update..

host_vars/file-fhxb.fhxb.netz.yml

@@ -550,12 +550,15 @@ samba_user:
     # Natalie Maier
   - name : n.maier
     groups:
+      - administration
+      - altlasten
       - archiv
       - ausstellungen
       - buero
       - forschung
       - gedenken-im-stadtraum
       - intern
+      - leitung
       - museum-organisation
       - presse-orga-oeffentlichkeit
       - projekte
@@ -564,6 +567,7 @@ samba_user:
       - team
       - technik
       - veranstaltungen
+      - vermittlung
       - vermietung
       - vze
       - fhxb-bildarchiv

host_vars/gw-123.oopen.de.yml

@@ -116,15 +116,6 @@ bind9_gateway_listen_on:
 # vars used by roles/common/tasks/git.yml
 # ---
 
-git_firewall_repository:
-  name: ipt-gateway
-  repo: https://git.oopen.de/firewall/ipt-gateway
-  dest: /usr/local/src/ipt-gateway
-
-# ---
-# vars used by roles/common/tasks/git.yml
-# ---
-
 git_firewall_repository:
   name: ipt-gateway
   repo: https://git.oopen.de/firewall/ipt-gateway

host_vars/gw-flr.oopen.de.yml

@@ -142,6 +142,76 @@ sshd_hostkeyalgorithms:
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 127.0.0.1
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: true
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---

host_vars/o23.oopen.de.yml

@@ -150,6 +150,78 @@ network_interfaces:
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 195.201.179.131
+  - 95.217.204.204
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: true
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---

host_vars/o35.oopen.de.yml

@@ -150,6 +150,80 @@ network_interfaces:
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001
+#
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9
+#      IPv6: 2620:fe::fe
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de
+#      IPv4: 94.16.114.254  - ns28.de
+#      IPv4: 51.254.162.59  - ns9.de
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+#
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 195.201.179.131
+  - 95.217.204.204
+  - 213.133.100.100
+  - 213.133.98.98
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: true
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+
 # ---
 # vars used by roles/common/tasks/users.yml
 # ---

host_vars/o36.oopen.de.yml

@@ -204,6 +204,7 @@ resolved_nameserver:
 #
 #resolved_domains: []
 resolved_domains:
+  - ~.
   - oopen.de
 
 resolved_dnssec: true

host_vars/zapata.opp.netz.yml

@@ -444,6 +444,12 @@ samba_user:
       - beratung
     password: 't!ne*2018'
 
+  - name: ute
+    groups:
+      - buero
+      - beratung
+    password: '23_ut3*obs'
+
   - name: vali
     groups:
       - buero

roles/common/files/mailserver/etc/postfix/postfwd.bl-nets

@@ -168,3 +168,5 @@
 91.193.19.0/24
 # US
 103.125.147.0/24
+# US
+79.141.173.0/24

roles/modify-ipt-gateway/tasks/main.yml

@@ -122,63 +122,123 @@
 
 
 # ---
-# IP Address Filtering Gaming Devices
+# Restrict VPN Networks
 # ---
 
-- name: Check if String 'gaming_device_ip_addresses..' (IPv4) is present
-  shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv4.conf
-  register: gaming_device_ip_addresses_ipv4_present
+- name: Check if String 'restrict_vpn_net_to_local_service..' (IPv4) is present
+  shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv4.conf
+  register: restrict_vpn_net_to_local_service_ipv4_present
   when: main_ipv4_exists.stat.exists
-  failed_when: "gaming_device_ip_addresses_ipv4_present.rc > 1"
-  changed_when: "gaming_device_ip_addresses_ipv4_present.rc > 0"
+  failed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 1"
+  changed_when: "restrict_vpn_net_to_local_service_ipv4_present.rc > 0"
 
-- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (gaming_device_ip_addresses)
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (restrict_vpn_net_to_local_service)
   blockinfile:
     path: /etc/ipt-firewall/main_ipv4.conf
-    insertafter: '^#?\s*gaming_device_mac_addresses='
+    insertafter: '^#?\s*vpn_out_ports='
     block: |
 
-      # =============
-      # -  IP Address Filtering Gaming Devices
-      # =============
+      # -----
+      # - Restrict VPN Network to local Service
+      # -----#
 
-      # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
+      # - restrict_vpn_net_to_local_service
+      # -
+      # -    allow_ext_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]"
+      # -
+      # - Note:
+      # - =====
+      # -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+      # -
+      # - Example:
+      # -   restrict_vpn_net_to_local_service="
+      # -      10.100.112.0/24:192.168.112.192/27:80:tcp
+      # -      10.100.112.0/24:192.168.112.192/27:443:tcp
+      # -    "
       # -
       # - Blank separated list
       # -
-      gaming_device_ip_addresses=""
-    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)"
+      restrict_vpn_net_to_local_service=""
+
+
+      # -----
+      # - Restrict VPN Network to local (Sub) network
+      # -----
+
+      # - restrict_vpn_net_to_local_subnet
+      # -
+      # -    restrict_vpn_net_to_local_subnet="<src-vpn-net>:<dst-local-net> [<src-vpn-net>:<dst-local-net>} [..]
+      # -
+      # - Example:
+      # -   restrict_vpn_net_to_local_subnet="
+      # -      10.100.112.0/24:192.168.112.192/27
+      # -    "
+      # -
+      # - Blank separated list
+      # -
+      restrict_vpn_net_to_local_subnet=""
+    marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)"
   when: 
     - main_ipv4_exists.stat.exists
-    - gaming_device_ip_addresses_ipv4_present is changed
+    - restrict_vpn_net_to_local_service_ipv4_present is changed
 
 
-- name: Check if String 'gaming_device_ip_addresses..' (IPv6) is present
-  shell: grep -q -E "^#?gaming_device_ip_addresses=" /etc/ipt-firewall/main_ipv6.conf
-  register: gaming_device_ip_addresses_ipv6_present
+- name: Check if String 'restrict_vpn_net_to_local_service..' (IPv6) is present
+  shell: grep -q -E "^#?restrict_vpn_net_to_local_service=" /etc/ipt-firewall/main_ipv6.conf
+  register: restrict_vpn_net_to_local_service_ipv6_present
   when: main_ipv6_exists.stat.exists
-  failed_when: "gaming_device_ip_addresses_ipv6_present.rc > 1"
-  changed_when: "gaming_device_ip_addresses_ipv6_present.rc > 0"
+  failed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 1"
+  changed_when: "restrict_vpn_net_to_local_service_ipv6_present.rc > 0"
 
-- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (gaming_device_ip_addresses)
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (restrict_vpn_net_to_local_service)
   blockinfile:
     path: /etc/ipt-firewall/main_ipv6.conf
-    insertafter: '^#?\s*gaming_device_mac_addresses='
+    insertafter: '^#?\s*vpn_out_ports='
     block: |
 
-      # =============
-      # -  IP Address Filtering Gaming Devices
-      # =============
+      # ----- 
+      # - Restrict VPN Network to local Service
+      # -----#
 
-      # - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
+      # - restrict_vpn_net_to_local_service
+      # -
+      # -    allow_ext_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]"
+      # -
+      # - Note:
+      # - =====
+      # -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+      # -
+      # - Example:
+      # -   restrict_vpn_net_to_local_service="
+      # -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp
+      # -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp
+      # -    "
       # -
       # - Blank separated list
       # -
-      gaming_device_ip_addresses=""
-    marker: "# Marker set by modify-ipt-gateway.yml (gaming_device_ip_addresses)"
+      restrict_vpn_net_to_local_service=""
+
+
+      # -----
+      # - Restrict VPN Network to local (Sub) network
+      # -----
+
+      # - restrict_vpn_net_to_local_subnet
+      # -
+      # -    restrict_vpn_net_to_local_subnet="<src-vpn-net>,<dst-local-net> [<src-vpn-net>,<dst-local-net>} [..]
+      # -
+      # - Example:
+      # -   restrict_vpn_net_to_local_subnet="
+      # -      2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64
+      # -    "
+      # -
+      # - Blank separated list
+      # -
+      restrict_vpn_net_to_local_subnet=""
+    marker: "# Marker set by modify-ipt-gateway.yml (restrict_vpn_net_to_local_service)"
   when: 
     - main_ipv6_exists.stat.exists
-    - gaming_device_ip_addresses_ipv6_present is changed
+    - restrict_vpn_net_to_local_service_ipv6_present is changed
 
 
 # ---