update..

2023-12-01 20:11:18 +01:00 · 2023-12-01 20:11:18 +01:00 · 74cb59cda1
commit 74cb59cda1
parent 0c058e1a87
66 changed files with 7363 additions and 294 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -1502,7 +1502,7 @@ apt_lxc_host_pkgs:
  - lxcfs
  - python3-lxc
  - debootstrap
-  - ntp
+  - ntpsec
 yum_lxc_host_pkgs_centos:
  - bridge-utils
@ -1533,7 +1533,13 @@ apt_kvm_host_pkgs:
  - libguestfs-tools
  - kpartx
  - debootstrap
-  - ntp
+  - ntpsec
 apt_gateway_host_pkgs:
  - iptraf
  - speedtest-cli
 # available in debian 10 (buster) but not in debian 11 (bullseye)
 #
@ -1976,6 +1982,17 @@ default_user:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
--- a/host_vars/a.ns.oopen.de.yml
+++ b/host_vars/a.ns.oopen.de.yml
@ -34,7 +34,8 @@ extra_user:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRIzOUFGlC9R4f2iR3NzJ4syl8hnsxmK3tyPLN8LCCJUY1McVH80zjiB8V+OADZ8rI2NczX5QNG20sayw9DJQOhuPWlKZuz+1pzP+lPANzWVFX7NyqLipdjklFM5D29go1Gq61PhAFACU8XaXZRiPvYkQQwHYPttjlCsD9R4uOfbXaXU1gP2RHkKgseGI7L2vuSxTDSbaFyJ03A6GPViti3YlqpT5H8UGyb1TbiCl/sleJq+2bpyPbPfpmL7fzZ/4gbbmxKN4GAit491/2CcApceTP98F+kv8EbIhkfngUp2KL8IEOM1SzXioSK/4iqIS5ynM47O/sUIIxwCcx4URdE8ax6Alo88ixI7dC+k0VqppASHheyy45l9zs3KjtxmEvbRYOodZfm0yidA5iyB9FW7BTr1XBSvjBL186GakwC/m7t5Z1ez9pQgPf1HclBJt69gULuZ/d+PrWylhcIIicaiucLD+xnZeefdiAVI7z04M+g8wBsQtR2YzK1SZoLb6nzPQT6lZqc1F9M1j32CyJ7cWNgPJ8Lc4IRKSqxSo9JmhfTmMkhiSopgRyk+s36PJiTtK5PgIb0P8vtS7gpzAtOub/x00aX0tYGEX89Dvl99Lps5nj4W4g92DOT27g19+EdJwyeryTISaem7T2oEB5LVqa/ibnCDfADQnLFmoRZQ== root@e.mx-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxDvNzF75UIFucvMxUuUsoF+OV7WEEPBMC/Xx1JK+ldzqLLhHVQZahLi2b7wRXy4F13jS++TB0YassM+mWxKp08VpKPnCVGHvMdNhtHCr1EUUueTTG8lCTwetBNX4w0Ajg5/Sep/UlyA8vR3SZy6DuBn2BAJ0UeNwplp+luXgB+uLYKFxId3gcaVeZUxjAz1bhPNZ9q7FphUvGGk79oFDi/k0oUYhiVk38Prsk0DS5Jn+B4aqUJZClUwuHtq9ZHaZ1GjqEdwz2GYXsnVHcZkrNciVIccQjL5+u7sNr4CTa59Yj8/xpjWVCsc6TEr3Wg6TwFP9YgUopXFvLmYj6N07itOf3kdrili8avFM+LLDA7QuanObW2LWJFJXhoUhDsGkUoLNvj+90VSMz9xMjioY1sK/92kBVJG4BxnZPzZApIroWmAQUknq/qmTqgH/0T687Jb7aA4HlG9rmHo6lIhCZtF89tci6MRDqUWapXt1sGt/qeQYaTrF/dknKoULBPL55r1FnVmJeUX6n3FUk+FKIB/Avv4R1+QON9BpLZIkrLWpDD6/aYbfXmGMnMvvL8qiI1w0b1VWsoBzi/SYbt8ez7j5h0wQFG+lyJiB0RVG0kEZ497dHIFLjPCokck/0S/fFQUU/DR1PcVpdEUvN5c4Ld8J4EIzq1vkeRdS6TQPF1w== root@mail.cadus.org-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5j1tCRwVGvGatVQVLxUzV4r5E5QERXxkEGcGoasLF8zBQO5KY60iqU/DLDjX0zT2Gju5dlVUd/s1N/eiv0LhfgxOcKK31tWOVm8oX5gsIC+yv9cIbAJouhstVxAgGoUci5m2/is/q2WfURWuvGFoCVzrJReqTh/yMkYegcRpnFSv+/OucIt/qQysOQSHyJ/mrIX6HnTKvWgbHjVnPj0jkicR5xyfGZxPYQYS4osNyeWyR5f5QaIXFUHhWmQd+mw3m75kkkxwo8Qm0/yj7W7KZNaD2AawiFFNyy034QLUEkx/xZkp2gD/8arqLZ5S/mrhH4u7LrN5BeE+8RoKyKVlHWidaXD1y9S6cK6cQ/fO+Gq2Lhc+LghPAaH0yTgfYU7YBCcqNYEyS7sGEMh8u8aQFTYCWOpZai5b+nu9Y6HmDZP7CgfD4bNIBNBl1CsGThWhST7DIDhPoJ4xtoCinuxoqq8RdjbVpAfPUeckvzZinwf6p1ffKcBhTJYI/+aYrNqPoLCn6+pP/0b1A67kyl0G60xO13PnnxJSsRBiTiqD8OYPM6BDmQuftc73XOJZbHxD3VFO0B440k94/S9WQqMNVaH7AAMSabU9drvI8afgwxdfuR7dzQZYMtZVq9xgc/nXibTW6ft87yY2g8eJsPNMLSvOduE8a+VnUmAh+p0SpQ== root@mail.cadus.org-opendkim'
-      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5t2IHfT0LF1ac2H0W9xlyJUgUIqSkE5kDmW/uAoJkWTls7+h4DnaYF09f5Q/6HOb8RV8Y5zFQZLG89u6m2kyNJRjWfKKS/g6kCrnctCSAj9PPthUKxqVWBiOj0QScxHpLhxgebeMr1Rd1hQUCFYOuOd+p7daKd/dbr3DhzVfSSB82FtrnLaVazByX/bik7Z2dokD/020r1tUXY+sR7Fe1iF7APCWjcNQLUcByGmuYMViNVnD82ZSYqEUjA4UGdnth4imS47NFTzxz5y+yW5LGh+W16w2WpnhLbiSqF2lGnaCfNzKHBdR1atIJtzYhFwO1vxf440dlsWwgx8wrBW9cVaDtaPVlj0PwSJ0DKLBaqYxVFAo132ezj18QxAMAq4QEcRZ4pZXmXuhy+mg91PcRN5wIchulMhsbtDyQWF+N3S2FDIPoIXNFI/ROPiQofxnmzE7adFK1gqP6SshjDSdx0SmY+EumAMnR9sAVLaHsC2l2ZMiHYfxqCKBrCI/opCAwKnD+HgaLL0evHLyaSpUYNfNbSpcy80vsBF0s/I1ibyhGCkwv34ipDD+w39FHL7Hz8KZJQBU5XU64SzhrsOHCTV3MRTG+0S8YU93L8/7TEy0xIjvL5YAUXQW3RamZHpIG+tE78RxtXpC885dcOXDr0zcf+UuxksYjtQVCvKy3w== root@mail.faire-mobilitaet.de'
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5t2IHfT0LF1ac2H0W9xlyJUgUIqSkE5kDmW/uAoJkWTls7+h4DnaYF09f5Q/6HOb8RV8Y5zFQZLG89u6m2kyNJRjWfKKS/g6kCrnctCSAj9PPthUKxqVWBiOj0QScxHpLhxgebeMr1Rd1hQUCFYOuOd+p7daKd/dbr3DhzVfSSB82FtrnLaVazByX/bik7Z2dokD/020r1tUXY+sR7Fe1iF7APCWjcNQLUcByGmuYMViNVnD82ZSYqEUjA4UGdnth4imS47NFTzxz5y+yW5LGh+W16w2WpnhLbiSqF2lGnaCfNzKHBdR1atIJtzYhFwO1vxf440dlsWwgx8wrBW9cVaDtaPVlj0PwSJ0DKLBaqYxVFAo132ezj18QxAMAq4QEcRZ4pZXmXuhy+mg91PcRN5wIchulMhsbtDyQWF+N3S2FDIPoIXNFI/ROPiQofxnmzE7adFK1gqP6SshjDSdx0SmY+EumAMnR9sAVLaHsC2l2ZMiHYfxqCKBrCI/opCAwKnD+HgaLL0evHLyaSpUYNfNbSpcy80vsBF0s/I1ibyhGCkwv34ipDD+w39FHL7Hz8KZJQBU5XU64SzhrsOHCTV3MRTG+0S8YU93L8/7TEy0xIjvL5YAUXQW3RamZHpIG+tE78RxtXpC885dcOXDr0zcf+UuxksYjtQVCvKy3w== root@mail.faire-mobilitaet.de-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfld1y5SRwZmm1klawA8sblupBUxZfg2cogm9tOKfrGsN8AZOlotFEhWPmZR0xcLTazYJdO3MghRUUEw3mqc2zmDXP7WGCrQNCXBY0xpHb9B+wnvMQMo0dLsOk6+48Z1TWyteA/7vV0bow/Wi5PfGWhn3BNUVVFw9zPL5F1sCXq79bflw2/M+Q6wAHHhQsNQ8nGlIVqum+tCeDFP4YlwMayq03GmxTGM9kmb/ciNNcmz9jSNLwM9fWVRqLx4QcHwM9TjH/G4Yfmn63DgTeTlh8pFlIUqgQvTPAgASymkmztAR7UoW4taMhlSn05LqnZjASmmox2kb9Q7xk4yJWdA46fAf8647//7N8MUr7WELOLDGxxVnKnRfto2Hh5b+GYtew/fcxc6SpDUqQH/VqpFCHlKe5EU8QsZTJMRRtGpf3uED/qrinoeTuhRKibLJNctAiaakXkXvmMnM8iNejohwy00jERx0dAfZmkHi5w6x677fWzKu0idBsX3tqrqnvQN99VLwdLSNtppfE2EkSDy8g0xDUIAJsavP2/GnpPp4Cw40inL94gfG7nBp9koGbKfIM072PKy6eHzr+4fGTWUGpm4HvaGN8iazKahU1JVse1OcjCTiZvut0S3Y6nOQLtV1cO3yKLhNvPEh4NlRsNoaVbn/kR6e97M0nVDIKYKHt8w== root@mail.faire-mobilitaet.de-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCv2rDahAeQBR9NcQkHG5VHbMNGlOzHJPbh5V34ogloAtW0VVO7xnes3Ak3Q/eM0tFbFMG4MRti1M3Un0GJzTV9H2bqN02TmUp5MnDVDcHNfG4L7hqLH2KtwniKeB41IKIeJUdhpKxdFFqM8Z78Xn5EASO5Fu33lQcH+RTbmoYikEr1WrSbQB3wcqtXS+lNveyFUlJD9XJ0MLzanBePQh9boc93CfOa3yFTb90grfB5QjnpL7167MpSH6Oq/DVh5NcnMzvoYjZf9gsMTHuOAUyUKGeUdg2K89gFjkBq2r3S3ouKpDQxPSRXHuNDBSeHJEHy8DP6rOd+0qZVOaPEv3Qi/BRPO9LWcc2aUg8ydI7w1oMd/STaK54PaUJJ7uXV3ZTQsxGyziwZlx+Gq0PNAMjKFdYXAcuGPnlYxDGhVcJJElEuu7DJQqpWfzofov2VEniQQ8Ekknpxd5MFYka0NP038lpIZyMzy13DFJ6KUchbTGfzkHcwKmFX+3vZFEBqq5rZWOuY303qe5gP7eKhsBV/iu47Ne1OtTS2N0QFPTElshk3CLbZKerQo+XLxo3Z15cRDxDsgkdAHtY1PiMjXeX8ZahwXC2vs1ZfBoN4kK2iIH1Gtor4QG+g7chjKa+kZDKqFd4y0EZzeR0IjYCyWt2mNd3hMbEjBtZp75drYmRlqQ== root@ga-st-mail-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF7Sx0YJlLjjg3Sm8uiXJyBeKKmZFum3D8Mw2VQZrXJgYOrVB/SVDXO4N5I6NOT5bvxs8c5DLV/4J4ewGP5dGSYiepRnkrRSBUUS6ICwkYfyXremHJ31uREfODRBA4Vnsmpw0SlbQ2I9IpYwsaD3/IDZehDgaCKu4D0/LIprZh0/u+WX7kOGb8Tkm/PBu2SSbAzURaMXn/UtGsUyrickAmEK9qXZDsNYgcwOqZaPtkMZP3mAdix/gKaWV07oU49zxBrouD8gRWAs/yOLvxOe1JDcH2ZExXl81jJYlUffKarBHsWNNE79hUInnH9YTfxP1AEC+MyFXxqKwz3Lk1dQyUo1TFtJTYY+/IHsXT/6KhbOi6twhj7U7uZEqaIWyo6N+WVL9fFhgmbSoVIE6KrBM5VtOdr33A3a+XeNAQGjW6mqOcv3iNUDipTnDTKkEAWQWWnK5YRuaJw1eUCoii/FDp0hRTWIqn+RVCgkOGgEjMIRC8tiQouCXxwfukfcq9zD8S8UCyyQY0uWRHm3uM5GHTmvIJHBXfXBSX/B+PgesSZVwICCiS/6ZSWT+6D5ObBdKGkz12A797YyaMsN7RtJn6OBhPRrGfqQLCIM7lpxJHAoQmTSMiuQp/TjHLedjAm3FvxET2ZvqPWg9QtvSzIoz2JOdKysZHGgbBdC7q6Cssvw== root@ga-st-mail-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQClupkurU+acJRtp2s9GgiC+rANqlup8SfhtulV0a/8z6nobjcpQWrfVq+MNjM7VghnlMAwMjz7tccFGyCmJoSS11RcnFtPmqnSNj0/TI8zyYOZUvZCczPBSeqs/IxawyYz91e3RlPWbpv71Nj+/EHUZApZkkdTkpYHduSJYWtKYA2l2Glzmjd2d2u/IFIkqXhvl1bT3RUMLZJqYdEwYAvlW2JB84EIWNf4ytcGcu6rakXCRP9o62BbRza3AfMgSfa45PLodPi5VpqDiTHSCIBll+VOuLqTgQCBYeANRPClMLbueVXXcMrmEwrDXeC0dpqTdgaF2Tz3xYsrAzTe6bcNJsGgGCQyTtDKpsAgoKb31agsyy68CoZto13Ea4WYsNVx0T3KaRlaDm98KqnUJXHJvXnLegqfXiURL5BpxXmAnFvZ0duHrtRkVpzeu5n5vz41RLnFHyLln2VE6a+IYdiLlPl2hC+7pswb+nBP9yNn6T4WQZNtHp4YssANuYKO+/gJaHpMJ1TqgL/Ip66erK+372M1T/6ibiU3+qHbwW7FbXVfn3Dz2abJGyNkoaZGpQIXtx0UxWYZHF8E35Z0ll9NQo1CnDvV3jA1aMnYVTv9DuSYxqLY34oHWXEFzMyStCRWup4Tfrp3pT61GRhb2h8kZi5dqQur9KrqWmA6HF9D+Q== root@lists.mx'
@ -43,6 +44,7 @@ extra_user:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIf2ahqowiUbP4f3/qtdC1JmbjIdlF+i+TiWpxWam0yjiGuTPDjI1ud5vj0of2+P4DJy2dkDvF3yK7/Np7qpxIJgsj9HNiwIlGtfrwNCzqGlyPovjNpAr8cCR1P34K9CgHz4BInc//vjxlUXZpK17omOJ4KaVY1f/Eit0G5Y2TJ38BY6MztuUfou8PdJqITM3GM/YOk4iz2OnObDjHAbd6VTSn4yrYTkGT30axiCHdSy0XhvfUgB1yO08PIcOOogGkxRLYkvUAxwhDsFSpGzQBhUb1O5RqGnBs/aR4sxwjTaeO8mP6lpQMp2pz//I6448N3k5P1CwcJAqrkUuOk4o+jHWr5rSO+eKm4SQ74RBnAAM9bA0tpvCmO8kV2tsdbS4Yw94H4GfTgOPZ5Fe6Y8ciTR+bkGdp7sqm5DNtjZNZuwiFmoe2vj7RJlCNDIXhwVEGAWf+lFYCQKp05A13QoRYGg2aebaLSjw9XYBghNtwnmYkSb84xIoELmPKYrvdodO2uHgGxHBls1mFTz8m01kn+A49L3yY+cFZtSua/+YYoZLh1tNLAL4rBRCRVpZs+VHrmz0GCxwYMHkm9ti0SRPrb7jtH9DYwLUdci4pL8z/G4D2M92A66OZqIybgAJkkdl4H4mv9n05FPJ8RxPniD58x3AMTZNtkxGxn8UkTCSSGQ== root@web-01-opendkim'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvy+IDUeoVwLg+cJNcKzls5guOrVUretsf05v3Y2N+Y root@default-oopen-server'
 # ---
@ -60,6 +62,81 @@ extra_user:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/b.mx.oopen.de.yml
+++ b/host_vars/b.mx.oopen.de.yml
@ -27,6 +27,76 @@
 install_compiler_pkgs: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/b.ns.oopen.de.yml
+++ b/host_vars/b.ns.oopen.de.yml
@ -29,7 +29,8 @@ extra_user:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRIzOUFGlC9R4f2iR3NzJ4syl8hnsxmK3tyPLN8LCCJUY1McVH80zjiB8V+OADZ8rI2NczX5QNG20sayw9DJQOhuPWlKZuz+1pzP+lPANzWVFX7NyqLipdjklFM5D29go1Gq61PhAFACU8XaXZRiPvYkQQwHYPttjlCsD9R4uOfbXaXU1gP2RHkKgseGI7L2vuSxTDSbaFyJ03A6GPViti3YlqpT5H8UGyb1TbiCl/sleJq+2bpyPbPfpmL7fzZ/4gbbmxKN4GAit491/2CcApceTP98F+kv8EbIhkfngUp2KL8IEOM1SzXioSK/4iqIS5ynM47O/sUIIxwCcx4URdE8ax6Alo88ixI7dC+k0VqppASHheyy45l9zs3KjtxmEvbRYOodZfm0yidA5iyB9FW7BTr1XBSvjBL186GakwC/m7t5Z1ez9pQgPf1HclBJt69gULuZ/d+PrWylhcIIicaiucLD+xnZeefdiAVI7z04M+g8wBsQtR2YzK1SZoLb6nzPQT6lZqc1F9M1j32CyJ7cWNgPJ8Lc4IRKSqxSo9JmhfTmMkhiSopgRyk+s36PJiTtK5PgIb0P8vtS7gpzAtOub/x00aX0tYGEX89Dvl99Lps5nj4W4g92DOT27g19+EdJwyeryTISaem7T2oEB5LVqa/ibnCDfADQnLFmoRZQ== root@e.mx-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxDvNzF75UIFucvMxUuUsoF+OV7WEEPBMC/Xx1JK+ldzqLLhHVQZahLi2b7wRXy4F13jS++TB0YassM+mWxKp08VpKPnCVGHvMdNhtHCr1EUUueTTG8lCTwetBNX4w0Ajg5/Sep/UlyA8vR3SZy6DuBn2BAJ0UeNwplp+luXgB+uLYKFxId3gcaVeZUxjAz1bhPNZ9q7FphUvGGk79oFDi/k0oUYhiVk38Prsk0DS5Jn+B4aqUJZClUwuHtq9ZHaZ1GjqEdwz2GYXsnVHcZkrNciVIccQjL5+u7sNr4CTa59Yj8/xpjWVCsc6TEr3Wg6TwFP9YgUopXFvLmYj6N07itOf3kdrili8avFM+LLDA7QuanObW2LWJFJXhoUhDsGkUoLNvj+90VSMz9xMjioY1sK/92kBVJG4BxnZPzZApIroWmAQUknq/qmTqgH/0T687Jb7aA4HlG9rmHo6lIhCZtF89tci6MRDqUWapXt1sGt/qeQYaTrF/dknKoULBPL55r1FnVmJeUX6n3FUk+FKIB/Avv4R1+QON9BpLZIkrLWpDD6/aYbfXmGMnMvvL8qiI1w0b1VWsoBzi/SYbt8ez7j5h0wQFG+lyJiB0RVG0kEZ497dHIFLjPCokck/0S/fFQUU/DR1PcVpdEUvN5c4Ld8J4EIzq1vkeRdS6TQPF1w== root@mail.cadus.org-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5j1tCRwVGvGatVQVLxUzV4r5E5QERXxkEGcGoasLF8zBQO5KY60iqU/DLDjX0zT2Gju5dlVUd/s1N/eiv0LhfgxOcKK31tWOVm8oX5gsIC+yv9cIbAJouhstVxAgGoUci5m2/is/q2WfURWuvGFoCVzrJReqTh/yMkYegcRpnFSv+/OucIt/qQysOQSHyJ/mrIX6HnTKvWgbHjVnPj0jkicR5xyfGZxPYQYS4osNyeWyR5f5QaIXFUHhWmQd+mw3m75kkkxwo8Qm0/yj7W7KZNaD2AawiFFNyy034QLUEkx/xZkp2gD/8arqLZ5S/mrhH4u7LrN5BeE+8RoKyKVlHWidaXD1y9S6cK6cQ/fO+Gq2Lhc+LghPAaH0yTgfYU7YBCcqNYEyS7sGEMh8u8aQFTYCWOpZai5b+nu9Y6HmDZP7CgfD4bNIBNBl1CsGThWhST7DIDhPoJ4xtoCinuxoqq8RdjbVpAfPUeckvzZinwf6p1ffKcBhTJYI/+aYrNqPoLCn6+pP/0b1A67kyl0G60xO13PnnxJSsRBiTiqD8OYPM6BDmQuftc73XOJZbHxD3VFO0B440k94/S9WQqMNVaH7AAMSabU9drvI8afgwxdfuR7dzQZYMtZVq9xgc/nXibTW6ft87yY2g8eJsPNMLSvOduE8a+VnUmAh+p0SpQ== root@mail.cadus.org-opendkim'
-      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5t2IHfT0LF1ac2H0W9xlyJUgUIqSkE5kDmW/uAoJkWTls7+h4DnaYF09f5Q/6HOb8RV8Y5zFQZLG89u6m2kyNJRjWfKKS/g6kCrnctCSAj9PPthUKxqVWBiOj0QScxHpLhxgebeMr1Rd1hQUCFYOuOd+p7daKd/dbr3DhzVfSSB82FtrnLaVazByX/bik7Z2dokD/020r1tUXY+sR7Fe1iF7APCWjcNQLUcByGmuYMViNVnD82ZSYqEUjA4UGdnth4imS47NFTzxz5y+yW5LGh+W16w2WpnhLbiSqF2lGnaCfNzKHBdR1atIJtzYhFwO1vxf440dlsWwgx8wrBW9cVaDtaPVlj0PwSJ0DKLBaqYxVFAo132ezj18QxAMAq4QEcRZ4pZXmXuhy+mg91PcRN5wIchulMhsbtDyQWF+N3S2FDIPoIXNFI/ROPiQofxnmzE7adFK1gqP6SshjDSdx0SmY+EumAMnR9sAVLaHsC2l2ZMiHYfxqCKBrCI/opCAwKnD+HgaLL0evHLyaSpUYNfNbSpcy80vsBF0s/I1ibyhGCkwv34ipDD+w39FHL7Hz8KZJQBU5XU64SzhrsOHCTV3MRTG+0S8YU93L8/7TEy0xIjvL5YAUXQW3RamZHpIG+tE78RxtXpC885dcOXDr0zcf+UuxksYjtQVCvKy3w== root@mail.faire-mobilitaet.de'
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5t2IHfT0LF1ac2H0W9xlyJUgUIqSkE5kDmW/uAoJkWTls7+h4DnaYF09f5Q/6HOb8RV8Y5zFQZLG89u6m2kyNJRjWfKKS/g6kCrnctCSAj9PPthUKxqVWBiOj0QScxHpLhxgebeMr1Rd1hQUCFYOuOd+p7daKd/dbr3DhzVfSSB82FtrnLaVazByX/bik7Z2dokD/020r1tUXY+sR7Fe1iF7APCWjcNQLUcByGmuYMViNVnD82ZSYqEUjA4UGdnth4imS47NFTzxz5y+yW5LGh+W16w2WpnhLbiSqF2lGnaCfNzKHBdR1atIJtzYhFwO1vxf440dlsWwgx8wrBW9cVaDtaPVlj0PwSJ0DKLBaqYxVFAo132ezj18QxAMAq4QEcRZ4pZXmXuhy+mg91PcRN5wIchulMhsbtDyQWF+N3S2FDIPoIXNFI/ROPiQofxnmzE7adFK1gqP6SshjDSdx0SmY+EumAMnR9sAVLaHsC2l2ZMiHYfxqCKBrCI/opCAwKnD+HgaLL0evHLyaSpUYNfNbSpcy80vsBF0s/I1ibyhGCkwv34ipDD+w39FHL7Hz8KZJQBU5XU64SzhrsOHCTV3MRTG+0S8YU93L8/7TEy0xIjvL5YAUXQW3RamZHpIG+tE78RxtXpC885dcOXDr0zcf+UuxksYjtQVCvKy3w== root@mail.faire-mobilitaet.de-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfld1y5SRwZmm1klawA8sblupBUxZfg2cogm9tOKfrGsN8AZOlotFEhWPmZR0xcLTazYJdO3MghRUUEw3mqc2zmDXP7WGCrQNCXBY0xpHb9B+wnvMQMo0dLsOk6+48Z1TWyteA/7vV0bow/Wi5PfGWhn3BNUVVFw9zPL5F1sCXq79bflw2/M+Q6wAHHhQsNQ8nGlIVqum+tCeDFP4YlwMayq03GmxTGM9kmb/ciNNcmz9jSNLwM9fWVRqLx4QcHwM9TjH/G4Yfmn63DgTeTlh8pFlIUqgQvTPAgASymkmztAR7UoW4taMhlSn05LqnZjASmmox2kb9Q7xk4yJWdA46fAf8647//7N8MUr7WELOLDGxxVnKnRfto2Hh5b+GYtew/fcxc6SpDUqQH/VqpFCHlKe5EU8QsZTJMRRtGpf3uED/qrinoeTuhRKibLJNctAiaakXkXvmMnM8iNejohwy00jERx0dAfZmkHi5w6x677fWzKu0idBsX3tqrqnvQN99VLwdLSNtppfE2EkSDy8g0xDUIAJsavP2/GnpPp4Cw40inL94gfG7nBp9koGbKfIM072PKy6eHzr+4fGTWUGpm4HvaGN8iazKahU1JVse1OcjCTiZvut0S3Y6nOQLtV1cO3yKLhNvPEh4NlRsNoaVbn/kR6e97M0nVDIKYKHt8w== root@mail.faire-mobilitaet.de-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCv2rDahAeQBR9NcQkHG5VHbMNGlOzHJPbh5V34ogloAtW0VVO7xnes3Ak3Q/eM0tFbFMG4MRti1M3Un0GJzTV9H2bqN02TmUp5MnDVDcHNfG4L7hqLH2KtwniKeB41IKIeJUdhpKxdFFqM8Z78Xn5EASO5Fu33lQcH+RTbmoYikEr1WrSbQB3wcqtXS+lNveyFUlJD9XJ0MLzanBePQh9boc93CfOa3yFTb90grfB5QjnpL7167MpSH6Oq/DVh5NcnMzvoYjZf9gsMTHuOAUyUKGeUdg2K89gFjkBq2r3S3ouKpDQxPSRXHuNDBSeHJEHy8DP6rOd+0qZVOaPEv3Qi/BRPO9LWcc2aUg8ydI7w1oMd/STaK54PaUJJ7uXV3ZTQsxGyziwZlx+Gq0PNAMjKFdYXAcuGPnlYxDGhVcJJElEuu7DJQqpWfzofov2VEniQQ8Ekknpxd5MFYka0NP038lpIZyMzy13DFJ6KUchbTGfzkHcwKmFX+3vZFEBqq5rZWOuY303qe5gP7eKhsBV/iu47Ne1OtTS2N0QFPTElshk3CLbZKerQo+XLxo3Z15cRDxDsgkdAHtY1PiMjXeX8ZahwXC2vs1ZfBoN4kK2iIH1Gtor4QG+g7chjKa+kZDKqFd4y0EZzeR0IjYCyWt2mNd3hMbEjBtZp75drYmRlqQ== root@ga-st-mail-opendkim'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF7Sx0YJlLjjg3Sm8uiXJyBeKKmZFum3D8Mw2VQZrXJgYOrVB/SVDXO4N5I6NOT5bvxs8c5DLV/4J4ewGP5dGSYiepRnkrRSBUUS6ICwkYfyXremHJ31uREfODRBA4Vnsmpw0SlbQ2I9IpYwsaD3/IDZehDgaCKu4D0/LIprZh0/u+WX7kOGb8Tkm/PBu2SSbAzURaMXn/UtGsUyrickAmEK9qXZDsNYgcwOqZaPtkMZP3mAdix/gKaWV07oU49zxBrouD8gRWAs/yOLvxOe1JDcH2ZExXl81jJYlUffKarBHsWNNE79hUInnH9YTfxP1AEC+MyFXxqKwz3Lk1dQyUo1TFtJTYY+/IHsXT/6KhbOi6twhj7U7uZEqaIWyo6N+WVL9fFhgmbSoVIE6KrBM5VtOdr33A3a+XeNAQGjW6mqOcv3iNUDipTnDTKkEAWQWWnK5YRuaJw1eUCoii/FDp0hRTWIqn+RVCgkOGgEjMIRC8tiQouCXxwfukfcq9zD8S8UCyyQY0uWRHm3uM5GHTmvIJHBXfXBSX/B+PgesSZVwICCiS/6ZSWT+6D5ObBdKGkz12A797YyaMsN7RtJn6OBhPRrGfqQLCIM7lpxJHAoQmTSMiuQp/TjHLedjAm3FvxET2ZvqPWg9QtvSzIoz2JOdKysZHGgbBdC7q6Cssvw== root@ga-st-mail-dehydrated'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQClupkurU+acJRtp2s9GgiC+rANqlup8SfhtulV0a/8z6nobjcpQWrfVq+MNjM7VghnlMAwMjz7tccFGyCmJoSS11RcnFtPmqnSNj0/TI8zyYOZUvZCczPBSeqs/IxawyYz91e3RlPWbpv71Nj+/EHUZApZkkdTkpYHduSJYWtKYA2l2Glzmjd2d2u/IFIkqXhvl1bT3RUMLZJqYdEwYAvlW2JB84EIWNf4ytcGcu6rakXCRP9o62BbRza3AfMgSfa45PLodPi5VpqDiTHSCIBll+VOuLqTgQCBYeANRPClMLbueVXXcMrmEwrDXeC0dpqTdgaF2Tz3xYsrAzTe6bcNJsGgGCQyTtDKpsAgoKb31agsyy68CoZto13Ea4WYsNVx0T3KaRlaDm98KqnUJXHJvXnLegqfXiURL5BpxXmAnFvZ0duHrtRkVpzeu5n5vz41RLnFHyLln2VE6a+IYdiLlPl2hC+7pswb+nBP9yNn6T4WQZNtHp4YssANuYKO+/gJaHpMJ1TqgL/Ip66erK+372M1T/6ibiU3+qHbwW7FbXVfn3Dz2abJGyNkoaZGpQIXtx0UxWYZHF8E35Z0ll9NQo1CnDvV3jA1aMnYVTv9DuSYxqLY34oHWXEFzMyStCRWup4Tfrp3pT61GRhb2h8kZi5dqQur9KrqWmA6HF9D+Q== root@lists.mx'
@ -54,6 +55,81 @@ extra_user:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.99.99
  - 2a01:4f8:0:1::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/backup.oopen.de.yml
+++ b/host_vars/backup.oopen.de.yml
@ -25,6 +25,77 @@
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -49,6 +120,15 @@ default_user:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
@ -62,6 +142,7 @@ default_user:
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
--- a/host_vars/backup.warenform.de.yml
+++ b/host_vars/backup.warenform.de.yml
@ -0,0 +1,213 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 apt_install_extra_pkgs: true
 apt_extra_pkgs:
  - subversion
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.warenform.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.warenform.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.warenform-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.warenform-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.warenform.de
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: axel
    password: $6$zUWC465e$XblctxwnBIOa7mPcN6foEQrwChjpwoY7lLtacXJrSsvjZS3I6Ox1mYUtN3/gzkvpbzOPx/9PlRJV.mbl939mD.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOPnP788dlfeFi9oo8UkS0Chi/jcxUGjsOuQnxW/GR+ axel@wf.netz'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    password: $6$vvccwrTc$Sz1HaSb3ujObprltiG7D6U1Rr3fpgfjkKuDDWYdHzPkPx/0pEofCWC.vyTn78hcemkntl.6wVUOnJnNloKt/E/
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOPnP788dlfeFi9oo8UkS0Chi/jcxUGjsOuQnxW/GR+ axel@wf.netz'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - axel
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/bbb-server.b3-bornim.netz.yml
+++ b/host_vars/bbb-server.b3-bornim.netz.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -45,9 +44,9 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 192.168.42.1
+    #  - 192.168.42.1
-    search: b3-bornim.netz
+    #search: b3-bornim.netz
 # ---
@ -75,6 +74,76 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.42.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - b3-bornim.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/cl-fm.oopen.de.yml
+++ b/host_vars/cl-fm.oopen.de.yml
@ -24,12 +24,132 @@ sshd_permit_root_login: !!str "prohibit-password"
 # ---
 # vars used by apt.yml
 # ---
 :wq
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
--- a/host_vars/cl-irights.oopen.de.yml
+++ b/host_vars/cl-irights.oopen.de.yml
@ -26,10 +26,129 @@ sshd_permit_root_login: !!str "prohibit-password"
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
--- a/host_vars/dns0.warenform.de.yml
+++ b/host_vars/dns0.warenform.de.yml
@ -0,0 +1,124 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 83.223.66.51
  - 212.42.230.1
  - 83.223.90.90
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # vars used by scripts/install-update-firewall.yml
 # ---
 git_firewall_repository: {}
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
--- a/host_vars/dns1.warenform.de
+++ b/host_vars/dns1.warenform.de
@ -1,69 +0,0 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # vars used by scripts/install-update-firewall.yml
 # ---
 git_firewall_repository: {}
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
--- a/host_vars/dns1.warenform.de.yml
+++ b/host_vars/dns1.warenform.de.yml
@ -0,0 +1,141 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 83.223.66.51
  - 212.42.230.1
  - 83.223.84.14
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # vars used by scripts/install-update-firewall.yml
 # ---
 git_firewall_repository: {}
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
--- a/host_vars/e.mx.oopen.de.yml
+++ b/host_vars/e.mx.oopen.de.yml
@ -29,10 +29,126 @@ install_compiler_pkgs: true
 install_postgresql_pkgs: true
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 insert_root_ssh_keypair: true
 root_ssh_keypair:
--- a/host_vars/file-ah.kanzlei-kiel.netz.yml
+++ b/host_vars/file-ah.kanzlei-kiel.netz.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -46,9 +45,9 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 192.168.100.1
+    #  - 192.168.100.1
-    search: kanzlei-kiel.netz
+    #search: kanzlei-kiel.netz
    # optional bridge parameters bridge: {}
    # bridge:
@ -99,6 +98,76 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.100.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - kanzlei-kiel.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/file-blkr.blkr.netz.yml
+++ b/host_vars/file-blkr.blkr.netz.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -45,9 +44,9 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 192.168.162.1
+    #  - 192.168.162.1
-    search: blkr.netz
+    #search: blkr.netz
 # ---
@ -96,6 +95,76 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.162.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - blkr.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/file-ebs.ebs.netz.yml
+++ b/host_vars/file-ebs.ebs.netz.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -46,9 +45,9 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 192.168.182.1
+    #  - 192.168.182.1
-    search: ebs.netz
+    #search: ebs.netz
    # optional bridge parameters bridge: {}
    # bridge:
@ -99,6 +98,76 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.182.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ebs.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/file-fhxb.fhxb.netz.yml
+++ b/host_vars/file-fhxb.fhxb.netz.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -45,9 +44,9 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 192.168.192.1
+    #  - 192.168.192.1
-    search: fhxb.netz
+    #search: fhxb.netz
 # ---
@ -75,6 +74,76 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.192.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - fhxb.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/ga-al-gw.oopen.de.yml
+++ b/host_vars/ga-al-gw.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -29,10 +28,10 @@ network_interfaces:
    address: 172.16.10.1
    netmask: 24
    gateway: 172.16.10.254
-    nameservers:
+    #nameservers:
-      - 192.168.10.1
+    #  - 192.168.10.1
-      - 192.168.10.3
+    #  - 192.168.10.3
-    search: ga.netz
+    #search: ga.netz
  - device: eth2
@ -249,6 +248,77 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 192.168.11.1
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/ga-nh-gw.oopen.de.yml
+++ b/host_vars/ga-nh-gw.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -29,10 +28,10 @@ network_interfaces:
    address: 172.16.80.1
    netmask: 24
    gateway: 172.16.80.254
-    nameservers:
+    #nameservers:
-      - 192.168.81.1
+    #  - 192.168.81.1
-      - 172.16.81.254
+    #  - 172.16.81.254
-    search: ga.netz ga.intra
+    #search: ga.netz ga.intra
  - device: eno2
@ -81,18 +80,27 @@ cron_user_entries:
  - name: "Check if Postfix Mailservice is up and running?"
    minute: "*/15"
    hour: '*'
    job: /root/bin/monitoring/check_postfix.sh
  - name: "Check if SSH service is up and running?"
    minute: "*/15"
    hour: '*'
    job: /root/bin/monitoring/check_ssh.sh
  - name: "Check if OpenVPN service is up and running?"
    minute: "*/30"
    hour: '*'
    job: /root/bin/monitoring/check_vpn.sh
  - name: "Check if nameservice (bind) is running?"
    minute: '*/10'
    hour: '*'
    job: /root/bin/monitoring/check_dns.sh
  - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
    minute: "0-59/2"
    hour: '*'
    job: /root/bin/monitoring/check_forwarding.sh
  - name: "Copy gateway configuration"
@ -125,6 +133,77 @@ cron_user_special_time_entries:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/ga-st-gw-ersatz.ga.netz.yml
+++ b/host_vars/ga-st-gw-ersatz.ga.netz.yml
@ -4,37 +4,6 @@
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
  - device: eth6
    headline: eth2 - LAN
    auto: true
    family: inet
    method: static
    address: 192.168.11.19
    netmask: 24
    gateway: 192.168.11.254
    nameservers:
      - 192.168.11.1
      - 192.168.10.3
    search: ga.netz ga.intra
 # ---
 # vars used by roles/ansible_dependencies
 # ---
@ -60,6 +29,80 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.11.1 
  - 192.168.10.1 
  - 192.168.11.3
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 127.0.0.1
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -189,7 +232,7 @@ bind9_gateway_listen_on:
 #bind9_gateway_allow_transfer: {}
 bind9_gateway_allow_transfer:
-   - none
+   - internaldns
 #bind9_transfer_source:  !!str "192.168.11.1"
 #bind9_notify_source: !!str "192.168.11.1"
--- a/host_vars/ga-st-gw.ga.netz.yml
+++ b/host_vars/ga-st-gw.ga.netz.yml
@ -0,0 +1,536 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
 network_interfaces:
  - device: eth2
    headline: eth2 - Uplink static line (radio) to Altenschlirf
    auto: true
    family: inet
    method: static
    address: 172.16.111.254
    netmask: 24
    up:
      # - For management Antennas
      - /sbin/ip link add link eth2 name eth2.111 type vlan id 111
    post-up:
      # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
      # -
      # - Telefon Altenshlirf
      - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
      # User Network Altenshlirf
      - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
      # Management Network Altenschlirf
      - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
      # WLan Router (Accesspoints) Altenshlirf
      - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
      # # WLan Networks Altenshlirf
      - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
      # DSL via Fritzbox Altenschlirf
      - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
      # - WLAN Gemeinschaft Altenschlirf (Unifi routet Network)
      - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
      # VPN home Network Altenschlirf
      #
      - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
      # private networks 'ckubu'
      #
      # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
      # so we route them back to that gateway..
      - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
      - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
  - device: eth2.111
    headline: eth2.111 - network 10.10.111.0 (management antennas)
    auto: true
    family: inet
    method: static
    address: 10.10.111.254
    netmask: 24
  - device: eth8 
    headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
    auto: false
    family: inet
    method: manual
    up:
      - /sbin/ip link add link eth8 name eth8.211 type vlan id 211
  - device: eth8.211
    headline: eth8.211 - Network Telefons Stockhausen
    auto: true
    family: inet
    method: static
    # Note:
    #    !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
    #       This LANCom Router IS NOT pngable                                 !!
    address: 172.16.211.1
    netmask: 24
    pre-up:
      - /sbin/ifconfig eth8 up
  - device: eth9
    headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
    auto: true
    family: inet
    method: static
    address: 172.16.11.1
    netmask: 24
    gateway: 172.16.11.254
  - device: eth10
    headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
    auto: true
    family: inet
    method: static
    address: 172.16.13.1
    netmask: 24
    gateway: 172.16.13.254
  - device: eth11
    headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
    auto: true
    family: inet
    method: static
    address: 172.16.12.1
    netmask: 24
    gateway: 172.16.12.254
    # ----------
    # Note: Install the 'ifenslave' package, necessary to enable bonding:
    # 
    #    apt-get install ifenslave
    # ----------
  - device: bond0
    headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
    auto: true
    family: inet
    method: static
    address: 10.1.9.254
    netmask: 24
    bond:
      slaves: eth0 eth4
      # Mode 4 (802.3ad)
      #
      #    also possible here:
      #       - Mode 5: balance-tlb
      #       - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
      - /sbin/ip link add link bond0 name bond0.11 type vlan id 11
      # VLAN 78 for network Georgshaus 192.168.78.0/24
      - /sbin/ip link add link bond0 name bond0.78 type vlan id 78
  - device: bond0.11
    headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
    auto: true
    family: inet
    method: static
    address: 10.10.11.254
    netmask: 24
  - device: bond0.78
    headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
    auto: true
    family: inet
    method: static
    address: 192.168.78.254
    netmask: 24
    # ----------
    # Note: Install the 'ifenslave' package, necessary to enable bonding:
    # 
    #    apt-get install ifenslave
    # ----------
  - device: bond1
    headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen
    auto: true
    family: inet
    method: static
    address: 192.168.11.254
    netmask: 24
    nameservers:
      - 192.168.11.1
      - 192.168.10.3
    search: ga.netz ga.intra
    bond:
      slaves: eth1 eth5
      # Mode 4 (802.3ad)
      #
      #    also possible here:
      #       - Mode 5: balance-tlb
      #       - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 121 - for Ubiquiti UniFi Accesspoints)
      - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
      # Route ???
      - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
  - device: bond1.121
    headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints
    auto: true
    family: inet
    method: static
    address: 10.121.15.254
    netmask: 20
  - device: bond1:ns
    headline: bond1:ns - Alias IP on bond1 device for Nameservice
    auto: true
    family: inet
    method: static
    address: 192.168.11.1
    netmask: 32
  - device: bond1:1
    headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
    auto: true
    family: inet
    method: static
    address: 10.10.9.254
    netmask: 24
  - device: bond1:ap
    headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
    auto: true
    family: inet
    method: static
    address: 10.112.1.254
    netmask: 24
    post-up:
      # - Wireless Networks routed through appropriate Accesspoints
      # -
      - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
      - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
      - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
      - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
      - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
      - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
      - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
      - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
      - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
      - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
      - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
      - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
      - /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
      - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
      - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
  - device: bond1:ipmi
    headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
    auto: true
    family: inet
    method: static
    address: 10.11.11.254
    netmask: 24
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 192.168.10.1
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: wadmin
    password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
 sudo_users:
  - chris
  - sysadm
  - wadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 bind9_gateway_acl:
  - local-net:
    name: local-net
    entries:
      - 127.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
      - 10.0.0.0/8
      - fc00::/7
      - fe80::/10
      - ::1/128
  - internaldns:
    name: internaldns
    entries:
      - 192.168.11.1
      - 192.168.10.3
      - 192.168.10.6
      - '# Nameserver Gateway Altenschlirf'
      - 192.168.10.1
      - 192.168.10.254
      - 172.16.0.1
      - '# Nameserver Gateway Novalishaus'
      - 192.168.81.1
      - 10.2.11.2
      - '# Nameserver wolle'
      - 10.113.12.3
      - '# Postfix Mailserver'
      - 192.168.11.2
 bind9_gateway_listen_on_v6:
   - none
 bind9_gateway_listen_on:
  - any
 #bind9_gateway_allow_transfer: {}
 bind9_gateway_allow_transfer:
   - internaldns
 bind9_transfer_source:  !!str "192.168.11.1"
 bind9_notify_source: !!str "192.168.11.1"
 #bind9_gateway_allow_query: {}
 bind9_gateway_allow_query:
  - local-net
 #bind9_gateway_allow_query_cache: {}
 bind9_gateway_allow_query_cache:
  - local-net
 bind9_gateway_recursion:  !!str "yes"
 #bind9_gateway_allow_recursion: {}
 bind9_gateway_allow_recursion:
  - local-net
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/ga-st-gw.oopen.de.yml
+++ b/host_vars/ga-st-gw.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -295,6 +294,78 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 192.168.10.1
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -424,7 +495,7 @@ bind9_gateway_listen_on:
 #bind9_gateway_allow_transfer: {}
 bind9_gateway_allow_transfer:
-   - none
+   - internaldns
 bind9_transfer_source:  !!str "192.168.11.1"
 bind9_notify_source: !!str "192.168.11.1"
--- a/host_vars/ga-st-lxc1.ga.netz.yml
+++ b/host_vars/ga-st-lxc1.ga.netz.yml
@ -95,10 +95,10 @@ network_interfaces:
    # nameservers:
    #  - "194.150.168.168"  # dns.as250.net
    #  - "91.239.100.100"   # anycast.censurfridns.dk
-    nameservers:
+    #nameservers:
-      - 192.168.11.1
+    #  - 192.168.11.1
-      - 192.168.10.3
+    #  - 192.168.10.3
-    search: ga.netz ga.intra
+    #search: ga.netz ga.intra
 # ---
@ -126,6 +126,79 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.168.11.1 
  - 192.168.10.1 
  - 192.168.11.3
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ga.netz
  - ga.intra
 resolved_dnssec: false
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/git.oopen.de.yml
+++ b/host_vars/git.oopen.de.yml
@ -25,6 +25,77 @@
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -37,7 +108,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'
  - name: sysadm
@ -50,6 +120,15 @@ default_user:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
@ -57,7 +136,8 @@ default_user:
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
-     - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
--- a/host_vars/git.warenform.de.yml
+++ b/host_vars/git.warenform.de.yml
@ -25,6 +25,65 @@
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/gw-123.oopen.de.yml
+++ b/host_vars/gw-123.oopen.de.yml
@ -41,6 +41,76 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - 123.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -107,10 +177,7 @@ bind9_gateway_listen_on_v6:
  - none
 bind9_gateway_listen_on:
-  - 127.0.0.1
+  - any
  - 192.168.142.1
  - 192.168.142.254
  - 172.16.142.1
 # ---
 # vars used by roles/common/tasks/git.yml
--- a/host_vars/gw-ah.oopen.de.yml
+++ b/host_vars/gw-ah.oopen.de.yml
@ -36,6 +36,76 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - kanzlei-kiel.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/gw-ak.oopen.de.yml
+++ b/host_vars/gw-ak.oopen.de.yml
@ -0,0 +1,278 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
 network_interfaces:
  - device: eno1
    headline: eno1 - Uplink DSL via Fritz!Box
    auto: true
    family: inet
    method: static
    address: 172.16.0.1
    netmask: 24
    gateway: 172.16.0.254
    #nameservers:
    #  - 127.0.0.1
    #  - 192.168.0.1
    #search: ebs.netz kanzlei-kiel.netz elster.netz
  - device: eno2
    headline: eno2 -  WLAN 
    auto: true
    family: inet
    method: static
    address: 192.168.128.254
    netmask: 24
  - device: eno3
    headline: eno3 - LAN
    auto: true
    family: inet
    method: static
    address: 192.168.0.254
    netmask: 32
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ak.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de
 default_user:
  - name: chris
    password: $6$KHaRubWiBQk1amaA$.adqxBIlrlulGGcdK1EWR0XoGiMiyRwf5LPub/MxVFbTjBrH.m3edIAV2KmO06gVGiTlHUZH3XsvtUOXIptpT0
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$XI.g9q9bTmzqe35q$tDrpoJFBGsHrmy/mtOAQfrstgIhZEaYGt6hxfTCXI0YvAAUiHT4cJOLR6ivN0CPVNtkv8IFe7dk8NXR/1yScm.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$8v0PKesHmS2Z1xIO$n2a19e2GawIvHNi9U.W4nTxjJCTDtO5AlEP082PnCdp.fw5vIMv1AA.i2RMbXH2XuMdphXU6srSV/wFmp0e0q.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 bind9_gateway_listen_on_v6:
  - none
 bind9_gateway_listen_on:
  - any
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/gw-akb.oopen.de.yml
+++ b/host_vars/gw-akb.oopen.de.yml
@ -0,0 +1,197 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - akb.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 bind9_gateway_listen_on_v6:
  - none
 bind9_gateway_listen_on:
  - any
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/gw-b3.oopen.de.yml
+++ b/host_vars/gw-b3.oopen.de.yml
@ -0,0 +1,184 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - b3-bornim.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/gw-blkr.oopen.de.yml
+++ b/host_vars/gw-blkr.oopen.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -30,10 +29,10 @@ network_interfaces:
    address: 172.16.162.1
    netmask: 24
    gateway: 172.16.162.254
-    nameservers:
+    #nameservers:
-      - 127.0.0.1
+    #  - 127.0.0.1
-      - 192.168.162.1
+    #  - 192.168.162.1
-    search: blkr.netz
+    #search: blkr.netz
  - device: eno2
@ -148,6 +147,76 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - blkr.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -226,49 +295,6 @@ sudo_users:
 install_bind_packages: true
 bind9_gateway_acl:
  - local-net:
    name: local-net
    entries:
      - 127.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
      - 10.0.0.0/8
      - fc00::/7
      - fe80::/10
      - ::1/128
  - internaldns:
    name: internaldns
    entries:
      - '// Nameserver Kanzlei EBS'
      - 192.168.182.1
 bind9_gateway_listen_on_v6:
   - none
 bind9_gateway_listen_on:
  - any
 #bind9_gateway_allow_transfer: {}
 bind9_gateway_allow_transfer:
   - internaldns
 bind9_transfer_source:  !!str "192.168.162.1"
 bind9_notify_source: !!str "192.168.162.1"
 #bind9_gateway_allow_query: {}
 bind9_gateway_allow_query:
  - local-net
 #bind9_gateway_allow_query_cache: {}
 bind9_gateway_allow_query_cache:
  - local-net
 bind9_gateway_recursion:  !!str "yes"
 #bind9_gateway_allow_recursion: {}
 bind9_gateway_allow_recursion:
  - local-net
 # ---
 # vars used by roles/common/tasks/git.yml
--- a/host_vars/gw-ckubu.local.netz.yml
+++ b/host_vars/gw-ckubu.local.netz.yml
@ -32,6 +32,78 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - local.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/gw-d11.oopen.de.yml
+++ b/host_vars/gw-d11.oopen.de.yml
@ -0,0 +1,197 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - wf.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 bind9_gateway_listen_on_v6:
  - none
 bind9_gateway_listen_on:
  - any
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/gw-ebs.oopen.de.yml
+++ b/host_vars/gw-ebs.oopen.de.yml
@ -87,6 +87,76 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - ebs.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/gw-elster.oopen.de.yml
+++ b/host_vars/gw-elster.oopen.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -30,10 +29,10 @@ network_interfaces:
    address: 172.16.202.1
    netmask: 24
    gateway: 172.16.202.254
-    nameservers:
+    #nameservers:
-      - 127.0.0.1
+    #  - 127.0.0.1
-      - 192.168.202.1
+    #  - 192.168.202.1
-    search: elster.netz ebs.netz
+    #search: elster.netz ebs.netz
  - device: eno2
@ -143,6 +142,77 @@ sshd_hostkeyalgorithms:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - elster.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/gw-fhxb.oopen.de.yml
+++ b/host_vars/gw-fhxb.oopen.de.yml
@ -0,0 +1,256 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
 network_interfaces:
  - device: eno1
    headline: eno1 - Uplink DSL via Fritz!Box
    auto: true
    family: inet
    method: static
    address: 172.16.192.1
    netmask: 24
    gateway: 172.16.192.254
    #nameservers:
    #  - 127.0.0.1
    #  - 192.168.192.1
    #search: ebs.netz kanzlei-kiel.netz elster.netz
  - device: eno2
    headline: eno2 -  LAN 
    auto: true
    family: inet
    method: static
    address: 192.168.192.254
    netmask: 24
  - device: eno2:ns
    headline: eno2:ns - Alias on eno2 (Nameserver)
    auto: true
    family: inet
    method: static
    address: 192.168.192.1
    netmask: 32
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - fhxb.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de
 default_user:
  - name: chris
    password: $6$KHaRubWiBQk1amaA$.adqxBIlrlulGGcdK1EWR0XoGiMiyRwf5LPub/MxVFbTjBrH.m3edIAV2KmO06gVGiTlHUZH3XsvtUOXIptpT0
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$XI.g9q9bTmzqe35q$tDrpoJFBGsHrmy/mtOAQfrstgIhZEaYGt6hxfTCXI0YvAAUiHT4cJOLR6ivN0CPVNtkv8IFe7dk8NXR/1yScm.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$8v0PKesHmS2Z1xIO$n2a19e2GawIvHNi9U.W4nTxjJCTDtO5AlEP082PnCdp.fw5vIMv1AA.i2RMbXH2XuMdphXU6srSV/wFmp0e0q.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/gw-flr.oopen.de.yml
+++ b/host_vars/gw-flr.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -29,10 +28,10 @@ network_interfaces:
    address: 172.16.102.1
    netmask: 24
    gateway: 172.16.102.254
-    nameservers:
+    #nameservers:
-      - 127.0.0.1
+    #  - 127.0.0.1
-      - 172.16.102.254
+    #  - 172.16.102.254
-    search: flr.netz
+    #search: flr.netz
  - device: eno2
@ -202,7 +201,7 @@ resolved_nameserver:
 #resolved_domains: []
 resolved_domains:
  - ~.
-  - oopen.de
+  - flr.netz
 resolved_dnssec: true
--- a/host_vars/gw-irights.oopen.de.yml
+++ b/host_vars/gw-irights.oopen.de.yml
@ -0,0 +1,308 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
 network_interfaces:
  - device: eno1
    headline: eno1 - Uplink DSL via Fritz!Box
    auto: true
    family: inet
    method: static
    address: 172.16.172.1
    netmask: 24
    gateway: 172.16.172.254
  - device: eno3
    headline: eno3 -  LAN 
    auto: true
    family: inet
    method: static
    address: 192.168.172.254
    netmask: 24
  - device: eno3:ns
    headline: eno3:ns - Alias on eno2 (Nameserver)
    auto: true
    family: inet
    method: static
    address: 192.168.172.1
    netmask: 32
  - device: eno4
    headline: eno4 - Uplink DSL via mobile data (Fritzbox 6850 5G) 
    auto: true
    family: inet
    method: static
    address: 192.168.173.254
    netmask: 24
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 cron_user_entries:
  - name: "Check if Postfix Mailservice is up and running?"
    minute: '*/15'
    hour: '*'
    job: /root/bin/monitoring/check_postfix.sh
  - name: "Check if SSH service is up and running?"
    minute: '*/15'
    hour: '*'
    job: /root/bin/monitoring/check_ssh.sh
  - name: "Check if OpenVPN service is up and running?"
    minute: '*/30'
    hour: '*'
    job: /root/bin/monitoring/check_vpn.sh
  - name: "Check if nameservice (bind) is running?"
    minute: '*/10'
    hour: '*'
    job: /root/bin/monitoring/check_dns.sh
  - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
    minute: '0-59/2'
    hour: '*'
    job: /root/bin/monitoring/check_forwarding.sh
  - name: "Copy gateway configuration"
    minute: '09'
    hour: '3'
    job: /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB
 #cron_user_special_time_entries: []
 cron_user_special_time_entries:
  - name: "Check if Postfix Service is running at boot time"
    special_time: reboot
    job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
    insertafter: PATH
  - name: "Restart Systemd's resolved at boottime."
    special_time: reboot
    job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
    insertafter: PATH
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/gw-opp.oopen.de.yml
+++ b/host_vars/gw-opp.oopen.de.yml
@ -0,0 +1,258 @@
 ---
 # ---
 # vars used by roles/network_interfaces
 # ---
 # If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
 network_manage_devices: True
 # Should the interfaces be reloaded after config change?
 network_interface_reload: False
 network_interface_path: /etc/network/interfaces.d
 network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
 network_interfaces:
  - device: eno1
    headline: eno1 - Uplink DSL via Fritz!Box
    auto: true
    family: inet
    method: static
    address: 172.16.62.1
    netmask: 24
    gateway: 172.16.62.254
    #nameservers:
    #  - 127.0.0.1
    #  - 192.168.62.1
    #search: ebs.netz kanzlei-kiel.netz elster.netz
  - device: eno3
    headline: eno2 -  LAN 
    auto: true
    family: inet
    method: static
    address: 192.168.62.254
    netmask: 24
  - device: eno3:ns
    headline: eno2:ns - Alias on eno2 (Nameserver)
    auto: true
    family: inet
    method: static
    address: 192.168.62.1
    netmask: 32
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - opp.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 insert_ssh_keypair_backup_server: false
 ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub
 insert_keypair_backup_client: true
 ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de
 default_user:
  - name: chris
    password: $6$KHaRubWiBQk1amaA$.adqxBIlrlulGGcdK1EWR0XoGiMiyRwf5LPub/MxVFbTjBrH.m3edIAV2KmO06gVGiTlHUZH3XsvtUOXIptpT0
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$XI.g9q9bTmzqe35q$tDrpoJFBGsHrmy/mtOAQfrstgIhZEaYGt6hxfTCXI0YvAAUiHT4cJOLR6ivN0CPVNtkv8IFe7dk8NXR/1yScm.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$8v0PKesHmS2Z1xIO$n2a19e2GawIvHNi9U.W4nTxjJCTDtO5AlEP082PnCdp.fw5vIMv1AA.i2RMbXH2XuMdphXU6srSV/wFmp0e0q.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/gw-replacment.oopen.de.yml
+++ b/host_vars/gw-replacment.oopen.de.yml
@ -0,0 +1,191 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  -local.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/gw-replacment2.oopen.de.yml
+++ b/host_vars/gw-replacment2.oopen.de.yml
@ -0,0 +1,191 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  -local.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/gw-replacment3.oopen.de.yml
+++ b/host_vars/gw-replacment3.oopen.de.yml
@ -0,0 +1,191 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 copy_additional_plain_files_sysctl:
  - name: enable-ipv6
    src_path: etc/sysctl.d/30-enable-ipv6.conf
    dest_path: /etc/sysctl.d/30-enable-ipv6.conf
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - ecdsa-sha2-nistp256
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 127.0.0.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  -local.netz
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 install_bind_packages: true
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4
--- a/host_vars/meet.oopen.de.yml
+++ b/host_vars/meet.oopen.de.yml
@ -27,6 +27,81 @@
 #apt_manage_sources_list: false
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:9999
  - 213.133.98.98
  - 2a01:4f8:0:1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -59,8 +134,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
  - name: back
    user_id: 1060
--- a/host_vars/mm-irights.oopen.de.yml
+++ b/host_vars/mm-irights.oopen.de.yml
@ -0,0 +1,195 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
  - 213.133.99.99
  - 2a01:4f8:0:a111::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:a0a1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/mm.oopen.de.yml
+++ b/host_vars/mm.oopen.de.yml
@ -0,0 +1,198 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.98.98
  - 2a01:4ff:ff00::add:1
  - 213.133.99.99
  - 2a01:4f8:0:a111::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:a0a1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_back_svn_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/munin.oopen.de.yml
+++ b/host_vars/munin.oopen.de.yml
@ -0,0 +1,198 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
  - 213.133.99.99
  - 2a01:4f8:0:a111::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:a0a1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    group: localadmin
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 sudoers_file_user_back_svn_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin'
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/o24.oopen.de.yml
+++ b/host_vars/o24.oopen.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -64,10 +63,10 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 195.201.179.131
+    #  - 195.201.179.131
-      - 95.217.204.204
+    #  - 95.217.204.204
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -150,6 +149,79 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -182,8 +254,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
  - name: back
    user_id: 1060
--- a/host_vars/o27.oopen.de.yml
+++ b/host_vars/o27.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - bridge-utils
  - ifmetric
  - ifupdown
  - resolvconf
 network_interfaces:
@ -63,12 +62,12 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 185.12.64.1
+    #  - 185.12.64.1
-      - 2a01:4ff:ff00::add:2
+    #  - 2a01:4ff:ff00::add:2
-      - 185.12.64.2
+    #  - 185.12.64.2
-      - 2a01:4ff:ff00::add:1
+    #  - 2a01:4ff:ff00::add:1
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -123,3 +122,193 @@ network_interfaces:
    address: 2a01:4f8:261:1994::2
    netmask: 64
    gateway: fe80::1
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/o28.oopen.de.yml
+++ b/host_vars/o28.oopen.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -102,10 +101,10 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 185.12.64.1
+    #  - 185.12.64.1
-      - a01:4ff:ff00::add:2
+    #  - a01:4ff:ff00::add:2
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -256,6 +255,77 @@ network_interfaces:
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.1
  - a01:4ff:ff00::add:2
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 #apt_manage_sources_list: false
@ -294,8 +364,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
  - name: back
    user_id: 1060
--- a/host_vars/o29.oopen.de.yml
+++ b/host_vars/o29.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -63,10 +62,10 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 185.12.64.2
+    #  - 185.12.64.2
-      - 2a01:4ff:ff00::add:1
+    #  - 2a01:4ff:ff00::add:1
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -148,6 +147,77 @@ network_interfaces:
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -180,8 +250,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
  - name: back
    user_id: 1060
--- a/host_vars/o34.oopen.de.yml
+++ b/host_vars/o34.oopen.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -63,11 +62,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 127.0.0.1
+    #  - 127.0.0.1
-      - 185.12.64.2
+    #  - 185.12.64.2
-      - 2a01:4ff:ff00::add:1
+    #  - 2a01:4ff:ff00::add:1
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
--- a/host_vars/o35.oopen.de.yml
+++ b/host_vars/o35.oopen.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -64,10 +63,10 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 213.133.100.100
+    #  - 213.133.100.100
-      - 213.133.98.98
+    #  - 213.133.98.98
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
--- a/host_vars/rage.so36.net.yml
+++ b/host_vars/rage.so36.net.yml
@ -25,6 +25,77 @@
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 192.68.11.71
  - 192.68.11.78
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - so36.net
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/server18.warenform.de.yml
+++ b/host_vars/server18.warenform.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -63,10 +62,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 83.223.66.51
+    #  - 212.42.230.1
-      - 83.223.90.90
+    #  - 83.223.90.90
-    search:
+    #  - 83.223.66.51
    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -147,6 +147,78 @@ apt_extra_pkgs:
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 212.42.230.1
  - 83.223.90.90
  - 83.223.66.51
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
--- a/host_vars/server23.warenform.de.yml
+++ b/host_vars/server23.warenform.de.yml
@ -63,11 +63,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 83.223.66.51
+    #  - 83.223.66.51
-      - 83.223.90.90
+    #  - 83.223.90.90
-      - 212.42.230.1
+    #  - 212.42.230.1
-    search: warenform.de
+    #search: warenform.de
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -148,6 +148,78 @@ apt_extra_pkgs:
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 83.223.66.51
  - 83.223.90.90
  - 212.42.230.1
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/server24.warenform.de.yml
+++ b/host_vars/server24.warenform.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -63,10 +62,10 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 212.42.230.1
+    #  - 212.42.230.1
-      - 83.223.66.51
+    #  - 83.223.66.51
-    search:
+    #search:
    # optional bridge parameters bridge: {}
    # bridge:
@ -193,6 +192,7 @@ systemd_resolved: true
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 212.42.230.1
  - 83.223.90.90
  - 83.223.66.51
 # search domains
@ -203,7 +203,7 @@ resolved_nameserver:
 #resolved_domains: []
 resolved_domains:
  - ~.
-  - oopen.de
+  - warenform.de
 resolved_dnssec: true
--- a/host_vars/server26.warenform.de.yml
+++ b/host_vars/server26.warenform.de.yml
@ -17,7 +17,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -63,11 +62,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 213.133.100.100
+    #  - 213.133.100.100
-      - 213.133.99.99
+    #  - 213.133.99.99
-      - 213.133.98.98
+    #  - 213.133.98.98
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -155,6 +154,81 @@ apt_extra_pkgs:
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
@ -213,8 +287,6 @@ default_user:
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS'
  - name: back
    user_id: 1060
--- a/host_vars/server27.warenform.de.yml
+++ b/host_vars/server27.warenform.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -64,11 +63,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 213.133.100.100
+    #  - 213.133.100.100
-      - 213.133.99.99
+    #  - 213.133.99.99
-      - 213.133.98.98
+    #  - 213.133.98.98
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -162,6 +161,81 @@ apt_extra_pkgs:
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/server28.warenform.de.yml
+++ b/host_vars/server28.warenform.de.yml
@ -18,7 +18,6 @@ network_interface_required_packages:
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf
 network_interfaces:
@ -64,11 +63,11 @@ network_interfaces:
    #      - 91.239.100.100   # anycast.censurfridns.dk
    #    search: warenform.de
    #
-    nameservers:
+    #nameservers:
-      - 213.133.99.99
+    #  - 213.133.99.99
-      - 213.133.98.98
+    #  - 213.133.98.98
-      - 213.133.100.100
+    #  - 213.133.100.100
-    search:
+    #search:
    # optional additional subnets/ips subnets: []
    # subnets: 
@ -151,6 +150,81 @@ apt_extra_pkgs:
  - subversion-tools
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9898
  - 213.133.99.99
  - 2a01:4f8:0:1::add:1010
  - 213.133.98.98
  - 2a01:4f8:0:1::add:9999
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - warenform.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/stolpersteine.oopen.de.yml
+++ b/host_vars/stolpersteine.oopen.de.yml
@ -20,6 +20,77 @@
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001 
 # 
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9  
 #      IPv6: 2620:fe::fe 
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de 
 #      IPv4: 94.16.114.254  - ns28.de 
 #      IPv4: 51.254.162.59  - ns9.de   
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 # 
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 212.42.230.1
  - 83.223.66.51
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which 
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
--- a/host_vars/web-02.oopen.de.yml
+++ b/host_vars/web-02.oopen.de.yml
@ -0,0 +1,193 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.99.99
  - 2a01:4f8:0:1::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9999
  - 213.133.98.98
  - 2a01:4f8:0:1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/host_vars/web-03.oopen.de.yml
+++ b/host_vars/web-03.oopen.de.yml
@ -0,0 +1,194 @@
 ---
 # ---
 # vars used by roles/ansible_dependencies
 # ---
 # ---
 # vars used by roles/ansible_user
 # ---
 # ---
 # vars used by roles/common/tasks/basic.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sshd.yml
 # ---
 # ---
 # vars used by roles/common/tasks/apt.yml
 # ---
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
 systemd_resolved: true
 # CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
 #   Primäre DNS-Adresse: 38.132.106.139
 #   Sekundäre DNS-Adresse: 194.187.251.67
 #
 # Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
 #   primäre DNS-Adresse
 #      IPv4: 1.1.1.1
 #      IPv6: 2606:4700:4700::1111
 #   sekundäre DNS-Adresse
 #      IPv4: 1.0.0.1
 #      IPv6: 2606:4700:4700::1001
 #
 # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
 #   primäre DNS-Adresse
 #      IPv4: 8.8.8.8
 #      IPv6: 2001:4860:4860::8888
 #   sekundäre DNS-Adresse
 #      IPv4: 8.8.4.4
 #      IPv6: 2001:4860:4860::8844
 #
 # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
 #   primäre DNS-Adresse
 #      IPv4: 9.9.9.9
 #      IPv6: 2620:fe::fe
 #   sekundäre DNS-Adresse
 #      IPv4: 149.112.112.112
 #      IPv6: 2620:fe::9
 #
 # OpenNIC - https://www.opennic.org/
 #      IPv4: 195.10.195.195 - ns31.de
 #      IPv4: 94.16.114.254  - ns28.de
 #      IPv4: 51.254.162.59  - ns9.de
 #      IPv4: 194.36.144.87  - ns29.de
 #      IPv6: 2a00:f826:8:2::195 - ns31.de
 #
 # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
 #    IPv4: 5.1.66.255
 #    IPv6: 2001:678:e68:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    IPv4: 185.150.99.255
 #    IPv6: 2001:678:ed0:f000::
 #    Servername für DNS-over-TLS: dot.ffmuc.net
 #    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
 resolved_nameserver:
  - 213.133.99.99
  - 2a01:4f8:0:1::add:9898
  - 213.133.100.100
  - 2a01:4f8:0:1::add:9999
  - 213.133.98.98
  - 2a01:4f8:0:1::add:1010
 # search domains
 #
 # If there are more than one search domains, then specify them here in the order in which
 # the resolver should also search them
 #
 #resolved_domains: []
 resolved_domains:
  - ~.
  - oopen.de
 resolved_dnssec: true
 # dns.as250.net: 194.150.168.168
 #
 resolved_fallback_nameserver:
   - 194.150.168.168
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---
 default_user:
  - name: chris
    password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
 sudo_users:
  - chris
  - sysadm
  - localadmin
 # ---
 # vars used by roles/common/tasks/users-systemfiles.yml
 # ---
 # ---
 # vars used by roles/common/tasks/webadmin-user.yml
 # ---
 # ---
 # vars used by roles/common/tasks/sudoers.yml
 # ---
 #
 # see: roles/common/tasks/vars
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml
 # ---
 # ---
 # vars used by roles/common/tasks/git.yml
 # ---
 git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server
 # ==============================
 # ---
 # vars used by scripts/reset_root_passwd.yml
 # ---
 root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
--- a/23
+++ b/23
@ -34,7 +34,7 @@ devel-root.wf.netz
 gw-123.oopen.de
 gw-ah.oopen.de
 gw-ak.oopen.de
-gw-akb.akb.netz
+gw-akb.oopen.de
 gw-ebs.oopen.de
 gw-elster.oopen.de
 gw-fhxb.oopen.de
@ -43,7 +43,7 @@ gw-b3.oopen.de
 gw-blkr.oopen.de
 gw-d11.oopen.de
 gw-flr.oopen.de
-gw-irights.irights.netz
+gw-irights.oopen.de
 gw-km.oopen.de
 gw-mbr.oopen.de
 gw-opp.oopen.de
@ -68,6 +68,7 @@ file-ipa.local.netz
 k1371.dyndns.org
 ga-st-gw-ersatz.ga.netz
 ga-st-gw.oopen.de
 ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
@ -149,7 +150,7 @@ cl-01.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
-moodle.oopen.de
+discourse.oopen.de
 o24.oopen.de
 cl-irights.oopen.de
@ -309,7 +310,7 @@ cl-01.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
-moodle.oopen.de
+discourse.oopen.de
 # - o24.oopen.de
 o24.oopen.de
@ -399,7 +400,7 @@ k1371.dyndns.org
 gw-ak.oopen.de
 # AKB
-gw-akb.akb.netz
+gw-akb.oopen.de
 # B3 Bornim
 gw-b3.oopen.de
@ -413,7 +414,7 @@ file-fhxb.fhxb.netz
 gw-flr.oopen.de
 # iRights
-gw-irights.irights.netz
+gw-irights.oopen.de
 # - Kanzlei Berenice
 gw-km.oopen.de
@ -452,6 +453,7 @@ gw-d11.oopen.de
 # - GA - Gemeinschaft Altensclirf
 ga-st-gw-ersatz.ga.netz
 ga-st-gw.oopen.de
 ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
@ -657,7 +659,6 @@ o13-pad.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
 moodle.oopen.de
 # o24.oopen.de
 mm-irights.oopen.de
@ -879,7 +880,6 @@ oolm-web.oopen.de
 # o23.oopen.de
 cl-01.oopen.de
 mm.oopen.de
 moodle.oopen.de
 # o24.oopen.de
 cl-irights.oopen.de
@ -1282,7 +1282,7 @@ cl-01.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
-moodle.oopen.de
+discourse.oopen.de
 # - o24.oopen.de
 cl-irights.oopen.de
@ -1454,7 +1454,7 @@ cl-01.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
-moodle.oopen.de
+discourse.oopen.de
 # - o24.oopen.de
 o24.oopen.de
@ -1545,7 +1545,7 @@ gw-flr.oopen.de
 gw-replacement.local.netz
 gw-replacement2.local.netz
 gw-replacement3.local.netz
-gw-irights.irights.netz
+gw-irights.oopen.de
 gw-km.oopen.de
 gw-mbr.oopen.de
 gw-opp.oopen.de
@ -1556,6 +1556,7 @@ gw-kb.oopen.de
 k1371.dyndns.org
 ga-st-gw-ersatz.ga.netz
 ga-st-gw.oopen.de
 ga-st-gw.ga.netz
 ga-al-gw.oopen.de
 ga-nh-gw.oopen.de
--- a/roles/common/files/etc/logrotate.d/speedtest
+++ b/roles/common/files/etc/logrotate.d/speedtest
@ -0,0 +1,10 @@
 /var/log/speedtest-cli.log {
   daily
   rotate 14
   start 0
   compress
   delaycompress
   missingok
   notifempty
   create 644 root root
 }
--- a/roles/common/tasks/apt-gateway.yml
+++ b/roles/common/tasks/apt-gateway.yml
@ -0,0 +1,31 @@
 ---
 - name: (apt-gateway.yml) Install gateway related packages
  apt:
    name: "{{ apt_gateway_host_pkgs }}"
    state: "{{ apt_install_state }}"
 - name: (apt-gateway.yml) Check if file '/etc/logrotate.d/speedtest' exists
  stat:
    path: /etc/logrotate.d/speedtest
  register: logrotate_speedtest_exists
 - name: (apt-gateway.yml) Ensure file /etc/logrotate.d/speedtest exists
  copy:
    src: "{{ role_path + '/files/etc/logrotate.d/speedtest' }}"
    dest: /etc/logrotate.d/speedtest
    owner: root
    group: root
    mode: 0644
  when:  
    - logrotate_speedtest_exists.stat.exists == False
 - name: (apt-gateway.yml) Set crontab entry for nightly speedtests
  cron:
    name: 'Speedtest'
    minute: 13
    hour: 0-8
    job: '/root/bin/admin-stuff/speedtest.sh'
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -30,6 +30,17 @@
    - ansible_facts['distribution'] == "Debian"
  tags: apt
 # tags supported inside apt-gateway.yml:
 #
 #
 - import_tasks: apt-gateway.yml
  when: inventory_hostname in groups['gateway_server']
  tags:
    - apt
    - apt-gateway-server
 #
 #    yum-update
 #    yum-base-install