ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph 2023-01-24 18:54:48 +01:00
parent 3fb347061c
commit 976f497d78
8 changed files with 239 additions and 439 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
group_vars/all/main.yml
View File

@ -828,6 +828,7 @@ apt_webserver_pkgs:
- expect
- expect-dev
- libexpect-perl
- poppler-utils
apt_install_postgresql_pkgs: false
apt_postgresql_pkgs:

210
host_vars/ga-nh-gw.oopen.de.yml.BAK
View File

@ -1,210 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
- resolvconf
network_interfaces:
- device: eno1
headline: eno1 - holds uplink WiDSL Antenna (ppp line widsl)
auto: true
family: inet
method: static
address: 10.12.136.254
netmask: 24
- device: dsl-widsl
headline: dsl-widsl - ppp line widsl
auto: true
family: inet
method: ppp
provider: dsl-widsl
pre-up:
- /sbin/ifconfig eno1 up
- device: eno2
headline: eno2 - uplink Telekom (static line via digitbox)
auto: true
family: inet
method: static
address: 172.16.81.1
netmask: 24
gateway: 172.16.81.254
nameservers:
- 192.168.81.1
- 192.168.11.1
search: ga.netz
- device: eno5
headline: eno5 - LAN
auto: true
family: inet
method: static
address: 192.168.81.254
netmask: 24
- device: eno5:ns
headline: eno5:ns - Alias on eno5 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.81.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

2
host_vars/gw-ah.oopen.de.yml
View File

@ -131,7 +131,7 @@ bind9_gateway_acl:
- internaldns:
name: internaldns
entries:
- '# Nameserver Kanzlei EBS'
- '// Nameserver Kanzlei EBS'
- 192.168.182.1
bind9_gateway_listen_on_v6:

57
host_vars/gw-ebs.oopen.de.yml
View File

@ -1,5 +1,58 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
- resolvconf
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.182.1
netmask: 24
gateway: 172.16.182.254
nameservers:
- 127.0.0.1
- 192.168.182.1
search: ebs.netz kanzlei-kiel.netz elster.netz
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.182.254
netmask: 24
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.182.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
@ -129,9 +182,9 @@ bind9_gateway_acl:
- internaldns:
name: internaldns
entries:
- '# Nameserver Kanzlei Kiel'
- '// Nameserver Kanzlei Kiel'
- 192.168.100.1
- '# Nameserver Kanzlei Elster'
- '// Nameserver Kanzlei Elster'
- 192.168.202.1
bind9_gateway_listen_on_v6:

5
host_vars/gw-elster.oopen.de.yml
View File

@ -1,4 +1,5 @@
---
# ---
# vars used by roles/network_interfaces
# ---
@ -32,7 +33,7 @@ network_interfaces:
nameservers:
- 127.0.0.1
- 192.168.202.1
search: elster.netz
search: elster.netz ebs.netz
- device: eno2
@ -234,7 +235,7 @@ bind9_gateway_acl:
- internaldns:
name: internaldns
entries:
- '# Nameserver Kanzlei EBS'
- '// Nameserver Kanzlei EBS'
- 192.168.182.1
bind9_gateway_listen_on_v6:

123
host_vars/o25.oopen.de.yml.BAK
View File

@ -1,123 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- resolvconf
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp8s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 00:d8:61:0e:b9:1c
description:
address: 144.76.24.11
netmask: 27
gateway: 144.76.24.1
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 195.201.179.131
- 95.217.204.204
search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp8s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up: [] # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
method: static
address: 2a01:4f8:191:b::2
netmask: 64
gateway: fe80::1

101
hosts
View File

@ -19,9 +19,6 @@ dns1.warenform.de
[extra_hosts]
backup.oopen.de
gitea.so36.net
backup.so36.net
devel-root.wf.netz
gw-123.oopen.de
@ -69,11 +66,8 @@ ga-st-kvm5.ga.netz
ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
server16.warenform.de
helden.warenform.de
server18.warenform.de
piwik.warenform.de
server20.warenform.de
server22.warenform.de
server23.warenform.de
server24.warenform.de
@ -81,9 +75,6 @@ server25.warenform.de
server26.warenform.de
server27.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
#server22.warenform.de
nd.warenform.de
nd-archiv.warenform.de
@ -161,7 +152,6 @@ o25.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
@ -184,9 +174,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
o35.oopen.de
b.ns.oopen.de
cl-02.oopen.de
@ -214,18 +201,10 @@ lxc-host-kb.anw-kb.netz
# - Warenform Server
# ---
# server16
server16.warenform.de
helden.warenform.de
# server18
server18.warenform.de
piwik.warenform.de
# server20
server20.warenform.de
cloud-giz.warenform.de
# server22
server22.warenform.de
nd.warenform.de
@ -325,7 +304,6 @@ o25.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
@ -352,9 +330,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# - o35.oopen.de
o35.oopen.de
b.ns.oopen.de
@ -477,14 +452,6 @@ devel-todo.wf.netz
devel-wiki.wf.netz
# ---
# so36.NET
# ---
gitea.so36.net
backup.so36.net
[apache2_webserver]
# ---
@ -528,7 +495,6 @@ cl-irights.oopen.de
# o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
# Backup Faire Mobilitaet
@ -567,15 +533,9 @@ ga-al-ws1.ga.netz
# Warenform server
# ---
# server16
helden.warenform.de
# server18
piwik.warenform.de
# server20
cloud-giz.warenform.de
# server22
nd.warenform.de
nd-archiv.warenform.de
@ -683,9 +643,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
@ -888,7 +845,6 @@ o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
# Backup Faire Mobilitaet
o28.oopen.de
@ -920,15 +876,9 @@ cl-test.oopen.de
# Warenform
# ---
# server16.warenform.de
helden.warenform.de
# server18.warenform.de
piwik.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
# server22.warenform.de
nd.warenform.de
nd-archiv.warenform.de
@ -996,10 +946,6 @@ cl-test.oopen.de
# Warenform
# ---
# server20.warenform.de
cloud-giz.warenform.de
[dns_server]
# ---
@ -1061,15 +1007,9 @@ ga-st-mail.ga.netz
# Warenform
# ---
server16.warenform.de
helden.warenform.de
server18.warenform.de
piwik.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
server22.warenform.de
nd-live.warenform.de
nd-epaper.warenform.de
@ -1171,9 +1111,6 @@ server28.warenform.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de
# Jitsi Meet - AG Beratung
o34.oopen.de
[kvm_host]
@ -1225,9 +1162,7 @@ ga-st-lxc1.ga.netz
# Warenform
# ---
server16.warenform.de
server18.warenform.de
server20.warenform.de
server22.warenform.de
server23.warenform.de
server24.warenform.de
@ -1293,7 +1228,6 @@ mm-irights.oopen.de
# - o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
@ -1315,9 +1249,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
e.mx.oopen.de
@ -1354,15 +1285,9 @@ ga-st-mail.ga.netz
# Warenform Server
# ---
# server16
helden.warenform.de
# server18
piwik.warenform.de
# server20
cloud-giz.warenform.de
# server22
nd.warenform.de
nd-archiv.warenform.de
@ -1413,13 +1338,6 @@ devel-todo.wf.netz
devel-wiki.wf.netz
# ---
# so36.NET
# ---
gitea.so36.net
# All oopen server (except office networks)
[oopen_server]
@ -1480,7 +1398,6 @@ o25.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
@ -1507,9 +1424,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# - o35.oopen.de
o35.oopen.de
cl-02.oopen.de
@ -1531,13 +1445,6 @@ cl-test.oopen.de
lxc-host-kb.anw-kb.netz
# ---
# so36.NET
# ---
gitea.so36.net
[oopen_office]
bbb.b3-bornim.netz
@ -1596,18 +1503,10 @@ gateway_server_rw
[warenform_server]
# server16
server16.warenform.de
helden.warenform.de
# server18
server18.warenform.de
piwik.warenform.de
# server20
server20.warenform.de
cloud-giz.warenform.de
# server22
server22.warenform.de
nd.warenform.de

179
roles/modify-ipt-server/tasks/main.yml
View File

@ -274,6 +274,185 @@
- Restart IPv6 Firewall
# ---
# Mattermost (MM) Service
# ---
- name: Check if String 'mm_server_ips=..' is present
shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf
register: mattermost_service_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mattermost_service_ipv4_present.rc > 1"
changed_when: "mattermost_service_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*http_ports'
block: |
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
when:
- main_ipv4_exists.stat.exists
- mattermost_service_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'mm_server_ips=..' is present
shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf
register: mattermost_service_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "mattermost_service_ipv6_present.rc > 1"
changed_when: "mattermost_service_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*http_ports'
block: |
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
when:
- main_ipv6_exists.stat.exists
- mattermost_service_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# Protection against and Limit Connections settings
# ---
- name: Check if String 'protection_against_syn_flooding=..' is present
shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf
register: protect_settings_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "protect_settings_ipv4_present.rc > 1"
changed_when: "protect_settings_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*create_iperf_rules'
block: |
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
when:
- main_ipv4_exists.stat.exists
- protect_settings_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'protection_against_syn_flooding=..' is present
shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf
register: protect_settings_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "protect_settings_ipv6_present.rc > 1"
changed_when: "protect_settings_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*create_iperf_rules'
block: |
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
when:
- main_ipv6_exists.stat.exists
- protect_settings_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ===
# Remove Marker set by blockinfile
# ===