From c9cee6deaead1346494774f6be51e7b9cfa57d85 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 19 Dec 2024 22:44:32 +0100 Subject: [PATCH] update.. --- group_vars/all/main.yml | 9 + group_vars/oopen_office.yml | 6 + host_vars/backup.warenform.de.yml | 10 -- host_vars/cl-dissens.oopen.de.yml | 151 ++++++++++++++++ host_vars/file-dissens.dissens.netz.yml | 169 ++++++++++++------ host_vars/o29.oopen.de.yml | 14 +- host_vars/web0.warenform.de.yml | 22 +++ hosts | 31 +++- .../mailserver/etc/postfix/postfwd.bl-hosts | 72 ++++++++ .../mailserver/etc/postfix/postfwd.bl-nets | 75 ++++++++ .../mailserver/etc/postfix/postfwd.bl-sender | 76 +++++++- roles/common/handlers/main.yml | 6 + roles/common/tasks/main.yml | 12 ++ roles/common/tasks/motd.yml | 19 ++ roles/common/tasks/ntp.yml | 60 +++++++ roles/common/templates/etc/ntpsec/ntp.conf.j2 | 52 ++++++ .../resolved.conf.d/50-resolved-local.conf | 2 +- 17 files changed, 714 insertions(+), 72 deletions(-) create mode 100644 host_vars/cl-dissens.oopen.de.yml create mode 100644 roles/common/tasks/motd.yml create mode 100644 roles/common/tasks/ntp.yml create mode 100644 roles/common/templates/etc/ntpsec/ntp.conf.j2 diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 39df595..5ccdc96 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2253,6 +2253,15 @@ bind9_gateway_allow_recursion: # vars used by roles/common/tasks/git.yml # --- + +# --- +# vars used by roles/common/tasks/ntp.yml +# --- + +local_ntp_service: false + +ntp_server: {} + # --- # Firewall repository # --- diff --git a/group_vars/oopen_office.yml b/group_vars/oopen_office.yml index 56e02d6..f029802 100644 --- a/group_vars/oopen_office.yml +++ b/group_vars/oopen_office.yml @@ -110,6 +110,12 @@ sudo_users: # vars used by roles/common/tasks/git.yml # --- + +# --- +# vars used by roles/common/tasks/ntp.yml +# --- + + # ============================== 
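Review bot: `ntp_server: {}` in the group_vars/all/main.yml hunk gives a value that the ntp template interpolates as a scalar (`server {{ ntp_server }}`) an empty-mapping default, so a host that turns on `local_ntp_service` without overriding it would render `server {}` instead of failing clearly. An empty string or `null` states the intent and is easy to test with `is defined` or `| length`, e.g. `ntp_server: ""`. The oopen_office.yml hunk only adds the section header and needs nothing.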
diff --git a/host_vars/backup.warenform.de.yml b/host_vars/backup.warenform.de.yml index 234e906..30c58e3 100644 --- a/host_vars/backup.warenform.de.yml +++ b/host_vars/backup.warenform.de.yml @@ -170,16 +170,6 @@ cron_user_entries: hour: '*' job: /root/bin/postfix/check-postfix-fatal-errors.sh - - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)" - minute: '23' - hour: '05' - job: /var/lib/dehydrated/cron/dehydrated_cron.sh - - - name: "Check whether all certificates are included in the VHOST configurations" - minute: '33' - hour: '05' - job: /var/lib/dehydrated/tools/update_ssl_directives.sh - - name: "Check if remote website is online" minute: '*/15' hour: '7-23' diff --git a/host_vars/cl-dissens.oopen.de.yml b/host_vars/cl-dissens.oopen.de.yml new file mode 100644 index 0000000..7aabdf0 --- /dev/null +++ b/host_vars/cl-dissens.oopen.de.yml 
@@ -0,0 +1,151 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "prohibit-password" + +# --- +# vars used by apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 + - 185.12.64.1 + - 2a01:4ff:ff00::add:2 + +# search domains +# +# If there are more than one search 
domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - oopen.de + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +sudo_users: + - chris + - sysadm + - localadmin + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_privileges: + - name: back + entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- +# +# see: roles/common/tasks/vars + + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + diff --git a/host_vars/file-dissens.dissens.netz.yml b/host_vars/file-dissens.dissens.netz.yml index 7afde19..f125078 100644 --- a/host_vars/file-dissens.dissens.netz.yml +++ b/host_vars/file-dissens.dissens.netz.yml @@ -184,7 +184,7 @@ cron_user_special_time_entries: sudoers_file_user_aliases: - name: MAIN_USER - entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgrem,mario.freidank ' + entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank ' sudoers_file_cmnd_aliases: - name: REBOOT @@ -219,6 +219,15 @@ sudoers_file_user_privileges: # --- +# --- +# vars used by roles/common/tasks/ntp.yml +# --- + +local_ntp_service: true + +ntp_server: gw-dissens.dissens.netz + + # --- # vars used by roles/common/tasks/nfs.yml # --- 
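Review bot: The sudoers privilege `ALL=(www-data) NOPASSWD: /usr/local/php/bin/php` for user `back` in host_vars/cl-dissens.oopen.de.yml grants an unrestricted interpreter, which is the same as letting that account run anything as www-data without a password; sudoers entries for interpreters should name the script they exist for, e.g. `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php /path/to/backup-script.php'` (placeholder path). The `resolved_domains` item `- ~.` is a valid plain string but looks like a null at first glance; writing it as `'~.'` makes the routing-domain intent explicit. The long DNS-provider comment block above `resolved_nameserver` is in German while the file's section headers are English; translating or trimming it would keep the file uniform.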
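Review bot: The corrected MAIN_USER alias in host_vars/file-dissens.dissens.netz.yml still ends with a trailing space inside the quotes (`'… mario.freidank '`), which is carried verbatim into the rendered User_Alias line; trim it to `entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank'`. sudo tolerates the whitespace, but a clean value avoids spurious diffs on the target.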
@@ -264,9 +273,9 @@ samba_groups: - name: projekte group_id: 1110 - name: verwaltung - group_id: 1120 + group_id: 1200 - name: gf - group_id: 1120 + group_id: 1300 samba_user: - name: bernard.koennecke 
@@ -296,62 +305,99 @@ samba_user: - projekte - team - verwaltung - password: '20-da-v1d.g3lh44r_24%' + password: '20-dav1d.g3lh44r_24%' - - name: elenor.faellgrem + - name: elenor.faellgren groups: - projekte - team - password: '20/313n0r-g3l.h4r/24?' + password: '20/3l3n0r-fa3llg3em/24?' + - name: johanna.hess groups: - - buero - - verwaltung - password: '20_j0.h4nn4_h3ss-24+' + - projekte + - team + password: '20_j0h4nn4_h3ss-24+' - - name: leonie + - name: johanna.ruekgauer groups: - - buero + - projekte + password: '20.j0hanna.ru3kgau3r+24!' + + - name: laura.sasse + groups: + - projekte + - team + password: '20/l4ur4-s4sse-24?' + + - name: maite.gabriel + groups: + - projekte + password: '20+m4ite.g4briel-24+' + + - name: malte.taeubrich + groups: + - gf + - projekte + - team - verwaltung - password: '6.4aVX7rQ-9H' - - name: philip + password: '20%m4lt3-t3ubrich+24!' + + - name: mario.freidank groups: - - buero + - projekte + - team - verwaltung - password: 'fN%749Psv_NR' - - name: buero1 + password: '20-mar1o.fr31dank-24+' + + - name: olaf.stuve groups: - - buero - password: 'Mfr!7tK+d49C' - - name: buero2 + - projekte + password: '20-0l4f_stuve_24?"' + + - name: rositsa.mahdi groups: - - buero - password: 'gW-wg3Pttf4/' - - name: buero3 + - projekte + password: '20.ros1tsa-mahd1+24+' + + - name: sarah.klemm groups: - - buero - password: 'Qc-WyMhJ/3-2' - - name: referendariat - groups: - - buero - password: '4/zCNXnVF7+i' - - name: ref1 - groups: - - buero - password: '???' - - name: sebastian - groups: - - buero + - gf + - projekte + - team - verwaltung - password: 'bhNC.P5eTy-2' - - name: buero-05 + password: '20.s4r4h_kl3mm-24!' + + - name: simon.krugmann groups: - - buero - password: '5/SXbV-M3vmQ' - - name: buero-06 + - projekte + password: '20%sim0n.krugm4nn.24?' 
+ + - name: tabea.koepp groups: - - buero - password: 'N-ba2R+i/2eM' + - projekte + - team + password: '20?tab3a/ko3pp.24/' + + - name: till.dahlmueller + groups: + - projekte + - team + password: '20.t1ll/d4hlmueller-24!' + + - name: ulla.wittenzellner + groups: + - gf + - projekte + - team + - verwaltung + password: '20+ull4_w1tt3nz3lln3r_24-' + + - name: yannik.markhof + groups: + - projekte + - team + password: '20.y4nnik/m4rkhof_24/' base_home: /data/home @@ -360,14 +406,37 @@ base_home: /data/home # - name: name2 # remove_samba_users: [] +#remove_samba_users: +# - name: elenor.faellgrem +# - name: maiken.schiele samba_shares: - - name: buero - comment: Buero auf Fileserver - path: /data/samba/shares/buero - group_valid_users: buero - group_write_list: buero + - name: GF + comment: GF auf Fileserver + path: /data/samba/shares/GF + group_valid_users: gf + group_write_list: gf + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Projekte + comment: verwaltung auf Fileserver + path: /data/samba/shares/Projekte + group_valid_users: projekte + group_write_list: projekte + file_create_mask: !!str 664 + dir_create_mask: !!str 2775 + vfs_object_recycle: true + recycle_path: '@Recycle' + + - name: Team + comment: verwaltung auf Fileserver + path: /data/samba/shares/Team + group_valid_users: team + group_write_list: team file_create_mask: !!str 664 dir_create_mask: !!str 2775 vfs_object_recycle: true @@ -375,11 +444,11 @@ samba_shares: - name: Verwaltung comment: verwaltung auf Fileserver - path: /data/samba/shares/verwaltung + path: /data/samba/shares/Verwaltung group_valid_users: verwaltung group_write_list: verwaltung - file_create_mask: !!str 664 - dir_create_mask: !!str 2775 + file_create_mask: !!str 660 + dir_create_mask: !!str 2770 vfs_object_recycle: true recycle_path: '@Recycle' diff --git a/host_vars/o29.oopen.de.yml b/host_vars/o29.oopen.de.yml index 64396ae..06b95af 100644 
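Review bot: The samba_user entries added in this hunk carry each account's password in clear text in a host_vars file, and the replaced entries stay readable in git history, so these are effectively published credentials. Store them as `!vault`-encrypted values (ansible-vault encrypt_string) or load them from a file kept outside the repository, and treat every password on the old and new sides of this hunk as exposed: rotate them once the vaulted values are in place. The samba_user list continues past the end of the hunk.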
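Review bot: The `comment:` for the new Projekte and Team shares is copied from the Verwaltung entry (`comment: verwaltung auf Fileserver`), so users browsing the server see the wrong description on two of the three new shares; change them to `comment: Projekte auf Fileserver` and `comment: Team auf Fileserver`. The commented-out `#remove_samba_users:` block still names `elenor.faellgrem`, the misspelled account that this commit renames in samba_user; if the role does not prune accounts on its own, the old account remains on the server, so either enable the removal or record why it stays.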
--- a/host_vars/o29.oopen.de.yml +++ b/host_vars/o29.oopen.de.yml @@ -23,7 +23,7 @@ network_interfaces: - device: br0 # use only once per device (for the first device entry) - headline: br0 - bridge over device enp35s0 + headline: br0 - bridge over device enp8s0 # auto & allow are only used for the first device entry allow: [] # array of allow-[stanzas] eg. allow-hotplug @@ -31,11 +31,11 @@ network_interfaces: family: inet method: static - hwaddress: a8:a1:59:3e:bd:b8 + hwaddress: 9c:6b:00:6d:f5:a1 description: - address: 135.181.136.120 + address: 65.21.220.154 netmask: 26 - gateway: 135.181.136.65 + gateway: 65.21.220.129 metric: pointopoint: mtu: @@ -80,7 +80,7 @@ network_interfaces: # maxwait: # waitport: bridge: - ports: enp35s0 # for mor devices support a blank separated list + ports: enp8s0 # for mor devices support a blank separated list stp: !!str off fd: 1 hello: 2 @@ -107,7 +107,7 @@ network_interfaces: # inline hook scripts pre-up: [] # pre-up script lines up: - - !!str "route add -net 135.181.136.64 netmask 255.255.255.192 gw 135.181.136.65 dev br0" # up script lines + - !!str "route add -net 65.21.220.128 netmask 255.255.255.192 gw 65.21.220.129 dev br0" # up script lines post-up: [] # post-up script lines (alias for up) pre-down: [] # pre-down script lines (alias for down) down: [] # down script lines @@ -118,7 +118,7 @@ network_interfaces: - device: br0 family: inet6 method: static - address: 2a01:4f9:3a:1051::2 + address: 2a01:4f9:3080:318c::2 netmask: 64 gateway: fe80::1 diff --git a/host_vars/web0.warenform.de.yml b/host_vars/web0.warenform.de.yml index 4a466cf..1208a58 100644 --- a/host_vars/web0.warenform.de.yml +++ b/host_vars/web0.warenform.de.yml 
@@ -142,6 +142,28 @@ ssh_keypair_backup_client: # # see: roles/common/tasks/vars +sudoers_file_user_aliases: + - name: WEB_USER + entry: 'webadmin, axel, chris' + - name: MAIN_USER + entry: 'sysadm, axel, chris' + +sudoers_file_cmnd_aliases: + - name: REBOOT + entry: '/sbin/reboot' + - name: MANAGE_SERVICE + entry: '/usr/bin/systemctl' + +sudoers_file_user_privileges: + - name: MAIN_USER + entry: ALL = REBOOT, MANAGE_SERVICE + - name: WEB_USER + entry: ALL = MANAGE_SERVICE + + + + + # --- # vars used by roles/common/tasks/caching-nameserver.yml diff --git a/hosts b/hosts index cf56c41..99228b0 100644 --- a/hosts +++ b/hosts @@ -62,6 +62,7 @@ file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz file-blkr.blkr.netz +file-dissens.dissens.netz zapata.opp.netz gw-replacement.local.netz @@ -178,8 +179,9 @@ mail.faire-mobilitaet.de o28.oopen.de o26.oopen.de -# - o29.oopen.de Backup Server +# - o29.oopen.de Dissens Host System o29.oopen.de +cl-dissens.oopen.de # AK - Server Nextcloud/Jitsi Meet o30.oopen.de @@ -374,6 +376,7 @@ o26.oopen.de # - o29.oopen.de o29.oopen.de +cl-dissens.oopen.de # AK - Server Nextcloud/Jitsi Meet o30.oopen.de @@ -495,6 +498,9 @@ file-kb.anw-kb.netz gw-blkr.oopen.de file-blkr.blkr.netz +# Dissens +file-dissens.dissens.netz + # - Kanzlei EBS Leipzig gw-ebs.oopen.de file-ebs.ebs.netz @@ -648,6 +654,9 @@ mail.faire-mobilitaet.de o28.oopen.de o26.oopen.de +# o29.oopen.de +cl-dissens.oopen.de + # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de @@ -805,6 +814,9 @@ mm-irights.oopen.de # Hetzner Cloud CX31 - AK +# o29.oopen.de . Dissens +cl-dissens.oopen.de + # etventure o32.oopen.de @@ -1025,6 +1037,9 @@ cl-fm.oopen.de o28.oopen.de o26.oopen.de +# o29.oopen.de - Dissens +cl-dissens.oopen.de + # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de @@ -1132,6 +1147,9 @@ o28.oopen.de # o26.oopen.de o26.oopen.de +# o29.oopen.de - Dissens +cl-dissens.oopen.de + # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de 
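Review bot: The new `MANAGE_SERVICE` alias grants `/usr/bin/systemctl` with any arguments to both WEB_USER and MAIN_USER, which covers far more than restarting a web server — it can also change unit definitions and run new ones — and so effectively amounts to root for those users. Narrow the Cmnd_Alias to the verbs and units actually needed, e.g. `entry: '/usr/bin/systemctl restart apache2, /usr/bin/systemctl reload apache2'` (unit name constructed as an example). The run of four blank lines before the next section header can be reduced to one.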
@@ -1282,6 +1300,7 @@ file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz file-blkr.blkr.netz +file-dissens.dissens.netz zapata.opp.netz @@ -1289,6 +1308,7 @@ zapata.opp.netz [nfs_server] file-blkr.blkr.netz +file-dissens.dissens.netz file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz @@ -1480,6 +1500,9 @@ mail.faire-mobilitaet.de # Hetzner Cloud CX31 - AK +# o29.oopen.de - Dissens +cl-dissens.oopen.de + # o30.oopen.de - AK Server Nextcloud/Jitsi Meet meet.akweb.de cloud.akweb.de @@ -1545,6 +1568,7 @@ file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz file-blkr.blkr.netz +file-dissens.dissens.netz zapata.opp.netz @@ -1680,6 +1704,10 @@ mail.faire-mobilitaet.de o28.oopen.de o26.oopen.de +# o29.oopen.de +o29.oopen.de +cl-dissens.oopen.de + # AK - Server Nextcloud/Jitsi Meet o30.oopen.de meet.akweb.de @@ -1764,6 +1792,7 @@ file-fhxb.fhxb.netz file-km.anw-km.netz file-kb.anw-kb.netz file-blkr.blkr.netz +file-dissens.dissens.netz zapata.opp.netz diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts index cf638fd..c50d038 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts @@ -20,9 +20,42 @@ # give hostnames to blocke here +# Werkzeug +katherina-remberg\.de$ + +# Mehr Energie für Ihre Schritte +elcoino\.de$ + +# Wiederherstellung des Sehvermogens ohne Operation +toonaca\.or\.mg$ + +# info re_zeptfrei ordern +radiotrabajandoparacristoirmp\.com$ + +# HL Group +group-hire\.com$ + +# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet! +mtasv\.net$ + # edge.toprains.shop:w edge\.toprains\.shop$ +# Ideal für Apple- und Samsung-Fans +sdeals\.shop$ + +# Spiegel.de +delpieroacademy\.com$ + +# Kundensupport - photoTAN +#mailjet\.com$ + +# LOTTO-Rabatt +gdwr\.de$ + +# info mit ETFs die Millionen knacken? +movingcompanywheaton\.com$ + # Specht Office mta3\.dev\.60cr\.com$ 
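Review bot: `mtasv\.net$` in the postfwd.bl-hosts hunk appears to match the outbound MTA hostnames of a shared transactional-mail provider (Postmark), so it rejects every customer of that provider rather than the refund-scam sender it is annotated with. The sender-side entry added for the same campaign in postfwd.bl-sender (`toldfinancialcapital\.com$`) is the precise control; drop the host entry or replace it with the campaign's own domain, and add a comment such as `# shared ESP infrastructure - do not block by host` if the pattern is kept for reference.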
@@ -31,3 +64,42 @@ lichtbringer\.shop$ # insights.sternenpfad.shop insights\.sternenpfad\.shop$ + +# info rezeptfre-i Bestellung +ugms\.org$ + +# info Herrenmeds anfordern +fullendoscopy\.mx$ + +# Premium-Werkzeugwagen: +minillq\.com$ + +# zaubermoment.shop +zaubermoment\.shop$ + +# Lustexperte +jetztpower\.shop$ + +# herzenstone.shop +herzenstone\.shop$ + +# Versand - Wichtige Neiuheit (a2hosted.com) +a2hosted\.com$ + +# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo +game\.cn$ + +# Ein Sprühstoß für die sofortige Erektion! +perfektepower\.shop$ + +# Home Security / preview.glanzpunkt.shop +glanzpunkt.shop$ + +# Phishing IHK +rightappearance\.com$ + +# info rezeptf-rei Bestellung +sectiontrading\.com$ + +# Sofortiger zweisprachiger Sprachübersetzer +# - kein Eintrag - diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets index 6d9f745..9376c89 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets @@ -12,9 +12,45 @@ # # --- +# Werkzeug +5.135.22.148/30 + +# Mehr Energie für Ihre Schritte +5.196.53.204/30 + +# Wiederherstellung des Sehvermogens ohne Operation +31.28.27.0/24 + +# info re_zeptfrei ordern +45.61.128.0/18 + +# HL Group +45.132.181.0/24 + +# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet! +50.31.205.0/24 + # edge.toprains.shop 51.89.16.112 +# Ideal für Apple- und Samsung-Fans +51.195.36.112/26 + +# Bitcoin Boom / GHOSTnet GmbH +85.93.0.0/19 + +# Spiegel.de +85.93.19.234 + +# Kundensupport - photoTAN +#87.253.233.0/24 + +# LOTTO-Rabatt +89.22.116.0/24 + +# info mit ETFs die Millionen knacken? +89.144.4.211 + # Specht Office 91.193.18.0/24 
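Review bot: `glanzpunkt.shop$` is the only new pattern in this hunk with an unescaped dot, unlike its sender-side twin `glanzpunkt\.shop$`; as a regex the bare dot also matches any character there, so write it as `glanzpunkt\.shop$` for consistency. The trailing `# - kein Eintrag -` records a campaign with no host pattern; a short reason next to it (e.g. that the sender is caught in bl-sender/bl-nets instead) would keep the next editor from guessing.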
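Review bot: Several new entries in postfwd.bl-nets block whole provider allocations rather than the sending hosts — `45.61.128.0/18`, `85.93.0.0/19` and most of the /24s — and the file has no expiry mechanism, so legitimate mail from those ranges stays rejected indefinitely. Record the observation date in each campaign comment (`# 2024-12 Werkzeug`) and prefer the /30 or single-address form already used for `5.135.22.148/30` and `51.89.16.112` where the evidence only covers a few hosts. The commented-out `#87.253.233.0/24` (photoTAN) matches the likewise commented host and sender entries, which keeps the three files consistent.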
@@ -24,5 +60,44 @@ # insights.sternenpfad.shop 94.23.152.0/21 +# info rezeptfre-i Bestellung +104.244.72.0/21 + +# info Herrenmeds anfordern +107.189.0.0/19 + +# Premium-Werkzeugwagen: +162.220.163.128/25 + +# zaubermoment.shop +178.32.96.0/19 + +# Lustexperte +178.32.136.0/21 + +# herzenstone.shop +178.33.112.0/21 + # ?? 181.214.99.0/24 + +# Versand - Wichtige Neiuheit (a2hosted.com) +185.91.69.0/24 + +# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo +185.173.235.0/24 + +# Ein Sprühstoß für die sofortige Erektion! +188.165.0.0/21 + +# Home Security / preview.glanzpunkt.shop +188.165.128.0/21 + +# Phishing IHK +191.96.209.0/24 + +# info rezeptf-rei Bestellung +198.98.48.0/20 + +# Sofortiger zweisprachiger Sprachübersetzer +213.202.222.185 diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender index 6ecdf24..2baf2a8 100644 --- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender +++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender @@ -36,11 +36,45 @@ ludwigpestow@gmail.com # annoying spammer domains @acieu\.co\.uk$ +@inbox\.ru$ # ---- +# Werkzeug +katherina-remberg\.de$ + +# Mehr Energie für Ihre Schritte +elcoino\.de$ + +# Wiederherstellung des Sehvermogens ohne Operation +toonaca\.or\.mg$ + +# info re_zeptfrei ordern +radiotrabajandoparacristoirmp\.com$ + +# HL Group +group-hire\.com$ + +# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet! +toldfinancialcapital\.com$ + # edge.toprains.shop -@edge.toprains.shop$ +toprains.shop$ + +# Ideal für Apple- und Samsung-Fans +sdeals\.shop$ + +# Spiegel.de +delpieroacademy\.com$ + +# Kundensupport - photoTAN +#@laurash.net + +# LOTTO-Rabatt +gdwr\.de$ + +# info mit ETFs die Millionen knacken? +movingcompanywheaton\.com$ # Specht Offic officeuf@jxb669\.com$ 
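Review bot: The widened pattern `toprains.shop$` (replacing `@edge.toprains.shop$`) still has an unescaped dot, unlike the escaped entries around it; write it as `toprains\.shop$`. `@inbox\.ru$` under the 'annoying spammer domains' heading rejects every address at a large public mailbox provider, which is a much broader policy than the per-campaign domains below it and deserves a comment stating that this collateral is intended, e.g. `# whole provider blocked on purpose - revisit <date placeholder>`.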
@@ -53,10 +87,46 @@ officeuf@ lichtbringer\.shop$ # insights.sternenpfad.shop -@insights\.sternenpfad\.shop$ +insights\.sternenpfad\.shop$ + +# info rezeptfre-i Bestellung +ugms\.org$ + +# Premium-Werkzeugwagen: +ezhifeng.co$ + +# zaubermoment.shop +zaubermoment\.shop$ + +# Lustexperte +jetztpower\.shop$ + +# herzenstone.shop +herzenstone\.shop$ # ?? 181.214.99.0/24 -imrx4k.com$ +imrx4k\.com$ + +# Versand - Wichtige Neiuheit (a2hosted.com) +a2hosted\.com$ + +# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo +izilian\.com$ + +# Ein Sprühstoß für die sofortige Erektion! +perfektepower\.shop$ + +# Home Security / preview.glanzpunkt.shop +glanzpunkt\.shop$ + +# Phishing IHK +rightappearance\.com$ + +# info rezeptf-rei Bestellung +sectiontrading\.com% + +# Sofortiger zweisprachiger Sprachübersetzer +delavers\.de$ # --- diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 5733ad0..0991f3f 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -93,3 +93,9 @@ service: name: nfs-kernel-server state: restarted + +- name: Restart ntp + service: + name: ntpsec + daemon_reload: yes + state: restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index d6a4878..bac8edf 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -148,6 +148,18 @@ tags: sudoers +- import_tasks: motd.yml + tags: motd + + +# tags supported inside ntp.yml: +# +# ntp-server +- import_tasks: ntp.yml + tags: + - ntp + + # tags supportetd inside git.yml # # git-firewall-repository diff --git a/roles/common/tasks/motd.yml b/roles/common/tasks/motd.yml new file mode 100644 index 0000000..80dc2d4 --- /dev/null +++ b/roles/common/tasks/motd.yml 
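Review bot: `sectiontrading\.com%` ends in `%` instead of `$`, so the pattern requires a literal percent sign after the domain and will never match the sender it was added for; change it to `sectiontrading\.com$`. `ezhifeng.co$` also lacks the escaped dot used everywhere else in the file (`ezhifeng\.co$`). The fix to `imrx4k\.com$` in the same hunk shows the intended form.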
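Review bot: `daemon_reload: yes` in the new `Restart ntp` handler uses a YAML 1.1 truthy word where `true` is the canonical form, and `daemon_reload` is an option of the `systemd` module rather than `service`; I have not confirmed that `service` accepts it, so either switch the handler to `systemd:` or drop the key. The handler name must match the `notify: Restart ntp` in ntp.yml exactly, which it does.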
@@ -0,0 +1,19 @@
+---
+
+# ----------
+# /etc/motd
+# ----------
+
+- name: (motd.yml) Check if /etc/motd.ORIG exist
+ stat:
+ path: /etc/motd.ORIG
+ register: motd_orig_exist
+
+
+- name: (motd.yml) Backup existing file /etc/motd
+ command: cp -a /etc/motd /etc/motd.ORIG
+ when: motd_orig_exist.stat.exists == False
+
+- name: (motd.yml) create /etc/motd
+ shell: figlet {{ ansible_hostname }} > /etc/motd
+ when: motd_orig_exist.stat.exists == False
diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml
new file mode 100644
index 0000000..1c6f17c
--- /dev/null
+++ b/roles/common/tasks/ntp.yml
@@ -0,0 +1,60 @@
+---
+
+# ---
+# NTP Server
+# ---
+
+- name: (ntp.yml) Ensure ntpsec package is installed.
+ apt:
+ name:
+ - ntpsec
+ state: present
+ when:
+ - ansible_os_family == "Debian"
+ tags:
+ - ntp-server
+
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
+ stat:
+ path: /etc/ntpsec/ntp.conf.ORIG
+ register: etc_ntpsec_conf_ORIG
+ when:
+ - ansible_distribution == "Debian"
+ tags:
+ - ntp-server
+
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+ file:
+ path: /var/log/ntpsec
+ state: directory
+ owner: ntpsec
+ group: ntpsec
+ mode: '0755'
+ when:
+ - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+ command: cp /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
+ when:
+ - groups['oopen_office_server']|string is search(inventory_hostname)
+ - etc_ntpsec_conf_ORIG.stat.exists == False
+ - local_ntp_service is defined and local_ntp_service|bool
+ tags:
+ - ntp-server
+
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
+ template:
+ src: "etc/ntpsec/ntp.conf.j2"
+ dest: /etc/ntpsec/ntp.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: Restart ntp
+ when:
+ - groups['oopen_office_server']|string is search(inventory_hostname)
+ - local_ntp_service is defined and local_ntp_service|bool
+ tags:
+ - ntp-server
+
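Review bot: The `shell: figlet {{ ansible_hostname }} > /etc/motd` task in motd.yml assumes `figlet` is installed but nothing in the hunk ensures it, so on a host without it the task fails after /etc/motd has already been copied to .ORIG, and on the next run the backup file exists so the motd is never generated. Add an `apt: name: figlet state: present` task before it (or guard on the binary), and consider using `copy`/`template` with the generated text so the task is idempotent and reports changes truthfully. Both `when:` clauses compare with `== False`; the idiomatic form is `when: not motd_orig_exist.stat.exists`, and the task name `Check if /etc/motd.ORIG exist` should read `exists`.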
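Review bot: The install task in ntp.yml keys on `ansible_os_family == "Debian"` while the stat, directory, backup and template tasks key on `ansible_distribution == "Debian"`, so on Ubuntu ntpsec gets installed but its configuration is never managed, and when `local_ntp_service` is true the backup task reads `etc_ntpsec_conf_ORIG.stat.exists` from a task that was skipped; pick one condition for the whole file. `mode: 0644` on the template task is an unquoted octal (YAML 1.1 reads it as the integer 420) while the directory task above writes `mode: '0755'` — use `mode: '0644'`. `etc_ntpsec_conf_ORIG.stat.exists == False` reads better as `not etc_ntpsec_conf_ORIG.stat.exists`.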
diff --git a/roles/common/templates/etc/ntpsec/ntp.conf.j2 b/roles/common/templates/etc/ntpsec/ntp.conf.j2
new file mode 100644
index 0000000..bd82d6f
--- /dev/null
+++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+#tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
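Review bot: The generated ntp.conf has exactly one upstream, `server {{ ntp_server }}`, with no `iburst` and no fallback, so a host whose `ntp_server` is unreachable never synchronises and its clock drifts silently; add `iburst` for a fast initial sync and, where the host has internet access, consider keeping one `pool` line enabled as a fallback. The variable is rendered unquoted and unchecked, so the group default `ntp_server: {}` would produce `server {}`; a `{% if ntp_server %}` guard or `{{ ntp_server | mandatory }}` would fail the play instead. The `restrict default … noquery limited` line is a sound default and needs no change; the hunk covers the whole new template.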
diff --git a/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
index f5167c5..9309ca0 100644
--- a/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
+++ b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
@@ -26,5 +26,5 @@ Domains={{ fact_resolved_domains }}
 {% if (resolved_dnssec is defined) and resolved_dnssec %}
 DNSSEC={{ resolved_dnssec }}
 {% else %}
-#Domains=
+#DNSSEC=allow-downgrade
 {% endif %}