diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index a75f9f2..cedfa55 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1159,6 +1159,48 @@ sudoers_file_group_privileges: [] acl_caching_nameserver: {} +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +#bind9_transfer_source: !!str "192.168.182.1" +bind9_transfer_source: {} + +#bind9_notify_source: !!str "192.168.182.1" +bind9_notify_source: {} + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + + # --- # vars used by roles/common/tasks/git.yml # --- diff --git a/host_vars/ga-al-gw.oopen.de.yml b/host_vars/ga-al-gw.oopen.de.yml index 25b9c35..4cf7dc4 100644 --- a/host_vars/ga-al-gw.oopen.de.yml +++ b/host_vars/ga-al-gw.oopen.de.yml 
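Review bot: Each `bind9_gateway_acl` item carries a redundant key (`- local-net:`) next to `name: local-net`; the page's indentation is collapsed, so I cannot tell whether `name`/`entries` sit beside that key or nested under it, and in the nested case the template's `acl.name` (first hunk of named.conf.options.gateway.j2) is undefined and the render fails. The extra key adds nothing either way, so I would write the item as `- name: local-net` followed by `entries:` so each list element is exactly the mapping the template iterates. The identical `local-net` block is repeated verbatim in every host_vars hunk below (ga-al-gw, ga-nh-gw, ga-st-gw-ersatz, ga-st-gw, gw-ah, gw-ebs); since Ansible replaces list variables rather than merging them, the duplication can only be removed by splitting the per-host `internaldns` entries into a second variable that the template appends. Also `bind9_transfer_source: {}` and `bind9_notify_source: {}` use an empty mapping as "unset" while the commented alternative is a string; `""` (or simply omitting the keys, which the template's `is defined` guard already handles) keeps the variable's type stable.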
@@ -335,6 +335,66 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- +apt_install_bind9_packages: true + + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - 192.168.11.1 + - 192.168.10.3 + - 192.168.10.6 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - 192.168.10.254 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + + + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +bind9_transfer_source: !!str "192.168.10.1" +bind9_notify_source: !!str "192.168.10.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + # --- # vars used by roles/common/tasks/git.yml diff --git a/host_vars/ga-nh-gw.oopen.de.yml b/host_vars/ga-nh-gw.oopen.de.yml index 4257f2f..7bc1964 100644 --- a/host_vars/ga-nh-gw.oopen.de.yml +++ b/host_vars/ga-nh-gw.oopen.de.yml 
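Review bot: The `'# Nameserver Gateway Altenschlirf'` style entries inside `internaldns` are comments smuggled in as ACL data; they only work because the template emits every entry as `{{ entry }};` and named treats `#` as a line comment, so they land in the config as `# Nameserver Gateway Altenschlirf;`, which breaks as soon as the template quotes or validates entries. A `comment:` key per ACL, or skipping entries that start with `#` in the template loop, would keep `entries` a pure address list. Note also that `internaldns` is defined here but nothing references it on this host (`bind9_gateway_allow_transfer` is `none`, queries and recursion use `local-net`), and the same byte-identical block is added in the ga-nh-gw, ga-st-gw-ersatz and ga-st-gw hunks, which argues for one shared definition rather than four copies.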
@@ -215,6 +215,63 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- +apt_install_bind9_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - 192.168.11.1 + - 192.168.10.3 + - 192.168.10.6 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - 192.168.10.254 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +bind9_transfer_source: !!str "192.168.81.1" +bind9_notify_source: !!str "192.168.81.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + # --- # vars used by roles/common/tasks/git.yml diff --git a/host_vars/ga-st-gw-ersatz.ga.netz.yml b/host_vars/ga-st-gw-ersatz.ga.netz.yml index d6c5108..3584b20 100644 --- a/host_vars/ga-st-gw-ersatz.ga.netz.yml +++ b/host_vars/ga-st-gw-ersatz.ga.netz.yml 
@@ -150,6 +150,63 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- +apt_install_bind9_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - 192.168.11.1 + - 192.168.10.3 + - 192.168.10.6 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - 192.168.10.254 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +#bind9_transfer_source: !!str "192.168.11.1" +#bind9_notify_source: !!str "192.168.11.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + # --- # vars used by roles/common/tasks/git.yml diff --git a/host_vars/ga-st-gw.oopen.de.yml b/host_vars/ga-st-gw.oopen.de.yml index 7e2bab8..2b3223e 100644 --- a/host_vars/ga-st-gw.oopen.de.yml +++ b/host_vars/ga-st-gw.oopen.de.yml 
@@ -385,6 +385,63 @@ sudo_users: # vars used by roles/common/tasks/caching-nameserver.yml # --- +apt_install_bind9_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - 192.168.11.1 + - 192.168.10.3 + - 192.168.10.6 + - '# Nameserver Gateway Altenschlirf' + - 192.168.10.1 + - 192.168.10.254 + - 172.16.0.1 + - '# Nameserver Gateway Novalishaus' + - 192.168.81.1 + - 10.2.11.2 + - '# Nameserver wolle' + - 10.113.12.3 + - '# Postfix Mailserver' + - 192.168.11.2 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - none + +bind9_transfer_source: !!str "192.168.11.1" +bind9_notify_source: !!str "192.168.11.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + # --- # vars used by roles/common/tasks/git.yml diff --git a/host_vars/gw-ah.oopen.de.yml b/host_vars/gw-ah.oopen.de.yml new file mode 100644 index 0000000..b630e5f --- /dev/null +++ b/host_vars/gw-ah.oopen.de.yml 
@@ -0,0 +1,173 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + +sshd_permit_root_login: !!str "prohibit-password" + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + +default_user: + + - name: chris + password: $6$KHaRubWiBQk1amaA$.adqxBIlrlulGGcdK1EWR0XoGiMiyRwf5LPub/MxVFbTjBrH.m3edIAV2KmO06gVGiTlHUZH3XsvtUOXIptpT0 + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: sysadm + + user_id: 1050 + group_id: 1050 + group: sysadm + password: $6$XI.g9q9bTmzqe35q$tDrpoJFBGsHrmy/mtOAQfrstgIhZEaYGt6hxfTCXI0YvAAUiHT4cJOLR6ivN0CPVNtkv8IFe7dk8NXR/1yScm. + shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + + - name: back + user_id: 1060 + group_id: 1060 + group: back + password: $6$8v0PKesHmS2Z1xIO$n2a19e2GawIvHNi9U.W4nTxjJCTDtO5AlEP082PnCdp.fw5vIMv1AA.i2RMbXH2XuMdphXU6srSV/wFmp0e0q. 
+ shell: /bin/bash + ssh_keys: + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' + +sudo_users: + - chris + - sysadm + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + +apt_install_bind9_packages: true + + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Kanzlei EBS' + - 192.168.182.1 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - internaldns + +bind9_transfer_source: !!str "192.168.100.1" +bind9_notify_source: !!str "192.168.100.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +git_firewall_repository: + name: ipt-gateway + repo: https://git.oopen.de/firewall/ipt-gateway + dest: /usr/local/src/ipt-gateway + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- + +root_user: + name: root + password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. + diff --git a/host_vars/gw-ckubu.local.netz.yml b/host_vars/gw-ckubu.local.netz.yml index eceb3c1..dac721e 100644 
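Review bot: The new host file commits SHA-512 password hashes for the `chris`, `sysadm` and `back` users and for `root_user` as plain values; they belong in an ansible-vault-encrypted file (e.g. a `vault.yml` next to this host's vars) referenced from here, and the same applies to the hashes the existing host_vars files already carry. Two nits in the same block: the flag pair `insert_ssh_keypair_backup_server` / `insert_keypair_backup_client` is inconsistently named (the `ssh_` prefix appears on one but not the other; the same pair is added to gw-ebs in the hunk below), and `default_user:` is followed by a blank line before its list, which yamllint flags. `bind9_gateway_allow_transfer: - internaldns` here permits zone transfers to the single address in that ACL on the basis of source IP alone; see the note on the gw-ebs hunk.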
--- a/host_vars/gw-ckubu.local.netz.yml +++ b/host_vars/gw-ckubu.local.netz.yml @@ -86,6 +86,9 @@ sudo_users: apt_install_bind9_packages: true +bind9_gateway_listen_on_v6: + - any + # --- # vars used by roles/common/tasks/git.yml # --- diff --git a/host_vars/gw-ebs.oopen.de.yml b/host_vars/gw-ebs.oopen.de.yml index 7a74300..3e28d4c 100644 --- a/host_vars/gw-ebs.oopen.de.yml +++ b/host_vars/gw-ebs.oopen.de.yml @@ -29,6 +29,24 @@ # vars used by roles/common/tasks/users.yml # --- +insert_ssh_keypair_backup_server: false +ssh_keypair_backup_server: + - name: backup + backup_user: back + priv_key_src: root/.ssh/id_rsa.backup.oopen.de + priv_key_dest: /root/.ssh/id_rsa + pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub + pub_key_dest: /root/.ssh/id_rsa.pub + +insert_keypair_backup_client: true +ssh_keypair_backup_client: + - name: backup + priv_key_src: root/.ssh/id_ed25519.oopen-server + priv_key_dest: /root/.ssh/id_ed25519 + pub_key_src: root/.ssh/id_ed25519.oopen-server.pub + pub_key_dest: /root/.ssh/id_ed25519.pub + target: backup.oopen.de + default_user: - name: chris 
@@ -87,6 +105,50 @@ sudo_users: apt_install_bind9_packages: true + +bind9_gateway_acl: + - local-net: + name: local-net + entries: + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 10.0.0.0/8 + - fc00::/7 + - fe80::/10 + - ::1/128 + - internaldns: + name: internaldns + entries: + - '# Nameserver Kanzlei Kiel' + - 192.168.100.1 + +bind9_gateway_listen_on_v6: + - none + +bind9_gateway_listen_on: + - any + +#bind9_gateway_allow_transfer: {} +bind9_gateway_allow_transfer: + - internaldns + +bind9_transfer_source: !!str "192.168.182.1" +bind9_notify_source: !!str "192.168.182.1" + +#bind9_gateway_allow_query: {} +bind9_gateway_allow_query: + - local-net + +#bind9_gateway_allow_query_cache: {} +bind9_gateway_allow_query_cache: + - local-net + +bind9_gateway_recursion: !!str "yes" +#bind9_gateway_allow_recursion: {} +bind9_gateway_allow_recursion: + - local-net + # --- # vars used by roles/common/tasks/git.yml # --- diff --git a/roles/common/tasks/caching-nameserver.yml b/roles/common/tasks/caching-nameserver.yml index 8e53f1d..e4ffe7e 100644 --- a/roles/common/tasks/caching-nameserver.yml +++ b/roles/common/tasks/caching-nameserver.yml @@ -90,7 +90,7 @@ - caching-nameserver when: - inventory_hostname in groups["gateway_server"] - - not file_named_conf_options.stat.exists +# - not file_named_conf_options.stat.exists # -------------------- diff --git a/roles/common/templates/etc/bind/named.conf.options.gateway.j2 b/roles/common/templates/etc/bind/named.conf.options.gateway.j2 index 9d28786..1424638 100644 --- a/roles/common/templates/etc/bind/named.conf.options.gateway.j2 +++ b/roles/common/templates/etc/bind/named.conf.options.gateway.j2 @@ -1,5 +1,14 @@ # {{ ansible_managed }} +{% if bind9_gateway_acl is defined and bind9_gateway_acl|length > 0 %} +{% for acl in bind9_gateway_acl %} +acl {{ acl.name }} { +{% for entry in acl.entries %} + {{ entry }}; +{% endfor %} +}; +{% endfor %} +{% else %} acl local-net { 127.0.0.0/8; 172.16.0.0/12; 
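Review bot: `allow-transfer` on this host is opened to `internaldns`, a single address authenticated only by its source IP, and the new gw-ah file mirrors the pairing in the other direction; presumably this is a site-to-site transfer, in which case a TSIG `key` statement with `allow-transfer { key <name>; }` ties the transfer to a shared secret rather than to an address that a misrouted or spoofed packet can present, and the template's `{{ item }};` rendering already accepts such an entry. Whether the two gateways actually serve zones to each other is not visible in this diff, so if they do not, `none` as used by the other hosts is the safer value.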
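Review bot: Commenting out `- not file_named_conf_options.stat.exists` leaves dead text inside the `when:` list; if the intent is that named.conf.options is now always rendered from the template, delete the line, and the `stat` task that registers `file_named_conf_options` too if nothing else reads it (that task is outside this hunk). The practical effect is that any hand-edited /etc/bind/named.conf.options on a gateway is overwritten on every run, which is correct once the file is fully variable-driven but deserves a comment above the task, e.g. `# named.conf.options is always regenerated; change the bind9_gateway_* vars, not the file`.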
@@ -9,6 +18,7 @@ acl local-net { fe80::/10; ::1/128; }; +{% endif %} options { directory "/var/cache/bind"; 
@@ -39,24 +49,77 @@ options { version "not currently available"; // disables all zone transfer requests - allow-transfer{"none";}; +{% if bind9_gateway_allow_transfer is defined and bind9_gateway_allow_transfer|length > 0 %} + allow-transfer { +{% for item in bind9_gateway_allow_transfer %} + {{ item }}; +{% endfor %} + }; +{% else %} + allow-transfer {"none";}; +{% endif %} +{% if bind9_transfer_source is defined and bind9_transfer_source|length > 0 %} + transfer-source {{ bind9_transfer_source }} ; +{% endif %} +{% if bind9_notify_source is defined and bind9_notify_source|length > 0 %} + notify-source {{ bind9_notify_source }} ; +{% endif %} +{% if bind9_gateway_listen_on_v6 is defined and bind9_gateway_listen_on_v6|length > 0 %} + listen-on-v6 { +{% for item in bind9_gateway_listen_on_v6 %} + {{ item }}; +{% endfor %} + }; +{% else %} listen-on-v6 { none; }; +{% endif %} +{% if bind9_gateway_listen_on is defined and bind9_gateway_listen_on|length > 0 %} + listen-on { +{% for item in bind9_gateway_listen_on %} + {{ item }}; +{% endfor %} + }; +{% else %} listen-on { any; }; +{% endif %} +{% if bind9_gateway_allow_query is defined and bind9_gateway_allow_query|length > 0 %} allow-query { - local-net; +{% for item in bind9_gateway_allow_query %} + {{ item }}; +{% endfor %} }; +{% else %} + allow-query { + any; + }; +{% endif %} +{% if bind9_gateway_allow_query_cache is defined and bind9_gateway_allow_query_cache|length > 0 %} allow-query-cache { - local-net; +{% for item in bind9_gateway_allow_query_cache %} + {{ item }}; +{% endfor %} }; +{% endif %} // caching name services +{% if bind9_gateway_recursion is defined and bind9_gateway_recursion|bool %} + recursion {{ bind9_gateway_recursion }}; +{% else %} recursion yes; - +{% endif %} +{% if bind9_gateway_allow_recursion is defined and bind9_gateway_allow_recursion|length > 0 %} + allow-recursion { +{% for item in bind9_gateway_allow_recursion %} + {{ item }}; +{% endfor %} + }; +{% else %} allow-recursion { 
local-net; }; +{% endif %} };
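Review bot: The recursion guard `{% if bind9_gateway_recursion is defined and bind9_gateway_recursion|bool %}` makes it impossible to turn recursion off: a value of `"no"` fails the `|bool` test, and the else branch emits `recursion yes;` regardless, so the variable can only ever confirm the default. Use `{% if bind9_gateway_recursion is defined %}` and render `recursion {{ 'yes' if bind9_gateway_recursion|bool else 'no' }};` so both values reach the config. Separately, the new fallback for `allow-query` is `any;` whereas the line it replaces was `local-net;`; a host whose vars do not define `bind9_gateway_allow_query` would now answer queries for its zones from any source (recursion still falls back to `local-net`), and keeping `local-net;` as the fallback preserves the previous behaviour. The `options {` block these lines live in opens outside the hunk; minor: `transfer-source {{ bind9_transfer_source }} ;` and the `notify-source` line have a stray space before the semicolon.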