update..

2024-12-19 22:44:32 +01:00
parent f61e2ff73c
commit c9cee6deae
17 changed files with 714 additions and 72 deletions
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@ -20,9 +20,42 @@

 # give hostnames to blocke here

+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+mtasv\.net$
+
 # edge.toprains.shop:w
 edge\.toprains\.shop$

+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#mailjet\.com$
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$
+
 #  Specht Office
 mta3\.dev\.60cr\.com$

@ -31,3 +64,42 @@ lichtbringer\.shop$

 # insights.sternenpfad.shop
 insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# info Herrenmeds anfordern
+fullendoscopy\.mx$
+
+# Premium-Werkzeugwagen:
+minillq\.com$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+game\.cn$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com$
+
+# Sofortiger zweisprachiger Sprachübersetzer
+# - kein Eintrag -
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@ -12,9 +12,45 @@
 #
 # ---

+# Werkzeug
+5.135.22.148/30
+
+# Mehr Energie für Ihre Schritte
+5.196.53.204/30
+
+# Wiederherstellung des Sehvermogens ohne Operation
+31.28.27.0/24
+
+# info re_zeptfrei ordern
+45.61.128.0/18
+
+# HL Group
+45.132.181.0/24
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+50.31.205.0/24
+
 # edge.toprains.shop
 51.89.16.112

+# Ideal für Apple- und Samsung-Fans
+51.195.36.112/26
+
+# Bitcoin Boom / GHOSTnet GmbH
+85.93.0.0/19
+
+# Spiegel.de
+85.93.19.234
+
+# Kundensupport - photoTAN
+#87.253.233.0/24
+
+# LOTTO-Rabatt
+89.22.116.0/24
+
+# info mit ETFs die Millionen knacken?
+89.144.4.211
+
 # Specht Office
 91.193.18.0/24

@ -24,5 +60,44 @@
 # insights.sternenpfad.shop
 94.23.152.0/21

+# info rezeptfre-i Bestellung
+104.244.72.0/21
+
+# info Herrenmeds anfordern
+107.189.0.0/19
+
+# Premium-Werkzeugwagen:
+162.220.163.128/25
+
+# zaubermoment.shop
+178.32.96.0/19
+
+# Lustexperte
+178.32.136.0/21
+
+# herzenstone.shop
+178.33.112.0/21
+
 # ??
 181.214.99.0/24
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+185.91.69.0/24
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+185.173.235.0/24
+
+# Ein Sprühstoß für die sofortige Erektion!
+188.165.0.0/21
+
+# Home Security / preview.glanzpunkt.shop
+188.165.128.0/21
+
+# Phishing IHK
+191.96.209.0/24
+
+# info rezeptf-rei Bestellung
+198.98.48.0/20
+
+# Sofortiger zweisprachiger Sprachübersetzer
+213.202.222.185
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@ -36,11 +36,45 @@ ludwigpestow@gmail.com

 # annoying spammer domains
@acieu\.co\.uk$
+@inbox\.ru$

 # ----

+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+toldfinancialcapital\.com$
+
 # edge.toprains.shop
-@edge.toprains.shop$
+toprains.shop$
+
+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#@laurash.net
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$

 # Specht Offic
 officeuf@jxb669\.com$
@ -53,10 +87,46 @@ officeuf@
 lichtbringer\.shop$

 # insights.sternenpfad.shop
-@insights\.sternenpfad\.shop$
+insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# Premium-Werkzeugwagen:
+ezhifeng.co$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$

 # ??  181.214.99.0/24
-imrx4k.com$
+imrx4k\.com$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+izilian\.com$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt\.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com%
+
+# Sofortiger zweisprachiger Sprachübersetzer
+delavers\.de$

 # ---

--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -93,3 +93,9 @@
  service:
    name: nfs-kernel-server
    state: restarted
+
+- name: Restart ntp
+  service:
+    name: ntpsec
+    daemon_reload: yes
+    state: restarted
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -148,6 +148,18 @@
  tags: sudoers


+- import_tasks: motd.yml
+  tags: motd
+
+
+# tags supported inside ntp.yml:
+#
+#    ntp-server
+- import_tasks: ntp.yml
+  tags:
+    - ntp
+
+
 # tags supportetd inside git.yml
 #
 #   git-firewall-repository
--- a/roles/common/tasks/motd.yml
+++ b/roles/common/tasks/motd.yml
@ -0,0 +1,19 @@
+---
+
+# ----------
+# /etc/motd
+# ----------
+
+- name: (motd.yml) Check if /etc/motd.ORIG exist
+  stat:
+    path: /etc/motd.ORIG
+  register: motd_orig_exist
+
+
+- name: (motd.yml)  Backup existing file /etc/motd
+  command: cp -a /etc/motd /etc/motd.ORIG
+  when: motd_orig_exist.stat.exists == False
+
+- name: (motd.yml) create /etc/motd
+  shell: figlet {{ ansible_hostname }} > /etc/motd
+  when: motd_orig_exist.stat.exists == False
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -0,0 +1,60 @@
+---
+
+# ---
+# NTP Server
+# ---
+
+- name: (ntp.yml) Ensure ntpsec package is installed.
+  apt:
+    name:
+      - ntpsec
+    state: present
+  when:
+    - ansible_os_family == "Debian"
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
+  stat:
+    path: /etc/ntpsec/ntp.conf.ORIG
+  register: etc_ntpsec_conf_ORIG
+  when:
+    - ansible_distribution == "Debian"
+  tags:
+    - ntp-server
+
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+  file:
+    path: /var/log/ntpsec
+    state: directory
+    owner: ntpsec
+    group: ntpsec
+    mode: '0755'
+  when:
+    - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+  command: cp /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - etc_ntpsec_conf_ORIG.stat.exists == False
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
+  template:
+    src: "etc/ntpsec/ntp.conf.j2"
+    dest: /etc/ntpsec/ntp.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart ntp
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+
--- a/roles/common/templates/etc/ntpsec/ntp.conf.j2
+++ b/roles/common/templates/etc/ntpsec/ntp.conf.j2
@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+#tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
--- a/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
+++ b/roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
@ -26,5 +26,5 @@ Domains={{ fact_resolved_domains }}
 {% if (resolved_dnssec is defined) and resolved_dnssec %}
 DNSSEC={{ resolved_dnssec }}
 {% else %}
-#Domains=
+#DNSSEC=allow-downgrade
 {% endif %}