diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 63d22db..2052520 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -665,7 +665,9 @@ apt_remove:
 apt_remove_purge: false
-microcode_package: intel-microcode
+microcode_package:
+ - intel-microcode
+ - amd64-microcode
 # ---
diff --git a/hosts b/hosts
index 268a898..514d766 100644
--- a/hosts
+++ b/hosts
@@ -789,9 +789,7 @@ o13-mail.oopen.de
 o13-web.oopen.de
 # o14.oopen.de
-a.mx.oopen.de
 d.mx.oopen.de
-e.mx.oopen.de
 www2.oopen.de
 # o15.oopen.de
diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml
index fab55b4..73f1239 100644
--- a/roles/modify-ipt-gateway-ro/tasks/main.yml
+++ b/roles/modify-ipt-gateway-ro/tasks/main.yml
@@ -198,6 +198,7 @@
 - alfaview_video_conference_out_ipv6_present is changed
+
 # ---
 # Allow local services from ALL extern netwoks
 # ---
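Review bot: `microcode_package` turns from a scalar into a list here, so the task that installs it (outside this hunk) must accept a list — the `apt` module's `name:` does, but a `package:`/`command:` use or a string context such as `apt-get install {{ microcode_package }}` would now receive the list's Python representation. Installing both `intel-microcode` and `amd64-microcode` on every host is fine in itself (the kernel only applies the blob for its own CPU vendor), but on Debian both packages sit in the non-free (bookworm: non-free-firmware) component, so the role should make sure that component is enabled before the install task or it fails on hosts with a main-only sources list. A one-line comment above the list would spare the next reader the question, e.g. `# both vendors' packages; only the one matching the CPU is loaded at boot (needs non-free / non-free-firmware)`.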
@@ -288,6 +289,130 @@
 - allow_all_ext_traffic_to_local_service_ipv6_present is changed
+
+# ---
+# Allow extern services / networks
+# ---
+
+- name: Check if String 'allow_to_ext_service..' (IPv4) is present
+ shell: grep -q -E "^allow_to_ext_service=" /ro/etc/ipt-firewall/main_ipv4.conf
+ register: allow_to_ext_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "allow_to_ext_service_ipv4_present.rc > 1"
+ changed_when: "allow_to_ext_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_to_ext_service)
+ blockinfile:
+ path: /ro/etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*allow_local_net_to_ext_net'
+ block: |
+
+ # =============
+ # - Allow extern service
+ # =============
+
+ # - allow_to_ext_service
+ # -
+ # - allow_to_ext_service=" [ext-ip:port:protocol> [.."
+ # -
+ # - All traffic to the given (extern) service is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_service="83.223.86.98:3306:tcp
+ # - 83.223.86.98:10194:udp"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_service=""
+
+
+
+ # =============
+ # - Allow extern network
+ # =============
+
+ # - allow_to_ext_net
+ # -
+ # - Allow all traffic to given extern network
+ # -
+ # - allow_to_ext_net=" [ [.."
+ # -
+ # - All traffic to the given (extern) network is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_net="83.223.86.98/32
+ # - 83.223.86.101/32
+ # - 192.68.11.81/27"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_net=""
+ marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - allow_to_ext_service_ipv4_present is changed
+
+- name: Check if String 'allow_to_ext_service..' (IPv6) is present
+ shell: grep -q -E "^allow_to_ext_service=" /ro/etc/ipt-firewall/main_ipv6.conf
+ register: allow_to_ext_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "allow_to_ext_service_ipv6_present.rc > 1"
+ changed_when: "allow_to_ext_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_to_ext_service)
+ blockinfile:
+ path: /ro/etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*allow_local_net_to_ext_net'
+ block: |
+
+ # =============
+ # - Allow extern service
+ # =============
+
+ # - allow_to_ext_service
+ # -
+ # - Allow all traffic to given extern service
+ # -
+ # - allow_to_ext_service=" [ext-ip,port,protocol> [.."
+ # -
+ # - All traffic to the given (extern) service is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_service="2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
+ # - 2a01:30:0:13:211:84ff:feb7:7f9c,10194,tcp"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_service=""
+
+
+
+ # =============
+ # - Allow extern network
+ # =============
+
+ # - allow_to_ext_net
+ # -
+ # - Allow all traffic to given extern network
+ # -
+ # - allow_to_ext_net=" [ [.."
+ # -
+ # - All traffic from the given (local) network to the given (extern) network is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_net="2a01:30:0:13:211:84ff:feb7:7f9c/64
+ # - 2001:678:a40:3000::/64"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_net=""
+ marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - allow_to_ext_service_ipv6_present is changed
+
+
+
 # ---
 # Epson Network Scanner
 # ---
diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml
index 70c9dbc..ea1d8b6 100644
--- a/roles/modify-ipt-gateway/tasks/main.yml
+++ b/roles/modify-ipt-gateway/tasks/main.yml
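Review bot: Both `marker:` values in this hunk omit the `{mark}` placeholder, so blockinfile writes an identical line as BEGIN and END marker and cannot delimit the block on a later run; the tasks stay idempotent only because the preceding grep check skips them once `allow_to_ext_service=` is present, and a rerun after that line is removed by hand would most likely leave the old block in place and add a second copy. Use a distinct pair such as `marker: "# {mark} Marker set by modify-ipt-gateway-ro.yml (allow_to_ext_service)"`, which also stops the ro role stamping the other role's name into `/ro/etc/ipt-firewall/main_ipv*.conf`. The two grep tasks only read state, so `command:` (no shell features are used) with `changed_when: false` and `check_mode: false`, gating each blockinfile on `allow_to_ext_service_ipv4_present.rc == 1` instead of `is changed`, would stop a missing variable showing up as a spurious change and would let `--check` runs preview the insertion, which today they cannot because a skipped shell task never registers as changed. I can't see from this hunk whether the neighbouring tasks use the same marker and `is changed` pattern; if so, the same fix applies to them.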
@@ -338,6 +338,128 @@
 - allow_all_ext_traffic_to_local_service_ipv6_present is changed
+# ---
+# Allow extern services / networks
+# ---
+
+- name: Check if String 'allow_to_ext_service..' (IPv4) is present
+ shell: grep -q -E "^allow_to_ext_service=" /etc/ipt-firewall/main_ipv4.conf
+ register: allow_to_ext_service_ipv4_present
+ when: main_ipv4_exists.stat.exists
+ failed_when: "allow_to_ext_service_ipv4_present.rc > 1"
+ changed_when: "allow_to_ext_service_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_to_ext_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv4.conf
+ insertafter: '^#?\s*allow_local_net_to_ext_net'
+ block: |
+
+ # =============
+ # - Allow extern service
+ # =============
+
+ # - allow_to_ext_service
+ # -
+ # - allow_to_ext_service=" [ext-ip:port:protocol> [.."
+ # -
+ # - All traffic to the given (extern) service is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_service="83.223.86.98:3306:tcp
+ # - 83.223.86.98:10194:udp"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_service=""
+
+
+
+ # =============
+ # - Allow extern network
+ # =============
+
+ # - allow_to_ext_net
+ # -
+ # - Allow all traffic to given extern network
+ # -
+ # - allow_to_ext_net=" [ [.."
+ # -
+ # - All traffic to the given (extern) network is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_net="83.223.86.98/32
+ # - 83.223.86.101/32
+ # - 192.68.11.81/27"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_net=""
+ marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)"
+ when:
+ - main_ipv4_exists.stat.exists
+ - allow_to_ext_service_ipv4_present is changed
+
+
+- name: Check if String 'allow_to_ext_service..' (IPv6) is present
+ shell: grep -q -E "^allow_to_ext_service=" /etc/ipt-firewall/main_ipv6.conf
+ register: allow_to_ext_service_ipv6_present
+ when: main_ipv6_exists.stat.exists
+ failed_when: "allow_to_ext_service_ipv6_present.rc > 1"
+ changed_when: "allow_to_ext_service_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_to_ext_service)
+ blockinfile:
+ path: /etc/ipt-firewall/main_ipv6.conf
+ insertafter: '^#?\s*allow_local_net_to_ext_net'
+ block: |
+
+ # =============
+ # - Allow extern service
+ # =============
+
+ # - allow_to_ext_service
+ # -
+ # - Allow all traffic to given extern service
+ # -
+ # - allow_to_ext_service=" [ext-ip,port,protocol> [.."
+ # -
+ # - All traffic to the given (extern) service is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_service="2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
+ # - 2a01:30:0:13:211:84ff:feb7:7f9c,10194,tcp"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_service=""
+
+
+
+ # =============
+ # - Allow extern network
+ # =============
+
+ # - allow_to_ext_net
+ # -
+ # - Allow all traffic to given extern network
+ # -
+ # - allow_to_ext_net=" [ [.."
+ # -
+ # - All traffic from the given (local) network to the given (extern) network is allowed
+ # -
+ # - Example:
+ # - allow_to_ext_net="2a01:30:0:13:211:84ff:feb7:7f9c/64
+ # - 2001:678:a40:3000::/64"
+ # -
+ # - Blank separated list
+ # -
+ allow_to_ext_net=""
+ marker: "# Marker set by modify-ipt-gateway.yml (allow_to_ext_service)"
+ when:
+ - main_ipv6_exists.stat.exists
+ - allow_to_ext_service_ipv6_present is changed
+
 # ---
 # Epson Network Scanner
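Review bot: The IPv6 `allow_to_ext_net` description in this hunk still says `All traffic from the given (local) network to the given (extern) network is allowed`, wording carried over from the `allow_local_net_to_ext_net` variable it is inserted after, and its example `2a01:30:0:13:211:84ff:feb7:7f9c/64` is a host address with a /64 mask, which documents opening the whole /64 rather than that host. Replace the sentence with `# - All traffic to the given (extern) network is allowed` as in the IPv4 block and use a real prefix such as `2a01:30:0:13::/64` (or `/128` for a single host) in the example. The IPv4 service block is also missing the one-line summary its IPv6 twin has, `# - Allow all traffic to given extern service`. Since `allow_to_ext_net` whitelists every port and protocol towards the listed networks, a caveat in the inserted comment would steer operators to the narrower option: `# - NOTE: this opens all ports and protocols towards the network; prefer allow_to_ext_service with an explicit port/protocol where possible`. The same text is duplicated in the modify-ipt-gateway-ro role, so both copies need the fix.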