From 86a1d988c7dfee4e9685a56c422e7a753f957d58 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 6 Jun 2025 10:31:05 +0200
Subject: [PATCH] update..

---
 host_vars/file-dissens.dissens.netz.yml | 72 +++++++++
 host_vars/ga-al-gw.oopen.de.yml | 10 +-
 ...n.de.yml => ga-campus-gw-temp.ga.netz.yml} | 141 +++++++-----------
 host_vars/ga-st-gw.ga.netz.yml | 2 +
 host_vars/gw-dissens.oopen.de.yml | 47 ++++++
 host_vars/o12.oopen.de.yml | 5 +
 host_vars/server28.warenform.de.yml | 5 -
 hosts | 1 -
 .../templates/etc/bind/named.conf.options.j2 | 13 ++
 9 files changed, 205 insertions(+), 91 deletions(-)
 rename host_vars/{ga-campus-gw-temp.oopen.de.yml => ga-campus-gw-temp.ga.netz.yml} (79%)

diff --git a/host_vars/file-dissens.dissens.netz.yml b/host_vars/file-dissens.dissens.netz.yml
index 4870fb7..65d933e 100644
--- a/host_vars/file-dissens.dissens.netz.yml
+++ b/host_vars/file-dissens.dissens.netz.yml
@@ -143,6 +143,68 @@ resolved_fallback_nameserver:
 - 194.150.168.168
+# ---
+# vars used by roles/common/tasks/users
+# ---
+
+default_user:
+
+ - name: chris
+ password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: localadmin
+ user_id: 1051
+ group_id: 1051
+ group: localadmin
+ home: /home/localadmin
+ password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
+
+#extra_user:
+#
+# - name: borg
+# user_id: 1065
+# group_id: 1065
+# group: borg
+# home: /home/borg
+# password: 
$y$j9T$SZty9T8ZWbnyHR2S85xaG.$GhxHOKG9fKErT9s5TAehXXyZJSkNaIcXY18Rg1iMyhC
+# shell: /bin/bash
+# ssh_keys:
+# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXrNhcgNtZykTgzcwX/L1cL8qpSyQQy75M01UpjdSmA root@file-dissens'
+# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
+
+
 # ---
 # vars used by roles/common/tasks/cron.yml
 # ---
@@ -400,6 +462,11 @@ samba_user:
 - projekte
 password: '20.ros1tsa-mahd1+24+'
+ - name: selma.albrecht
+ groups:
+ - projekte
+ password: '20-sel-ma.al-brecht/25!'
+
 - name: sarah.klemm
 groups:
 - gf
@@ -408,6 +475,11 @@ samba_user:
 - verwaltung
 password: '20.s4r4h_kl3mm-24!'
+ - name: selma.albrecht
+ groups:
+ - projekte
+ password: '20-sel-ma.al-brecht/25!'
+
 - name: scan
 groups:
 - team
diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml
index cef999d..a961ff7 100644
--- a/host_vars/ga-al-gw.oopen.de.yml
+++ b/host_vars/ga-al-gw.oopen.de.yml
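Review bot: The `password:` values for chris, sysadm, localadmin and back are yescrypt hashes committed in clear to a host_vars file, which makes them offline-crackable for anyone with read access to the repository; the Ansible way is to keep each as an inline `!vault` string (`password: !vault |` followed by the ansible-vault ciphertext) and to rotate the passwords after the move. The same four hashes are added byte-for-byte to gw-dissens.oopen.de.yml in this commit, so these are the same passwords on both hosts — fine if intended, but a crack of one hash then opens both. The commented-out `extra_user` block for borg still carries a hash that looks live; if borg is not being created here, delete the block instead of leaving the hash in versioned config. The `ssh_keys` entries are public keys and are fine in plain text.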
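Review bot: The new samba_user entry adds another cleartext credential, `password: '20-sel-ma.al-brecht/25!'`, to a versioned host_vars file, following the pattern of the surrounding entries; every such password is readable by anyone with repository access and stays in git history after rotation. Moving the samba passwords into an ansible-vault-encrypted variable (or an inline `!vault` value per entry) closes that without changing the role. `selma.albrecht` is also inserted a second time by the next hunk, so only one of the two blocks should survive.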
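Review bot: `selma.albrecht` is now listed twice in `samba_user` — the identical block (group `projekte`, same password) was already inserted after the `projekte` entry at +462, and this hunk adds it again after sarah.klemm. Depending on how the samba role walks the list this either sets the account twice or trips a uniqueness check on the user name; drop one of the two blocks, keeping the one in alphabetical position next to sarah.klemm.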
@@ -192,12 +192,20 @@ network_interfaces:
 - /sbin/ip route add 10.10.9.0/24 via 172.16.111.254
 # IPMI Stockhausen
 - /sbin/ip route add 10.11.11.0/24 via 172.16.111.254
+ # WLAN Gast Novalishaus
+ - /sbin/ip route add 10.21.0.0/20 via 172.16.111.254
+ # WLAN privat Novalishaus
+ - /sbin/ip route add 10.31.0.0/20 via 172.16.111.254
+ # Management Netork Campus
+ - /sbin/ip route add 10.72.1.0/24 via 172.16.111.254
 # WLan Router Stockhausen
 - /sbin/ip route add 10.112.1.0/24 via 172.16.111.254
 # WLan Netz
 - /sbin/ip route add 10.113.0.0/16 via 172.16.111.254
- # Unifi WLan Netz Stockhausen
+ # Unifi WLan Netz Stockhausen Gast
 - /sbin/ip route add 10.121.0.0/20 via 172.16.111.254
+ # Unifi WLan Netz Stockhausen privat
+ - /sbin/ip route add 10.131.0.0/20 via 172.16.111.254
 # Richtfunkantennen Stockhausen (2) / Schlechtenwegen / Kirschbaumhaus
 - /sbin/ip route add 10.10.111.0/24 via 172.16.111.254
 # VPN Netz Stockhausen - Novalishaus (Schlechtenwegen)
diff --git a/host_vars/ga-campus-gw-temp.oopen.de.yml b/host_vars/ga-campus-gw-temp.ga.netz.yml
similarity index 79%
rename from host_vars/ga-campus-gw-temp.oopen.de.yml
rename to host_vars/ga-campus-gw-temp.ga.netz.yml
index f1921ca..4b18188 100644
--- a/host_vars/ga-campus-gw-temp.oopen.de.yml
+++ b/host_vars/ga-campus-gw-temp.ga.netz.yml
@@ -21,7 +21,7 @@ network_interface_required_packages:
 network_interfaces:
 - device: eno1
- headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
+ headline: eno1 - Uplink DSL via (static) line to Fritz!Box 7490
 auto: true
 family: inet
 method: static
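Review bot: The two new routes for the Novalishaus guest WLAN (`10.21.0.0/20`) and private WLAN (`10.31.0.0/20`) make those client networks reachable from this gateway and, since it forwards, from the networks behind it; a guest WLAN is normally kept isolated, so confirm that the filter rules on this host (or on the 172.16.111.254 hop) allow only return traffic and do not let 10.21.0.0/20 reach the LANs served here. The comment above the management route has a typo: `# Management Network Campus`. Note also that these `post-up` `ip route add` lines fail the ifup if a route already exists — pre-existing pattern, but the list is getting long enough that `ip route replace` would be more robust.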
@@ -34,45 +34,69 @@ network_interfaces:
 #search: ga.netz ga.intra
- - device: eno5
- headline: eno5 - LAN
- auto: true
+ - device: eno3
 family: inet
- method: static
- address: 192.168.72.254
- netmask: 24
+ method: manual
 post-up:
- # VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- - /sbin/ip link add link eno5 name eno5.22 type vlan id 21
- # VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- - /sbin/ip link add link eno5 name eno5.32 type vlan id 31
+ # VLAN 10 LAN 1 Campus
+ - /sbin/ip link add link eno3 name eno3.10 type vlan id 10
-
- - device: eno5.22
- headline: eno5 - VLAN 22 (Ubiquiti UniFi Accesspoints Guest NET)
- auto: true
- family: inet
- method: static
- address: 10.22.15.254
- netmask: 20
-
- - device: eno5.32
- headline: eno5 - VLAN 32 (Ubiquiti UniFi Accesspoints private NET)
- auto: true
- family: inet
- method: static
- address: 10.32.15.254
- netmask: 20
-
- - device: eno5:ns
- headline: eno5:ns - Alias on eno5 (Nameserver)
+ - device: eno3:ns
+ headline: eno3:ns - Alias on eno3 (Nameserver)
 auto: true
 family: inet
 method: static
 address: 192.168.72.1
 netmask: 32
+ - device: eno3.10
+ headline: eno3.10 - LAN 1 Campus - network 192.168.72.0/24
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.72.254
+ netmask: 24
+ pre-up:
+ - /sbin/ifconfig eno3 up
+
+
+ - device: eno4
+ family: inet
+ method: manual
+ post-up:
+ # VLAN 20 - LAN 2 Campus including UniFi Accesspoints
+ - /sbin/ip link add link eno4 name eno4.20 type vlan id 20
+
+ - device: eno4.20
+ headline: eno4.20 - LAN 2 Campus - network 192.168.73.0/24
+ auto: true
+ family: inet
+ method: static
+ address: 192.168.73.254
+ netmask: 24
+ pre-up:
+ - /sbin/ifconfig eno4 up
+
+
+ - device: eno6
+ headline: eno6 - Management Network Campus - network 10.72.1.0/24
+ auto: true
+ family: inet
+ method: static
+ address: 10.72.1.254
+ netmask: 24
+
+
+ - device: eno7
+ headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen)
+ auto: true
+ family: inet
+ method: 
static
+ address: 192.168.11.72/24
+ gateway: 192.168.11.254
+ netmask: 24
+
+
 # ---
 # vars used by roles/ansible_dependencies
@@ -93,57 +117,6 @@ network_interfaces:
 # vars used by roles/common/tasks/cron.yml
 # ---
-cron_user_entries:
-
- - name: "Check if Postfix Mailservice is up and running?"
- minute: "*/15"
- hour: '*'
- job: /root/bin/monitoring/check_postfix.sh
-
- - name: "Check if SSH service is up and running?"
- minute: "*/15"
- hour: '*'
- job: /root/bin/monitoring/check_ssh.sh
-
- - name: "Check if OpenVPN service is up and running?"
- minute: "*/30"
- hour: '*'
- job: /root/bin/monitoring/check_vpn.sh
-
- - name: "Check if nameservice (bind) is running?"
- minute: '*/10'
- hour: '*'
- job: /root/bin/monitoring/check_dns.sh
-
- - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
- minute: "0-59/2"
- hour: '*'
- job: /root/bin/monitoring/check_forwarding.sh
-
- - name: "Copy gateway configuration"
- minute: "09"
- hour: "3"
- job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
-
-
-#cron_user_special_time_entries: []
-cron_user_special_time_entries:
-
- - name: "Check if Postfix Service is running at boot time"
- special_time: reboot
- job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
- insertafter: PATH
-
- - name: "Restart Systemd's resolved at boottime."
- special_time: reboot
- job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
- insertafter: PATH
-
- - name: "Restart NTP service 'ntpsec'"
- special_time: reboot
- job: "sleep 15 ; /bin/systemctl restart ntpsec"
- insertafter: PATH
-
 # ---
 # vars used by roles/common/tasks/sshd.yml
@@ -215,8 +188,8 @@ resolved_nameserver:
 #resolved_domains: []
 resolved_domains:
 - ~.
- - ga.netz
- - ga.intra
+ - campus.netz
+ - campus.intra
 resolved_dnssec: false
diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml
index 0ed6836..b079341 100644
--- a/host_vars/ga-st-gw.ga.netz.yml
+++ b/host_vars/ga-st-gw.ga.netz.yml
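Review bot: The new eno3 and eno4 parent stanzas carry no `auto: true` (the eno5 stanza they replace had it), so the `post-up` hooks that create eno3.10/eno4.20 only run on an explicit `ifup eno3`; eno3.10 and eno4.20 are `auto`, but their `pre-up` only does `/sbin/ifconfig eno3 up`, which brings the parent up without creating the VLAN link, so at boot the VLAN devices may not exist unless the vlan package's ifupdown hook creates them by name. I would add `auto: true` to both parent stanzas and replace the ifconfig calls with `/sbin/ip link set eno3 up` (same for eno4), matching the `/sbin/ip` used everywhere else in this file. The `eno3:ns` alias keeps 192.168.72.1/32 on the untagged parent although 192.168.72.0/24 has moved to eno3.10; it presumably should become `eno3.10:ns`. On eno7, `address: 192.168.11.72/24` together with `netmask: 24` is redundant, and `gateway: 192.168.11.254` installs a default route towards the Stockhausen LAN — if the eno1 uplink stanza above this hunk also sets a gateway, the host ends up with two default routes, so confirm which is intended.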
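Review bot: `resolved_domains` drops `ga.netz`/`ga.intra` in favour of `campus.netz`/`campus.intra`, while the same commit renames this host file into ga.netz (ga-campus-gw-temp.ga.netz.yml) and ga-st-gw adds a route towards this host under that name; with only `~.` left as a routing domain, short names of ga.netz hosts will no longer resolve from this gateway. If the campus zone is meant to replace ga.netz for this host, the inventory name should follow; otherwise keep `- ga.netz` alongside `- campus.netz`. Which of the two is intended is not visible in the hunk — the `resolved_nameserver` block above it would show which zones the upstream resolver actually serves.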
@@ -211,6 +211,8 @@ network_interfaces:
 - /sbin/ip link add link bond1 name bond1.131 type vlan id 131
 # Route ???
 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
+ # Route to management network campus
+ - /sbin/ip route add 10.72.4.0/24 via 192.168.11.72
 - device: bond1.121
diff --git a/host_vars/gw-dissens.oopen.de.yml b/host_vars/gw-dissens.oopen.de.yml
index bd1ea94..41b3cb7 100644
--- a/host_vars/gw-dissens.oopen.de.yml
+++ b/host_vars/gw-dissens.oopen.de.yml
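Review bot: The destination of the new route, `10.72.4.0/24`, does not match the campus management network configured elsewhere in this commit — ga-campus-gw-temp's eno6 is `10.72.1.254/24` and ga-al-gw gets `10.72.1.0/24 via 172.16.111.254`. Unless 10.72.4.0/24 is a separate network not shown here, this looks like a typo and should read `- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72`. The next hop 192.168.11.72 does match the eno7 address given to ga-campus-gw-temp, so only the prefix is in question.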
@@ -82,6 +82,53 @@ sshd_hostkeyalgorithms:
 # ---
+# ---
+# vars used by roles/common/tasks/users
+# ---
+
+default_user:
+
+ - name: chris
+ password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: sysadm
+ user_id: 1050
+ group_id: 1050
+ group: sysadm
+ password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: localadmin
+ user_id: 1051
+ group_id: 1051
+ group: localadmin
+ home: /home/localadmin
+ password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
+
+ - name: back
+ user_id: 1060
+ group_id: 1060
+ group: back
+ password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
+ shell: /bin/bash
+ ssh_keys:
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
+ - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
+
+
 # ---
 # vars used by roles/common/tasks/systemd-resolved.yml
 # ---
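Review bot: This `default_user` list is a byte-for-byte copy of the one added to file-dissens.dissens.netz.yml in the same commit — same users, same yescrypt hashes, same keys — so it belongs in a group_vars file for the dissens hosts (with the `password:` values vault-encrypted) rather than in two host_vars files that will drift at the next rotation. The `back` account gets an interactive `/bin/bash` plus root keys from three backup hosts (backup.open.de, backup.warenform.de, o26-backup); if those keys only drive rsync/borg pulls and the users role writes `ssh_keys` into authorized_keys unchanged, prefixing them with `restrict,command="..."` keeps a compromised backup host from getting a shell on the gateway. Whether the role passes authorized_keys options through is not visible here.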
diff --git a/host_vars/o12.oopen.de.yml b/host_vars/o12.oopen.de.yml
index 9249a0e..edec3b5 100644
--- a/host_vars/o12.oopen.de.yml
+++ b/host_vars/o12.oopen.de.yml
@@ -273,6 +273,11 @@ cron_user_entries:
 hour: '*'
 job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
+ - name: "Check if all autostart LX-Container are running.?"
+ minute: '*/10'
+ hour: '*'
+ job: /root/bin/LXC/boot-autostart-lx-container.sh
+
 # ---
diff --git a/host_vars/server28.warenform.de.yml b/host_vars/server28.warenform.de.yml
index d9fcd70..9e4b81e 100644
--- a/host_vars/server28.warenform.de.yml
+++ b/host_vars/server28.warenform.de.yml
@@ -235,11 +235,6 @@ cron_env_entries:
 cron_user_special_time_entries:
- - name: "Restart NTP service 'ntpsec'"
- special_time: reboot
- job: "sleep 2 ; /bin/systemctl restart ntpsec"
- insertafter: PATH
-
 - name: "Restart DNS Cache service 'systemd-resolved'"
 special_time: reboot
 job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
diff --git a/hosts b/hosts
index 858788a..c5675ed 100644
--- a/hosts
+++ b/hosts
@@ -43,7 +43,6 @@ gw-ak.oopen.de
 gw-akb.oopen.de
 172.16.82.2
 gw-dissens.oopen.de
-gw-dissens.oopen.de
 gw-ebs.oopen.de
 gw-elster.oopen.de
 gw-fhxb.oopen.de
diff --git a/roles/common/templates/etc/bind/named.conf.options.j2 b/roles/common/templates/etc/bind/named.conf.options.j2
index aa1b071..a565981 100644
--- a/roles/common/templates/etc/bind/named.conf.options.j2
+++ b/roles/common/templates/etc/bind/named.conf.options.j2
@@ -52,6 +52,14 @@ options {
 any;
 };
+ allow-query {
+ 127.0.0.1;
+ ::1 ;
+{% for acl in acl_caching_nameserver %}
+ {{ acl.name }};
+{% endfor %}
+ };
+
 allow-recursion {
 127.0.0.1;
 ::1 ;
@@ -69,6 +77,11 @@ options {
 ::1;
 };
+ allow-query {
+ 127.0.0.1;
+ ::1;
+ };
+
 allow-recursion {
 127.0.0.1;
 ::1;
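Review bot: The new cron job `/root/bin/LXC/boot-autostart-lx-container.sh` has no output redirect, unlike the `check_ntpsec_service.sh` entry just above it (`> /dev/null 2>&1`), so every ten-minute run that prints anything mails root; either add the same redirect or make sure the script is silent on the happy path. The entry name has a stray period — `"Check if all autostart LX-Container are running?"`. The script's name suggests a boot-time start routine; a one-line comment saying it is meant to restart autostart containers that have stopped would explain why it runs every ten minutes.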
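Review bot: `allow-query` is added at `options` level, so it restricts every zone this BIND instance serves, not only recursive lookups: a client outside `acl_caching_nameserver` (a secondary doing SOA/AXFR checks, or anything querying an authoritative zone) now gets REFUSED unless the zone overrides it with its own `allow-query { any; };`. Worth confirming which hosts render this branch of the template and whether any of them are authoritative for a zone that external resolvers query. Minor: `::1 ;` carries a stray space; the second hunk writes `::1;`.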