Compare commits


20 Commits

Author SHA1 Message Date
f9652dbbf9 update.. 2026-02-10 11:54:07 +01:00
b6097221e7 update-- 2026-02-09 14:23:32 +01:00
8fe4047694 update.. 2026-02-04 23:25:58 +01:00
a41467f6d4 replace more deprecated code. 2026-02-01 14:49:41 +01:00
6b2dd6b0bf Fix error on debian.sources file. 2026-02-01 14:49:05 +01:00
4e06ed01aa get rid of deprecated code. 2026-02-01 12:30:58 +01:00
1feef826b7 update.. 2026-01-23 13:01:28 +01:00
41f3af3e4f update.. 2026-01-22 11:27:38 +01:00
6e9cb4a88a update.. 2025-12-19 11:38:46 +01:00
d28e0fc6a5 update.. 2025-12-16 10:28:54 +01:00
b9144ea2b6 update.. 2025-12-15 22:01:57 +01:00
179d494aab backup.oopen.de.yml: add public key from o18.oopen.de . 2025-12-12 16:26:15 +01:00
871ad4f4a6 o18.oopen.de.yml: fix error in adding route to br0. 2025-12-12 16:01:41 +01:00
aa5aec673d correct outdated code. 2025-12-12 16:01:06 +01:00
e6573732b2 Merge branch 'master' of git.oopen.de:ansible/oopen-server 2025-12-12 14:25:53 +01:00
f2c4794a8f Add hosts 'o10.oopen.de' and 'cl-exil.oopen.de'. 2025-12-12 14:25:21 +01:00
97c0f7508a scripts/install-ulogd.yml: correct outdated code. 2025-12-12 14:24:47 +01:00
b50b97e240 host_vars/backup.oopen.de.yml: add host ssh key from 'nd-gate.ndhosting.de' to support borg2 backup. 2025-12-10 18:08:31 +01:00
6bcc70e8e2 backup.oopen.de.yml: add host 'ga-gh-gw' 2025-12-01 14:14:03 +01:00
96737dc01e zapata.opp.netz.yml: Add new user account. 2025-12-01 12:32:38 +01:00
63 changed files with 1226 additions and 6101 deletions


@@ -53,8 +53,7 @@ __hostname="${__hostname%.*}"
__hostname="${__hostname%.*}" __hostname="${__hostname%.*}"
if [ "$color_prompt" = yes ]; then if [ "$color_prompt" = yes ]; then
#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' #PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@${__hostname}\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' #PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@${__hostname}:\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@${__hostname}\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '
PS1='${debian_chroot:+($debian_chroot)}\[\033[32m\]\u@${__hostname}\[\033[00m\]:\[\033[37m\]\w\[\033[00m\]\$ ' PS1='${debian_chroot:+($debian_chroot)}\[\033[32m\]\u@${__hostname}\[\033[00m\]:\[\033[37m\]\w\[\033[00m\]\$ '
else else
#PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' #PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '


@@ -745,7 +745,6 @@ apt_initial_install_trixie:
- patchutils - patchutils
- perl - perl
- perl-doc - perl-doc
- perl-modules
- psmisc - psmisc
- quota - quota
- quotatool - quotatool
@@ -1723,6 +1722,94 @@ apt_webserver_pkgs:
- expect-dev - expect-dev
- libexpect-perl - libexpect-perl
- poppler-utils - poppler-utils
- weasyprint
apt_webserver_pkgs_trixie:
- libdb-dev
- zlib1g
- zlib1g-dev
- libssl-dev
- libneon27-dev
- libxml2
- libxml2-dev
- curl
- libcurl4-openssl-dev
- libqdbm-dev
- libgdbm-dev
- libpspell-dev
- libjpeg-dev
- libpng-dev
- libxpm-dev
- libfreetype6-dev
- libwmf-dev
- libtiff-dev
- libpaper-dev
- libmagic-dev
- libgraphics-magick-perl
- libgraphicsmagick++1-dev
- libgraphicsmagick-q16-3
- libgraphicsmagick1-dev
- libgraphviz-dev
- libgsf-1-dev
- libilmbase-dev
- libvpx-dev
- vpx-tools
- libgpm-dev
- libkpathsea-dev
- libopenexr-dev
- librsvg2-dev
- libdjvulibre-dev
- libatm-dev
- libexpat-dev
- imagemagick
- graphicsmagick
- exif
- libexiv2-dev
- re2c
- netpbm
- libnetpbm-dev
- libmcrypt-dev
- mcrypt
- default-libmysqlclient-dev
- libpq-dev
- postgresql-client
- libreadline-dev
- libncurses-dev
- libdb5.3
- libdb5.3++
- libdb5.3++-dev
- libdb5.3-dev
- libxslt1-dev
- libpcre2-dev
- libicu-dev
- libtidy-dev
- libmm-dev
- libgmp-dev
- libkrb5-dev
- libldap-dev
- libmhash-dev
- libgd-dev
- liblua5.3-dev
- libapr1-dev
- libaprutil1-dev
- libsctp-dev
- libcrypto++-dev
- ffmpeg
- libmagickwand-dev
- libgeoip-dev
- libaio-dev
- tk-dev
- tcl-dev
- tclreadline
- expect
- expect-dev
- libexpect-perl
- poppler-utils
- weasyprint
# - libc-client2007e-dev
# - libc-client-dev
install_postgresql_pkgs: false install_postgresql_pkgs: false
apt_postgresql_pkgs: apt_postgresql_pkgs:
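Review bot: The new `apt_webserver_pkgs_trixie` list appears to be a near-complete copy of the base web-server list (it ends with the same `expect-dev`, `libexpect-perl`, `poppler-utils`, `weasyprint` entries as the context above it), and nothing records what actually differs for trixie, so the two lists will drift apart. A comment above the key would make the intent reviewable, e.g. `# trixie: same as apt_webserver_pkgs except <PACKAGES THAT DIFFER>` (placeholder). It is also worth confirming that `libmcrypt-dev` and `mcrypt` are still required, since libmcrypt has been unmaintained upstream for years and every additional parser or -dev package on a web server is more to patch. The base list starts outside this hunk, so the comparison is inferred from the visible tail only.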


@@ -159,10 +159,6 @@ copy_plain_files:
src_path: a.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: a.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: a.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -151,13 +151,6 @@ root_ssh_keypair:
copy_plain_files: copy_plain_files:
# /root/bin/monitoring
#
- name: monitoring_check_webservice_load.conf
src_path: b.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -266,9 +266,11 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORi7e7u0KhCkCB8iCmPud0hzCwnJVhxpPmy8vFFkFgY root@cl-dissens' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORi7e7u0KhCkCB8iCmPud0hzCwnJVhxpPmy8vFFkFgY root@cl-dissens'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx9aKkZp3qAdehTY+mdCsB+/c9yDExkg5y1lASCXRmL root@cl-exil'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjr0aBl2KQTJnlVK03DOs0u+IXSon4VewwAzzSBsmVW root@cl-lubax'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test'
@@ -280,6 +282,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHxvK5kzKgypVi8ZvshveSpyo0eSXiBCnAC5Pcjdgv root@discourse' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHxvK5kzKgypVi8ZvshveSpyo0eSXiBCnAC5Pcjdgv root@discourse'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy5WM1qsLE2SRwWG1Y38WJcMYUpL8MuQiraqiXfHzaH root@e.mx' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy5WM1qsLE2SRwWG1Y38WJcMYUpL8MuQiraqiXfHzaH root@e.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7KbEZApiqEcU4aK3A2J8hy+r1uV7TZupwm4CHGqLPH root@ga-gh-gw'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'
@@ -294,6 +297,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2bxZZNXrlsvERYo0VyXzdW1AZuGmsTNjgF4oQJNfnn root@mm-irights' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2bxZZNXrlsvERYo0VyXzdW1AZuGmsTNjgF4oQJNfnn root@mm-irights'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpKuS8DFuHHvfQZCHOGiurOvzlFkx1unnMfZWEM3wUY root@mm-rav' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpKuS8DFuHHvfQZCHOGiurOvzlFkx1unnMfZWEM3wUY root@mm-rav'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnwSzzSrAQJN3I0Y3xRU0rjlrO2KlHD3tFMgCqEyk0i root@mm' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnwSzzSrAQJN3I0Y3xRU0rjlrO2KlHD3tFMgCqEyk0i root@mm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXSGiRst5AQ396FQY6jrr1jTCpwGDLWv5akw6SiMUGq root@nd-gate'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBTRzuXg2lzAERsNWpQYHEI1T6dP7VJehBPKF2pAsH4 root@o12' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBTRzuXg2lzAERsNWpQYHEI1T6dP7VJehBPKF2pAsH4 root@o12'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAyyyFaDWqjQjDFgOSW6cs71yxw7DRNFQapWMZXds03 root@o13' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAyyyFaDWqjQjDFgOSW6cs71yxw7DRNFQapWMZXds03 root@o13'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN6Z+3zYorB3NKO3TObynG8vn9xi1H8IBmadIOQBPE+ root@o13-cryptpad' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN6Z+3zYorB3NKO3TObynG8vn9xi1H8IBmadIOQBPE+ root@o13-cryptpad'
@@ -305,6 +309,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp24VDXOsa0MuzGFaFa3CPDUsnA/ASojHAiN344m+dP root@o14' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp24VDXOsa0MuzGFaFa3CPDUsnA/ASojHAiN344m+dP root@o14'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgEHwpZASRfcpAEesr8qnytu6pj7qNrQ35i7h/uTUoK root@o18'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICurG4lWMuEercht716M3x2KgsUYKIwku4VdF52sBu41 root@o21-oolm-db' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICurG4lWMuEercht716M3x2KgsUYKIwku4VdF52sBu41 root@o21-oolm-db'
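Review bot: The added `root@cl-exil`, `root@cl-lubax`, `root@ga-gh-gw`, `root@nd-gate` and `root@o18` entries are bare public keys with no authorized_keys options, so unless the role that renders this list prepends them, each of those root accounts gets an unrestricted login to the account configured under `default_user`. If the keys exist only for backups, as the commit messages suggest, constrain them where the entry is written, for example `- 'restrict,command="<BACKUP_SERVE_COMMAND>" ssh-ed25519 <KEY> root@o18'` (placeholder values). The list starts outside these hunks and the template that consumes it is not visible here, so this needs checking against the role.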


@@ -164,10 +164,6 @@ copy_plain_files:
src_path: c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: c.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -0,0 +1,152 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
#sshd_permit_root_login: !!str "prohibit-password"
sshd_permit_root_login: !!str "no"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: false
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
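Review bot: The `sudoers_file_user_privileges` entry lets user `back` run `/usr/local/php/bin/php` as `www-data` without a password and without any argument restriction, which in effect grants `back` arbitrary code execution as `www-data`, because the interpreter runs whatever script or inline code it is given. If the job only needs one maintenance script, pin the full command line in the rule, e.g. `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php <SCRIPT_PATH> <FIXED_ARGS>'` (placeholders), and keep that script writable by root only. Separately, `resolved_dnssec: false` combined with a plain-DNS fallback server deserves a one-line comment saying why validation is switched off on this host.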


@@ -153,10 +153,6 @@ root_ssh_keypair:
copy_plain_files: copy_plain_files:
- name: monitoring_check_webservice_load.conf
src_path: d.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf
src_path: d.mx/root/bin/postfix/conf/create_opendkim_key.conf src_path: d.mx/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf dest_path: /root/bin/postfix/conf/create_opendkim_key.conf


@@ -157,10 +157,6 @@ copy_plain_files:
src_path: e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: e.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf
src_path: e.mx/root/bin/postfix/conf/create_opendkim_key.conf src_path: e.mx/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf dest_path: /root/bin/postfix/conf/create_opendkim_key.conf


@@ -414,11 +414,11 @@ samba_user:
- projekte - projekte
password: '20.j0hanna.ru3kgau3r+24!' password: '20.j0hanna.ru3kgau3r+24!'
- name: laura.sasse # - name: laura.sasse
groups: # groups:
- projekte # - projekte
- team # - team
password: '20/l4ur4-s4sse-24?' # password: '20/l4ur4-s4sse-24?'
- name: lino.koehler - name: lino.koehler
groups: groups:
@@ -458,10 +458,10 @@ samba_user:
- verwaltung - verwaltung
password: '20/r4lph-kl3sch.24-' password: '20/r4lph-kl3sch.24-'
- name: rositsa.mahdi # - name: rositsa.mahdi
groups: # groups:
- projekte # - projekte
password: '20.ros1tsa-mahd1+24+' # password: '20.ros1tsa-mahd1+24+'
- name: selma.albrecht - name: selma.albrecht
groups: groups:
@@ -486,11 +486,11 @@ samba_user:
- team - team
password: '20-sc4n.25!' password: '20-sc4n.25!'
- name: sebastian.scheele # - name: sebastian.scheele
groups: # groups:
- projekte # - projekte
- team # - team
password: '20/s3-bast1an+sch33l3_24-' # password: '20/s3-bast1an+sch33l3_24-'
- name: simon.krugmann - name: simon.krugmann
groups: groups:
@@ -525,14 +525,11 @@ samba_user:
base_home: /data/home base_home: /data/home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: [] remove_samba_users: []
#remove_samba_users: #remove_samba_users:
# - name: elenor.faellgrem # - name: sebastian.scheele
# - name: maiken.schiele # - name: rositsa.mahdi
# - name: laura.sasse
samba_shares: samba_shares:
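Review bot: Commenting out `laura.sasse`, `rositsa.mahdi` and `sebastian.scheele` leaves their cleartext passwords in the file, and `remove_samba_users: []` stays empty while the three names appear only in the commented example below it, so the accounts are probably never removed from the server (the role is not visible here, so this is inferred). Delete the commented blocks and put the three names into `remove_samba_users` as real `- name:` entries instead of the empty list. More generally, every `password:` value under `samba_user` is readable by anyone with repository access and remains in history; moving them to Ansible Vault and rotating the exposed ones would close that.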


@@ -293,6 +293,7 @@ samba_user:
- name: berenice - name: berenice
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -311,6 +312,7 @@ samba_user:
- name: buero - name: buero
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -318,6 +320,7 @@ samba_user:
- name: buero2 - name: buero2
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -325,6 +328,7 @@ samba_user:
- name: buero3 - name: buero3
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -332,6 +336,7 @@ samba_user:
- name: buero4 - name: buero4
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -339,6 +344,7 @@ samba_user:
- name: buero7 - name: buero7
groups: groups:
- advoware
- kanzlei - kanzlei
- a-jur - a-jur
- alle - alle
@@ -487,6 +493,7 @@ samba_user:
- name: rm-buero1 - name: rm-buero1
groups: groups:
- advoware
- alle - alle
- a-jur - a-jur
- kanzlei - kanzlei
@@ -494,6 +501,7 @@ samba_user:
- name: rm-buero2 - name: rm-buero2
groups: groups:
- advoware
- alle - alle
- a-jur - a-jur
- kanzlei - kanzlei


@@ -151,13 +151,6 @@ resolved_fallback_nameserver:
copy_plain_files: copy_plain_files:
# /root/bin/monitoring
#
- name: monitoring_check_webservice_load.conf
src_path: g.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -124,8 +124,8 @@ network_interfaces:
gateway: 172.16.13.254 gateway: 172.16.13.254
- device: lan7 - device: lan11
headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) headline: lan11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true auto: true
family: inet family: inet
method: static method: static


@@ -214,10 +214,6 @@ copy_plain_files:
src_path: ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf
@@ -265,6 +261,8 @@ ipv4_address: 192.168.11.2
admin_email: it@gemeinschaft-altenschlirf.org admin_email: it@gemeinschaft-altenschlirf.org
is_relay_host: !!str "false" is_relay_host: !!str "false"
support_dmarc_reporting: !!str "false"
db_in_use: !!str "true" db_in_use: !!str "true"
# postfix_db_type # postfix_db_type
# #


@@ -0,0 +1,236 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.62.2
netmask: 24
gateway: 172.16.62.254
#nameservers:
# - 127.0.0.1
# - 192.168.62.1
#search: ebs.netz kanzlei-kiel.netz elster.netz
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.62.253
netmask: 24
- device: eno3:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.62.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- opp.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
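Review bot: `root_user.password` commits a SHA-512 crypt hash for root in cleartext host_vars, which anyone with read access to the repository can take offline for guessing; store it with Ansible Vault (`password: !vault |` followed by the encrypted block) or look it up from a secret store, and rotate the password since the hash is already in history. If the value has to stay inline for now, single-quote it so no tooling retypes or reformats the `$6$…` scalar. In `network_interfaces`, the third entry has `device: eno3:ns` while its headline reads `eno2:ns - Alias on eno2` and its address 192.168.62.1 lies in eno2's 192.168.62.0/24 network, so the device name looks like a typo for `eno2:ns`. The file also mixes `True`/`False` with `true`/`false`; lowercase throughout avoids parser differences.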


@@ -148,10 +148,6 @@ root_ssh_keypair:
copy_plain_files: copy_plain_files:
- name: monitoring_check_webservice_load.conf
src_path: lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf
src_path: lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf src_path: lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf dest_path: /root/bin/postfix/conf/create_opendkim_key.conf


@@ -89,10 +89,6 @@ copy_plain_files:
src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -159,10 +159,6 @@ copy_plain_files:
src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -159,10 +159,6 @@ copy_plain_files:
src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -154,10 +154,6 @@ copy_plain_files:
src_path: mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_create_opendkim_key.conf - name: postfix_create_opendkim_key.conf


@@ -154,10 +154,6 @@ copy_plain_files:
src_path: o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf src_path: o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: o13-mail/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix # /root/bin/postfix
# #
- name: postfix_check-postfix-fatal-errors.conf - name: postfix_check-postfix-fatal-errors.conf
@@ -167,14 +163,6 @@ copy_plain_files:
copy_plain_files_postfwd_host_specific: copy_plain_files_postfwd_host_specific:
- name: header_checks.pcre
src_path: o13-mail/etc/postfix/header_checks.pcre
dest_path: /etc/postfix/header_checks.pcre
- name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-hosts - name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts dest_path: /etc/postfix/postfwd.wl-hosts

325
host_vars/o18.oopen.de.yml Normal file

@@ -0,0 +1,325 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp6s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 9c:6b:00:3e:9a:88
description:
address: 5.9.97.103
netmask: 27
gateway: 5.9.97.97
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp6s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 5.9.97.96 netmask 255.255.255.224 gw 5.9.97.97 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
method: static
address: '2a01:4f8:162:2477::2'
netmask: 64
gateway: 'fe80::1'
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
# - name: "Check connectifity - reboot if needed"
# minute: '*/10'
# hour: '*'
# job: /root/bin/admin-stuff/check-connectivity.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if NTP service 'ntpsec' is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Check hard disc usage."
minute: '43'
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.


@@ -147,14 +147,6 @@ copy_plain_files:
copy_plain_files_postfwd_host_specific: copy_plain_files_postfwd_host_specific:
- name: header_checks.pcre
src_path: rage/etc/postfix/header_checks.pcre
dest_path: /etc/postfix/header_checks.pcre
- name: postfwd.wl-hosts
src_path: rage/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-hosts - name: postfwd.wl-hosts
src_path: rage/etc/postfix/postfwd.wl-hosts src_path: rage/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts dest_path: /etc/postfix/postfwd.wl-hosts


@@ -297,6 +297,12 @@ samba_user:
- buero - buero
password: '20-printer-18' password: '20-printer-18'
- name: hanna
groups:
- buero
- beratung
password: '6UR9+#anna-25'
- name: hannes - name: hannes
groups: groups:
- buero - buero
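Review bot: The added `hanna` entry stores its Samba `password` as a cleartext literal in a versioned vars file, as the entry just above it already does, so anyone with read access to the repository or its history can read the credential. Keep the value in an Ansible Vault encrypted vars file and reference it here, e.g. `password: "{{ vault_samba_password_hanna }}"` (the variable name is a placeholder), and change the password that has now been committed. The `samba_user` list begins and continues outside this hunk, so the remaining entries probably need the same treatment.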

113
hosts

@@ -2,13 +2,24 @@ formbricks-nd.oopen.de
#[so36_server_dehydrated] #[so36_server_dehydrated]
#comm.so36.net ansible_user=ckubu #comm.so36.net ansible_user=ckubu
#noc.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu
rage.so36.net ansible_user=ckubu
#rubyhost.so36.net ansible_user=ckubu #rubyhost.so36.net ansible_user=ckubu
#sympa.so36.net ansible_user=ckubu #sympa.so36.net ansible_user=ckubu
#schleuder3.so36.net ansible_user=ckubu #schleuder3.so36.net ansible_user=ckubu
#site36.net ansible_user=ckubu #site36.net ansible_user=ckubu
#web.so36.net ansible_user=ckubu #web.so36.net ansible_user=ckubu
[so36_server] [so36_server]
backup.so36.net ansible_user=ckubu
comm.so36.net ansible_user=ckubu
devnull.so36.net ansible_user=ckubu
ns.so36net.de ansible_user=ckubu
rage.so36.net ansible_user=ckubu
resolver-b.so36.net ansible_user=ckubu
resolver-a.so36.net ansible_user=ckubu
schleuder3.so36.net ansible_user=ckubu
shell.so36.net ansible_user=ckubu
site36.net ansible_user=ckubu
sympa.so36.net ansible_user=ckubu
web.so36.net ansible_user=ckubu
#kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm05.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
#kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 #kvm13.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036
@@ -19,14 +30,12 @@ lxc-host-kb.anw-kb.netz
o13-git.oopen.de o13-git.oopen.de
o13-staging-board.oopen.de o13-staging-board.oopen.de
o25.oopen.de o25.oopen.de
o33.oopen.de
o41.oopen.de o41.oopen.de
dc-opp.oopen.de dc-opp.oopen.de
discourse.oopen.de discourse.oopen.de
test-nd.oopen.de test-nd.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
cl-lubax.oopen.de
ga-st-mm.ga.netz
[dns_sinma] [dns_sinma]
@@ -55,6 +64,7 @@ gw-irights.oopen.de
gw-km.oopen.de gw-km.oopen.de
gw-mbr.oopen.de gw-mbr.oopen.de
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
gw-spr.oopen.de gw-spr.oopen.de
gw-kb.oopen.de gw-kb.oopen.de
@@ -86,7 +96,6 @@ ga-gh-gw.oopen.de
gw-campus.oopen.de gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-kvm1.ga.netz ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz ga-al-kvm2.ga.netz
@@ -151,6 +160,10 @@ o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
# Exil e.V.
o18.oopen.de
cl-exil.oopen.de
# Backup Server O.OPEN # Backup Server O.OPEN
o19.oopen.de o19.oopen.de
backup.oopen.de backup.oopen.de
@@ -170,7 +183,7 @@ oolm-web.oopen.de
o23.oopen.de o23.oopen.de
a.ns.oopen.de a.ns.oopen.de
cl-01.oopen.de cl-test.oopen.de
cp-01.oopen.de cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
@@ -210,8 +223,10 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -232,7 +247,7 @@ matomo-01.oopen.de
web-01.oopen.de web-01.oopen.de
web-03.oopen.de web-03.oopen.de
web-04.oopen.de web-04.oopen.de
cl-test.oopen.de cl-01.oopen.de
# OPP - dc-01.oopen.de # OPP - dc-01.oopen.de
o38.oopen.de o38.oopen.de
@@ -346,10 +361,18 @@ o14.oopen.de
# VBRG - Opferhilfefonds # VBRG - Opferhilfefonds
o15.oopen.de o15.oopen.de
# Exil e.V.
o18.oopen.de
cl-exil.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
# Exil e.V.
o18.oopen.de
cl-exil.oopen.de
# Backup Server O.OPEN # Backup Server O.OPEN
o19.oopen.de o19.oopen.de
backup.oopen.de backup.oopen.de
@@ -372,7 +395,7 @@ oolm-web.oopen.de
# - o23.oopen.de # - o23.oopen.de
o23.oopen.de o23.oopen.de
a.ns.oopen.de a.ns.oopen.de
cl-01.oopen.de cl-test.oopen.de
cp-01.oopen.de cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
@@ -383,7 +406,6 @@ mm-migration.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
ga-st-mm.ga.netz
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@@ -413,8 +435,10 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -436,7 +460,7 @@ matomo-01.oopen.de
web-01.oopen.de web-01.oopen.de
web-03.oopen.de web-03.oopen.de
web-04.oopen.de web-04.oopen.de
cl-test.oopen.de cl-01.oopen.de
# OPP - dc-01.oopen.de # OPP - dc-01.oopen.de
o38.oopen.de o38.oopen.de
@@ -551,6 +575,7 @@ gw-mbr.oopen.de
# OPP # OPP
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
zapata.opp.netz zapata.opp.netz
# Sprachenatelier # Sprachenatelier
@@ -570,7 +595,6 @@ gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
ga-al-ws1.ga.netz ga-al-ws1.ga.netz
@@ -665,6 +689,9 @@ o14.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
test.mx.oopen.de test.mx.oopen.de
# o18.oopen.de
cl-exil.oopen.de
# o19.oopen.de # o19.oopen.de
backup.oopen.de backup.oopen.de
munin.oopen.de munin.oopen.de
@@ -682,7 +709,7 @@ oolm-shop.oopen.de
oolm-web.oopen.de oolm-web.oopen.de
# o23.oopen.de # o23.oopen.de
cl-01.oopen.de cl-test.oopen.de
# o24.oopen.de # o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
@@ -702,6 +729,9 @@ cl-dissens.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud # o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de cloud.akweb.de
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -718,7 +748,7 @@ web-01.oopen.de
web-03.oopen.de web-03.oopen.de
web-04.oopen.de web-04.oopen.de
b.mx.oopen.de b.mx.oopen.de
cl-test.oopen.de cl-01.oopen.de
# o38 dc-opp cl-opp # o38 dc-opp cl-opp
cl-opp.oopen.de cl-opp.oopen.de
@@ -853,7 +883,6 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@@ -871,6 +900,7 @@ web-02.oopen.de
web-01.oopen.de web-01.oopen.de
web-03.oopen.de web-03.oopen.de
web-04.oopen.de web-04.oopen.de
cl-01.oopen.de
# o39 - web-05 # o39 - web-05
web-05.oopen.de web-05.oopen.de
@@ -893,7 +923,6 @@ web-nd.oopen.de
# GA - Gemeinschaft Altensclirf # GA - Gemeinschaft Altensclirf
ga-st-services.ga.netz ga-st-services.ga.netz
ga-st-mm.ga.netz
# --- # ---
# Warenform server # Warenform server
@@ -934,8 +963,7 @@ e.mx.oopen.de
d.mx.oopen.de d.mx.oopen.de
a.mx.oopen.de a.mx.oopen.de
# o36 - b.mx, web-01, web-03,-- # o36 - b.mx
web-01.oopen.de
b.mx.oopen.de b.mx.oopen.de
# o40 - g.mx # o40 - g.mx
@@ -987,7 +1015,6 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# o27.oopen.de # o27.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
@@ -1012,7 +1039,6 @@ g.mx.oopen.de
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
# --- # ---
@@ -1049,7 +1075,7 @@ stolpersteine.oopen.de
# o13.oopen.de # o13.oopen.de
o13-staging-board.oopen.de o13-staging-board.oopen.de
o13-mail.oopen.de #o13-mail.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela # Freiheit für daniela
@@ -1059,11 +1085,13 @@ o14.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
# o18.oopen.de - Exil e.V.
cl-exil.oopen.de
# o19.oopen.de # o19.oopen.de
munin.oopen.de munin.oopen.de
backup.oopen.de backup.oopen.de
# o20.oopen.de (srv-cityslang.cityslang.com) # o20.oopen.de (srv-cityslang.cityslang.com)
o20.oopen.de o20.oopen.de
@@ -1083,7 +1111,6 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@@ -1104,6 +1131,9 @@ cloud.akweb.de
web.cadus.org web.cadus.org
mail.cadus.org mail.cadus.org
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1183,11 +1213,14 @@ ga-al-ws1.ga.netz
# O.OPEN # O.OPEN
# --- # ---
# o18.oopen.de
cl-exil.oopen.de
# o19.oopen.de # o19.oopen.de
backup.oopen.de backup.oopen.de
# o23.oopen.de # o23.oopen.de
cl-01.oopen.de cl-test.oopen.de
# o24.oopen.de # o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
@@ -1208,6 +1241,9 @@ cl-dissens.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud # o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de cloud.akweb.de
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1215,7 +1251,7 @@ o34.oopen.de
cl-02.oopen.de cl-02.oopen.de
# o36.oopen.de # o36.oopen.de
cl-test.oopen.de cl-01.oopen.de
# o38.oopen.de # o38.oopen.de
cl-opp.oopen.de cl-opp.oopen.de
@@ -1435,11 +1471,15 @@ test-nd.oopen.de
o12.oopen.de o12.oopen.de
o13.oopen.de o13.oopen.de
o17.oopen.de
# Freiheit für daniela # Freiheit für daniela
o14.oopen.de o14.oopen.de
o17.oopen.de
# Exil e.V.
o18.oopen.de
# Backup Server O.OPEN # Backup Server O.OPEN
o19.oopen.de o19.oopen.de
@@ -1529,6 +1569,9 @@ o13-git.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
# - o18.oopen.de
cl-exil.oopen.de
# o19.oopen.de # o19.oopen.de
backup.oopen.de backup.oopen.de
git.oopen.de git.oopen.de
@@ -1560,7 +1603,6 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
ga-st-mm.ga.netz
# - o27.oopen.de # - o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
@@ -1576,7 +1618,6 @@ meet.akweb.de
cloud.akweb.de cloud.akweb.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1643,7 +1684,6 @@ zapata.opp.netz
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
@@ -1730,6 +1770,10 @@ o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
# Exil e.V.
o18.oopen.de
cl-exil.oopen.de
# Backup Server O.OPEN # Backup Server O.OPEN
o19.oopen.de o19.oopen.de
backup.oopen.de backup.oopen.de
@@ -1793,8 +1837,10 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# o32.oopen.de / cl-lubax.oopen.de
cl-lubax.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1853,7 +1899,6 @@ web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
# Gemeinchaft Altenschlirf # Gemeinchaft Altenschlirf
ga-st-mm.ga.netz
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
@@ -1905,12 +1950,14 @@ gw-irights.oopen.de
gw-km.oopen.de gw-km.oopen.de
gw-mbr.oopen.de gw-mbr.oopen.de
gw-opp.oopen.de gw-opp.oopen.de
gw-opp-neu.opp.netz
gw-spr.oopen.de gw-spr.oopen.de
gw-kb.oopen.de gw-kb.oopen.de
k1371.dyndns.org k1371.dyndns.org
ga-st-gw-ersatz.ga.netz ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz ga-st-gw-neu.ga.netz
@@ -1919,6 +1966,8 @@ ga-nh-gw.oopen.de
ga-gh-gw.oopen.de ga-gh-gw.oopen.de
gw-campus.oopen.de gw-campus.oopen.de
nd-gate.ndhosting.de
# Gateway/Firewall Server office network # Gateway/Firewall Server office network
# #
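Review bot: In the hunk `@@ -346,10 +361,18 @@` the `# Exil e.V.` block (`o18.oopen.de`, `cl-exil.oopen.de`) is added twice, once before `o17.oopen.de` and once after `test.mariadb.oopen.de`, with no group header between them, so the same group apparently lists both hosts twice. Drop the first copy so the group matches the placement used in the `@@ -151,6 +160,10 @@` hunk. Separately, among the new `[so36_server]` entries `ns.so36net.de` is the only name not under `so36.net`; please confirm it is intended, since Ansible will connect as `ckubu` to whatever host that name resolves to. The group headers for most of these hunks lie outside the visible lines, so group membership here is inferred from the surrounding comments.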

2917
main.yml

File diff suppressed because it is too large Load Diff


@@ -4,5 +4,6 @@
- hosts: - hosts:
- oopen_server - oopen_server
- warenform_server - warenform_server
- so36_server
roles: roles:
- modify-ipt-server - modify-ipt-server


@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,154 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
check_apache=true
check_php_fpm=false
check_website=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,263 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,147 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
#LOGGING=true
LOGGING=false
# - What to check
# -
check_load=true
check_mysql=false
check_apache=true
check_php_fpm=true
check_website=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.1"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,270 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Port of PostgreSQL Service
# -
# - defaults to '5432'
# - postgresql_port=5432
# -
#postgresql_port=5432
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,261 +0,0 @@
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,263 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,43 +1,52 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** # *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# --- # ---
# - Replace headers # - Header Checks - /etc/postfix/header_checks
# ---
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
# #
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 # Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
#
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address ########################################
# # A) Kaputter From:-Header
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3 ########################################
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5 # 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# --- # 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
# - Ignore Headers #/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# --- # 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# - Reject / Discard headers # (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
# --- /^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 # 4) Typische kaputte UTF-8-Fragmente
/^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 ########################################
# B) Optional: sehr spezifische lokale Blacklist
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 #/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002 ########################################
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003 # C) Warn
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004 ########################################
# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from
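Review bot: Rule FROM-1004 (`/^From:.*\xC3\xA2/`) is broader than its message says: when the table matches bytes, C3 A2 is the valid UTF-8 encoding of "â", so a From: header carrying that letter unencoded (for example via SMTPUTF8) is rejected as "Invalid UTF-8". If the target is the usual mojibake of typographic quotes, match the full "â€" byte sequence instead: `/^From:.*\xC3\xA2\xE2\x82\xAC/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004`. The `\s` and `\xNN` escapes in the new rules also assume the map is loaded as `pcre:`; the map type is not visible in this section, and under `regexp:` these escapes are not portable. Because the action is a REJECT, running the rule as WARN for a while, as the Date rules now do, would show what it really matches before mail is refused.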


@@ -11,9 +11,9 @@
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address # - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
# #
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3 #/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5 #/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# --- # ---
# - Ignore Headers # - Ignore Headers
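Review bot: Commenting out both `Received:` REPLACE rules leaves no explanation in the file, and with them disabled the client address of authenticated senders appears to be passed on to recipients unchanged. Whether the stricter variant above line 11 is still active, or the rewrite now happens in another table, cannot be seen from this hunk, which starts and ends inside the file. If the change is deliberate, a comment above the two rules would record it, for example `# - Disabled: Received headers of authenticated senders are passed on unchanged`. Otherwise the rules should stay active so that submission clients' IP addresses are not disclosed in outgoing mail.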


@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -1,43 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
#
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
#
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004


@@ -1,178 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"


@@ -16,3 +16,8 @@
# d.mx.oopen.de (listen server) # d.mx.oopen.de (listen server)
95.217.204.227 95.217.204.227
2a01:4f9:4a:47e5::227 2a01:4f9:4a:47e5::227
# b.mx.oopen.de
162.55.82.73/32
2a01:4f8:271:1266::73
~
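Review bot: The last added line, `~`, looks like an editor artifact rather than an address entry and should be dropped unless the consumer of this list gives it a meaning. The new IPv4 entry is written as `162.55.82.73/32` while the existing entries above are bare addresses and the new IPv6 entry carries no prefix; one notation should be used for the whole list so every entry is parsed the same way. Which service reads this file is not visible in the hunk, so it is worth confirming how it treats a line it cannot parse in what appears to be a list of trusted mail hosts.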


@@ -64,7 +64,7 @@
- name: Restart redis-server - name: Restart redis-server
vars: vars:
_daemon: "{{ 'redis' if ansible_distribution == 'CentOS' else 'redis-server' }}" _daemon: "{{ 'redis' if ansible_facts['distribution'] == 'CentOS' else 'redis-server' }}"
service: service:
name: "{{ _daemon }}" name: "{{ _daemon }}"
state: restarted state: restarted


@@ -2,7 +2,7 @@
- name: (apt.yml) update configuration file - /etc/apt/sources.list - name: (apt.yml) update configuration file - /etc/apt/sources.list
template: template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2" src: "etc/apt/sources.list.{{ ansible_facts['distribution'] }}.j2"
dest: /etc/apt/sources.list dest: /etc/apt/sources.list
owner: root owner: root
group: root group: root
@@ -167,7 +167,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}-backports" default_release: "{{ ansible_facts['distribution_release'] }}-backports"
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "9" - ansible_facts['distribution_major_version'] == "9"
@@ -181,7 +181,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13" - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13"
@@ -195,7 +195,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "bionic" - ansible_facts['distribution_release'] == "bionic"
@@ -209,7 +209,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "xenial" - ansible_facts['distribution_release'] == "xenial"
@@ -223,7 +223,7 @@
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_facts['distribution_release'] }}"
when: when:
- ansible_facts['distribution'] == "Ubuntu" - ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "jammy" - ansible_facts['distribution_release'] == "jammy"
@@ -286,11 +286,25 @@
tags: tags:
- apt-postgresql-server-pkgs - apt-postgresql-server-pkgs
- name: (apt.yml) Install webserver related packages - name: (apt.yml) Install webserver related packages (Debian <= 12)
apt: apt:
name: "{{ apt_webserver_pkgs }}" name: "{{ apt_webserver_pkgs }}"
state: "{{ apt_install_state }}" state: "{{ apt_install_state }}"
when: install_webserver_pkgs|bool when:
- install_webserver_pkgs|bool
- ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version'] | int <= 12
tags:
- apt-webserver-pkgs
- name: (apt.yml) Install webserver related packages (Debian >= 13)
apt:
name: "{{ apt_webserver_pkgs_trixie }}"
state: "{{ apt_install_state }}"
when:
- install_webserver_pkgs|bool
- ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version'] | int >= 13
tags: tags:
- apt-webserver-pkgs - apt-webserver-pkgs
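Review bot: In the new task `Install webserver related packages (Debian >= 13)` the condition `ansible_facts['os_family'] == 'Debian'` is also true on Ubuntu, whose major versions (16, 18, 22, …) all satisfy `| int >= 13`. The microcode tasks in the same file target Ubuntu xenial, bionic and jammy, so Ubuntu hosts are in scope and would now receive `apt_webserver_pkgs_trixie` where they previously received `apt_webserver_pkgs`. Select on the distribution instead, `- ansible_facts['distribution'] == 'Debian'`, in the `>= 13` task, and let the other task cover everything else with `- not (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_major_version'] | int >= 13)`.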


@@ -1,5 +1,14 @@
--- ---
- name: Ensure util-linux-extra is installed on Debian
ansible.builtin.apt:
name: util-linux-extra
state: present
update_cache: yes
when:
- ansible_facts['os_family'] == 'Debian'
- ansible_facts['distribution_major_version'] | int >= 11
- name: (basic.yml) Ensure timezone is is correct - name: (basic.yml) Ensure timezone is is correct
timezone: name={{ time_zone }} timezone: name={{ time_zone }}
tags: tags:
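Review bot: The new task installs `util-linux-extra` on every Debian-family host with major version >= 11, but as far as I know the package first shipped with Debian 12, so a Debian 11 host would fail at this step. `os_family == 'Debian'` also matches Ubuntu, where releases such as 22.04 pass the `>= 11` test and, to my knowledge, do not carry the package. A tighter guard is `- ansible_facts['distribution'] == 'Debian'` with `- ansible_facts['distribution_major_version'] | int >= 12`, plus a separate bound for Ubuntu if those hosts need it. `update_cache: yes` is better written `update_cache: true`, and the task name lacks the `(basic.yml)` prefix used by the task that follows; that task continues outside the hunk.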


@@ -51,8 +51,8 @@
# yum-initial-install # yum-initial-install
- import_tasks: yum.yml - import_tasks: yum.yml
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" or ansible_distribution == "Fedora" - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora"
tags: yum tags: yum
@@ -293,14 +293,14 @@
- import_tasks: systemd-services_debian_based_OS.yml - import_tasks: systemd-services_debian_based_OS.yml
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- services - services
- import_tasks: systemd-services_redhat_based_OS.yml - import_tasks: systemd-services_redhat_based_OS.yml
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
tags: tags:
- services - services


@@ -11,7 +11,7 @@
- nfs-kernel-server - nfs-kernel-server
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts['os_family'] == "Debian"
- "groups['nfs_server']|string is search(inventory_hostname)" - "groups['nfs_server']|string is search(inventory_hostname)"
tags: tags:
- nfs-server - nfs-server
@@ -132,7 +132,7 @@
pkg: nfs-common pkg: nfs-common
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts['os_family'] == "Debian"
- "groups['nfs_client']|string is search(inventory_hostname)" - "groups['nfs_client']|string is search(inventory_hostname)"
tags: tags:
- nfs-client - nfs-client
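Review bot: The unchanged condition `groups['nfs_server']|string is search(inventory_hostname)`, and its `groups['nfs_client']` twin in the second hunk, is a regex search over the stringified group list. A host whose name is contained in another member's name therefore also matches, and each `.` in the hostname matches any character. The sudoers template later in this comparison already replaces the same pattern with an exact membership test, and these tasks should follow it: `- inventory_hostname in (groups['nfs_server'] | default([]))`. The `groups['lxc_host']|string is search(inventory_hostname)` conditions in the yum tasks file have the same problem. Both tasks here start above their hunks.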


@@ -10,7 +10,7 @@
- ntpsec - ntpsec
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- ntp-server - ntp-server
@@ -19,7 +19,7 @@
path: /etc/ntpsec/ntp.conf.ORIG path: /etc/ntpsec/ntp.conf.ORIG
register: etc_ntpsec_conf_ORIG register: etc_ntpsec_conf_ORIG
when: when:
- ansible_distribution == "Debian" - ansible_facts.distribution == "Debian"
tags: tags:
- ntp-server - ntp-server
@@ -32,7 +32,7 @@
group: ntpsec group: ntpsec
mode: '0755' mode: '0755'
when: when:
- ansible_distribution == "Debian" - ansible_facts.distribution == "Debian"
- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf' - name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'


@@ -3,7 +3,7 @@
- name: (redis-server.yml) Set var '_redis_conf' - name: (redis-server.yml) Set var '_redis_conf'
set_fact: set_fact:
_redis_conf: "{{ '/etc/redis.conf' if ansible_distribution == 'CentOS' else '/etc/redis/redis.conf' }}" _redis_conf: "{{ '/etc/redis.conf' if ansible_facts['distribution'] == 'CentOS' else '/etc/redis/redis.conf' }}"
- name: (redis-server.yml) update - name: (redis-server.yml) update
apt: apt:
@@ -54,7 +54,7 @@
state: latest state: latest
update_cache: yes update_cache: yes
when: when:
- ansible_os_family == "RedHat" - ansible_facts["os_family"] == "RedHat"
- ansible_distribution == "CentOS" or ansible_distribution == "Fedora" - ansible_distribution == "CentOS" or ansible_distribution == "Fedora"
tags: tags:
- redis-server - redis-server
@@ -80,8 +80,8 @@
- "'www-data' in my_users" - "'www-data' in my_users"
- "'redis' in my_groups" - "'redis' in my_groups"
vars: vars:
my_users: "{{ getent_passwd.keys()|list }}" my_users: "{{ ansible_facts.getent_passwd.keys()|list }}"
my_groups: "{{ getent_group.keys()|list }}" my_groups: "{{ ansible_facts.getent_group.keys()|list }}"
tags: tags:
- redis-server - redis-server
@@ -94,8 +94,8 @@
- "'webadmin' in my_users" - "'webadmin' in my_users"
- "'redis' in my_groups" - "'redis' in my_groups"
vars: vars:
my_users: "{{ getent_passwd.keys()|list }}" my_users: "{{ ansible_facts.getent_passwd.keys()|list }}"
my_groups: "{{ getent_group.keys()|list }}" my_groups: "{{ ansible_facts.getent_group.keys()|list }}"
tags: tags:
- redis-server - redis-server
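Review bot: In the hunk at `@@ -54,7 +54,7 @@` only the `os_family` test was migrated; the next condition still reads `ansible_distribution == "CentOS" or ansible_distribution == "Fedora"`. That task therefore still depends on the top-level fact variables that the rest of this change moves away from, and would presumably break once they are no longer injected. Replace the line with `- ansible_facts['distribution'] in ['CentOS', 'Fedora']`. The file now also mixes `ansible_facts['distribution']`, `ansible_facts["os_family"]` and `ansible_facts.getent_passwd`; one access style per file would make a later search for leftovers reliable.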


@@ -42,7 +42,8 @@
loop_control: loop_control:
label: '{{ item.name }}' label: '{{ item.name }}'
when: when:
- item.name not in getent_passwd - ansible_facts.getent_passwd is defined
- item.name not in ansible_facts.getent_passwd
tags: tags:
- samba-server - samba-server
- samba-user - samba-user
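Review bot: The added guard `ansible_facts.getent_passwd is defined` turns a missing fact into a silent skip. If the getent lookup has not run, for example because the play was limited by tags, every item is skipped and no account is created, with nothing in the output marking that as a problem. Prefer making the lookup run unconditionally, or fail early with an `assert` on `ansible_facts.getent_passwd is defined` placed before this loop. The task starts above the hunk, so the module it runs is not visible here.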


@@ -2,6 +2,6 @@
- name: Show hostname - name: Show hostname
debug: debug:
msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE') }}.{{ ansible_fqdn.split('.')[2] | default('NONE') }}" msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] }}.{{ ansible_facts.fqdn.split('.')[1] | default('NONE') }}.{{ ansible_facts.fqdn.split('.')[2] | default('NONE') }}"
# msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}" # msg: "Host: {{ ansible_facts.fqdn | split('.') | first }} FQDN: {{ ansible_facts.fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_facts.fqdn.split('.')[1] ) }}"


@@ -8,7 +8,7 @@
with_items: with_items:
- "{{ redhat_services_active_and_started }}" - "{{ redhat_services_active_and_started }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
#- debug: msg="{{ service_exists.results }}" #- debug: msg="{{ service_exists.results }}"
@@ -23,7 +23,7 @@
label: '{{ item.item }}' label: '{{ item.item }}'
when: when:
- item.rc == 0 - item.rc == 0
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
#- debug: msg="{{ service_is_enabled.results }}" #- debug: msg="{{ service_is_enabled.results }}"


@@ -6,7 +6,7 @@
- tor - tor
state: present state: present
when: when:
- ansible_os_family == "Debian" - ansible_facts.os_family == "Debian"
tags: tags:
- tor-service - tor-service


@@ -7,8 +7,8 @@
update_cache: yes update_cache: yes
#cache_valid_time: 3600 #cache_valid_time: 3600
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" or ansible_distribution == "Fedora" - ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora"
tags: tags:
- yum-update - yum-update
@@ -18,8 +18,8 @@
name: epel-release name: epel-release
state: latest state: latest
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
# Its more eficient to in # Its more eficient to in
@@ -28,9 +28,9 @@
name: "{{ yum_base_install_centos_7 }}" name: "{{ yum_base_install_centos_7 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- ansible_distribution_major_version == "7" - ansible_facts.distribution_major_version == "7"
tags: tags:
- yum-base-install - yum-base-install
@@ -39,9 +39,9 @@
name: "{{ yum_initial_install_centos_7 }}" name: "{{ yum_initial_install_centos_7 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- ansible_distribution_major_version == "7" - ansible_facts.distribution_major_version == "7"
tags: tags:
- yum-initial-install - yum-initial-install
@@ -52,9 +52,9 @@
name: "{{ yum_base_install_fedora_38 }}" name: "{{ yum_base_install_fedora_38 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- ansible_distribution_major_version == "38" - ansible_facts.distribution_major_version == "38"
tags: tags:
- yum-base-install - yum-base-install
@@ -63,9 +63,9 @@
name: "{{ yum_initial_install_fedora_38 }}" name: "{{ yum_initial_install_fedora_38 }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- ansible_distribution_major_version == "38" - ansible_facts.distribution_major_version == "38"
tags: tags:
- yum-initial-install - yum-initial-install
@@ -75,8 +75,8 @@
name: "{{ yum_lxc_host_pkgs_centos }}" name: "{{ yum_lxc_host_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- groups['lxc_host']|string is search(inventory_hostname) - groups['lxc_host']|string is search(inventory_hostname)
tags: tags:
- yum-lxc-hosts-pkgs - yum-lxc-hosts-pkgs
@@ -86,8 +86,8 @@
name: "{{ yum_lxc_host_pkgs_fedora }}" name: "{{ yum_lxc_host_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- groups['lxc_host']|string is search(inventory_hostname) - groups['lxc_host']|string is search(inventory_hostname)
tags: tags:
- yum-lxc-hosts-pkgs - yum-lxc-hosts-pkgs
@@ -98,8 +98,8 @@
name: "{{ yum_postgresql_pkgs_centos }}" name: "{{ yum_postgresql_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_postgresql_pkgs|bool - install_postgresql_pkgs|bool
tags: tags:
- apt-postgresql-server-pkgs - apt-postgresql-server-pkgs
@@ -109,8 +109,8 @@
name: "{{ yum_postgresql_pkgs_fedora }}" name: "{{ yum_postgresql_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_postgresql_pkgs|bool - install_postgresql_pkgs|bool
tags: tags:
- apt-postgresql-server-pkgs - apt-postgresql-server-pkgs
@@ -121,8 +121,8 @@
name: "{{ yum_compiler_pkgs_centos }}" name: "{{ yum_compiler_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_compiler_pkgs|bool - install_compiler_pkgs|bool
tags: tags:
- yum-compiler-pkgs - yum-compiler-pkgs
@@ -132,8 +132,8 @@
name: "{{ yum_compiler_pkgs_fedora }}" name: "{{ yum_compiler_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_compiler_pkgs|bool - install_compiler_pkgs|bool
tags: tags:
- yum-compiler-pkgs - yum-compiler-pkgs
@@ -143,8 +143,8 @@
name: "{{ yum_webserver_pkgs_centos }}" name: "{{ yum_webserver_pkgs_centos }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "CentOS" - ansible_facts.distribution == "CentOS"
- install_webserver_pkgs|bool - install_webserver_pkgs|bool
tags: tags:
- yum-webserver-pkgs - yum-webserver-pkgs
@@ -154,8 +154,8 @@
name: "{{ yum_webserver_pkgs_fedora }}" name: "{{ yum_webserver_pkgs_fedora }}"
state: "{{ yum_install_state }}" state: "{{ yum_install_state }}"
when: when:
- ansible_os_family == "RedHat" - ansible_facts.os_family == "RedHat"
- ansible_distribution == "Fedora" - ansible_facts.distribution == "Fedora"
- install_webserver_pkgs|bool - install_webserver_pkgs|bool
tags: tags:
- yum-webserver-pkgs - yum-webserver-pkgs


@@ -1,57 +1,57 @@
# {{ ansible_managed }} # {{ ansible_managed }}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} main
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware deb http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %} {% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free deb http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %} {% else %}
deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free deb http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %} {% endif %}
{% if not apt_src_enable %} {% if not apt_src_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware #deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %} {% elif ansible_facts['distribution_major_version'] | int == 11 %}
#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free #deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %} {% else %}
#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free #deb-src http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %} {% endif %}
{% else %} {% else %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %} {% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %} {% else %}
deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free deb-src http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %} {% endif %}
{% endif %} {% endif %}
# {{ ansible_lsb.codename }}-updates, previously known as 'volatile' # {{ ansible_facts["lsb"]["codename"] }}-updates, previously known as 'volatile'
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main
# Contrib packages contain DFSG-compliant software, # Contrib packages contain DFSG-compliant software,
# but have dependencies not in main (possibly packaged for Debian in non-free). # but have dependencies not in main (possibly packaged for Debian in non-free).
# Non-free contains software that does not comply with the DFSG. # Non-free contains software that does not comply with the DFSG.
{% if apt_debian_contrib_nonfree_enable %} {% if apt_debian_contrib_nonfree_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free non-free-firmware
{% else %} {% else %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if apt_debian_contrib_nonfree_enable %} {% if apt_debian_contrib_nonfree_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free non-free-firmware
{% else %} {% else %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free
{% endif %} {% endif %}
{% endif %} {% endif %}
@@ -60,14 +60,14 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
# # newer versions of some applications which may provide useful features. # # newer versions of some applications which may provide useful features.
{% if apt_backports_enable %} {% if apt_backports_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %} {% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %} {% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{% else %} {% else %}
#deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free #deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
#deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free #deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{% endif %} {% endif %}
{% endif %} {% endif %}
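Review bot: The template takes the release name from two different facts: most lines use `ansible_facts["lsb"]["codename"]`, while the backports block uses `ansible_facts["distribution_release"]`. As far as I know the `lsb` facts are only populated when `lsb_release` or `/etc/lsb-release` exists on the target, so on a minimal Debian install the lookup may be undefined and rendering would fail. Using `ansible_facts['distribution_release']` throughout removes that dependency, e.g. `deb {{ apt_debian_mirror }} {{ ansible_facts['distribution_release'] }} main`. The Ubuntu template in the next section relies on the `lsb` lookup as well.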


@@ -1,11 +1,11 @@
# {{ ansible_managed }} # {{ ansible_managed }}
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }} main restricted universe multiverse
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse deb http://security.ubuntu.com/ubuntu {{ ansible_facts["lsb"]["codename"] }}-security main restricted universe multiverse
{% if apt_backports_enable %} {% if apt_backports_enable %}
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }}-backports main restricted universe multiverse
{% endif %} {% endif %}


@@ -41,7 +41,7 @@ back {{ item }}
{% endfor -%} {% endfor -%}
{%- if ansible_virtualization_role == 'host' %} {%- if ansible_facts['virtualization_role'] == 'host' %}
{% for item in sudoers_file_user_back_disk_privileges | default([]) %} {% for item in sudoers_file_user_back_disk_privileges | default([]) %}
back {{ item }} back {{ item }}
@@ -49,7 +49,7 @@ back {{ item }}
{% endif -%} {% endif -%}
{%- if groups['webadmin']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["webadmin"] | default([])) %}
{% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %} {% for item in sudoers_file_user_webadmin_disk_privileges | default([]) %}
webadmin {{ item }} webadmin {{ item }}
@@ -57,7 +57,7 @@ webadmin {{ item }}
{% endif -%} {% endif -%}
{%- if groups['postgresql_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["postgresql_server"] | default([])) %}
{% for item in sudoers_file_user_back_postgres_privileges | default([]) %} {% for item in sudoers_file_user_back_postgres_privileges | default([]) %}
back {{ item }} back {{ item }}
@@ -66,7 +66,7 @@ back {{ item }}
{# dns server #} {# dns server #}
{%- if groups['dns_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["dns_server"] | default([])) %}
{% for item in sudoers_file_dns_server_privileges | default([]) %} {% for item in sudoers_file_dns_server_privileges | default([]) %}
{{ item.name }} {{ item.entry }} {{ item.name }} {{ item.entry }}
@@ -75,7 +75,7 @@ back {{ item }}
{# postfixadmin rules #} {# postfixadmin rules #}
{%- if groups['mail_server']|string is search(inventory_hostname) %} {%- if inventory_hostname in (groups["mail_server"] | default([])) %}
{% for item in sudoers_file_postfixadmin_privileges | default([]) %} {% for item in sudoers_file_postfixadmin_privileges | default([]) %}
{{ item.name }} {{ item.entry }} {{ item.name }} {{ item.entry }}
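Review bot: The move from a regex `search` over the stringified group to an exact `in` test changes which hosts receive these sudo rules, and nothing in the template records why. With the old form a hostname that was a substring of another group member's name (or a regex match, since `.` matches any character) also got the entries; those hosts now lose them, which is the safer behaviour but calls for a check of the rendered files on first rollout. I would add above the first test `{# exact group membership: sudo rules must not depend on hostname substrings #}`. The task that renders this template is outside the view; if it does not already pass `validate: 'visudo -cf %s'`, that is worth adding because `item`, `item.name` and `item.entry` are written out verbatim. The enclosing `for` loops continue outside the hunks.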


@@ -172,8 +172,8 @@
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- drop_mndp_ipv4_present is changed - drop_mndp_ipv4_present is changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- name: Check if String 'drop_mndp=..' is present - name: Check if String 'drop_mndp=..' is present
@@ -246,8 +246,69 @@
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- drop_mndp_ipv6_present is changed - drop_mndp_ipv6_present is changed
notify: # notify:
- Restart IPv6 Firewall # - Restart IPv6 Firewall
# ---
# Fix section Limit Connections - add limit_new_tcp_connections_per_seconds_ports
# ---
- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' is present
shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv4.conf
register: drop_limit_new_tcp_connections_per_seconds_ports_present
when: main_ipv4_exists.stat.exists
failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1"
changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (limit_new_tcp_connections_per_seconds_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP'
block: |
# - limit_new_tcp_connections_per_seconds_ports
# -
# - comma separated list of ports
# -
# - Example:
# - limit_new_tcp_connections_per_seconds_ports="80,443"
# - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995"
#
limit_new_tcp_connections_per_seconds_ports=""
marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)"
when:
- main_ipv4_exists.stat.exists
- drop_limit_new_tcp_connections_per_seconds_ports_present is changed
# notify:
# - Restart IPv4 Firewall
- name: Check if String 'limit_new_tcp_connections_per_seconds_ports=..' is present
shell: grep -q -E "^limit_new_tcp_connections_per_seconds_ports=" /etc/ipt-firewall/main_ipv6.conf
register: drop_limit_new_tcp_connections_per_seconds_ports_present
when: main_ipv6_exists.stat.exists
failed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 1"
changed_when: "drop_limit_new_tcp_connections_per_seconds_ports_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (limit_new_tcp_connections_per_seconds_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*limit_new_tcp_connections_per_seconds_per_source_IP'
block: |
# - limit_new_tcp_connections_per_seconds_ports
# -
# - comma separated list of ports
# -
# - Example:
# - limit_new_tcp_connections_per_seconds_ports="80,443"
# - limit_new_tcp_connections_per_seconds_ports="80,110,143,443,465,995"
#
limit_new_tcp_connections_per_seconds_ports=""
marker: "# Marker set by modify-ipt-server.yml (limit_new_tcp_connections_per_seconds_ports)"
when:
- main_ipv6_exists.stat.exists
- drop_limit_new_tcp_connections_per_seconds_ports_present is changed
# notify:
# - Restart IPv6 Firewall
# === # ===
@@ -318,8 +379,8 @@
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- per_ip_connection_limit_settings_ipv4_present is changed - per_ip_connection_limit_settings_ipv4_present is changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- name: Check if String 'per_IP_connection_limit=..' is present - name: Check if String 'per_IP_connection_limit=..' is present
@@ -337,8 +398,8 @@
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- per_ip_connection_limit_settings_ipv6_present is changed - per_ip_connection_limit_settings_ipv6_present is changed
notify: # notify:
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -363,7 +424,7 @@
- load_modules_ipv6.conf - load_modules_ipv6.conf
- logging_ipv4.conf - logging_ipv4.conf
- logging_ipv6.conf - logging_ipv6.conf
- post_decalrations.conf - post_declarations.conf
register: diff_script_output register: diff_script_output
- name: Ensure configuration files are latest - name: Ensure configuration files are latest
@@ -375,13 +436,13 @@
- load_modules_ipv6.conf - load_modules_ipv6.conf
- logging_ipv4.conf - logging_ipv4.conf
- logging_ipv6.conf - logging_ipv6.conf
- post_decalrations.conf - post_declarations.conf
when: when:
- git_firewall_repository is defined and git_firewall_repository|length > 0 - git_firewall_repository is defined and git_firewall_repository|length > 0
- diff_script_output.changed - diff_script_output.changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -412,9 +473,9 @@
when: when:
- git_firewall_repository is defined and git_firewall_repository|length > 0 - git_firewall_repository is defined and git_firewall_repository|length > 0
- diff_script_output.changed - diff_script_output.changed
notify: # notify:
- Restart IPv4 Firewall # - Restart IPv4 Firewall
- Restart IPv6 Firewall # - Restart IPv6 Firewall
@@ -432,3 +493,8 @@
state: absent state: absent
path: /etc/ipt-firewall/ports.conf path: /etc/ipt-firewall/ports.conf
- name: Delete file '/etc/ipt-firewall/ports.conf' ..
file:
state: absent
path: /etc/ipt-firewall/post_decalrations.conf
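Review bot: Every `notify:` for `Restart IPv4 Firewall` / `Restart IPv6 Firewall` is now commented out (the blockinfile tasks, the per-IP limit tasks and both "Ensure ... are latest" tasks), so this playbook rewrites files under `/etc/ipt-firewall/` without reloading the ruleset, and the running firewall can differ from the configuration on disk until it is restarted by hand. If that is deliberate, say so once near the top of the file, for example `# Handlers disabled on purpose: restart the firewall manually after reviewing the changed files`, or gate the handlers on a variable instead of commenting them out. The final added task is named `Delete file '/etc/ipt-firewall/ports.conf' ..` but removes `post_decalrations.conf`; the name should read `Delete file '/etc/ipt-firewall/post_decalrations.conf' ..`. The new `blockinfile` markers also contain no `{mark}`, so the begin and end markers are identical and repeated insertion is prevented only by the preceding grep check.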


@@ -21,15 +21,43 @@
tags: tags:
- network-interfaces - network-interfaces
- name: (interfaces.yml) Build interface map by device
ansible.builtin.set_fact:
iface_map: "{{ iface_map | default({}) | combine({ item.device: (iface_map[item.device] | default([])) + [item] }) }}"
loop: "{{ network_interfaces | default([]) }}"
loop_control:
label: "{{ item.device }}"
tags: [network-interfaces]
- name: (interfaces.yml) Ensure imported device files at interfaces.d are latest - name: (interfaces.yml) Ensure imported device files at interfaces.d are latest
template: ansible.builtin.template:
src: "etc/network/interfaces.d/device.j2" src: etc/network/interfaces.d/device.j2
dest: "{{ network_interface_path }}/device-{{ item.0 }}" dest: "{{ network_interface_path }}/device-{{ grp.key }}"
with_items: loop: "{{ iface_map | dict2items }}"
- "{{network_interfaces | default([]) | groupby('device') }}" loop_control:
loop_var: grp
register: network_configuration_result register: network_configuration_result
tags: tags: [network-interfaces]
- network-interfaces
#- name: Ensure imported device files at interfaces.d are latest
# ansible.builtin.template:
# src: etc/network/interfaces.d/device.j2
# dest: "{{ network_interface_path }}/device-{{ grp.0 }}"
# loop: "{{ (network_interfaces | default([]) | groupby('device')) | list }}"
# loop_control:
# loop_var: grp
# register: network_configuration_result
# tags: [network-interfaces]
#- name: (interfaces.yml) Ensure imported device files at interfaces.d are latest
# template:
# src: "etc/network/interfaces.d/device.j2"
# dest: "{{ network_interface_path }}/device-{{ item.0 }}"
# with_items:
# - "{{network_interfaces | default([]) | groupby('device') }}"
# register: network_configuration_result
# tags:
# - network-interfaces
# --- # ---
# Remove device files not configured here # Remove device files not configured here
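Review bot: `iface_map` is accumulated with `iface_map | default({})` and is never reset, so if these tasks run a second time for the same host in one run (the role applied twice, or the fact carried over) each device's list would grow and the template would presumably render duplicate stanzas. Initialise it before the loop with a task such as `ansible.builtin.set_fact: { iface_map: {} }`, or build the map in a single expression. The two commented-out variants of the old template task add nothing that the git history does not already hold and can be dropped. `device.j2` now depends on the loop variable being called `grp`; a short comment next to `loop_var: grp` saying so would help the next editor.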


@@ -1,7 +1,7 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{# {% for config in network_interfaces %} #} {# {% for config in network_interfaces %} #}
{% for config in item.1 %} {% for config in grp.value %}
{% if config.headline is defined and config.headline %} {% if config.headline is defined and config.headline %}
#----------------------------- #-----------------------------


@@ -10,14 +10,21 @@
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}" cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when: apt_update|bool when: apt_update|bool
- name: (apt.yml) dpkg --configure # - name: (apt.yml) dpkg --configure
command: > # command: >
dpkg --configure -a # dpkg --configure -a
args: # args:
warn: false # warn: false
changed_when: _dpkg_configure.stdout_lines | length # changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure # register: _dpkg_configure
when: apt_dpkg_configure|bool # when: apt_dpkg_configure|bool
- name: Fix half-configured packages (dpkg --configure -a)
ansible.builtin.command: dpkg --configure -a
register: dpkg_config
changed_when: (dpkg_config.stdout | default('')) | length > 0
when: (apt_dpkg_configure | default(true)) | bool
tags: [ansible-dependencies]
- name: Install ulogd2 - name: Install ulogd2
apt: apt:
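Review bot: The replacement task carries `tags: [ansible-dependencies]`, which looks copied from another play; if the neighbouring apt tasks in this file are untagged, a run limited with `--tags` would execute this task without the cache update before it. The old task is also kept as a commented-out block rather than deleted. I would drop the commented block and either remove the tag or use the one the surrounding tasks use. `default(true)` additionally makes the task run when `apt_dpkg_configure` is unset, a behaviour change that deserves a one-line comment such as `# runs unless apt_dpkg_configure is explicitly false`.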


@@ -4,7 +4,6 @@ URIs: {{ debian_mirror }}
Suites: {{ target_release }} {{ target_release }}-updates Suites: {{ target_release }} {{ target_release }}-updates
Components: {{ components }} Components: {{ components }}
Signed-By: default Signed-By: default
EOF
# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }} # Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
Types: deb deb-src Types: deb deb-src
URIs: {{ debian_mirror }} URIs: {{ debian_mirror }}