This commit is contained in:
Christoph 2023-01-24 18:54:48 +01:00
parent 3fb347061c
commit 976f497d78
8 changed files with 239 additions and 439 deletions


@ -828,6 +828,7 @@ apt_webserver_pkgs:
- expect - expect
- expect-dev - expect-dev
- libexpect-perl - libexpect-perl
- poppler-utils
apt_install_postgresql_pkgs: false apt_install_postgresql_pkgs: false
apt_postgresql_pkgs: apt_postgresql_pkgs:


@ -1,210 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
- resolvconf
network_interfaces:
- device: eno1
headline: eno1 - holds uplink WiDSL Antenna (ppp line widsl)
auto: true
family: inet
method: static
address: 10.12.136.254
netmask: 24
- device: dsl-widsl
headline: dsl-widsl - ppp line widsl
auto: true
family: inet
method: ppp
provider: dsl-widsl
pre-up:
- /sbin/ifconfig eno1 up
- device: eno2
headline: eno2 - uplink Telekom (static line via digitbox)
auto: true
family: inet
method: static
address: 172.16.81.1
netmask: 24
gateway: 172.16.81.254
nameservers:
- 192.168.81.1
- 192.168.11.1
search: ga.netz
- device: eno5
headline: eno5 - LAN
auto: true
family: inet
method: static
address: 192.168.81.254
netmask: 24
- device: eno5:ns
headline: eno5:ns - Alias on eno5 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.81.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.


@ -131,7 +131,7 @@ bind9_gateway_acl:
- internaldns: - internaldns:
name: internaldns name: internaldns
entries: entries:
- '# Nameserver Kanzlei EBS' - '// Nameserver Kanzlei EBS'
- 192.168.182.1 - 192.168.182.1
bind9_gateway_listen_on_v6: bind9_gateway_listen_on_v6:


@ -1,5 +1,58 @@
--- ---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
- resolvconf
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.182.1
netmask: 24
gateway: 172.16.182.254
nameservers:
- 127.0.0.1
- 192.168.182.1
search: ebs.netz kanzlei-kiel.netz elster.netz
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.182.254
netmask: 24
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.182.1
netmask: 32
# --- # ---
# vars used by roles/ansible_dependencies # vars used by roles/ansible_dependencies
# --- # ---
@ -129,9 +182,9 @@ bind9_gateway_acl:
- internaldns: - internaldns:
name: internaldns name: internaldns
entries: entries:
- '# Nameserver Kanzlei Kiel' - '// Nameserver Kanzlei Kiel'
- 192.168.100.1 - 192.168.100.1
- '# Nameserver Kanzlei Elster' - '// Nameserver Kanzlei Elster'
- 192.168.202.1 - 192.168.202.1
bind9_gateway_listen_on_v6: bind9_gateway_listen_on_v6:
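Review bot: The comment above the new `network_manage_devices: True` line says additional files in `/etc/network/interfaces/interfaces.d/` are deleted, but `network_interface_path` a few lines below is `/etc/network/interfaces.d`; since a true value removes every unmanaged file under that directory, the comment should name the path the role actually uses: `# If true, all additional files in /etc/network/interfaces.d/ are deleted`. The two booleans in the same stanza are written `True`/`False` while the other vars files in this commit use lowercase (`apt_install_postgresql_pkgs: false`), so `network_manage_devices: true` and `network_interface_reload: false` would keep yamllint's truthy rule quiet and read consistently. The eno1 `nameservers` list is 127.0.0.1 and 192.168.182.1, and the latter is the `eno2:ns` alias configured on this same host, so the gateway has no off-box resolver fallback if the local name service is down; presumably intentional for a host that runs bind9, but a one-line comment saying so would save the next reader the cross-check.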


@ -1,4 +1,5 @@
--- ---
# --- # ---
# vars used by roles/network_interfaces # vars used by roles/network_interfaces
# --- # ---
@ -32,7 +33,7 @@ network_interfaces:
nameservers: nameservers:
- 127.0.0.1 - 127.0.0.1
- 192.168.202.1 - 192.168.202.1
search: elster.netz search: elster.netz ebs.netz
- device: eno2 - device: eno2
@ -234,7 +235,7 @@ bind9_gateway_acl:
- internaldns: - internaldns:
name: internaldns name: internaldns
entries: entries:
- '# Nameserver Kanzlei EBS' - '// Nameserver Kanzlei EBS'
- 192.168.182.1 - 192.168.182.1
bind9_gateway_listen_on_v6: bind9_gateway_listen_on_v6:
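Review bot: Adding `ebs.netz` to the `search` list means any unqualified name on this gateway that does not resolve under `elster.netz` is retried as `name.ebs.netz`, and the ACL entry in the same section suggests that zone is answered by 192.168.182.1 on the other site, so mistyped or missing local names now trigger a cross-site lookup and depend on that path being reachable. That is probably the intended convenience, but it is not stated anywhere; a short comment on the search line such as `# ebs.netz: cross-site names, resolved via 192.168.182.1 (see bind9_gateway_acl)` would document the dependency. Note that the enclosing `network_interfaces` entry starts and ends outside this hunk, so I could not confirm the nameserver order it pairs with beyond the two lines shown.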


@ -1,123 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- resolvconf
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp8s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 00:d8:61:0e:b9:1c
description:
address: 144.76.24.11
netmask: 27
gateway: 144.76.24.1
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 195.201.179.131
- 95.217.204.204
search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp8s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up: [] # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
method: static
address: 2a01:4f8:191:b::2
netmask: 64
gateway: fe80::1

101
hosts

@ -19,9 +19,6 @@ dns1.warenform.de
[extra_hosts] [extra_hosts]
backup.oopen.de backup.oopen.de
gitea.so36.net
backup.so36.net
devel-root.wf.netz devel-root.wf.netz
gw-123.oopen.de gw-123.oopen.de
@ -69,11 +66,8 @@ ga-st-kvm5.ga.netz
ga-al-kvm2.ga.netz ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz ga-al-kvm3.ga.netz
server16.warenform.de
helden.warenform.de
server18.warenform.de server18.warenform.de
piwik.warenform.de piwik.warenform.de
server20.warenform.de
server22.warenform.de server22.warenform.de
server23.warenform.de server23.warenform.de
server24.warenform.de server24.warenform.de
@ -81,9 +75,6 @@ server25.warenform.de
server26.warenform.de server26.warenform.de
server27.warenform.de server27.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
#server22.warenform.de #server22.warenform.de
nd.warenform.de nd.warenform.de
nd-archiv.warenform.de nd-archiv.warenform.de
@ -161,7 +152,6 @@ o25.oopen.de
# - o27.oopen.de # - o27.oopen.de
o27.oopen.de o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@ -184,9 +174,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
o35.oopen.de o35.oopen.de
b.ns.oopen.de b.ns.oopen.de
cl-02.oopen.de cl-02.oopen.de
@ -214,18 +201,10 @@ lxc-host-kb.anw-kb.netz
# - Warenform Server # - Warenform Server
# --- # ---
# server16
server16.warenform.de
helden.warenform.de
# server18 # server18
server18.warenform.de server18.warenform.de
piwik.warenform.de piwik.warenform.de
# server20
server20.warenform.de
cloud-giz.warenform.de
# server22 # server22
server22.warenform.de server22.warenform.de
nd.warenform.de nd.warenform.de
@ -325,7 +304,6 @@ o25.oopen.de
# - o27.oopen.de # - o27.oopen.de
o27.oopen.de o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@ -352,9 +330,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# - o35.oopen.de # - o35.oopen.de
o35.oopen.de o35.oopen.de
b.ns.oopen.de b.ns.oopen.de
@ -477,14 +452,6 @@ devel-todo.wf.netz
devel-wiki.wf.netz devel-wiki.wf.netz
# ---
# so36.NET
# ---
gitea.so36.net
backup.so36.net
[apache2_webserver] [apache2_webserver]
# --- # ---
@ -528,7 +495,6 @@ cl-irights.oopen.de
# o27.oopen.de # o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
# Backup Faire Mobilitaet # Backup Faire Mobilitaet
@ -567,15 +533,9 @@ ga-al-ws1.ga.netz
# Warenform server # Warenform server
# --- # ---
# server16
helden.warenform.de
# server18 # server18
piwik.warenform.de piwik.warenform.de
# server20
cloud-giz.warenform.de
# server22 # server22
nd.warenform.de nd.warenform.de
nd-archiv.warenform.de nd-archiv.warenform.de
@ -683,9 +643,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# o35.oopen.de # o35.oopen.de
cl-02.oopen.de cl-02.oopen.de
@ -888,7 +845,6 @@ o26.oopen.de
# o27.oopen.de # o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
# Backup Faire Mobilitaet # Backup Faire Mobilitaet
o28.oopen.de o28.oopen.de
@ -920,15 +876,9 @@ cl-test.oopen.de
# Warenform # Warenform
# --- # ---
# server16.warenform.de
helden.warenform.de
# server18.warenform.de # server18.warenform.de
piwik.warenform.de piwik.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
# server22.warenform.de # server22.warenform.de
nd.warenform.de nd.warenform.de
nd-archiv.warenform.de nd-archiv.warenform.de
@ -996,10 +946,6 @@ cl-test.oopen.de
# Warenform # Warenform
# --- # ---
# server20.warenform.de
cloud-giz.warenform.de
[dns_server] [dns_server]
# --- # ---
@ -1061,15 +1007,9 @@ ga-st-mail.ga.netz
# Warenform # Warenform
# --- # ---
server16.warenform.de
helden.warenform.de
server18.warenform.de server18.warenform.de
piwik.warenform.de piwik.warenform.de
# server20.warenform.de
cloud-giz.warenform.de
server22.warenform.de server22.warenform.de
nd-live.warenform.de nd-live.warenform.de
nd-epaper.warenform.de nd-epaper.warenform.de
@ -1171,9 +1111,6 @@ server28.warenform.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet # o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de meet.akweb.de
# Jitsi Meet - AG Beratung
o34.oopen.de
[kvm_host] [kvm_host]
@ -1225,9 +1162,7 @@ ga-st-lxc1.ga.netz
# Warenform # Warenform
# --- # ---
server16.warenform.de
server18.warenform.de server18.warenform.de
server20.warenform.de
server22.warenform.de server22.warenform.de
server23.warenform.de server23.warenform.de
server24.warenform.de server24.warenform.de
@ -1293,7 +1228,6 @@ mm-irights.oopen.de
# - o27.oopen.de # - o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@ -1315,9 +1249,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# o35.oopen.de # o35.oopen.de
cl-02.oopen.de cl-02.oopen.de
e.mx.oopen.de e.mx.oopen.de
@ -1354,15 +1285,9 @@ ga-st-mail.ga.netz
# Warenform Server # Warenform Server
# --- # ---
# server16
helden.warenform.de
# server18 # server18
piwik.warenform.de piwik.warenform.de
# server20
cloud-giz.warenform.de
# server22 # server22
nd.warenform.de nd.warenform.de
nd-archiv.warenform.de nd-archiv.warenform.de
@ -1413,13 +1338,6 @@ devel-todo.wf.netz
devel-wiki.wf.netz devel-wiki.wf.netz
# ---
# so36.NET
# ---
gitea.so36.net
# All oopen server (except office networks) # All oopen server (except office networks)
[oopen_server] [oopen_server]
@ -1480,7 +1398,6 @@ o25.oopen.de
# - o27.oopen.de # - o27.oopen.de
o27.oopen.de o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
cl-fm-neu.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@ -1507,9 +1424,6 @@ o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
# Jitsi Meet - AG Beratung
o34.oopen.de
# - o35.oopen.de # - o35.oopen.de
o35.oopen.de o35.oopen.de
cl-02.oopen.de cl-02.oopen.de
@ -1531,13 +1445,6 @@ cl-test.oopen.de
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
# ---
# so36.NET
# ---
gitea.so36.net
[oopen_office] [oopen_office]
bbb.b3-bornim.netz bbb.b3-bornim.netz
@ -1596,18 +1503,10 @@ gateway_server_rw
[warenform_server] [warenform_server]
# server16
server16.warenform.de
helden.warenform.de
# server18 # server18
server18.warenform.de server18.warenform.de
piwik.warenform.de piwik.warenform.de
# server20
server20.warenform.de
cloud-giz.warenform.de
# server22 # server22
server22.warenform.de server22.warenform.de
nd.warenform.de nd.warenform.de


@ -274,6 +274,185 @@
- Restart IPv6 Firewall - Restart IPv6 Firewall
# ---
# Mattermost (MM) Service
# ---
- name: Check if String 'mm_server_ips=..' is present
shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv4.conf
register: mattermost_service_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "mattermost_service_ipv4_present.rc > 1"
changed_when: "mattermost_service_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mattermost_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*http_ports'
block: |
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
when:
- main_ipv4_exists.stat.exists
- mattermost_service_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'mm_server_ips=..' is present
shell: grep -q -E "^mm_server_ips=" /etc/ipt-firewall/main_ipv6.conf
register: mattermost_service_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "mattermost_service_ipv6_present.rc > 1"
changed_when: "mattermost_service_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mattermost_service)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*http_ports'
block: |
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
marker: "# Marker set by modify-ipt-server.yml (mattermost_service)"
when:
- main_ipv6_exists.stat.exists
- mattermost_service_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# ---
# Protection against and Limit Connections settings
# ---
- name: Check if String 'protection_against_syn_flooding=..' is present
shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf
register: protect_settings_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "protect_settings_ipv4_present.rc > 1"
changed_when: "protect_settings_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*create_iperf_rules'
block: |
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
when:
- main_ipv4_exists.stat.exists
- protect_settings_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'protection_against_syn_flooding=..' is present
shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf
register: protect_settings_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "protect_settings_ipv6_present.rc > 1"
changed_when: "protect_settings_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*create_iperf_rules'
block: |
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
marker: "# Marker set by modify-ipt-server.yml (protect_settings)"
when:
- main_ipv6_exists.stat.exists
- protect_settings_ipv6_present is changed
notify:
- Restart IPv6 Firewall
# === # ===
# Remove Marker set by blockinfile # Remove Marker set by blockinfile
# === # ===
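Review bot: Both new Mattermost blocks write `mm_udp_ports_in="$stansard_mattermost_udp_ports_in"` and `mm_udp_ports_out="$stansard_mattermost_udp_ports_out"`; if the ipt-gateway script defines these as `standard_mattermost_udp_ports_in`/`_out` (which the spelling strongly suggests), the reference expands to an empty string and the firewall silently gets whatever behaviour it has for an empty port list, which cannot be verified from this hunk. Unless the misspelt name is really what the script exports, the two lines should read `mm_udp_ports_in="$standard_mattermost_udp_ports_in"` and `mm_udp_ports_out="$standard_mattermost_udp_ports_out"` in both the IPv4 and IPv6 tasks, and the comment typo `MM Servive` should become `MM Service`. The four grep probes use `shell:` for a single fixed-argument grep, so `command:` would do the same without spawning a shell (ansible-lint's command-instead-of-shell). The `marker` strings contain no `{mark}` placeholder, so begin and end markers are the identical line; that appears harmless only because the tasks after this hunk remove the markers again and re-insertion is gated on the grep check, and a comment on the marker line saying so would stop someone from "fixing" it into a duplicated block.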