ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph
2025-08-03 01:00:01 +02:00
parent 5d18b79372
commit a81cf75e13
18 changed files with 2303 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
files/homedirs/back/_bashrc
View File

@ -111,3 +111,7 @@ export EDITOR=vim
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

1
files/homedirs/back/_vimrc
View File

@ -171,3 +171,4 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
set laststatus=2 set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue highlight StatusLine cterm=none ctermfg=white ctermbg=blue
set belloff=all

2
files/homedirs/chris/.vimrc
View File

@ -175,4 +175,6 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
set laststatus=2 set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue highlight StatusLine cterm=none ctermfg=white ctermbg=blue
set belloff=all
colorscheme PaperColor colorscheme PaperColor

4
files/homedirs/chris/_bashrc
View File

@ -113,3 +113,7 @@ export EDITOR=vim
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

4
files/homedirs/root/_bashrc
View File

@ -76,3 +76,7 @@ export LINES=64
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

4
files/homedirs/sysadm/_bashrc
View File

@ -73,3 +73,7 @@ export LINES=64
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

2
files/homedirs/sysadm/_vimrc
View File

@ -175,4 +175,6 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
set laststatus=2 set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue highlight StatusLine cterm=none ctermfg=white ctermbg=blue
set belloff=all
colorscheme PaperColor colorscheme PaperColor

708
host_vars/:q Normal file
View File

@ -0,0 +1,708 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp97s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
description:
address: 192.168.122.10
netmask: 24
gateway: 192.168.122.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp97s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev enp97s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.122.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- anw-km.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.122.254
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_back_mount_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mount'
- 'ALL=(root) NOPASSWD: /usr/bin/umount'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.122.10
samba_server_cidr_prefix: 24
samba_workgroup: WORKGROUP
samba_netbios_name: FILE-KM
samba_server_min_protocol: !!str NT1
samba_groups:
- name: kanzlei
group_id: 1100
- name: a-jur
group_id: 1110
- name: intern
group_id: 1120
- name: aulmann
group_id: 1130
- name: howe
group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
group_id: 1160
- name: public
group_id: 1170
- name: alle
group_id: 1180
samba_user:
- name: advoware
groups:
- advoware
password: '9WNRbc49m3'
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
password: 'a-jur'
- name: andrea
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- kanzlei
- a-jur
- alle
password: 'buero7'
- name: chris
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
6330623334353763613065343336306434376335646666380a363030363335656261656236636562
63663763616630383264303039336562626537366634303636356237323630666635356130383165
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
- name: federico
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'zHfj9g3NcC'
# - name: gerhard
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# - public
# password: 'bHdhzWnTj9'
- name: ho-st1
groups:
- alle
- howe
- stahmann
password: '44-Ro-440'
# - name: howe-staff-1
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'bV3pjPtjkR'
# - name: laura
# groups:
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# password: '99-Hamburg-990'
- name: lenovo3
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'fndvLmrt7W'
- name: lenovo4
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'tpCMmTKj7H'
- name: lenovo5
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'L5Hannover51'
- name: lenovo6
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
password: '66koeln66'
- name: rm-buero1
groups:
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- howe
- stahmann
- traine
- public
password: 'maltzwo2'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
base_home: /data/home
remove_samba_users:
- name: howe-staff-1
- name: gerhard
- name: laura
#remove_samba_users: []
#remove_samba_users:
# - name: evren
samba_shares:
- name: a-jur
comment: a-jur Dokumente
path: /data/samba/a-jur
group_valid_users: a-jur
group_write_list: a-jur
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: kanzlei
comment: Kanzlei auf Fileserver
path: /data/samba/kanzlei
group_valid_users: kanzlei
group_write_list: kanzlei
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: false
- name: aulmann
comment: Aulmann auf Fileserver
path: /data/samba/Aulmann
group_valid_users: aulmann
group_write_list: aulmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: howe
comment: Howe auf Fileserver
path: /data/samba/Howe
group_valid_users: howe
group_write_list: howe
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: stahmann
comment: Stahmann auf Fileserver
path: /data/samba/Stahmann
group_valid_users: stahmann
group_write_list: stahmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: traine
comment: Traine auf Fileserver
path: /data/samba/Traine
group_valid_users: traine
group_write_list: traine
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: public
comment: Public auf Fileserver
path: /data/samba/public
group_valid_users: public
group_write_list: public
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Schriftverkehr
comment: Advoware Dokumente
path: /data/samba/Advoware-Schriftverkehr
group_valid_users: advoware
group_write_list: advoware
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Backup
comment: Advoware Dokumente
path: /data/samba/Advoware-Backup
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: false
- name: alle
comment: Alle auf Fileserver
path: /data/samba/Alle
group_valid_users: alle
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
# - name: web
# comment: Web auf Fileserver
# path: /data/samba/Web
# group_valid_users: web
# group_write_list: web
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

1
host_vars/backup.oopen.de.yml
View File

@ -329,6 +329,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'

3
host_vars/backup.warenform.de.yml
View File

@ -252,6 +252,9 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1RkJYM8qcEagoKt9gNVaeBbXZEJscqIBNnhL/KZfSA root@munin.oopen.de' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1RkJYM8qcEagoKt9gNVaeBbXZEJscqIBNnhL/KZfSA root@munin.oopen.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj2SdZgxG4NCjUiCXY7msCG+Vn6MQ5jsGxrs2qn1QZh root@mx' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj2SdZgxG4NCjUiCXY7msCG+Vn6MQ5jsGxrs2qn1QZh root@mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQAvCK/h7+8h8hPm3WyeEdBbhY4SdOSWJYxuFW24XbM root@nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQAvCK/h7+8h8hPm3WyeEdBbhY4SdOSWJYxuFW24XbM root@nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0'

85
host_vars/file-ebs.ebs.netz.yml
View File

@ -174,6 +174,67 @@ resolved_fallback_nameserver:
- 172.16.182.254 - 172.16.182.254
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMFUnBjVV0WjUlhd2FT49nXlpHUDPEwaJ7bAvRJfB56 root@file-ebs'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK8Ngbtl8Yjtk1JkT0Xn1HVIAHKdtfh0qicnnJTa3Kx root@gw-ebs'
# --- # ---
# vars used by roles/common/tasks/cron.yml # vars used by roles/common/tasks/cron.yml
# --- # ---
@ -261,6 +322,9 @@ samba_netbios_name: FILE-EBS
samba_groups: samba_groups:
- name: sysadm
group_id: 1050
- name: admin - name: admin
group_id: 1100 group_id: 1100
@ -312,6 +376,12 @@ samba_user:
- recherche - recherche
password: 'IrcR3uo-QJ.5' password: 'IrcR3uo-QJ.5'
- name: winadm
groups:
- admin
- sysadm
password: 'ZbPS.Lh6d-9E'
- name: buero - name: buero
groups: groups:
- alle - alle
@ -452,6 +522,21 @@ samba_shares:
vfs_object_recycle: false vfs_object_recycle: false
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2022-Backup
comment: WinServer2022-Backup on Fileserver
path: /data/samba/shares/WinServer2022-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ============================== # ==============================

0
host_vars/ga-st-gw-neu.ga.netz.yml → host_vars/ga-st-gw-neu.ga.netz.yml.00
View File

592
host_vars/ga-st-gw-neu.ga.netz.yml.01 Normal file
View File

@ -0,0 +1,592 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: lan0
headline: lan0 - Temporary LAN network
auto: false
family: inet
method: static
address: 192.168.11.18
gateway: 192.168.11.254
netmask: 24
- device: lan4
headline: lan4 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link lan4 name lan4.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: lan4.111
headline: lan4.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: lan6
headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link lan6 name lan6.211 type vlan id 211
- device: lan6.211
headline: lan6.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig lan6 up
- device: lan8
headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: lan9
headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: lan7
headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: lan2 lan10
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices lan3 and lan11 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: lan3 lan11
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

105
host_vars/ga-st-gw.ga.netz.yml
View File

@ -20,8 +20,17 @@ network_interface_required_packages:
network_interfaces: network_interfaces:
- device: eth2 - device: lan0
headline: eth2 - Uplink static line (radio) to Altenschlirf headline: lan0 - Temporary LAN network
auto: false
family: inet
method: static
address: 192.168.11.18
#gateway: 192.168.11.254
netmask: 24
- device: lan4
headline: lan4 - Uplink static line (radio) to Altenschlirf
auto: true auto: true
family: inet family: inet
method: static method: static
@ -29,7 +38,7 @@ network_interfaces:
netmask: 24 netmask: 24
up: up:
# - For management Antennas # - For management Antennas
- /sbin/ip link add link eth2 name eth2.111 type vlan id 111 - /sbin/ip link add link lan4 name lan4.111 type vlan id 111
post-up: post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# - # -
@ -63,8 +72,8 @@ network_interfaces:
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: eth2.111 - device: lan4.111
headline: eth2.111 - network 10.10.111.0 (management antennas) headline: lan4.111 - network 10.10.111.0 (management antennas)
auto: true auto: true
family: inet family: inet
method: static method: static
@ -72,17 +81,17 @@ network_interfaces:
netmask: 24 netmask: 24
- device: eth8 - device: lan6
headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false auto: false
family: inet family: inet
method: manual method: manual
up: up:
- /sbin/ip link add link eth8 name eth8.211 type vlan id 211 - /sbin/ip link add link lan6 name lan6.211 type vlan id 211
- device: eth8.211 - device: lan6.211
headline: eth8.211 - Network Telefons Stockhausen headline: lan6.211 - Network Telefons Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static
@ -92,11 +101,11 @@ network_interfaces:
address: 172.16.211.1 address: 172.16.211.1
netmask: 24 netmask: 24
pre-up: pre-up:
- /sbin/ifconfig eth8 up - /sbin/ifconfig lan6 up
- device: eth9 - device: lan8
headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true auto: true
family: inet family: inet
method: static method: static
@ -105,8 +114,8 @@ network_interfaces:
gateway: 172.16.11.254 gateway: 172.16.11.254
- device: eth10 - device: lan9
headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true auto: true
family: inet family: inet
method: static method: static
@ -115,8 +124,8 @@ network_interfaces:
gateway: 172.16.13.254 gateway: 172.16.13.254
- device: eth11 - device: lan7
headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true auto: true
family: inet family: inet
method: static method: static
@ -131,14 +140,14 @@ network_interfaces:
# apt-get install ifenslave # apt-get install ifenslave
# ---------- # ----------
- device: bond0 - device: bond0
headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4 headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10
auto: true auto: true
family: inet family: inet
method: static method: static
address: 10.1.9.254 address: 10.1.9.254
netmask: 24 netmask: 24
bond: bond:
slaves: eth0 eth4 slaves: lan2 lan10
# Mode 4 (802.3ad) # Mode 4 (802.3ad)
# #
# also possible here: # also possible here:
@ -180,8 +189,8 @@ network_interfaces:
# #
# apt-get install ifenslave # apt-get install ifenslave
# ---------- # ----------
- device: bond1 - device: sfp0
headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen headline: sfp0 - Main Network Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static
@ -191,24 +200,24 @@ network_interfaces:
- 192.168.11.1 - 192.168.11.1
- 192.168.10.3 - 192.168.10.3
search: ga.netz ga.intra search: ga.netz ga.intra
bond: #bond:
slaves: eth3 eth5 # slaves: lan3 lan11
# Mode 4 (802.3ad) # # Mode 4 (802.3ad)
# # #
# also possible here: # # also possible here:
# - Mode 5: balance-tlb # # - Mode 5: balance-tlb
# - Mode 6: balance-alb # # - Mode 6: balance-alb
mode: 4 # mode: 4
miimon: 100 # miimon: 100
lacp-rate: 1 # lacp-rate: 1
ad-select: count # ad-select: count
downdelay: 200 # downdelay: 200
updelay: 200 # updelay: 200
post-up: post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints # VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121 - /sbin/ip link add link sfp0 name sfp0.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131 - /sbin/ip link add link sfp0 name sfp0.131 type vlan id 131
# Route ??? # Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus # Route to management network campus
@ -219,8 +228,8 @@ network_interfaces:
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72 - /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121 - device: sfp0.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET headline: sfp0.121 - VLAN 121 on interface sfp0 for Ubiquiti UniFi Accesspoints Guest NET
auto: true auto: true
family: inet family: inet
method: static method: static
@ -228,8 +237,8 @@ network_interfaces:
netmask: 20 netmask: 20
- device: bond1.131 - device: sfp0.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET headline: sfp0.131 - VLAN 131 on interface sfp0 for Ubiquiti UniFi Accesspoints private NET
auto: true auto: true
family: inet family: inet
method: static method: static
@ -237,8 +246,8 @@ network_interfaces:
netmask: 20 netmask: 20
- device: bond1:ns - device: sfp0:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice headline: sfp0:ns - Alias IP on sfp0 device for Nameservice
auto: true auto: true
family: inet family: inet
method: static method: static
@ -246,8 +255,8 @@ network_interfaces:
netmask: 32 netmask: 32
- device: bond1:1 - device: sfp0:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network headline: sfp0:1 - Alias IP on sfp0 device for (depricated) Management Network
auto: true auto: true
family: inet family: inet
method: static method: static
@ -255,8 +264,8 @@ network_interfaces:
netmask: 24 netmask: 24
- device: bond1:ap - device: sfp0:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints headline: sfp0:ap - Alias IP on sfp0 device for Network Accesspoints
auto: true auto: true
family: inet family: inet
method: static method: static
@ -282,8 +291,8 @@ network_interfaces:
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi - device: sfp0:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen headline: sfp0:ipmi - Alias IP on sfp0 for IPMI Addresses Servr Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static

583
host_vars/ga-st-gw.ga.netz.yml.00 Normal file
View File

@ -0,0 +1,583 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eth2
headline: eth2 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link eth2 name eth2.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: eth2.111
headline: eth2.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: eth8
headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link eth8 name eth8.211 type vlan id 211
- device: eth8.211
headline: eth8.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig eth8 up
- device: eth9
headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: eth10
headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: eth11
headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: eth0 eth4
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: eth3 eth5
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

234
host_vars/gw-fm.oopen.de.yml Normal file
View File

@ -0,0 +1,234 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.222.1
netmask: 24
gateway: 172.16.222.254
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.222.254
netmask: 24
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.222.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- fm.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.222.254
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

1
host_vars/zapata.opp.netz.yml
View File

@ -384,6 +384,7 @@ samba_user:
groups: groups:
- buero - buero
- beratung - beratung
- verwaltung
password: '20_simon_18!' password: '20_simon_18!'
- name: ute - name: ute

18
hosts
View File

@ -44,6 +44,7 @@ gw-akb.oopen.de
172.16.82.2 172.16.82.2
gw-dissens.oopen.de gw-dissens.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-fm.oopen.de
gw-elster.oopen.de gw-elster.oopen.de
gw-fhxb.oopen.de gw-fhxb.oopen.de
gw-ckubu.local.netz gw-ckubu.local.netz
@ -61,6 +62,7 @@ gw-kb.oopen.de
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@ -142,6 +144,9 @@ o13-web.oopen.de
# Freiheit für daniela # Freiheit für daniela
o14.oopen.de o14.oopen.de
# VBRG - Opferhilfefonds
o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
@ -344,6 +349,9 @@ o13-git.oopen.de
# Freiheit für daniela # Freiheit für daniela
o14.oopen.de o14.oopen.de
# VBRG - Opferhilfefonds
o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
@ -536,6 +544,11 @@ file-dissens.dissens.netz
gw-ebs.oopen.de gw-ebs.oopen.de
file-ebs.ebs.netz file-ebs.ebs.netz
# Faire Mobilitaet
gw-fm.oopen.de
file-fm.fm.netz
# Kanzlei Elster Jena # Kanzlei Elster Jena
gw-elster.oopen.de gw-elster.oopen.de
@ -1359,6 +1372,7 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@ -1374,6 +1388,7 @@ file-blkr.blkr.netz
file-dissens.dissens.netz file-dissens.dissens.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
@ -1642,6 +1657,7 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@ -1881,6 +1897,7 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@ -1904,6 +1921,7 @@ gw-b3.oopen.de
gw-d11.oopen.de gw-d11.oopen.de
gw-dissens.oopen.de gw-dissens.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-fm.oopen.de
gw-elster.oopen.de gw-elster.oopen.de
gw-blkr.oopen.de gw-blkr.oopen.de
gw-ak.oopen.de gw-ak.oopen.de