main.yml 
@@ -1908,11 +1908,11 @@ tor_hidden_service_port:
 # vars used by modify-munin-ip.yml
 # ---
-munin_remote_ipv4: 135.181.136.84
-munin_remote_ipv6: 2a01:4f9:3a:1051::84
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::22
-munin_remote_ipv4_old: 95.217.64.122
-munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4_old: 135.181.136.84
+munin_remote_ipv6_old: 2a01:4f9:3a:1051::84
 # ---
diff --git a/mm-irights-migration.oopen.de.yml b/mm-irights-migration.oopen.de.yml
new file mode 100644
index 0000000..2b73172
--- /dev/null
+++ b/mm-irights-migration.oopen.de.yml
@@ -0,0 +1,147 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+# Primäre DNS-Adresse: 38.132.106.139
+# Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+# primäre DNS-Adresse
+# IPv4: 1.1.1.1
+# IPv6: 2606:4700:4700::1111
+# sekundäre DNS-Adresse
+# IPv4: 1.0.0.1
+# IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+# primäre DNS-Adresse
+# IPv4: 8.8.8.8
+# IPv6: 2001:4860:4860::8888
+# sekundäre DNS-Adresse
+# IPv4: 8.8.4.4
+# IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+# primäre DNS-Adresse
+# IPv4: 9.9.9.9
+# IPv6: 2620:fe::fe
+# sekundäre DNS-Adresse
+# IPv4: 149.112.112.112
+# IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+# IPv4: 195.10.195.195 - ns31.de
+# IPv4: 94.16.114.254 - ns28.de
+# IPv4: 51.254.162.59 - ns9.de
+# IPv4: 194.36.144.87 - ns29.de
+# IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+# IPv4: 5.1.66.255
+# IPv6: 2001:678:e68:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# IPv4: 185.150.99.255
+# IPv6: 2001:678:ed0:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+ - 185.12.64.2
+ - 2a01:4ff:ff00::add:1
+ - 185.12.64.1
+ - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+ - ~.
+ - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+ - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+ name: ipt-server
+ repo: https://git.oopen.de/firewall/ipt-server
+ dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+ name: root
+ password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+
diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..152fd3a
--- /dev/null
+++ b/playbook.yml
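Review bot: `root_user.password` commits a SHA-512 crypt hash of the root password in clear text; a committed hash is an offline-crackable credential and stays in the history even after the value is changed. Move it into Ansible Vault (`ansible-vault encrypt_string` or a vaulted vars file) and reference it as `password: "{{ vault_root_password_hash }}"`, and rotate the root password, since this commit has already published the hash. The file also sits at the repository root as `mm-irights-migration.oopen.de.yml` rather than under `host_vars/`, so Ansible will not load it as host variables for that host unless something includes it explicitly — confirm that placement is intended. Minor: `- ~.` in `resolved_domains` parses as the string it is meant to be, but it reads like a YAML null; `- "~."` makes the intent explicit.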
@@ -0,0 +1,58 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+#- hosts: all
+# strategy: free
+#
+## vars_prompt:
+##
+## - name: ansible_become_password
+## prompt: "Give your local Password here:"
+#
+# roles:
+# - common
+
+- hosts: ansible_dependencies
+ strategy: free
+ gather_facts: false
+
+ roles:
+ - ansible_dependencies-ubuntu-noble
+ - ansible_user_debian
+
+- hosts: initial_setup
+ strategy: free
+
+# vars_prompt:
+#
+# - name: ansible_become_password
+# prompt: "Give your local Password here:"
+
+ roles:
+ - ubuntu-server
+
+#- hosts: debian-server
+# strategy: free
+#
+## vars_prompt:
+##
+## - name: ansible_become_password
+## prompt: "Give your local Password here:"
+#
+# roles:
+# - common
+
diff --git a/roles/ansible_dependencies-ubuntu-noble/tasks/main.yml b/roles/ansible_dependencies-ubuntu-noble/tasks/main.yml
new file mode 100644
index 0000000..e01ece5
--- /dev/null
+++ b/roles/ansible_dependencies-ubuntu-noble/tasks/main.yml
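Review bot: The header comment does not describe the file it sits in: every example invokes `first_run.yml` while the file is `playbook.yml`, and it says the play ensures python2 is installed while the listed role `ansible_dependencies-ubuntu-noble` installs python3. Rewrite the examples as `ansible-playbook playbook.yml -i hosts -u root --ask-pass` (and the two key-based variants) and change the python2 sentence to python3. The comment also promises the playbook "will lock itself out from every server it is run on"; nothing in this file shows that, so either name the role that does it or drop the sentence.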
@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+ raw: apt-get update
+
+- name: Ensure aptitude is present
+ raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+ raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+ command: >
+ dpkg --configure -a
+ args:
+ warn: false
+ changed_when: _dpkg_configure.stdout_lines | length
+ register: _dpkg_configure
+ when: apt_dpkg_configure|bool
+ tags:
+ - ansible-dependencies
+
+- name: apt upgrade
+ apt:
+ upgrade: "{{ apt_upgrade_type }}"
+ update_cache: true
+ dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+ when: apt_upgrade|bool
+ tags:
+ - ansible-dependencies
+
+- name: apt install ansible dependencies
+ apt:
+ name: "{{ apt_ansible_dependencies }}"
+ state: "{{ apt_install_state }}"
+ tags:
+ - ansible-dependencies
+
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
index c50d038..998138f 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
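Review bot: The `test -e` guards on three of the `raw` tasks do not test what they gate: `Ensure python-is-python3` runs the install whenever /usr/bin/python3 exists (always, since the task before it just ensured that), `Ensure python-apt-common` only runs when /usr/bin/python exists, and `Ensure python-apt` checks the python3 binary instead of the python3-apt package, so on a host that already has python3 that package is never installed. Test the package state with `dpkg-query` (present wherever `apt` is) as in the rewrite below, and consider `changed_when` on the `raw` tasks, which otherwise report changed on every run. Separately, `args: warn: false` on the `dpkg --configure -a` task uses a `command` option that was removed in ansible-core 2.14, so the task fails with an unsupported-parameter error on current releases; the rewrite drops the `args:` block. `apt_dpkg_configure`, `apt_upgrade`, `apt_upgrade_type` and the other variables are not defined anywhere in this diff, so the role presumably relies on group_vars for them — confirm.
```yaml
# … unchanged: apt-get update, aptitude and python3 tasks …

- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
  raw: dpkg-query -W -f='${Status}' python-is-python3 2>/dev/null | grep -q 'ok installed' || (apt -y update && apt install -y python-is-python3)

- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
  raw: dpkg-query -W -f='${Status}' python-apt-common 2>/dev/null | grep -q 'ok installed' || (apt -y update && apt install -y python-apt-common)

- name: Ensure python3-apt is present (This is necessary for ansible to work properly)
  raw: dpkg-query -W -f='${Status}' python3-apt 2>/dev/null | grep -q 'ok installed' || (apt -y update && apt install -y python3-apt)

- name: dpkg --configure -a
  command: dpkg --configure -a
  changed_when: _dpkg_configure.stdout_lines | length
  register: _dpkg_configure
  when: apt_dpkg_configure|bool
  tags:
    - ansible-dependencies

# … unchanged: apt upgrade and apt install ansible dependencies tasks …
```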
@@ -36,7 +36,7 @@ radiotrabajandoparacristoirmp\.com$
 group-hire\.com$
 # Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
-mtasv\.net$
+#mtasv\.net$
 # edge.toprains.shop:w
 edge\.toprains\.shop$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
index 9376c89..d4ecf78 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@@ -28,7 +28,7 @@ 45.132.181.0/24
 # Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
-50.31.205.0/24
+#50.31.205.0/24
 # edge.toprains.shop
 51.89.16.112
diff --git a/roles/common/tasks/apt.yml b/roles/common/tasks/apt.yml
index 71d82a5..81f3a52 100644
--- a/roles/common/tasks/apt.yml
+++ b/roles/common/tasks/apt.yml
@@ -135,6 +135,16 @@
 tags:
 - apt-initial-install
+- name: (apt.yml) Initial install ubuntu packages (noble)
+ apt:
+ name: "{{ apt_initial_install_ubuntu_noble }}"
+ state: "{{ apt_install_state }}"
+ when:
+ - ansible_facts['distribution'] == "Ubuntu"
+ - ansible_facts['distribution_release'] == "noble"
+ tags:
+ - apt-initial-install
+
 # ---
 # Microcode
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index bac8edf..eec892f 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,5 +1,9 @@
 ---
+- import_tasks: show.yml
+ tags:
+ - show
+
 # tags supported inside basic.yml
 #
 # timezone
diff --git a/roles/common/tasks/motd.yml b/roles/common/tasks/motd.yml
index 80dc2d4..0a49422 100644
--- a/roles/common/tasks/motd.yml
+++ b/roles/common/tasks/motd.yml
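Review bot: Commenting out `mtasv\.net$` leaves the line above it (`# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!`) describing a block that no longer exists, and the same happens with `#50.31.205.0/24` in postfwd.bl-nets; a later reader of either list cannot tell whether the entry was disabled deliberately or by accident. Record the reason next to the disabled entry, e.g. `#mtasv\.net$ - disabled <date>: <reason>`, or delete both the entry and its subject-line comment if the block is not coming back.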
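Review bot: The new noble task templates `apt_initial_install_ubuntu_noble` into `name:`, and that variable is defined nowhere in this diff, so on a noble host whose group_vars do not set it the task aborts with an undefined-variable error instead of being skipped (on other releases the `when` list fails first and the template is never evaluated). Either extend the guard with `- apt_initial_install_ubuntu_noble is defined` or give the variable a value in the role's defaults so the task cannot hit the undefined case. The preceding task, of which only the `tags:` lines are visible, starts outside the hunk, so I cannot tell whether it has the same exposure.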
@@ -9,10 +9,17 @@
 path: /etc/motd.ORIG
 register: motd_orig_exist
+- name: (motd.yml) Check if /etc/motd exist
+ stat:
+ path: /etc/motd
+ register: motd_exist
+
 - name: (motd.yml) Backup existing file /etc/motd
 command: cp -a /etc/motd /etc/motd.ORIG
- when: motd_orig_exist.stat.exists == False
+ when:
+ - motd_exist.stat.exists == True
+ - motd_orig_exist.stat.exists == False
 - name: (motd.yml) create /etc/motd
 shell: figlet {{ ansible_hostname }} > /etc/motd
diff --git a/roles/common/tasks/show.yml b/roles/common/tasks/show.yml
new file mode 100644
index 0000000..62961b9
--- /dev/null
+++ b/roles/common/tasks/show.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Show hostname
+ debug:
+ msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE') }}.{{ ansible_fqdn.split('.')[2] | default('NONE') }}"
+# msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}"
+
diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
index bbe2f1b..f49e322 100644
--- a/roles/firewall/defaults/main.yml
+++ b/roles/firewall/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
-munin_remote_ipv4: 95.217.64.122
-munin_remote_ipv6: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::227
 is_dns_server: false
diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
index 1dbd644..123d35f 100644
--- a/roles/firewall/handlers/main.yml
+++ b/roles/firewall/handlers/main.yml
@@ -7,14 +7,8 @@
 service:
 name: ipt-firewall
 state: restarted
- when:
- - interfaces_ipv4_exists.stat.exists
- - main_ipv4_exists.stat.exists
 - name: Restart IPv6 Firewall
 service:
 name: ip6t-firewall
 state: restarted
- when:
- - interfaces_ipv6_exists.stat.exists
- - main_ipv6_exists.stat.exists
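Review bot: The new `when` list compares booleans against literals, `- motd_exist.stat.exists == True` and `- motd_orig_exist.stat.exists == False`; `stat.exists` is already a boolean, so the idiomatic form (and the one ansible-lint's literal-compare rule accepts) is `- motd_exist.stat.exists` and `- not motd_orig_exist.stat.exists`. The task list this hunk sits in continues on both sides of the hunk.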
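Review bot: The `msg` in show.yml rebuilds the FQDN from its first three labels with `default('NONE')`, so a four-label name is printed truncated and a one- or two-label name gains literal `NONE` labels, while `ansible_fqdn` already holds the complete name and `ansible_hostname` the short one. `msg: "Host: {{ ansible_hostname }} FQDN: {{ ansible_fqdn }}"` reports the same thing without the reconstruction. The commented-out alternative `msg:` line below it calls `join` as a function rather than a filter and would not render; delete it rather than keep it as dead code.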
diff --git a/roles/ubuntu-server/tasks/main.yml b/roles/ubuntu-server/tasks/main.yml
new file mode 100644
index 0000000..6351d4e
--- /dev/null
+++ b/roles/ubuntu-server/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: show
+ import_role:
+ name: common
+ tasks_from: show.yml
+
+- name: basic
+ import_role:
+ name: common
+ tasks_from: basic.yml
+
+- name: apt
+ import_role:
+ name: common
+ tasks_from: apt.yml
+
+- name: motd
+ import_role:
+ name: common
+ tasks_from: motd.yml
+
+- name: users
+ import_role:
+ name: common
+ tasks_from: users.yml
+ tags:
+ - users
+
+
+- name: users-systemfiles
+ import_role:
+ name: common
+ tasks_from: users-systemfiles
+ tags:
+ - users
+ - users-systemfiles
+
+- name: sshd
+ import_role:
+ name: common
+ tasks_from: sshd.yml
+
+
+- name: sudoers
+ import_role:
+ name: common
+ tasks_from: sudoers.yml
+ tags: sudoers
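Review bot: `tasks_from: users-systemfiles` is the only entry without the `.yml` suffix; Ansible resolves it anyway, but every other entry in the file spells the file out, so write `tasks_from: users-systemfiles.yml` for consistency. The last task likewise uses the scalar form `tags: sudoers` where the other tagged tasks use the list form; `tags:` followed by `- sudoers` keeps the file uniform. Only users, users-systemfiles and sudoers carry tags, so a `--tags` run cannot select show, basic, apt, motd or sshd on their own — presumably intended, but worth a one-line comment at the top of the file saying so.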