From 6125f8d21edbac2637729ba186e7b064413e06ed Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 2 Jul 2024 09:37:09 +0200 Subject: [PATCH] Update.. --- host_vars/172.16.122.2.yml | 309 +++++++++++++++++ host_vars/gw-km.oopen.de.yml | 14 +- host_vars/o26.oopen.de.yml | 509 ++++++++++++++++++++++++++++ host_vars/o28.oopen.de.yml | 4 +- hosts | 56 +++ roles/firewall/tasks/ipt-server.yml | 4 +- 6 files changed, 886 insertions(+), 10 deletions(-) create mode 100644 host_vars/172.16.122.2.yml create mode 100644 host_vars/o26.oopen.de.yml diff --git a/host_vars/172.16.122.2.yml b/host_vars/172.16.122.2.yml new file mode 100644 index 0000000..639e5b0 --- /dev/null +++ b/host_vars/172.16.122.2.yml @@ -0,0 +1,309 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via Fritz!Box + auto: true + family: inet + method: static + address: 172.16.122.2 + netmask: 24 + gateway: 172.16.122.254 + + + - device: eno2 + headline: eno2 - LAN + auto: true + family: inet + method: static + address: 192.168.122.253 + netmask: 24 + + + - device: eno2:ns + headline: eno2:ns - Alias on eno5 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.122.2 + netmask: 32 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check if nameservice (bind) is running?" + minute: '*/10' + hour: '*' + job: /root/bin/monitoring/check_dns.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: '0-59/2' + hour: '*' + job: /root/bin/monitoring/check_forwarding.sh + + - name: "Copy gateway configuration" + minute: '09' + hour: '3' + job: /root/bin/manage-gw-config/copy_gateway-config.sh ANW-KM + + +#cron_user_special_time_entries: [] +cron_user_special_time_entries: + + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - anw-km.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/gw-km.oopen.de.yml b/host_vars/gw-km.oopen.de.yml index c5eeff5..858da7d 100644 --- a/host_vars/gw-km.oopen.de.yml +++ b/host_vars/gw-km.oopen.de.yml @@ -20,8 +20,8 @@ network_interface_required_packages: network_interfaces: - - device: eno1 - headline: eno1 - Uplink DSL via Fritz!Box + - device: eno6 + headline: eno6 - Uplink DSL via Fritz!Box auto: true family: inet method: static @@ -30,8 +30,8 @@ network_interfaces: gateway: 172.16.122.254 - - device: eno2 - headline: eno2 - LAN + - device: eno5 + headline: eno5 - LAN auto: true family: inet method: static @@ -39,8 +39,8 @@ network_interfaces: netmask: 24 - - device: eno2:ns - headline: eno2:ns - Alias on eno2 (Nameserver) + - device: eno5:ns + headline: eno5:ns - Alias on eno5 (Nameserver) auto: true family: inet method: static @@ -198,7 +198,7 @@ resolved_nameserver: #resolved_domains: [] resolved_domains: - ~. - - flr.netz + - anw-km.netz resolved_dnssec: false diff --git a/host_vars/o26.oopen.de.yml b/host_vars/o26.oopen.de.yml new file mode 100644 index 0000000..381713e --- /dev/null +++ b/host_vars/o26.oopen.de.yml @@ -0,0 +1,509 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + + +network_interfaces: + + # Many device configurations are possible (as many as needed) + # + - device: enp6s0 + # use only once per device (for the first device entry) + headline: enp6s0 - primary device + + # auto & allow are only used for the first entry of that devicei-name) + # + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + + # The statisc Mode + # Options + # address + # gateway + # pointopoint
+ # hwaddress + # mtu + # scope
+ # + # The manual Method + # Options + # hwaddress + # mtu + # + # The dhcp Method + # Options + # hwaddress + # hostname + # metric + # leasehours + # leasetime + # vendor + # client + # + # The bootp Method + # Options + # bootfile: + # server: + # hwaddr + # + method: static + + hwaddress: + description: + address: 37.27.129.85 + # dotted quad or number of bits + # + # the entry will be: address/netmask + netmask: 26 + gateway: 37.27.129.65 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + #nameservers: + # - 185.12.64.1 + # - a01:4ff:ff00::add:2 + #search: + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: {} + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # mode: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + # + # example: + # + # up: + # - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp6s0" + # + pre-up: [] # pre-up script lines + up: + - !!str "route add -net 37.27.129.64 netmask 255.255.255.192 gw 37.27.129.65 dev enp6s0" + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + - device: enp6s0 + # use only once per device (for the first device entry) + headline: + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: + + family: inet6 + method: static + address: 2a01:4f9:3071:1141::2 + netmask: 64 + gateway: fe80::1 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + search: + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: {} + + # optional bonding parameters bond: {} + # bond: + # mode: + # miimon: + # master: + # slaves: + # lacp-rate: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts + pre-up: []# pre-up script lines + up: [] # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +#apt_manage_sources_list: false + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_env_entries: + - name: PATH + job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + - name: SHELL + job: /bin/bash + insertafter: PATH + + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 5 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Check if postfix mailservice is running. Restart service if needed." + special_time: reboot + job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" + insertafter: PATH + + +cron_user_entries: + + - name: "Check if SSH service is running. Restart service if needed." + minute: '*/5' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check connectifity - reboot if needed" + minute: '*/10' + hour: '*' + job: /root/bin/admin-stuff/check-connectivity.sh + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 + + - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts" + minute: '06' + hour: '00' + weekday: '1-6' + job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N + + - name: "On sunday morning also determin diskspace usage" + minute: '06' + hour: '00' + weekday: 7 + job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup + + - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)" + minute: '23' + hour: '05' + job: /var/lib/dehydrated/cron/dehydrated_cron.sh + + - name: "Check whether all certificates are included in the VHOST configurations" + minute: '33' + hour: '05' + job: /var/lib/dehydrated/tools/update_ssl_directives.sh + + - name: "Check hard disc usage." + minute: '43' + hour: '6' + job: /root/bin/admin-stuff/check-disc-usage.sh -c 85 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +create_sftp_group: true + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + +extra_system_user: + - name: www-data + home: /var/www + groups: sftp_users + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o28.oopen.de.yml b/host_vars/o28.oopen.de.yml index adfa009..b7e4ca1 100644 --- a/host_vars/o28.oopen.de.yml +++ b/host_vars/o28.oopen.de.yml @@ -309,7 +309,9 @@ systemd_resolved: true # für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) resolved_nameserver: - 185.12.64.1 - - a01:4ff:ff00::add:2 + - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 # search domains # diff --git a/hosts b/hosts index 519e5c4..0ce66c8 100644 --- a/hosts +++ b/hosts @@ -48,6 +48,7 @@ gw-d11.oopen.de gw-flr.oopen.de gw-irights.oopen.de gw-km.oopen.de +172.16.122.2 gw-mbr.oopen.de gw-opp.oopen.de gw-spr.oopen.de @@ -171,6 +172,7 @@ mail.faire-mobilitaet.de # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # - o29.oopen.de Backup Server o29.oopen.de @@ -343,6 +345,7 @@ mail.faire-mobilitaet.de # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # - o29.oopen.de o29.oopen.de @@ -447,6 +450,7 @@ gw-irights.oopen.de # - Kanzlei Berenice gw-km.oopen.de +172.16.122.2 file-km.anw-km.netz # - Kanzlei BLKR @@ -511,6 +515,50 @@ devel-todo.wf.netz devel-wiki.wf.netz devel-ruby.wf.netz + +[ftp_server] + +# o13.oopen.de +o13-web.oopen.de + +# o20.oopen.de (srv-cityslang.cityslang.com) +o20.oopen.de + +# o22.oopen.de +oolm-web.oopen.de + +# o31.oopen.de +web.cadus.org + +# o35.oopen.de +web-02.oopen.de + +# o36 - b.mx, web-01, web-03,-- +web-01.oopen.de +web-03.oopen.de +web-04.oopen.de + +# o39.oopen.de web-05 web-06 +web-05.oopen.de +web-06.oopen.de +web-07.oopen.de +web-08.oopen.de +web-09.oopen.de + +# --- +# Warenform server +# --- + +# server22 +nd.warenform.de + +# server25 +web0.warenform.de +web1.warenform.de +web2.warenform.de + + + [apache2_webserver] # --- @@ -559,6 +607,7 @@ mail.faire-mobilitaet.de # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # o29.oopen.de backup.oopen.de @@ -900,6 +949,7 @@ cl-fm.oopen.de # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # o29.oopen.de backup.oopen.de @@ -1000,6 +1050,9 @@ cl-fm.oopen.de # o28.oopen.de o28.oopen.de +# o26.oopen.de +o26.oopen.de + # o29.oopen.de backup.oopen.de @@ -1119,6 +1172,7 @@ devel-root.wf.netz # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # --- # Warenform @@ -1513,6 +1567,7 @@ mail.faire-mobilitaet.de # Backup Faire Mobilitaet o28.oopen.de +o26.oopen.de # - o29.oopen.de o29.oopen.de @@ -1608,6 +1663,7 @@ gw-replacement3.local.netz gw-replacement4.local.netz gw-irights.oopen.de gw-km.oopen.de +172.16.122.2 gw-mbr.oopen.de gw-opp.oopen.de gw-spr.oopen.de diff --git a/roles/firewall/tasks/ipt-server.yml b/roles/firewall/tasks/ipt-server.yml index bdc5ba3..a23dd77 100644 --- a/roles/firewall/tasks/ipt-server.yml +++ b/roles/firewall/tasks/ipt-server.yml @@ -1783,24 +1783,24 @@ failed_when: "diff_output.rc > 2" when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0) loop: + - default_settings.conf - include_functions.conf - load_modules_ipv4.conf - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf - - default_ports.conf - post_decalrations.conf register: diff_output - name: Ensure common configuration files are latest command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} loop: + - default_settings.conf - include_functions.conf - load_modules_ipv4.conf - load_modules_ipv6.conf - logging_ipv4.conf - logging_ipv6.conf - - default_ports.conf - post_decalrations.conf when: - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)