diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index a497ffe..4f8b222 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -114,6 +114,9 @@ apt_backports_enable: true
 apt_debian_mirror: http://ftp.de.debian.org/debian/
 apt_debian_contrib_nonfree_enable: true
+# Ubuntu mirror
+apt_ubuntu_mirror: http://archive.ubuntu.com/ubuntu
+
 apt_update_cache_valid_time: 3600
 apt_upgrade: true
@@ -800,6 +803,8 @@ sudoers_file_user_back_postgres_privileges:
   - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump'
   - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall'
+sudoers_file_user_back_svn_privileges: []
+
 sudoers_file_user_back_disk_privileges:
   - 'ALL=(root) NOPASSWD: /usr/bin/which'
   - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
diff --git a/host_vars/git.oopen.de.yml b/host_vars/git.oopen.de.yml
new file mode 100644
index 0000000..6d6db1e
--- /dev/null
+++ b/host_vars/git.oopen.de.yml
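Review bot: `apt_ubuntu_mirror` is introduced as a plain-http URL (`http://archive.ubuntu.com/ubuntu`), mirroring the existing `apt_debian_mirror` line above it. APT's signature check protects package integrity either way, but https additionally keeps the index and package traffic from being observed or tampered with on the path, and archive.ubuntu.com should serve it; `apt_ubuntu_mirror: https://archive.ubuntu.com/ubuntu` would work wherever ca-certificates is present on the target. The second hunk's `sudoers_file_user_back_svn_privileges: []` is the right default shape for the loop the sudoers template adds in this commit.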
@@ -0,0 +1,140 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: backup + login: root + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 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 t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_back_svn_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/svnadmin' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o28.oopen.de.yml b/host_vars/o28.oopen.de.yml new file mode 100644 index 0000000..aceb4e2 --- /dev/null +++ b/host_vars/o28.oopen.de.yml 
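Review bot: `sudoers_file_user_back_svn_privileges` grants the `back` user `ALL=(root) NOPASSWD: /usr/bin/svnadmin` with no argument restriction, which is root-level control over every repository (create, load, hotcopy to any path), far more than a backup job needs; narrow it to the subcommand and repository root actually used, e.g. `'ALL=(root) NOPASSWD: /usr/bin/svnadmin dump <REPO_ROOT>/*'` (placeholder), or run it as the repository owner rather than root. The `password:` values for chris, sysadm, localadmin, back and `root_user` are crypt hashes committed as clear host vars; they belong in Ansible Vault (`ansible-vault encrypt_string`), and the identical hashes recur in host_vars/o28.oopen.de.yml and host_vars/o29.oopen.de.yml, so one password (and salt) is shared across all three new hosts. The `priv_key_src: root/.ssh/id_rsa.backup.oopen.de` and `id_ed25519.oopen-server` entries look like private keys shipped from the repository's files tree — if so, they need the same treatment. The hunk appears to hold the whole new file.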
@@ -0,0 +1,137 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: backup + login: root + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 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 t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o29.oopen.de.yml b/host_vars/o29.oopen.de.yml new file mode 100644 index 0000000..bcffee4 --- /dev/null +++ b/host_vars/o29.oopen.de.yml 
@@ -0,0 +1,139 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +#apt_manage_sources_list: false + + +# --- +# vars used by roles/common/tasks/users.yml +# --- +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_root_ssh_keypair: true + +root_ssh_keypair: + - name: backup + login: root + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 root@luna' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + - 'ssh-rsa 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 jonas@meurer.it' + - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-rsa 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 chris@luna' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/hosts b/hosts index 6bb71d3..100d225 100644 --- a/hosts +++ b/hosts 
@@ -39,8 +39,9 @@ ga-al-gw.ga.netz
 ga-nh-gw.ga.netz
 o19.oopen.de
-munin.oopen.de
 backup.oopen.de
+git.oopen.de
+munin.oopen.de
 nscache.oopen.de
 server16.warenform.de
@@ -141,6 +142,12 @@ o26.oopen.de
 # netcup - Jitsi Meet Martin Beck
 o27.oopen.de
+# Backup Server
+o28.oopen.de
+
+# BigBlueButton Mäx
+o29.oopen.de
+
 [initial_setup]
 gw-123.oopen.de
@@ -273,6 +280,7 @@ meet2.oopen.de
 # o19.oopen.de
 o19.oopen.de
 backup.oopen.de
+git.oopen.de
 munin.oopen.de
 nscache.oopen.de
@@ -315,6 +323,13 @@ o26.oopen.de
 # netcup - Jitsi Meet Martin Beck
 o27.oopen.de
+# - o28.oopen.de
+o28.oopen.de
+
+# BigBlueButton Mäx
+# - o29.oopen.de
+o29.oopen.de
+
 # - Vserver von Sinma
 a.ns.oopen.de
@@ -526,6 +541,9 @@ o26.oopen.de
 # netcup - Jitsi Meet Martin Beck
 o27.oopen.de
+# BigBlueButton Mäx
+o29.oopen.de
+
 [ftp_server]
@@ -921,6 +939,7 @@ o22.oopen.de
 o23.oopen.de
 o24.oopen.de
 o25.oopen.de
+o28.oopen.de
 # ---
 # O.OPEN office network
@@ -995,6 +1014,7 @@ meet2.oopen.de
 # - o19.oopen.de
 backup.oopen.de
+git.oopen.de
 nscache.oopen.de
 munin.oopen.de
 nc-gw.oopen.de
@@ -1031,6 +1051,11 @@ o26.oopen.de
 # netcup - Jitsi Meet Martin Beck
 o27.oopen.de
+o28.oopen.de
+
+# BigBlueButton Mäx
+o29.oopen.de
+
 # - Vserver von Sinma
 a.ns.oopen.de
@@ -1149,6 +1174,7 @@ meet2.oopen.de
 # - o19.oopen.de
 o19.oopen.de
 backup.oopen.de
+git.oopen.de
 nscache.oopen.de
 munin.oopen.de
 nc-gw.oopen.de
@@ -1193,6 +1219,12 @@ o26.oopen.de
 # netcup - Jitsi Meet Martin Beck
 o27.oopen.de
+# - o28.oopen.de
+o18.oopen.de
+
+# BigBlueButton Mäx
+o29.oopen.de
+
 # - Vserver von Sinma
 a.ns.oopen.de
diff --git a/modify-ipt-server.yml b/modify-ipt-server.yml
new file mode 100644
index 0000000..767355c
--- /dev/null
+++ b/modify-ipt-server.yml
@@ -0,0 +1,6 @@
+---
+
+
+- hosts: all
+  roles:
+    - modify-ipt-server
diff --git a/roles/common/templates/etc/apt/sources.list.Ubuntu.j2 b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2
new file mode 100644
index 0000000..896a6c5
--- /dev/null
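Review bot: In the last hosts hunk (`@@ -1193,6 +1219,12 @@`) the comment `# - o28.oopen.de` is followed by `o18.oopen.de`, whereas every other group touched by this commit adds `o28.oopen.de` under that comment (compare the `@@ -315` hunk). This looks like a copy-paste slip that leaves o28 out of that group and pulls an unrelated host into it; the line should probably read `o28.oopen.de`. The group header it belongs to is outside the hunk, so it is worth confirming which group this is before changing it.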
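Review bot: `hosts: all` runs the modify-ipt-server role against every inventory host, but not every task in roles/modify-ipt-server/tasks/main.yml is guarded by the stat registers — the `addjust line 'dovecot_auth_port' (IPv4)`, `jitsi_tcp_ports (IPv4)`, `jitsi_udp_ports (IPv4)`, `jitsi_dovecot_port (IPv4)` and `nc_turn_ports (IPv4)` lineinfile tasks carry no `when:`, so on a host without /etc/ipt-firewall/main_ipv4.conf the play fails instead of skipping. Either limit the play to the hosts that run ipt-firewall (`hosts: <firewall_group>`, placeholder) or give those tasks the `when: main_ipv4_exists.stat.exists` guard their siblings already have.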
+++ b/roles/common/templates/etc/apt/sources.list.Ubuntu.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
+
+{% if apt_backports_enable %}
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
+{% endif %}
+
diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.j2
index f55dba4..f07a622 100644
--- a/roles/common/templates/etc/sudoers.d/50-user.j2
+++ b/roles/common/templates/etc/sudoers.d/50-user.j2
@@ -31,6 +31,10 @@ Runas_Alias {{ item.name }} = {{ item.entry }}
 back {{ item }}
 {% endfor -%}
+{%- for item in sudoers_file_user_back_svn_privileges | default([]) %}
+back {{ item }}
+{% endfor -%}
+
 {%- if ansible_virtualization_role == 'host' %}
diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
index f7bc335..bbe2f1b 100644
--- a/roles/firewall/defaults/main.yml
+++ b/roles/firewall/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
-munin_remote_ipv4: 138.201.33.54
-munin_remote_ipv6: 2a01:4f8:171:3493::54
+munin_remote_ipv4: 95.217.64.122
+munin_remote_ipv6: 2a01:4f9:4a:2b57::122
 is_dns_server: false
diff --git a/roles/modify-ipt-server/defaults/main.yml b/roles/modify-ipt-server/defaults/main.yml
new file mode 100644
index 0000000..54b3b0a
--- /dev/null
+++ b/roles/modify-ipt-server/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+
+munin_remote_ipv4: 95.217.64.122
+munin_remote_ipv6: 2a01:4f9:4a:2b57::122
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
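Review bot: The template takes the suite name from `ansible_lsb.codename`, which is only populated when the `lsb-release` package is installed on the target; on a minimal Ubuntu image `ansible_lsb` is presumably an empty dict and the render stops with an undefined-variable error before any sources.list is written. `ansible_distribution_release` is gathered unconditionally and carries the same codename on Ubuntu, so `{{ ansible_distribution_release }}` in the four `deb` lines is the more robust choice. The security pocket is pinned to `http://security.ubuntu.com/ubuntu` while the other lines use `apt_ubuntu_mirror`; that split is intentional for Ubuntu, but https is worth considering for both, since apt's signature verification does not conceal or protect the transport itself.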
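Review bot: The new loop writes `back {{ item }}` sudoers entries straight from a host-supplied list, and nothing in this diff shows the rendered file being checked; if the `template:` task that deploys 50-user.j2 (outside the hunk) does not already pass `validate: '/usr/sbin/visudo -cf %s'`, one malformed entry in `sudoers_file_user_back_svn_privileges` breaks sudo for the whole host. The `| default([])` is harmless but duplicates the `[]` default this commit adds to group_vars/all/main.yml; keeping a single source for the default avoids the two drifting. The enclosing `{% for %}` whose `{% endfor -%}` opens the hunk starts before it.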
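Review bot: `munin_remote_ipv4` and `munin_remote_ipv6` are now declared with identical values here and in roles/firewall/defaults/main.yml, and roles/modify-ipt-server/tasks/main.yml hard-codes the same address a third time in the munin-node.conf tasks (`line: 'allow ^95\.217\.64\.122$'` and `line: 'allow ^2a01:4f9:4a:2b57::122$'`) instead of reading these variables, so the next address change must be made in at least four places and the munin-node allow list is the one most likely to be missed. Those two lines could be `line: 'allow ^{{ munin_remote_ipv4 | regex_escape }}$'` and `line: 'allow ^{{ munin_remote_ipv6 | regex_escape }}$'`, with a `regexp:` that matches any existing `allow ^` entry rather than the old address prefix `^allow \^138`, which makes the task a one-off migration. One of the two defaults files can then be dropped.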
diff --git a/roles/modify-ipt-server/handlers/main.yml b/roles/modify-ipt-server/handlers/main.yml
new file mode 100644
index 0000000..2fe81c6
--- /dev/null
+++ b/roles/modify-ipt-server/handlers/main.yml
@@ -0,0 +1,20 @@
+- name: Restart IPv4 Firewall
+  service:
+    name: ipt-firewall
+    state: restarted
+  when:
+    - main_ipv4_exists.stat.exists
+
+- name: Restart IPv6 Firewall
+  service:
+    name: ip6t-firewall
+    state: restarted
+  when:
+    - main_ipv6_exists.stat.exists
+
+- name: Restart Munin Node
+  service:
+    name: munin-node
+    state: restarted
+  when:
+    - munin_node_exists.stat.exists
diff --git a/roles/modify-ipt-server/tasks/main.yml b/roles/modify-ipt-server/tasks/main.yml
new file mode 100644
index 0000000..b556b79
--- /dev/null
+++ b/roles/modify-ipt-server/tasks/main.yml
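Review bot: The handlers gate on `main_ipv4_exists.stat.exists` and `main_ipv6_exists.stat.exists`, but in roles/modify-ipt-server/tasks/main.yml those registers are swapped — the stat of `/etc/ipt-firewall/main_ipv6.conf` is stored as `main_ipv4_exists` and the stat of `main_ipv4.conf` as `main_ipv6_exists`. On a host that has only one of the two files, the wrong firewall service is restarted (or the right one is not), so the edited ruleset never becomes active; the same swap inverts every `when:` that uses these names in the tasks file. Fix the two `register:` names in the tasks file (`register: main_ipv6_exists` for the main_ipv6.conf check and vice versa); the handlers themselves are fine. This file also lacks the `---` document start the other new YAML files in the commit carry.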
@@ -0,0 +1,877 @@ +--- + +# --- +# Install/Uodate git firewall repository +# --- + +- name: Install/update firewall repository + git: + repo: '{{ git_firewall_repository.repo }}' + dest: '{{ git_firewall_repository.dest }}' + when: git_firewall_repository is defined and git_firewall_repository|length > 0 + + +# --- +# Some Checks +# --- + +- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv6.conf + register: main_ipv4_exists + +- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/main_ipv4.conf + register: main_ipv6_exists + +- name: Check if file '/etc/munin/munin-node.conf' exists + stat: + path: /etc/munin/munin-node.conf + register: munin_node_exists + + +# --- +# Adjust/Correct some values.. +# --- + +- name: addjust line 'munin_remote_ip' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^munin_remote_ip=' + line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"' + when: + - main_ipv4_exists.stat.exists + notify: + - Restart IPv4 Firewall + +- name: addjust line 'munin_remote_ip' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^munin_remote_ip=' + line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'allow ^138..' file '/etc/munin/munin-node.conf' + lineinfile: + path: /etc/munin/munin-node.conf + regexp: '^allow \^138' + line: 'allow ^95\.217\.64\.122$' + when: + - munin_node_exists.stat.exists + notify: + - Restart Munin Node + +- name: addjust line 'allow ^.2a01.' 
file '/etc/munin/munin-node.conf' + lineinfile: + path: /etc/munin/munin-node.conf + regexp: '^allow \^2a01' + line: 'allow ^2a01:4f9:4a:2b57::122$' + when: + - munin_node_exists.stat.exists + notify: + - Restart Munin Node + + +- name: addjust line 'dovecot_auth_port' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^dovecot_auth_port=' + line: 'dovecot_auth_port="$dovecot_external_auth_port"' + +- name: addjust line 'dovecot_auth_port' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^dovecot_auth_port=' + line: 'dovecot_auth_port="$dovecot_external_auth_port"' + when: + - main_ipv6_exists.stat.exists + +- name: addjust line 'jitsi_tcp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + +- name: addjust line 'jitsi_tcp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_tcp_ports=' + line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"' + when: + - main_ipv6_exists.stat.exists + +- name: addjust line 'jitsi_udp_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_udp_port_range=' + line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' + +- name: addjust line 'jitsi_udp_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_udp_port_range=' + line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"' + when: + - main_ipv6_exists.stat.exists + +- name: addjust line 'jitsi_dovecot_port' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^jitsi_dovecot_port=' + line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"' + +- name: addjust line 'jitsi_dovecot_port' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^jitsi_dovecot_port=' + line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"' + when: + - main_ipv6_exists.stat.exists + +- name: addjust line 
'nc_turn_ports' (IPv4) + lineinfile: + path: /etc/ipt-firewall/main_ipv4.conf + regexp: '^nc_turn_ports=' + line: 'nc_turn_ports="$standard_turn_service_ports"' + +- name: addjust line 'nc_turn_ports' (IPv6) + lineinfile: + path: /etc/ipt-firewall/main_ipv6.conf + regexp: '^nc_turn_ports=' + line: 'nc_turn_ports="$standard_turn_service_ports"' + when: + - main_ipv6_exists.stat.exists + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_turn_udp_ports) + lineinfile: + dest: /etc/ipt-firewall/main_ipv4.conf + state: present + regexp: '^nc_turn_udp_ports' + line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' + insertafter: '^#?\s*nc_turn_ports' + when: + - main_ipv4_exists.stat.exists + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc_turn_udp_ports) + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + state: present + regexp: '^nc_turn_udp_ports' + line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"' + insertafter: '^#?\s*nc_turn_ports' + when: + - main_ipv4_exists.stat.exists + +# --- +# vpn_ports +# --- + +- name: Check if String 'vpn_ports=..' is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf + register: vpn_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "vpn_ports_ipv4_present.rc > 1" + changed_when: "vpn_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv4_exists.stat.exists + - vpn_ports_ipv4_present is changed + +- name: Check if String 'vpn_ports=..' 
is present + shell: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf + register: vpn_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "vpn_ports_ipv6_present.rc > 1" + changed_when: "vpn_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_vpn_server_ips' + block: | + # - VPN Port(s) used by local Services + # - + # - blank separated list + # - + vpn_ports="$standard_vpn_port" + + marker: "# Marker set by modify-ipt-server.yml (vpn_ports)" + when: + - main_ipv6_exists.stat.exists + - vpn_ports_ipv6_present is changed + +# --- +# ssh_ports +# --- + +- name: Check if String 'ssh_ports=..' is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf + register: ssh_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "ssh_ports_ipv4_present.rc > 1" + changed_when: "ssh_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="$standard_ssh_port" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv4_exists.stat.exists + - ssh_ports_ipv4_present is changed + +- name: Check if String 'ssh_ports=..' 
is present + shell: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf + register: ssh_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "ssh_ports_ipv6_present.rc > 1" + changed_when: "ssh_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_ssh_server_ips' + block: | + # - SSH Port(s) used by local Services + # - + # - blank separated list + # - + ssh_ports="$standard_ssh_port" + + marker: "# Marker set by modify-ipt-server.yml (ssh_ports)" + when: + - main_ipv6_exists.stat.exists + - ssh_ports_ipv6_present is changed + +# --- +# http_ports +# --- + +- name: Check if String 'http_ports=..' is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf + register: http_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv4_present.rc > 1" + changed_when: "http_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv4_exists.stat.exists + - http_ports_ipv4_present is changed + +- name: Check if String 'http_ports=..' 
is present + shell: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf + register: http_ports_ipv6_present + when: main_ipv4_exists.stat.exists + failed_when: "http_ports_ipv6_present.rc > 1" + changed_when: "http_ports_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*forward_http_server_ips' + block: | + # - HTTP(S) Ports used by local Services + # - + # - comma separated list + # - + http_ports="$standard_http_ports" + + marker: "# Marker set by modify-ipt-server.yml (http_ports)" + when: + - main_ipv6_exists.stat.exists + - http_ports_ipv6_present is changed + +# --- +# mail_user_ports +# --- + +- name: Check if String 'mail_user_ports=..' is present + shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf + register: mail_user_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "mail_user_ports_ipv4_present.rc > 1" + changed_when: "mail_user_ports_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*forward_mail_server_ips' + block: | + # - Client Ports used by local Mail Services + # - + # - comma separated list + # - + mail_user_ports="$standard_mailuser_ports" + + marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)" + when: + - main_ipv4_exists.stat.exists + - mail_user_ports_ipv4_present is changed + +- name: Check if String 'mail_user_ports=..' 
is present
+ shell: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: mail_user_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mail_user_ports_ipv6_present.rc > 1"
+ changed_when: "mail_user_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mail_server_ips'
+ block: |
+ # - Client Ports used by local Mail Services
+ # -
+ # - comma separated list
+ # -
+ mail_user_ports="$standard_mailuser_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mail_user_ports_ipv6_present is changed
+
+# ---
+# ftp_passive_port_range
+# ---
+
+- name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
+ register: ftp_passive_port_range_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv4_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - ftp_passive_port_range_ipv4_present is changed
+
+- name: Check if String 'ftp_passive_port_range=..' is present
+ shell: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
+ register: ftp_passive_port_range_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "ftp_passive_port_range_ipv6_present.rc > 1"
+ changed_when: "ftp_passive_port_range_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_ftp_server_ips'
+ block: |
+ # - FTP passive port range use by local ftp service(s)
+ # -
+ # - example: ftp_passive_port_range="50000:50400"
+ # -
+ ftp_passive_port_range="50000:50400"
+
+ marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - ftp_passive_port_range_ipv6_present is changed
+
+# ---
+# munin_remote_port
+# ---
+
+- name: Check if String 'munin_remote_port=..' is present
+ shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
+ register: munin_remote_port_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "munin_remote_port_ipv4_present.rc > 1"
+ changed_when: "munin_remote_port_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_munin_server_ips'
+ block: |
+ # - Port used by clients hosted on this (local) Munin Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ munin_remote_port="$standard_munin_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - munin_remote_port_ipv4_present is changed
+
+- name: Check if String 'munin_remote_port=..' is present
+ shell: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
+ register: munin_remote_port_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "munin_remote_port_ipv6_present.rc > 1"
+ changed_when: "munin_remote_port_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_munin_server_ips'
+ block: |
+ # - Ports used by clients hosted on this (local) Munin Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ munin_remote_port="$standard_munin_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - munin_remote_port_ipv6_present is changed
+
+# ---
+# xymon_port
+# ---
+
+- name: Check if String 'xymon_port=..' is present
+ shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
+ register: xymon_port_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "xymon_port_ipv4_present.rc > 1"
+ changed_when: "xymon_port_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*local_xymon_client'
+ block: |
+ # - Port used by local Xymon Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ xymon_port="$standard_xymon_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - xymon_port_ipv4_present is changed
+
+- name: Check if String 'xymon_port=..' is present
+ shell: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
+ register: xymon_port_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "xymon_port_ipv6_present.rc > 1"
+ changed_when: "xymon_port_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*local_xymon_client'
+ block: |
+ # - Port used by local Xymon Services
+ # -
+ # - !! Only one port is possible !!
+ # -
+ xymon_port="$standard_xymon_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - xymon_port_ipv6_present is changed
+
+# ---
+# mumble_ports
+# ---
+
+- name: Check if String 'mumble_ports=..' is present
+ shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
+ register: mumble_ports_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mumble_ports_ipv4_present.rc > 1"
+ changed_when: "mumble_ports_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*forward_mumble_server_ips'
+ block: |
+ # - Ports used by local Mumble Services
+ # -
+ # - comma separated list
+ # -
+ mumble_ports="$standard_mumble_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - mumble_ports_ipv4_present is changed
+
+- name: Check if String 'mumble_ports=..' is present
+ shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
+ register: mumble_ports_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "mumble_ports_ipv6_present.rc > 1"
+ changed_when: "mumble_ports_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*forward_mumble_server_ips'
+ block: |
+ # - Ports used by local Mumble Services
+ # -
+ # - comma separated list
+ # -
+ mumble_ports="$standard_mumble_port"
+
+ marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - mumble_ports_ipv6_present is changed
+
+# ---
+# jitsi video conference service
+# ---
+
+- name: Check if String 'jitsi_server_ips=..' (IPv4) is present
+ shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv4.conf
+ register: jitsi_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_service_ipv4_present.rc > 1"
+ changed_when: "jitsi_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*mumble_ports'
+ block: |
+
+ # - Jitsi Video Conferencing Server
+ # -
+ jitsi_server_ips=""
+ forward_jitsi_server_ips=""
+
+ # - Jitsi (incomming) Ports
+ # -
+ # - comma separated list of ports/port ranges)
+ # -
+ jitsi_tcp_ports="$standard_jitsi_tcp_ports"
+ jitsi_udp_port_range="$standard_jitsi_udp_port_range"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - jitsi_service_ipv4_present is changed
+
+- name: Check if String 'jitsi_server_ips=..' (IPv6) is present
+ shell: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv6.conf
+ register: jitsi_service_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_service_ipv6_present.rc > 1"
+ changed_when: "jitsi_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*mumble_ports'
+ block: |
+
+ # - Jitsi Video Conferencing Server
+ # -
+ jitsi_server_ips=""
+ forward_jitsi_server_ips=""
+
+ # - Jitsi (incomming) Ports
+ # -
+ # - comma separated list of ports/port ranges)
+ # -
+ jitsi_tcp_ports="$standard_jitsi_tcp_ports"
+ jitsi_udp_port_range="$standard_jitsi_udp_port_range"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - jitsi_service_ipv6_present is changed
+
+- name: Check if String 'jitsi_tcp_ports_out=..' (IPv4) is present
+ shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv4.conf
+ register: jitsi_tcp_ports_out_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 1"
+ changed_when: "jitsi_tcp_ports_out_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi outgoing ports)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*jitsi_udp_port_range'
+ block: |
+ # - Jitsi (outgoing) Ports (STUN Services)
+ # -
+ jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
+ jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi outgoing ports)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - jitsi_tcp_ports_out_ipv4_present is changed
+
+- name: Check if String 'jitsi_tcp_ports_out=..' (IPv6) is present
+ shell: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv6.conf
+ register: jitsi_tcp_ports_out_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 1"
+ changed_when: "jitsi_tcp_ports_out_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*jitsi_udp_port_range'
+ block: |
+ # - Jitsi (outgoing) Ports (STUN Services)
+ # -
+ jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
+ jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - jitsi_tcp_ports_out_ipv6_present is changed
+
+- name: Check if String 'jitsi_dovecot_auth=..' (IPv4) is present
+ shell: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv4.conf
+ register: jitsi_dovecot_auth_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_dovecot_auth_ipv4_present.rc > 1"
+ changed_when: "jitsi_dovecot_auth_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi dovecot auth)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*jitsi_udp_ports_out'
+ block: |
+ # - Jitsi Dovecot Authentication
+ # -
+ jitsi_dovecot_auth=false
+ jitsi_dovecot_host=""
+ jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - jitsi_dovecot_auth_ipv4_present is changed
+
+- name: Check if String 'jitsi_dovecot_auth=..' (IPv6) is present
+ shell: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv6.conf
+ register: jitsi_dovecot_auth_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "jitsi_dovecot_auth_ipv6_present.rc > 1"
+ changed_when: "jitsi_dovecot_auth_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi dovecot auth)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*jitsi_udp_ports_out'
+ block: |
+ # - Jitsi Dovecot Authentication
+ # -
+ jitsi_dovecot_auth=false
+ jitsi_dovecot_host=""
+ jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - jitsi_dovecot_auth_ipv6_present is changed
+
+
+# ---
+# TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+
+- name: Check if String 'nc_turn_server_ips=..' (IPv4) is present
+ shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv4.conf
+ register: nc_turn_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "nc_turn_service_ipv4_present.rc > 1"
+ changed_when: "nc_turn_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*jitsi_dovecot_port'
+ block: |
+
+ # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+ # -
+ nc_turn_server_ips=""
+ forward_nc_turn_server_ips=""
+
+ # - Ports used by local TURN Server (Stun Server)
+ # -
+ # - comma separated list
+ # -
+ nc_turn_ports="$standard_turn_service_ports"
+ nc_turn_udp_ports="$standard_turn_service_udp_ports"
+
+ marker: "# Marker set by modify-ipt-server.yml (nc's turn service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - nc_turn_service_ipv4_present is changed
+
+- name: Check if String 'nc_turn_server_ips=..' (IPv6) is present
+ shell: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv6.conf
+ register: nc_turn_service_ipv6_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "nc_turn_service_ipv4_present.rc > 1"
+ changed_when: "nc_turn_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*jitsi_dovecot_port'
+ block: |
+
+ # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+ # -
+ nc_turn_server_ips=""
+ forward_nc_turn_server_ips=""
+
+ # - Ports used by local TURN Server (Stun Server)
+ # -
+ # - comma separated list
+ # -
+ nc_turn_ports="$standard_turn_service_ports"
+ nc_turn_udp_ports="$standard_turn_service_udp_ports"
+ marker: "# Marker set by modify-ipt-server.yml (jitsi service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - nc_turn_service_ipv6_present is changed
+
+
+# ---
+# Remove Marker set by blockinfile
+# ---
+
+- name: Remove marker IPv4
+ replace :
+ path: /etc/ipt-firewall/main_ipv4.conf
+ regexp: "^# Marker set by modify-ipt-server.yml.*$"
+ replace: ""
+ register: marker_ipv4_removed
+ #failed_when: "marker_ipv4_removed.rc > 1"
+ #changed_when: "marker_ipv4_removed.rc < 1"
+ when:
+ - main_ipv4_exists.stat.exists
+
+- name: Remove marker IPv6
+ replace :
+ path: /etc/ipt-firewall/main_ipv6.conf
+ regexp: "^# Marker set by modify-ipt-server.yml.*$"
+ replace: ""
+ register: marker_ipv6_removed
+ #failed_when: "marker_ipv6_removed.rc > 1"
+ #changed_when: "marker_ipv6_removed.rc < 1"
+ when:
+ - main_ipv6_exists.stat.exists
+
+# ---
+# Confiuration Files
+# ---
+
+- name: Check if configuration files are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - default_ports.conf
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - post_decalrations.conf
+ register: diff_script_output
+
+- name: Ensure configuration files are latest
+ command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }}
+ loop:
+ - default_ports.conf
+ - include_functions.conf
+ - load_modules_ipv4.conf
+ - load_modules_ipv6.conf
+ - logging_ipv4.conf
+ - logging_ipv6.conf
+ - post_decalrations.conf
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+# ---
+# Firewall scripts
+# ---
+
+- name: Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ register: diff_script_output
+
+- name: Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
diff --git a/scripts/modify-ipt-server.yml b/scripts/modify-ipt-server.yml.BAK
similarity index 94%
rename from scripts/modify-ipt-server.yml
rename to scripts/modify-ipt-server.yml.BAK
index f226899..6d14f04 100644
--- a/scripts/modify-ipt-server.yml
+++ b/scripts/modify-ipt-server.yml.BAK
@@ -672,3 +672,53 @@
 #changed_when: "marker_ipv6_removed.rc < 1"
 when:
 - main_ipv6_exists.stat.exists
+
+ # ---
+ # Firewall scripts
+ # ---
+
+ - name: Check if firewall scripts are latest
+ shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
+ changed_when: "diff_script_output.rc > 0"
+ # diff_output.rc
+ # 0 -> unchanged
+ # 1 -> changed
+ # 2 -> not present
+ failed_when: "diff_script_output.rc > 2"
+ when: git_firewall_repository is defined and git_firewall_repository > 0
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ register: diff_script_output
+
+ - name: Ensure firewall scripts are latest
+ command: cp {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }}
+ loop:
+ - ipt-firewall-server
+ - ip6t-firewall-server
+ when:
+ - git_firewall_repository is defined and git_firewall_repository > 0
+ - diff_script_output.changed
+ notify:
+ - Restart IPv4 Firewall
+ - Restart IPv6 Firewall
+
+ # ===
+ # Handlers used by this playbook
+ # ===
+
+ handlers:
+ - name: Restart IPv4 Firewall
+ service:
+ name: ipt-firewall
+ state: restarted
+ when:
+ - main_ipv4_exists.stat.exists
+
+ - name: Restart IPv6 Firewall
+ service:
+ name: ip6t-firewall
+ state: restarted
+ when:
+ - main_ipv6_exists.stat.exists
+
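Review bot: The guard `when: git_firewall_repository is defined and git_firewall_repository > 0` on both new firewall-script tasks compares against an integer a variable that the very same tasks dereference as a mapping (`git_firewall_repository.dest`); on a Python 3 Jinja2 engine a dict-versus-int comparison is likely to raise a TypeError rather than quietly evaluate false, so the condition should test the key it actually needs, e.g. `when: git_firewall_repository.dest is defined`. The install step itself runs `command: cp` into `/usr/local/sbin`, which places root-executed firewall scripts without pinning owner or mode (a newly created target keeps whatever the git checkout and the umask produced) and only needs the preceding `shell: diff` task and the `diff_script_output` bookkeeping to learn whether anything changed; `copy` with `remote_src: true` does the comparison, enforces ownership and mode, and still drives `notify`, as sketched below. The new handlers look fine, but their `when` conditions depend on `main_ipv4_exists`/`main_ipv6_exists` having been registered earlier in the play, outside this hunk. Lastly, this logic is being added to a file the same commit renames to `.BAK` and it duplicates the tasks in the new-file hunk above, so it will drift; consider dropping the `.BAK` copy from the repository instead of extending it.

```yaml
    - name: Ensure firewall scripts are latest
      copy:
        src: "{{ git_firewall_repository.dest }}/{{ item }}"
        dest: "/usr/local/sbin/{{ item }}"
        remote_src: true
        owner: root
        group: root
        mode: "0750"
      loop:
        - ipt-firewall-server
        - ip6t-firewall-server
      when: git_firewall_repository.dest is defined
      notify:
        - Restart IPv4 Firewall
        - Restart IPv6 Firewall
    # … unchanged: handlers …
```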