From 97fd7efb1679be3e35ef6327524de123ad12d8a2 Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 26 Feb 2024 00:43:42 +0100 Subject: [PATCH] update.. --- files/homedirs/root/_bashrc | 4 +- host_vars/bbb-server.b3-bornim.netz.yml | 2 +- host_vars/file-ah.kanzlei-kiel.netz.yml | 27 ++- ...r.netz.yml => file-blkr-alt.blkr.netz.yml} | 31 +-- host_vars/file-blkr.blkr.netz.yml | 28 ++- host_vars/file-fhxb.fhxb.netz.yml | 2 +- host_vars/ga-al-gw.oopen.de.yml | 12 ++ host_vars/ga-nh-gw.oopen.de.yml | 10 + host_vars/ga-st-gw.ga.netz.yml | 12 ++ host_vars/gw-123.oopen.de.yml | 12 ++ host_vars/gw-ah.oopen.de.yml | 14 ++ host_vars/gw-ak.oopen.de.yml | 12 ++ host_vars/gw-akb.oopen.de.yml | 12 ++ host_vars/gw-b3.oopen.de.yml | 12 ++ host_vars/gw-blkr.oopen.de.yml | 10 + host_vars/gw-ckubu.local.netz.yml | 10 + host_vars/gw-d11.oopen.de.yml | 12 ++ host_vars/gw-ebs.oopen.de.yml | 14 ++ host_vars/gw-elster.oopen.de.yml | 10 + host_vars/gw-fhxb.oopen.de.yml | 12 ++ host_vars/gw-flr.oopen.de.yml | 10 + host_vars/gw-irights.oopen.de.yml | 10 + host_vars/gw-km.oopen.de.yml | 10 + host_vars/gw-opp.oopen.de.yml | 12 ++ host_vars/gw-spr.oopen.de.yml | 12 ++ host_vars/o13-staging-board.oopen.de.yml | 186 ++++++++++++++++++ host_vars/o25.oopen.de.yml | 72 +++++++ host_vars/o35.oopen.de.yml | 2 +- host_vars/zapata.opp.netz.yml | 71 ++++++- hosts | 11 +- .../templates/etc/security/limits.conf.j2 | 62 ++++++ 31 files changed, 663 insertions(+), 53 deletions(-) rename host_vars/{file-blkr-neu.blkr.netz.yml => file-blkr-alt.blkr.netz.yml} (92%) create mode 100644 host_vars/o13-staging-board.oopen.de.yml create mode 100644 roles/common/templates/etc/security/limits.conf.j2 diff --git a/files/homedirs/root/_bashrc b/files/homedirs/root/_bashrc index 3bb4709..dca6a2a 100644 --- a/files/homedirs/root/_bashrc +++ b/files/homedirs/root/_bashrc 
@@ -35,7 +35,9 @@ alias ls='ls $LS_OPTIONS' alias ll='ls $LS_OPTIONS -l' alias la='ls $LS_OPTIONS -al' alias l='ls $LS_OPTIONS -lA' -# + +alias running_services='systemctl list-units --type=service --state=running' + # Some more alias to avoid making mistakes: #alias rm='rm -i' #alias cp='cp -i' diff --git a/host_vars/bbb-server.b3-bornim.netz.yml b/host_vars/bbb-server.b3-bornim.netz.yml index 806b72b..cf105b6 100644 --- a/host_vars/bbb-server.b3-bornim.netz.yml +++ b/host_vars/bbb-server.b3-bornim.netz.yml @@ -141,7 +141,7 @@ resolved_dnssec: true # dns.as250.net: 194.150.168.168 # resolved_fallback_nameserver: - - 194.150.168.168 + - 172.16.42.254 # --- diff --git a/host_vars/file-ah.kanzlei-kiel.netz.yml b/host_vars/file-ah.kanzlei-kiel.netz.yml index 19f95c6..f1de305 100644 --- a/host_vars/file-ah.kanzlei-kiel.netz.yml +++ b/host_vars/file-ah.kanzlei-kiel.netz.yml @@ -160,7 +160,7 @@ resolved_domains: - ~. - kanzlei-kiel.netz -resolved_dnssec: true +resolved_dnssec: false # dns.as250.net: 194.150.168.168 # @@ -172,12 +172,12 @@ resolved_fallback_nameserver: # vars used by roles/common/tasks/cron.yml # --- -cron_user_special_time_entries: - - - name: "Restart DNS Cache service 'systemd-resolved'" - special_time: reboot - job: "sleep 10 ; /bin/systemctl restart systemd-resolved" - insertafter: PATH +#cron_user_special_time_entries: +# +# - name: "Restart DNS Cache service 'systemd-resolved'" +# special_time: reboot +# job: "sleep 10 ; /bin/systemctl restart systemd-resolved" +# insertafter: PATH @@ -247,6 +247,13 @@ sudo_users: # --- +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + +nfs_server: 192.168.100.10 + + # --- # vars used by roles/common/tasks/samba-config-server.yml # vars used by roles/common/tasks/samba-user.yml @@ -325,7 +332,7 @@ samba_user: - buero - intern - verwaltung - password: + password: '20-buch_holz-20' - name: schmidt groups: - intern 
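Review bot: The `samba_user` entry in the `@@ -325` hunk now stores a cleartext credential, `password: '20-buch_holz-20'`, in a host_vars file that is committed to git, next to the other cleartext Samba passwords this file already holds. Anyone with read access to the repository, or to its history after a later removal, gets a working share credential, and this value looks like a name-plus-year pattern that a wordlist would hit quickly. Move the `password:` values into an ansible-vault encrypted vars file and reference them as `password: "{{ vault_samba_pw_<user> }}"`, then rotate this one since it is already in history.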
@@ -449,8 +456,8 @@ samba_shares: path: /data/samba/shares/Advoware-Backup group_valid_users: back group_write_list: back - file_create_mask: 664 - dir_create_mask: 2775 + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 guest_ok: !!str yes vfs_object_recycle: false diff --git a/host_vars/file-blkr-neu.blkr.netz.yml b/host_vars/file-blkr-alt.blkr.netz.yml similarity index 92% rename from host_vars/file-blkr-neu.blkr.netz.yml rename to host_vars/file-blkr-alt.blkr.netz.yml index 4eea09f..9803d60 100644 --- a/host_vars/file-blkr-neu.blkr.netz.yml +++ b/host_vars/file-blkr-alt.blkr.netz.yml @@ -33,7 +33,7 @@ network_interfaces: family: inet method: static description: - address: 192.168.162.20 + address: 192.168.162.10 netmask: 24 gateway: 192.168.162.254 @@ -244,37 +244,12 @@ sudo_users: # --- -# --- -# vars used by roles/common/tasks/nfs.yml -# --- - -nfs_server: 192.168.162.20 - -# Set 'fs_encrypted' to true if filesystem lives on an encrypted -# partition. -# -# NOTE !! -# Take car to increase 'fsid' in case of more than one export -# -nfs_exports: - - src: 192.168.162.20:/data/samba/shares - path: /data/samba/shares - mount_opts: users,rsize=8192,wsize=8192,hard,intr - export_opt: rw,root_squash,sync,subtree_check - export_networks: - - 192.168.162.0/24 - - 10.0.192.0/24 - - 10.1.192.0/24 - - 192.168.63.0/24 - use_fsid_option: true - - # --- # vars used by roles/common/tasks/samba-config-server.yml # vars used by roles/common/tasks/samba-user.yml # --- -samba_server_ip: 192.168.162.20 +samba_server_ip: 192.168.162.10 samba_server_cidr_prefix: 24 samba_workgroup: BLKR @@ -354,7 +329,7 @@ samba_user: - buero password: 'bhNC.P5eTy-2' -base_home: /data/home +base_home: /home # remove_samba_users: # - name: name1 diff --git a/host_vars/file-blkr.blkr.netz.yml b/host_vars/file-blkr.blkr.netz.yml index 9803d60..c907a3c 100644 --- a/host_vars/file-blkr.blkr.netz.yml +++ b/host_vars/file-blkr.blkr.netz.yml 
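Review bot: The `!!str 664` / `!!str 2775` tags on the Advoware-Backup share force string typing (presumably because the role expects strings), but the more portable spelling is a quoted scalar, `file_create_mask: '0664'` and `dir_create_mask: '02775'`, which also makes the octal intent visible in the rendered smb.conf instead of relying on Samba parsing a bare decimal-looking value as octal. Separately, this share keeps `guest_ok: !!str yes` as context; if the template turns that into `guest ok = yes`, unauthenticated clients can connect to a backup share regardless of the create masks, which is worth confirming against the role rather than assuming `group_valid_users: back` alone gates it.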
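Review bot: After the rename, `file-blkr-alt.blkr.netz.yml` declares `address: 192.168.162.10` and `samba_server_ip: 192.168.162.10`, which appears to be the live file server's address, since `file-blkr.blkr.netz.yml` gains `nfs_server: 192.168.162.10` and an export `src` on that address in this same commit. The host is removed from every inventory group, so nothing collides today, but a retired vars file that would re-IP a machine onto the production file server the moment someone adds it back is a trap; either keep the old `.20` (or a clearly unused address) in the `-alt` file, or delete the file and rely on git history. At minimum add a header such as `# RETIRED: superseded by file-blkr.blkr.netz.yml, not in inventory` so the intent is explicit.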
@@ -244,6 +244,31 @@ sudo_users: # --- +# --- +# vars used by roles/common/tasks/nfs.yml +# --- + +nfs_server: 192.168.162.10 + +# Set 'fs_encrypted' to true if filesystem lives on an encrypted +# partition. +# +# NOTE !! +# Take car to increase 'fsid' in case of more than one export +# +nfs_exports: + - src: 192.168.162.10:/data/samba/shares + path: /data/samba/shares + mount_opts: users,rsize=8192,wsize=8192,hard,intr + export_opt: rw,root_squash,sync,subtree_check + export_networks: + - 192.168.162.0/24 + - 10.0.192.0/24 + - 10.1.192.0/24 + - 192.168.63.0/24 + use_fsid_option: true + + # --- # vars used by roles/common/tasks/samba-config-server.yml # vars used by roles/common/tasks/samba-user.yml @@ -294,6 +319,7 @@ samba_user: - name: julius-e groups: - buero + - verwaltung password: '2/kcx3jju-tr' - name: leonie groups: @@ -329,7 +355,7 @@ samba_user: - buero password: 'bhNC.P5eTy-2' -base_home: /home +base_home: /data/home # remove_samba_users: # - name: name1 diff --git a/host_vars/file-fhxb.fhxb.netz.yml b/host_vars/file-fhxb.fhxb.netz.yml index 5283eca..acc2c10 100644 --- a/host_vars/file-fhxb.fhxb.netz.yml +++ b/host_vars/file-fhxb.fhxb.netz.yml @@ -141,7 +141,7 @@ resolved_dnssec: true # dns.as250.net: 194.150.168.168 # resolved_fallback_nameserver: - - 194.150.168.168 + - 172.16.192.254 # --- diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml index a99613c..cda95d1 100644 --- a/host_vars/ga-al-gw.oopen.de.yml +++ b/host_vars/ga-al-gw.oopen.de.yml @@ -319,6 +319,18 @@ resolved_fallback_nameserver: - 192.168.11.1 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/ga-nh-gw.oopen.de.yml b/host_vars/ga-nh-gw.oopen.de.yml index a880ea1..3816660 100644 
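Review bot: The new `nfs_exports` entry exports `/data/samba/shares` read-write to four whole /24 networks with `export_opt: rw,root_squash,sync,subtree_check`, i.e. with the default `sec=sys`, so any host on those subnets can mount the share and present whatever non-root UID it likes, bypassing the Samba user/group ACLs that front the same directory. If only a few clients need the mount, list them as individual /32 entries in `export_networks`; `sec=krb5p` (or `all_squash,anonuid=...` where a single squashed identity is acceptable) is the stronger fix if the clients support it. Minor: `intr` in `mount_opts` has been a no-op since Linux 2.6.25 and can be dropped.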
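Review bot: The `cron_user_special_time_entries` addition restarts ntpsec with `sleep 15 ; /bin/systemctl restart ntpsec` at reboot, which papers over what is presumably a start-ordering problem (ntpsec coming up before its interface or DNS) with a fixed delay, and the same workaround is pasted into roughly twenty other host_vars files in this commit. A unit drop-in (`systemctl edit ntpsec` adding `After=network-online.target` and `Wants=network-online.target`, or `Restart=on-failure`) expresses the dependency without the race; if the cron entry is kept, it belongs once in `group_vars` for the gateway group rather than per host. Either way, record why the restart is needed in a comment next to the entry, e.g. `# ntpsec fails to sync after boot until <reason>; restart once interfaces are up`.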
--- a/host_vars/ga-nh-gw.oopen.de.yml +++ b/host_vars/ga-nh-gw.oopen.de.yml @@ -76,6 +76,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -122,6 +127,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/ga-st-gw.ga.netz.yml b/host_vars/ga-st-gw.ga.netz.yml index ca1d670..c3e8189 100644 --- a/host_vars/ga-st-gw.ga.netz.yml +++ b/host_vars/ga-st-gw.ga.netz.yml @@ -365,6 +365,18 @@ resolved_fallback_nameserver: - 192.168.10.1 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml diff --git a/host_vars/gw-123.oopen.de.yml b/host_vars/gw-123.oopen.de.yml index a25f5e0..3b9c4e2 100644 --- a/host_vars/gw-123.oopen.de.yml +++ b/host_vars/gw-123.oopen.de.yml @@ -111,6 +111,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-ah.oopen.de.yml b/host_vars/gw-ah.oopen.de.yml index 5d356af..aa2a57f 100644 --- a/host_vars/gw-ah.oopen.de.yml +++ b/host_vars/gw-ah.oopen.de.yml 
@@ -106,6 +106,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- @@ -203,6 +215,8 @@ bind9_gateway_acl: entries: - '// Nameserver Kanzlei EBS' - 192.168.182.1 + - '// lokal Nameserver Domän controler' + - 192.168.100.30 bind9_gateway_listen_on_v6: - none diff --git a/host_vars/gw-ak.oopen.de.yml b/host_vars/gw-ak.oopen.de.yml index dde3493..a6582fa 100644 --- a/host_vars/gw-ak.oopen.de.yml +++ b/host_vars/gw-ak.oopen.de.yml @@ -156,6 +156,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-akb.oopen.de.yml b/host_vars/gw-akb.oopen.de.yml index 04df971..934a036 100644 --- a/host_vars/gw-akb.oopen.de.yml +++ b/host_vars/gw-akb.oopen.de.yml @@ -111,6 +111,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-b3.oopen.de.yml b/host_vars/gw-b3.oopen.de.yml index 1d3131b..31ebe1e 100644 --- a/host_vars/gw-b3.oopen.de.yml +++ b/host_vars/gw-b3.oopen.de.yml 
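Review bot: The new `bind9_gateway_acl` entry adds `192.168.100.30` under `'// lokal Nameserver Domän controler'`, a comment that is German with typos and does not say what membership in the ACL grants; since the list appears to be the hosts allowed to use this gateway's resolver, say so and name the role of the host, e.g. `'// local AD domain controller (forwards client DNS) - may query this resolver'`. The identical wording is added to `gw-ebs.oopen.de.yml` for `192.168.182.30` and should be fixed there too. These comment strings are emitted into named.conf as list entries, so keeping them ASCII avoids any charset surprises in the rendered file.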
@@ -111,6 +111,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-blkr.oopen.de.yml b/host_vars/gw-blkr.oopen.de.yml index 485ee28..6067c49 100644 --- a/host_vars/gw-blkr.oopen.de.yml +++ b/host_vars/gw-blkr.oopen.de.yml @@ -76,6 +76,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -127,6 +132,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/gw-ckubu.local.netz.yml b/host_vars/gw-ckubu.local.netz.yml index 41d49ca..55645af 100644 --- a/host_vars/gw-ckubu.local.netz.yml +++ b/host_vars/gw-ckubu.local.netz.yml @@ -102,6 +102,16 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH # --- diff --git a/host_vars/gw-d11.oopen.de.yml b/host_vars/gw-d11.oopen.de.yml index 2f82882..ceacde0 100644 --- a/host_vars/gw-d11.oopen.de.yml +++ b/host_vars/gw-d11.oopen.de.yml 
@@ -111,6 +111,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index 54cce27..5d1b359 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -157,6 +157,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- @@ -256,6 +268,8 @@ bind9_gateway_acl: - 192.168.100.1 - '// Nameserver Kanzlei Elster' - 192.168.202.1 + - '// lokal Nameserver Domän controler' + - 192.168.182.30 bind9_gateway_listen_on_v6: - none diff --git a/host_vars/gw-elster.oopen.de.yml b/host_vars/gw-elster.oopen.de.yml index c88d27a..23c98e8 100644 --- a/host_vars/gw-elster.oopen.de.yml +++ b/host_vars/gw-elster.oopen.de.yml @@ -76,6 +76,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -122,6 +127,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/gw-fhxb.oopen.de.yml b/host_vars/gw-fhxb.oopen.de.yml index 6217929..a6b6fe0 100644 --- a/host_vars/gw-fhxb.oopen.de.yml 
+++ b/host_vars/gw-fhxb.oopen.de.yml @@ -156,6 +156,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-flr.oopen.de.yml b/host_vars/gw-flr.oopen.de.yml index 6cdd92b..e6beadc 100644 --- a/host_vars/gw-flr.oopen.de.yml +++ b/host_vars/gw-flr.oopen.de.yml @@ -75,6 +75,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -121,6 +126,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/gw-irights.oopen.de.yml b/host_vars/gw-irights.oopen.de.yml index 896cb3c..7f258b1 100644 --- a/host_vars/gw-irights.oopen.de.yml +++ b/host_vars/gw-irights.oopen.de.yml @@ -71,6 +71,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -117,6 +122,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/gw-km.oopen.de.yml b/host_vars/gw-km.oopen.de.yml index 26cd940..c5eeff5 100644 --- a/host_vars/gw-km.oopen.de.yml 
+++ b/host_vars/gw-km.oopen.de.yml @@ -62,6 +62,11 @@ network_interfaces: # vars used by roles/common/tasks/basic.yml # --- + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + cron_user_entries: - name: "Check if Postfix Mailservice is up and running?" @@ -108,6 +113,11 @@ cron_user_special_time_entries: job: "sleep 10 ; /bin/systemctl restart systemd-resolved" insertafter: PATH + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + # --- # vars used by roles/common/tasks/sshd.yml diff --git a/host_vars/gw-opp.oopen.de.yml b/host_vars/gw-opp.oopen.de.yml index d37c7e4..f85a247 100644 --- a/host_vars/gw-opp.oopen.de.yml +++ b/host_vars/gw-opp.oopen.de.yml @@ -156,6 +156,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/gw-spr.oopen.de.yml b/host_vars/gw-spr.oopen.de.yml index 0865d13..757d8cd 100644 --- a/host_vars/gw-spr.oopen.de.yml +++ b/host_vars/gw-spr.oopen.de.yml @@ -111,6 +111,18 @@ resolved_fallback_nameserver: - 194.150.168.168 +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart ntpsec" + insertafter: PATH + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/o13-staging-board.oopen.de.yml b/host_vars/o13-staging-board.oopen.de.yml new file mode 100644 index 0000000..c69116f --- /dev/null +++ b/host_vars/o13-staging-board.oopen.de.yml 
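Review bot: The gw-spr entry uses `job: "sleep 10 ; /bin/systemctl restart ntpsec"` while every other host touched by this commit uses `sleep 15`; if the shorter delay is deliberate it needs a comment, otherwise make it `sleep 15` so the gateways behave identically. This drift is exactly what happens when the same entry is copied into twenty host files, so a single definition in group_vars for the gateway group would be the better home.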
@@ -0,0 +1,186 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + +#apt_manage_sources_list: false + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 212.42.230.1 + - 83.223.66.51 + +# search domains +# +# If there are more than 
one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $y$j9T$myZ6f5/klmH0HDN2mb9tv/$s/bBrr6PEXdEgtn9CZYzBNZsA4.r6gWYYeZ4LAYotp9 + diff --git a/host_vars/o25.oopen.de.yml b/host_vars/o25.oopen.de.yml index 65554c4..51cbb5d 100644 --- a/host_vars/o25.oopen.de.yml +++ b/host_vars/o25.oopen.de.yml 
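Review bot: The new host file commits three SHA-512 crypt hashes under `default_user` and the root yescrypt hash under `root_user`; password hashes in a git repository are an offline-cracking target for anyone who ever gets read access, and history keeps them after removal. Keep the `password:` values in an ansible-vault file and reference them as `"{{ vault_chris_password }}"`-style lookups; the public SSH keys can stay in the clear. Separately, `git_firewall_repository` clones `https://git.oopen.de/firewall/ipt-server` with no `version:`, so the firewall ruleset deployed to this host is whatever the branch head is at run time; pinning a tag or commit (`version: <tag-or-sha>`) makes the deployment reproducible and reviewable. The long commented list of third-party resolvers (CyberGhost, Cloudflare, Google, ...) is not configuration and would be better as one link in the role README than copied into each host file.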
@@ -259,6 +259,78 @@ network_interfaces: #apt_manage_sources_list: false +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + - 213.133.100.100 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- diff --git a/host_vars/o35.oopen.de.yml b/host_vars/o35.oopen.de.yml index 11f6235..397f37c 100644 --- a/host_vars/o35.oopen.de.yml +++ b/host_vars/o35.oopen.de.yml @@ -214,7 +214,7 @@ resolved_domains: - ~. - oopen.de -resolved_dnssec: true +resolved_dnssec: false # dns.as250.net: 194.150.168.168 # diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 2961529..00783ac 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -18,7 +18,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: 
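Review bot: `resolved_dnssec` is flipped from `true` to `false` here with no comment, and the same downgrade lands in this commit for `file-ah.kanzlei-kiel.netz`, `o13-staging-board` and `o25`, the latter two pointing at upstream resolvers outside this repository's control. Disabling validation means a forged upstream answer is accepted silently; if the motivation is an upstream that breaks validation and the role passes the value through to `DNSSEC=` in resolved.conf, `resolved_dnssec: allow-downgrade` keeps validation wherever the upstream supports it. Either way, a one-line comment beside the value, e.g. `# DNSSEC off: <reason>, <date>`, should record why.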
@@ -75,6 +74,76 @@ network_interfaces: # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.62.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - opp.netz + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.62.254 + + # --- # vars used by roles/common/tasks/cron.yml # --- 
diff --git a/hosts b/hosts index 124620b..9c2d87f 100644 --- a/hosts +++ b/hosts @@ -19,6 +19,7 @@ rage.so36.net ansible_user=ckubu lxc-host-kb.anw-kb.netz o33.oopen.de o25.oopen.de +o13-staging-board.oopen.de [dns_sinma] @@ -56,7 +57,6 @@ file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz -file-blkr-neu.blkr.netz zapata.opp.netz gw-replacement.local.netz @@ -465,7 +465,6 @@ file-km.anw-km.netz # - Kanzlei BLKR gw-blkr.oopen.de file-blkr.blkr.netz -file-blkr-neu.blkr.netz # - Kanzlei EBS Leipzig gw-ebs.oopen.de @@ -1163,7 +1162,6 @@ file-ipa.local.netz server18.warenform.de piwik.warenform.de -server22.warenform.de nd-live.warenform.de nd-epaper.warenform.de nd-archiv.warenform.de @@ -1222,7 +1220,6 @@ file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz -file-blkr-neu.blkr.netz zapata.opp.netz @@ -1230,7 +1227,7 @@ zapata.opp.netz [nfs_server] file-blkr.blkr.netz -file-blkr-neu.blkr.netz +file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz @@ -1241,7 +1238,6 @@ file-fhxb.fhxb.netz [x2go_server] file-blkr.blkr.netz -file-blkr-neu.blkr.netz [mumble_server] @@ -1318,7 +1314,6 @@ bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz file-blkr.blkr.netz -file-blkr-neu.blkr.netz zapata.opp.netz # - GA - Gemeinschaft Altensclirf @@ -1464,7 +1459,6 @@ file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz -file-blkr-neu.blkr.netz zapata.opp.netz file-ipa.local.netz @@ -1671,7 +1665,6 @@ file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz file-blkr.blkr.netz -file-blkr-neu.blkr.netz zapata.opp.netz diff --git a/roles/common/templates/etc/security/limits.conf.j2 b/roles/common/templates/etc/security/limits.conf.j2 new file mode 100644 index 0000000..79cc914 --- /dev/null +++ b/roles/common/templates/etc/security/limits.conf.j2 
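Review bot: `file-ah.kanzlei-kiel.netz` is added to `[nfs_server]`, but its host_vars in this same commit only gain `nfs_server: 192.168.100.10` and no `nfs_exports` list, unlike `file-blkr.blkr.netz`, which defines the export path, options and `export_networks`. Depending on what `roles/common/tasks/nfs.yml` does with an undefined `nfs_exports`, this either installs a listening NFS daemon with nothing exported or fails the play; add the intended export with an explicit, minimal `export_networks`, or hold the group change until it exists. Dropping `server22.warenform.de` and the `file-blkr-neu` entries is a plain cleanup and fine as is.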
@@ -0,0 +1,62 @@ +# {{ ansible_managed }} + +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open file descriptors +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# + +#* soft core 0 +#root hard core 100000 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#ftp - chroot /ftp +#@student - maxlogins 4 + +* - nofile 1048576 +root - nofile 1048576 + + +# End of file
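Review bot: `* - nofile 1048576` raises the hard open-file limit for every PAM login user to about one million (`-` sets soft and hard together), which removes one of the few per-user resource brakes a multi-user box has; it belongs on the specific service account that needs it, e.g. `<service-user> - nofile 1048576`, with `*` left at the distro default or a moderate soft value. Note also that pam_limits only governs PAM sessions: systemd services do not read /etc/security/limits.conf, so if the goal is a daemon's descriptor limit this template will not affect it and `LimitNOFILE=` in a unit drop-in (or `DefaultLimitNOFILE=` in system.conf) is the right place. The header comment has lost its format line (the `<domain> <type> <item> <value>` placeholders after "in the form:" appear to have been stripped), so restoring it would make the template self-explaining. The explicit `root - nofile ...` line is correct given the note above it that wildcard entries skip root.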