diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 34c0c9b..7ea4b07 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1491,6 +1491,79 @@ yum_initial_install_centos_7: - lua - btrfs-progs + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: false + + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 195.10.195.195 + - 1.1.1.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by tor.yml # --- 
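Review bot: `resolved_nameserver` here is the group-wide default for every host that turns `systemd_resolved` on, and it sends all resolution to a single volunteer-run OpenNIC node (195.10.195.195, `ns31.de` per the comment) plus 1.1.1.1 over cleartext DNS, even though the comment block directly above lists DoT-capable resolvers the role never uses. Combined with `resolved_dnssec: true` below it, a host's resolution now also depends on that OpenNIC node passing DNSSEC records through; if it strips them, strict validation fails rather than degrades — verify on one host before enabling fleet-wide. I would add a one-line rationale next to the value, e.g. `# default upstreams: OpenNIC ns31.de + Cloudflare, plain DNS (no DoT configured)`, and keep the new comment block in English like the rest of this file (`# search domains`, `# vars used by ...`).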
diff --git a/host_vars/:q b/host_vars/:q
new file mode 100644
index 0000000..6051135
--- /dev/null
+++ b/host_vars/:q
@@ -0,0 +1,245 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + - resolvconf + + +network_interfaces: + + - device: br0 + # use only once per device (for the first device entry) + headline: br0 - bridge over device enp35s0 + + # auto & allow are only used for the first device entry + allow: [] # array of allow-[stanzas] eg. allow-hotplug + auto: true + + family: inet + method: static + hwaddress: a8:a1:59:0f:29:d9 + description: + address: 95.217.204.218 + netmask: 255.255.255.192 + gateway: 95.217.204.193 + metric: + pointopoint: + mtu: + scope: + + # additional user by dhcp method + # + hostname: + leasehours: + leasetime: + vendor: + client: + + # additional used by bootp method + # + bootfile: + server: + hwaddr: + + # optional dns settings nameservers: [] + # + # nameservers: + # - 194.150.168.168 # dns.as250.net + # - 91.239.100.100 # anycast.censurfridns.dk + # search: warenform.de + # + nameservers: + - 213.133.100.100 + - 213.133.98.98 + search: + + # optional additional subnets/ips subnets: [] + # subnets: + # - '192.168.123.0/24' + # - '192.168.124.11/32' + + # optional bridge parameters bridge: {} + # bridge: + # ports: + # stp: + # fd: + # maxwait: + # waitport: + bridge: + ports: enp35s0 # for mor devices support a blank separated list + stp: !!str off + fd: 5 + hello: 2 + maxage: 12 + + # optional bonding parameters bond: {} + # bond: + # master + # primary + # slave + # method: + # miimon: + # lacp-rate: + # ad-select-rate: + # master: + # slaves: + bond: {} + + # optional vlan settings | vlan: {} + # vlan: {} + # raw-device: 'eth0' + vlan: {} + + # inline hook scripts 
+ pre-up: [] # pre-up script lines + up: + - !!str "route add -net 95.217.204.192 netmask 255.255.255.192 gw 95.217.204.193 dev br0" # up script lines + post-up: [] # post-up script lines (alias for up) + pre-down: [] # pre-down script lines (alias for down) + down: [] # down script lines + post-down: [] # post-down script lines + + + + - device: br0 + family: inet6 + method: static + address: 2a01:4f9:4a:47e5::2 + netmask: 64 + gateway: fe80::1 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: localadmin + user_id: 1051 + group_id: 1051 + password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + - 'ssh-rsa 
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 jonas@meurer.it' + - 'ssh-rsa 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 t@NB-003258-RLS' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-server + repo: https://git.oopen.de/firewall/ipt-server + dest: /usr/local/src/ipt-server + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/o35.oopen.de.yml b/host_vars/o35.oopen.de.yml index 51cfd5f..6051135 100644 --- a/host_vars/o35.oopen.de.yml +++ b/host_vars/o35.oopen.de.yml @@ -65,8 +65,8 @@ network_interfaces: # search: warenform.de # nameservers: - - 195.201.179.131 - - 95.217.204.204 + - 213.133.100.100 + - 213.133.98.98 search: # optional additional subnets/ips subnets: [] diff --git a/host_vars/o36.oopen.de.yml b/host_vars/o36.oopen.de.yml index 19e3616..2ade7e9 100644 --- a/host_vars/o36.oopen.de.yml +++ b/host_vars/o36.oopen.de.yml 
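Review bot: `host_vars/:q` is almost certainly a stray vim `:q` typed into a filename prompt: its blob (`index 0000000..6051135`) is the same as the post-change blob of `host_vars/o35.oopen.de.yml` (`index 51cfd5f..6051135`), so it is a byte-identical copy of that host's vars. It will never match an inventory host, but it duplicates the SHA-512 crypt hashes for `chris`, `sysadm`, `localadmin`, `back` and the `root_user` hash into a second file that now lives in history; `git rm host_vars/:q` before merging. Since the same `password:` hashes are committed as plain vars in o35 anyway, moving them behind `!vault` would be the next step, and it is worth confirming that the two third-party `ssh-rsa` keys on `localadmin` (`jonas@meurer.it`, `t@NB-003258-RLS`) are meant to come with `localadmin`'s entry in `sudo_users`.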
@@ -18,7 +18,6 @@ network_interface_required_packages: - ifmetric - ifupdown - ifenslave - - resolvconf network_interfaces: @@ -64,9 +63,9 @@ network_interfaces: # - 91.239.100.100 # anycast.censurfridns.dk # search: warenform.de # + # ** MOVED TO systemd-resolved + # nameservers: - - 195.201.179.131 - - 95.217.204.204 search: # optional bridge parameters bridge: {} 
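Review bot: Removing the two addresses leaves `nameservers:` as a bare key, which YAML loads as `null`, not an empty list; the rest of this file spells empty collections explicitly (`allow: []`, `bond: {}`, `vlan: {}`), and if the network_interfaces template iterates `item.nameservers` without a guard — which I cannot see from here — a `None` raises in Jinja where `[]` would simply emit nothing. I would write `nameservers: []` under the `** MOVED TO systemd-resolved` comment. Dropping `resolvconf` from `network_interface_required_packages` also does not uninstall it from a host where it already is; unless the role purges it, resolvconf and systemd-resolved may both try to manage `/etc/resolv.conf` on o36 after the first run, so check `ls -l /etc/resolv.conf` afterwards.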
@@ -145,6 +144,76 @@ network_interfaces: # --- +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 195.201.179.131 + - 95.217.204.204 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - oopen.de + +resolved_dnssec: true + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + # --- # vars used by roles/common/tasks/users.yml # --- 
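Review bot: This host file repeats the ~45-line resolver catalogue comment from `group_vars/all/main.yml` verbatim, so the two copies will drift and the only real per-host override — `resolved_nameserver: 195.201.179.131 / 95.217.204.204`, the addresses just removed from the interface stanza — is buried under boilerplate. `resolved_domains`, `resolved_dnssec` and `resolved_fallback_nameserver` are identical to the group defaults and can be dropped here. Host vars should carry only what differs plus a pointer, e.g. `# resolver catalogue and defaults: see group_vars/all/main.yml`.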
diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 4c9f2bb..18aa691 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -360,6 +360,12 @@ samba_user: - beratung password: '20_martin_18' + - name: miriam + groups: + - buero + - beratung + password: 'slh-m1r14m23' + - name: nevena groups: - buero diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 60a2fd4..93b3cba 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -83,3 +83,8 @@ service: name: postfwd state: reloaded + +- name: Restart systemd-resolved + service: + name: systemd-resolved + state: restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7ba64fc..82586a5 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -41,6 +41,18 @@ tags: yum +# tags supported inside systemd-resolved.yml +# +# systemd-resolved +- import_tasks: systemd-resolved.yml + tags: + - systemd-resolved + when: + - ansible_facts['distribution'] == "Debian" + - ansible_facts['distribution_major_version'] > "11" + - systemd_resolved is defined and systemd_resolved|bool + + - import_tasks: tor.yml when: diff --git a/roles/common/tasks/systemd-resolved.yml b/roles/common/tasks/systemd-resolved.yml new file mode 100644 index 0000000..bc6504f --- /dev/null +++ b/roles/common/tasks/systemd-resolved.yml 
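Review bot: `password: 'slh-m1r14m23'` adds another cleartext Samba credential to a file under version control; once pushed it stays recoverable from history even after rotation. The existing `'20_martin_18'` context line shows the pattern is established, but each new entry should at least be encrypted at rest with `ansible-vault encrypt_string 'slh-m1r14m23' --name password` (a `!vault |` block in place of the literal), and the task that consumes `samba_user` should set `no_log: true` so the value is not echoed into play output. The `samba_user` list starts above the hunk.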
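Review bot: `ansible_facts['distribution_major_version'] > "11"` compares two strings, so Jinja evaluates it lexically: `"12" > "11"` is true, but so is `"9" > "11"` (a stretch host would be gated in), while `"100" > "11"` would be false. Cast before comparing: `- ansible_facts['distribution_major_version'] | int > 11`. Since `import_tasks` applies this `when:` to every task in the imported file, the `systemd_resolved is defined and systemd_resolved|bool` guard repeated per task inside systemd-resolved.yml is redundant and can go.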
@@ -0,0 +1,76 @@ +--- + +# --- +# Set some facts +# --- + +- name: (systemd-resolved.yml) Set fact_resolved_nameserver (blank separated list) + set_fact: + fact_resolved_nameserver: "{{ resolved_nameserver | join (' ') }}" + when: + - resolved_nameserver is defined and resolved_nameserver | length > 0 + tags: + - systemd-resolved + +- name: (systemd-resolved.yml) Set fact_resolved_fallback_nameserver (blank separated list) + set_fact: + fact_resolved_fallback_nameserver: "{{ resolved_fallback_nameserver | join (' ') }}" + when: + - resolved_fallback_nameserver is defined and resolved_fallback_nameserver | length > 0 + tags: + - systemd-resolved + +- name: (systemd-resolved.yml) Set fact_resolved_domains (blank separated list) + set_fact: + fact_resolved_domains: "{{ resolved_domains | join (' ') }}" + when: + - resolved_domains is defined and resolved_domains | length > 0 + tags: + - systemd-resolved + + + +# --- +# Install/Enable systemd-resolved package +# --- + +- name: (systemd-resolved.yml) Ensure systemd-resolved package is installed. 
+ package: + pkg: systemd-resolved + state: present + when: + - systemd_resolved is defined and systemd_resolved|bool + tags: + - systemd-resolved + +- name: (systemd-services.yml) Enable service + systemd: + name: systemd-resolved + enabled: true + when: + - systemd_resolved is defined and systemd_resolved|bool + tags: + - systemd-resolved + + + +# --- +# Create configuration for systemd-resolved +# --- + +- name: (systemd-resolved.yml) Ensure directory '/etc/systemd/resolved.conf.d' exists + file: + path: /etc/systemd/resolved.conf.d + state: directory + mode: 0755 + group: root + owner: root + +- name: (systemd-resolved.yml) Create/Update file '/etc/systemd/resolved.conf.d/50-resolved-local.conf' from template sshd_config.j2 + template: + src: etc/systemd/resolved.conf.d/50-resolved-local.conf + dest: /etc/systemd/resolved.conf.d/50-resolved-local.conf + owner: root + group: root + mode: 0644 + notify: "Restart systemd-resolved" diff --git a/roles/common/templates/etc/apt/sources.list.Debian.j2 b/roles/common/templates/etc/apt/sources.list.Debian.j2 index a778aa8..c568805 100644 --- a/roles/common/templates/etc/apt/sources.list.Debian.j2 +++ b/roles/common/templates/etc/apt/sources.list.Debian.j2 
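Review bot: The directory and template tasks carry no `tags:`, so a run limited to `--tags systemd-resolved` — exactly what the comment in tasks/main.yml advertises — installs and enables the service but never writes `50-resolved-local.conf`, leaving resolution on whatever `DNS=`/`FallbackDNS=` the package ships. Both need `tags: [systemd-resolved]`; while there, the enable task only sets `enabled: true`, so on a run where the template is unchanged (no handler) a stopped service stays stopped until reboot — add `state: started`. The template task name still says `from template sshd_config.j2`, the enable task is labelled `(systemd-services.yml)`, and `mode: 0755` is an unquoted octal (`"0755"` per Ansible convention).
```yaml
- name: (systemd-resolved.yml) Enable and start service
  systemd:
    name: systemd-resolved
    enabled: true
    state: started
  when:
    - systemd_resolved is defined and systemd_resolved|bool
  tags:
    - systemd-resolved

# … unchanged: directory task, plus `mode: "0755"` and `tags: [systemd-resolved]` …

- name: (systemd-resolved.yml) Create/Update '/etc/systemd/resolved.conf.d/50-resolved-local.conf' from template
  template:
    src: etc/systemd/resolved.conf.d/50-resolved-local.conf
    dest: /etc/systemd/resolved.conf.d/50-resolved-local.conf
    owner: root
    group: root
    mode: "0644"
  notify: "Restart systemd-resolved"
  tags:
    - systemd-resolved
```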
@@ -45,6 +45,16 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {% endif %} {% endif %} +{% if apt_debian_contrib_nonfree_enable %} +{% if ansible_facts['distribution_major_version'] | int >= 12 %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware +{% else %} +deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free +{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free +{% endif %} +{% endif %} + # # N.B. software from this repository may not have been tested as # # extensively as that contained in the main release, although it includes # # newer versions of some applications which may provide useful features. diff --git a/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf new file mode 100644 index 0000000..f5167c5 --- /dev/null +++ b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf 
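Review bot: In the `{% else %}` branch (Debian < 12) the `deb` line omits the `-updates` suffix that its `deb-src` counterpart carries, so it re-emits the plain `{{ ansible_lsb.codename }} contrib non-free` line the block above already wrote and never adds stable-updates for contrib/non-free on bullseye and earlier. It should read `deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free`. Separately, the `>= 12` branch now pulls `non-free-firmware` for every host that sets `apt_debian_contrib_nonfree_enable`; if that is not wanted on all of them, give it its own flag.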
@@ -0,0 +1,30 @@ +# *** ---------------------------------------------- *** +# *** *** +# {{ ansible_managed }} +# *** *** +# *** ---------------------------------------------- *** + +[Resolve] +{% if (fact_resolved_nameserver is defined) and fact_resolved_nameserver %} +DNS={{ fact_resolved_nameserver}} +{% else %} +#DNS= +{% endif -%} + +{% if (fact_resolved_fallback_nameserver is defined) and fact_resolved_fallback_nameserver %} +FallbackDNS={{ fact_resolved_fallback_nameserver }} +{% else %} +#FallbackDNS= +{% endif -%} + +{% if (fact_resolved_domains is defined) and fact_resolved_domains %} +Domains={{ fact_resolved_domains }} +{% else %} +#Domains= +{% endif -%} + +{% if (resolved_dnssec is defined) and resolved_dnssec %} +DNSSEC={{ resolved_dnssec }} +{% else %} +#Domains= +{% endif %}
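Review bot: The DNSSEC stanza's `{% else %}` branch writes `#Domains=` (copied from the block above), so a host with `resolved_dnssec: false` gets no `DNSSEC=` line at all and silently inherits the build default instead of an explicit `no`; and when true, `{{ resolved_dnssec }}` renders Jinja's `True`, which I would not rely on systemd's boolean parser accepting in that spelling — check `resolvectl status` after deploy. Render it unconditionally as `DNSSEC={{ 'yes' if resolved_dnssec | default(false) | bool else 'no' }}` and drop the else. The template also never emits `DNSOverTLS=`, so the DoT servers catalogued in the vars comments are unused; with public upstreams, `DNSOverTLS=opportunistic` is a cheap addition.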