From 8067b311fdedc3725fb3c5274aafeab381337489 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 19 Aug 2023 11:27:51 +0200
Subject: [PATCH] update..
---
 host_vars/cl-test.oopen.de.yml | 143 +++++++++++++
 host_vars/{:q => matomo-01.oopen.de.yml} | 190 +++++++-----------
 .../mailserver/etc/postfix/postfwd.bl-hosts | 1 +
 .../mailserver/etc/postfix/postfwd.bl-nets | 3 +-
 .../mailserver/etc/postfix/postfwd.bl-sender | 1 +
 roles/common/tasks/systemd-resolved.yml | 8 +-
 .../templates/etc/apt/sources.list.Debian.j2 | 2 +-
 7 files changed, 225 insertions(+), 123 deletions(-)
 create mode 100644 host_vars/cl-test.oopen.de.yml
 rename host_vars/{:q => matomo-01.oopen.de.yml} (62%)
diff --git a/host_vars/cl-test.oopen.de.yml b/host_vars/cl-test.oopen.de.yml
new file mode 100644
index 0000000..f75dcb3
--- /dev/null
+++ b/host_vars/cl-test.oopen.de.yml
@@ -0,0 +1,143 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+# Primäre DNS-Adresse: 38.132.106.139
+# Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+# primäre DNS-Adresse
+# IPv4: 1.1.1.1
+# IPv6: 2606:4700:4700::1111
+# sekundäre DNS-Adresse
+# IPv4: 1.0.0.1
+# IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+# primäre DNS-Adresse
+# IPv4: 8.8.8.8
+# IPv6: 2001:4860:4860::8888
+# sekundäre DNS-Adresse
+# IPv4: 8.8.4.4
+# IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+# primäre DNS-Adresse
+# IPv4: 9.9.9.9
+# IPv6: 2620:fe::fe
+# sekundäre DNS-Adresse
+# IPv4: 149.112.112.112
+# IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+# IPv4: 195.10.195.195 - ns31.de
+# IPv4: 94.16.114.254 - ns28.de
+# IPv4: 51.254.162.59 - ns9.de
+# IPv4: 194.36.144.87 - ns29.de
+# IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+# IPv4: 5.1.66.255
+# IPv6: 2001:678:e68:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# IPv4: 185.150.99.255
+# IPv6: 2001:678:ed0:f000::
+# Servername für DNS-over-TLS: dot.ffmuc.net
+# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+ - 195.201.179.131
+ - 95.217.204.204
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+ - oopen.de
+
+resolved_dnssec: true
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+ - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+ - name: back
+ entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
diff --git a/host_vars/:q b/host_vars/matomo-01.oopen.de.yml
similarity index 62%
rename from host_vars/:q
rename to host_vars/matomo-01.oopen.de.yml
index 6051135..23d0b02 100644
--- a/host_vars/:q
+++ b/host_vars/matomo-01.oopen.de.yml
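Review bot: The sudoers entry `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'` for user `back` permits running the PHP interpreter as www-data with any arguments, which is effectively unrestricted code execution as the web-server account rather than the single job the name suggests. If the intent is one backup script, pin the command to it, e.g. `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php /path/to/backup-script.php'` (the script path is a placeholder), so sudo rejects every other invocation. The comment block above `resolved_nameserver` lists many public resolvers but says nothing about the two addresses actually configured; a one-line comment naming who operates 195.201.179.131 and 95.217.204.204 would let the next maintainer judge the trust placed in them. Also `!!str "prohibit-password"` is already a quoted string, so the `!!str` tag is redundant.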
@@ -5,126 +5,6 @@ # --- -# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted -network_manage_devices: True - -# Should the interfaces be reloaded after config change? -network_interface_reload: False - -network_interface_path: /etc/network/interfaces.d -network_interface_required_packages: - - vlan - - bridge-utils - - ifmetric - - ifupdown - - ifenslave - - resolvconf - - -network_interfaces: - - - device: br0 - # use only once per device (for the first device entry) - headline: br0 - bridge over device enp35s0 - - # auto & allow are only used for the first device entry - allow: [] # array of allow-[stanzas] eg. allow-hotplug - auto: true - - family: inet - method: static - hwaddress: a8:a1:59:0f:29:d9 - description: - address: 95.217.204.218 - netmask: 255.255.255.192 - gateway: 95.217.204.193 - metric: - pointopoint: - mtu: - scope: - - # additional user by dhcp method - # - hostname: - leasehours: - leasetime: - vendor: - client: - - # additional used by bootp method - # - bootfile: - server: - hwaddr: - - # optional dns settings nameservers: [] - # - # nameservers: - # - 194.150.168.168 # dns.as250.net - # - 91.239.100.100 # anycast.censurfridns.dk - # search: warenform.de - # - nameservers: - - 213.133.100.100 - - 213.133.98.98 - search: - - # optional additional subnets/ips subnets: [] - # subnets: - # - '192.168.123.0/24' - # - '192.168.124.11/32' - - # optional bridge parameters bridge: {} - # bridge: - # ports: - # stp: - # fd: - # maxwait: - # waitport: - bridge: - ports: enp35s0 # for mor devices support a blank separated list - stp: !!str off - fd: 5 - hello: 2 - maxage: 12 - - # optional bonding parameters bond: {} - # bond: - # master - # primary - # slave - # method: - # miimon: - # lacp-rate: - # ad-select-rate: - # master: - # slaves: - bond: {} - - # optional vlan settings | vlan: {} - # vlan: {} - # raw-device: 'eth0' - vlan: {} - - # inline hook scripts - pre-up: [] # pre-up script lines - up: - - !!str "route 
add -net 95.217.204.192 netmask 255.255.255.192 gw 95.217.204.193 dev br0" # up script lines - post-up: [] # post-up script lines (alias for up) - pre-down: [] # pre-down script lines (alias for down) - down: [] # down script lines - post-down: [] # post-down script lines - - - - - device: br0 - family: inet6 - method: static - address: 2a01:4f9:4a:47e5::2 - netmask: 64 - gateway: fe80::1 - - # --- # vars used by roles/ansible_dependencies # --- 
@@ -150,6 +30,76 @@ network_interfaces: # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 195.201.179.131 + - 95.217.204.204 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- 
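Review bot: The whole systemd-resolved section (`systemd_resolved`, `resolved_nameserver`, `resolved_domains`, `resolved_dnssec`, `resolved_fallback_nameserver` and the resolver comment block) is a verbatim copy of the one added to host_vars/cl-test.oopen.de.yml in this same commit, including identical nameserver addresses. Keeping two copies in host_vars invites drift when a resolver changes; moving the shared values to a group_vars file and leaving only host-specific overrides here would keep both hosts in step. If the values are meant to diverge per host later, a short comment saying so would justify the duplication.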
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
index 414f74f..6d8d3da 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@@ -79,3 +79,4 @@ mailer-service\.de$
 hunshachang\.com$
 likelark\.com$
 mlmlh\.xyz$
+osdh\.net$
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
index 078da38..1317092 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@@ -164,4 +164,5 @@
 # CZ
 176.102.65.0/24
 46.36.39.0/24
-
+# US
+91.193.19.0/24
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
index 035f11b..08c5f60 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@@ -109,3 +109,4 @@ livingoncookies\.com$
 joshua24\.com$
 cityboxing\.com$
 clotheswithoutlimits\.com$
+distrowatch\.com$
diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml
index bc6504f..fc7062b 100644
--- a/roles/common/tasks/systemd-resolved.yml
+++ b/roles/common/tasks/systemd-resolved.yml
@@ -73,4 +73,10 @@
 owner: root
 group: root
 mode: 0644
- notify: "Restart systemd-resolved"
+
+- name: Restart systemd-resolved service
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted
+
+
diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2
index c568805..5cb85e6 100644
--- a/roles/common/templates/etc/apt/sources.list.Debian.j2
+++ b/roles/common/templates/etc/apt/sources.list.Debian.j2
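Review bot: The new `Restart systemd-resolved service` task in roles/common/tasks/systemd-resolved.yml restarts the resolver on every play run, whereas the removed `notify: "Restart systemd-resolved"` only did so when the configuration file actually changed; each unconditional restart briefly interrupts name resolution on the host and makes the play non-idempotent. Register the result of the preceding file task (its name and module lines are outside the hunk) with `register: resolved_conf` and guard the new task with `when: resolved_conf.changed`, or keep using the handler. If the `Restart systemd-resolved` handler still exists in the role's handlers, it is now unreferenced and should either be removed or be what this change notifies.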
@@ -50,7 +50,7 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
 {% else %}
-deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
+deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
 {% endif %}
 {% endif %}
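Review bot: With the corrected `-updates` line, the `{% else %}` branch now mirrors the `non-free-firmware` branch line for line, differing only in the trailing component, and the bug this hunk fixes is exactly the kind of drift two hand-maintained copies produce. Computing the component list once, e.g. `{% set components = 'contrib non-free' ~ (' non-free-firmware' if <firmware condition> else '') %}` (the condition is whatever the outer `{% if %}` tests; it lies outside the hunk), and emitting a single set of `deb`/`deb-src` lines would remove the duplication. The enclosing `{% if %}` blocks start before the hunk, so the change would touch lines not shown here.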