From 65f6725f19f75bbd8cb916ff9604ef62d4624233 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 25 Apr 2024 18:55:48 +0200
Subject: [PATCH] update..
---
host_vars/file-ah.kanzlei-kiel.netz.yml | 208 +++++++++++++-----
host_vars/ga-st-mail.ga.netz.yml | 8 +-
host_vars/gw-ak.oopen.de.yml | 9 -
host_vars/o17.oopen.de.yml | 10 +-
host_vars/o20.oopen.de.yml | 5 +
host_vars/o21.oopen.de.yml | 10 +-
host_vars/o22.oopen.de.yml | 10 +-
host_vars/o23.oopen.de.yml | 15 +-
host_vars/o24.oopen.de.yml | 10 +-
host_vars/o25.oopen.de.yml | 10 +-
host_vars/o27.oopen.de.yml | 10 +-
host_vars/o28.oopen.de.yml | 10 +-
host_vars/o29.oopen.de.yml | 10 +-
host_vars/o30.oopen.de.yml | 15 +-
host_vars/o31.oopen.de.yml | 10 +-
host_vars/o32.oopen.de.yml | 10 +-
host_vars/o34.oopen.de.yml | 10 +-
host_vars/o35.oopen.de.yml | 10 +-
host_vars/o36.oopen.de.yml | 10 +-
host_vars/o38.oopen.de.yml | 10 +-
host_vars/o39.oopen.de.yml | 10 +-
host_vars/server18.warenform.de.yml | 10 +-
host_vars/server22.warenform.de.yml | 10 +-
host_vars/server23.warenform.de.yml | 10 +-
host_vars/server24.warenform.de.yml | 10 +-
host_vars/server25.warenform.de.yml | 10 +-
host_vars/server26.warenform.de.yml | 10 +-
host_vars/server27.warenform.de.yml | 10 +-
host_vars/server28.warenform.de.yml | 7 +-
host_vars/zapata.opp.netz.yml | 6 +
.../files/ga-st-mail/etc/postfix/postfwd.cf | 177 +++++++++++++++
31 files changed, 478 insertions(+), 192 deletions(-)
create mode 100644 roles/common/files/ga-st-mail/etc/postfix/postfwd.cf
diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml
index f1de305..174d9dd 100644
--- a/host_vars/file-ah.kanzlei-kiel.netz.yml
+++ b/host_vars/file-ah.kanzlei-kiel.netz.yml
@@ -275,49 +275,20 @@ samba_groups: group_id: 122 - name: gubitz-partner group_id: 123 + - name: sysadm + group_id: 1050 + - name: install + group_id: 1070 samba_user: - - name: buero - groups: - - verwaltung - - intern - password: 'buero2011' + - name: axel groups: - intern - verwaltung - hoffmann-elberling password: 'ah-kiel.2018' - - name: bjoern - groups: - - intern - - verwaltung - - hoffmann-elberling - password: 'bjoern2011' - - name: gubitz - groups: - - intern - - verwaltung - - gubitz-partner - password: '20gubitz12' - - name: schaar - groups: - - intern - - verwaltung - - gubitz-partner - password: '20schaar12' - - name: molkentin - groups: - - intern - - verwaltung - - gubitz-partner - password: 20molkentin12 - - name: buerooben - groups: - - intern - - verwaltung - - hoffmann-elberling - password: 'buero2013' + - name: back groups: [] password: !vault | @@ -327,34 +298,34 @@ samba_user: 61313164643061306433643738643563303036646334376536626531383965303036386162393832 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 3631 + + - name: bjoern + groups: + - intern + - verwaltung + - hoffmann-elberling + password: 'bjoern2011' + - name: buchholz groups: - - buero - - intern - - verwaltung + - buero + - intern + - verwaltung password: '20-buch_holz-20' - - name: schmidt + + - name: buero + groups: + - verwaltung + - intern + password: 'buero2011' + + - name: buerooben groups: - intern - verwaltung - - gubitz-partner - password: '20-schmidt_21%' - - name: kiel-nb1 - groups: - - buero - - intern - - verwaltung - - gubitz-partner - hoffmann-elberling - password: '20-note%book1-20' - - name: kiel-nb2 - groups: - - buero - - intern - - verwaltung - - gubitz-partner - - hoffmann-elberling - password: '20-note%book2-20' + password: 'buero2013' + - name: chris groups: - buero 
@@ -370,6 +341,118 @@ samba_user: 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 3631 + - name: gubitz + groups: + - intern + - verwaltung + - gubitz-partner + password: '20gubitz12' + + - name: heckert + groups: + - intern + - gubitz-partner + password: '0-heckert.22%' + + - name: hh-jaenicke + groups: [] + password: '20-th.jaenicke_%20' + + - name: hh-kanzlei + groups: [] + password: '20-HH_18-Kanzlei' + + - name: hh-lucke + groups: [] + password: 'Ole20Steffen_17' + + - name: hh-kell + groups: [] + password: '20-an.kell-%24' + + - name: hh-neumann + groups: [] + password: '20.neu-mann_%24' + + - name: hh-pueschel + groups: [] + password: '20-HH_caro.pueschel-%21' + + - name: kiel-nb1 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: '20-note%book1-20' + + - name: kiel-nb2 + groups: + - buero + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: '20-note%book2-20' + + - name: molkentin + groups: + - intern + - verwaltung + - gubitz-partner + password: 20molkentin12 + + - name: schaar + groups: + - intern + - verwaltung + - gubitz-partner + password: '20schaar12' + + - name: schmidt + groups: + - intern + - verwaltung + - gubitz-partner + password: '20-schmidt_21%' + + - name: simone.schnoenmehl + groups: + - intern + - gubitz-partner + password: '20-simone-schnoenmehl-22%' + + # password: 9xFXkdPR_2 + - name: sysadm + groups: + - buero + - install + - intern + - verwaltung + - gubitz-partner + - hoffmann-elberling + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 35323634653231353634343232326436393435386366396364373766306135636536323165656362 + 3138366263316231333038343930313134333565373566640a363932616535343538376333313335 + 64326566643163366533356464326339653236636562363336633738656631626433306661323835 + 3337663865333636660a626131366161636433613561613235333831653733383365623564313431 + 6439 + + # password: Iar-zrq4wG.2 + - name: winadm + groups: + - 
sysadm + - install + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31326630303038396164656266623339353031336434376531383133643266656133363165316532 + 6364343131656235313432356230646337373362343938660a393031323561326438653935393632 + 34373464313666343433626635656261323933353631393632626166643738386333636639303334 + 3661613165626230640a306236363161356239306232633565336131303066383464626164636133 + 3038 + base_home: /home # remove_samba_users: @@ -434,6 +517,15 @@ samba_shares: vfs_object_recycle: true recycle_path: '@Recycle' + - name: Install + path: /data/samba/shares/install + group_valid_users: install + group_write_list: install + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + # --- # - This share will be written by Windows Server 2016 configured at # - "Windows Zubehör" -> "Windows Server-Sicherung" @@ -441,8 +533,8 @@ samba_shares: - name: WinServer2016-Backup comment: WinServer2016-Backup on Fileserver path: /data/samba/shares/WinServer2016-Backup - group_valid_users: {} - group_write_list: {} + group_valid_users: sysadm + group_write_list: sysadm file_create_mask: !!str 664 dir_create_mask: !!str 2775 guest_ok: !!str yes diff --git a/host_vars/ga-st-mail.ga.netz.yml b/host_vars/ga-st-mail.ga.netz.yml index f543658..5e00f2f 100644 --- a/host_vars/ga-st-mail.ga.netz.yml +++ b/host_vars/ga-st-mail.ga.netz.yml @@ -183,13 +183,13 @@ copy_plain_files: dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf -copy_plain_files_postfwd_host_specific: [] +copy_plain_files_postfwd_host_specific: # Postfix Firewall postfwd # - #- name: postfwd.wl-user - # src_path: ga-st-mail/etc/postfix/postfwd.wl-user - # dest_path: /etc/postfix/postfwd.wl-user + - name: postfwd.wl-user + src_path: ga-st-mail/etc/postfix/postfwd.cf + dest_path: /etc/postfix/postfwd.cf #copy_template_files: [] diff --git a/host_vars/gw-ak.oopen.de.yml b/host_vars/gw-ak.oopen.de.yml index dbedaf3..2b3408d 100644 
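Review bot: The `# password: …` comment placed directly above the new `sysadm` entry, and the one above `winadm`, record in cleartext exactly the value the `!vault |` block beneath each of them is meant to protect, so the vault encryption of those two entries is void; drop both comment lines, and since the cleartext is now in repository history the two values should be changed afterwards. The other entries added in this hunk (`heckert`, the `hh-*` users, `simone.schnoenmehl`) keep `password:` as a plain quoted string although the same `samba_user` list already uses `!vault` for `back`, `sysadm` and `winadm`; the same applies to the new `marvin` entry in host_vars/zapata.opp.netz.yml. Moving those passwords to `!vault |` as well would make the list uniformly encrypted. The `samba_user` list begins in an earlier hunk.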
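Review bot: The WinServer2016-Backup share is now restricted with `group_valid_users: sysadm` and `group_write_list: sysadm`, but the unchanged `guest_ok: !!str yes` two lines further down still declares the share as guest-accessible, which contradicts the restriction just introduced. How guest access interacts with a valid-users restriction depends on the Samba version and on how the role's template renders these keys, so please confirm the resulting smb.conf behaves as intended; if the backup host authenticates as a sysadm member, `guest_ok` can simply be dropped here. The share definition continues past the end of the hunk.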
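Review bot: The new `copy_plain_files_postfwd_host_specific` entry is named `postfwd.wl-user` while its `src_path` and `dest_path` both point at `postfwd.cf`; the name looks left over from the commented-out entry it replaces and should read `- name: postfwd.cf` so task output and any lookup by name match the deployed file. The deployed postfwd.cf refers to `/etc/postfix/postfwd.wl-nets`, `postfwd.wl-hosts`, `postfwd.wl-user`, `postfwd.wl-sender` and the `postfwd.bl-*` lists, none of which is added by this commit; presumably they come from another copy list, but what postfwd does when a referenced `file:` is absent should be checked, so it is worth verifying that the full set is provisioned on this host.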
--- a/host_vars/gw-ak.oopen.de.yml +++ b/host_vars/gw-ak.oopen.de.yml @@ -268,15 +268,6 @@ bind9_gateway_listen_on_v6: bind9_gateway_listen_on: - any -# --- -# vars used by roles/common/tasks/git.yml -# --- - -git_firewall_repository: - name: ipt-gateway - repo: https://git.oopen.de/firewall/ipt-gateway - dest: /usr/local/src/ipt-gateway - # ============================== diff --git a/host_vars/o17.oopen.de.yml b/host_vars/o17.oopen.de.yml index ceee4af..81f6f39 100644 --- a/host_vars/o17.oopen.de.yml +++ b/host_vars/o17.oopen.de.yml @@ -154,11 +154,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -192,6 +187,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Clean up Samba Trash Dirs" minute: '02' hour: '23' diff --git a/host_vars/o20.oopen.de.yml b/host_vars/o20.oopen.de.yml index d3480d8..5d73a9d 100644 --- a/host_vars/o20.oopen.de.yml +++ b/host_vars/o20.oopen.de.yml @@ -141,6 +141,11 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Optimize mysql tables" minute: '51' hour: '04' diff --git a/host_vars/o21.oopen.de.yml b/host_vars/o21.oopen.de.yml index 7a70ab2..d1b1dc0 100644 --- a/host_vars/o21.oopen.de.yml +++ b/host_vars/o21.oopen.de.yml 
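Review bot: The new cron entry runs `/root/bin/monitoring/check_ntpsec_service.sh` every 30 minutes, but no file of that name is part of this commit (the diffstat lists only host_vars files and postfwd.cf), so unless the script is already deployed by another role the job will fail every half hour and cron will mail the failure to root. The same entry is added for o20, o21, o22, o23, o24, o25, o27, o28, o29, o30, o31, o32, o34, o35, o36, o38, o39, server18 and server22 to server28, so confirm the script is provisioned on all of them before this lands. Because the reboot-time `Restart NTP service 'ntpsec'` entry is removed at the same time, the check script is presumably now what brings ntpsec up after boot; a one-line comment on the new entry recording that, e.g. `# replaces the former @reboot restart of ntpsec`, would help the next reader.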
@@ -237,11 +237,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -280,6 +275,11 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Optimize mysql tables" minute: '53' hour: '04' diff --git a/host_vars/o22.oopen.de.yml b/host_vars/o22.oopen.de.yml index 2f25477..cf106fa 100644 --- a/host_vars/o22.oopen.de.yml +++ b/host_vars/o22.oopen.de.yml @@ -234,11 +234,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -249,6 +244,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" insertafter: PATH + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check if Check if all autostart LX-Container are running." special_time: reboot job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh" diff --git a/host_vars/o23.oopen.de.yml b/host_vars/o23.oopen.de.yml index 71b1d02..bb1057e 100644 --- a/host_vars/o23.oopen.de.yml +++ b/host_vars/o23.oopen.de.yml 
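Review bot: In host_vars/o22.oopen.de.yml the new `Check if NTP service 'ntpsec' is up and running?` entry was inserted into `cron_user_special_time_entries` (the hunk header and the surrounding `special_time: reboot` entries show the list), not into `cron_user_entries` as on every other host in this commit, yet it carries `minute`/`hour` and no `special_time`. The task that renders `cron_user_special_time_entries` presumably expects a `special_time` key, so this entry is likely to be skipped or rendered wrongly; move the four lines to the `cron_user_entries` list of this file.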
@@ -235,11 +235,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -278,11 +273,21 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' job: /root/bin/admin-stuff/check-disc-usage.sh -c 85 + - name: "Restart Jitsi Meet Service" + minute: '51' + hour: '6' + job: /usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet + # --- diff --git a/host_vars/o24.oopen.de.yml b/host_vars/o24.oopen.de.yml index 41ddce5..3f0a706 100644 --- a/host_vars/o24.oopen.de.yml +++ b/host_vars/o24.oopen.de.yml @@ -237,11 +237,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -280,6 +275,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o25.oopen.de.yml b/host_vars/o25.oopen.de.yml index 717592f..92f843b 100644 --- a/host_vars/o25.oopen.de.yml +++ b/host_vars/o25.oopen.de.yml 
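Review bot: The `Restart Jitsi Meet Service` job, `/usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet`, is the only compound job in this file left as an unquoted plain scalar; every other job containing `;` (e.g. the `systemctl restart` entries above) is double-quoted, so `job: "/usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet"` keeps the style consistent and guards against a later edit introducing `: ` or ` #` into the string. The same entry, quoted the same way, is added to host_vars/o30.oopen.de.yml. A short comment stating why the whole container is cycled daily at 06:51 would also help, as the name says 'Service' while the job stops and starts the container.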
@@ -345,11 +345,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -378,6 +373,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check Postfix E-Mail LOG file for 'fatal' errors.." minute: '*/5' hour: '*' diff --git a/host_vars/o27.oopen.de.yml b/host_vars/o27.oopen.de.yml index 894a5af..56f9f39 100644 --- a/host_vars/o27.oopen.de.yml +++ b/host_vars/o27.oopen.de.yml @@ -237,11 +237,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -280,6 +275,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o28.oopen.de.yml b/host_vars/o28.oopen.de.yml index 0b8144c..1be6261 100644 --- a/host_vars/o28.oopen.de.yml +++ b/host_vars/o28.oopen.de.yml @@ -344,11 +344,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" 
@@ -377,6 +372,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts" minute: '06' hour: '00' diff --git a/host_vars/o29.oopen.de.yml b/host_vars/o29.oopen.de.yml index 32a6daf..a529697 100644 --- a/host_vars/o29.oopen.de.yml +++ b/host_vars/o29.oopen.de.yml @@ -233,11 +233,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -271,6 +266,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o30.oopen.de.yml b/host_vars/o30.oopen.de.yml index c32c579..d7cea06 100644 --- a/host_vars/o30.oopen.de.yml +++ b/host_vars/o30.oopen.de.yml @@ -223,11 +223,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" 
@@ -266,11 +261,21 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' job: /root/bin/admin-stuff/check-disc-usage.sh -c 85 + - name: "Restart Jitsi Meet Service" + minute: '51' + hour: '6' + job: /usr/bin/lxc-stop -n meet ; sleep 5 ; /usr/bin/lxc-start -n meet + # --- # vars used by roles/common/tasks/users.yml diff --git a/host_vars/o31.oopen.de.yml b/host_vars/o31.oopen.de.yml index 730db2d..ee6d5f5 100644 --- a/host_vars/o31.oopen.de.yml +++ b/host_vars/o31.oopen.de.yml @@ -236,11 +236,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -279,6 +274,11 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o32.oopen.de.yml b/host_vars/o32.oopen.de.yml index 9d7eec2..3856363 100644 --- a/host_vars/o32.oopen.de.yml +++ b/host_vars/o32.oopen.de.yml @@ -234,11 +234,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" 
@@ -277,6 +272,11 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Optimize mysql tables" minute: '53' hour: '04' diff --git a/host_vars/o34.oopen.de.yml b/host_vars/o34.oopen.de.yml index 90d99e0..c38b3a5 100644 --- a/host_vars/o34.oopen.de.yml +++ b/host_vars/o34.oopen.de.yml @@ -232,11 +232,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -275,6 +270,11 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Optimize mysql tables" minute: '53' hour: '04' diff --git a/host_vars/o35.oopen.de.yml b/host_vars/o35.oopen.de.yml index 3ac3daa..e6eff22 100644 --- a/host_vars/o35.oopen.de.yml +++ b/host_vars/o35.oopen.de.yml @@ -237,11 +237,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -275,6 +270,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' 
diff --git a/host_vars/o36.oopen.de.yml b/host_vars/o36.oopen.de.yml index e2f6144..7c49ca7 100644 --- a/host_vars/o36.oopen.de.yml +++ b/host_vars/o36.oopen.de.yml @@ -230,11 +230,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -268,6 +263,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o38.oopen.de.yml b/host_vars/o38.oopen.de.yml index 86821c8..6532f78 100644 --- a/host_vars/o38.oopen.de.yml +++ b/host_vars/o38.oopen.de.yml @@ -232,11 +232,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -270,6 +265,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/o39.oopen.de.yml b/host_vars/o39.oopen.de.yml index 9000f43..2b74c5d 100644 --- a/host_vars/o39.oopen.de.yml +++ b/host_vars/o39.oopen.de.yml 
@@ -232,11 +232,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -270,6 +265,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + # --- diff --git a/host_vars/server18.warenform.de.yml b/host_vars/server18.warenform.de.yml index ec55569..00d902c 100644 --- a/host_vars/server18.warenform.de.yml +++ b/host_vars/server18.warenform.de.yml @@ -234,11 +234,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -272,6 +267,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server22.warenform.de.yml b/host_vars/server22.warenform.de.yml index c39fe4f..637ee2f 100644 --- a/host_vars/server22.warenform.de.yml +++ b/host_vars/server22.warenform.de.yml @@ -221,11 +221,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" 
@@ -259,6 +254,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server23.warenform.de.yml b/host_vars/server23.warenform.de.yml index 72b2aa8..f62e0a0 100644 --- a/host_vars/server23.warenform.de.yml +++ b/host_vars/server23.warenform.de.yml @@ -221,11 +221,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -259,6 +254,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server24.warenform.de.yml b/host_vars/server24.warenform.de.yml index 6ae0ae7..4b9ca7e 100644 --- a/host_vars/server24.warenform.de.yml +++ b/host_vars/server24.warenform.de.yml @@ -228,11 +228,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -266,6 +261,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' 
diff --git a/host_vars/server25.warenform.de.yml b/host_vars/server25.warenform.de.yml index 2ef68f1..3c5572c 100644 --- a/host_vars/server25.warenform.de.yml +++ b/host_vars/server25.warenform.de.yml @@ -229,11 +229,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -267,6 +262,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server26.warenform.de.yml b/host_vars/server26.warenform.de.yml index fb9e8d7..c34baa7 100644 --- a/host_vars/server26.warenform.de.yml +++ b/host_vars/server26.warenform.de.yml @@ -244,11 +244,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -282,6 +277,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server27.warenform.de.yml b/host_vars/server27.warenform.de.yml index 5d12841..a597b1f 100644 --- a/host_vars/server27.warenform.de.yml +++ b/host_vars/server27.warenform.de.yml 
@@ -251,11 +251,6 @@ cron_env_entries: cron_user_special_time_entries: - - name: "Restart NTP service 'ntpsec'" - special_time: reboot - job: "sleep 2 ; /bin/systemctl restart ntpsec" - insertafter: PATH - - name: "Restart DNS Cache service 'systemd-resolved'" special_time: reboot job: "sleep 5 ; /bin/systemctl restart systemd-resolved" @@ -289,6 +284,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' diff --git a/host_vars/server28.warenform.de.yml b/host_vars/server28.warenform.de.yml index 2d6f8ae..3a24700 100644 --- a/host_vars/server28.warenform.de.yml +++ b/host_vars/server28.warenform.de.yml @@ -273,6 +273,11 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if NTP service 'ntpsec' is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_ntpsec_service.sh + - name: "Check hard disc usage." minute: '43' hour: '6' @@ -281,7 +286,7 @@ cron_user_entries: - name: "Check if cert(s) for Prosody service are up-zp-date" minute: '13' hour: '05' - job: /root/bin/monitoring/check_cert_for_service.sh + job: /root/bin/monitoring/check_cert_for_prosody.sh - name: "Check if cert for coTURN service is up-to-date" minute: '39' diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 1aea62b..80e7d07 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -435,6 +435,12 @@ samba_user: - beratung password: '20_martin_18' + - name: marvin + groups: + - buero + - beratung + password: 'm4rv!n*6urg_24' + - name: miriam groups: - buero diff --git a/roles/common/files/ga-st-mail/etc/postfix/postfwd.cf b/roles/common/files/ga-st-mail/etc/postfix/postfwd.cf new file mode 100644 index 0000000..ceba5b6 --- /dev/null 
+++ b/roles/common/files/ga-st-mail/etc/postfix/postfwd.cf 
@@ -0,0 +1,177 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#======= Definitions ============
+
+# Match messages with an associated SASL username
+&&SASL_AUTH {
+ sasl_username!~^$
+}
+
+# Trusted networks
+&&TRUSTED_NETS {
+ client_address==file:/etc/postfix/postfwd.wl-nets
+}
+
+# Trusted hostnames
+# client_name~=.warenform.de$
+&&TRUSTED_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.wl-hosts
+}
+
+# Trusted users
+&&TRUSTED_USERS {
+ sasl_username==file:/etc/postfix/postfwd.wl-user
+}
+
+# Trusted senders
+&&TRUSTED_SENDERS {
+ sender=~file:/etc/postfix/postfwd.wl-sender
+}
+
+# Blacklist networks
+&&BLOCK_NETS {
+ client_address==file:/etc/postfix/postfwd.bl-nets
+}
+
+# Blacklist hostnames
+&&BLOCK_HOSTS {
+ client_name=~file:/etc/postfix/postfwd.bl-hosts
+}
+
+# Blacklist users
+&&BLOCK_USERS {
+ sasl_username==file:/etc/postfix/postfwd.bl-user
+}
+
+# Blacklist sender adresses
+&&BLOCK_SENDER {
+ # =~
+ # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
+ sender=~file:/etc/postfix/postfwd.bl-sender
+}
+
+# Inbound emails only
+&&INCOMING {
+ client_address!=127.0.0.1
+}
+
+
+#======= Rule Sets ============
+
+# ---
+#
+# Processing of the Rule Sets
+#
+# The parser checks the elements of a policy delegation request against the postfwd set
+# of rules and, if necessary, triggers the configured action (action=). Similar to a
+# classic firewall, a rule is considered true if every element of the set of rules (or
+# one from every element list) applies to the comparison. I.e. the following rule:
+#
+# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
+#
+# triggers a REJECT if the
+#
+# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+#
+# Note:
+# If an element occurs more than once, an element list is formed:
+#
+# The following rule set is equivalent to the above:
+#
+# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
+#
+#
+# triggers a REJECT if (as above) the
+#
+# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+# ---
+
+# Whitelists
+
+# Whitelist trusted networks
+id=WHL_NETS
+ &&TRUSTED_NETS
+ action=DUNNO
+
+# Whitelist trusted hostnames
+id=WHL_HOSTS
+ &&TRUSTED_HOSTS
+ action=DUNNO
+
+# Whitelist sasl users
+id=WHL_USERS
+ &&TRUSTED_USERS
+ action=DUNNO
+
+# Whitelist senders
+id=WHL_SENDERS
+ &&INCOMING
+ &&TRUSTED_SENDERS
+ action=DUNNO
+
+
+# Blacklists
+
+# Block networks
+id=BL_NETS
+ &&BLOCK_NETS
+ action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
+
+# Block hostname
+id=BL_HOSTS
+ &&BLOCK_HOSTS
+ action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
+
+# Block users
+id=BL_USERS
+ &&BLOCK_USERS
+ action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
+
+# Blacklist sender
+#
+# Claim successful delivery and silently discard the message.
+#
+id=BL_SENDER
+ &&BLOCK_SENDER
+ #action=DISCARD
+ action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
+
+
+# Rate Limits
+
+# Throttle unknown clients to 5 recipients per 5 minutes:
+id=RATE_UNKNOWN_CLIENT_ADDR
+ sasl_username =~ /^$/
+ client_name==unknown
+ action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
+
+# Changed from default 'more than 50 messages per minute' (/50/60/421 421)
+#
+# Block clients (ip-addresses) sending more than 150 messages per minute exceeded. Error:RATE_CLIENT)
+id=RATE_CLIENT_ADDR
+ &&INCOMING
+ action=rate($$client_address/150/60/421 421 4.7.0 Too many connections from $$client_address)
+
+# Block messages with more than 50 recipients
+id=BLOCK_MSG_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ recipient_count=50
+ action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
+
+# Changed from default '50 messages/hour' (/50/3600/450)
+#
+# Block users sending more than 200 messages/hour
+id=RATE_MSG
+ &&INCOMING
+ &&SASL_AUTH
+ action=rate($$sasl_username/200/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
+
+# Block users sending more than 250 recipients total/hour
+id=RATE_RCPT
+ &&INCOMING
+ &&SASL_AUTH
+ action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
+
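Review bot: The `&&INCOMING` macro (`client_address!=127.0.0.1`) treats everything except the IPv4 loopback as inbound, so submissions arriving over `::1`, if Postfix also listens there, fall under RATE_CLIENT_ADDR, RATE_MSG and RATE_RCPT while the same submissions over 127.0.0.1 do not; if that asymmetry is unintended the macro needs the IPv6 loopback as well (check how postfwd evaluates a negated element list before adding `::1`). The comment above `id=BL_SENDER` ('Claim successful delivery and silently discard the message') describes the commented-out `#action=DISCARD`, while the active action is a REJECT, so it should be rewritten to something like `# Reject with a permanent error; DISCARD kept below as the silent alternative.` The comment on RATE_CLIENT_ADDR ends in `exceeded. Error:RATE_CLIENT)`, a leftover that matches neither the rule id nor its actual reply text. In BLOCK_MSG_RCPT the comment says 'more than 50 recipients' but the item is `recipient_count=50`; confirm that `=` on a numeric item means 'greater or equal' in the installed postfwd version, otherwise use the explicit comparison operator. RATE_UNKNOWN_CLIENT_ADDR writes `rate(client_address/…)` while the other rate rules use the `$$client_address` variable form; using one form throughout avoids relying on both spellings being accepted.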