From e1f5243d11e75ddfdb2ba5b3134b9b54ec0e8485 Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 23 Sep 2025 18:04:54 +0200 Subject: [PATCH] update.. --- host_vars/zapata.opp.netz.yml | 6 +++ hosts | 3 -- roles/modify-ipt-gateway/tasks/main.yml | 70 ++++++++++++++----------- 3 files changed, 46 insertions(+), 33 deletions(-) diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index 84ed7f2..1adaccc 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -260,6 +260,12 @@ samba_user: 6631333038306462610a356535633265633563633962333137326533633834636331343562633765 3631 + - name: carlotta + groups: + - buero + - beratung + password: '20_car-lotta.25%' + - name: cristina groups: - buero diff --git a/hosts b/hosts index e7b1bf5..dd8d312 100644 --- a/hosts +++ b/hosts @@ -41,7 +41,6 @@ gw-123.oopen.de gw-ah.oopen.de gw-ak.oopen.de gw-akb.oopen.de -172.16.82.2 gw-dissens.oopen.de gw-ebs.oopen.de gw-fm.oopen.de @@ -495,7 +494,6 @@ gw-ak.oopen.de # AKB gw-akb.oopen.de -172.16.82.2 # Dissens gw-dissens.oopen.de @@ -1888,7 +1886,6 @@ gw-elster.oopen.de gw-blkr.oopen.de gw-ak.oopen.de gw-akb.oopen.de -172.16.82.2 gw-dissens.oopen.de gw-ckubu.local.netz gw-flr.oopen.de diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index e9d956b..27c8442 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml 
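Review bot: The new `carlotta` entry in `host_vars/zapata.opp.netz.yml` commits the Samba password as a clear-text scalar, while the entry directly above it in the hunk ends in what looks like ansible-vault ciphertext. Anyone with read access to the repository or its history now holds that credential, so it should be treated as exposed and replaced rather than only encrypted after the fact. Store the replacement the same way as the neighbouring entries, e.g. generate it with `ansible-vault encrypt_string` and commit it as `password: !vault |` followed by the ciphertext block. The value also appears to follow a name-and-year pattern, so a randomly generated password would be the safer replacement. The `samba_user` list starts and ends outside this hunk, so other entries could not be checked for the same problem.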
@@ -141,52 +141,62 @@ # Add additional SMTP ports OUT # --- -- name: Check if String 'smtpd_additional_outgoung_ports..' (IPv4) is present - shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv4.conf - register: smtpd_additional_outgoung_ports_ipv4_present +- name: Check if String 'allow_ipmi_request_in..' (IPv4) is present + shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv4.conf + register: allow_ipmi_request_in_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 1" - changed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 0" + failed_when: "allow_ipmi_request_in_ipv4_present.rc > 1" + changed_when: "allow_ipmi_request_in_ipv4_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service) +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_ipmi_request_in) blockinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*mail_user_ports' + insertafter: '^#?\s*ipmi_tcp_ports=' block: | - - # Additional Ports for outgoing smtp traffic - # - # blank separated list of ports - # - smtpd_additional_outgoung_ports="" - marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" + # - Allow Access to IPMI Interfaces from outside + # - + # - Note: + # - In addition, ports + # - + # - TCP :443, 3520, 5900 + # - UDP: 623 + # - + # - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox). + # - + allow_ipmi_request_in=false + marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)" when: - main_ipv4_exists.stat.exists - - smtpd_additional_outgoung_ports_ipv4_present is changed + - allow_ipmi_request_in_ipv4_present is changed -- name: Check if String 'smtpd_additional_outgoung_ports..' 
(IPv6) is present - shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv6.conf - register: smtpd_additional_outgoung_ports_ipv6_present +- name: Check if String 'allow_ipmi_request_in..' (IPv6) is present + shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv6.conf + register: allow_ipmi_request_in_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 1" - changed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 0" + failed_when: "allow_ipmi_request_in_ipv6_present.rc > 1" + changed_when: "allow_ipmi_request_in_ipv6_present.rc > 0" -- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (FreeIPA Service) +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_ipmi_request_in) blockinfile: path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*mail_user_ports=' + insertafter: '^#?\s*ipmi_tcp_ports=' block: | - - # Additional Ports for outgoing smtp traffic - # - # blank separated list of ports - # - smtpd_additional_outgoung_ports="" - marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" + # - Allow Access to IPMI Interfaces from outside + # - + # - Note: + # - In addition, ports + # - + # - TCP :443, 3520, 5900 + # - UDP: 623 + # - + # - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox). + # - + allow_ipmi_request_in=false + marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)" when: - main_ipv6_exists.stat.exists - - smtpd_additional_outgoung_ports_ipv6_present is changed + - allow_ipmi_request_in_ipv6_present is changed # ---
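Review bot: Both new `blockinfile` tasks (IPv4 and IPv6) set a `marker` without the `{mark}` placeholder, so the begin and end marker lines are identical and the module cannot delimit the block. The Ansible documentation warns that such a marker may cause the block to be inserted again on later runs, and here only the preceding `grep` guard prevents that. I would write `marker: "# {mark} Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)"` in both tasks. The context comment above the tasks still reads `# Add additional SMTP ports OUT` although they now manage `allow_ipmi_request_in`, so that header should be updated to match; the section continues outside the hunk. Shipping the option as `false` is the right default for a setting that opens BMC access from outside, and the inserted comment block could say that the router forwarding it describes belongs only on hosts where the option is deliberately enabled.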