Compare commits


17 Commits

Author SHA1 Message Date
chris 3b4ba60bb7 Add ipt-server.yml for backup.oopen.de with initial firewall configuration 2026-06-29 16:46:15 +02:00
chris e74fca04a2 Update migration guide: add step to freeze current firewall rules and create ipt-server.yml for a.ns.oopen.de with initial configuration 2026-06-29 11:38:20 +02:00
chris ba5683864a Add sudo to iptables-save commands in migration guide for proper permissions 2026-06-29 08:20:02 +02:00
chris 1171d156b7 Add sudo to iptables-save commands in migration guide for proper permissions 2026-06-29 08:16:53 +02:00
chris 682a08b53e Refactor extract-fw-host-vars.py to improve quoted value handling and add fw_manage_config to generated YAML; create ipt-server.yml for a.mx.oopen.de with initial configuration 2026-06-29 08:13:40 +02:00
chris b9e5b0f5e2 ile-dissens.dissens.netz.yml: add user 'nano.nowak'. 2026-06-29 00:53:10 +02:00
chris db2cdabee1 Update ipt-server role: add Jitsi TCP/UDP ports to defaults and remove obsolete entries from host_vars 2026-06-28 11:45:37 +02:00
chris 25b0e026f2 Update ipt-server role: add Jitsi TCP/UDP ports to defaults and remove obsolete entries from host_vars 2026-06-28 11:35:12 +02:00
chris 48bc4296da Add fw_manage_config to ipt-server.yml for cl-01.oopen.de 2026-06-27 22:56:27 +02:00
chris f149b09892 Refactor ipt-server role: update migration and README for hostname variable usage; remove obsolete ipt-server.yml for cloud-01.oopen.de 2026-06-27 22:38:12 +02:00
chris 7db2b7ee9b Update ipt-server role: specify hosts in ipt-server.yml and add configuration for cloud-01.oopen.de 2026-06-27 22:23:49 +02:00
chris 5a98895b66 Role ipt-server: rename 'host_vars/<server-name>/ipt_firewall.yml' to 'host_vars/<server-name>/ipt-server.yml'. 2026-06-27 02:32:15 +02:00
chris 92d2c31ecc Role ipt-server: rename 'host_vars/<server-name>/ipt_firewall.yml' to 'host_vars/<server-name>/ipt-server.yml'. 2026-06-27 02:28:16 +02:00
chris 9798ca9cd6 Add ipt-server role with firewall configuration and management
- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00
chris 0158e3738f file-km: add group 'wildvang' to user 'zeina'. 2026-06-26 00:52:43 +02:00
chris f309e8cb1c Add new host entry and update Samba configuration
- Added 'file-km-alt.anw-km.netz' to the hosts file in multiple locations.
- Updated Samba configuration to change the maximum file size for virus filtering from 25 MB to 15 MB, with commented-out options for 50 MB and 25 MB.
- Created a new host variable file for 'file-km-alt.anw-km.netz' with detailed network interface and Samba share configurations, including user definitions and permissions.
2026-06-19 11:49:11 +02:00
chris 84d5a653c5 Update network configurations and add new host variables
- Modified network interface settings for gw-mbr.oopen.de, changing IP addresses and adding an alias for IPMI.
- Refactored network interface configuration for o28.oopen.de, consolidating and updating device settings, including bridge configurations and DNS settings.
- Added new user 'farina' to samba_user in zapata.opp.netz.yml.
- Updated hosts file to include new entries for ak-plan.oopen.de and adjusted existing entries for clarity.
- Created new host variable files for ak-plan.oopen.de, cl-ndm.oopen.de, and psono-ndm.oopen.de with comprehensive configurations for systemd-resolved and cron jobs.
2026-06-18 14:15:47 +02:00
42 changed files with 11949 additions and 752 deletions
+14
@@ -1 +1,15 @@
# Editor
*.swp
*.swo
*~
# Python
__pycache__/
*.py[cod]
# Ansible
*.retry
.vault_pass
# OS
.DS_Store
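Review bot: `.vault_pass` only becomes ignored with this hunk (the `@@ -1 +1,15 @@` header shows the previous `.gitignore` had a single line), so nothing protected a vault password file before this commit; check the repository history for an accidentally committed `.vault_pass`, and confirm the name matches the `vault_password_file` setting in the `ansible.cfg` actually in use (not visible in this diff), otherwise the pattern protects nothing. The `# Editor` / `# Python` / `# Ansible` / `# OS` grouping is fine as is.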
+732
@@ -0,0 +1,732 @@
#!/usr/bin/env python3
"""
Extract ipt-firewall configuration from a host and generate host_vars YAML.
Reads /etc/ipt-firewall/{interfaces,main}_ipv{4,6}.conf via SSH,
maps all variables to Ansible fw_* names, and writes a host_vars file.
Usage:
./extract-fw-host-vars.py <hostname> [--user USER] [--port PORT] [--dry-run]
Example:
./extract-fw-host-vars.py cl-01.oopen.de
./extract-fw-host-vars.py cl-01.oopen.de --user root --dry-run
"""
import argparse
import re
import subprocess
import sys
from pathlib import Path
# ---------------------------------------------------------------------------
# Defaults matching roles/ipt-firewall/defaults/main.yml
# Only values that differ from these will be emitted.
# ---------------------------------------------------------------------------
DEFAULTS = {
"fw_do_not_firewall_bridged_traffic": False,
"fw_do_not_firewall_lx_guest_systems": False,
"fw_drop_icmp": False,
"fw_drop_mndp": True,
"fw_drop_mdns": True,
"fw_allow_all_outgoing_traffic": False,
"fw_blocked_ifs": "",
"fw_unprotected_ifs": "",
"fw_forward_private_ips_v4": "",
"fw_forward_private_ips_v6": "",
"fw_restrict_local_service_to_net_v4": "",
"fw_restrict_local_service_to_net_v6": "",
"fw_restrict_local_net_to_net_v4": "",
"fw_restrict_local_net_to_net_v6": "",
"fw_allow_ext_service_v4": "",
"fw_allow_ext_service_v6": "",
"fw_allow_ext_net_v4": "",
"fw_allow_ext_net_v6": "",
"fw_allow_local_service_v4": "",
"fw_allow_local_service_v6": "",
"fw_allow_local_service_from_networks_v4": "",
"fw_allow_local_service_from_networks_v6": "",
"fw_vpn_server_ips": "",
"fw_forward_vpn_server_ips": "",
"fw_vpn_ports": "$standard_vpn_port",
"fw_wireguard_server_ips": "",
"fw_forward_wireguard_server_ips": "",
"fw_wireguard_server_ports": "$standard_wireguard_port",
"fw_wireguard_out_ports": "$standard_wireguard_port",
"fw_local_ntp_service": False,
"fw_ntp_port": "$standard_ntp_port",
"fw_ntp_allowed_net": "",
"fw_dhcp_server_ifs": "",
"fw_dhcp_client_ifs": "",
"fw_dns_server_ips": "",
"fw_forward_dns_server_ips": "",
"fw_local_resolver_service": False,
"fw_resolver_port": "$standard_dns_port",
"fw_resolver_allowed_networks_v4": "",
"fw_resolver_allowed_networks_v6": "",
"fw_ssh_server_ips": "$ext_ips",
"fw_forward_ssh_server_ips": "",
"fw_ssh_ports": "$standard_ssh_port",
"fw_http_server_ips": "",
"fw_forward_http_server_ips": "",
"fw_http_ports": "$standard_http_ports",
"fw_log_cgi_traffic_out": False,
"fw_cgi_script_users": "",
"fw_mm_server_ips": "",
"fw_forward_mm_server_ips": "",
"fw_smtpd_ips": "",
"fw_forward_smtpd_ips": "",
"fw_smtpd_additional_listen_ports": "",
"fw_smtpd_additional_outgoing_ports": "",
"fw_mail_server_ips": "",
"fw_forward_mail_server_ips": "",
"fw_mail_user_ports": "$standard_mailuser_ports",
"fw_mail_client_ips": "",
"fw_forward_mail_client_ips": "",
"fw_dovecot_auth_service": False,
"fw_dovecot_auth_port": "$dovecot_external_auth_port",
"fw_dovecot_auth_allowed_networks_v4": "",
"fw_dovecot_auth_allowed_networks_v6": "",
"fw_ftp_server_ips": "",
"fw_forward_ftp_server_ips": "",
"fw_ftp_passive_port_range": "50000:50400",
"fw_xmpp_server_ips": "",
"fw_forward_xmpp_server_ips": "",
"fw_xmmp_tcp_in_ports": "5222 5223 5269",
"fw_xmmp_tcp_out_ports": "5269",
"fw_xmmp_remote_out_services_v4": "",
"fw_xmmp_remote_out_services_v6": "",
"fw_mumble_server_ips": "",
"fw_forward_mumble_server_ips": "",
"fw_mumble_ports": "$standard_mumble_port",
"fw_jitsi_server_ips": "",
"fw_forward_jitsi_server_ips": "",
"fw_jitsi_tcp_ports": "$standard_jitsi_tcp_ports",
"fw_jitsi_udp_port_range": "$standard_jitsi_udp_port_range",
"fw_jitsi_tcp_ports_out": "$standard_turn_service_ports,4443,4444,4445,4446",
"fw_jitsi_udp_ports_out": "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446",
"fw_jitsi_dovecot_auth": False,
"fw_jitsi_dovecot_host": "",
"fw_jitsi_jibri_remote_auth": False,
"fw_jitsi_jibri_remote_ips": "",
"fw_jibri_server_ips": "",
"fw_forward_jibri_server_ips": "",
"fw_jibri_remote_jitsi_server": "",
"fw_nc_turn_server_ips": "",
"fw_forward_nc_turn_server_ips": "",
"fw_nc_turn_ports": "$standard_turn_service_ports",
"fw_nc_turn_udp_ports": "$standard_turn_service_udp_ports",
"fw_tftp_server_ips": "",
"fw_prometheus_local_server_ips": "",
"fw_prometheus_local_client_ips": "",
"fw_prometheus_remote_server_ips": "",
"fw_munin_server_ips": "",
"fw_forward_munin_server_ips": "",
"fw_munin_remote_port": "$standard_munin_port",
"fw_munin_local_port": "4949",
"munin_remote_ipv4": "",
"munin_remote_ipv6": "",
"fw_xymon_server_ips": "",
"fw_local_xymon_client": False,
"fw_xymon_port": "$standard_xymon_port",
"fw_rsync_out_ips": "",
"fw_forward_rsync_out_ips": "",
"fw_rsync_ports": "873",
"fw_tcp_out_ports": "",
"fw_forward_tcp_out_ports": "",
"fw_udp_out_ports": "",
"fw_forward_udp_out_ports": "",
"fw_portforward_tcp_v4": "",
"fw_portforward_udp_v4": "",
"fw_portforward_tcp_v6": "",
"fw_portforward_udp_v6": "",
"fw_blocked_ips": "",
"fw_block_tcp_ports": "111 113 135 137:139 445",
"fw_block_udp_ports": "111 137:139",
"fw_create_traffic_counter": True,
"fw_create_iperf_rules": True,
"fw_protection_against_syn_flooding": True,
"fw_protection_against_port_scanning": True,
"fw_protection_against_ssh_brute_force_attacks": True,
"fw_limit_connections_per_source_IP": True,
"fw_per_IP_connection_limit": "$default_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP": True,
"fw_limit_new_tcp_connections_per_seconds_ports": "",
"fw_kernel_activate_forwarding": False,
"fw_kernel_support_dynaddr": False,
"fw_dynaddr_flag": "5",
"fw_kernel_reduce_timeouts": True,
"fw_kernel_tcp_syncookies": True,
"fw_kernel_protect_against_icmp_bogus_messages": True,
"fw_kernel_ignore_broadcast_ping": True,
"fw_kernel_deactivate_source_route": True,
"fw_kernel_dont_accept_redirects": True,
"fw_kernel_activate_rp_filter": True,
"fw_kernel_log_martians": False,
"fw_kernel_forward_between_interfaces": False,
"fw_vpn_ifs": "tun+",
"fw_wg_ifs": "wg+",
"fw_nat_devices": "",
}
# ---------------------------------------------------------------------------
# Variable mapping: (bash_varname, source) → ansible_varname
# source: 'iface_v4', 'iface_v6', 'main_v4', 'main_v6', 'main_shared'
# ---------------------------------------------------------------------------
# Shared service variables (read from main_ipv4.conf, same in both)
MAIN_SHARED = {
"do_not_firewall_bridged_traffic": "fw_do_not_firewall_bridged_traffic",
"do_not_firewall_lx_guest_systems": "fw_do_not_firewall_lx_guest_systems",
"drop_icmp": "fw_drop_icmp",
"drop_mndp": "fw_drop_mndp",
"drop_mdns": "fw_drop_mdns",
"allow_all_outgoing_traffic": "fw_allow_all_outgoing_traffic",
"blocked_ifs": "fw_blocked_ifs",
"unprotected_ifs": "fw_unprotected_ifs",
"vpn_server_ips": "fw_vpn_server_ips",
"forward_vpn_server_ips": "fw_forward_vpn_server_ips",
"vpn_ports": "fw_vpn_ports",
"wireguard_server_ips": "fw_wireguard_server_ips",
"forward_wireguard_server_ips": "fw_forward_wireguard_server_ips",
"wireguard_server_ports": "fw_wireguard_server_ports",
"wireguard_out_ports": "fw_wireguard_out_ports",
"local_ntp_service": "fw_local_ntp_service",
"ntp_port": "fw_ntp_port",
"ntp_allowed_net": "fw_ntp_allowed_net",
"dns_server_ips": "fw_dns_server_ips",
"forward_dns_server_ips": "fw_forward_dns_server_ips",
"local_resolver_service": "fw_local_resolver_service",
"resolver_port": "fw_resolver_port",
"ssh_server_ips": "fw_ssh_server_ips",
"forward_ssh_server_ips": "fw_forward_ssh_server_ips",
"ssh_ports": "fw_ssh_ports",
"http_server_ips": "fw_http_server_ips",
"forward_http_server_ips": "fw_forward_http_server_ips",
"http_ports": "fw_http_ports",
"log_cgi_traffic_out": "fw_log_cgi_traffic_out",
"cgi_script_users": "fw_cgi_script_users",
"mm_server_ips": "fw_mm_server_ips",
"forward_mm_server_ips": "fw_forward_mm_server_ips",
"smtpd_ips": "fw_smtpd_ips",
"forward_smtpd_ips": "fw_forward_smtpd_ips",
"smtpd_additional_listen_ports": "fw_smtpd_additional_listen_ports",
"smtpd_additional_outgoung_ports": "fw_smtpd_additional_outgoing_ports",
"mail_server_ips": "fw_mail_server_ips",
"forward_mail_server_ips": "fw_forward_mail_server_ips",
"mail_user_ports": "fw_mail_user_ports",
"mail_client_ips": "fw_mail_client_ips",
"forward_mail_client_ips": "fw_forward_mail_client_ips",
"dovecot_auth_service": "fw_dovecot_auth_service",
"dovecot_auth_port": "fw_dovecot_auth_port",
"ftp_server_ips": "fw_ftp_server_ips",
"forward_ftp_server_ips": "fw_forward_ftp_server_ips",
"ftp_passive_port_range": "fw_ftp_passive_port_range",
"xmpp_server_ips": "fw_xmpp_server_ips",
"forward_xmpp_server_ips": "fw_forward_xmpp_server_ips",
"xmmp_tcp_in_ports": "fw_xmmp_tcp_in_ports",
"xmmp_tcp_out_ports": "fw_xmmp_tcp_out_ports",
"mumble_server_ips": "fw_mumble_server_ips",
"forward_mumble_server_ips": "fw_forward_mumble_server_ips",
"mumble_ports": "fw_mumble_ports",
"jitsi_server_ips": "fw_jitsi_server_ips",
"forward_jitsi_server_ips": "fw_forward_jitsi_server_ips",
"jitsi_tcp_ports": "fw_jitsi_tcp_ports",
"jitsi_udp_port_range": "fw_jitsi_udp_port_range",
"jitsi_tcp_ports_out": "fw_jitsi_tcp_ports_out",
"jitsi_udp_ports_out": "fw_jitsi_udp_ports_out",
"jitsi_dovecot_auth": "fw_jitsi_dovecot_auth",
"jitsi_dovecot_host": "fw_jitsi_dovecot_host",
"jitsi_jibri_remote_auth": "fw_jitsi_jibri_remote_auth",
"jitsi_jibri_remote_ips": "fw_jitsi_jibri_remote_ips",
"jibri_server_ips": "fw_jibri_server_ips",
"forward_jibri_server_ips": "fw_forward_jibri_server_ips",
"jibri_remote_jitsi_server": "fw_jibri_remote_jitsi_server",
"nc_turn_server_ips": "fw_nc_turn_server_ips",
"forward_nc_turn_server_ips": "fw_forward_nc_turn_server_ips",
"nc_turn_ports": "fw_nc_turn_ports",
"nc_turn_udp_ports": "fw_nc_turn_udp_ports",
"tftp_server_ips": "fw_tftp_server_ips",
"prometheus_local_server_ips": "fw_prometheus_local_server_ips",
"prometheus_local_client_ips": "fw_prometheus_local_client_ips",
"prometheus_remote_server_ips": "fw_prometheus_remote_server_ips",
"munin_server_ips": "fw_munin_server_ips",
"forward_munin_server_ips": "fw_forward_munin_server_ips",
"munin_remote_port": "fw_munin_remote_port",
"munin_local_port": "fw_munin_local_port",
"xymon_server_ips": "fw_xymon_server_ips",
"local_xymon_client": "fw_local_xymon_client",
"xymon_port": "fw_xymon_port",
"rsync_out_ips": "fw_rsync_out_ips",
"forward_rsync_out_ips": "fw_forward_rsync_out_ips",
"rsync_ports": "fw_rsync_ports",
"tcp_out_ports": "fw_tcp_out_ports",
"forward_tcp_out_ports": "fw_forward_tcp_out_ports",
"udp_out_ports": "fw_udp_out_ports",
"forward_udp_out_ports": "fw_forward_udp_out_ports",
"blocked_ips": "fw_blocked_ips",
"block_tcp_ports": "fw_block_tcp_ports",
"block_udp_ports": "fw_block_udp_ports",
"create_traffic_counter": "fw_create_traffic_counter",
"create_iperf_rules": "fw_create_iperf_rules",
"protection_against_syn_flooding": "fw_protection_against_syn_flooding",
"protection_against_port_scanning": "fw_protection_against_port_scanning",
"protection_against_ssh_brute_force_attacks": "fw_protection_against_ssh_brute_force_attacks",
"limit_connections_per_source_IP": "fw_limit_connections_per_source_IP",
"per_IP_connection_limit": "fw_per_IP_connection_limit",
"limit_new_tcp_connections_per_seconds_per_source_IP": "fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"limit_new_tcp_connections_per_seconds_ports": "fw_limit_new_tcp_connections_per_seconds_ports",
}
# IPv4-only variables (from main_ipv4.conf)
MAIN_V4_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v4",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v4",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v4",
"allow_ext_service": "fw_allow_ext_service_v4",
"allow_ext_net": "fw_allow_ext_net_v4",
"allow_local_service": "fw_allow_local_service_v4",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v4",
"portforward_tcp": "fw_portforward_tcp_v4",
"portforward_udp": "fw_portforward_udp_v4",
"munin_remote_ip": "munin_remote_ipv4",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v4",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v4",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v4",
"dhcp_server_ifs": "fw_dhcp_server_ifs",
"dhcp_client_ifs": "fw_dhcp_client_ifs",
"kernel_activate_forwarding": "fw_kernel_activate_forwarding",
"kernel_support_dynaddr": "fw_kernel_support_dynaddr",
"dynaddr_flag": "fw_dynaddr_flag",
"kernel_reduce_timeouts": "fw_kernel_reduce_timeouts",
"kernel_tcp_syncookies": "fw_kernel_tcp_syncookies",
"kernel_protect_against_icmp_bogus_messages": "fw_kernel_protect_against_icmp_bogus_messages",
"kernel_ignore_broadcast_ping": "fw_kernel_ignore_broadcast_ping",
"kernel_activate_rp_filter": "fw_kernel_activate_rp_filter",
"kernel_log_martians": "fw_kernel_log_martians",
"kernel_deactivate_source_route": "fw_kernel_deactivate_source_route",
"kernel_dont_accept_redirects": "fw_kernel_dont_accept_redirects",
}
# IPv6-only variables (from main_ipv6.conf)
MAIN_V6_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v6",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v6",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v6",
"allow_ext_service": "fw_allow_ext_service_v6",
"allow_ext_net": "fw_allow_ext_net_v6",
"allow_local_service": "fw_allow_local_service_v6",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v6",
"portforward_tcp": "fw_portforward_tcp_v6",
"portforward_udp": "fw_portforward_udp_v6",
"munin_remote_ip": "munin_remote_ipv6",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v6",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v6",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v6",
"kernel_forward_between_interfaces": "fw_kernel_forward_between_interfaces",
}
# ---------------------------------------------------------------------------
# Parsing
# ---------------------------------------------------------------------------
def parse_bash_config(text):
"""
Parse key=value pairs from a bash config file.
Handles: var="value", var=value, var=true/false
Multiline values (var="line1\n line2\n") are joined as a single string.
Returns dict of {varname: value_string}
"""
result = {}
warnings = []
# Collapse multiline quoted strings: "...\n ..." → "... ..."
# Strategy: scan char by char for opening " after =, collect until closing "
lines = text.splitlines()
i = 0
while i < len(lines):
line = lines[i].strip()
# Skip comments and blank lines
if not line or line.startswith('#'):
i += 1
continue
# Match assignment
m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)', line)
if not m:
i += 1
continue
varname = m.group(1)
rest = m.group(2).strip()
# Quoted value (single or double quotes, may span multiple lines)
if rest and rest[0] in ('"', "'"):
quote_char = rest[0]
collected = rest[1:] # strip opening quote
parts = []
closed = False
while True:
close_pos = collected.find(quote_char)
if close_pos != -1:
parts.append(collected[:close_pos])
# join all parts; split() collapses whitespace and drops empty lines
value = ' '.join(' '.join(parts).split())
result[varname] = value
closed = True
break
else:
parts.append(collected)
i += 1
if i >= len(lines):
break
collected = lines[i].strip()
if not closed:
warnings.append(f" # {varname}: unterminated quoted string — skipped")
else:
# Unquoted value (true, false, $var_ref, number, etc.)
# Strip trailing comment
value = re.sub(r'\s+#.*$', '', rest).strip()
result[varname] = value
i += 1
return result, warnings
def ssh_cat(host, user, port, path, sudo_password=None):
"""Read a file from a remote host via SSH. Returns file content or None."""
ssh_cmd = ["ssh"]
if user:
ssh_cmd += ["-l", user]
if port:
ssh_cmd += ["-p", str(port)]
ssh_cmd += ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10", host]
if sudo_password is not None:
# Use sudo -S to read password from stdin; -p '' suppresses the prompt
ssh_cmd += [f"sudo -S -p '' cat {path}"]
stdin_data = sudo_password + "\n"
else:
ssh_cmd += [f"cat {path}"]
stdin_data = None
try:
result = subprocess.run(
ssh_cmd, input=stdin_data, capture_output=True, text=True, timeout=30
)
if result.returncode != 0:
print(f" WARNING: could not read {path}: {result.stderr.strip()}", file=sys.stderr)
return None
return result.stdout
except subprocess.TimeoutExpired:
print(f" ERROR: SSH timeout reading {path}", file=sys.stderr)
return None
def coerce_bool(value):
"""Convert bash true/false string to Python bool, or return string."""
if value.lower() in ("true", "yes", "1"):
return True
if value.lower() in ("false", "no", "0"):
return False
return value # keep as string (e.g. $standard_ssh_port)
def yaml_value(v):
"""Format a Python value as a YAML-safe string."""
if isinstance(v, bool):
return "true" if v else "false"
if v == "":
return '""'
# Quote if contains special YAML characters
if any(c in str(v) for c in [':', '#', '{', '}', '[', ']', ',', '&', '*', '?', '|', '-', '<', '>', '=', '!', '%', '@', '`', '"', "'"]):
# Use double-quote with escaping
escaped = str(v).replace('\\', '\\\\').replace('"', '\\"')
return f'"{escaped}"'
return str(v)
def build_host_vars(parsed_iface_v4, parsed_iface_v6, parsed_main_v4, parsed_main_v6):
"""
Map parsed bash variables to Ansible fw_* variables.
Returns dict of {ansible_var: value} containing only non-default values.
"""
result = {}
# --- Interfaces: extract lists from numbered vars ---
def extract_list(parsed, prefix, suffix="", count=3):
items = []
for i in range(1, count + 1):
v = parsed.get(f"{prefix}{i}{suffix}", "").strip()
if v:
items.append(v)
return items
fw_ext_interfaces = extract_list(parsed_iface_v4, "ext_if_")
fw_ext_ips_v4 = extract_list(parsed_iface_v4, "ext_", suffix="_ip") # ext_1_ip, ext_2_ip, ext_3_ip
fw_ext_ips_v6 = extract_list(parsed_iface_v6, "ext_", suffix="_ip")
fw_local_interfaces = extract_list(parsed_iface_v4, "local_if_")
fw_local_ips_v4 = extract_list(parsed_iface_v4, "local_", suffix="_ip")
fw_local_ips_v6 = extract_list(parsed_iface_v6, "local_", suffix="_ip")
fw_lxc_guest_ips_v4 = extract_list(parsed_iface_v4, "lxc_guest_", suffix="_ip", count=7)
fw_lxc_guest_ips_v6 = extract_list(parsed_iface_v6, "lxc_guest_", suffix="_ip", count=7)
if fw_ext_interfaces:
result["fw_ext_interfaces"] = fw_ext_interfaces
if fw_ext_ips_v4:
result["fw_ext_ips_v4"] = fw_ext_ips_v4
if fw_ext_ips_v6:
result["fw_ext_ips_v6"] = fw_ext_ips_v6
if fw_local_interfaces:
result["fw_local_interfaces"] = fw_local_interfaces
if fw_local_ips_v4:
result["fw_local_ips_v4"] = fw_local_ips_v4
if fw_local_ips_v6:
result["fw_local_ips_v6"] = fw_local_ips_v6
if fw_lxc_guest_ips_v4:
result["fw_lxc_guest_ips_v4"] = fw_lxc_guest_ips_v4
if fw_lxc_guest_ips_v6:
result["fw_lxc_guest_ips_v6"] = fw_lxc_guest_ips_v6
# vpn_ifs / wg_ifs / nat_devices (same in both interface files)
for bash_var, ansible_var in [("vpn_ifs", "fw_vpn_ifs"), ("wg_ifs", "fw_wg_ifs"), ("nat_devices", "fw_nat_devices")]:
v = parsed_iface_v4.get(bash_var, "")
if v and v != DEFAULTS.get(ansible_var, ""):
result[ansible_var] = v
# --- Shared main variables (read from ipv4) ---
for bash_var, ansible_var in MAIN_SHARED.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv4-only main variables ---
for bash_var, ansible_var in MAIN_V4_ONLY.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv6-only main variables ---
for bash_var, ansible_var in MAIN_V6_ONLY.items():
raw = parsed_main_v6.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
return result
def render_yaml(hostname, host_vars, all_warnings):
"""Render the host_vars as YAML text."""
lines = [
"---",
f"# ipt-firewall configuration for {hostname}",
"# Generated by extract-fw-host-vars.py - review before committing!",
"# Place in: host_vars/<hostname>/ipt_firewall.yml",
"",
]
lines.append("fw_manage_config: false")
lines.append("")
if all_warnings:
lines.append("# WARNINGS — manual review needed:")
for w in all_warnings:
lines.append(w)
lines.append("")
# Group output by section
sections = [
("Network", ["fw_ext_interfaces", "fw_ext_ips_v4", "fw_ext_ips_v6",
"fw_local_interfaces", "fw_local_ips_v4", "fw_local_ips_v6",
"fw_lxc_guest_ips_v4", "fw_lxc_guest_ips_v6",
"fw_vpn_ifs", "fw_wg_ifs", "fw_nat_devices"]),
("Munin", ["munin_remote_ipv4", "munin_remote_ipv6", "fw_munin_local_port",
"fw_munin_server_ips", "fw_forward_munin_server_ips", "fw_munin_remote_port"]),
("Bridged / LXC", ["fw_do_not_firewall_bridged_traffic", "fw_do_not_firewall_lx_guest_systems"]),
("Drop policies", ["fw_drop_icmp", "fw_drop_mndp", "fw_drop_mdns"]),
("Outgoing / interfaces", ["fw_allow_all_outgoing_traffic", "fw_blocked_ifs", "fw_unprotected_ifs"]),
("Forwarding", ["fw_forward_private_ips_v4", "fw_forward_private_ips_v6",
"fw_kernel_activate_forwarding", "fw_kernel_forward_between_interfaces"]),
("Access control IPv4", ["fw_restrict_local_service_to_net_v4", "fw_restrict_local_net_to_net_v4",
"fw_allow_ext_service_v4", "fw_allow_ext_net_v4",
"fw_allow_local_service_v4", "fw_allow_local_service_from_networks_v4"]),
("Access control IPv6", ["fw_restrict_local_service_to_net_v6", "fw_restrict_local_net_to_net_v6",
"fw_allow_ext_service_v6", "fw_allow_ext_net_v6",
"fw_allow_local_service_v6", "fw_allow_local_service_from_networks_v6"]),
("SSH", ["fw_ssh_server_ips", "fw_forward_ssh_server_ips", "fw_ssh_ports"]),
("HTTP", ["fw_http_server_ips", "fw_forward_http_server_ips", "fw_http_ports",
"fw_log_cgi_traffic_out", "fw_cgi_script_users"]),
("Mail", ["fw_smtpd_ips", "fw_forward_smtpd_ips", "fw_smtpd_additional_listen_ports",
"fw_smtpd_additional_outgoing_ports", "fw_mail_server_ips", "fw_forward_mail_server_ips",
"fw_mail_user_ports", "fw_mail_client_ips", "fw_forward_mail_client_ips",
"fw_dovecot_auth_service", "fw_dovecot_auth_port",
"fw_dovecot_auth_allowed_networks_v4", "fw_dovecot_auth_allowed_networks_v6"]),
("DNS", ["fw_dns_server_ips", "fw_forward_dns_server_ips",
"fw_local_resolver_service", "fw_resolver_port",
"fw_resolver_allowed_networks_v4", "fw_resolver_allowed_networks_v6"]),
("NTP", ["fw_local_ntp_service", "fw_ntp_port", "fw_ntp_allowed_net"]),
("DHCP", ["fw_dhcp_server_ifs", "fw_dhcp_client_ifs"]),
("VPN / WireGuard", ["fw_vpn_server_ips", "fw_forward_vpn_server_ips", "fw_vpn_ports",
"fw_wireguard_server_ips", "fw_forward_wireguard_server_ips",
"fw_wireguard_server_ports", "fw_wireguard_out_ports"]),
("FTP", ["fw_ftp_server_ips", "fw_forward_ftp_server_ips", "fw_ftp_passive_port_range"]),
("XMPP", ["fw_xmpp_server_ips", "fw_forward_xmpp_server_ips",
"fw_xmmp_tcp_in_ports", "fw_xmmp_tcp_out_ports",
"fw_xmmp_remote_out_services_v4", "fw_xmmp_remote_out_services_v6"]),
("Mumble", ["fw_mumble_server_ips", "fw_forward_mumble_server_ips", "fw_mumble_ports"]),
("Jitsi", ["fw_jitsi_server_ips", "fw_forward_jitsi_server_ips",
"fw_jitsi_tcp_ports", "fw_jitsi_udp_port_range",
"fw_jitsi_tcp_ports_out", "fw_jitsi_udp_ports_out",
"fw_jitsi_dovecot_auth", "fw_jitsi_dovecot_host",
"fw_jitsi_jibri_remote_auth", "fw_jitsi_jibri_remote_ips",
"fw_jibri_server_ips", "fw_forward_jibri_server_ips", "fw_jibri_remote_jitsi_server"]),
("TURN / STUN", ["fw_nc_turn_server_ips", "fw_forward_nc_turn_server_ips",
"fw_nc_turn_ports", "fw_nc_turn_udp_ports"]),
("Mattermost", ["fw_mm_server_ips", "fw_forward_mm_server_ips"]),
("Prometheus", ["fw_prometheus_local_server_ips", "fw_prometheus_local_client_ips",
"fw_prometheus_remote_server_ips"]),
("Xymon", ["fw_xymon_server_ips", "fw_local_xymon_client", "fw_xymon_port"]),
("Rsync", ["fw_rsync_out_ips", "fw_forward_rsync_out_ips", "fw_rsync_ports"]),
("Out ports", ["fw_tcp_out_ports", "fw_forward_tcp_out_ports",
"fw_udp_out_ports", "fw_forward_udp_out_ports"]),
("Portforwarding", ["fw_portforward_tcp_v4", "fw_portforward_udp_v4",
"fw_portforward_tcp_v6", "fw_portforward_udp_v6"]),
("Block", ["fw_blocked_ips", "fw_block_tcp_ports", "fw_block_udp_ports"]),
("Protection / limits", ["fw_protection_against_syn_flooding",
"fw_protection_against_port_scanning",
"fw_protection_against_ssh_brute_force_attacks",
"fw_limit_connections_per_source_IP", "fw_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"fw_limit_new_tcp_connections_per_seconds_ports"]),
("Kernel IPv4", ["fw_kernel_support_dynaddr", "fw_dynaddr_flag",
"fw_kernel_reduce_timeouts", "fw_kernel_tcp_syncookies",
"fw_kernel_protect_against_icmp_bogus_messages",
"fw_kernel_ignore_broadcast_ping",
"fw_kernel_deactivate_source_route", "fw_kernel_dont_accept_redirects",
"fw_kernel_activate_rp_filter", "fw_kernel_log_martians"]),
("Special", ["fw_create_traffic_counter", "fw_create_iperf_rules"]),
]
emitted = set()
for section_name, keys in sections:
section_lines = []
for k in keys:
if k in host_vars:
v = host_vars[k]
if isinstance(v, list):
section_lines.append(f"{k}:")
for item in v:
section_lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
section_lines.append(f"{k}: {'true' if v else 'false'}")
else:
section_lines.append(f"{k}: {yaml_value(str(v))}")
emitted.add(k)
if section_lines:
lines.append(f"# --- {section_name}")
lines.extend(section_lines)
lines.append("")
# Anything not covered by sections
remaining = {k: v for k, v in host_vars.items() if k not in emitted}
if remaining:
lines.append("# --- Other")
for k, v in remaining.items():
if isinstance(v, list):
lines.append(f"{k}:")
for item in v:
lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
lines.append(f"{k}: {'true' if v else 'false'}")
else:
lines.append(f"{k}: {yaml_value(str(v))}")
lines.append("")
return "\n".join(lines)
def main():
parser = argparse.ArgumentParser(description="Extract ipt-firewall host_vars from a remote host")
parser.add_argument("hostname", help="Target hostname (must be in SSH config or known_hosts)")
parser.add_argument("--user", "-u", default="chris", help="SSH user (default: chris)")
parser.add_argument("--port", "-p", type=int, default=None, help="SSH port (default: 22)")
parser.add_argument("--output", "-o", default=None, help="Output file (default: stdout)")
parser.add_argument("--sudo", "-s", action="store_true",
help="Read files via sudo (prompts for sudo password once)")
parser.add_argument("--dry-run", action="store_true", help="Print SSH commands without executing")
args = parser.parse_args()
hostname = args.hostname
conf_dir = "/etc/ipt-firewall"
files = {
"iface_v4": f"{conf_dir}/interfaces_ipv4.conf",
"iface_v6": f"{conf_dir}/interfaces_ipv6.conf",
"main_v4": f"{conf_dir}/main_ipv4.conf",
"main_v6": f"{conf_dir}/main_ipv6.conf",
}
if args.dry_run:
cmd = "sudo -S -p '' cat" if args.sudo else "cat"
for key, path in files.items():
print(f"ssh {args.user}@{hostname} {cmd} {path}")
return
sudo_password = None
if args.sudo:
import getpass
sudo_password = getpass.getpass(f"sudo password for {args.user}@{hostname}: ")
print(f"Connecting to {hostname} as {args.user} ...", file=sys.stderr)
contents = {}
for key, path in files.items():
print(f" Reading {path} ...", file=sys.stderr)
content = ssh_cat(hostname, args.user, args.port, path, sudo_password=sudo_password)
contents[key] = content or ""
all_warnings = []
parsed = {}
for key, text in contents.items():
p, warnings = parse_bash_config(text)
parsed[key] = p
if warnings:
all_warnings.extend([f" # [{key}] {w}" for w in warnings])
host_vars = build_host_vars(
parsed["iface_v4"], parsed["iface_v6"],
parsed["main_v4"], parsed["main_v6"],
)
yaml_text = render_yaml(hostname, host_vars, all_warnings)
if args.output:
out_path = Path(args.output)
out_path.parent.mkdir(parents=True, exist_ok=True)
out_path.write_text(yaml_text)
print(f"Written to {out_path}", file=sys.stderr)
else:
print(yaml_text)
if __name__ == "__main__":
main()
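Review bot: `ssh_cat` returns `None` when a remote file cannot be read, and `main()` turns that into an empty string (`contents[key] = content or ""`), so an unreadable `main_ipv6.conf` (permission denied without `--sudo`, for instance) silently yields a host_vars file that looks complete but carries only defaults; the warning goes to stderr and never reaches `all_warnings` or the generated file. Suggest either aborting when any of the four files is missing, or appending a line such as `# [main_v6] /etc/ipt-firewall/main_ipv6.conf could not be read` to `all_warnings` so the `# WARNINGS` block in the output records it. Two smaller points: the generated header `# Place in: host_vars/<hostname>/ipt_firewall.yml` and the comment `# Defaults matching roles/ipt-firewall/defaults/main.yml` still use the old names, while commit 5a98895b66 renamed the file to `ipt-server.yml` and the role is `ipt-server`; and the module docstring documents `--user`, `--port` and `--dry-run` but not `--sudo` or `--output`, nor that the default user is `chris`. Finally, `yaml_value` leaves bare words such as `yes`/`no` and plain integers unquoted, so a value like `250` reaches Ansible as an int and a bash `yes` as a YAML boolean; quoting everything that is not a recognised true/false would make the output type-stable.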
-1
@@ -1916,7 +1916,6 @@ apt_install: {}
apt_install_state: latest
apt_remove:
- rpcbind
- apt-transport-tor
- tor
- tor-geoipdb
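Review bot: one entry is dropped from `apt_remove` in this hunk; removing a package from that list does not bring it back on hosts where the role already purged it, so if the intent is to keep one of the tor packages installed it also has to be listed in `apt_install`, which is currently `{}`.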
+45
View File
@@ -0,0 +1,45 @@
---
# ipt-firewall configuration for a.mx.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "95.217.204.247"
fw_ext_ips_v6:
- "2a01:4f9:4a:47e5::247"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip
# --- Mail
fw_smtpd_ips: $ext_1_ip
fw_mail_server_ips: $ext_1_ip
fw_mail_client_ips: $ext_1_ip
fw_dovecot_auth_service: true
# - meet.oopen.de -> 159.69.74.155
# - meet.akweb.de -> 148.251.14.136
# - jo.oopen.de -> 94.16.115.62
# -
# - meet.akweb.de -> 2a01:4f8:201:7389::136
# - meet.oopen.de -> 2a01:4f8:231:19a7::155
fw_dovecot_auth_allowed_networks_v4: 159.69.74.155 148.251.14.136 94.16.115.62
fw_dovecot_auth_allowed_networks_v6: "2a01:4f8:231:19a7::155 2a01:4f8:201:7389::136"
# --- Jitsi
fw_jitsi_dovecot_auth: true
# --- Rsync
fw_rsync_out_ips: $ext_1_ip
# --- Protection / limits
fw_per_IP_connection_limit: 250
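Review bot: the shell placeholders `$ext_1_ip` (this file) and `$ext_ips` (a.ns, backup) are copied verbatim into YAML; unless the role expands both spellings they end up as literal strings in the rules, so either have extract-fw-host-vars.py normalise them to one form (or to the concrete address from `fw_ext_ips_v4`) or document the placeholder syntax in the role. Same file, smaller points: `fw_ext_ips_v4` is a list while `fw_dovecot_auth_allowed_networks_v4` is a space-separated scalar, so the role must accept both shapes; the lone `# -` among the Jitsi host comments is an empty bullet the generator should drop; and the header line `Place in: host_vars/<hostname>/ipt_firewall.yml` must name the file the role actually reads, because that line is what someone migrating a host will follow.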
+27
View File
@@ -0,0 +1,27 @@
---
# ipt-firewall configuration for a.ns.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "195.201.179.131"
fw_ext_ips_v6:
- "2a01:4f8:231:19a7::131"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- DNS
fw_dns_server_ips: $ext_ips
# --- VPN / WireGuard
fw_wireguard_server_ips: $ext_ips
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
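Review bot: `fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14` is repeated verbatim for backup and cl-01 in this same change; a shared block list belongs in group_vars or the role defaults so it is maintained in one place, with per-host additions only. There is also no IPv6 counterpart, so the block is v4-only, which deserves a comment if that is intended.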
+142
View File
@@ -0,0 +1,142 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 2a01:4ff:ff00::add:2
- 185.12.64.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
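Review bot: the commented catalogue of public resolvers (CyberGhost, Cloudflare, Google, Quad9, OpenNIC, Freifunk) is template text and should not be carried into every new host_vars file; keep only the entries that are actually configured. Also, `resolved_domains: [~.]` routes every lookup to the four listed nameservers and `resolved_dnssec: false` means their answers are accepted unvalidated, so add a one-line comment on why DNSSEC is off for this host instead of leaving it to be rediscovered later.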
+121
View File
@@ -163,6 +163,127 @@ resolved_fallback_nameserver:
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.52.10
samba_server_cidr_prefix: 24
samba_workgroup: WF
samba_netbios_name: ANITA
samba_groups:
- name: users
group_id: 100
- name: archive
group_id: 1020
- name: intern
group_id: 1030
samba_user:
- name: annette
groups:
- users
- intern
password: '20.18-annette%'
- name: axel
groups:
- archive
- users
- intern
password: 'axel123'
- name: chris
groups:
- users
- archive
- intern
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: kaya
groups:
- users
- intern
password: 'kaya123'
- name: lalix
groups:
- users
- intern
password: 'lalix123'
- name: mariette
groups:
- users
- intern
password: 'mariette123'
- name: sysadm
groups:
- users
- archive
- intern
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31306162383164643133623335323736323837613435333430363336353032323565633130353733
3363646437363062313763636333356436666331396131370a393762363931626166326530373261
62616332643232663432613662646134613539323861383436636364633562646138646538343863
6530336565363934330a363063653533396666373730663062363633363634363337323039363231
3130
base_home: /home
samba_homes_virusfilter: true
samba_shares:
- name: archiv
path: /data/samba/archiv
group_valid_users: users
group_write_list: archive
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: daten2
path: /data/samba/daten2
group_valid_users: users
group_write_list: users
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: verwaltung
path: /data/samba/archiv
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
# ==============================
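Review bot: the `password:` values for annette, axel, kaya, lalix and mariette are committed in clear text while chris and sysadm use `!vault`; encrypt every Samba password with `ansible-vault encrypt_string` before this lands, and treat the ones already pushed as disclosed and rotate them. Separately, the `verwaltung` share points at `/data/samba/archiv`, the same directory as the `archiv` share but with the narrower `group_valid_users: intern`; if that is deliberate (two entry points into one tree) say so in a comment, otherwise it reads like a copy-paste slip for `/data/samba/verwaltung`.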
+5 -1
View File
@@ -257,6 +257,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmfp+4waTzHxdT5TaxAMsIPDDwNe8Dwuif1jL+9v9GP root@a.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBIyXel+KOTLB6VB2xJwyWaZc0KuCJzocwlziFdovCl root@a.ns'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGi22vcCilahX9KwbqcF8/D0RnzQXvgzTUFTmRHNJsBZ root@anabaena'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5xyeZBGQn4Iz5iV2DMBVll/6n/X0JuoPMDpc8D32ra root@ak-plan'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU1InXFKZX9emaT5QsY4Nr0tr8CzbyV8Js8RzZC9vGk root@b.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPo7hI8oIS+/xufCUNTTgNoz592udJaU+79L0uADzKJY root@b.ns'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
@@ -272,6 +273,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjr0aBl2KQTJnlVK03DOs0u+IXSon4VewwAzzSBsmVW root@cl-lubax'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhwPCxVHqABXzyXwVuqbH703RCU0N+SC/cx4TuoHhGU root@cl-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp6BXQ/v/Hf/IJnI0JIS96RC4NGDMFUbwyW8nH3Xq66 root@cl-ndm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test'
@@ -319,7 +321,8 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcgS05xGLPuECQ7E5zjzfSDxdFBO1mAjkSV2bktxld+ root@o23'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28-FM-BAK'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyLS+kyfMX0hlv0rMmGyG6huvuqZlEOOf007xuI6io0 root@o28'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
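Review bot: the previous `root@o28` key is kept as `root@o28-FM-BAK` next to the new `root@o28` key, so the old host (or whoever holds its private key) remains authorised on every host that consumes `default_user`. If the old key is only needed during the migration, say until when in the comment and remove it afterwards; if o28 was rotated because of a reinstall or a compromise, drop the old key now rather than renaming it.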
@@ -339,6 +342,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObY/MOgF4QVWROrQCaKCfBOfAwKVcja3q7Ngwo1MEDt root@psono-ndm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbeMf/CvAYIU/4UW8Ql59FgPo/3vcZ3vI3QzK2kOadE root@srv-cityslang'
+39
View File
@@ -0,0 +1,39 @@
---
# ipt-firewall configuration for backup.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "37.27.121.218"
fw_ext_ips_v6:
- "2a01:4f9:3070:2bda::218"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- Access control IPv4
fw_allow_ext_service_v4: "138.201.17.150:1036:tcp o32.oopen.de:2222:tcp"
# --- Access control IPv6
fw_allow_ext_service_v6: "2a01:4f8:171:2895::2,1036,tcp o32.oopen.de,2222,tcp"
# --- HTTP
fw_http_server_ips: $ext_ips
# --- Out ports
# -
# - TCP Ports
# -
# - ssh port k1371.dyndns.org: 51372
# - ssh port k1371.homelinux.org: 51374
# -
fw_tcp_out_ports: 51372 51374
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
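Review bot: `fw_allow_ext_service_v4` and `fw_allow_ext_service_v6` embed the hostname `o32.oopen.de`, so the firewall script has to resolve it when the rules are loaded; at boot, before the resolver is reachable, that rule either fails or is skipped, and a later DNS change silently moves the opening. Use the literal v4 and v6 addresses and keep the name in a comment, as the `138.201.17.150` entry effectively does. Also confirm the role really expects `:` as the field separator for v4 and `,` for v6, since the two lines differ.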
+27
View File
@@ -0,0 +1,27 @@
---
# ipt-firewall configuration for cl-01.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "162.55.82.74"
fw_ext_ips_v6:
- "2a01:4f8:271:1266::74"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip
# --- Mail
fw_mail_client_ips: $ext_1_ip
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
+235
View File
@@ -0,0 +1,235 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '23'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
- name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
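Review bot: `sudoers_file_user_privileges` gives `back` NOPASSWD `/usr/local/php/bin/php` as `www-data` with no argument restriction, which amounts to an interactive shell as `www-data` (`sudo -u www-data php -r '...'`) rather than permission to run one job. Pin the entry to the exact invocation (the `cron.php` path, or a root-owned wrapper script) so the backup user can run only that. Smaller: the cron entry name `"Background job for nextcloud instance 'cloud.neuemedienmacher.de"` has an unbalanced quote inside the string, and "sre running" is a typo.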
+6
View File
@@ -446,6 +446,12 @@ samba_user:
- verwaltung
password: '20-mar1o.fr31dank-24+'
- name: nano.nowak
groups:
- projekte
- team
password: '20-n4n0.n0w4k.26!'
- name: olaf.stuve
groups:
- projekte
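Review bot: the new `nano.nowak` entry commits the Samba password in clear text, like its neighbours; use a `!vault` value, and since the string is already in git history, rotate it once the vaulted value is in place.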
@@ -24,7 +24,7 @@ network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eno1np0
headline: br0 - bridge over device enp97s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -33,7 +33,7 @@ network_interfaces:
family: inet
method: static
description:
address: 192.168.122.210
address: 192.168.122.215
netmask: 24
gateway: 192.168.122.254
@@ -53,7 +53,7 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: eno1np0 # for mor devices support a blank separated list
ports: enp97s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
@@ -61,7 +61,7 @@ network_interfaces:
# inline hook scripts
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
- !!str "ip link set dev enp97s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
@@ -93,13 +93,6 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs:
- lvm2
- kpartx
- ntfs-3g
- swtpm
- swtpm-tools
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
@@ -226,56 +219,6 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: advoware
user_id: 1115
group_id: 1115
group: advoware
home: / data/home/advoware
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: a-jur
user_id: 1110
group_id: 1110
group: a-jur
home: / data/home/a-jur
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
home: /home/back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsqkTV7RiYPljwlP/MZA+MBeTgiwZI7oCAD77Ujpm1V root@file-km'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOan+hwlA8B3mk82tsvL1LGlejrF5pqT2J3POrg/QJLX root@gw-km'
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
@@ -312,12 +255,12 @@ sudoers_file_user_back_mount_privileges:
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.122.210
samba_server_ip: 192.168.122.215
samba_server_cidr_prefix: 24
samba_workgroup: ANW-KM
samba_workgroup: WORKGROUP
samba_netbios_name: FILE-KM-01
samba_netbios_name: FILE-KM-ALT
samba_server_min_protocol: !!str NT1
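Review bot: `samba_server_min_protocol: !!str NT1` is unchanged context here but now applies to the renamed FILE-KM-ALT host as well; NT1 is SMB1, with no encryption and weak signing, so if no legacy client still depends on it raise the minimum to SMB2 on both the old and the new file server. The hunk also moves the workgroup from ANW-KM to WORKGROUP on this host; fine if it is being retired, but a sentence in the commit message saying so would save the next reader a question.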
@@ -326,16 +269,12 @@ samba_groups:
group_id: 1100
- name: a-jur
group_id: 1110
- name: advoware
group_id: 1115
- name: intern
group_id: 1120
- name: wildvang
group_id: 1130
#- name: aulmann
# group_id: 1130
#- name: howe
# group_id: 1140
- name: eibelshaeuser
group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
@@ -344,6 +283,8 @@ samba_groups:
group_id: 1170
- name: alle
group_id: 1180
- name: install
group_id: 1190
@@ -352,108 +293,31 @@ samba_user:
- name: advoware
groups:
- advoware
has_rdp: false
password: '9WNRbc49m3'
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
has_rdp: false
password: 'a-jur'
- name: andrea
groups:
- advoware
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero7'
- name: chris
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
@@ -462,14 +326,202 @@ samba_user:
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: 'Ax_GSHh5'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: 'Ax_GSHh5'
# ---
# Andreas Eibelhäuser
# ---
- name: andreas
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: 'YKQRa.M9-6rL'
- name: philipp
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: '20-phi.lip.26%'
- name: ref.eibelshaeuser
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: '20-ref-eibels.haeuser.26+'
# ---
# Berenice Böhlo
# ---
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: 'berenice'
- name: annabel
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: '20+an-na.bel/26!'
- name: jens-uwe
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: '20_jens-uwe.thomas.26!'
- name: mariami
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: '20.ma-ri-ami/26!'
- name: nina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: '20-ni.ha-ger%26%'
- name: zeina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
- wildvang
has_rdp: true
password: '20/ze.ina-26+'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20+rm.buero-1/26!'
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20_rmbuero.2-26%'
# ---
# Rolf Stahmann
# ---
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
has_rdp: false
password: 'W9NKv39pXW'
- name: rolf
groups:
- alle
- stahmann
- traine
- public
has_rdp: true
password: '4xNVNFXgP4'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
has_rdp: false
password: 'maltzwo2'
# ---
# Federico Traine
# ---
- name: andrea
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: true
password: 'fXc3bmK9gj'
- name: federico
groups:
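Review bot: this hunk re-commits a large set of clear-text Samba passwords, several equal to the username (`berenice`, and `buero` through `buero7` in the adjacent hunk), with `sysadm` and `winadm` sharing `'Ax_GSHh5'`; only `chris` is vault-encrypted. Encrypt every `password:` with `!vault` and rotate the trivial ones. Also check the `irina` entry: the rendered diff shows both `password: 'qvR7zX4Lhs'` and `password: 'W9NKv39pXW'` under the same name, and if both survive in the new file the mapping has a duplicate key, which a YAML loader either rejects or resolves silently to the last value.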
@@ -478,8 +530,147 @@ samba_user:
- stahmann
- traine
- public
has_rdp: true
password: 'zHfj9g3NcC'
- name: thomas
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '55-tho-mas-550'
- name: leonora
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20/le-o-nora.26!'
- name: kristin
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20.kris_tin-26/'
- name: jule
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20_ju-le%26!'
- name: luanda
groups:
- advoware
- alle
- traine
- public
has_rdp: false
password: '20-lu.anda+26!'
# ---
# Wiebke Wildvang
# ---
- name: wiebke
groups:
- alle
- wildvang
- public
has_rdp: true
password: 'uJ5gF/m53p.P'
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
has_rdp: false
password: 'J3KMRprK9H'
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
has_rdp: false
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero7'
- name: christina
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: false
password: 'qvR7zX4Lhs'
# - name: gerhard
# groups:
# - advoware
@@ -495,6 +686,8 @@ samba_user:
groups:
- alle
- stahmann
- public
has_rdp: false
password: '44-Ro-440'
# - name: howe-staff-1
@@ -505,15 +698,6 @@ samba_user:
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
@@ -521,6 +705,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'bV3pjPtjkR'
# - name: laura
@@ -539,6 +724,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'fndvLmrt7W'
- name: lenovo4
@@ -548,6 +734,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'tpCMmTKj7H'
- name: lenovo5
@@ -557,6 +744,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'L5Hannover51'
- name: lenovo6
@@ -565,81 +753,10 @@ samba_user:
- alle
- stahmann
- traine
- public
has_rdp: false
password: '66koeln66'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- stahmann
- traine
- wildvang
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: 'uJ5gF/m53p.P'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
base_home: /data/home
@@ -683,12 +800,25 @@ samba_shares:
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: false
- name: eibelshaeuser
comment: Eibelshaeuser auf Fileserver
path: /data/samba/eibelshaeuser
group_valid_users: eibelshaeuser
group_write_list: eibelshaeuser
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: wildvang
comment: Wildvang auf Fileserver
path: /data/samba/Wildvang
+449 -222
View File
@@ -1,10 +1,8 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
@@ -19,12 +17,10 @@ network_interface_required_packages:
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp97s0
headline: br0 - bridge over device eno1np0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -53,7 +49,7 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: enp97s0 # for mor devices support a blank separated list
ports: eno1np0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
@@ -61,38 +57,39 @@ network_interfaces:
# inline hook scripts
pre-up:
- !!str "ip link set dev enp97s0 up" # pre-up script lines
- !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs:
- lvm2
- kpartx
- ntfs-3g
- swtpm
- swtpm-tools
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
@@ -163,13 +160,11 @@ resolved_dnssec: false
resolved_fallback_nameserver:
- 172.16.122.254
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
@@ -180,12 +175,15 @@ cron_user_special_time_entries:
job: "echo 1 > /sys/kernel/mm/ksm/run"
insertafter: PATH
cron_user_entries:
- name: "Backup file server / gateway"
minute: "03"
hour: "00"
job: /root/crontab/backup-rborg2/rborg2.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
@@ -213,22 +211,66 @@ cron_user_entries:
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: advoware
user_id: 1115
group_id: 1115
group: advoware
home: / data/home/advoware
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol"
- name: a-jur
user_id: 1110
group_id: 1110
group: a-jur
home: / data/home/a-jur
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol"
- name: back
user_id: 1060
group_id: 1060
group: back
home: /home/back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de"
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsqkTV7RiYPljwlP/MZA+MBeTgiwZI7oCAD77Ujpm1V root@file-km"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOan+hwlA8B3mk82tsvL1LGlejrF5pqT2J3POrg/QJLX root@gw-km"
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
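Review bot: the `home:` values for `advoware` and `a-jur` read `/ data/home/advoware` and `/ data/home/a-jur` with a space after the leading slash, while `back` and `borg` use `/home/...` and `base_home` further down in this file is `/data/home`; YAML takes the string literally, so the user module would create a directory under a path beginning with `/ data`. This looks like a typo for `/data/home/advoware` and `/data/home/a-jur`. Separately, both accounts carry the identical yescrypt hash (`$y$j9T$wuQkVnvJxMIy/2Hvmqm2w/...`), i.e. one shared password, and the hashes sit unencrypted in host_vars even though the `chris` entry under `samba_user` in this same file uses `!vault |`; wrap these `password:` values the same way.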
@@ -236,20 +278,17 @@ cron_user_entries:
# see: roles/common/tasks/vars
sudoers_file_user_back_mount_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mount'
- 'ALL=(root) NOPASSWD: /usr/bin/umount'
- "ALL=(root) NOPASSWD: /usr/bin/mount"
- "ALL=(root) NOPASSWD: /usr/bin/umount"
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
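Review bot: beyond the quote-style change, the two entries grant `back` passwordless root `mount` and `umount` with no argument restriction (`"ALL=(root) NOPASSWD: /usr/bin/mount"`). sudoers accepts the permitted arguments after the command, so pinning both lines to the device and mount point the backup job actually uses keeps the job working while narrowing what this account can do as root.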
@@ -258,9 +297,9 @@ sudoers_file_user_back_mount_privileges:
samba_server_ip: 192.168.122.10
samba_server_cidr_prefix: 24
samba_workgroup: WORKGROUP
samba_workgroup: ANW-KM
samba_netbios_name: FILE-KM
samba_netbios_name: FILE-KM-01
samba_server_min_protocol: !!str NT1
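Review bot: the hunk renames the workgroup to `ANW-KM` and the NetBIOS name to `FILE-KM-01`, but the unchanged context line `samba_server_min_protocol: !!str NT1` keeps SMB1 as the accepted minimum dialect. If none of the Advoware or Windows clients on this net still needs SMB1, raise it to SMB2 in the same change; if one does, a comment naming that client would stop the exception from outliving it.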
@@ -269,14 +308,14 @@ samba_groups:
group_id: 1100
- name: a-jur
group_id: 1110
- name: advoware
group_id: 1115
- name: intern
group_id: 1120
- name: wildvang
group_id: 1130
#- name: aulmann
# group_id: 1130
#- name: howe
# group_id: 1140
- name: eibelshaeuser
group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
@@ -285,104 +324,24 @@ samba_groups:
group_id: 1170
- name: alle
group_id: 1180
- name: install
group_id: 1190
samba_user:
- name: advoware
groups:
- advoware
password: '9WNRbc49m3'
has_rdp: false
password: "9WNRbc49m3"
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
password: 'a-jur'
- name: andrea
groups:
- advoware
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero7'
has_rdp: false
password: "a-jur"
- name: chris
groups:
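Review bot: the added `password: "a-jur"` sets the `a-jur` Samba password equal to the account name, and `advoware` keeps its secret in clear text next to it. Since `has_rdp` is being introduced for every account in this hunk anyway, this is the natural moment to replace such values with generated ones and to store them as `!vault`. The rest of the hunk only moves entries (andrea, aphex2, berenice, beuster, buero*) further down the file, which inflates the diff but changes nothing.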
@@ -390,11 +349,14 @@ samba_user:
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
@@ -403,14 +365,202 @@ samba_user:
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: "Ax_GSHh5"
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: "Ax_GSHh5"
# ---
# Andreas Eibelhäuser
# ---
- name: andreas
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: "YKQRa.M9-6rL"
- name: philipp
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: "20-phi.lip.26%"
- name: ref.eibelshaeuser
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: "20-ref-eibels.haeuser.26+"
# ---
# Berenice Böhlo
# ---
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: "berenice"
- name: annabel
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: "20+an-na.bel/26!"
- name: jens-uwe
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "20_jens-uwe.thomas.26!"
- name: mariami
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "20.ma-ri-ami/26!"
- name: nina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: "20-ni.ha-ger%26%"
- name: zeina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
- wildvang
has_rdp: true
password: "20/ze.ina-26+"
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20+rm.buero-1/26!'
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20_rmbuero.2-26%'
# ---
# Rolf Stahmann
# ---
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
has_rdp: false
password: "W9NKv39pXW"
- name: rolf
groups:
- alle
- stahmann
- traine
- public
has_rdp: true
password: "4xNVNFXgP4"
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
has_rdp: false
password: "maltzwo2"
# ---
# Federico Traine
# ---
- name: andrea
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: true
password: "fXc3bmK9gj"
- name: federico
groups:
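Review bot: `sysadm` and `winadm` are added with the identical password (`password: "Ax_GSHh5"` on both), and every account in this hunk stores its password in clear text while `chris` directly above uses `!vault |`. Vault all `password:` values (ansible-vault encrypt_string) rather than one; a clear-text host_vars file is readable by everyone with repository access and the values stay in git history after any later rotation. On the positive side, `rm-buero1` and `rm-buero2` previously had `password: ''` and now get distinct non-empty values.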
@@ -419,7 +569,146 @@ samba_user:
- stahmann
- traine
- public
password: 'zHfj9g3NcC'
has_rdp: true
password: "zHfj9g3NcC"
- name: thomas
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: "55-tho-mas-550"
- name: leonora
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: "20/le-o-nora.26!"
- name: kristin
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: "20.kris_tin-26/"
- name: jule
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: "20_ju-le%26!"
- name: luanda
groups:
- advoware
- alle
- traine
- public
has_rdp: false
password: "20-lu.anda+26!"
# ---
# Wiebke Wildvang
# ---
- name: wiebke
groups:
- alle
- wildvang
- public
has_rdp: true
password: "uJ5gF/m53p.P"
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
has_rdp: false
password: "J3KMRprK9H"
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
has_rdp: false
password: "zlm17Kx"
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "buero"
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "buero2"
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "buero3"
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "buero4"
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: "buero7"
- name: christina
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: false
password: "qvR7zX4Lhs"
# - name: gerhard
# groups:
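Review bot: the accounts `buero`, `buero2`, `buero3`, `buero4` and `buero7` are re-added with their password equal to the account name (`password: "buero"`, `password: "buero2"`, ...) and `has_rdp: false`; since only the Samba credential is affected, rotating them in this move would cost the users little. Also worth a comment: `andrea`, `aphex2`, `beuster` and `christina` are relocated under the `# Wiebke Wildvang` heading although their groups are `stahmann`/`traine`, so the section headings no longer say which practice an account belongs to.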
@@ -436,7 +725,9 @@ samba_user:
groups:
- alle
- stahmann
password: '44-Ro-440'
- public
has_rdp: false
password: "44-Ro-440"
# - name: howe-staff-1
# groups:
@@ -446,15 +737,6 @@ samba_user:
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
@@ -462,7 +744,8 @@ samba_user:
- stahmann
- traine
- public
password: 'bV3pjPtjkR'
has_rdp: false
password: "bV3pjPtjkR"
# - name: laura
# groups:
@@ -480,7 +763,8 @@ samba_user:
- stahmann
- traine
- public
password: 'fndvLmrt7W'
has_rdp: false
password: "fndvLmrt7W"
- name: lenovo4
groups:
@@ -489,7 +773,8 @@ samba_user:
- stahmann
- traine
- public
password: 'tpCMmTKj7H'
has_rdp: false
password: "tpCMmTKj7H"
- name: lenovo5
groups:
@@ -498,7 +783,8 @@ samba_user:
- stahmann
- traine
- public
password: 'L5Hannover51'
has_rdp: false
password: "L5Hannover51"
- name: lenovo6
groups:
@@ -506,80 +792,9 @@ samba_user:
- alle
- stahmann
- traine
password: '66koeln66'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- stahmann
- traine
- wildvang
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: 'uJ5gF/m53p.P'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
has_rdp: false
password: "66koeln66"
base_home: /data/home
@@ -596,7 +811,6 @@ remove_samba_users:
# - name: evren
samba_shares:
- name: a-jur
comment: a-jur Dokumente
path: /data/samba/a-jur
@@ -606,7 +820,7 @@ samba_shares:
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: kanzlei
@@ -618,19 +832,31 @@ samba_shares:
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: false
- name: eibelshaeuser
comment: Eibelshaeuser auf Fileserver
path: /data/samba/eibelshaeuser
group_valid_users: eibelshaeuser
group_write_list: eibelshaeuser
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: wildvang
comment: Wildvang auf Fileserver
path: /data/samba/Wildvang
@@ -640,7 +866,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
# - name: aulmann
@@ -650,6 +876,7 @@ samba_shares:
# group_write_list: aulmann
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
@@ -661,6 +888,7 @@ samba_shares:
# group_write_list: howe
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
@@ -674,7 +902,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: traine
@@ -686,7 +914,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: public
@@ -698,7 +926,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: Advoware-Schriftverkehr
@@ -710,7 +938,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
- name: Advoware-Backup
@@ -722,7 +950,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: false
- name: alle
@@ -734,7 +962,7 @@ samba_shares:
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
recycle_path: "@Recycle"
vfs_object_recycle_is_visible: true
# - name: web
@@ -744,13 +972,12 @@ samba_shares:
# group_write_list: web
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
+19 -3
@@ -21,13 +21,21 @@ network_interface_required_packages:
network_interfaces:
# - device: enp0s20f0
# headline: enp0s20f0 - Uplink DSL via Fritz!Box
# auto: true
# family: inet
# method: static
# address: 172.16.112.1/24
# gateway: 172.16.112.254
- device: enp0s20f0
headline: enp0s20f0 - Uplink DSL via Fritz!Box
headline: enp0s20f0 - Uplink
auto: true
family: inet
method: static
address: 172.16.112.1/24
gateway: 172.16.112.254
address: 217.6.72.202/30
gateway: 217.6.72.201
- device: enp0s20f1
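Review bot: the previous DSL stanza is left as a commented copy directly above the live `enp0s20f0` entry, differing only in `headline` and the `172.16.112.1/24` address/gateway pair; dropping it avoids carrying a stale private uplink configuration that could be uncommented by mistake now that the interface holds the public `217.6.72.202/30`.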
@@ -53,6 +61,14 @@ network_interfaces:
method: static
address: 192.168.113.254/24
- device: enp0s20f1:ipmi
headline: enp0s20f1:ipmi - Alias on enp0s20f1 (IPMI)
auto: false
family: inet
method: static
address: 172.16.112.254/24
# ---
# vars used by roles/ansible_dependencies
# ---
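Review bot: the new `enp0s20f1:ipmi` alias carrying `172.16.112.254/24` is added with `auto: false`, so it is not raised at boot. If the IPMI network is expected to be reachable after an unattended reboot this should be `auto: true`; if it is meant to be brought up manually, a short comment saying so would prevent someone "fixing" it later.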
+27 -175
@@ -22,59 +22,21 @@ network_interface_required_packages:
network_interfaces:
# Many device configurations are possible (as many as needed)
#
- device: enp41s0
- device: br0
# use only once per device (for the first device entry)
headline: enp41s0 - primary device
headline: br0 - bridge over device eno1
# auto & allow are only used for the first entry of that devicei-name)
#
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
# The statisc Mode
# Options
# address <dotted quad address[/netmask]>
# gateway <dotted quad address>
# pointopoint <Address of other end point (dotted quad). Note the spelling of "point-to">
# hwaddress <mac-address>
# mtu <size>
# scope <Address validity scope. Possible values: global, link, host>
#
# The manual Method
# Options
# hwaddress <mac-address>
# mtu <size>
#
# The dhcp Method
# Options
# hwaddress <mac-address>
# hostname <Hostname to be requested (pump, dhcpcd, udhcpc)>
# metric <metric>
# leasehours <Preferred lease time in hours (pump)>
# leasetime <Preferred lease time in seconds (dhcpcd)>
# vendor <Vendor class identifier (dhcpcd)>
# client <Client identifier (dhcpcd), or "no" (dhclient)>
#
# The bootp Method
# Options
# bootfile: <file: Tell the server to use 'file' as the bootfile.>
# server: <address: Use the IP address 'address' to communicate with the server.>
# hwaddr <mac-address: Use addr as the hardware address instead of whatever it really is.>
#
method: static
hwaddress:
hwaddress: 08:bf:b8:a4:09:e0
description:
address: 65.108.238.45
# dotted quad or number of bits
#
# the entry will be: address/netmask
netmask: 26
gateway: 65.108.238.1
address: 88.198.56.204
netmask: 27
gateway: 88.198.56.193
metric:
pointopoint:
mtu:
@@ -101,15 +63,10 @@ network_interfaces:
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 185.12.64.1
# - a01:4ff:ff00::add:2
#search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
@@ -118,14 +75,19 @@ network_interfaces:
# fd:
# maxwait:
# waitport:
bridge: {}
bridge:
ports: eno1 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# mode:
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
@@ -139,97 +101,23 @@ network_interfaces:
vlan: {}
# inline hook scripts
#
# example:
#
# up:
# - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp41s0"
#
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 65.108.238.0 netmask 255.255.255.192 gw 65.108.238.1 dev enp41s0"
- !!str "route add -net 88.198.56.192 netmask 255.255.255.224 gw 88.198.56.193 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: enp41s0
# use only once per device (for the first device entry)
headline:
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto:
- device: br0
family: inet6
method: static
address: 2a01:4f9:1a:b226::2
address: '2a01:4f8:222:2c2::2'
netmask: 64
gateway: fe80::1
metric:
pointopoint:
mtu:
scope:
gateway: 'fe80::1'
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge: {}
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: []# pre-up script lines
up: [] # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
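Review bot: the new `up:` hook `route add -net 88.198.56.192 netmask 255.255.255.224 gw 88.198.56.193 dev br0` covers the same /27 that `address: 88.198.56.204` with `netmask: 27` already installs as a connected route, so it appears to be carried over from the old `enp41s0` entry rather than needed. Confirm it is required for this provider setup; if the kernel already holds an equivalent route, a failing `route add` in an `up:` hook aborts `ifup` for `br0`, which on a bridge that now carries the only public address means no remote access. The removed `enp41s0` inet6 stanza and the new `br0` inet6 stanza (`2a01:4f8:222:2c2::2/64`, `gateway: 'fe80::1'`) are otherwise consistent with the v4 move to the bridge.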
@@ -255,8 +143,6 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
#apt_manage_sources_list: false
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
@@ -308,10 +194,10 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
@@ -337,7 +223,7 @@ resolved_fallback_nameserver:
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
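Review bot: the new `PATH` value `/root/bin/admin-stuff;/root/bin:/usr/local/sbin:...` has a semicolon instead of a colon after `/root/bin/admin-stuff`. cron does not interpret the variable line through a shell, so the first two entries collapse into one nonexistent directory named `/root/bin/admin-stuff;/root/bin`, and any job that relies on finding a script in `/root/bin` via PATH will fail. It should read `/root/bin/admin-stuff:/root/bin:/usr/local/sbin:...`.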
@@ -351,9 +237,9 @@ cron_user_special_time_entries:
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
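Review bot: the new entry's `name:` reads `"Check if Check if all autostart LX-Container are running."` (duplicated words); the cron module writes `name` into the crontab as the marker comment it later uses for idempotence, so fix it before it lands on hosts. The same hunk drops the reboot-time `check_postfix.sh` entry on this host; if that is deliberate (no MTA on the container host), fine, otherwise it should stay as a separate entry rather than being replaced.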
@@ -379,28 +265,6 @@ cron_user_entries:
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
minute: '06'
hour: '00'
weekday: '1-6'
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
- name: "On sunday morning also determin diskspace usage"
minute: '06'
hour: '00'
weekday: 7
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
- name: "Check hard disc usage."
minute: '43'
hour: '6'
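Review bot: the removed entries include the dehydrated renewal job (`/var/lib/dehydrated/cron/dehydrated_cron.sh`) and the VHOST certificate check (`update_ssl_directives.sh`). If this host still terminates TLS, renewal now has to happen elsewhere or the Let's Encrypt certificates lapse after their 90-day lifetime with no error until clients start failing. A one-line comment stating where the `rcopy.sh` backup jobs and the renewal jobs moved to would make this hunk reviewable on its own.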
@@ -411,18 +275,6 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
create_sftp_group: true
extra_system_user:
- name: www-data
home: /var/www
groups: sftp_users
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
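Review bot: deleting `sudo_users:` (chris, sysadm, localadmin) together with the `www-data` sftp system user removes sudo membership for all three admin accounts on this host unless the same list is now defined in group_vars; confirm that before applying, because losing sudo for every administrative account at once leaves the host manageable only via console.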
+235
@@ -0,0 +1,235 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
#
#
#cron_user_entries:
#
# - name: "Check if webservices sre running. Restart if necessary"
# minute: '*/5'
# hour: '*'
# job: /root/bin/monitoring/check_webservice_load.sh
#
# - name: "Check if SSH service is running. Restart service if needed."
# minute: '*/5'
# hour: '*'
# job: /root/bin/monitoring/check_ssh.sh
#
# - name: "Check if Postfix Mailservice is up and running?"
# minute: '*/15'
# hour: '*'
# job: /root/bin/monitoring/check_postfix.sh
#
# - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
# minute: '*/5'
# hour: '*'
# job: /root/bin/postfix/check-postfix-fatal-errors.sh
#
# - name: "Optimize mysql tables"
# minute: '53'
# hour: '04'
# job: /root/bin/mysql/optimize_mysql_tables.sh
#
# - name: "Flush query cache for mysql tables"
# minute: '27'
# hour: '04'
# job: /root/bin/mysql/flush_query_cache.sh
#
# - name: "Flush Host cache"
# minute: '17'
# hour: '05'
# job: /root/bin/mysql/flush_host_cache.sh
#
# - name: "Run occ file:scan for each cloud account"
# minute: '02'
# hour: '23'
# job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
#
# - name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
# minute: '*/15'
# hour: '*'
# job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
#
# - name: "Check if certificates for coolwsd service are up to date"
# minute: '17'
# hour: '05'
# job: /root/bin/nextcloud/check_cert_coolwsd.sh
#
# - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
# minute: '23'
# hour: '05'
# job: /var/lib/dehydrated/cron/dehydrated_cron.sh
#
# - name: "Check whether all certificates are included in the VHOST configurations"
# minute: '33'
# hour: '05'
# job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
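Review bot: `sudoers_file_user_privileges` grants `back` the entry `'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'` with no argument restriction, which is general code execution as `www-data` rather than the single maintenance task presumably intended; pin the entry to the script path that job runs (the commented cron entries in this file show the likely form, `/usr/local/php/bin/php -f /var/www/.../cron.php`). The roughly sixty lines of DNS-provider notes above `resolved_nameserver:` are the same block that appears in the other host_vars files in this change; keeping them once in the role documentation would make the per-host file about this host. `sshd_permit_root_login: !!str "prohibit-password"` is the right default here.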
+39
@@ -0,0 +1,39 @@
---
# ipt-firewall configuration for test.mx.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
- "eth1"
fw_ext_ips_v4:
- "83.223.85.205"
- "83.223.85.206"
fw_ext_ips_v6:
- "2a01:30:0:505:2eb:f4ff:feaa:d996 2a01:30:0:13:2eb:f4ff:feaa:d996"
- "2a01:30:0:505:2eb:f4ff:feaa:d997 2a01:30:0:13:2eb:f4ff:feaa:d997"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip $ext_2_ip
# --- Mail
fw_smtpd_ips: $ext_1_ip
fw_mail_server_ips: $ext_1_ip
fw_mail_client_ips: $ext_1_ip $ext_2_ip
fw_dovecot_auth_service: true
fw_dovecot_auth_allowed_networks_v4: 192.68.11.79
# --- Mumble
fw_mumble_server_ips: 138.201.33.54
# --- Rsync
fw_rsync_out_ips: $ext_1_ip
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
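Review bot: both `fw_ext_ips_v6` items contain two space-separated addresses in one string (`"2a01:30:0:505:2eb:f4ff:feaa:d996 2a01:30:0:13:2eb:f4ff:feaa:d996"`), so the generator split the v4 list but not the v6 one; depending on how the template iterates, the second address of each item is either ignored or produces a malformed rule. The header says to review before committing, so split these into four items or confirm the template expects the space-joined form. Also check `fw_dovecot_auth_allowed_networks_v4: 192.68.11.79`: 192.68.x is a public range, and if 192.168.11.79 was meant the auth service would be opened to the wrong network. The `$ext_1_ip`/`$ext_2_ip` references are shell variables of the target config and are fine as long as the templates pass them through verbatim.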
+6
@@ -297,6 +297,12 @@ samba_user:
- buero
password: '20-printer-18'
- name: farina
groups:
- buero
- beratung
password: 'ADB_far!na_26'
- name: hanna
groups:
- buero
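Review bot: the new `farina` account is added with a clear-text `password: 'ADB_far!na_26'` in host_vars; as with the other samba_user entries in this changeset, store the value as `!vault`, and note that a password built from the account name is guessable from the username alone.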
+67 -25
@@ -32,6 +32,7 @@ o13-staging-board.oopen.de
o25.oopen.de
o41.oopen.de
dc-opp.oopen.de
ak-plan.oopen.de
discourse.oopen.de
test-nd.oopen.de
formbricks-nd.oopen.de
@@ -76,6 +77,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -203,16 +205,20 @@ mm-irights.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# - o28 NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# - o29.oopen.de Dissens Host System
o29.oopen.de
@@ -222,6 +228,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# o31.oopen.de - Cadus e.V.
o31.oopen.de
@@ -420,16 +427,20 @@ cl-irights-neu.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# - o28 NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# - o29.oopen.de
o29.oopen.de
@@ -439,6 +450,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# o31.oopen.de - Cadus e.V.
o31.oopen.de
@@ -556,6 +568,7 @@ gw-irights.oopen.de
# - Kanzlei Berenice
gw-km.oopen.de
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
@@ -734,13 +747,16 @@ cl-test.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
# Backup Faire Mobilitaet
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de
cl-dissens.oopen.de
@@ -911,6 +927,10 @@ mm-irights.oopen.de
# Hetzner Cloud CX31 - AK
# o28 NDM - neue deutsche Medienmacher*innen
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de . Dissens
cl-dissens.oopen.de
@@ -1045,6 +1065,10 @@ mm-irights.oopen.de
# o27.oopen.de
mail.faire-mobilitaet.de
# o28.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# o35.oopen.de
e.mx.oopen.de
d.mx.oopen.de
@@ -1141,12 +1165,15 @@ mm-irights.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
@@ -1256,14 +1283,15 @@ cl-test.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
# o26.oopen.de
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
# o28.oopen.de
o28.oopen.de
# o26.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
@@ -1394,7 +1422,6 @@ backup.oopen.de
devel-root.wf.netz
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# ---
@@ -1411,7 +1438,7 @@ o17.oopen.de
# ---
# Warenform
# ---
#anita.wf.netz
anita.wf.netz
# ---
# Büro Netzwerke
@@ -1425,6 +1452,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1527,6 +1555,7 @@ o22.oopen.de
o23.oopen.de
o24.oopen.de
o27.oopen.de
o28.oopen.de
o29.oopen.de
o30.oopen.de
o31.oopen.de
@@ -1560,6 +1589,7 @@ file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1656,12 +1686,17 @@ mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# BigBlueButton - O.OPEN
@@ -1727,6 +1762,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1866,16 +1902,20 @@ mm-irights.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de
o29.oopen.de
@@ -1885,6 +1925,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# - o31.oopen.de
o31.oopen.de
@@ -1974,6 +2015,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
+5
@@ -0,0 +1,5 @@
---
- hosts: oopen_server:warenform_server:!no_ipt_firewall
roles:
- ipt-server
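Review bot: the pattern `oopen_server:warenform_server:!no_ipt_firewall` relies on a `no_ipt_firewall` group existing in the inventory. Ansible only warns about an unmatched pattern element, so if the group is missing the exclusion silently does nothing and every host in the two groups gets the firewall role; define the group (even empty) in the hosts file touched by this change so the opt-out is real.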
+5 -2
@@ -342,7 +342,9 @@
virusfilter:cache entry limit = 1000
virusfilter:cache time limit = 60
virusfilter:max file size = 26214400
#virusfilter:max file size = 52428800 # 50 MB max
#virusfilter:max file size = 26214400 # 25 MB max
virusfilter:max file size = 15728640 # 15 MB max
virusfilter:min file size = 10
virusfilter:scan on open = yes
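Review bot: lowering `virusfilter:max file size` from 26214400 to 15728640 enlarges the set of files that are handed through without a scan, since vfs_virusfilter skips files above this size rather than blocking them; that is a weakening, not a tightening, and the first hunk gives no reason for it. If scan time on the 25 MB files is the motivation, put that in a comment next to the setting (the second hunk in this file at least keeps the `# 15 MB max` note) so nobody later "fixes" it back without knowing why.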
@@ -522,7 +524,8 @@
# Dateigröße: Was wird gescannt?
#virusfilter:max file size = 52428800 # 50 MB max
virusfilter:max file size = 26214400 # 25 MB max
#virusfilter:max file size = 26214400 # 25 MB max
virusfilter:max file size = 15728640 # 15 MB max
virusfilter:min file size = 10 # unter 10 Byte ignorieren
# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
@@ -0,0 +1,221 @@
# ipt-server — Migrationsleitfaden
Dieser Leitfaden beschreibt, wie ein bestehender Host vom alten Verfahren
(manuell verwaltete `/etc/ipt-firewall/`-Dateien, ggf. `firewall`- oder
`modify-ipt-server`-Rolle) auf die neue `ipt-server`-Ansible-Rolle umgestellt
wird.
---
## Überblick
Das alte Verfahren:
- Firewall-Skripte und Conf-Dateien wurden manuell oder über die alte `firewall`-Rolle
(lineinfile/blockinfile) gepflegt.
- Änderungen direkt in `/etc/ipt-firewall/` auf dem Host.
Das neue Verfahren:
- Alle Firewall-Einstellungen liegen in `host_vars/${HOSTNAME}/ipt-server.yml`.
- Ansible deployt die Config-Dateien aus Jinja2-Templates.
- Direktes Editieren auf dem Host ist nicht mehr vorgesehen.
Die Migration ist **nicht-destruktiv**: Bestehende Config-Dateien werden erst
dann überschrieben, wenn die Migration explizit freigegeben wird (`fw_manage_config: true`).
---
## Schritt 1 — Aktuellen Stand einfrieren
Vor jeder anderen Änderung den Zustand der laufenden Firewall-Rules sichern.
Das ist der Referenzwert für den späteren Vergleich mit den Ansible-generierten
Rules.
```bash
HOSTNAME=<hostname>
ssh -t ${HOSTNAME} '
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v4.rules
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v6.rules
echo "Stand gesichert."
'
```
---
## Schritt 2 — Aktuelle Konfiguration auslesen
Das Skript `extract-fw-host-vars.py` liest die vier Conf-Dateien vom Host via SSH,
mappt alle Variablen auf die `fw_*`-Ansible-Variablen und schreibt eine fertige
`host_vars`-Datei:
```bash
cd /path/to/ansible/oopen-server
HOSTNAME=<hostname>
./extract-fw-host-vars.py ${HOSTNAME} --sudo \
-o host_vars/${HOSTNAME}/ipt-server.yml
```
Das Skript fragt einmalig nach dem `sudo`-Passwort.
**Ergebnis prüfen:**
```bash
cat host_vars/${HOSTNAME}/ipt-server.yml
```
Kontrollpunkte:
- Sind `fw_ext_interfaces`, `fw_ext_ips_v4`, `fw_ext_ips_v6` korrekt?
- Sind aktivierte Dienste (Mail, HTTP, VPN usw.) vorhanden?
- Sind `munin_remote_ipv4` / `munin_remote_ipv6` eingetragen (falls Munin läuft)?
Fehlende oder falsche Werte können direkt in der YAML-Datei korrigiert werden.
Alle Variablen und ihre Bedeutung stehen in `defaults/main.yml`.
---
## Schritt 3 — Erste Ausrollung (Safety-Guard aktiv)
Solange `fw_manage_config` nicht auf `true` gesetzt ist (Default: `false`),
überschreibt Ansible **keine** bestehenden Config-Dateien. Es werden nur
installiert:
- Firewall-Skripte → `/usr/local/sbin/`
- Geteilte Conf-Dateien → `/etc/ipt-firewall/`
- Systemd-Units → `/etc/systemd/system/`
```bash
HOSTNAME=<hostname>
# Vorschau:
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
# Ausrollen:
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Die host-spezifischen Config-Dateien (`main_ipv4.conf`, `main_ipv6.conf`,
`interfaces_ipv4.conf`, `interfaces_ipv6.conf`) bleiben unangetastet.
Ändern sich jedoch Firewall-Skripte, geteilte Conf-Dateien oder Systemd-Units
(typisch bei Erstinstallation), **wird die Firewall neu gestartet** — mit den
bestehenden Config-Dateien, also ohne inhaltliche Regeländerung.
---
## Schritt 4 — Ansible als autoritative Quelle freischalten und verifizieren
Jetzt wird `fw_manage_config: true` gesetzt, damit Ansible die vier
host-spezifischen Config-Dateien aus den Templates schreibt:
```yaml
# host_vars/${HOSTNAME}/ipt-server.yml
---
fw_manage_config: true # ← hinzufügen / auf true setzen
fw_ext_interfaces:
- "eth0"
# ...
```
**Vorschau:** Zeigt genau, was in den Config-Dateien geändert wird — hier
sorgfältig prüfen, ob die neuen Werte den alten entsprechen:
```bash
HOSTNAME=<hostname>
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
```
**Anwenden:** Ansible schreibt die neuen Config-Dateien und startet die Firewall
automatisch neu (da sich die Dateien geändert haben):
```bash
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
**Verifizieren:** Jetzt die neuen Rules mit dem gesicherten Stand vergleichen:
```bash
ssh -t ${HOSTNAME} '
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v4.rules
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v6.rules
echo "=== IPv4 diff ==="
diff /tmp/fw_before_v4.rules /tmp/fw_after_v4.rules
echo "=== IPv6 diff ==="
diff /tmp/fw_before_v6.rules /tmp/fw_after_v6.rules
'
```
**Erwartetes Ergebnis:** Beide Diffs sind leer — die Ansible-generierten
Config-Dateien produzieren exakt dieselben Rules wie die bisher händisch
verwalteten.
Falls Unterschiede erscheinen: die abweichenden Rules identifizieren, die
entsprechenden Variablen in `host_vars/${HOSTNAME}/ipt-server.yml` nachpflegen,
erneut ausrollen und den Diff wiederholen.
Ab jetzt:
- Ansible überschreibt die vier Config-Dateien bei jedem Run aus den Templates.
- Bei Änderungen an Templates oder host_vars wird die Firewall automatisch
neu gestartet.
- Direktes Editieren von `/etc/ipt-firewall/interfaces_*.conf` oder `main_*.conf`
auf dem Host wird beim nächsten Ansible-Run überschrieben.
---
## Schritt 5 — Altes System deaktivieren
### Altes Ansible-Vorgehen abschalten
Sicherstellen, dass der Host nicht mehr durch die alte `firewall`-Rolle oder
`modify-ipt-server`-Rolle verwaltet wird. Falls der Host in einem Playbook
eingetragen ist, das diese Rollen verwendet, den Host dort entfernen oder das
Playbook anpassen.
### Altes git-Repository auf dem Host entfernen (optional)
Das Repository `/usr/local/src/ipt-server` wird von der neuen Rolle nicht mehr
benötigt. Es kann entfernt werden:
```bash
HOSTNAME=<hostname>
ssh ${HOSTNAME} 'rm -rf /usr/local/src/ipt-server'
```
Vorher prüfen, ob das Verzeichnis noch anderweitig verwendet wird.
### Sicherstellen, dass niemand mehr direkt editiert
Da `fw_manage_config: true` gesetzt ist, werden direkte Änderungen in
`/etc/ipt-firewall/` beim nächsten Ansible-Run überschrieben. Als zusätzliche
Absicherung enthält jede von Ansible generierte Config-Datei oben folgenden
Hinweis (via `{{ ansible_managed }}`):
```ini
# Ansible managed
# DO NOT EDIT - changes will be overwritten on the next Ansible run.
# Edit host_vars/${HOSTNAME}/ipt-server.yml instead.
```
---
## Zusammenfassung
| Schritt | Befehl / Aktion | Wann |
| --- | --- | --- |
| 1 | Aktuellen Rules-Stand auf dem Host sichern | Einmalig pro Host |
| 2 | `extract-fw-host-vars.py` ausführen, Ergebnis prüfen | Einmalig pro Host |
| 3 | Erste Ausrollung (Safety-Guard aktiv) — Skripte + Units | Einmalig pro Host |
| 4 | `fw_manage_config: true` + `--check --diff` + ausrollen + Rules vergleichen | Einmalig pro Host |
| 5 | Alte Rolle deaktivieren, git-Repo auf Host entfernen | Einmalig pro Host |
| — | Änderungen: host_vars editieren + `ansible-playbook` | Ab jetzt immer so |
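Review bot: in "Altes git-Repository auf dem Host entfernen" the command `ssh ${HOSTNAME} 'rm -rf /usr/local/src/ipt-server'` runs without `sudo`, while every other remote command in this guide uses it; on a directory under `/usr/local/src` the unprivileged run simply fails, so add `sudo` for consistency with steps 1 and 4. Two smaller points: the baseline from step 1 is written to `/tmp/fw_before_v4.rules` and `/tmp/fw_before_v6.rules`, which do not survive a reboot or tmp cleanup between step 1 and the comparison in step 4, so a path under `/root` or `/var/tmp` is the safer reference; and `HOSTNAME=<hostname>` overwrites the shell's own `HOSTNAME` variable, which works but confuses any prompt or tool that reads it, so a name such as `FW_HOST` would be cleaner.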
@@ -0,0 +1,206 @@
# ipt-server — Ansible Role
Verwaltet die iptables/ip6tables-basierte Firewall (`ipt-firewall-server` /
`ip6t-firewall-server`) auf Debian-Hosts.
Die Rolle ist die **einzige** autorisierte Stelle für Firewall-Änderungen. Direkte
Edits in `/etc/ipt-firewall/` auf dem Host werden beim nächsten Ansible-Run
überschrieben, sobald `fw_manage_config: true` gesetzt ist.
---
## Verzeichnisstruktur
```
roles/ipt-server/
├── defaults/main.yml # Alle Variablen mit Defaults
├── files/
│ ├── etc/ipt-firewall/ # Geteilte Conf-Dateien (nicht host-spezifisch)
│ │ ├── default_settings.conf
│ │ ├── include_functions.conf
│ │ ├── logging_ipv4.conf
│ │ ├── logging_ipv6.conf
│ │ ├── post_declarations.conf
│ │ ├── ban_ipv4.list.sample
│ │ └── ban_ipv6.list.sample
│ ├── etc/systemd/system/
│ │ ├── ipt-firewall.service
│ │ └── ip6t-firewall.service
│ └── usr/local/sbin/
│ ├── ipt-firewall-server # IPv4-Firewall-Skript
│ └── ip6t-firewall-server # IPv6-Firewall-Skript
├── handlers/main.yml
├── tasks/main.yml
└── templates/
└── etc/ipt-firewall/
├── interfaces_ipv4.conf.j2 # Host-spezifisch: Interfaces + IPs
├── interfaces_ipv6.conf.j2
├── main_ipv4.conf.j2 # Host-spezifisch: Dienste, Regeln
└── main_ipv6.conf.j2
```
Host-spezifische Konfiguration liegt ausschließlich in:
```
host_vars/${HOSTNAME}/ipt-server.yml
```
---
## Neuen Host aufnehmen
### Voraussetzungen
- Host ist im Ansible-Inventory (`hosts`) eingetragen.
- SSH-Zugang mit `sudo`-Rechten ist vorhanden.
### Schritt 1 — host_vars anlegen
```bash
cd /path/to/ansible/oopen-server
HOSTNAME=<hostname>
mkdir -p host_vars/${HOSTNAME}
cat > host_vars/${HOSTNAME}/ipt-server.yml << 'EOF'
---
fw_manage_config: true
# --- Netzwerk
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "1.2.3.4"
fw_ext_ips_v6:
- "2001:db8::1"
EOF
```
Alle weiteren Variablen sind optional — sie greifen auf die Defaults in
`defaults/main.yml` zurück. Nur abweichende Werte müssen gesetzt werden.
Für eine vollständige Variablenreferenz: `defaults/main.yml`.
### Schritt 2 — Dry-run
```bash
HOSTNAME=<hostname>
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
```
Der Diff zeigt genau, welche Dateien angelegt und welche Config-Werte gesetzt
werden. Prüfen, ob Interfaces, IPs und Dienste stimmen.
### Schritt 3 — Scharf stellen
```bash
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Was passiert:
- Firewall-Skripte werden nach `/usr/local/sbin/` kopiert.
- Geteilte Conf-Dateien werden nach `/etc/ipt-firewall/` kopiert.
- Systemd-Units werden installiert, Dienste werden aktiviert und gestartet.
- Config-Dateien (`interfaces_*.conf`, `main_*.conf`) werden aus den Templates
erzeugt und die Firewall wird gestartet.
---
## Konfiguration ändern
Alle Änderungen erfolgen ausschließlich in der host_vars-Datei des Hosts:
```
host_vars/${HOSTNAME}/ipt-server.yml
```
Danach:
```bash
HOSTNAME=<hostname>
# Vorschau:
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
# Anwenden (ändert Config, startet Firewall bei Änderungen neu):
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Ansible erkennt automatisch, ob sich eine Config-Datei geändert hat. Nur bei
tatsächlichen Änderungen wird die Firewall neu gestartet.
### Beispiel: HTTP-Server aktivieren
```yaml
# host_vars/${HOSTNAME}/ipt-server.yml
fw_http_server_ips: "$ext_ips" # oder konkrete IP
```
### Beispiel: SSH auf bestimmten Port einschränken
```yaml
fw_ssh_ports: "2222"
```
### Beispiel: LXC-Gäste eintragen
```yaml
fw_lxc_guest_ips_v4:
- "10.0.3.10"
- "10.0.3.11"
fw_lxc_guest_ips_v6:
- "fd00::10"
- "fd00::11"
```
---
## Firewall-Skripte aktualisieren
Wenn `ipt-firewall-server` oder `ip6t-firewall-server` im `ipt-server`-Repository
aktualisiert werden, müssen die neuen Versionen manuell in die Rolle übernommen
werden:
```bash
SRC=/path/to/ipt-server
DST=roles/ipt-server/files/usr/local/sbin
cp $SRC/ipt-firewall-server $DST/
cp $SRC/ip6t-firewall-server $DST/
chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server
```
Ebenso für geteilte Conf-Dateien in `roles/ipt-server/files/etc/ipt-firewall/`.
Nach dem Commit werden die neuen Skripte beim nächsten Ansible-Run auf alle
Hosts deployed.
---
## Wichtige Variablen
| Variable | Default | Bedeutung |
|---|---|---|
| `fw_manage_config` | `false` | `true` = Ansible verwaltet Config-Dateien vollständig |
| `fw_ext_interfaces` | `[]` | Externe Netzwerk-Interfaces, z.B. `["eth0"]` |
| `fw_ext_ips_v4` | `[]` | Externe IPv4-Adressen |
| `fw_ext_ips_v6` | `[]` | Externe IPv6-Adressen |
| `fw_ssh_server_ips` | `"$ext_ips"` | IPs auf denen SSH erlaubt ist |
| `fw_ssh_ports` | `"$standard_ssh_port"` | SSH-Port(s) |
| `fw_http_server_ips` | `""` | IPs auf denen HTTP/HTTPS erlaubt ist |
| `munin_remote_ipv4` | `""` | Munin-Server IPv4 |
| `munin_remote_ipv6` | `""` | Munin-Server IPv6 |
Alle Variablen mit Beschreibung und Defaults: `defaults/main.yml`.
Variablen die mit `$` beginnen (z.B. `$ext_ips`, `$standard_ssh_port`) sind
Bash-Variablen — sie werden nicht von Ansible aufgelöst, sondern zur Laufzeit
vom Firewall-Skript expandiert.
---
## Ban-Listen
`/etc/ipt-firewall/ban_ipv4.list` und `ban_ipv6.list` werden beim ersten
Ausrollen aus den Beispiel-Dateien der Rolle erzeugt und danach **nicht mehr
durch Ansible angefasst** — sie können auf dem Host direkt bearbeitet werden.
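Review bot: the `chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server` in "Firewall-Skripte aktualisieren" only affects the working copy; git records nothing beyond the executable bit, so the mode the scripts actually get on the hosts has to be set by the copy task in `tasks/main.yml`, and the README should say so rather than imply the chmod is what makes them 0750. Also, the variable table lists `fw_manage_config` with default `false`, but the "Neuen Host aufnehmen" example sets it to `true` from the start; one sentence explaining that the safety guard exists for hosts being migrated (as the migration guide says) and that fresh hosts go straight to `true` would remove the apparent contradiction.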
@@ -0,0 +1,376 @@
---
# ---
# ipt-firewall role defaults
# Override per host in host_vars/<hostname>/ipt_firewall.yml
# ---
# ---
# Config management mode.
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
# true: Ansible is authoritative — config is always written from templates and
# the firewall is restarted on any change. Set this after migrating a host.
# ---
fw_manage_config: false
# ---
# Network interfaces and addresses (set per host in host_vars)
# ---
fw_ext_interfaces: [] # e.g. ["eth0"]
fw_ext_ips_v4: [] # e.g. ["83.223.86.98"]
fw_ext_ips_v6: [] # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
fw_local_interfaces: []
fw_local_ips_v4: []
fw_local_ips_v6: []
fw_vpn_ifs: "tun+"
fw_wg_ifs: "wg+"
fw_lxc_guest_ips_v4: []
fw_lxc_guest_ips_v6: []
fw_nat_devices: ""
# ---
# Munin monitoring (often set in group_vars or role defaults)
# ---
munin_remote_ipv4: ""
munin_remote_ipv6: ""
# ---
# Bridged / LXC traffic
# ---
fw_do_not_firewall_bridged_traffic: false
fw_do_not_firewall_lx_guest_systems: false
# ---
# Drop policies
# ---
fw_drop_icmp: false
fw_drop_mndp: true
fw_drop_mdns: true
# ---
# Outgoing / interface policy
# ---
fw_allow_all_outgoing_traffic: false
fw_blocked_ifs: ""
fw_unprotected_ifs: ""
# ---
# Forwarding (protocol-specific addresses)
# ---
fw_forward_private_ips_v4: ""
fw_forward_private_ips_v6: ""
# ---
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
# ---
fw_restrict_local_service_to_net_v4: ""
fw_restrict_local_service_to_net_v6: ""
fw_restrict_local_net_to_net_v4: ""
fw_restrict_local_net_to_net_v6: ""
fw_allow_ext_service_v4: ""
fw_allow_ext_service_v6: ""
fw_allow_ext_net_v4: ""
fw_allow_ext_net_v6: ""
fw_allow_local_service_v4: ""
fw_allow_local_service_v6: ""
fw_allow_local_service_from_networks_v4: ""
fw_allow_local_service_from_networks_v6: ""
# ---
# Services: VPN / WireGuard
# ---
fw_vpn_server_ips: ""
fw_forward_vpn_server_ips: ""
fw_vpn_ports: "$standard_vpn_port"
fw_wireguard_server_ips: ""
fw_forward_wireguard_server_ips: ""
fw_wireguard_server_ports: "$standard_wireguard_port"
fw_wireguard_out_ports: "$standard_wireguard_port"
# ---
# Services: NTP
# ---
fw_local_ntp_service: false
fw_ntp_port: "$standard_ntp_port"
fw_ntp_allowed_net: ""
# ---
# Services: DHCP (IPv4 only)
# ---
fw_dhcp_server_ifs: ""
fw_dhcp_client_ifs: ""
# ---
# Services: DNS
# ---
fw_dns_server_ips: ""
fw_forward_dns_server_ips: ""
fw_local_resolver_service: false
fw_resolver_port: "$standard_dns_port"
fw_resolver_allowed_networks_v4: ""
fw_resolver_allowed_networks_v6: ""
# ---
# Services: SSH
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
# Override in host_vars to restrict to specific IPs.
# ---
fw_ssh_server_ips: "$ext_ips"
fw_forward_ssh_server_ips: ""
fw_ssh_ports: "$standard_ssh_port"
# ---
# Services: HTTP(S)
# ---
fw_http_server_ips: ""
fw_forward_http_server_ips: ""
fw_http_ports: "$standard_http_ports"
fw_log_cgi_traffic_out: false
fw_cgi_script_users: ""
# ---
# Services: Mattermost
# ---
fw_mm_server_ips: ""
fw_forward_mm_server_ips: ""
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"
# ---
# Services: Mail
# ---
fw_smtpd_ips: ""
fw_forward_smtpd_ips: ""
fw_smtpd_additional_listen_ports: ""
fw_smtpd_additional_outgoing_ports: ""
fw_mail_server_ips: ""
fw_forward_mail_server_ips: ""
fw_mail_user_ports: "$standard_mailuser_ports"
fw_mail_client_ips: ""
fw_forward_mail_client_ips: ""
fw_dovecot_auth_service: false
fw_dovecot_auth_port: "$dovecot_external_auth_port"
fw_dovecot_auth_allowed_networks_v4: ""
fw_dovecot_auth_allowed_networks_v6: ""
# ---
# Services: FTP
# ---
fw_ftp_server_ips: ""
fw_forward_ftp_server_ips: ""
fw_ftp_passive_port_range: "50000:50400"
# ---
# Services: XMPP (Jabber / Prosody)
# ---
fw_xmpp_server_ips: ""
fw_forward_xmpp_server_ips: ""
fw_xmmp_tcp_in_ports: "5222 5223 5269"
fw_xmmp_tcp_out_ports: "5269"
fw_xmmp_remote_out_services_v4: ""
fw_xmmp_remote_out_services_v6: ""
# ---
# Services: Mumble
# ---
fw_mumble_server_ips: ""
fw_forward_mumble_server_ips: ""
fw_mumble_ports: "$standard_mumble_port"
# ---
# Services: Jitsi / Jibri
# ---
fw_jitsi_server_ips: ""
fw_forward_jitsi_server_ips: ""
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_dovecot_auth: false
fw_jitsi_dovecot_host: ""
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
fw_jitsi_jibri_remote_auth: false
fw_jitsi_jibri_remote_ips: ""
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
fw_jibri_server_ips: ""
fw_forward_jibri_server_ips: ""
fw_jibri_remote_jitsi_server: ""
fw_jibri_remote_auth_port: "$default_jibri_out_port"
# ---
# Services: TURN / STUN (Nextcloud Talk)
# ---
fw_nc_turn_server_ips: ""
fw_forward_nc_turn_server_ips: ""
fw_nc_turn_ports: "$standard_turn_service_ports"
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"
# ---
# Services: TFTP
# ---
fw_tftp_server_ips: ""
# ---
# Services: Prometheus
# ---
fw_prometheus_local_server_ips: ""
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
fw_prometheus_local_client_ips: ""
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
fw_prometheus_remote_server_ips: ""
# ---
# Services: Munin
# ---
fw_munin_server_ips: ""
fw_forward_munin_server_ips: ""
fw_munin_remote_port: "$standard_munin_port"
fw_munin_local_port: "4949"
# ---
# Services: Xymon
# ---
fw_xymon_server_ips: ""
fw_local_xymon_client: false
fw_xymon_port: "$standard_xymon_port"
# ---
# Protocols out: Rsync
# ---
fw_rsync_out_ips: ""
fw_forward_rsync_out_ips: ""
fw_rsync_ports: "873"
# ---
# Special ports (OUT)
# ---
fw_tcp_out_ports: ""
fw_forward_tcp_out_ports: ""
fw_udp_out_ports: ""
fw_forward_udp_out_ports: ""
# ---
# Portforwarding (protocol-specific formats)
# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
# ---
fw_portforward_tcp_v4: ""
fw_portforward_udp_v4: ""
fw_portforward_tcp_v6: ""
fw_portforward_udp_v6: ""
# ---
# Blocked IPs / ports
# ---
fw_blocked_ips: ""
fw_block_tcp_ports: "111 113 135 137:139 445"
fw_block_udp_ports: "111 137:139"
# ---
# Special / counters
# ---
fw_create_traffic_counter: true
fw_create_iperf_rules: true
# ---
# Protection
# ---
fw_protection_against_syn_flooding: true
fw_protection_against_port_scanning: true
fw_protection_against_ssh_brute_force_attacks: true
# ---
# Connection limits
# ---
fw_limit_connections_per_source_IP: true
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
fw_limit_new_tcp_connections_per_seconds_ports: ""
# ---
# Kernel parameters — IPv4
# ---
fw_kernel_activate_forwarding: false
fw_kernel_support_dynaddr: false
fw_dynaddr_flag: "5"
fw_kernel_reduce_timeouts: true
fw_kernel_tcp_syncookies: true
fw_kernel_protect_against_icmp_bogus_messages: true
fw_kernel_ignore_broadcast_ping: true
fw_kernel_deactivate_source_route: true
fw_kernel_dont_accept_redirects: true
fw_kernel_activate_rp_filter: true
fw_kernel_log_martians: false
# ---
# Kernel parameters — IPv6
# ---
fw_kernel_forward_between_interfaces: false
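Review bot: the header comment `# Override per host in host_vars/<hostname>/ipt_firewall.yml` still names the old file; the README and migration guide in this change set both use `host_vars/${HOSTNAME}/ipt-server.yml`, so update the comment to match the rename. The misspelled shell names `$stansard_mattermost_udp_ports_in`, `$stansard_mattermost_udp_ports_out` and `$default_jitsi_dovecout_auth_port`, and the `fw_xmmp_*` keys, match the definitions in `default_settings.conf` in this same change, so they work, but a correction on either side must be made on both; a short comment flagging that coupling would save the next person a firewall that fails to start.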
@@ -0,0 +1,36 @@
# - IPv4 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
# - network/nn CIDR notation like 1.2.3.0/27
# - network/netmask notaions like 1.2.3.0/255.255.255.0
# - network/partial_netmask like 1.2.3.4/255
# -
# - Note:
# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
# -
# - Example:
# - 79.171.81.0/24
# - 79.171.81.0/255.255.255.0
# - 79.171.81.0/255.255.255
# - 79.171.81
# CHINANET-JS
222.184.0.0/13
61.160.0.0/16
# CHINANET-GX
116.8.0.0/14
# BAIDU-HK - Hong Kong
103.235.44.0/22
# UNICOM-HE - China Unicom Hebei province network
110.240.0.0/12
# CMNET - China Mobile Communications Corporation
39.128.0.0/10
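Review bot: the comment `complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)` states the wrong result: a /32 of 1.2.3.4 is `1.2.3.4/32`, and `1.2.3.0/32` would ban a different host; please correct it along with the typos `listet`, `completly`, `adresses` and `notaions`. Second, the README in this change says the live `ban_ipv4.list` is generated from this sample on first rollout and never touched again, so every newly rolled host starts with the CHINANET, BAIDU, UNICOM and CMNET ranges banned; if that is the intended default it should be stated in the README, otherwise ship the sample with those entries commented out.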
@@ -0,0 +1,20 @@
# - IPv6 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
# -
# -
# - Note:
# - - If no mask is given mask will be set to '64'
# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
# -
# - Example:
# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
# - 2a01:30:0:13:5054:ff::1
# - 2a01:30:0:13:5054:ff::1/56
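Review bot: `If no mask is given mask will be set to '64'` means a bare address such as `240e:ec:4ab1:feba:e8b4:4fb1:7984:4c` bans the entire /64 it belongs to, whereas the IPv4 sample turns a bare address into a single-host entry; that asymmetry is easy to miss and should be spelled out beside the example, or the default changed to /128 so that a bare address means one host in both files.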
@@ -0,0 +1,157 @@
#!/usr/bin/env bash
# -------------
# --- Default Parameter / Options
# -------------
default_per_IP_connection_limit=111
# -------------
# --- Default Ports for Services out
# -------------
standard_checkmk_port=6556
standard_cpan_wait_port=1404
standard_dns_port=53
standard_ftp_port=21
standard_ftp_data_port=20
standard_git_port=9418
standard_hbci_port=3000
standard_http_port=80
standard_https_port=443
standard_ident_port=113
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_irc_port=6667
standard_jabber_port=5222
standard_ldap_port=389
standard_ldaps_port=636
standard_mdns_port=5353
standard_mndp_port=5678
standard_mumble_port=64738
standard_munin_port=4949
standard_mysql_port=3306
standard_ntp_port=123
standard_pgp_keyserver_port=11371
standard_print_port=9100
standard_print_raw_port=515
standard_remote_console_port=5900
standard_silc_port=706
standard_smtp_port=25
standard_snmp_port=161
standard_snmp_trap_port=162
standard_ssh_port=22
standard_telnet_port=23
standard_tftp_udp_port=69
standard_timeserver_port=37
standard_vpn_port=1194
standard_wireguard_port=51820
standard_whois_port=43
standard_xymon_port=1984
# - Prometheus services
# -
standard_prometheus_ports="9100,9256"
# - Mattermost (MM) Service
# -
stansard_mattermost_udp_ports_in="8443"
stansard_mattermost_udp_ports_out="3478"
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
# - Dovecot Service
# -
dovecot_external_auth_port="44444"
# - Jitsi Video Conference Service
# -
standard_jitsi_tcp_ports="$standard_http_ports"
standard_jitsi_udp_port_range="10000:20000"
default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
# - Jibri Service
# -
default_jibri_out_port=5222
# default_outbound_streaming_tcp_ports
#
# - outbound port 1935/TCP : outbound streaming over RTMP to most
# streaming providers such as YouTube Live, Vimeo or Twitch
#
# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
# Live (port 1935 is also used for RTMP streaming to LinkedIn)
#
# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
# RTMPS to LinkedIn Live
#
# - outbound port 443/TCP (HTTPS) : used for authentication with the
# built-in providers such as YouTube Live, Facebook Live, Ustream,
# Livestream, and Twitch
#
# - outbound port 53/UDP (DNS) used for DNS lookups converting
# hostnames to IP addresses
#
default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
standard_turn_service_ports="3478:3479,5349:5350"
standard_turn_service_udp_ports="49152:65535"
# -------------
# --- Predefined Ports
# -------------
# - unpriviligierte Ports
# -
unprivports="1024:65535"
# -------------
# --- Some IPv4-Address Configuration
# -------------
# - Loopback
loopback_ipv4="127.0.0.0/8"
# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
link_local_rfc_5735="169.254.0.0/16"
test_net_1_rfc_5735="192.0.2.0/24"
this_net_rfc_5735="0.0.0.0/8"
# - Multicast Addresse
class_d_multicast="224.0.0.0/3"
# Reserved Addresse
class_e_reserved="240.0.0.0/5"
# -------------
# --- Some IPv6-Address Configuration
# -------------
# unique local address (ULA) - private address block
ula_block="fc00::/7"
link_local_unicast_block="fe80::/10"
multicast_ipv6="ff00::/8"
# - Loopback
loopback_ipv6="::1/128"
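Review bot: `class_d_multicast="224.0.0.0/3"` is not the class D range: class D is `224.0.0.0/4`, and /3 additionally covers all of class E (240.0.0.0/4), while `class_e_reserved="240.0.0.0/5"` stops at 247.255.255.255 and misses 248.0.0.0 to 255.255.255.255. If both variables only feed DROP rules the superset is harmless, but any rule that accepts multicast based on `class_d_multicast` would also accept reserved space; use /4 for both and fix the comments (`Multicast Addresse`, `Reserved Addresse`, `unpriviligierte`). The misspelled `stansard_mattermost_udp_ports_in`, `stansard_mattermost_udp_ports_out` and `default_jitsi_dovecout_auth_port` are referenced by name from defaults/main.yml, so rename them on both sides or leave both as they are.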
@@ -0,0 +1,268 @@
#!/usr/bin/env bash
# - Set firewall command (either iptables or ip6tables)
#
if [[ -x "${ip6t}" ]] ; then
fw_command="${ip6t}"
elif [[ -x "${ipt}" ]] ; then
fw_command="${ipt}"
fi
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}
fatal (){
echo ""
echo -e "fatal Error: $*"
echo ""
echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
is_number() {
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
# - also possible
# -
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
#return $([[ ! -z "${1##*[!0-9]*}" ]])
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}
is_container() {
command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
}
# -------------
# - IPv6 handling
# -------------
ENABLE_IPV6="auto" # auto | yes | no
IPV6_ACTIVE=0
ipv6_sysctl_enabled() {
sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
}
has_ipv6_addr() {
ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
}
detect_ipv6() {
case "$ENABLE_IPV6" in
yes) return 0 ;;
no) return 1 ;;
auto) ipv6_sysctl_enabled ;;
*) return 1 ;;
esac
}
# -------------
# - Network Device Stuff
# -------------
# get virtual ethernet interfaces and the master of the given bridge
#
get_vth_ports() {
local br="$1"
# lists virtual interfaces (veth*)) and the master interface of the given bridge
ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
}
# -------------
# - Fail2ban
# -------------
FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
FAIL2BAN_WAS_RUNNING=false
fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
has_fail2ban() {
command -v fail2ban-client >/dev/null 2>&1
}
fail2ban_running() {
systemctl is-active --quiet fail2ban >/dev/null 2>&1
}
# -------------
# - Debian 12/13 compatibility helpers (best effort)
# -------------
ensure_mod() {
# ---
# Load a kernel module if possible (no hard failure).
# NOTE: In containers module loading is not possible; modules must be loaded on the host.
# ---
local m="$1"
# Already loaded?
if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
return 0
fi
# Skip in containers/guests without module loading capability
#
is_container && return 0
# Best effort modprobe
/sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
}
# --- Feature detection helpers (Debian 12/13 + containers)
module_loaded() {
lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}
can_use_recent() {
# xt_recent is the kernel module behind "-m recent"
# In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
module_loaded xt_recent && return 0
[ -d /proc/net/xt_recent ] && return 0
# As a last resort, ask iptables to parse the match (works if userspace has it)
"$ipt" -m recent -h >/dev/null 2>&1 && return 0
return 1
}
can_use_hashlimit() {
# xt_hashlimit is the kernel module behind "-m hashlimit"
module_loaded xt_hashlimit && return 0
[ -d /proc/net/xt_hashlimit ] && return 0
"${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_connlimit() {
# xt_connlimit is the kernel module behind "-m connlimit"
module_loaded xt_connlimit && return 0
"${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_owner() {
# xt_owner is the kernel module behind "-m owner"
module_loaded xt_owner && return 0
"${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
return 1
}
can_use_ct_target() {
# Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
"${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
return 1
}
can_use_helper_match() {
# Check if helper match exists
"${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
return 1
}
can_use_nft() {
command -v nft >/dev/null 2>&1 && return 0
return 1
}
setup_ftp_conntrack_helper_output() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
# Best-effort; may fail in containers without CAP_NET_ADMIN
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
return 1
}
setup_ftp_conntrack_helper_prerouting() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
return 1
}
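Review bot: `echononl` writes to `/tmp/shprompt$$`, a predictable name in a world-writable directory, and this file is sourced by firewall scripts that run as root; a local user who pre-creates `/tmp/shprompt<pid>` as a symlink can make the root process truncate an arbitrary file (CWE-377). Use `mktemp`, or drop the probe entirely and write `printf '%s' "$*" 1>&2`, which needs no temp file. Two consistency points in the same hunk: `can_use_recent` and `setup_ftp_conntrack_helper_prerouting` call `"$ipt"` while their siblings use `"${fw_command}"`, so under the IPv6 script `$ipt` may be unset; and the selection at the top prefers `${ip6t}` whenever it is executable, so the IPv4 script must leave `ip6t` unset or it silently drives ip6tables. The nft fallback in both helper functions always creates an `ip` family table, which is the wrong family when `fw_command` is ip6tables.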
@@ -0,0 +1,62 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 11"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv4 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
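Review bot: the ulogd detection at the top of the file, `if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then`, works only because bash falls back to the exit status of the command substitution when the substitution expands to an empty command line; it reads like a bug and is easy to break when the line is edited. The plain form `if ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null ; then` has the same behaviour and is what a reader expects. Two comment typos in the `log_ips` section: "givven" and "seoarated". The comment above `log_level` talks about level 7 while the value is the symbolic `debug`; both are accepted by `--log-level`, but stating one form avoids confusion.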
@@ -0,0 +1,63 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 12"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv6 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
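Review bot: this file duplicates logging_ipv4.conf apart from the NFLOG group (12 here, 11 in the IPv4 file) and the `[ IPv6 ]` prefix, so the same remarks apply: replace the `if $(ps ... | grep -q ...)` construction with a direct `if ps -e f | grep -q -E ... ; then`, and fix "givven" and "seoarated" in the comments. The group numbers are hard-coded in both files; NFLOG messages sent to a group that no ulogd instance binds are silently discarded, so either make the group a variable next to `log_prefix` or document in the role README that the host's ulogd configuration must listen on groups 11 and 12.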
@@ -0,0 +1,621 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# NAT (Masquerade) Network interfaces
# ---
declare -a nat_device_arr=()
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
for _ip in $lxc_guest_ips ; do
lxc_guest_ip_arr+=("$_ip")
done
# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
for _ip in $local_ips ; do
local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
for _user in $cgi_script_users ; do
cgi_script_user_arr+=($_user)
done
# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container)
# ---
declare -a ext_ip_arr
for _ip in $ext_ips ; do
host_ip_arr+=("$_ip")
done
# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
ext_if_arr+=("$_dev")
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr
for _dev in $wg_ifs ; do
wg_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Restrict local Servive to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
restrict_local_service_to_net_arr+=("$_val")
done
# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
restrict_local_net_to_net_arr+=("$_val")
done
# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
allow_ext_service_arr+=("$_val")
done
# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
allow_ext_net_arr+=("$_net")
done
# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
allow_local_service_arr+=("$_val")
done
# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr
for _service in $allow_local_service_from_networks ; do
allow_local_service_from_network_arr+=("$_service")
done
# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - Network Interfaces DHCP Service
# ---
declare -a dhcp_server_if_arr
for _dev in $dhcp_server_ifs ; do
dhcp_server_if_arr+=($_dev)
done
declare -a dhcp_client_if_arr
for _dev in $dhcp_client_ifs ; do
dhcp_client_if_arr+=($_dev)
done
# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
forward_dns_server_ip_arr+=("$_ip")
done
# ---
# - Netwoks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr
for _net in $resolver_allowed_networks ; do
resolver_allowed_network_arr+=("$_net")
done
# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
vpn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
forward_vpn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr
for _ip in $wireguard_server_ips ; do
wireguard_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_wireguard_server_ip_arr
for _ip in $forward_wireguard_server_ips ; do
forward_wireguard_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
ssh_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
forward_ssh_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
http_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
forward_http_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr
for _ip in $mm_server_ips ; do
mm_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mm_server_ip_arr
for _ip in $forward_mm_server_ips ; do
forward_mm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
ftp_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
forward_ftp_server_ip_arr+=("$_ip")
done
# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
smtpd_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
forward_smtpd_ip_arr+=("$_ip")
done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr
for _ip in $xmpp_server_ips ; do
xmpp_server_ip_arr+=("$_ip")
done
declare -a forward_xmpp_server_ip_arr
for _ip in $forward_xmpp_server_ips ; do
forward_xmpp_server_ip_arr+=("$_ip")
done
# ---
# - XMPP Remote Dovecote Out Service
# ---
declare -a xmmp_remote_out_service_arr
for _val in $xmmp_remote_out_services ; do
xmmp_remote_out_service_arr+=("$_val")
done
# ---
# - Mail Services (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
mail_server_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
forward_mail_server_ip_arr+=("$_ip")
done
# ---
# - Mail client (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
mail_client_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
forward_mail_client_ip_arr+=("$_ip")
done
# ---
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr
for _ip in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_ip")
done
# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
mumble_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
forward_mumble_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr
for _ip in $jitsi_server_ips ; do
jitsi_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jitsi_server_ip_arr
for _ip in $forward_jitsi_server_ips ; do
forward_jitsi_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr
for _ip in $jitsi_jibri_remote_ips ; do
jitsi_jibri_remote_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr
for _ip in $jibri_server_ips ; do
jibri_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jibri_server_ip_arr
for _ip in $forward_jibri_server_ips ; do
forward_jibri_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr
for _ip in $nc_turn_server_ips ; do
nc_turn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_nc_turn_server_ip_arr
for _ip in $forward_nc_turn_server_ips ; do
forward_nc_turn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr
for _ip in $tel_sys_ips ; do
tel_sys_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr
for _ip in $prometheus_local_server_ips ; do
prometheus_local_server_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr
for _ip in $prometheus_local_client_ips; do
prometheus_local_client_ip_arr+=("$_ip")
done
declare -a prometheus_remote_server_ip_arr
for _ip in $prometheus_remote_server_ips ; do
prometheus_remote_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
munin_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
forward_munin_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
forward_rsync_out_ip_arr+=("$_ip")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - XMPP Service (Jabber - Prosody)
# ---
declare -a xmmp_tcp_in_port_arr
for _port in $xmmp_tcp_in_ports ; do
xmmp_tcp_in_port_arr+=("$_port")
done
declare -a xmmp_tcp_out_port_arr
for _port in $xmmp_tcp_out_ports ; do
xmmp_tcp_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
vpn_port_arr+=("$_port")
done
# ---
# - Wireguard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr
for _port in $wireguard_server_ports ; do
wireguard_server_port_arr+=("$_port")
done
# ---
# - Wireguard out Ports
# ---
# local
declare -a wireguard_out_port_port_arr
for _port in $wireguard_out_ports ; do
wireguard_out_port_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
tcp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
forward_tcp_out_port_arr+=("$_port")
done
# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
udp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
forward_udp_out_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
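Review bot: the "IP-Addresses (Host, Guests ...)" block declares `ext_ip_arr` but the loop appends to `host_ip_arr`, so `ext_ip_arr` is always empty and whatever later consumes it sees no external addresses; the append should be `ext_ip_arr+=("$_ip")`. Three appends are unquoted and therefore subject to glob expansion: `cgi_script_user_arr+=($_user)`, `dhcp_server_if_arr+=($_dev)` and `dhcp_client_if_arr+=($_dev)`; quote them like every other loop in the file. Note also that all loops split on IFS whitespace (`for _dev in $vpn_ifs`, `for _dev in $wg_ifs`, `for _dev in $dhcp_server_ifs`), so a value written as a comma-separated list becomes a single element containing commas; the configuration comments need to say "blank separated" consistently, or the loops need `IFS=', '`. Naming nits that will trip future readers: `wireguard_out_port_port_arr` (double "port"), `smtpd_additional_outgoung_port_arr` and the `xmmp_*` arrays for XMPP.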
@@ -0,0 +1,13 @@
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ip6t-firewall-server start
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
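Review bot: `After=network.target` orders the firewall after the network is already configured, which leaves a window during boot in which the interfaces are up with no rule set loaded. For a host firewall the systemd-documented ordering is the other way round: `Wants=network-pre.target` and `Before=network-pre.target` (typically together with `DefaultDependencies=no`, so the unit is not itself ordered after `basic.target`), which guarantees the rules are in place before any network management service brings interfaces up. `User=root` is the default for system units and can be dropped. The `Type=oneshot` / `RemainAfterExit=yes` pairing is right for a script that loads rules and exits.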
@@ -0,0 +1,13 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-server start
ExecStop=/usr/local/sbin/ipt-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
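Review bot: same ordering issue as in ip6t-firewall.service: with `After=network.target` the IPv4 rule set is loaded only after the network is configured, so there is a boot-time window with interfaces up and the kernel default policies in effect. Use `Wants=network-pre.target` / `Before=network-pre.target` (normally with `DefaultDependencies=no`) so the rules exist before the network comes up, and keep the two units identical apart from their names and script paths so they cannot drift. `User=root` is redundant here as well.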
File diff suppressed because it is too large
File diff suppressed because it is too large
@@ -0,0 +1,15 @@
---
- name: Reload systemd daemon
systemd:
daemon_reload: true
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
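Review bot: "Restart IPv4 Firewall" and "Restart IPv6 Firewall" use the `service` module while "Reload systemd daemon" uses `systemd`; using `systemd` for all three keeps the handlers consistent and avoids the module autodetection. More important operationally: with the units defined as `Type=oneshot` plus `ExecStop`, `state: restarted` runs the script's `stop` action and then `start`, so for the duration of the restart the host is in whatever state `stop` leaves behind. Verify that `stop` leaves a safe default policy (or at least document it), since this handler fires on every config change once `fw_manage_config` is true.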
@@ -0,0 +1,215 @@
---
# ===
# Ensure /etc/ipt-firewall directory exists
# ===
- name: Create /etc/ipt-firewall if not present
file:
path: /etc/ipt-firewall
state: directory
owner: root
group: root
mode: "0750"
# ===
# Check presence of host-specific config files
# ===
- name: Check if interfaces_ipv4.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if interfaces_ipv6.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
- name: Check if main_ipv4.conf exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv4_exists
- name: Check if main_ipv6.conf exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
# ===
# Deploy host-specific config files from templates.
#
# Safety guard: by default (fw_manage_config: false) a file is only written
# when it does not yet exist on the host — so existing hosts are never touched
# accidentally.
#
# Once a host has been migrated (host_vars populated and diff verified), set
# fw_manage_config: true
# in its host_vars. From that point on Ansible is the authoritative source and
# will update the config on every run, triggering a firewall restart on changes.
# ===
- name: Deploy interfaces_ipv4.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv4.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy interfaces_ipv6.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv6.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: Deploy main_ipv4.conf from template
template:
src: etc/ipt-firewall/main_ipv4.conf.j2
dest: /etc/ipt-firewall/main_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy main_ipv6.conf from template
template:
src: etc/ipt-firewall/main_ipv6.conf.j2
dest: /etc/ipt-firewall/main_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
# ===
# Firewall scripts
# ===
- name: Deploy ipt-firewall-server
copy:
src: usr/local/sbin/ipt-firewall-server
dest: /usr/local/sbin/ipt-firewall-server
owner: root
group: root
mode: "0750"
- name: Deploy ip6t-firewall-server
copy:
src: usr/local/sbin/ip6t-firewall-server
dest: /usr/local/sbin/ip6t-firewall-server
owner: root
group: root
mode: "0750"
# ===
# Shared conf files (not host-specific — always kept in sync with the role)
# ===
- name: Deploy shared conf files
copy:
src: "etc/ipt-firewall/{{ item }}"
dest: "/etc/ipt-firewall/{{ item }}"
owner: root
group: root
mode: "0640"
loop:
- default_settings.conf
- include_functions.conf
- logging_ipv4.conf
- logging_ipv6.conf
- post_declarations.conf
# ===
# Ban lists — copy from sample once; the file can be customised per host.
# ===
- name: Check if ban_ipv4.list exists
stat:
path: /etc/ipt-firewall/ban_ipv4.list
register: ban_ipv4_exists
- name: Copy ban_ipv4.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv4.list.sample
dest: /etc/ipt-firewall/ban_ipv4.list
owner: root
group: root
mode: "0640"
when: not ban_ipv4_exists.stat.exists
- name: Check if ban_ipv6.list exists
stat:
path: /etc/ipt-firewall/ban_ipv6.list
register: ban_ipv6_exists
- name: Copy ban_ipv6.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv6.list.sample
dest: /etc/ipt-firewall/ban_ipv6.list
owner: root
group: root
mode: "0640"
when: not ban_ipv6_exists.stat.exists
# ===
# Systemd service units
# ===
- name: Deploy ipt-firewall.service
copy:
src: etc/systemd/system/ipt-firewall.service
dest: /etc/systemd/system/ipt-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv4 Firewall
- name: Deploy ip6t-firewall.service
copy:
src: etc/systemd/system/ip6t-firewall.service
dest: /etc/systemd/system/ip6t-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv6 Firewall
# ===
# Enable and start services
# ===
- name: Enable and start ipt-firewall
systemd:
name: ipt-firewall
enabled: true
state: started
daemon_reload: true
- name: Enable and start ip6t-firewall
systemd:
name: ip6t-firewall
enabled: true
state: started
daemon_reload: true
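Review bot: the "Deploy ipt-firewall-server" / "Deploy ip6t-firewall-server" tasks and the "Deploy shared conf files" loop carry no `notify`, so a changed script or a changed include_functions.conf / logging_*.conf is written to disk but the running rule set is not rebuilt until the next reboot or manual restart; add `notify: - Restart IPv4 Firewall` / `- Restart IPv6 Firewall` to those tasks (both for the shared files, since both scripts source them). The `when: fw_manage_config or not ..._exists.stat.exists` guards fail with an undefined-variable error on any host that does not set `fw_manage_config`; unless the role's defaults define it, write `fw_manage_config | default(false)`. The header comment says existing hosts "are never touched accidentally", but the shared conf files are always overwritten regardless of `fw_manage_config`; state that explicitly so nobody relies on a locally edited logging_ipv4.conf surviving a run. Minor: `daemon_reload: true` in the two "Enable and start" tasks duplicates the "Reload systemd daemon" handler; one of them is enough.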
@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v4 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
# - Devices given in list "nat_devices" will be natted
# -
# - Blank separated list
# -
nat_devices="{{ fw_nat_devices }}"
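Review bot: the comments for `vpn_ifs` and `wg_ifs` say "(comma separated list)" while `nat_devices` says "Blank separated list"; post_declarations.conf iterates all of these with plain `for ... in $var`, which splits on whitespace, so a comma-separated value becomes one element. Align the comments (and the host_vars documentation) on blank-separated. Separately, this file is `source`d by a root shell script and every value is interpolated inside double quotes without escaping, so a host_vars value containing `"`, `$(...)` or a backtick would be executed as shell; render the string variables with Ansible's `quote` filter (e.g. `vpn_ifs={{ fw_vpn_ifs | quote }}`, dropping the surrounding double quotes) or validate them against an interface-name / address pattern in a preceding `assert` task. Finally, `fw_nat_devices` is emitted raw while `fw_ext_interfaces` and `fw_local_interfaces` are lists joined with `join(' ')`; making `fw_nat_devices` a list too keeps the host_vars uniform.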
@@ -0,0 +1,67 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v6 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"
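Review bot: same two issues as in the IPv4 template: the "(comma separated list)" comments on `vpn_ifs` and `wg_ifs` contradict the whitespace-splitting loops in post_declarations.conf, and the values are interpolated unescaped into a file that root sources, so they should go through the `quote` filter or be validated beforehand. This template defines no `nat_devices`, which is fine for IPv6, but post_declarations.conf (shared by both families) still runs `for _dev in $nat_devices`; that is harmless unless the script runs with `set -u`, and an explicit `nat_devices=""` here would make the IPv6 configuration self-contained.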
@@ -0,0 +1,357 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv4 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v4 }}"
# -------------
# --- Access control (source-based)
# -------------
# restrict_local_service_to_net="ext-net:local-address:port:protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v4 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v4 }}"
# allow_local_service="<port>:<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v4 }}"
# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DHCP (IPv4 only)
# -------------
# Comma separated list of interfaces providing DHCP
dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
# Comma separated list of interfaces acting as DHCP clients
dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv4 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv4)
# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v4 }}"
portforward_udp="{{ fw_portforward_udp_v4 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv4)
# -------------
kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
dynaddr_flag="{{ fw_dynaddr_flag }}"
kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
kernel_log_martians={{ fw_kernel_log_martians | lower }}
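Review bot: `munin_remote_ip="{{ munin_remote_ipv4 }}"` is the only assignment in this template that reads an Ansible variable without the `fw_` prefix, while every neighbouring line (`fw_munin_server_ips`, `fw_munin_remote_port`, `fw_munin_local_port`) follows the role's naming scheme. If `munin_remote_ipv4` is meant to come from a different role or from group_vars, a one-line comment above it saying so would stop the next reader from "fixing" it; if not, it should be `fw_munin_remote_ipv4` so the role's defaults can supply it and an undefined variable fails at template time rather than producing an empty `munin_remote_ip` in the generated config. One more thing to confirm in the same hunk: `blocked_ips="{{ fw_blocked_ips }}"`, `block_tcp_ports` and `block_udp_ports` carry no address-family suffix, unlike the `*_v4` port-forward variables a few lines above, so the same list is handed to both the IPv4 and the IPv6 configuration.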
@@ -0,0 +1,337 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv6 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v6 }}"
# -------------
# --- Access control (source-based)
# --- Note: IPv6 uses comma as field separator (not colon)
# -------------
# restrict_local_service_to_net="ext-net,local-address,port,protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v6 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v6 }}"
# allow_local_service="<port>,<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v6 }}"
# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="2001:678:a40:3000::/64"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv6 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv6)
# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v6 }}"
portforward_udp="{{ fw_portforward_udp_v6 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv6)
# -------------
kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
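Review bot: `blocked_ips="{{ fw_blocked_ips }}"` reuses the IPv4 variable in the IPv6 template, whereas the other address lists in this hunk that depend on address family (`fw_forward_private_ips_v6`, `fw_allow_ext_net_v6`, `fw_resolver_allowed_networks_v6`, `fw_dovecot_auth_allowed_networks_v6`, `fw_portforward_tcp_v6`) all got a `_v6` counterpart. An operator who puts IPv4 addresses in `fw_blocked_ips` will have them written into the IPv6 config unchanged, and there is no way to block an IPv6 address without also feeding it to the IPv4 script; a `fw_blocked_ips_v6` variable with an empty default would make the two files independent. Two naming points also worth settling before this lands: `smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"` spells the shell-side name differently from the Ansible-side name, and the XMPP block uses `xmpp_server_ips` next to `xmmp_tcp_in_ports` / `xmmp_remote_out_services`. If the consuming firewall script expects the misspelt names, a comment saying they are kept for compatibility would help; otherwise they should match, since a mismatch here fails silently (the script just sees an unset variable). Finally, `munin_remote_ip="{{ munin_remote_ipv6 }}"` lacks the `fw_` prefix used everywhere else in the template, same as its IPv4 sibling.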