update..

group_vars/all/main.yml

@@ -2253,6 +2253,15 @@ bind9_gateway_allow_recursion:
 # vars used by roles/common/tasks/git.yml
 # ---
 
+
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+local_ntp_service: false
+
+ntp_server: {}
+
 # ---
 # Firewall repository
 # ---

group_vars/oopen_office.yml

@@ -110,6 +110,12 @@ sudo_users:
 # vars used by roles/common/tasks/git.yml
 # ---
 
+
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+
 # ==============================
 
 

host_vars/backup.warenform.de.yml

@@ -170,16 +170,6 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
-  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
-    minute: '23'
-    hour: '05'
-    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
-
-  - name: "Check whether all certificates are included in the VHOST configurations"
-    minute: '33'
-    hour: '05'
-    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
-
   - name: "Check if remote website is online"
     minute: '*/15'
     hour: '7-23'

host_vars/cl-dissens.oopen.de.yml

@@ -0,0 +1,151 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+  - name: back
+    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+

host_vars/file-dissens.dissens.netz.yml

@@ -184,7 +184,7 @@ cron_user_special_time_entries:
 
 sudoers_file_user_aliases:
    - name: MAIN_USER
-     entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgrem,mario.freidank '
+     entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank '
 
 sudoers_file_cmnd_aliases:
    - name: REBOOT 
@@ -219,6 +219,15 @@ sudoers_file_user_privileges:
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+local_ntp_service: true
+
+ntp_server: gw-dissens.dissens.netz
+
+
 # ---
 # vars used by roles/common/tasks/nfs.yml
 # ---
@@ -264,9 +273,9 @@ samba_groups:
   - name: projekte
     group_id: 1110
   - name: verwaltung
-    group_id: 1120
+    group_id: 1200
   - name: gf
-    group_id: 1120
+    group_id: 1300
 
 samba_user:
   - name: bernard.koennecke
@@ -296,62 +305,99 @@ samba_user:
       - projekte
       - team
       - verwaltung
-    password: '20-da-v1d.g3lh44r_24%'
+    password: '20-dav1d.g3lh44r_24%'
 
-  - name: elenor.faellgrem
+  - name: elenor.faellgren
     groups:
       - projekte
       - team
-    password: '20/313n0r-g3l.h4r/24?'
+    password: '20/3l3n0r-fa3llg3em/24?'
+
   - name: johanna.hess
     groups:
-      - buero
+      - projekte
-      - verwaltung
+      - team
-    password: '20_j0.h4nn4_h3ss-24+'
+    password: '20_j0h4nn4_h3ss-24+'
 
-  - name: leonie
+  - name: johanna.ruekgauer
     groups:
-      - buero
+      - projekte
+    password: '20.j0hanna.ru3kgau3r+24!'
+
+  - name: laura.sasse
+    groups:
+      - projekte
+      - team
+    password: '20/l4ur4-s4sse-24?'
+
+  - name: maite.gabriel
+    groups:
+      - projekte
+    password: '20+m4ite.g4briel-24+'
+
+  - name: malte.taeubrich
+    groups:
+      - gf
+      - projekte
+      - team
       - verwaltung
-    password: '6.4aVX7rQ-9H'
+    password: '20%m4lt3-t3ubrich+24!'
-  - name: philip
+
+  - name: mario.freidank
     groups:
-      - buero
+      - projekte
+      - team
       - verwaltung
-    password: 'fN%749Psv_NR'
+    password: '20-mar1o.fr31dank-24+'
-  - name: buero1
+
+  - name: olaf.stuve
     groups:
-      - buero
+      - projekte
-    password: 'Mfr!7tK+d49C'
+    password: '20-0l4f_stuve_24?"'
-  - name: buero2
+
+  - name: rositsa.mahdi
     groups:
-      - buero
+      - projekte
-    password: 'gW-wg3Pttf4/'
+    password: '20.ros1tsa-mahd1+24+'
-  - name: buero3
+
+  - name: sarah.klemm
     groups:
-      - buero
+      - gf
-    password: 'Qc-WyMhJ/3-2'
+      - projekte
-  - name: referendariat
+      - team
-    groups:
-      - buero
-    password: '4/zCNXnVF7+i'
-  - name: ref1
-    groups:
-      - buero
-    password: '???'
-  - name: sebastian
-    groups:
-      - buero
       - verwaltung
-    password: 'bhNC.P5eTy-2'
+    password: '20.s4r4h_kl3mm-24!'
-  - name: buero-05
+
+  - name: simon.krugmann
     groups:
-      - buero
+      - projekte
-    password: '5/SXbV-M3vmQ'
+    password: '20%sim0n.krugm4nn.24?'
-  - name: buero-06
+
+  - name: tabea.koepp
     groups:
-      - buero
+      - projekte
-    password: 'N-ba2R+i/2eM'
+      - team
+    password: '20?tab3a/ko3pp.24/'
+
+  - name: till.dahlmueller
+    groups:
+      - projekte
+      - team
+    password: '20.t1ll/d4hlmueller-24!'
+
+  - name: ulla.wittenzellner
+    groups:
+      - gf
+      - projekte
+      - team
+      - verwaltung
+    password: '20+ull4_w1tt3nz3lln3r_24-'
+
+  - name: yannik.markhof
+    groups:
+      - projekte
+      - team
+    password: '20.y4nnik/m4rkhof_24/'
 
 base_home: /data/home
 
@@ -360,14 +406,37 @@ base_home: /data/home
 #   - name: name2
 #
 remove_samba_users: []
+#remove_samba_users: 
+#  - name: elenor.faellgrem
+#  - name: maiken.schiele
 
 samba_shares:
 
-  - name: buero
+  - name: GF
-    comment: Buero auf Fileserver
+    comment: GF auf Fileserver
-    path: /data/samba/shares/buero
+    path: /data/samba/shares/GF
-    group_valid_users: buero
+    group_valid_users: gf
-    group_write_list: buero
+    group_write_list: gf
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+
+  - name: Projekte
+    comment: verwaltung auf Fileserver
+    path: /data/samba/shares/Projekte
+    group_valid_users: projekte
+    group_write_list: projekte
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+
+  - name: Team
+    comment: verwaltung auf Fileserver
+    path: /data/samba/shares/Team
+    group_valid_users: team
+    group_write_list: team
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
     vfs_object_recycle: true
@@ -375,11 +444,11 @@ samba_shares:
 
   - name: Verwaltung
     comment: verwaltung auf Fileserver
-    path: /data/samba/shares/verwaltung
+    path: /data/samba/shares/Verwaltung
     group_valid_users: verwaltung
     group_write_list: verwaltung
-    file_create_mask: !!str 664
+    file_create_mask: !!str 660
-    dir_create_mask: !!str 2775
+    dir_create_mask: !!str 2770
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 

host_vars/o29.oopen.de.yml

@@ -23,7 +23,7 @@ network_interfaces:
 
   - device: br0
     # use only once per device (for the first device entry)
-    headline: br0 - bridge over device enp35s0
+    headline: br0 - bridge over device enp8s0
 
     # auto & allow are only used for the first device entry
     allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -31,11 +31,11 @@ network_interfaces:
 
     family: inet
     method: static
-    hwaddress: a8:a1:59:3e:bd:b8
+    hwaddress: 9c:6b:00:6d:f5:a1
     description:
-    address: 135.181.136.120
+    address: 65.21.220.154
     netmask: 26
-    gateway: 135.181.136.65
+    gateway: 65.21.220.129
     metric:
     pointopoint:
     mtu:
@@ -80,7 +80,7 @@ network_interfaces:
     #   maxwait:
     #   waitport:
     bridge:
-      ports: enp35s0 # for mor devices support a blank separated list
+      ports: enp8s0 # for mor devices support a blank separated list
       stp: !!str off
       fd: 1
       hello: 2
@@ -107,7 +107,7 @@ network_interfaces:
     # inline hook scripts
     pre-up: [] # pre-up script lines
     up: 
-      - !!str "route add -net 135.181.136.64 netmask 255.255.255.192 gw 135.181.136.65 dev br0" # up script lines
+      - !!str "route add -net 65.21.220.128 netmask 255.255.255.192 gw 65.21.220.129 dev br0" # up script lines
     post-up: [] # post-up script lines (alias for up)
     pre-down: [] # pre-down script lines (alias for down)
     down: [] # down script lines
@@ -118,7 +118,7 @@ network_interfaces:
   - device: br0
     family: inet6
     method: static
-    address: 2a01:4f9:3a:1051::2
+    address: 2a01:4f9:3080:318c::2
     netmask: 64
     gateway: fe80::1
 

host_vars/web0.warenform.de.yml

@@ -142,6 +142,28 @@ ssh_keypair_backup_client:
 #
 # see: roles/common/tasks/vars
 
+sudoers_file_user_aliases:
+   - name: WEB_USER
+     entry: 'webadmin, axel, chris'
+   - name: MAIN_USER
+     entry: 'sysadm, axel, chris'
+
+sudoers_file_cmnd_aliases:
+  - name: REBOOT
+    entry: '/sbin/reboot'
+  - name: MANAGE_SERVICE
+    entry: '/usr/bin/systemctl'
+
+sudoers_file_user_privileges:
+  - name: MAIN_USER
+    entry: ALL = REBOOT, MANAGE_SERVICE
+  - name: WEB_USER
+    entry: ALL = MANAGE_SERVICE
+
+
+
+
+
 
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml

hosts

@@ -62,6 +62,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 gw-replacement.local.netz
@@ -178,8 +179,9 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
-# - o29.oopen.de Backup Server
+# - o29.oopen.de Dissens Host System
 o29.oopen.de
+cl-dissens.oopen.de
 
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@@ -374,6 +376,7 @@ o26.oopen.de
 
 # - o29.oopen.de
 o29.oopen.de
+cl-dissens.oopen.de
 
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@@ -495,6 +498,9 @@ file-kb.anw-kb.netz
 gw-blkr.oopen.de
 file-blkr.blkr.netz
 
+# Dissens
+file-dissens.dissens.netz
+
 # - Kanzlei EBS Leipzig
 gw-ebs.oopen.de
 file-ebs.ebs.netz
@@ -648,6 +654,9 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -805,6 +814,9 @@ mm-irights.oopen.de
 
 # Hetzner Cloud CX31 - AK
 
+# o29.oopen.de . Dissens
+cl-dissens.oopen.de
+
 # etventure
 o32.oopen.de
 
@@ -1025,6 +1037,9 @@ cl-fm.oopen.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -1132,6 +1147,9 @@ o28.oopen.de
 # o26.oopen.de
 o26.oopen.de
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -1282,6 +1300,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 
@@ -1289,6 +1308,7 @@ zapata.opp.netz
 [nfs_server]
 
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 file-ah.kanzlei-kiel.netz
 file-ebs.ebs.netz
 file-fhxb.fhxb.netz
@@ -1480,6 +1500,9 @@ mail.faire-mobilitaet.de
 
 # Hetzner Cloud CX31 - AK
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK Server Nextcloud/Jitsi Meet
 meet.akweb.de
 cloud.akweb.de
@@ -1545,6 +1568,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 
@@ -1680,6 +1704,10 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de
+o29.oopen.de
+cl-dissens.oopen.de
+
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
 meet.akweb.de
@@ -1764,6 +1792,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 

roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts

@@ -20,9 +20,42 @@
 
 # give hostnames to blocke here
 
+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+mtasv\.net$
+
 # edge.toprains.shop:w
 edge\.toprains\.shop$
 
+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#mailjet\.com$
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$
+
 #  Specht Office
 mta3\.dev\.60cr\.com$
 
@@ -31,3 +64,42 @@ lichtbringer\.shop$
 
 # insights.sternenpfad.shop
 insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# info Herrenmeds anfordern
+fullendoscopy\.mx$
+
+# Premium-Werkzeugwagen:
+minillq\.com$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+game\.cn$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com$
+
+# Sofortiger zweisprachiger Sprachübersetzer
+# - kein Eintrag -

roles/common/files/mailserver/etc/postfix/postfwd.bl-nets

@@ -12,9 +12,45 @@
 #
 # ---
 
+# Werkzeug
+5.135.22.148/30
+
+# Mehr Energie für Ihre Schritte
+5.196.53.204/30
+
+# Wiederherstellung des Sehvermogens ohne Operation
+31.28.27.0/24
+
+# info re_zeptfrei ordern
+45.61.128.0/18
+
+# HL Group
+45.132.181.0/24
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+50.31.205.0/24
+
 # edge.toprains.shop
 51.89.16.112
 
+# Ideal für Apple- und Samsung-Fans
+51.195.36.112/26
+
+# Bitcoin Boom / GHOSTnet GmbH
+85.93.0.0/19
+
+# Spiegel.de
+85.93.19.234
+
+# Kundensupport - photoTAN
+#87.253.233.0/24
+
+# LOTTO-Rabatt
+89.22.116.0/24
+
+# info mit ETFs die Millionen knacken?
+89.144.4.211
+
 # Specht Office
 91.193.18.0/24
 
@@ -24,5 +60,44 @@
 # insights.sternenpfad.shop
 94.23.152.0/21
 
+# info rezeptfre-i Bestellung
+104.244.72.0/21
+
+# info Herrenmeds anfordern
+107.189.0.0/19
+
+# Premium-Werkzeugwagen:
+162.220.163.128/25
+
+# zaubermoment.shop
+178.32.96.0/19
+
+# Lustexperte
+178.32.136.0/21
+
+# herzenstone.shop
+178.33.112.0/21
+
 # ??
 181.214.99.0/24
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+185.91.69.0/24
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+185.173.235.0/24
+
+# Ein Sprühstoß für die sofortige Erektion!
+188.165.0.0/21
+
+# Home Security / preview.glanzpunkt.shop
+188.165.128.0/21
+
+# Phishing IHK
+191.96.209.0/24
+
+# info rezeptf-rei Bestellung
+198.98.48.0/20
+
+# Sofortiger zweisprachiger Sprachübersetzer
+213.202.222.185

roles/common/files/mailserver/etc/postfix/postfwd.bl-sender

@@ -36,11 +36,45 @@ ludwigpestow@gmail.com
 
 # annoying spammer domains
 @acieu\.co\.uk$
+@inbox\.ru$
 
 # ----
 
+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+toldfinancialcapital\.com$
+
 # edge.toprains.shop
-@edge.toprains.shop$
+toprains.shop$
+
+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#@laurash.net
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$
 
 # Specht Offic
 officeuf@jxb669\.com$
@@ -53,10 +87,46 @@ officeuf@
 lichtbringer\.shop$
 
 # insights.sternenpfad.shop
-@insights\.sternenpfad\.shop$
+insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# Premium-Werkzeugwagen:
+ezhifeng.co$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$
 
 # ??  181.214.99.0/24
-imrx4k.com$
+imrx4k\.com$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+izilian\.com$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt\.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com%
+
+# Sofortiger zweisprachiger Sprachübersetzer
+delavers\.de$
 
 # ---
 

roles/common/handlers/main.yml

@@ -93,3 +93,9 @@
   service:
     name: nfs-kernel-server
     state: restarted
+
+- name: Restart ntp
+  service:
+    name: ntpsec
+    daemon_reload: yes
+    state: restarted

roles/common/tasks/main.yml

@@ -148,6 +148,18 @@
   tags: sudoers
 
 
+- import_tasks: motd.yml
+  tags: motd
+
+
+# tags supported inside ntp.yml:
+#
+#    ntp-server
+- import_tasks: ntp.yml
+  tags:
+    - ntp
+
+
 # tags supportetd inside git.yml
 #
 #   git-firewall-repository

roles/common/tasks/motd.yml

@@ -0,0 +1,19 @@
+---
+
+# ----------
+# /etc/motd
+# ----------
+
+- name: (motd.yml) Check if /etc/motd.ORIG exist
+  stat:
+    path: /etc/motd.ORIG
+  register: motd_orig_exist
+
+
+- name: (motd.yml)  Backup existing file /etc/motd
+  command: cp -a /etc/motd /etc/motd.ORIG
+  when: motd_orig_exist.stat.exists == False
+
+- name: (motd.yml) create /etc/motd
+  shell: figlet {{ ansible_hostname }} > /etc/motd
+  when: motd_orig_exist.stat.exists == False

roles/common/tasks/ntp.yml

@@ -0,0 +1,60 @@
+---
+
+# ---
+# NTP Server
+# ---
+
+- name: (ntp.yml) Ensure ntpsec package is installed.
+  apt:
+    name:
+      - ntpsec
+    state: present
+  when:
+    - ansible_os_family == "Debian"
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
+  stat:
+    path: /etc/ntpsec/ntp.conf.ORIG
+  register: etc_ntpsec_conf_ORIG
+  when:
+    - ansible_distribution == "Debian"
+  tags:
+    - ntp-server
+
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+  file:
+    path: /var/log/ntpsec
+    state: directory
+    owner: ntpsec
+    group: ntpsec
+    mode: '0755'
+  when:
+    - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+  command: cp /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - etc_ntpsec_conf_ORIG.stat.exists == False
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
+  template:
+    src: "etc/ntpsec/ntp.conf.j2"
+    dest: /etc/ntpsec/ntp.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart ntp
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+

roles/common/templates/etc/ntpsec/ntp.conf.j2

@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+#tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1

roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf

@@ -26,5 +26,5 @@ Domains={{ fact_resolved_domains }}
 {% if (resolved_dnssec is defined) and resolved_dnssec %}
 DNSSEC={{ resolved_dnssec }}
 {% else %}
-#Domains=
+#DNSSEC=allow-downgrade
 {% endif %}