diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 4d3c03f..fa45911 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2094,18 +2094,27 @@ root_ssh_keypair: [] default_user: - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + password: $y$j9T$RY2Nt/UmjMjxuyAhKXxMV0$IPvnS5XkNBluEiOARFmyQLp6GzXA1tY96rW.S9H7U84 shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - name: sysadm - user_id: 1050 group_id: 1050 group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/ + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + group: sysadm + password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/ shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' @@ -2115,7 +2124,7 @@ default_user: user_id: 1060 group_id: 1060 group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + password: $y$j9T$FLeyg8Xy09ppHGVbKOr5l1$XJbJdjX7XlS5QeiTzBvl2dMYcC0AxIylkvayJgFR3CC shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' diff --git a/host_vars/172.16.82.197.yml b/host_vars/172.16.82.197.yml new file mode 100644 index 0000000..5e1d84e --- /dev/null +++ b/host_vars/172.16.82.197.yml 
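Review bot: The new `localadmin` entry carries the byte-identical `$y$j9T$1WH8G2UkuN1jjp4QLuoeC0$…` hash as `sysadm` (same salt, same digest), so the two administrative accounts share one password and a rotation of either must touch both. `localadmin` also declares `group_id: 1051` while naming `group: sysadm`, which the sibling entry defines as 1050; one of the two is probably wrong, depending on how the role treats a `group_id` that differs from the named group's gid. The hunk counts (18 old lines, 27 new, twelve added) also imply that `user_id: 1050` was dropped from `sysadm`, which is hard to confirm in this collapsed rendering and deserves a second look. These hashes live in a plain `group_vars/all/main.yml`; wrapping the `password:` values as `!vault` scalars (`ansible-vault encrypt_string`) keeps them out of the clear-text history.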
@@ -0,0 +1,175 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +copy_additional_plain_files_sysctl: + + - name: enable-ipv6 + src_path: etc/sysctl.d/30-enable-ipv6.conf + dest_path: /etc/sysctl.d/30-enable-ipv6.conf + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +#sshd_hostkeyalgorithms: +# - ssh-ed25519 +# - ssh-ed25519-cert-v01@openssh.com +# - rsa-sha2-256 +# - rsa-sha2-512 +# - ecdsa-sha2-nistp256 +# - rsa-sha2-256-cert-v01@openssh.com +# - rsa-sha2-512-cert-v01@openssh.com + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für 
DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - akb.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4 + diff --git a/host_vars/anita.wf.netz.yml b/host_vars/anita.wf.netz.yml index 878ed89..744a1fc 100644 --- a/host_vars/anita.wf.netz.yml +++ b/host_vars/anita.wf.netz.yml 
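Review bot: `bind9_gateway_listen_on: - any` together with `install_bind_packages: true` puts a recursive resolver on every address of this gateway, and nothing in the file limits who may query it. Unless the caching-nameserver role applies an `allow-recursion`/`allow-query` ACL for the internal networks (not visible here), the listener on the uplink side becomes an open resolver; listing the addresses explicitly, e.g. `bind9_gateway_listen_on: - 127.0.0.1 - <LAN-IP placeholder>`, is the safer default. `resolved_domains: - ~.` relies on a plain scalar beginning with `~`; it parses as the string `~.`, but quoting it as `'~.'` makes that intent obvious to the next reader. The `root_user.password` hash is committed in clear YAML; a `!vault` scalar would keep it out of the plain history.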
@@ -55,14 +55,6 @@ extra_user: ssh_keys: - 'ssh-rsa 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 chris@luna' - - name: christian - user_id: 1005 - group_id: 1005 - password: $6$2paWmEea$G51JZDzjjDNE75aBl/xuM1dyH.FWYHwNCRHeKWkHhxjUmRRC/v.hhNh5jOk5EbVWDeVh7r5dz1tO2HTZUMftb1 - shell: /bin/bash - ssh_keys: - - 'ssh-rsa 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 schroeder@Christians-MacBook-Pro.local' - - name: annette user_id: 1006 group_id: 1006 
@@ -72,6 +64,76 @@ extra_user: - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 
5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.52.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - wf.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users-systemfiles.yml # --- diff --git a/host_vars/backup.oopen.de.yml b/host_vars/backup.oopen.de.yml index feea9c3..0ba8363 100644 --- a/host_vars/backup.oopen.de.yml +++ b/host_vars/backup.oopen.de.yml @@ -284,6 +284,7 @@ default_user: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsPJQGHl1GVZ3yPl3Oi3xlH+EUsN1/EWDY2XAohag/P root@mail-fm' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM4+Zvs5SY3E2cAMdnta1BujzudGg/97nz+nE5sipVD root@matomo-01' 
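Review bot: `resolved_dnssec: false` is an explicit downgrade of systemd-resolved's validation and carries no comment on why this host needs it; a one-liner such as `# DNSSEC disabled because: <reason placeholder>` keeps that decision reviewable. The forty-line DNS-provider commentary above `resolved_nameserver` is copied verbatim into this file and into every host_vars file added in this commit (172.16.82.197, devel-db, devel-php, devel-repos, devel-wiki); a single copy in group_vars or a README with a one-line pointer here would stop the copies drifting apart.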
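Review bot: The keys added here and in the `@@ -301,6 +302,7 @@` hunk (`root@keycloak-nd`, `root@o14`) are installed as unrestricted entries, so the root key of either host grants a full interactive shell as this backup user. Assuming the role writes the strings into `authorized_keys` verbatim, the entries can carry OpenSSH options on the new side, e.g. `restrict,from="<client-IP placeholder>",command="<backup-command placeholder>" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd`, which limits a leaked client key to the backup transfer. If the role instead rewrites or validates these strings (not visible here), the restriction belongs in the role.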
@@ -301,6 +302,7 @@ default_user: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTxl1BwIslVhsiFCZeRlgwoSO2ahaHWwMeiKAIRFJm6 root@o13-pad' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHl2xONyeBX/gnJ4iVeSVoxu/W6ku2VorA5gxAbp95q root@o13-staging-board' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp24VDXOsa0MuzGFaFa3CPDUsnA/ASojHAiN344m+dP root@o14' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board' diff --git a/host_vars/devel-db.wf.netz.yml b/host_vars/devel-db.wf.netz.yml new file mode 100644 index 0000000..097c1a8 --- /dev/null +++ b/host_vars/devel-db.wf.netz.yml 
@@ -0,0 +1,163 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.52.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the 
order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - wf.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/devel-php.wf.netz.yml b/host_vars/devel-php.wf.netz.yml new file mode 100644 index 0000000..097c1a8 --- /dev/null +++ b/host_vars/devel-php.wf.netz.yml 
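Review bot: `root_user.password` in this new file, and in the sibling files `devel-php`, `devel-repos` and `devel-wiki` (all four added with the same blob `097c1a8`), is the identical `$6$J1ssJfdshf/$…` sha512crypt hash, so one root password is shared by four hosts and a compromise of any one of them exposes the others. The rest of the commit moves `group_vars/all/main.yml` to yescrypt (`$y$`) hashes, which these files do not follow; a per-host hash generated the same way and stored as a `!vault` scalar would address both points. Because the four files are byte-identical apart from their names, their shared settings (`resolved_*`, the provider commentary) belong in a `group_vars` file for the wf.netz dev hosts, leaving only the per-host value here.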
@@ -0,0 +1,163 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.52.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the 
order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - wf.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/devel-repos.wf.netz.yml b/host_vars/devel-repos.wf.netz.yml new file mode 100644 index 0000000..097c1a8 --- /dev/null +++ b/host_vars/devel-repos.wf.netz.yml 
@@ -0,0 +1,163 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.52.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the 
order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - wf.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/devel-wiki.wf.netz.yml b/host_vars/devel-wiki.wf.netz.yml new file mode 100644 index 0000000..097c1a8 --- /dev/null +++ b/host_vars/devel-wiki.wf.netz.yml 
@@ -0,0 +1,163 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.52.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the 
order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - wf.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + + + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/file-dissens.dissens.netz.yml b/host_vars/file-dissens.dissens.netz.yml index f412779..4870fb7 100644 --- a/host_vars/file-dissens.dissens.netz.yml +++ b/host_vars/file-dissens.dissens.netz.yml 
@@ -147,6 +147,39 @@ resolved_fallback_nameserver: # vars used by roles/common/tasks/cron.yml # --- +cron_user_entries: + + - name: "Daily Backup " + minute: "03" + hour: "00" + job: /root/crontab/backup-rborg2/rborg2.sh + + - name: "Check if postfix mailservice is running. Restart service if needed." + minute: "*/5" + hour: "*" + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check Postfix E-Mail LOG file for 'fatal' errors." + minute: "*/30" + hour: "*" + job: /root/bin/postfix/check-postfix-fatal-errors.sh + + - name: "Clean up Samba Trash Dirs" + minute: "02" + hour: "23" + job: /root/bin/samba/clean_samba_trash.sh + + - name: "Set (group and access) Permissons for Samba shares" + minute: "14" + hour: "23" + job: /root/bin/samba/set_permissions_samba_shares.sh + + - name: "Check if ntpsec is running. Restart service if needed." + minute: "*/6" + hour: "*" + job: /root/bin/monitoring/check_ntpsec_service.sh + + cron_user_special_time_entries: - name: "Restart DNS Cache service 'systemd-resolved'" @@ -154,12 +187,6 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH - - name: "Restart NTP Service ntpsec" - special_time: reboot - job: "sleep 15 ; /bin/systemctl restart intpsec > /dev/null 2>&1" - insertafter: PATH - - # --- # vars used by roles/common/tasks/users.yml @@ -381,6 +408,11 @@ samba_user: - verwaltung password: '20.s4r4h_kl3mm-24!' + - name: scan + groups: + - team + password: '20-sc4n.25!' + - name: sebastian.scheele groups: - projekte diff --git a/host_vars/file-km.anw-km.netz.yml b/host_vars/file-km.anw-km.netz.yml index d366b95..01bc6b8 100644 --- a/host_vars/file-km.anw-km.netz.yml +++ b/host_vars/file-km.anw-km.netz.yml 
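Review bot: `name: "Daily Backup "` in the first new cron entry ends in a trailing space; Ansible's cron module uses `name` as the marker that identifies the entry on later runs, so the stray space becomes part of that identity and is easy to lose on the next edit, which would leave a duplicate job behind. Trimming it to `name: "Daily Backup"` before the first apply avoids that. The `*/6` minute schedule on the ntpsec check sits oddly next to the `*/5` used by the postfix check; if that is deliberate, a short comment would help.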
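Review bot: The new `scan` entry in the `@@ -381,6 +408,11 @@` hunk adds another clear-text Samba `password:` to this host_vars file, which then sits unencrypted in the repository alongside the existing ones. Shared-device credentials like this belong in an `ansible-vault` encrypted value (`password: !vault |` from `ansible-vault encrypt_string`) or in a separate vaulted vars file, so the plain value never enters git; the value already committed should be treated as exposed and rotated once the vaulted form is in place.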
@@ -385,16 +385,16 @@ samba_user: - public password: 'zHfj9g3NcC' - - name: gerhard - groups: - - advoware - - alle - - aulmann - - howe - - stahmann - - traine - - public - password: 'bHdhzWnTj9' +# - name: gerhard +# groups: +# - advoware +# - alle +# - aulmann +# - howe +# - stahmann +# - traine +# - public +# password: 'bHdhzWnTj9' - name: ho-st1 groups: @@ -403,13 +403,13 @@ samba_user: - stahmann password: '44-Ro-440' - - name: howe-staff-1 - groups: - - advoware - - alle - - aulmann - - howe - password: '' +# - name: howe-staff-1 +# groups: +# - advoware +# - alle +# - aulmann +# - howe +# password: '' - name: irina groups: @@ -433,14 +433,14 @@ samba_user: - public password: 'bV3pjPtjkR' - - name: laura - groups: - - alle - - aulmann - - howe - - stahmann - - traine - password: '99-Hamburg-990' +# - name: laura +# groups: +# - alle +# - aulmann +# - howe +# - stahmann +# - traine +# password: '99-Hamburg-990' - name: lenovo3 groups: @@ -555,11 +555,12 @@ samba_user: base_home: /data/home -# remove_samba_users: -# - name: name1 -# - name: name2 -# -remove_samba_users: [] +remove_samba_users: + - name: howe-staff-1 + - name: gerhard + - name: laura + +#remove_samba_users: [] #remove_samba_users: # - name: evren diff --git a/host_vars/formbricks-nd.oopen.de.yml b/host_vars/formbricks-nd.oopen.de.yml index 283e594..50b3894 100644 --- a/host_vars/formbricks-nd.oopen.de.yml +++ b/host_vars/formbricks-nd.oopen.de.yml 
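Review bot: Commenting out `gerhard`, `howe-staff-1` and `laura` (this hunk and the `@@ -403,13 +403,13 @@` and `@@ -433,14 +433,14 @@` hunks) keeps their clear-text `password:` values in the live file, while the `@@ -555,11 +555,12 @@` hunk already lists the same three names under `remove_samba_users`, so the commented blocks serve no purpose except preserving credentials. Delete the commented entries outright; the values remain in git history in any case, so those passwords should be considered exposed, which matters if any of them was reused elsewhere. The remaining `samba_user` passwords in this file are also clear text and are the natural candidates for `!vault` scalars.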
@@ -137,6 +137,24 @@ cron_user_entries: # vars used by roles/common/tasks/users.yml # --- +extra_user: + + - name: nd-admin + user_id: 1045 + group_id: 1045 + group: nd-admin + password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de' + +sudo_users: + - chris + - sysadm + - nd-admin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml index efecbf4..cef999d 100644 --- a/host_vars/ga-al-gw.oopen.de.yml +++ b/host_vars/ga-al-gw.oopen.de.yml @@ -44,6 +44,7 @@ network_interfaces: post-up: # - VLAN 221 (Ubiquiti UniFi Accesspoints) - /sbin/ip link add link eth2 name eth2.221 type vlan id 221 + - /sbin/ip link add link eth2 name eth2.231 type vlan id 231 - device: eth2:ns headline: eth2:ns - Alias on eth2 (Nameserver) @@ -81,7 +82,7 @@ network_interfaces: - device: eth2.221 # use only once per device (for the first device entry) - headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints) + headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints Guest NET) # auto & allow are only used for the first device entry allow: [] # array of allow-[stanzas] eg. allow-hotplug @@ -99,6 +100,14 @@ network_interfaces: mtu: scope: + - device: eth2.231 + headline: eth2 - VLAN 231 (Ubiquiti UniFi Accesspoints private NET) + auto: true + family: inet + method: static + address: 10.231.15.254 + netmask: 20 + # additional user by dhcp method # hostname: diff --git a/host_vars/ga-campus-gw-temp.oopen.de.yml b/host_vars/ga-campus-gw-temp.oopen.de.yml new file mode 100644 index 0000000..f1921ca --- /dev/null +++ b/host_vars/ga-campus-gw-temp.oopen.de.yml 
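Review bot: `nd-admin` is added to `sudo_users` with three authorized keys, one of which (`org@rdsgn.de`) appears on no other account in this commit and is therefore an external identity receiving sudo on this host; a comment naming the owner and the reason, e.g. `# org@rdsgn.de: <owner placeholder>, needs sudo for <task placeholder>`, keeps that trust decision auditable. Whether the grant is password-protected or NOPASSWD is decided by the sudoers task, not visible here; if it is NOPASSWD, the `$y$` hash on this account is effectively decorative and the keys are the only control. The hash itself is committed in clear YAML and would be better held as a `!vault` scalar.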
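Review bot: `eth2.231` comes up with `auto: true` on `10.231.15.254/20` in the `@@ -99,6 +100,14 @@` hunk, but nothing in this commit says how traffic between the guest VLAN 221 and this new private VLAN 231 is filtered; the gateway's rule set lives outside these vars (the `git_firewall_repository` var elsewhere in this commit points at a separate `ipt-gateway` repository), so the interface may be forwarding before any policy exists for it. A pointer comment above the entry, e.g. `# firewall: rules for 10.231.0.0/20 live in ipt-gateway — TODO confirm before enabling`, or `auto: false` until the rule set is merged, keeps the two changes in step. The `post-up` link creation in the `@@ -44,6 +44,7 @@` hunk and this device entry are consistent with each other (name `eth2.231`, id 231).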
@@ -0,0 +1,409 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490 + auto: true + family: inet + method: static + address: 172.16.72.1 + netmask: 24 + gateway: 172.16.72.254 + #nameservers: + # - 192.168.81.1 + # - 172.16.81.254 + #search: ga.netz ga.intra + + + - device: eno5 + headline: eno5 - LAN + auto: true + family: inet + method: static + address: 192.168.72.254 + netmask: 24 + post-up: + # VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET + - /sbin/ip link add link eno5 name eno5.22 type vlan id 21 + # VLAN 331 - for Ubiquiti UniFi Accesspoints private NET + - /sbin/ip link add link eno5 name eno5.32 type vlan id 31 + + + - device: eno5.22 + headline: eno5 - VLAN 22 (Ubiquiti UniFi Accesspoints Guest NET) + auto: true + family: inet + method: static + address: 10.22.15.254 + netmask: 20 + + - device: eno5.32 + headline: eno5 - VLAN 32 (Ubiquiti UniFi Accesspoints private NET) + auto: true + family: inet + method: static + address: 10.32.15.254 + netmask: 20 + + + - device: eno5:ns + headline: eno5:ns - Alias on eno5 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.72.1 + netmask: 32 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" 
+ minute: "*/15" + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: "*/15" + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: "*/30" + hour: '*' + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check if nameservice (bind) is running?" + minute: '*/10' + hour: '*' + job: /root/bin/monitoring/check_dns.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: "0-59/2" + hour: '*' + job: /root/bin/monitoring/check_forwarding.sh + + - name: "Copy gateway configuration" + minute: "09" + hour: "3" + job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH + + +#cron_user_special_time_entries: [] +cron_user_special_time_entries: + + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." 
+ special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# 
the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - ga.netz + - ga.intra + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: maadmin + password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + + - name: wadmin + password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + - maadmin + - wadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Gateway Stockhausen' + - 192.168.11.1 + - '# Domain Controller Stockhausen' + - 
192.168.10.3 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - '# Domain Controller Altenschlirf' + - 192.168.10.3 + - 192.168.10.6 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + - '# Mail Relay System' + - 192.168.10.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +bind9_transfer_source: !!str "192.168.81.1" +bind9_notify_source: !!str "192.168.81.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/ga-nh-gw.oopen.de.yml b/host_vars/ga-nh-gw.oopen.de.yml index de7258d..3d9497e 100644 --- a/host_vars/ga-nh-gw.oopen.de.yml +++ b/host_vars/ga-nh-gw.oopen.de.yml 
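Review bot: This file is named `host_vars/ga-campus-gw-temp.oopen.de.yml`, but the inventory hunks in `hosts` add the machine as `ga-campus-gw-temp.ga.netz`; host_vars are matched on the inventory name, so none of these variables will be applied until one of the two is renamed. Several values also look copied from ga-nh-gw rather than adapted to this host: `bind9_transfer_source`/`bind9_notify_source` are `192.168.81.1` although this host's addresses are in `192.168.72.0/24` (`eno5:ns` is `192.168.72.1`), the cron job passes `GA-NH` to `copy_gateway-config.sh`, and the VLAN stanzas create `eno5.22`/`eno5.32` with `type vlan id 21`/`31` under comments that say VLAN 321/331. `network_manage_devices: True` and `network_interface_reload: False` should be lowercase `true`/`false` (yamllint `truthy`). The `root_user` and `wadmin` entries still carry `$6$` hashes in clear while the rest of the commit moves to yescrypt; all of these belong in ansible-vault rather than plain host_vars.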
@@ -51,6 +51,28 @@ network_interfaces: method: static address: 192.168.81.254 netmask: 24 + post-up: + # VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET + - /sbin/ip link add link eno5 name eno5.21 type vlan id 21 + # VLAN 331 - for Ubiquiti UniFi Accesspoints private NET + - /sbin/ip link add link eno5 name eno5.31 type vlan id 31 + + + - device: eno5.21 + headline: eno5 - VLAN 321 (Ubiquiti UniFi Accesspoints Guest NET) + auto: true + family: inet + method: static + address: 10.21.15.254 + netmask: 20 + + - device: eno5.31 + headline: eno5 - VLAN 331 (Ubiquiti UniFi Accesspoints private NET) + auto: true + family: inet + method: static + address: 10.31.15.254 + netmask: 20 - device: eno5:ns diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml index 7511c02..0ed6836 100644 --- a/host_vars/ga-st-gw.ga.netz.yml +++ b/host_vars/ga-st-gw.ga.netz.yml @@ -45,11 +45,16 @@ network_interfaces: - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 # DSL via Fritzbox Altenschlirf - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 - # - WLAN Gemeinschaft Altenschlirf (Unifi routet Network) + # - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network) - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 + # - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network) + - /sbin/ip route add 10.231.0.0/20 via 172.16.111.253 # VPN home Network Altenschlirf # - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 + # VPN 'gw-ckubu' Network Altenschlirf + # + - /sbin/ip route add 10.1.10.0/24 via 172.16.111.253 # private networks 'ckubu' # # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), @@ -209,7 +214,7 @@ network_interfaces: - device: bond1.121 - headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints + headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET auto: true family: inet method: static 
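Review bot: The new `post-up` comments and the headlines call the interfaces VLAN 321/331, while the `ip link add` commands use `type vlan id 21` and `31` and name the devices `eno5.21`/`eno5.31`; one side is wrong and the mismatch will mislead whoever debugs the trunk to the UniFi access points. If 21/31 are the real tags, change the comments and headlines to `VLAN 21 (Ubiquiti UniFi Accesspoints Guest NET)` / `VLAN 31 (...)`; otherwise fix the ids and device names. The enclosing `network_interfaces` list continues outside the hunk.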
@@ -218,7 +223,7 @@ network_interfaces: - device: bond1.131 - headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net + headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET auto: true family: inet method: static diff --git a/host_vars/gw-akb.oopen.de.yml b/host_vars/gw-akb.oopen.de.yml index 53cf9cb..5e1d84e 100644 --- a/host_vars/gw-akb.oopen.de.yml +++ b/host_vars/gw-akb.oopen.de.yml @@ -26,14 +26,14 @@ copy_additional_plain_files_sysctl: # vars used by roles/common/tasks/sshd.yml # --- -sshd_hostkeyalgorithms: - - ssh-ed25519 - - ssh-ed25519-cert-v01@openssh.com - - rsa-sha2-256 - - rsa-sha2-512 - - ecdsa-sha2-nistp256 - - rsa-sha2-256-cert-v01@openssh.com - - rsa-sha2-512-cert-v01@openssh.com +#sshd_hostkeyalgorithms: +# - ssh-ed25519 +# - ssh-ed25519-cert-v01@openssh.com +# - rsa-sha2-256 +# - rsa-sha2-512 +# - ecdsa-sha2-nistp256 +# - rsa-sha2-256-cert-v01@openssh.com +# - rsa-sha2-512-cert-v01@openssh.com # --- diff --git a/host_vars/mm-irights-neu.oopen.de.yml b/host_vars/keycloak-nd.oopen.de.yml similarity index 84% rename from host_vars/mm-irights-neu.oopen.de.yml rename to host_vars/keycloak-nd.oopen.de.yml index 96b3708..5ceb929 100644 --- a/host_vars/mm-irights-neu.oopen.de.yml +++ b/host_vars/keycloak-nd.oopen.de.yml @@ -1,5 +1,10 @@ --- +# --- +# vars used by roles/network_interfaces +# --- + + # --- # vars used by roles/ansible_dependencies # --- @@ -75,10 +80,10 @@ systemd_resolved: true # Servername für DNS-over-TLS: dot.ffmuc.net # für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) resolved_nameserver: - - 185.12.64.2 - - 2a01:4ff:ff00::add:1 - 185.12.64.1 - 2a01:4ff:ff00::add:2 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 # search domains # 
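Review bot: Commenting out `sshd_hostkeyalgorithms` in the gw-akb hunk hands the host-key algorithm list back to whatever default `roles/common/tasks/sshd.yml` applies, and nothing records why the explicit list (which contained only ed25519, rsa-sha2-* and ecdsa entries, i.e. no SHA-1 `ssh-rsa`) was dropped. Add a one-line reason above the block, e.g. `# sshd_hostkeyalgorithms disabled: <reason> — role default applies`, and confirm that the role default does not re-enable `ssh-rsa`.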
@@ -126,11 +131,6 @@ cron_user_special_time_entries: cron_user_entries: - - name: "Check if mattermost service ist running - Restart Service if needed." - minute: '*/6' - hour: '*' - job: /root/bin/monitoring/check_local_mattermost_service.sh - - name: "Check if SSH service is running. Restart service if needed." minute: '*/5' hour: '*' @@ -141,8 +141,13 @@ cron_user_entries: hour: '*' job: /root/bin/monitoring/check_postfix.sh + - name: "Check if cert for Keycloak service is up-to-date" + minute: '51' + hour: '05' + job: /root/bin/monitoring/check_cert_for_keycloak.sh + - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)" - minute: '01' + minute: '23' hour: '05' job: /var/lib/dehydrated/cron/dehydrated_cron.sh @@ -152,10 +157,29 @@ cron_user_entries: job: /var/lib/dehydrated/tools/update_ssl_directives.sh + # --- # vars used by roles/common/tasks/users.yml # --- +extra_user: + + - name: nd-admin + user_id: 1045 + group_id: 1045 + group: nd-admin + password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de' + +sudo_users: + - chris + - sysadm + - nd-admin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/host_vars/mm-irights.oopen.de.yml b/host_vars/mm-irights.oopen.de.yml index 39739d4..96b3708 100644 --- a/host_vars/mm-irights.oopen.de.yml +++ b/host_vars/mm-irights.oopen.de.yml 
@@ -75,12 +75,10 @@ systemd_resolved: true # Servername für DNS-over-TLS: dot.ffmuc.net # für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) resolved_nameserver: - - 213.133.98.98 - - 2a01:4f8:0:1::add:9999 - - 213.133.99.99 - - 2a01:4f8:0:a111::add:9898 - - 213.133.100.100 - - 2a01:4f8:0:a0a1::add:1010 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 # search domains # diff --git a/host_vars/o23.oopen.de.yml b/host_vars/o23.oopen.de.yml index ada4628..3f5de17 100644 --- a/host_vars/o23.oopen.de.yml +++ b/host_vars/o23.oopen.de.yml @@ -24,7 +24,7 @@ network_interfaces: - device: br0 # use only once per device (for the first device entry) - headline: br0 - bridge over device enp6s0 + headline: br0 - bridge over device enp27s0 # auto & allow are only used for the first device entry allow: [] # array of allow-[stanzas] eg. allow-hotplug @@ -32,7 +32,7 @@ network_interfaces: family: inet method: static - hwaddress: 88:d7:f6:7d:e6:ef + hwaddress: 30:9c:23:63:40:b5 description: address: 159.69.74.150 netmask: 26 @@ -63,10 +63,10 @@ network_interfaces: # - 91.239.100.100 # anycast.censurfridns.dk # search: warenform.de # - nameservers: - - 195.201.179.131 - - 95.217.204.204 - search: + #nameservers: + # - 195.201.179.131 + # - 95.217.204.204 + #search: # optional additional subnets/ips subnets: [] # subnets: @@ -81,7 +81,7 @@ network_interfaces: # maxwait: # waitport: bridge: - ports: enp6s0 # for mor devices support a blank separated list + ports: enp27s0 # for mor devices support a blank separated list stp: !!str off fd: 5 hello: 2 diff --git a/host_vars/o40.oopen.de.yml b/host_vars/o40.oopen.de.yml index b19c9b3..b242ae4 100644 --- a/host_vars/o40.oopen.de.yml +++ b/host_vars/o40.oopen.de.yml 
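Review bot: In the o23 -63 hunk, `nameservers:` and `search:` for `br0` are commented out, leaving the interface with no resolver configuration, and the hunk does not show what takes over; if this host is meant to rely on systemd-resolved (`resolved_nameserver`), say so next to the commented block, e.g. `# resolver handled by systemd-resolved, see resolved_nameserver`, so nobody re-adds them. The `hwaddress` and `ports: enp27s0` changes in the -24/-32/-81 hunks are consistent with each other, but a short comment naming the replaced NIC would help when the next hardware swap happens.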
@@ -24,7 +24,7 @@ network_interfaces: - device: br0 # use only once per device (for the first device entry) - headline: br0 - bridge over device enp5s0 + headline: br0 - bridge over device enp6s0 # auto & allow are only used for the first device entry allow: [] # array of allow-[stanzas] eg. allow-hotplug @@ -32,7 +32,7 @@ network_interfaces: family: inet method: static - hwaddress: 9c:6b:00:0b:fe:2f + hwaddress: 9c:6b:00:08:9a:30 description: address: 176.9.125.12 netmask: 27 @@ -76,7 +76,7 @@ network_interfaces: # maxwait: # waitport: bridge: - ports: enp5s0 # for mor devices support a blank separated list + ports: enp6s0 # for mor devices support a blank separated list stp: !!str off fd: 5 hello: 2 diff --git a/host_vars/prometheus-nd.oopen.de.yml b/host_vars/prometheus-nd.oopen.de.yml index f08e3be..ea4d6cc 100644 --- a/host_vars/prometheus-nd.oopen.de.yml +++ b/host_vars/prometheus-nd.oopen.de.yml @@ -147,6 +147,24 @@ cron_user_entries: # vars used by roles/common/tasks/users.yml # --- +extra_user: + + - name: nd-admin + user_id: 1045 + group_id: 1045 + group: nd-admin + password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de' + +sudo_users: + - chris + - sysadm + - nd-admin + # --- # vars used by roles/common/tasks/users-systemfiles.yml diff --git a/hosts b/hosts index 8d64c6d..858788a 100644 --- a/hosts +++ b/hosts @@ -16,6 +16,7 @@ rage.so36.net ansible_user=ckubu [no_ipt_firewall] lxc-host-kb.anw-kb.netz +o13-git.oopen.de o13-staging-board.oopen.de o25.oopen.de o33.oopen.de @@ -25,6 +26,7 @@ discourse.oopen.de test-nd.oopen.de formbricks-nd.oopen.de +ga-st-mm.ga.netz [dns_sinma] 
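Review bot: `o13-git.oopen.de` is added to `[no_ipt_firewall]`, which by the group's name exempts the host from the iptables firewall role, and nothing in the hunk says what filters traffic to it instead. If it is a container behind an already-firewalled host, a comment such as `# guest on o13, filtered on the host` next to the entry would make the exemption deliberate rather than an oversight.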
@@ -39,6 +41,7 @@ gw-123.oopen.de gw-ah.oopen.de gw-ak.oopen.de gw-akb.oopen.de +172.16.82.2 gw-dissens.oopen.de gw-dissens.oopen.de gw-ebs.oopen.de @@ -77,6 +80,7 @@ ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de +ga-campus-gw-temp.ga.netz ga-st-lxc1.ga.netz ga-st-mail.ga.netz ga-st-mm.ga.netz @@ -171,7 +175,6 @@ o24.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # IL - PAD @@ -261,6 +264,7 @@ mm-rav.oopen.de # ND - prometheus, web o43.oopen.de formbricks-nd.oopen.de +keycloak-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de test-nd.oopen.de @@ -378,7 +382,6 @@ o24.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de ga-st-mm.ga.netz -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # IL - PAD @@ -469,6 +472,7 @@ mm-rav.oopen.de # ND - prometheus, web o43.oopen.de formbricks-nd.oopen.de +keycloak-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de test-nd.oopen.de @@ -497,6 +501,7 @@ gw-ak.oopen.de # AKB gw-akb.oopen.de +172.16.82.2 # Dissens gw-dissens.oopen.de @@ -559,6 +564,7 @@ ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de +ga-campus-gw-temp.ga.netz ga-st-lxc1.ga.netz ga-st-mail.ga.netz @@ -779,7 +785,6 @@ verdi-es.warenform.de devel-php.wf.netz devel-todo.wf.netz -devel-repos.wf.netz devel-wiki.wf.netz devel-ruby.wf.netz @@ -847,7 +852,6 @@ mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de ga-st-mm.ga.netz -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # Hetzner Cloud CX31 - AK @@ -885,6 +889,7 @@ cp-flr.oopen.de mm-rav.oopen.de # o43 - ND prometheus, web +keycloak-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de @@ -899,6 +904,11 @@ ga-st-mm.ga.netz # server22 nd.warenform.de +# --- +# - Warenform Office +# --- +devel-repos.wf.netz + [mail_server] 
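Review bot: `172.16.82.2` is added as a bare-IP inventory host in the -39, -497 and -1898 hunks, which makes host_vars lookup depend on a file literally named `host_vars/172.16.82.2.yml`; no such file appears in the visible diff, so either add it or give the host a DNS name like its siblings in the same groups. A bare IP also means any later renumbering silently detaches the host from its variables.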
@@ -980,7 +990,6 @@ mm-migration.oopen.de # o24.oopen.de mm-irights.oopen.de ga-st-mm.ga.netz -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # o27.oopen.de @@ -1026,6 +1035,7 @@ verdi-django.warenform.de mm-rav.oopen.de # o43 - ND app +keycloak-nd.oopen.de prometheus-nd.oopen.de @@ -1077,7 +1087,6 @@ cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de ga-st-mm.ga.netz -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # Hetzner Cloud CX31 - AK @@ -1558,7 +1567,6 @@ cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de ga-st-mm.ga.netz -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # - o27.oopen.de @@ -1620,6 +1628,7 @@ cp-flr.oopen.de mm-rav.oopen.de # o43 - ND +keycloak-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de test-nd.oopen.de @@ -1763,7 +1772,6 @@ o24.oopen.de cl-irights.oopen.de cl-irights-neu.oopen.de mm-irights.oopen.de -mm-irights-neu.oopen.de mm-irights-migration.oopen.de # IL - PAD @@ -1854,6 +1862,7 @@ mm-rav.oopen.de # ND - prometheus, web o43.oopen.de formbricks-nd.oopen.de +keycloak-nd.oopen.de prometheus-nd.oopen.de web-nd.oopen.de test-nd.oopen.de @@ -1898,6 +1907,7 @@ gw-elster.oopen.de gw-blkr.oopen.de gw-ak.oopen.de gw-akb.oopen.de +172.16.82.2 gw-dissens.oopen.de gw-ckubu.local.netz gw-flr.oopen.de @@ -1918,6 +1928,7 @@ ga-st-gw-ersatz.ga.netz ga-st-gw.ga.netz ga-al-gw.oopen.de ga-nh-gw.oopen.de +ga-campus-gw-temp.ga.netz # Gateway/Firewall Server office network @@ -1997,6 +2008,7 @@ ga-al-kvm2.ga.netz ga-al-kvm3.ga.netz ga-al-relay.ga.netz ga-nh-gw.oopen.de.yml +ga-campus-gw-temp.ga.netz ga-st-lxc1.ga.netz ga-st-mail.ga.netz ga-st-services.ga.netz diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.cf b/roles/common/files/mailserver/etc/postfix/postfwd.cf index 7cb6ea7..80cec69 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.cf +++ b/roles/common/files/mailserver/etc/postfix/postfwd.cf 
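Review bot: In the -1997 hunk, `ga-campus-gw-temp.ga.netz` is inserted directly after the context line `ga-nh-gw.oopen.de.yml`, whose `.yml` suffix looks like a pre-existing inventory typo (every other entry in the group is a bare hostname); presumably plays targeting that group have been skipping ga-nh-gw, so it is worth fixing in the same pass. The new name must also match the host_vars file this commit creates, which is currently `ga-campus-gw-temp.oopen.de.yml`.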
@@ -169,8 +169,8 @@ id=RATE_CLIENT_ADDR id=BLOCK_MSG_RCPT &&INCOMING &&SASL_AUTH - recipient_count=50 - action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT + recipient_count=90 + action=REJECT Too many recipients, please reduce to less than 90 or consider using a mailing list. Error: BLOCK_MSG_RCPT # Block users sending more than 50 messages/hour id=RATE_MSG diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml index 2be0c17..e484234 100644 --- a/roles/modify-ipt-server/tasks/ipt-server.yml +++ b/roles/modify-ipt-server/tasks/ipt-server.yml 
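Review bot: Raising `recipient_count` from 50 to 90 for SASL-authenticated senders widens what a single compromised mailbox can fan out per message, while the hourly cap in `RATE_MSG` (referenced by the context comment) is left as is; if the raise serves one sender, a per-account rule matching `sasl_username` placed ahead of `BLOCK_MSG_RCPT` would keep the global limit at 50. At minimum, record the reason above the rule, e.g. `# recipient_count raised 50 -> 90 on <ticket placeholder>`.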
@@ -99,67 +99,153 @@ # === # --- -# Add additional SMTP ports (OUT and IN) +# Add support for MNDP and mDNS Traffic # --- -- name: Check if String 'smtpd_additional_listen_ports=..' is present - shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv4.conf - register: smtpd_additional_listen_ports_ipv4_present +- name: Check if String 'drop_mndp=..' is present + shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv4.conf + register: drop_mndp_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 1" - changed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 0" + failed_when: "drop_mndp_ipv4_present.rc > 1" + changed_when: "drop_mndp_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_listen_ports) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_mndp) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*forward_smtpd_ips' + insertafter: '^#?\s*drop_icmp' block: | - # Additional Ports on which SMTP Service should lsiten - # - # blank separated list of ports - # - smtpd_additional_listen_ports="" - # Additional Ports for outgoing smtp traffic + # ------------- + # --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic + # --- Drop Tinc VPN Traffic + # ------------- + + # Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic # - # blank separated list of ports + # Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein + # Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private + # Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder + # andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen + # Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen. 
# - smtpd_additional_outgoung_ports="" - marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" + # Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol + # (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um + # benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es + # hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne + # dass eine manuelle IP-Konfiguration erforderlich ist. + # + # MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt, + # Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und + # Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders + # nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk. + # + # Zusammengefasst: + # Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch + # für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt. + # + drop_mndp=true + + + # ------------- + # --- Drop Multicast DNS Traffic + # ------------- + + # Multicast Domain Name System (mDNS) protocol + # + # UDP Port 5353/ + # + # Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet. + # mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk + # selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren + # und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei + # Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung + # von mDNS) kommunizieren. + # + # UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that + # allows devices to identify themselves on the local network and register and + # resolve names without central DNS servers. This is often used in local + # networks, e.g. for devices that communicate using Apple's Bonjour or Avahi + # (an open-source implementation of mDNS). 
+ # + drop_mdns=true + marker: "# Marker set by modify-ipt-server.yml (drop_mndp)" when: - main_ipv4_exists.stat.exists - - smtpd_additional_listen_ports_ipv4_present is changed + - drop_mndp_ipv4_present is changed notify: - Restart IPv4 Firewall -- name: Check if String 'smtpd_additional_listen_ports=..' is present - shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv6.conf - register: smtpd_additional_listen_ports_ipv6_present +- name: Check if String 'drop_mndp=..' is present + shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv6.conf + register: drop_mndp_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 1" - changed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 0" + failed_when: "drop_mndp_ipv6_present.rc > 1" + changed_when: "drop_mndp_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (smtpd_additional_listen_ports) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop_mndp) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*forward_smtpd_ips' + insertafter: '^#?\s*drop_icmp' block: | - # Additional Ports on which SMTP Service should lsiten - # - # blank separated list of ports - # - smtpd_additional_listen_ports="" - # Additional Ports for outgoing smtp traffic + # ------------- + # --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic + # --- Drop Tinc VPN Traffic + # ------------- + + # Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic # - # blank separated list of ports + # Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein + # Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private + # Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder + # andere unsichere Netzwerke miteinander verbunden werden. 
Es nutzt diesen + # Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen. # - smtpd_additional_outgoung_ports="" - marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" + # Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol + # (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um + # benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es + # hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne + # dass eine manuelle IP-Konfiguration erforderlich ist. + # + # MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt, + # Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und + # Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders + # nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk. + # + # Zusammengefasst: + # Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch + # für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt. + # + drop_mndp=true + + + # ------------- + # --- Drop Multicast DNS Traffic + # ------------- + + # Multicast Domain Name System (mDNS) protocol + # + # UDP Port 5353/ + # + # Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet. + # mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk + # selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren + # und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei + # Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung + # von mDNS) kommunizieren. + # + # UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that + # allows devices to identify themselves on the local network and register and + # resolve names without central DNS servers. This is often used in local + # networks, e.g. 
for devices that communicate using Apple's Bonjour or Avahi + # (an open-source implementation of mDNS). + # + drop_mdns=true + marker: "# Marker set by modify-ipt-server.yml (drop_mndp)" when: - main_ipv6_exists.stat.exists - - smtpd_additional_listen_ports_ipv6_present is changed + - drop_mndp_ipv6_present is changed notify: - Restart IPv6 Firewall
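Review bot: The presence check greps only for `^drop_mndp=`, but the guarded block also introduces `drop_mdns=`, so a host that already has `drop_mndp=` (set manually or by a newer firewall package) but no `drop_mdns=` never receives the mDNS setting; split it into a second check/`blockinfile` pair keyed on `^drop_mdns=`, for both the IPv4 and the IPv6 task. The `marker:` value has no `{mark}` placeholder, so Ansible writes identical BEGIN and END marker lines, which the module documentation warns can cause the block to be re-inserted on later runs; `marker: "# {mark} Marker set by modify-ipt-server.yml (drop_mndp)"` avoids that. In the inserted text, "MikroTik RouterOS Neighbor Discovery Protocol (NDP)" should read `(MNDP)`, since NDP is the IPv6 Neighbor Discovery protocol. The IPv4 and IPv6 blocks are byte-identical; holding the text in one variable (e.g. `ipt_drop_mndp_block`) and referencing it from both `blockinfile` tasks would stop them drifting.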