update...

This commit is contained in:
Christoph 2023-05-01 10:47:10 +02:00
parent 9766f7841e
commit bb57e8e555
35 changed files with 1416 additions and 274 deletions


@ -2076,6 +2076,8 @@ nfs_exports: []
copy_plain_files: []
copy_plain_files_postfix_host_specific: []
copy_plain_files_postfwd_host_specific: []
copy_plain_files_postfix:


@ -99,22 +99,24 @@ copy_plain_files:
dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf
copy_plain_files_postfwd_host_specific: []
copy_plain_files_postfix_host_specific:
#copy_plain_files_postfwd_host_specific:
# # Postfix Firewall postfwd
# #
# - name: postfwd.bl-sender
# src_path: b.mx/etc/postfix/postfwd.bl-sender
# dest_path: /etc/postfix/postfwd.bl-sender
#
# - name: postfwd.bl-user
# src_path: b.mx/etc/postfix/postfwd.bl-user
# dest_path: /etc/postfix/postfwd.bl-user
#
# - name: postfwd.wl-user
# src_path: b.mx/etc/postfix/postfwd.wl-user
# dest_path: /etc/postfix/postfwd.wl-user
- name: relay_domains
src_path: b.mx/etc/postfix/relay_domains
dest_path: /etc/postfix/relay_domains
copy_plain_files_postfwd_host_specific:
# Postfix Firewall postfwd
#
- name: postfwd.wl-nets
src_path: b.mx/etc/postfix/postfwd.wl-nets
dest_path: /etc/postfix/postfwd.wl-nets
- name: postfwd.wl-sender
src_path: b.mx/etc/postfix/postfwd.wl-sender
dest_path: /etc/postfix/postfwd.wl-sender
copy_template_files: []
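Review bot: The new `copy_plain_files_postfwd_host_specific` list at the end of the hunk ships only postfwd.wl-nets and postfwd.wl-sender for b.mx, while the postfwd.cf removed elsewhere in this commit also reads `file:/etc/postfix/postfwd.wl-hosts` and `file:/etc/postfix/postfwd.wl-user`; if the ruleset deployed to this host still references those files, confirm they are provided by another variable or add them here, because a missing lookup file is presumably treated as an empty list rather than a deployment error. The commented-out bl-sender/bl-user stanza above `relay_domains` looks stale next to the whitelist-only layout; if it survives on the new side, drop it or add a one-line comment saying why it is kept. The enclosing `copy_plain_files_*` mappings start before this hunk.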


@ -100,6 +100,69 @@ sudo_users:
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/copy_files.yml
# ---
copy_plain_files:
# /root/bin/monitoring
#
- name: monitoring_check_cert_for_dovecot.conf
src_path: o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: o13-mail/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_check-postfix-fatal-errors.conf
src_path: o13-mail/root/bin/postfix/conf/check-postfix-fatal-errors.conf
dest_path: /root/bin/postfix/conf/check-postfix-fatal-errors.conf
copy_plain_files_postfwd_host_specific:
- name: header_checks.pcre
src_path: o13-mail/etc/postfix/header_checks.pcre
dest_path: /etc/postfix/header_checks.pcre
- name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-nets
src_path: o13-mail/etc/postfix/postfwd.wl-nets
dest_path: /etc/postfix/postfwd.wl-nets
- name: postfwd.wl-sender
src_path: o13-mail/etc/postfix/postfwd.wl-sender
dest_path: /etc/postfix/postfwd.wl-sender
- name: postfwd.wl-user
src_path: o13-mail/etc/postfix/postfwd.wl-user
dest_path: /etc/postfix/postfwd.wl-user
# Postfix Firewall postfwd
#
#- name: postfwd.wl-user
# src_path: o13-mail/etc/postfix/postfwd.wl-user
# dest_path: /etc/postfix/postfwd.wl-user
#copy_template_files: []
#
# - name: mailsystem_install_amavis.conf
# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
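Review bot: `postfwd.wl-hosts` is listed twice in the new `copy_plain_files_postfwd_host_specific` list (two consecutive entries with identical `src_path`/`dest_path`); the second entry is redundant and should be deleted, and the same duplicate appears in the new host_vars/rage.so36.net.yml further down. The `# Postfix Firewall postfwd` heading sits after the entries it describes, whereas the b.mx host file earlier in this commit puts it before them; move it to the top of the list for consistency. `header_checks.pcre` is a Postfix header_checks table rather than a postfwd file, so if its placement under a postfwd-named variable is intentional a comment such as `# header_checks.pcre travels with the postfwd files because it is host specific` would save the next reader a question. The `copy_plain_files` mapping begins before this hunk.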


@ -22,9 +22,9 @@ network_interface_required_packages:
network_interfaces:
- device: eth0
- device: enp6s0
# use only once per device (for the first device entry)
headline: eth0 - primary network interface
headline: enp6s0 - primary network interface
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@ -34,9 +34,9 @@ network_interfaces:
method: static
hwaddress:
description:
address: 195.128.100.83
netmask: 22
gateway: 195.128.100.1
address: 65.109.158.101
netmask: 26
gateway: 65.109.158.65
metric:
pointopoint:
mtu:
@ -64,9 +64,9 @@ network_interfaces:
# search: warenform.de
#
nameservers:
- 46.38.225.230
- 46.38.252.230
- 2a03:4000:8000::fce6
- 127.0.0.1
- 185.12.64.2
- 2a01:4ff:ff00::add:1
search:
# optional additional subnets/ips subnets: []
@ -98,7 +98,7 @@ network_interfaces:
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
# raw-device: 'enp6s0'
vlan: {}
# inline hook scripts
@ -111,10 +111,10 @@ network_interfaces:
- device: eth0
- device: enp6s0
family: inet6
method: static
address: 2a03:4000:35:761:a438:21ff:fea0:11bc
address: 2a01:4f9:3080:155d::2
netmask: 64
gateway: fe80::1
@ -151,7 +151,7 @@ network_interfaces:
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
password: $y$j9T$4tHDBpAXsLybUcR3EkGsN1$FztD35vOLJ2wkdcMMyWVjx7H6vCYAXK2Sik9RVx6iF6
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
@ -162,7 +162,7 @@ default_user:
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
password: $y$j9T$yvoukGb.97d5zHhCyfsi81$AmUW40NQhF4guOF95AZ/wU52SxmU8pviyqTOKgssLJB
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
@ -171,19 +171,17 @@ default_user:
- name: localadmin
user_id: 1051
group_id: 1051
password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90
password: $y$j9T$jS87fYUjhgghnH3Z46quc1$Kc7ywLGc2XidgYNCT3J/cVy5.2JEATyB0oAwxzE92L7
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-rsa 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 jonas@meurer.it'
- 'ssh-rsa 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 t@NB-003258-RLS'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
password: $y$j9T$Q3MnSpKzmdfYWzmQVheWu/$7RcNMpDKF5aln1hk.5ReYfKSNUeRxfOj1yaHmo6YH95
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
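Review bot: The four replaced `password` values under `default_user` are crypt hashes kept in clear YAML under version control; even as hashes they are offline-crackable material, so they belong in an ansible-vault encrypted file (or as vault-encrypted inline values) rather than in the plain vars file. The new hashes carry the `$y$` yescrypt prefix, which is only accepted on targets whose libcrypt supports yescrypt (Debian 11 and later, for example); confirm that every host consuming this file qualifies, otherwise logins with the new hash fail silently. The `default_user` list continues past the end of the last hunk.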

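--- a/host_vars/rage.so36.net.yml
+++ b/host_vars/rage.so36.net.yml
@@ -0,0 +1,131 @@
+---
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+# ---
+# vars used by roles/ansible_user
+# ---
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+# ---
+# vars used by roles/common/tasks/copy_files.yml
+# ---
+copy_plain_files:
+# /root/bin/monitoring
+#
+- name: monitoring_check_cert_for_dovecot.conf
+src_path: rage/root/bin/monitoring/conf/check_cert_for_dovecot.conf
+dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
+# /root/bin/postfix
+#
+- name: postfix_check-postfix-fatal-errors.conf
+src_path: rage/root/bin/postfix/conf/check-postfix-fatal-errors.conf
+dest_path: /root/bin/postfix/conf/check-postfix-fatal-errors.conf
+- name: postfix_sent_userinfo_postfix.conf
+src_path: rage/root/bin/postfix/conf/sent_userinfo_postfix.conf
+dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf
+- name: postfix_get_number_of_deferred_mailqueue.conf
+src_path: rage/root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf
+dest_path: /root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf
+copy_plain_files_postfwd_host_specific:
+- name: header_checks.pcre
+src_path: rage/etc/postfix/header_checks.pcre
+dest_path: /etc/postfix/header_checks.pcre
+- name: postfwd.wl-hosts
+src_path: rage/etc/postfix/postfwd.wl-hosts
+dest_path: /etc/postfix/postfwd.wl-hosts
+- name: postfwd.wl-hosts
+src_path: rage/etc/postfix/postfwd.wl-hosts
+dest_path: /etc/postfix/postfwd.wl-hosts
+- name: postfwd.wl-nets
+src_path: rage/etc/postfix/postfwd.wl-nets
+dest_path: /etc/postfix/postfwd.wl-nets
+- name: postfwd.wl-sender
+src_path: rage/etc/postfix/postfwd.wl-sender
+dest_path: /etc/postfix/postfwd.wl-sender
+- name: postfwd.wl-user
+src_path: rage/etc/postfix/postfwd.wl-user
+dest_path: /etc/postfix/postfwd.wl-user
+# Postfix Firewall postfwd
+#
+#- name: postfwd.wl-user
+# src_path: rage/etc/postfix/postfwd.wl-user
+# dest_path: /etc/postfix/postfwd.wl-user
+#copy_template_files: []
+#
+# - name: mailsystem_install_amavis.conf
+# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2
+# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+# ==============================
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---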


@ -329,7 +329,13 @@ samba_user:
- beratung
password: '20!lavinia*20'
- name: mahadi
- name: magdalena
groups:
- buero
- beratung
password: 'magdalena_23'
- name: mahadi
groups:
- buero
- beratung
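Review bot: The added `magdalena` entry stores the Samba password as a plaintext string (`password: 'magdalena_23'`), matching the existing entries in this list; these values should live in an ansible-vault encrypted file or come from a secret store, and any task that consumes them should set `no_log: true` so they do not end up in playbook output. The value is also a weak, name-derived password; if it has to be set here, generate it instead. The `samba_user` list starts before and continues after this hunk.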

32
hosts

@ -3,7 +3,7 @@
#[so36_server_dehydrated]
#comm.so36.net ansible_user=ckubu
#noc.so36.net ansible_user=ckubu
#rage.so36.net ansible_user=ckubu
rage.so36.net ansible_user=ckubu
#rubyhost.so36.net ansible_user=ckubu
#sympa.so36.net ansible_user=ckubu
#schleuder3.so36.net ansible_user=ckubu
@ -183,6 +183,9 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
o35.oopen.de
b.ns.oopen.de
cl-02.oopen.de
@ -342,6 +345,9 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# - o35.oopen.de
o35.oopen.de
b.ns.oopen.de
@ -520,6 +526,9 @@ backup.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
e.mx.oopen.de
@ -705,6 +714,9 @@ o26.oopen.de
# etventure
o32.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
etherpad.oopen.de
web-02.oopen.de
@ -774,7 +786,7 @@ lists.mx.warenform.de
# so36.net
# ---
#rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
[sympa_list_server]
@ -889,6 +901,9 @@ cloud.akweb.de
# etventure
o32.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
etherpad.oopen.de
@ -967,6 +982,9 @@ backup.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
@ -1019,6 +1037,9 @@ o22.oopen.de
# o27.oopen.de
mail.faire-mobilitaet.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
d.mx.oopen.de
e.mx.oopen.de
@ -1174,6 +1195,7 @@ o29.oopen.de
o30.oopen.de
o31.oopen.de
o32.oopen.de
o34.oopen.de
o35.oopen.de
o36.oopen.de
@ -1286,6 +1308,9 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# o35.oopen.de
cl-02.oopen.de
e.mx.oopen.de
@ -1467,6 +1492,9 @@ o32.oopen.de
# BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER
o34.oopen.de
# - o35.oopen.de
o35.oopen.de
cl-02.oopen.de
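Review bot: `rage.so36.net` is now enabled on two inventory lines with different connection settings, `rage.so36.net ansible_user=ckubu` in the first hunk and `rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036` in the `@ -774,7 +786,7` hunk; variables on an inventory host line are host-scoped, so both sets apply to the same host regardless of group, which definition wins depends on parse order, and the `ansible_ssh_*` spellings are deprecated aliases of `ansible_user`/`ansible_port`. Define the user and port once, ideally in the host_vars/rage.so36.net.yml this commit adds, and keep the group lines bare: `rage.so36.net`. The `o34.oopen.de` additions in the other hunks are unaffected.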


@ -1,38 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# @acieu\.co\.uk$
# ^error@mailfrom.com$
#
# instedt of
#
# @acieu.co.uk
# error@mailfrom.com
#
#
# Example:
#
# # # annoying spammer domains
# # block all senders of maildomaindomain 'oopen.de'
# @acieu\.co\.uk$
#
# # annoying spammer addresses
# # block sender address
# error@mailfrom.com
# sqek@eike\.se$
#
# ---
# annoying spammer domains
@acieu\.co\.uk$
# annoying spammer addresses
^error@mailfrom\.com$
^sqek@eike\.se$


@ -1,13 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give SASL usernames to block here
# ckubu@oopen.de
#
# ---
# give SASL usernames to block here


@ -1,172 +0,0 @@
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^$
}
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Throttle unknown clients to 5 recipients per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)


@ -13,3 +13,7 @@
# ---
# give truested networrk adresses here
# d.mx.oopen.de (listen server)
95.217.204.227
2a01:4f9:4a:47e5::227
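Review bot: Adding d.mx.oopen.de's two addresses to postfwd.wl-nets exempts everything that host sends from the postfwd rate and recipient limits, assuming the ruleset in use resembles the postfwd.cf removed in this commit, where `&&TRUSTED_NETS` answers `action=DUNNO` ahead of the rate rules; for the list server that is plausibly intended, but the comment should say so, e.g. `# d.mx.oopen.de (list server) - exempt from postfwd rate limits`. The added comment `# give truested networrk adresses here` has three typos (`trusted network addresses`); the same line is added in the `@ -12,5 +12,7` hunk of the other wl-nets file further below.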


@ -19,4 +19,7 @@
# ---
# give trusted sender addresses here
^noreply@login\.ubuntu\.com$
^check_local_es_service@oolm-shop\.oopen\.de$
^root@oolm-shop\.oopen\.de$
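Review bot: The two new patterns (`^check_local_es_service@oolm-shop\.oopen\.de$`, `^root@oolm-shop\.oopen\.de$`) whitelist by envelope sender alone, and the envelope sender is chosen by the connecting client; if this file feeds a rule like `WHL_SENDERS` in the postfwd.cf removed by this commit, a client presenting one of these addresses skips the rate and recipient limits that follow. Prefer whitelisting the sending host by address in postfwd.wl-nets or by SASL login in postfwd.wl-user, or add a comment explaining why a sender match is acceptable for these two; the same consideration applies to `^noreply@login\.ubuntu\.com$` in the new wl-sender file further below.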


@ -0,0 +1,182 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
## - a.mx.oopen.de
## -
## - create relay-domain list for host a.mx.oopen.de:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done
## -
afa-ost.de :[a.mx.oopen.de]
agberatung-berlin.org :[a.mx.oopen.de]
aku-punkt-berlin.de :[a.mx.oopen.de]
akweb.de :[a.mx.oopen.de]
amberg-dolmetschen.de :[a.mx.oopen.de]
anwaeltinnenbuero.info :[a.mx.oopen.de]
anwaeltinnenbuero.net :[a.mx.oopen.de]
anwaeltinnen.de :[a.mx.oopen.de]
anwalthoffmann.de :[a.mx.oopen.de]
anwalt-klinggraeff.de :[a.mx.oopen.de]
anwalt-schrage.de :[a.mx.oopen.de]
anw-nbg.de :[a.mx.oopen.de]
azzellini.net :[a.mx.oopen.de]
b3-bornim.de :[a.mx.oopen.de]
behrens-boehlo.de :[a.mx.oopen.de]
beitragen-statt-wegnehmen.de :[a.mx.oopen.de]
berliner-register.de :[a.mx.oopen.de]
berlin-gegen-nazis.de :[a.mx.oopen.de]
bildungswege.org :[a.mx.oopen.de]
buelos.de :[a.mx.oopen.de]
cacn.de :[a.mx.oopen.de]
cakebook.de :[a.mx.oopen.de]
christoph-mauler.de :[a.mx.oopen.de]
commonground.community :[a.mx.oopen.de]
fluechtlingsrat-brandenburg.de :[a.mx.oopen.de]
georgrohde.de :[a.mx.oopen.de]
glx-consulting.com :[a.mx.oopen.de]
groenlandpaddel-berlin.de :[a.mx.oopen.de]
gruppe-freital-nebenklage.de :[a.mx.oopen.de]
halbzwei.com :[a.mx.oopen.de]
herrschaftskritik.org :[a.mx.oopen.de]
il-pad.oopen.de :[a.mx.oopen.de]
incredible-dharavi.org :[a.mx.oopen.de]
jo.oopen.de :[a.mx.oopen.de]
k8h.de :[a.mx.oopen.de]
kar-loh.de :[a.mx.oopen.de]
kluuu.com :[a.mx.oopen.de]
koma-elektronik.com :[a.mx.oopen.de]
kottbusserdamm.net :[a.mx.oopen.de]
lubax.de :[a.mx.oopen.de]
mail-ga.de :[a.mx.oopen.de]
mbr-berlin.de :[a.mx.oopen.de]
meet2.oopen.de :[a.mx.oopen.de]
meet.agberatung-berlin.org :[a.mx.oopen.de]
meet.akweb.de :[a.mx.oopen.de]
meet.anwaeltinnenbuero.net :[a.mx.oopen.de]
meet.oopen.de :[a.mx.oopen.de]
meet.reachoutberlin.de :[a.mx.oopen.de]
mimecentrum.de :[a.mx.oopen.de]
mossestrasse.de :[a.mx.oopen.de]
netclimbers.de :[a.mx.oopen.de]
nsu-nebenklage.de :[a.mx.oopen.de]
oopen.de :[a.mx.oopen.de]
opferperspektive.de :[a.mx.oopen.de]
opra-gewalt.de :[a.mx.oopen.de]
pankow-hilft.de :[a.mx.oopen.de]
presserecht-bundesweit.de :[a.mx.oopen.de]
rajus.de :[a.mx.oopen.de]
reachoutberlin.de :[a.mx.oopen.de]
schule-herzogau.de :[a.mx.oopen.de]
socialfiction.de :[a.mx.oopen.de]
spangenberg-supervision.de :[a.mx.oopen.de]
spjw.de :[a.mx.oopen.de]
tabumove.de :[a.mx.oopen.de]
text-arbeit.net :[a.mx.oopen.de]
traversata-film.de :[a.mx.oopen.de]
vdk-berlin.de :[a.mx.oopen.de]
ware-groesse.de :[a.mx.oopen.de]
wissen-ist-relevant.de :[a.mx.oopen.de]
www.oopen.de :[a.mx.oopen.de]
zahlenkollektiv.org :[a.mx.oopen.de]
## - Domains Ilker
## -
alem.social :[mail.alem.social]
egilstein.de :[mail.alem.social]
ungleichgesinnten.de :[mail.alem.social]
## - mx.gemeinschaft-altenschlirf.de
gemeinschaft-altenschlirf.de :[mx.gemeinschaft-altenschlirf.de]
gemeinschaft-altenschlirf.org :[mx.gemeinschaft-altenschlirf.de]
## - lists.oopen.de
## -
## -
## - create relay-domain list for listserver d.mx.oopen.de
## -
## - cd /data/sympa/list_data
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[d.mx.oopen.de]" ; done
## -
lists.aktionsbuendnis-brandenburg.de :[d.mx.oopen.de]
lists.akweb.de :[d.mx.oopen.de]
lists.bilgisaray.org :[d.mx.oopen.de]
lists.cacn.de :[d.mx.oopen.de]
lists.cadus.org :[d.mx.oopen.de]
lists.faire-mobilitaet.de :[d.mx.oopen.de]
lists.fluechtlingsrat-brandenburg.de :[d.mx.oopen.de]
lists.gemeinschaft-altenschlirf.de :[d.mx.oopen.de]
lists.glx-consult.com :[d.mx.oopen.de]
lists.initiativenserver.de :[d.mx.oopen.de]
lists.kar-loh.de :[d.mx.oopen.de]
lists.mahalle.de :[d.mx.oopen.de]
lists.mbr-berlin.de :[d.mx.oopen.de]
lists.oopen.de :[d.mx.oopen.de]
lists.pankow-hilft.de :[d.mx.oopen.de]
lists.schule-in-not.de :[d.mx.oopen.de]
lists.techworkersberlin.com :[d.mx.oopen.de]
lists.visionen-fuer-pankow.de :[d.mx.oopen.de]
## - c.mx.oopen.de
## -
## - create relay-domain list for host ic.mx.oopen.de:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[c.mx.oopen.de]" ; done
## -
aktionsbuendnis-brandenburg.de :[c.mx.oopen.de]
brandenburg-nazifrei.de :[c.mx.oopen.de]
haus-der-demokratie-zossen.de :[c.mx.oopen.de]
initiativenserver.de :[c.mx.oopen.de]
kurage.eu :[c.mx.oopen.de]
willkommen-ohv.de :[c.mx.oopen.de]
zossen-zeigt-gesicht.de :[c.mx.oopen.de]
## - so36 - schleuder lists
## -
cryptolists.so36.net :[schleuder3.so36.net]
## - so36 maildomains
## -
## - create relay-domain list for host rage.so36.net:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[rage.so36.net]" ; done
## -
absent-friends.org :[rage.so36.net]
antifa.de :[rage.so36.net]
antifa-versand.de :[rage.so36.net]
archiv-kiel.de :[rage.so36.net]
az-wuppertal.de :[rage.so36.net]
bamm.de :[rage.so36.net]
cilip.de :[rage.so36.net]
dosto.de :[rage.so36.net]
g20-doku.org :[rage.so36.net]
hotmehl.com :[rage.so36.net]
kamalatta.de :[rage.so36.net]
kreta-film.net :[rage.so36.net]
libertad.so36.net :[rage.so36.net]
mail36.net :[rage.so36.net]
oh21.de :[rage.so36.net]
ostpack.de :[rage.so36.net]
so36.net :[rage.so36.net]
so36net.de :[rage.so36.net]
socialforum-berlin.org :[rage.so36.net]
speakerinnen.org :[rage.so36.net]
uffmucken-schoeneweide.de :[rage.so36.net]
## - so36 lists on sympa.so36.net
## -
## - create relay-domain list for listserver sympa.so36.net
## -
## - cd /data/sympa/list_data
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[mx.lists36.net]" ; done
## -
lists36.net :[mx.lists36.net]
lists.mail36.net :[mx.lists36.net]
lists.so36.net :[mx.lists36.net]
## - codecoop
## -
codecoop.org :[rage.so36.net]
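Review bot: The generator comment for the c.mx block reads `## - create relay-domain list for host ic.mx.oopen.de:` while its entries map to `[c.mx.oopen.de]`; fix the host name in the comment. Postfix accepts mail for every domain in relay_domains and rejects unknown recipients only when `relay_recipient_maps` covers them, otherwise undeliverable mail is accepted and bounced later (backscatter); main.cf is not on this page, so confirm that setting covers the domains in this new file, especially the rage.so36.net and mx.lists36.net blocks. The final `codecoop.org :[rage.so36.net]` entry sits under its own `## - codecoop` heading rather than in the rage block above; a short comment on why it is kept separate would help.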


@ -12,7 +12,8 @@ kernel.printk = 4 4 1 7
kernel.panic = 10
kernel.sysrq = 0
kernel.shmmax = 4294967296
kernel.shmall = 4194304
#kernel.shmall = 4194304
kernel.shmall = 134217728
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
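Review bot: `kernel.shmall` jumps from 4194304 to 134217728 with the old value left commented out and no explanation; shmall counts pages, so a comment such as `# kernel.shmall is in pages: 134217728 * 4 KiB = 512 GiB total shared memory` (assuming 4 KiB pages on these hosts) would make the intent reviewable, and the commented-out old value can go since git keeps the history. `kernel.shmmax` on the line above stays at 4294967296 bytes, so a single segment remains capped at 4 GiB; confirm that combination is what is wanted.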


@ -3,12 +3,18 @@
# ---
# - Replace headers
# - Replace recieved from IPv4
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
# - Replace recieved from IPv6
#
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers
# ---
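Review bot: The commented-out "hide only sender IP address" variants added near the end of the hunk would drop header text if they were ever enabled: their pattern ends in `\(Authenticated sender: (.*) /`, so the greedy group stops at the last space of the header, and because a Postfix REPLACE substitutes the whole header with the replacement text, whatever follows that last space (typically the trailing timezone of the date stamp) is lost. Capturing up to the closing parenthesis and re-emitting the remainder, `\(Authenticated sender: ([^)]+)\)(.*)` with `(Authenticated sender: $3)$4`, as the active `hidden` variants already do, keeps the header intact. The same two lines are added in the new 43-line header_checks file below.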


@ -0,0 +1,37 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
# - Replace recieved from IPv6
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
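Review bot: This new header_checks file duplicates the 43-line one added in the next hunk except for the two active REPLACE rules, and the rule identifier on the first REJECT line reads `T0-1001` (digit zero) where the neighbouring rules use letter codes (`FROM-1001`, `DATE-1001`), presumably `TO-1001`. The `Date:` rejections enumerate past years by hand (`19[0-9][0-9]`, `200[0-9]`, `201[0-9]`, `2020`) and already leave 2021 and 2022 unrejected as of this commit; one templated file with the REPLACE rules toggled by a host variable, plus a comment noting that the year list needs yearly maintenance, would avoid drift between the two copies.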


@ -0,0 +1,43 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
#
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
#
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004


@ -1,7 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Networks blocked by postfwd
# Trusted networks whitelisted by postfwd
#
# Example:
#
@ -12,5 +12,7 @@
#
# ---
# give networks to block here
# give truested networrk adresses here
# d.mx.oopen.de (listen server)
95.217.204.227
2a01:4f9:4a:47e5::227


@ -0,0 +1,23 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ^ckubu@oopen\.de$
#
# ---
# give trusted sender addresses here
^noreply@login\.ubuntu\.com$


@ -12,5 +12,3 @@
# ---
# give trusted sasl usernames here
kanzlei-kiel@b.mx.oopen.de


@ -0,0 +1,135 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh
#-----------------------------
#---------------------------------------
# - service_domain
# -
# - The main domain for which the certificate was issued
# -
# - Example:
# - service_domain="a.mx.oopen.de"
# - service_domain="mail.cadus.org"
# - service_domain="mx.warenform.de"
# -
#service_domain=""
service_domain="mail.interventionistische-linke.org"
# - service_name
# -
# - Name of service.
# -
# - Note: this var will also be used to determin systemd service file
# - or sysVinit script.
# -
# - Example:
# - service_name="Mumble"
# - service_name="Prosody"
# -
# - Defaults to:
# - service_name="Dovecot"
# -
#service_name=""
# - check_string_ps
# -
# - String wich (clearly) identifies the service at the process list (ps)
# -
# - Example:
# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
# - check_string_ps=""
# -
# - Defaults to:
# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
# -
#check_string_ps=""
# - service_user
# -
# - User under which the service is running.
# -
# - Example:
# - service_user="mumble-server"
# - service_user="prosody"
# -
# - Defaults to:
# - service_user="prosody"
# -
#service_user=""
# - service_group
# -
# - Group under which the service is running.
# -
# - Example:
# - service_group="mumble-server"
# - service_group="prosody"
# -
# - Defaults to:
# - service_group="prosody"
# -
#service_group=""
# - cert_installed
# -
# - Locataion of certificate read by service
# -
# - Example:
# - cert_installed="/var/lib/mumble-server/fullchain.pem"
# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.crt
# -
#cert_installed=""
# - key_installed
# -
# - Location of the key read by service
# -
# - Example:
# - key_installed="/var/lib/mumble-server/privkey.pem"
# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.key
# -
#key_installed=""
# - cert_newest
# -
# - Location of the newest certificate.
# -
# - Example:
# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
# -
#cert_newest=""
# - key_newest
# -
# - Location of the newest Key
# -
# - Example:
# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
# -
#key_newest=""
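Review bot: The `Defaults to:` comments for `service_user` and `service_group` both say `"prosody"` in a settings file for check_cert_for_dovecot.sh, which reads like a copy of a Prosody variant of this file; either the script's real defaults are documented wrongly here or the script really defaults to the wrong account, so verify against the script (not on this page) and correct the two comment lines, e.g. `# - service_user="dovecot"` if that is the case. Typos in the added comments: `determin` (determine), `wich` (which), `Locataion` (Location). `service_domain="mail.interventionistische-linke.org"` is a host-specific value, so this file presumably belongs to a single host's copy_plain_files tree; if it is shared between hosts that line needs templating.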


@ -0,0 +1,178 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.1"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"
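Review bot: `include_cleanup_function=true` is set while `cleanup_function` holds nothing but a newline and `check_website=false`, so whatever the script does with the cleanup hook is switched on for an empty body; presumably `include_cleanup_function=false` is meant until a real cleanup body exists — confirm against check_webservice_load.sh, which is not on this page. As a point of style, `from_address="root@\`hostname -f\`"` uses legacy backticks where the sibling configs in this commit write `$(hostname -f)`; `from_address="root@$(hostname -f)"` reads consistently and nests safely. The comment block above `check_postgresql=true` warns the check is not useful with several PostgreSQL instances; a one-line note stating that this host runs a single instance would justify leaving it enabled.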


@ -0,0 +1,54 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------------
# - Parameter Settings for script 'check-postfix-fatal-error.sh'.
# ---------------------------------------------------------------
# MAIL_LOG
#
# Full qualified path to the mail log-file
#
# Defaults to: MAIL_LOG=/var/log/mail.log
#
#MAIL_LOG="/var/log/mail.log"
# ---
# - E-Mail settings for sending script messages
# ---
# - company
# -
# - Example: company="Cadus e.V."
# -
# - Defaults to:
# - company="O.OPEN"
# -
#company="O.OPEN"
company="IL"
# - sender_address
# -
# - Defaults to:
# - sender_address="${script_name%%.*}@$(hostname -f)"
# -
#sender_address="check-postfix-fatal-error@$(hostname -f)"
# - content_type
# -
# - Defaults to:
# - content_type='Content-Type: text/plain;\n charset="utf-8"'
# -
#content_type='Content-Type: text/plain;\n charset="utf-8"'
# - alert_email_addresses
# -
# - blank separated list of e-mail addresses
#
# - Example: alert_email_addresses="ckubu@oopen.de axel@warenform.net"
# -
# - Defaults to:
# - alert_email_addresses="ckubu@oopen.de"
# -
#alert_email_addresses="ckubu@oopen.de"
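Review bot: `alert_email_addresses` is left at its commented default, so fatal-error alerts for this host go to the default address named in the comment, whereas the so36 variant of this file further down the same commit sets `alert_email_addresses` explicitly; only `company="IL"` is overridden here. If the default recipient is intended for this host, a comment such as `# alerts intentionally go to the script default` would spare the next reader the comparison; otherwise set the address here.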


@ -0,0 +1,43 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
#
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
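Review bot: The two active REPLACE rules capture the authenticated sender with a greedy `(.*) ` and end the replacement at `$3` / `$5`, so everything after the last space of the matched logical header is dropped from the rewritten Received: line (for a folded header that is its tail, typically the trailing zone comment); the commented-out variants directly above use the bounded `([^)]+)\)(.*)` and re-emit `$4`/`$6`, which keep the remainder intact. If truncating the tail is intentional it deserves a comment on the rule, otherwise the bounded form is the safer anonymisation. The IPv6 alternative lists only lowercase hex, which is fine since Postfix regexp tables match case-insensitively unless the `i` flag is turned off. The DATE rules stop at 2020 while rejecting "Date from the past"; a comment stating the intended cut-off year would make that easier to maintain.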


@ -1,7 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# hosts blocked by postfwd
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
@ -10,13 +10,13 @@
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# # host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give hostnames to blocke here
# give truested hostnames here


@ -0,0 +1,18 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here
# d.mx.oopen.de (listen server)
95.217.204.227
2a01:4f9:4a:47e5::227
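Review bot: The two whitelisted addresses are unanchored, so if postfwd consults this file the way the sibling wl-hosts and wl-sender lists say they are consulted (`=~`, perl regexp), `95.217.204.227` also matches `195.217.204.227` and the unescaped dots match any character, widening the trust list beyond the one listen server; anchored entries `^95\.217\.204\.227$` and `^2a01:4f9:4a:47e5::227$` close that gap. If the rule instead compares with `==` or a CIDR match this is harmless, but the header omits the "called with '=~'" note the sibling files carry, so the matching mode should be stated either way. The comment `give truested networrk adresses here` has three typos.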


@ -0,0 +1,23 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ^ckubu@oopen\.de$
#
# ---
# give trusted sender addresses here
^noreply@login\.ubuntu\.com$
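Review bot: Exempting `^noreply@login\.ubuntu\.com$` by sender address alone lets any client that puts that address in MAIL FROM skip whatever checks the postfwd rule bypasses, because the envelope sender is chosen by the sending party unless the rule is additionally bound to the sending network or to an SPF/DKIM verdict (presumably this list is matched against the envelope sender — confirm in the postfwd rule set, which is not on this page). A header comment recording why this sender needed the exemption and which additional condition the rule applies would make the accepted risk visible to the next maintainer, e.g. `# noreply@login.ubuntu.com: exempt only when <condition>, see postfwd.cf rule <name>`.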


@ -0,0 +1,14 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here


@ -0,0 +1,135 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh
#-----------------------------
#---------------------------------------
# - service_domain
# -
# - The main domain for which the certificate was issued
# -
# - Example:
# - service_domain="a.mx.oopen.de"
# - service_domain="mail.cadus.org"
# - service_domain="mx.warenform.de"
# -
#service_domain=""
service_domain="rage.so36.net"
# - service_name
# -
# - Name of service.
# -
# - Note: this var will also be used to determin systemd service file
# - or sysVinit script.
# -
# - Example:
# - service_name="Mumble"
# - service_name="Prosody"
# -
# - Defaults to:
# - service_name="Dovecot"
# -
#service_name=""
# - check_string_ps
# -
# - String wich (clearly) identifies the service at the process list (ps)
# -
# - Example:
# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
# - check_string_ps=""
# -
# - Defaults to:
# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
# -
#check_string_ps=""
# - service_user
# -
# - User under which the service is running.
# -
# - Example:
# - service_user="mumble-server"
# - service_user="prosody"
# -
# - Defaults to:
# - service_user="prosody"
# -
#service_user=""
# - service_group
# -
# - Group under which the service is running.
# -
# - Example:
# - service_group="mumble-server"
# - service_group="prosody"
# -
# - Defaults to:
# - service_group="prosody"
# -
#service_group=""
# - cert_installed
# -
# - Locataion of certificate read by service
# -
# - Example:
# - cert_installed="/var/lib/mumble-server/fullchain.pem"
# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.crt
# -
#cert_installed=""
# - key_installed
# -
# - Location of the key read by service
# -
# - Example:
# - key_installed="/var/lib/mumble-server/privkey.pem"
# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.key
# -
#key_installed=""
# - cert_newest
# -
# - Location of the newest certificate.
# -
# - Example:
# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
# -
#cert_newest=""
# - key_newest
# -
# - Location of the newest Key
# -
# - Example:
# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
# -
#key_newest=""
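Review bot: The `Defaults to:` notes under `service_user` and `service_group` both say `prosody`, while `service_name` defaults to `Dovecot` and the heading names check_cert_for_dovecot.sh; this reads like a leftover from a Prosody variant of the file, and a reader relying on it would expect the wrong ownership check. Confirm the script's real defaults and correct the two comments to whatever they are, or drop the `Defaults to:` lines under those two keys. The same comment text appears in the copy of this file at the top of the page, whose start is outside this view.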


@ -0,0 +1,55 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------------
# - Parameter Settings for script 'check-postfix-fatal-error.sh'.
# ---------------------------------------------------------------
# MAIL_LOG
#
# Full qualified path to the mail log-file
#
# Defaults to: MAIL_LOG=/var/log/mail.log
#
#MAIL_LOG="/var/log/mail.log"
# ---
# - E-Mail settings for sending script messages
# ---
# - company
# -
# - Example: company="Cadus e.V."
# -
# - Defaults to:
# - company="O.OPEN"
# -
#company="O.OPEN"
company="so36.NET e.V."
# - sender_address
# -
# - Defaults to:
# - sender_address="${script_name%%.*}@$(hostname -f)"
# -
#sender_address="check-postfix-fatal-error@$(hostname -f)"
# - content_type
# -
# - Defaults to:
# - content_type='Content-Type: text/plain;\n charset="utf-8"'
# -
#content_type='Content-Type: text/plain;\n charset="utf-8"'
# - alert_email_addresses
# -
# - blank separated list of e-mail addresses
#
# - Example: alert_email_addresses="ckubu@oopen.de axel@warenform.net"
# -
# - Defaults to:
# - alert_email_addresses="ckubu@oopen.de"
# -
#alert_email_addresses="ckubu@oopen.de"
alert_email_addresses="roots@so36.net"


@ -0,0 +1,27 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'get_number_of_deferred_mailqueue.sh'.
# ---
# ----------------------------------------------------
# - notification_addresses
# -
# - Where to send notifications
# -
# - Defaults to argus@oopen.de
# -
notification_addresses="roots@so36.net"
# - count_warn
# -
# - If number of deferred e-mails exceeds give parameter 'count_warn'
# - an e-mail will be written to adresse(s) given at parameter
# - 'notification_addresses'.
# -
# - Defaults to 100
# -
#count_warn=100


@ -0,0 +1,94 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'sent_userinfo_postfix.sh'.
# ---
# ----------------------------------------------------
# - message_body_file
# -
# - Full path to file containing the user info. This file must contain
# - the message body WITHOUT e-mail headers. If file is placed in the
# - 'files' directory use '${file_dir}/<file-name>'
# -
# - Defaults to '${file_dir}/sent_userinfo_postfix.message'
# -
#message_body_file="${file_dir}/sent_userinfo_postfix.message"
# - email_from
# -
# - From Address of user info
# -
# - Example: 'oo@oopen.de'
# -
#email_from=""
email_from="support@so36.net"
# - email_from_org
# -
# - Example: email_from_org="O.OPEN"
# -
#email_from_org=""
email_from_org="so36.NET e.V."
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - mail_user
# -
# - The owner of the mailbox directories and within the e-mails itself.
# -
# - defaults to mail_user="vmail"
# -
#mail_user="vmail"
# - mail_group
# -
# - The group of the mailbox directories
# -
# - defaults to mail_group="vmail"
# -
#mail_group="vmail"
# - mail_basedir - No more needed!
# -
# - The root directory where all mailbox-domains are located.
# -
# - Defaults to '/var/vmail'.
# -
#mail_basedir=/var/vmail


@ -105,7 +105,7 @@
group: root
owner: root
when:
- inventory_hostname not in groups['lxc_guest']
- inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
- copy_plain_files_sysctl is defined
- copy_plain_files_sysctl|length > 0
tags:
@ -122,7 +122,7 @@
loop_control:
label: 'dest: {{ item.name }}'
when:
- inventory_hostname not in groups['lxc_guest']
- inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
- copy_plain_files_sysctl is defined
- copy_plain_files_sysctl|length > 0
tags:
@ -139,7 +139,7 @@
loop_control:
label: 'dest: {{ item.name }}'
when:
- inventory_hostname not in groups['lxc_guest']
- inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
- copy_additional_plain_files_sysctl is defined
- copy_additional_plain_files_sysctl|length > 0
tags:
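Review bot: `groups['lxc_host']` is undefined when the inventory has no `lxc_host` group, and the `when` evaluation then fails for every host that reaches these tasks instead of quietly evaluating to false; `inventory_hostname in groups['lxc_host'] | default([])` keeps the new clause safe for inventories without that group (the existing `groups['lxc_guest']` lookup carries the same exposure). The same condition is added in all three hunks of this file, so the change applies to each. The enclosing tasks start outside the hunks.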


@ -1,6 +1,23 @@
---
# ---
# Some Checks
# ---
- name: Check if file '/etc/postfix/relay_domains' exists
stat:
path: /etc/postfix/relay_domains
register: relay_domains_actual
- name: (copy_files.yml) Get checksum of '/etc/postfix/relay_domains'
set_fact:
relay_domains_sha1: "{{ relay_domains_actual.stat.checksum }}"
when:
- relay_domains_actual.stat.exists
# ---
# Copy files - main
# ---
- name: (copy_files.yml) Copy plain files
copy:
@ -36,6 +53,26 @@
tags:
- copy-files
- copy-plain-files
notify: "Reload postfwd"
- name: (copy_files.yml) Copy host specific plain files Postfix (/etc/postfix)
copy:
src: '{{ item.src_path }}'
dest: '{{ item.dest_path }}'
owner: root
group: root
mode: '0644'
loop: "{{ copy_plain_files_postfix_host_specific }}"
loop_control:
label: 'dest: {{ item.name }}'
when:
- inventory_hostname in groups['mail_server']
- copy_plain_files_postfix_host_specific is defined
- copy_plain_files_postfix_host_specific|length > 0
tags:
- copy-files
- copy-plain-files
notify: "Reload postfwd"
- name: (copy_files.yml) Copy plain files Postfix Firewall (postfwd)
copy:
@ -92,3 +129,26 @@
tags:
- copy-files
- copy-template-files
# ---
# Some final tasks
# ---
- name: Get checksum oif (possible upodated) file '/etc/postfix/relay_domains' exists
stat:
path: /etc/postfix/relay_domains
register: relay_domains_new
- name: (copy_files.yml) Get checksum of '/etc/postfix/relay_domains'
set_fact:
relay_domains_sha1_new: "{{ relay_domains_new.stat.checksum }}"
when:
- relay_domains_new.stat.exists
- name: (copy_files.yml) Renew database /etc/postfix/relay_domains.db
shell: '/usr/sbin/postmap btree:/etc/postfix/relay_domains'
when:
- relay_domains_actual.stat.exists
- relay_domains_new.stat.exists
- relay_domains_actual.stat.checksum != relay_domains_new.stat.checksum
notify: "Reload postfwd"
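Review bot: On a host where `/etc/postfix/relay_domains` did not exist before this run, the final postmap task never fires, because its `when` requires `relay_domains_actual.stat.exists`, so a freshly deployed relay_domains gets no `.db` until the file changes a second time; the guard should be `relay_domains_new.stat.exists` together with `(not relay_domains_actual.stat.exists) or (relay_domains_actual.stat.checksum != relay_domains_new.stat.checksum)`. The two `set_fact` tasks storing `relay_domains_sha1` and `relay_domains_sha1_new` are never read within the hunk (the comparison uses the stat results directly), so unless something outside this file consumes them they are dead weight. `shell:` is used for a single command without shell features, where `command:` is the idiomatic choice, and `notify: "Reload postfwd"` on a Postfix map rebuild (and on the two copy tasks that gained the same notify in the earlier hunk) looks like the wrong handler — Postfix daemons, as far as I know, reopen a rebuilt btree map on their own, so the notify can probably be dropped or pointed at a Postfix handler if one exists. The final stat task's name `Get checksum oif (possible upodated) file ... exists` has typos and describes a checksum it does not compute, and it and the first stat task lack the `(copy_files.yml)` prefix the other tasks carry.
```yaml
# … unchanged: copy tasks and the initial stat/register of relay_domains_actual …
- name: (copy_files.yml) Stat (possibly updated) file '/etc/postfix/relay_domains'
  stat:
    path: /etc/postfix/relay_domains
  register: relay_domains_new

- name: (copy_files.yml) Renew database /etc/postfix/relay_domains.db
  command: '/usr/sbin/postmap btree:/etc/postfix/relay_domains'
  when:
    - relay_domains_new.stat.exists
    - (not relay_domains_actual.stat.exists) or (relay_domains_actual.stat.checksum != relay_domains_new.stat.checksum)
```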