diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index d6e70f9..8247d9f 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -2064,6 +2064,8 @@ sshd_use_privilege_separation: !!str "sandbox" sshd_permit_root_login: !!str "prohibit-password"
+sshd_login_grace_time: 120
+
 sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2" sshd_pubkey_authentication: !!str "yes"
diff --git a/host_vars/file-kb.anw-kb.netz.yml b/host_vars/file-kb.anw-kb.netz.yml
new file mode 100644
index 0000000..7fecfeb
--- /dev/null
+++ b/host_vars/file-kb.anw-kb.netz.yml
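Review bot: The new `sshd_login_grace_time: 120` carries no comment, and it is the only sshd setting in this hunk written as a bare integer rather than a `!!str`-tagged string, so its unit and the meaning of the special value 0 are only discoverable in the sshd_config.j2 template changed later in this commit. A one-line comment above it would save that lookup, e.g. `# seconds sshd waits for a login to complete before disconnecting; 0 disables the limit`. The value equals both sshd's built-in default and the template's `default('120')` fallback, so setting it here is redundant but harmless.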
@@ -0,0 +1,196 @@ +--- + +# --- +# vars used by roles/network_interfaces +# --- + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.2.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the 
order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - anw-km.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.122.254 + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_special_time_entries: + + - name: "Restart DNS Cache service 'systemd-resolved'" + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + +sudoers_file_user_back_mount_privileges: + - 'ALL=(root) NOPASSWD: /usr/bin/mount' + - 'ALL=(root) NOPASSWD: /usr/bin/umount' + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + + +# --- +# vars used by roles/common/tasks/samba-config-server.yml +# vars used by roles/common/tasks/samba-user.yml +# --- + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. diff --git a/host_vars/gw-kb.oopen.de.yml b/host_vars/gw-kb.oopen.de.yml new file mode 100644 index 0000000..bdc9951 --- /dev/null +++ b/host_vars/gw-kb.oopen.de.yml 
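Review bot: `resolved_domains` lists `anw-km.netz` and `resolved_fallback_nameserver` lists `172.16.122.254`, but this host is in `anw-kb.netz` (its filename, and the sibling `host_vars/lxc-host-kb.anw-kb.netz.yml` in this commit uses `anw-kb.netz` with `172.16.32.254`), while the `hosts` file lists `172.16.122.2` next to `gw-km.oopen.de`; this looks like the block was carried over from the file-km host. If the KB network values apply here, the two lines should read `  - anw-kb.netz` and `  - 172.16.32.254`. The long DNS-provider comment above `resolved_nameserver` is pasted verbatim into this file, `host_vars/gw-kb.oopen.de.yml` and `host_vars/lxc-host-kb.anw-kb.netz.yml`; keeping it once in the role's defaults would leave only the per-host addresses in host_vars. `sudoers_file_user_back_mount_privileges` lets `back` run `/usr/bin/mount` and `/usr/bin/umount` as root with no password and no argument restriction; if the backup job only needs particular mount points, naming them in the rule (or using `user` entries in fstab) keeps the grant to what the job needs.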
@@ -0,0 +1,309 @@ +--- +# --- +# vars used by roles/network_interfaces +# --- + + +# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted +network_manage_devices: True + +# Should the interfaces be reloaded after config change? +network_interface_reload: False + +network_interface_path: /etc/network/interfaces.d +network_interface_required_packages: + - vlan + - bridge-utils + - ifmetric + - ifupdown + - ifenslave + +network_interfaces: + + - device: eno1 + headline: eno1 - Uplink DSL via Fritz!Box + auto: true + family: inet + method: static + address: 172.16.32.1 + netmask: 24 + gateway: 172.16.32.254 + + + - device: eno2 + headline: eno2 - LAN + auto: true + family: inet + method: static + address: 192.168.2.254 + netmask: 24 + + + - device: eno2:ns + headline: eno2:ns - Alias on eno2 (Nameserver) + auto: true + family: inet + method: static + address: 192.168.2.1 + netmask: 32 + + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/cron.yml +# --- + +cron_user_entries: + + - name: "Check if Postfix Mailservice is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_postfix.sh + + - name: "Check if SSH service is up and running?" + minute: '*/15' + hour: '*' + job: /root/bin/monitoring/check_ssh.sh + + - name: "Check if OpenVPN service is up and running?" + minute: '*/30' + hour: '*' + job: /root/bin/monitoring/check_vpn.sh + + - name: "Check if nameservice (bind) is running?" 
+ minute: '*/10' + hour: '*' + job: /root/bin/monitoring/check_dns.sh + + - name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )" + minute: '0-59/2' + hour: '*' + job: /root/bin/monitoring/check_forwarding.sh + + - name: "Copy gateway configuration" + minute: '09' + hour: '3' + job: /root/bin/manage-gw-config/copy_gateway-config.sh ANW-KB + + +#cron_user_special_time_entries: [] +cron_user_special_time_entries: + + - name: "Check if Postfix Service is running at boot time" + special_time: reboot + job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh" + insertafter: PATH + + - name: "Restart Systemd's resolved at boottime." + special_time: reboot + job: "sleep 10 ; /bin/systemctl restart systemd-resolved" + insertafter: PATH + + - name: "Restart NTP service 'ntpsec'" + special_time: reboot + job: "sleep 15 ; /bin/systemctl restart ntpsec > /dev/null 2>&1" + insertafter: PATH + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_hostkeyalgorithms: + - ssh-ed25519 + - ssh-ed25519-cert-v01@openssh.com + - rsa-sha2-256 + - rsa-sha2-512 + - ecdsa-sha2-nistp256 + - rsa-sha2-256-cert-v01@openssh.com + - rsa-sha2-512-cert-v01@openssh.com + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert 
mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 127.0.0.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. + - anw-kb.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 194.150.168.168 + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +install_bind_packages: true + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/lxc-host-kb.anw-kb.netz.yml b/host_vars/lxc-host-kb.anw-kb.netz.yml index 51da2ab..ebc771b 100644 --- a/host_vars/lxc-host-kb.anw-kb.netz.yml +++ b/host_vars/lxc-host-kb.anw-kb.netz.yml 
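Review bot: The comment above `network_manage_devices` names `/etc/network/interfaces/interfaces.d/`, while `network_interface_path` a few lines below is `/etc/network/interfaces.d`; if the variable is right, the comment should read `# If true, all additional files in /etc/network/interfaces.d/ are deleted`. The same two keys are written `True`/`False` where the rest of this file uses lowercase booleans (`systemd_resolved: true`, `resolved_dnssec: false`, `install_bind_packages: true`); `network_manage_devices: true` and `network_interface_reload: false` keeps the file consistent and avoids yamllint's truthy warning. `ssh_keypair_backup_client` points at a private key stored under the role's files (`root/.ssh/id_ed25519.oopen-server`) that is installed as `/root/.ssh/id_ed25519` on this gateway; it is worth confirming that file is vault-encrypted rather than committed in the clear, since the diff does not show how it is stored.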
@@ -36,6 +36,76 @@ sshd_password_authentication: !!str "yes" #apt_manage_sources_list: false +# --- +# vars used by roles/common/tasks/systemd-resolved.yml +# --- + +systemd_resolved: true + +# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie +# Primäre DNS-Adresse: 38.132.106.139 +# Sekundäre DNS-Adresse: 194.187.251.67 +# +# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen +# primäre DNS-Adresse +# IPv4: 1.1.1.1 +# IPv6: 2606:4700:4700::1111 +# sekundäre DNS-Adresse +# IPv4: 1.0.0.1 +# IPv6: 2606:4700:4700::1001 +# +# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit +# primäre DNS-Adresse +# IPv4: 8.8.8.8 +# IPv6: 2001:4860:4860::8888 +# sekundäre DNS-Adresse +# IPv4: 8.8.4.4 +# IPv6: 2001:4860:4860::8844 +# +# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug +# primäre DNS-Adresse +# IPv4: 9.9.9.9 +# IPv6: 2620:fe::fe +# sekundäre DNS-Adresse +# IPv4: 149.112.112.112 +# IPv6: 2620:fe::9 +# +# OpenNIC - https://www.opennic.org/ +# IPv4: 195.10.195.195 - ns31.de +# IPv4: 94.16.114.254 - ns28.de +# IPv4: 51.254.162.59 - ns9.de +# IPv4: 194.36.144.87 - ns29.de +# IPv6: 2a00:f826:8:2::195 - ns31.de +# +# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) +# IPv4: 5.1.66.255 +# IPv6: 2001:678:e68:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# IPv4: 185.150.99.255 +# IPv6: 2001:678:ed0:f000:: +# Servername für DNS-over-TLS: dot.ffmuc.net +# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) +resolved_nameserver: + - 192.168.2.1 + +# search domains +# +# If there are more than one search domains, then specify them here in the order in which +# the resolver should also search them +# +#resolved_domains: [] +resolved_domains: + - ~. 
+ - anw-kb.netz + +resolved_dnssec: false + +# dns.as250.net: 194.150.168.168 +# +resolved_fallback_nameserver: + - 172.16.32.254 + + # --- # vars used by roles/common/tasks/users.yml # --- @@ -60,6 +130,8 @@ default_user: password: $6$E/CfbXkLGX4ybZF1$2HGWN1OoNUtc8qiMH1KRY8KR59lF80ODLhHYobuW3VNxNhGCsF7Uze5Ef2WQaR3.LZaz4qLK418HXCFFpuO8/. shell: /bin/bash ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - name: localadmin user_id: 1051 
@@ -69,8 +141,6 @@ default_user: ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFkl+5aVg4l40bxmf6k2dpopV8oAXyLhGGmKfzspW3GTfD29WjhuGS/mefrqr3tZRYrybPA5GDQ1QdwwRL16+6xfjAt/B62p3dMXnjsHalk74DTcQCZDlsj0UxTV1+gfOYzcB/CAqRd2wtB+vqGWRP+oGP3E7AIgoBlE44MaEDDuMP0Vvm8hNQ5N+/3zcrE626yDHAa4qmOd5d+J/HWrHLeJ4915g9VcCYCNGCgepb//4RdCpzEqUJiBGwihb/iJk3RoHcAv3L+tht8vmBF7Wz0iJ9BtLRTsJGFCkET0i50E18mU3bfaa7ov/PY/+UcE8FZSWZcoZ6AtmoBy0Zg2mp6/F9serfe67qtILNAbWD+qNRC7GjW3c5UvF5GJM6WvG8OZRvwarovZOU8uw1NLL3unY8O1bdihXmCXatXz+MvHCOvmZekUolKMBu7mziH5wificprUY9YeGX1FHVh4/hsL04zZdu/Q8Rr/BxM8+mJCCPsrkEoNnZNJfxCSwynd3jjqkhBpzZkEW9EGDBG5qnx4f6QPtcf/sv7eoNjzhEUs5k9GstbgW0ZD6381Ws/EpIdRbZUl52wFXalE8N/Z9hU6vfBC1xk0DIardUkZk+6lTsS8orBZkmPDNhX5hT8nmwNszQI0WgHPs+xDAdFskMcB/j20G5NupZm+2QgNXoww== jonas@meurer.it' - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCzd5rFYvV5/V2NZE4jxL09qZ4TTsgmhbfSHpsj9wX89+j7ZrfTAkAkAFxyrWs8FR3CQ11DGkrXW059a0ppRQ7R8bUW9CniXS/RaRAvqX9AMM9Xo/lmL4pXNM0sV4nHJWphi5Bc+zTIM2I4PSbHYw+5dDnj8ZIQ8ucBff+k29Zd90JRuKx72tk0pQNf7sQbWVKNCT/B4g4MJV84NvnO+ExCWvGM95Cy5NCTnQfO94/OSkN72R//tIR7Nd/aK7hEj69MoVJZrFy4qzE9KskLhKeUYCqoz86XOQ6Dfag/B2adTeG3r9DEacG3ao/ACZKQChj0X12LEV/PZUHLORqYpWIwMuIx54vhbxarSwlKhoOCv1XQJwo9BTavMhFNsMtZpAJYdvAakRCbf18bDrHyqYYqjAyYOp+L+G+wlSh3tz0qQL8aAnaV3RPN0fDd7Zu1dpMGAM2gMnBEMJ+k82V7EtACp1jf37LW11Lbv2o+dRUJEgsrU9TNGxaGSTWqGc65TuP9PUfDXq1ZNOPQWSK/KseqB0WUx6ePfZzkgkr7kGXT/d9hUSCq2+iprhfwQpYLcXE9XtCdo1aivIKQ8zCuR44q11HePyNtEMaJfq33p4uDTVOy7UOtuACzSbk6vs7h6h8CUGPwU9aw+PRiWY4Jdm0caJ8trFfH1R8XaIe3SaUEw== t@NB-003258-RLS' - name: back user_id: 1060 diff --git a/host_vars/mail-neu.cadus.org.yml b/host_vars/mail-neu.cadus.org.yml index 895122d..09b9fa5 100644 --- a/host_vars/mail-neu.cadus.org.yml +++ b/host_vars/mail-neu.cadus.org.yml 
@@ -150,8 +150,8 @@ copy_plain_files_postfwd_host_specific: # --- hostname: mail.cadus.org
-ipv4_address: 135.181.22.153
-ipv6_address: 2a01:4f9:4b:46d1::153
+ipv4_address: 135.181.22.161
+ipv6_address: 2a01:4f9:4b:46d1::161
 admin_email: it@cadus.org is_relay_host: !!str "false"
diff --git a/host_vars/mail.cadus.org.yml b/host_vars/mail.cadus.org.yml
index 35f0aca..f9666f1 100644
--- a/host_vars/mail.cadus.org.yml
+++ b/host_vars/mail.cadus.org.yml
@@ -220,8 +220,8 @@ copy_plain_files_postfwd_host_specific: # --- hostname: mail.cadus.org
-ipv4_address: 135.181.22.153
-ipv6_address: 2a01:4f9:4b:46d1::153
+ipv4_address: 135.181.22.161
+ipv6_address: 2a01:4f9:4b:46d1::161
 admin_email: admin@cadus.org is_relay_host: !!str "false"
diff --git a/host_vars/o32.oopen.de.yml b/host_vars/o32.oopen.de.yml
index 25f3229..d7e615b 100644
--- a/host_vars/o32.oopen.de.yml
+++ b/host_vars/o32.oopen.de.yml
@@ -138,6 +138,8 @@ network_interfaces: # vars used by roles/common/tasks/sshd.yml # ---
+sshd_login_grace_time: 0
+
 # --- # vars used by roles/common/tasks/apt.yml
diff --git a/host_vars/web-09.oopen.de.yml b/host_vars/web-09.oopen.de.yml
index cb5bd7d..f76878a 100644
--- a/host_vars/web-09.oopen.de.yml
+++ b/host_vars/web-09.oopen.de.yml
@@ -19,6 +19,8 @@ # vars used by roles/common/tasks/sshd.yml # ---
+#sshd_login_grace_time: 0
+
 # --- # vars used by roles/common/tasks/apt.yml
diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml
index 544309c..496372e 100644
--- a/host_vars/zapata.opp.netz.yml
+++ b/host_vars/zapata.opp.netz.yml
@@ -248,6 +248,12 @@ samba_groups: samba_user:
+ - name: alba
+ groups:
+ - buero
+ - beratung
+ password: '4l#3a=behandlg'
+
 - name: almut groups: - buero
@@ -328,6 +334,12 @@ samba_user: - beratung password: 'Jul14n_2018'
+ - name: juliana
+ groups:
+ - buero
+ - beratung
+ password: '24-Jul!ana#OPP'
+
 - name: junia groups: - buero
diff --git a/hosts b/hosts
index 0ce66c8..794fd03 100644
--- a/hosts
+++ b/hosts
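Review bot: `sshd_login_grace_time: 0` switches LoginGraceTime off on o32.oopen.de, so sshd never drops a connection that stays in the authentication phase; each such connection then holds one of the MaxStartups slots for as long as the peer keeps the socket open, which is exactly what the grace timer is there to bound. If a slow or interactive login flow on this host needs it, a comment giving that reason would stop the next reader from "fixing" it back, e.g. `# 0 = no LoginGraceTime limit, needed for <reason>`; otherwise a generous finite value such as `sshd_login_grace_time: 600` keeps the bound. The same setting is added commented out in `host_vars/web-09.oopen.de.yml` in this commit, which is fine as a reminder but has no effect.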
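Review bot: The new `samba_user` entries for `alba` and `juliana` (this hunk and the one at `@@ -328,6 +334,12 @@`) put the users' passwords in clear text into a git-tracked file, as the surrounding entries already do; anyone with read access to the repository or its history obtains the credentials, and rotating them later still leaves the old values in history. If the samba role needs the plain value, store it with ansible-vault (`password: !vault |` followed by the encrypted block) or move `samba_user` into a vaulted vars file, so the checked-in text carries no usable secret. The `default_user` entries elsewhere in this commit use crypt hashes instead, so the two kinds of file currently follow different policies.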
@@ -59,6 +59,7 @@ file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz
+file-kb.anw-kb.netz
 file-blkr.blkr.netz zapata.opp.netz
@@ -187,6 +188,7 @@ cloud.akweb.de # o31.oopen.de - Cadus e.V. o31.oopen.de mail.cadus.org
+135.181.22.161
 web.cadus.org wiki.cadus.org
@@ -361,6 +363,7 @@ cloud.akweb.de # o31.oopen.de - Cadus e.V. o31.oopen.de mail.cadus.org
+135.181.22.161
 web.cadus.org wiki.cadus.org
@@ -452,6 +455,7 @@ gw-irights.oopen.de gw-km.oopen.de 172.16.122.2 file-km.anw-km.netz
+file-kb.anw-kb.netz
 # - Kanzlei BLKR gw-blkr.oopen.de
@@ -589,6 +593,7 @@ o20.oopen.de web.cadus.org wiki.cadus.org mail.cadus.org
+135.181.22.161
 # o22.oopen.de oolm-shop-dev.oopen.de
@@ -814,6 +819,7 @@ test.mx.oopen.de # o31.oopen.de mail.cadus.org
+135.181.22.161
 # o27.oopen.de mail.faire-mobilitaet.de
@@ -961,6 +967,7 @@ cloud.akweb.de web.cadus.org wiki.cadus.org mail.cadus.org
+135.181.22.161
 # etventure o32.oopen.de
@@ -1109,6 +1116,7 @@ test.mx.oopen.de # o31.oopen.de mail.cadus.org
+135.181.22.161
 # o27.oopen.de
@@ -1199,6 +1207,7 @@ file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz
+file-kb.anw-kb.netz
 file-blkr.blkr.netz zapata.opp.netz
@@ -1291,6 +1300,7 @@ lxc-host-kb.anw-kb.netz bbb-server.b3-bornim.netz file-ah.kanzlei-kiel.netz file-km.anw-km.netz
+file-kb.anw-kb.netz
 file-blkr.blkr.netz zapata.opp.netz
@@ -1344,6 +1354,7 @@ test.mariadb.oopen.de # - o31.oopen.de mail.cadus.org
+135.181.22.161
 web.cadus.org wiki.cadus.org
@@ -1430,6 +1441,7 @@ file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz
+file-kb.anw-kb.netz
 file-blkr.blkr.netz zapata.opp.netz
@@ -1528,6 +1540,7 @@ o20.oopen.de # - o31.oopen.de o31.oopen.de mail.cadus.org
+135.181.22.161
 web.cadus.org wiki.cadus.org
@@ -1633,6 +1646,7 @@ file-ah.kanzlei-kiel.netz file-ebs.ebs.netz file-fhxb.fhxb.netz file-km.anw-km.netz
+file-kb.anw-kb.netz
 file-blkr.blkr.netz zapata.opp.netz
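Review bot: `135.181.22.161` is added as a bare inventory host next to `mail.cadus.org` in every group that lists the mail host (the hunks at `@@ -187`, `@@ -361`, `@@ -589`, `@@ -814`, `@@ -961`, `@@ -1109`, `@@ -1344` and `@@ -1528`), and no `host_vars/135.181.22.161.yml` is part of this commit, so plays on those groups will run against the address with group defaults only and, once `mail.cadus.org` resolves to it (`host_vars/mail.cadus.org.yml` now sets `ipv4_address: 135.181.22.161`), twice on the same machine. If the address is only meant to reach the new box before DNS is switched, a single entry such as `mail.cadus.org ansible_host=135.181.22.161` keeps one inventory host together with its host_vars. If it is intended as a separate host, a comment next to it saying so would help the next reader.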
diff --git a/roles/common/files/b.mx/etc/postfix/relay_domains b/roles/common/files/b.mx/etc/postfix/relay_domains
index 58fa217..59d56aa 100644
--- a/roles/common/files/b.mx/etc/postfix/relay_domains
+++ b/roles/common/files/b.mx/etc/postfix/relay_domains
@@ -1,5 +1,9 @@
 # *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+## - cadus.org
+## -
+cadus.org :[mail.cadus.org]
+
 ## - a.mx.oopen.de ## - ## - create relay-domain list for host a.mx.oopen.de:
diff --git a/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets
index 02ef1ed..3afdf0f 100644
--- a/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets
+++ b/roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets
@@ -16,3 +16,7 @@ # d.mx.oopen.de (listen server) 95.217.204.227 2a01:4f9:4a:47e5::227
+
+# b.mx.oopen.de
+162.55.82.73/32
+2a01:4f8:271:1266::73
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts b/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
index c425a4e..e4b3a28 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
@@ -20,3 +20,9 @@ # give truested hostnames here
+# host b.mx.oopen.de
+^b\.mx\.oopen\.de$
+
+# host d.mx.oopen.de
+^d\.mx\.oopen\.de$
+
diff --git a/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets b/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
index 02ef1ed..3afdf0f 100644
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
@@ -16,3 +16,7 @@ # d.mx.oopen.de (listen server) 95.217.204.227 2a01:4f9:4a:47e5::227
+
+# b.mx.oopen.de
+162.55.82.73/32
+2a01:4f8:271:1266::73
diff --git a/roles/common/templates/etc/ssh/sshd_config.j2 b/roles/common/templates/etc/ssh/sshd_config.j2
index 8354d57..e564705 100644
--- a/roles/common/templates/etc/ssh/sshd_config.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.j2
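Review bot: The new entry `cadus.org :[mail.cadus.org]` carries a nexthop on its right-hand side, but when a file like this is consumed as a `relay_domains` lookup table Postfix only matches the left-hand key and ignores the lookup result, so the `[mail.cadus.org]` part has no effect here and the routing has to come from the transport map. How this file is wired into `main.cf` is not visible in the diff; if it is in fact used as a transport map, the syntax is right and only the filename and the "create relay-domain list" comments are misleading. A short comment above the entry stating which of the two it is would settle that for the next reader.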
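Review bot: `162.55.82.73/32` is the only IPv4 entry in this hunk written with a prefix length; the existing d.mx entry `95.217.204.227` and the new IPv6 line `2a01:4f8:271:1266::73` are bare addresses, so either `162.55.82.73` or an explicit prefix on every entry would make the whitelist uniform and easier to grep. The identical four lines are added to both `roles/common/files/mail.cadus/etc/postfix/postfwd.wl-nets` and `roles/common/files/mailserver/etc/postfix/postfwd.wl-nets`; if the two copies are meant to stay in sync, a comment in each naming the other (or generating one from the other) lowers the chance that the next change lands in only one of them.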
@@ -89,7 +89,7 @@ UsePrivilegeSeparation {{ sshd_use_privilege_separation }} # The server disconnects after this time if the user has not # successfully logged in. # The default is 120 seconds.
-LoginGraceTime 120
+LoginGraceTime = {{ sshd_login_grace_time | default('120') }}
 # Specifies whether root can log in using ssh(1). # The default is "yes".
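Review bot: `LoginGraceTime = {{ sshd_login_grace_time | default('120') }}` is the only directive in this hunk written with `=`; the context line `UsePrivilegeSeparation {{ sshd_use_privilege_separation }}` and the replaced `LoginGraceTime 120` use the whitespace form, and although sshd_config accepts a single `=`, mixing the two styles in one generated file makes it harder to grep and review. `LoginGraceTime {{ sshd_login_grace_time | default('120') }}` keeps the file uniform. Since `host_vars/o32.oopen.de.yml` in this commit sets the variable to `0`, the comment block above (`# The default is 120 seconds.`) could add `# A value of 0 disables the timeout.` so readers of the rendered file see what that value means.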