56a2c8464f
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 3b4ba60bb7 | |||
| e74fca04a2 | |||
| ba5683864a | |||
| 1171d156b7 | |||
| 682a08b53e | |||
| b9e5b0f5e2 | |||
| db2cdabee1 | |||
| 25b0e026f2 | |||
| 48bc4296da | |||
| f149b09892 | |||
| 7db2b7ee9b | |||
| 5a98895b66 | |||
| 92d2c31ecc | |||
| 9798ca9cd6 | |||
| 0158e3738f | |||
| f309e8cb1c | |||
| 84d5a653c5 | |||
| 1c7ad75f47 | |||
| 55bdcba049 | |||
| 86afc6263d | |||
| 78d9822d2f | |||
| 6e086dbac0 |
+14
@@ -1 +1,15 @@
|
||||
# Editor
|
||||
*.swp
|
||||
*.swo
|
||||
*~
|
||||
|
||||
# Python
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
|
||||
# Ansible
|
||||
*.retry
|
||||
.vault_pass
|
||||
|
||||
# OS
|
||||
.DS_Store
|
||||
|
||||
Executable
+732
@@ -0,0 +1,732 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Extract ipt-firewall configuration from a host and generate host_vars YAML.
|
||||
|
||||
Reads /etc/ipt-firewall/{interfaces,main}_ipv{4,6}.conf via SSH,
|
||||
maps all variables to Ansible fw_* names, and writes a host_vars file.
|
||||
|
||||
Usage:
|
||||
./extract-fw-host-vars.py <hostname> [--user USER] [--port PORT] [--dry-run]
|
||||
|
||||
Example:
|
||||
./extract-fw-host-vars.py cl-01.oopen.de
|
||||
./extract-fw-host-vars.py cl-01.oopen.de --user root --dry-run
|
||||
"""
|
||||
|
||||
import argparse
|
||||
import re
|
||||
import subprocess
|
||||
import sys
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Defaults matching roles/ipt-firewall/defaults/main.yml
|
||||
# Only values that differ from these will be emitted.
|
||||
# ---------------------------------------------------------------------------
|
||||
DEFAULTS = {
|
||||
"fw_do_not_firewall_bridged_traffic": False,
|
||||
"fw_do_not_firewall_lx_guest_systems": False,
|
||||
"fw_drop_icmp": False,
|
||||
"fw_drop_mndp": True,
|
||||
"fw_drop_mdns": True,
|
||||
"fw_allow_all_outgoing_traffic": False,
|
||||
"fw_blocked_ifs": "",
|
||||
"fw_unprotected_ifs": "",
|
||||
"fw_forward_private_ips_v4": "",
|
||||
"fw_forward_private_ips_v6": "",
|
||||
"fw_restrict_local_service_to_net_v4": "",
|
||||
"fw_restrict_local_service_to_net_v6": "",
|
||||
"fw_restrict_local_net_to_net_v4": "",
|
||||
"fw_restrict_local_net_to_net_v6": "",
|
||||
"fw_allow_ext_service_v4": "",
|
||||
"fw_allow_ext_service_v6": "",
|
||||
"fw_allow_ext_net_v4": "",
|
||||
"fw_allow_ext_net_v6": "",
|
||||
"fw_allow_local_service_v4": "",
|
||||
"fw_allow_local_service_v6": "",
|
||||
"fw_allow_local_service_from_networks_v4": "",
|
||||
"fw_allow_local_service_from_networks_v6": "",
|
||||
"fw_vpn_server_ips": "",
|
||||
"fw_forward_vpn_server_ips": "",
|
||||
"fw_vpn_ports": "$standard_vpn_port",
|
||||
"fw_wireguard_server_ips": "",
|
||||
"fw_forward_wireguard_server_ips": "",
|
||||
"fw_wireguard_server_ports": "$standard_wireguard_port",
|
||||
"fw_wireguard_out_ports": "$standard_wireguard_port",
|
||||
"fw_local_ntp_service": False,
|
||||
"fw_ntp_port": "$standard_ntp_port",
|
||||
"fw_ntp_allowed_net": "",
|
||||
"fw_dhcp_server_ifs": "",
|
||||
"fw_dhcp_client_ifs": "",
|
||||
"fw_dns_server_ips": "",
|
||||
"fw_forward_dns_server_ips": "",
|
||||
"fw_local_resolver_service": False,
|
||||
"fw_resolver_port": "$standard_dns_port",
|
||||
"fw_resolver_allowed_networks_v4": "",
|
||||
"fw_resolver_allowed_networks_v6": "",
|
||||
"fw_ssh_server_ips": "$ext_ips",
|
||||
"fw_forward_ssh_server_ips": "",
|
||||
"fw_ssh_ports": "$standard_ssh_port",
|
||||
"fw_http_server_ips": "",
|
||||
"fw_forward_http_server_ips": "",
|
||||
"fw_http_ports": "$standard_http_ports",
|
||||
"fw_log_cgi_traffic_out": False,
|
||||
"fw_cgi_script_users": "",
|
||||
"fw_mm_server_ips": "",
|
||||
"fw_forward_mm_server_ips": "",
|
||||
"fw_smtpd_ips": "",
|
||||
"fw_forward_smtpd_ips": "",
|
||||
"fw_smtpd_additional_listen_ports": "",
|
||||
"fw_smtpd_additional_outgoing_ports": "",
|
||||
"fw_mail_server_ips": "",
|
||||
"fw_forward_mail_server_ips": "",
|
||||
"fw_mail_user_ports": "$standard_mailuser_ports",
|
||||
"fw_mail_client_ips": "",
|
||||
"fw_forward_mail_client_ips": "",
|
||||
"fw_dovecot_auth_service": False,
|
||||
"fw_dovecot_auth_port": "$dovecot_external_auth_port",
|
||||
"fw_dovecot_auth_allowed_networks_v4": "",
|
||||
"fw_dovecot_auth_allowed_networks_v6": "",
|
||||
"fw_ftp_server_ips": "",
|
||||
"fw_forward_ftp_server_ips": "",
|
||||
"fw_ftp_passive_port_range": "50000:50400",
|
||||
"fw_xmpp_server_ips": "",
|
||||
"fw_forward_xmpp_server_ips": "",
|
||||
"fw_xmmp_tcp_in_ports": "5222 5223 5269",
|
||||
"fw_xmmp_tcp_out_ports": "5269",
|
||||
"fw_xmmp_remote_out_services_v4": "",
|
||||
"fw_xmmp_remote_out_services_v6": "",
|
||||
"fw_mumble_server_ips": "",
|
||||
"fw_forward_mumble_server_ips": "",
|
||||
"fw_mumble_ports": "$standard_mumble_port",
|
||||
"fw_jitsi_server_ips": "",
|
||||
"fw_forward_jitsi_server_ips": "",
|
||||
"fw_jitsi_tcp_ports": "$standard_jitsi_tcp_ports",
|
||||
"fw_jitsi_udp_port_range": "$standard_jitsi_udp_port_range",
|
||||
"fw_jitsi_tcp_ports_out": "$standard_turn_service_ports,4443,4444,4445,4446",
|
||||
"fw_jitsi_udp_ports_out": "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446",
|
||||
"fw_jitsi_dovecot_auth": False,
|
||||
"fw_jitsi_dovecot_host": "",
|
||||
"fw_jitsi_jibri_remote_auth": False,
|
||||
"fw_jitsi_jibri_remote_ips": "",
|
||||
"fw_jibri_server_ips": "",
|
||||
"fw_forward_jibri_server_ips": "",
|
||||
"fw_jibri_remote_jitsi_server": "",
|
||||
"fw_nc_turn_server_ips": "",
|
||||
"fw_forward_nc_turn_server_ips": "",
|
||||
"fw_nc_turn_ports": "$standard_turn_service_ports",
|
||||
"fw_nc_turn_udp_ports": "$standard_turn_service_udp_ports",
|
||||
"fw_tftp_server_ips": "",
|
||||
"fw_prometheus_local_server_ips": "",
|
||||
"fw_prometheus_local_client_ips": "",
|
||||
"fw_prometheus_remote_server_ips": "",
|
||||
"fw_munin_server_ips": "",
|
||||
"fw_forward_munin_server_ips": "",
|
||||
"fw_munin_remote_port": "$standard_munin_port",
|
||||
"fw_munin_local_port": "4949",
|
||||
"munin_remote_ipv4": "",
|
||||
"munin_remote_ipv6": "",
|
||||
"fw_xymon_server_ips": "",
|
||||
"fw_local_xymon_client": False,
|
||||
"fw_xymon_port": "$standard_xymon_port",
|
||||
"fw_rsync_out_ips": "",
|
||||
"fw_forward_rsync_out_ips": "",
|
||||
"fw_rsync_ports": "873",
|
||||
"fw_tcp_out_ports": "",
|
||||
"fw_forward_tcp_out_ports": "",
|
||||
"fw_udp_out_ports": "",
|
||||
"fw_forward_udp_out_ports": "",
|
||||
"fw_portforward_tcp_v4": "",
|
||||
"fw_portforward_udp_v4": "",
|
||||
"fw_portforward_tcp_v6": "",
|
||||
"fw_portforward_udp_v6": "",
|
||||
"fw_blocked_ips": "",
|
||||
"fw_block_tcp_ports": "111 113 135 137:139 445",
|
||||
"fw_block_udp_ports": "111 137:139",
|
||||
"fw_create_traffic_counter": True,
|
||||
"fw_create_iperf_rules": True,
|
||||
"fw_protection_against_syn_flooding": True,
|
||||
"fw_protection_against_port_scanning": True,
|
||||
"fw_protection_against_ssh_brute_force_attacks": True,
|
||||
"fw_limit_connections_per_source_IP": True,
|
||||
"fw_per_IP_connection_limit": "$default_per_IP_connection_limit",
|
||||
"fw_limit_new_tcp_connections_per_seconds_per_source_IP": True,
|
||||
"fw_limit_new_tcp_connections_per_seconds_ports": "",
|
||||
"fw_kernel_activate_forwarding": False,
|
||||
"fw_kernel_support_dynaddr": False,
|
||||
"fw_dynaddr_flag": "5",
|
||||
"fw_kernel_reduce_timeouts": True,
|
||||
"fw_kernel_tcp_syncookies": True,
|
||||
"fw_kernel_protect_against_icmp_bogus_messages": True,
|
||||
"fw_kernel_ignore_broadcast_ping": True,
|
||||
"fw_kernel_deactivate_source_route": True,
|
||||
"fw_kernel_dont_accept_redirects": True,
|
||||
"fw_kernel_activate_rp_filter": True,
|
||||
"fw_kernel_log_martians": False,
|
||||
"fw_kernel_forward_between_interfaces": False,
|
||||
"fw_vpn_ifs": "tun+",
|
||||
"fw_wg_ifs": "wg+",
|
||||
"fw_nat_devices": "",
|
||||
}
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Variable mapping: (bash_varname, source) → ansible_varname
|
||||
# source: 'iface_v4', 'iface_v6', 'main_v4', 'main_v6', 'main_shared'
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Shared service variables (read from main_ipv4.conf, same in both)
|
||||
MAIN_SHARED = {
|
||||
"do_not_firewall_bridged_traffic": "fw_do_not_firewall_bridged_traffic",
|
||||
"do_not_firewall_lx_guest_systems": "fw_do_not_firewall_lx_guest_systems",
|
||||
"drop_icmp": "fw_drop_icmp",
|
||||
"drop_mndp": "fw_drop_mndp",
|
||||
"drop_mdns": "fw_drop_mdns",
|
||||
"allow_all_outgoing_traffic": "fw_allow_all_outgoing_traffic",
|
||||
"blocked_ifs": "fw_blocked_ifs",
|
||||
"unprotected_ifs": "fw_unprotected_ifs",
|
||||
"vpn_server_ips": "fw_vpn_server_ips",
|
||||
"forward_vpn_server_ips": "fw_forward_vpn_server_ips",
|
||||
"vpn_ports": "fw_vpn_ports",
|
||||
"wireguard_server_ips": "fw_wireguard_server_ips",
|
||||
"forward_wireguard_server_ips": "fw_forward_wireguard_server_ips",
|
||||
"wireguard_server_ports": "fw_wireguard_server_ports",
|
||||
"wireguard_out_ports": "fw_wireguard_out_ports",
|
||||
"local_ntp_service": "fw_local_ntp_service",
|
||||
"ntp_port": "fw_ntp_port",
|
||||
"ntp_allowed_net": "fw_ntp_allowed_net",
|
||||
"dns_server_ips": "fw_dns_server_ips",
|
||||
"forward_dns_server_ips": "fw_forward_dns_server_ips",
|
||||
"local_resolver_service": "fw_local_resolver_service",
|
||||
"resolver_port": "fw_resolver_port",
|
||||
"ssh_server_ips": "fw_ssh_server_ips",
|
||||
"forward_ssh_server_ips": "fw_forward_ssh_server_ips",
|
||||
"ssh_ports": "fw_ssh_ports",
|
||||
"http_server_ips": "fw_http_server_ips",
|
||||
"forward_http_server_ips": "fw_forward_http_server_ips",
|
||||
"http_ports": "fw_http_ports",
|
||||
"log_cgi_traffic_out": "fw_log_cgi_traffic_out",
|
||||
"cgi_script_users": "fw_cgi_script_users",
|
||||
"mm_server_ips": "fw_mm_server_ips",
|
||||
"forward_mm_server_ips": "fw_forward_mm_server_ips",
|
||||
"smtpd_ips": "fw_smtpd_ips",
|
||||
"forward_smtpd_ips": "fw_forward_smtpd_ips",
|
||||
"smtpd_additional_listen_ports": "fw_smtpd_additional_listen_ports",
|
||||
"smtpd_additional_outgoung_ports": "fw_smtpd_additional_outgoing_ports",
|
||||
"mail_server_ips": "fw_mail_server_ips",
|
||||
"forward_mail_server_ips": "fw_forward_mail_server_ips",
|
||||
"mail_user_ports": "fw_mail_user_ports",
|
||||
"mail_client_ips": "fw_mail_client_ips",
|
||||
"forward_mail_client_ips": "fw_forward_mail_client_ips",
|
||||
"dovecot_auth_service": "fw_dovecot_auth_service",
|
||||
"dovecot_auth_port": "fw_dovecot_auth_port",
|
||||
"ftp_server_ips": "fw_ftp_server_ips",
|
||||
"forward_ftp_server_ips": "fw_forward_ftp_server_ips",
|
||||
"ftp_passive_port_range": "fw_ftp_passive_port_range",
|
||||
"xmpp_server_ips": "fw_xmpp_server_ips",
|
||||
"forward_xmpp_server_ips": "fw_forward_xmpp_server_ips",
|
||||
"xmmp_tcp_in_ports": "fw_xmmp_tcp_in_ports",
|
||||
"xmmp_tcp_out_ports": "fw_xmmp_tcp_out_ports",
|
||||
"mumble_server_ips": "fw_mumble_server_ips",
|
||||
"forward_mumble_server_ips": "fw_forward_mumble_server_ips",
|
||||
"mumble_ports": "fw_mumble_ports",
|
||||
"jitsi_server_ips": "fw_jitsi_server_ips",
|
||||
"forward_jitsi_server_ips": "fw_forward_jitsi_server_ips",
|
||||
"jitsi_tcp_ports": "fw_jitsi_tcp_ports",
|
||||
"jitsi_udp_port_range": "fw_jitsi_udp_port_range",
|
||||
"jitsi_tcp_ports_out": "fw_jitsi_tcp_ports_out",
|
||||
"jitsi_udp_ports_out": "fw_jitsi_udp_ports_out",
|
||||
"jitsi_dovecot_auth": "fw_jitsi_dovecot_auth",
|
||||
"jitsi_dovecot_host": "fw_jitsi_dovecot_host",
|
||||
"jitsi_jibri_remote_auth": "fw_jitsi_jibri_remote_auth",
|
||||
"jitsi_jibri_remote_ips": "fw_jitsi_jibri_remote_ips",
|
||||
"jibri_server_ips": "fw_jibri_server_ips",
|
||||
"forward_jibri_server_ips": "fw_forward_jibri_server_ips",
|
||||
"jibri_remote_jitsi_server": "fw_jibri_remote_jitsi_server",
|
||||
"nc_turn_server_ips": "fw_nc_turn_server_ips",
|
||||
"forward_nc_turn_server_ips": "fw_forward_nc_turn_server_ips",
|
||||
"nc_turn_ports": "fw_nc_turn_ports",
|
||||
"nc_turn_udp_ports": "fw_nc_turn_udp_ports",
|
||||
"tftp_server_ips": "fw_tftp_server_ips",
|
||||
"prometheus_local_server_ips": "fw_prometheus_local_server_ips",
|
||||
"prometheus_local_client_ips": "fw_prometheus_local_client_ips",
|
||||
"prometheus_remote_server_ips": "fw_prometheus_remote_server_ips",
|
||||
"munin_server_ips": "fw_munin_server_ips",
|
||||
"forward_munin_server_ips": "fw_forward_munin_server_ips",
|
||||
"munin_remote_port": "fw_munin_remote_port",
|
||||
"munin_local_port": "fw_munin_local_port",
|
||||
"xymon_server_ips": "fw_xymon_server_ips",
|
||||
"local_xymon_client": "fw_local_xymon_client",
|
||||
"xymon_port": "fw_xymon_port",
|
||||
"rsync_out_ips": "fw_rsync_out_ips",
|
||||
"forward_rsync_out_ips": "fw_forward_rsync_out_ips",
|
||||
"rsync_ports": "fw_rsync_ports",
|
||||
"tcp_out_ports": "fw_tcp_out_ports",
|
||||
"forward_tcp_out_ports": "fw_forward_tcp_out_ports",
|
||||
"udp_out_ports": "fw_udp_out_ports",
|
||||
"forward_udp_out_ports": "fw_forward_udp_out_ports",
|
||||
"blocked_ips": "fw_blocked_ips",
|
||||
"block_tcp_ports": "fw_block_tcp_ports",
|
||||
"block_udp_ports": "fw_block_udp_ports",
|
||||
"create_traffic_counter": "fw_create_traffic_counter",
|
||||
"create_iperf_rules": "fw_create_iperf_rules",
|
||||
"protection_against_syn_flooding": "fw_protection_against_syn_flooding",
|
||||
"protection_against_port_scanning": "fw_protection_against_port_scanning",
|
||||
"protection_against_ssh_brute_force_attacks": "fw_protection_against_ssh_brute_force_attacks",
|
||||
"limit_connections_per_source_IP": "fw_limit_connections_per_source_IP",
|
||||
"per_IP_connection_limit": "fw_per_IP_connection_limit",
|
||||
"limit_new_tcp_connections_per_seconds_per_source_IP": "fw_limit_new_tcp_connections_per_seconds_per_source_IP",
|
||||
"limit_new_tcp_connections_per_seconds_ports": "fw_limit_new_tcp_connections_per_seconds_ports",
|
||||
}
|
||||
|
||||
# IPv4-only variables (from main_ipv4.conf)
|
||||
MAIN_V4_ONLY = {
|
||||
"forward_private_ips": "fw_forward_private_ips_v4",
|
||||
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v4",
|
||||
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v4",
|
||||
"allow_ext_service": "fw_allow_ext_service_v4",
|
||||
"allow_ext_net": "fw_allow_ext_net_v4",
|
||||
"allow_local_service": "fw_allow_local_service_v4",
|
||||
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v4",
|
||||
"portforward_tcp": "fw_portforward_tcp_v4",
|
||||
"portforward_udp": "fw_portforward_udp_v4",
|
||||
"munin_remote_ip": "munin_remote_ipv4",
|
||||
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v4",
|
||||
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v4",
|
||||
"resolver_allowed_networks": "fw_resolver_allowed_networks_v4",
|
||||
"dhcp_server_ifs": "fw_dhcp_server_ifs",
|
||||
"dhcp_client_ifs": "fw_dhcp_client_ifs",
|
||||
"kernel_activate_forwarding": "fw_kernel_activate_forwarding",
|
||||
"kernel_support_dynaddr": "fw_kernel_support_dynaddr",
|
||||
"dynaddr_flag": "fw_dynaddr_flag",
|
||||
"kernel_reduce_timeouts": "fw_kernel_reduce_timeouts",
|
||||
"kernel_tcp_syncookies": "fw_kernel_tcp_syncookies",
|
||||
"kernel_protect_against_icmp_bogus_messages": "fw_kernel_protect_against_icmp_bogus_messages",
|
||||
"kernel_ignore_broadcast_ping": "fw_kernel_ignore_broadcast_ping",
|
||||
"kernel_activate_rp_filter": "fw_kernel_activate_rp_filter",
|
||||
"kernel_log_martians": "fw_kernel_log_martians",
|
||||
"kernel_deactivate_source_route": "fw_kernel_deactivate_source_route",
|
||||
"kernel_dont_accept_redirects": "fw_kernel_dont_accept_redirects",
|
||||
}
|
||||
|
||||
# IPv6-only variables (from main_ipv6.conf)
|
||||
MAIN_V6_ONLY = {
|
||||
"forward_private_ips": "fw_forward_private_ips_v6",
|
||||
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v6",
|
||||
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v6",
|
||||
"allow_ext_service": "fw_allow_ext_service_v6",
|
||||
"allow_ext_net": "fw_allow_ext_net_v6",
|
||||
"allow_local_service": "fw_allow_local_service_v6",
|
||||
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v6",
|
||||
"portforward_tcp": "fw_portforward_tcp_v6",
|
||||
"portforward_udp": "fw_portforward_udp_v6",
|
||||
"munin_remote_ip": "munin_remote_ipv6",
|
||||
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v6",
|
||||
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v6",
|
||||
"resolver_allowed_networks": "fw_resolver_allowed_networks_v6",
|
||||
"kernel_forward_between_interfaces": "fw_kernel_forward_between_interfaces",
|
||||
}
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Parsing
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
def parse_bash_config(text):
|
||||
"""
|
||||
Parse key=value pairs from a bash config file.
|
||||
Handles: var="value", var=value, var=true/false
|
||||
Multiline values (var="line1\n line2\n") are joined as a single string.
|
||||
Returns dict of {varname: value_string}
|
||||
"""
|
||||
result = {}
|
||||
warnings = []
|
||||
|
||||
# Collapse multiline quoted strings: "...\n ..." → "... ..."
|
||||
# Strategy: scan char by char for opening " after =, collect until closing "
|
||||
lines = text.splitlines()
|
||||
i = 0
|
||||
while i < len(lines):
|
||||
line = lines[i].strip()
|
||||
|
||||
# Skip comments and blank lines
|
||||
if not line or line.startswith('#'):
|
||||
i += 1
|
||||
continue
|
||||
|
||||
# Match assignment
|
||||
m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)', line)
|
||||
if not m:
|
||||
i += 1
|
||||
continue
|
||||
|
||||
varname = m.group(1)
|
||||
rest = m.group(2).strip()
|
||||
|
||||
# Quoted value (single or double quotes, may span multiple lines)
|
||||
if rest and rest[0] in ('"', "'"):
|
||||
quote_char = rest[0]
|
||||
collected = rest[1:] # strip opening quote
|
||||
parts = []
|
||||
closed = False
|
||||
|
||||
while True:
|
||||
close_pos = collected.find(quote_char)
|
||||
if close_pos != -1:
|
||||
parts.append(collected[:close_pos])
|
||||
# join all parts; split() collapses whitespace and drops empty lines
|
||||
value = ' '.join(' '.join(parts).split())
|
||||
result[varname] = value
|
||||
closed = True
|
||||
break
|
||||
else:
|
||||
parts.append(collected)
|
||||
i += 1
|
||||
if i >= len(lines):
|
||||
break
|
||||
collected = lines[i].strip()
|
||||
|
||||
if not closed:
|
||||
warnings.append(f" # {varname}: unterminated quoted string — skipped")
|
||||
|
||||
else:
|
||||
# Unquoted value (true, false, $var_ref, number, etc.)
|
||||
# Strip trailing comment
|
||||
value = re.sub(r'\s+#.*$', '', rest).strip()
|
||||
result[varname] = value
|
||||
|
||||
i += 1
|
||||
|
||||
return result, warnings
|
||||
|
||||
|
||||
def ssh_cat(host, user, port, path, sudo_password=None):
|
||||
"""Read a file from a remote host via SSH. Returns file content or None."""
|
||||
ssh_cmd = ["ssh"]
|
||||
if user:
|
||||
ssh_cmd += ["-l", user]
|
||||
if port:
|
||||
ssh_cmd += ["-p", str(port)]
|
||||
ssh_cmd += ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10", host]
|
||||
|
||||
if sudo_password is not None:
|
||||
# Use sudo -S to read password from stdin; -p '' suppresses the prompt
|
||||
ssh_cmd += [f"sudo -S -p '' cat {path}"]
|
||||
stdin_data = sudo_password + "\n"
|
||||
else:
|
||||
ssh_cmd += [f"cat {path}"]
|
||||
stdin_data = None
|
||||
|
||||
try:
|
||||
result = subprocess.run(
|
||||
ssh_cmd, input=stdin_data, capture_output=True, text=True, timeout=30
|
||||
)
|
||||
if result.returncode != 0:
|
||||
print(f" WARNING: could not read {path}: {result.stderr.strip()}", file=sys.stderr)
|
||||
return None
|
||||
return result.stdout
|
||||
except subprocess.TimeoutExpired:
|
||||
print(f" ERROR: SSH timeout reading {path}", file=sys.stderr)
|
||||
return None
|
||||
|
||||
|
||||
def coerce_bool(value):
|
||||
"""Convert bash true/false string to Python bool, or return string."""
|
||||
if value.lower() in ("true", "yes", "1"):
|
||||
return True
|
||||
if value.lower() in ("false", "no", "0"):
|
||||
return False
|
||||
return value # keep as string (e.g. $standard_ssh_port)
|
||||
|
||||
|
||||
def yaml_value(v):
|
||||
"""Format a Python value as a YAML-safe string."""
|
||||
if isinstance(v, bool):
|
||||
return "true" if v else "false"
|
||||
if v == "":
|
||||
return '""'
|
||||
# Quote if contains special YAML characters
|
||||
if any(c in str(v) for c in [':', '#', '{', '}', '[', ']', ',', '&', '*', '?', '|', '-', '<', '>', '=', '!', '%', '@', '`', '"', "'"]):
|
||||
# Use double-quote with escaping
|
||||
escaped = str(v).replace('\\', '\\\\').replace('"', '\\"')
|
||||
return f'"{escaped}"'
|
||||
return str(v)
|
||||
|
||||
|
||||
def build_host_vars(parsed_iface_v4, parsed_iface_v6, parsed_main_v4, parsed_main_v6):
|
||||
"""
|
||||
Map parsed bash variables to Ansible fw_* variables.
|
||||
Returns dict of {ansible_var: value} containing only non-default values.
|
||||
"""
|
||||
result = {}
|
||||
|
||||
# --- Interfaces: extract lists from numbered vars ---
|
||||
def extract_list(parsed, prefix, suffix="", count=3):
|
||||
items = []
|
||||
for i in range(1, count + 1):
|
||||
v = parsed.get(f"{prefix}{i}{suffix}", "").strip()
|
||||
if v:
|
||||
items.append(v)
|
||||
return items
|
||||
|
||||
fw_ext_interfaces = extract_list(parsed_iface_v4, "ext_if_")
|
||||
fw_ext_ips_v4 = extract_list(parsed_iface_v4, "ext_", suffix="_ip") # ext_1_ip, ext_2_ip, ext_3_ip
|
||||
fw_ext_ips_v6 = extract_list(parsed_iface_v6, "ext_", suffix="_ip")
|
||||
fw_local_interfaces = extract_list(parsed_iface_v4, "local_if_")
|
||||
fw_local_ips_v4 = extract_list(parsed_iface_v4, "local_", suffix="_ip")
|
||||
fw_local_ips_v6 = extract_list(parsed_iface_v6, "local_", suffix="_ip")
|
||||
fw_lxc_guest_ips_v4 = extract_list(parsed_iface_v4, "lxc_guest_", suffix="_ip", count=7)
|
||||
fw_lxc_guest_ips_v6 = extract_list(parsed_iface_v6, "lxc_guest_", suffix="_ip", count=7)
|
||||
|
||||
if fw_ext_interfaces:
|
||||
result["fw_ext_interfaces"] = fw_ext_interfaces
|
||||
if fw_ext_ips_v4:
|
||||
result["fw_ext_ips_v4"] = fw_ext_ips_v4
|
||||
if fw_ext_ips_v6:
|
||||
result["fw_ext_ips_v6"] = fw_ext_ips_v6
|
||||
if fw_local_interfaces:
|
||||
result["fw_local_interfaces"] = fw_local_interfaces
|
||||
if fw_local_ips_v4:
|
||||
result["fw_local_ips_v4"] = fw_local_ips_v4
|
||||
if fw_local_ips_v6:
|
||||
result["fw_local_ips_v6"] = fw_local_ips_v6
|
||||
if fw_lxc_guest_ips_v4:
|
||||
result["fw_lxc_guest_ips_v4"] = fw_lxc_guest_ips_v4
|
||||
if fw_lxc_guest_ips_v6:
|
||||
result["fw_lxc_guest_ips_v6"] = fw_lxc_guest_ips_v6
|
||||
|
||||
# vpn_ifs / wg_ifs / nat_devices (same in both interface files)
|
||||
for bash_var, ansible_var in [("vpn_ifs", "fw_vpn_ifs"), ("wg_ifs", "fw_wg_ifs"), ("nat_devices", "fw_nat_devices")]:
|
||||
v = parsed_iface_v4.get(bash_var, "")
|
||||
if v and v != DEFAULTS.get(ansible_var, ""):
|
||||
result[ansible_var] = v
|
||||
|
||||
# --- Shared main variables (read from ipv4) ---
|
||||
for bash_var, ansible_var in MAIN_SHARED.items():
|
||||
raw = parsed_main_v4.get(bash_var)
|
||||
if raw is None:
|
||||
continue
|
||||
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
|
||||
default = DEFAULTS.get(ansible_var)
|
||||
if v != default:
|
||||
result[ansible_var] = v
|
||||
|
||||
# --- IPv4-only main variables ---
|
||||
for bash_var, ansible_var in MAIN_V4_ONLY.items():
|
||||
raw = parsed_main_v4.get(bash_var)
|
||||
if raw is None:
|
||||
continue
|
||||
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
|
||||
default = DEFAULTS.get(ansible_var)
|
||||
if v != default:
|
||||
result[ansible_var] = v
|
||||
|
||||
# --- IPv6-only main variables ---
|
||||
for bash_var, ansible_var in MAIN_V6_ONLY.items():
|
||||
raw = parsed_main_v6.get(bash_var)
|
||||
if raw is None:
|
||||
continue
|
||||
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
|
||||
default = DEFAULTS.get(ansible_var)
|
||||
if v != default:
|
||||
result[ansible_var] = v
|
||||
|
||||
return result
|
||||
|
||||
|
||||
def render_yaml(hostname, host_vars, all_warnings):
|
||||
"""Render the host_vars as YAML text."""
|
||||
lines = [
|
||||
"---",
|
||||
f"# ipt-firewall configuration for {hostname}",
|
||||
"# Generated by extract-fw-host-vars.py - review before committing!",
|
||||
"# Place in: host_vars/<hostname>/ipt_firewall.yml",
|
||||
"",
|
||||
]
|
||||
|
||||
lines.append("fw_manage_config: false")
|
||||
lines.append("")
|
||||
|
||||
if all_warnings:
|
||||
lines.append("# WARNINGS — manual review needed:")
|
||||
for w in all_warnings:
|
||||
lines.append(w)
|
||||
lines.append("")
|
||||
|
||||
# Group output by section
|
||||
sections = [
|
||||
("Network", ["fw_ext_interfaces", "fw_ext_ips_v4", "fw_ext_ips_v6",
|
||||
"fw_local_interfaces", "fw_local_ips_v4", "fw_local_ips_v6",
|
||||
"fw_lxc_guest_ips_v4", "fw_lxc_guest_ips_v6",
|
||||
"fw_vpn_ifs", "fw_wg_ifs", "fw_nat_devices"]),
|
||||
("Munin", ["munin_remote_ipv4", "munin_remote_ipv6", "fw_munin_local_port",
|
||||
"fw_munin_server_ips", "fw_forward_munin_server_ips", "fw_munin_remote_port"]),
|
||||
("Bridged / LXC", ["fw_do_not_firewall_bridged_traffic", "fw_do_not_firewall_lx_guest_systems"]),
|
||||
("Drop policies", ["fw_drop_icmp", "fw_drop_mndp", "fw_drop_mdns"]),
|
||||
("Outgoing / interfaces", ["fw_allow_all_outgoing_traffic", "fw_blocked_ifs", "fw_unprotected_ifs"]),
|
||||
("Forwarding", ["fw_forward_private_ips_v4", "fw_forward_private_ips_v6",
|
||||
"fw_kernel_activate_forwarding", "fw_kernel_forward_between_interfaces"]),
|
||||
("Access control IPv4", ["fw_restrict_local_service_to_net_v4", "fw_restrict_local_net_to_net_v4",
|
||||
"fw_allow_ext_service_v4", "fw_allow_ext_net_v4",
|
||||
"fw_allow_local_service_v4", "fw_allow_local_service_from_networks_v4"]),
|
||||
("Access control IPv6", ["fw_restrict_local_service_to_net_v6", "fw_restrict_local_net_to_net_v6",
|
||||
"fw_allow_ext_service_v6", "fw_allow_ext_net_v6",
|
||||
"fw_allow_local_service_v6", "fw_allow_local_service_from_networks_v6"]),
|
||||
("SSH", ["fw_ssh_server_ips", "fw_forward_ssh_server_ips", "fw_ssh_ports"]),
|
||||
("HTTP", ["fw_http_server_ips", "fw_forward_http_server_ips", "fw_http_ports",
|
||||
"fw_log_cgi_traffic_out", "fw_cgi_script_users"]),
|
||||
("Mail", ["fw_smtpd_ips", "fw_forward_smtpd_ips", "fw_smtpd_additional_listen_ports",
|
||||
"fw_smtpd_additional_outgoing_ports", "fw_mail_server_ips", "fw_forward_mail_server_ips",
|
||||
"fw_mail_user_ports", "fw_mail_client_ips", "fw_forward_mail_client_ips",
|
||||
"fw_dovecot_auth_service", "fw_dovecot_auth_port",
|
||||
"fw_dovecot_auth_allowed_networks_v4", "fw_dovecot_auth_allowed_networks_v6"]),
|
||||
("DNS", ["fw_dns_server_ips", "fw_forward_dns_server_ips",
|
||||
"fw_local_resolver_service", "fw_resolver_port",
|
||||
"fw_resolver_allowed_networks_v4", "fw_resolver_allowed_networks_v6"]),
|
||||
("NTP", ["fw_local_ntp_service", "fw_ntp_port", "fw_ntp_allowed_net"]),
|
||||
("DHCP", ["fw_dhcp_server_ifs", "fw_dhcp_client_ifs"]),
|
||||
("VPN / WireGuard", ["fw_vpn_server_ips", "fw_forward_vpn_server_ips", "fw_vpn_ports",
|
||||
"fw_wireguard_server_ips", "fw_forward_wireguard_server_ips",
|
||||
"fw_wireguard_server_ports", "fw_wireguard_out_ports"]),
|
||||
("FTP", ["fw_ftp_server_ips", "fw_forward_ftp_server_ips", "fw_ftp_passive_port_range"]),
|
||||
("XMPP", ["fw_xmpp_server_ips", "fw_forward_xmpp_server_ips",
|
||||
"fw_xmmp_tcp_in_ports", "fw_xmmp_tcp_out_ports",
|
||||
"fw_xmmp_remote_out_services_v4", "fw_xmmp_remote_out_services_v6"]),
|
||||
("Mumble", ["fw_mumble_server_ips", "fw_forward_mumble_server_ips", "fw_mumble_ports"]),
|
||||
("Jitsi", ["fw_jitsi_server_ips", "fw_forward_jitsi_server_ips",
|
||||
"fw_jitsi_tcp_ports", "fw_jitsi_udp_port_range",
|
||||
"fw_jitsi_tcp_ports_out", "fw_jitsi_udp_ports_out",
|
||||
"fw_jitsi_dovecot_auth", "fw_jitsi_dovecot_host",
|
||||
"fw_jitsi_jibri_remote_auth", "fw_jitsi_jibri_remote_ips",
|
||||
"fw_jibri_server_ips", "fw_forward_jibri_server_ips", "fw_jibri_remote_jitsi_server"]),
|
||||
("TURN / STUN", ["fw_nc_turn_server_ips", "fw_forward_nc_turn_server_ips",
|
||||
"fw_nc_turn_ports", "fw_nc_turn_udp_ports"]),
|
||||
("Mattermost", ["fw_mm_server_ips", "fw_forward_mm_server_ips"]),
|
||||
("Prometheus", ["fw_prometheus_local_server_ips", "fw_prometheus_local_client_ips",
|
||||
"fw_prometheus_remote_server_ips"]),
|
||||
("Xymon", ["fw_xymon_server_ips", "fw_local_xymon_client", "fw_xymon_port"]),
|
||||
("Rsync", ["fw_rsync_out_ips", "fw_forward_rsync_out_ips", "fw_rsync_ports"]),
|
||||
("Out ports", ["fw_tcp_out_ports", "fw_forward_tcp_out_ports",
|
||||
"fw_udp_out_ports", "fw_forward_udp_out_ports"]),
|
||||
("Portforwarding", ["fw_portforward_tcp_v4", "fw_portforward_udp_v4",
|
||||
"fw_portforward_tcp_v6", "fw_portforward_udp_v6"]),
|
||||
("Block", ["fw_blocked_ips", "fw_block_tcp_ports", "fw_block_udp_ports"]),
|
||||
("Protection / limits", ["fw_protection_against_syn_flooding",
|
||||
"fw_protection_against_port_scanning",
|
||||
"fw_protection_against_ssh_brute_force_attacks",
|
||||
"fw_limit_connections_per_source_IP", "fw_per_IP_connection_limit",
|
||||
"fw_limit_new_tcp_connections_per_seconds_per_source_IP",
|
||||
"fw_limit_new_tcp_connections_per_seconds_ports"]),
|
||||
("Kernel IPv4", ["fw_kernel_support_dynaddr", "fw_dynaddr_flag",
|
||||
"fw_kernel_reduce_timeouts", "fw_kernel_tcp_syncookies",
|
||||
"fw_kernel_protect_against_icmp_bogus_messages",
|
||||
"fw_kernel_ignore_broadcast_ping",
|
||||
"fw_kernel_deactivate_source_route", "fw_kernel_dont_accept_redirects",
|
||||
"fw_kernel_activate_rp_filter", "fw_kernel_log_martians"]),
|
||||
("Special", ["fw_create_traffic_counter", "fw_create_iperf_rules"]),
|
||||
]
|
||||
|
||||
emitted = set()
|
||||
for section_name, keys in sections:
|
||||
section_lines = []
|
||||
for k in keys:
|
||||
if k in host_vars:
|
||||
v = host_vars[k]
|
||||
if isinstance(v, list):
|
||||
section_lines.append(f"{k}:")
|
||||
for item in v:
|
||||
section_lines.append(f" - \"{item}\"")
|
||||
elif isinstance(v, bool):
|
||||
section_lines.append(f"{k}: {'true' if v else 'false'}")
|
||||
else:
|
||||
section_lines.append(f"{k}: {yaml_value(str(v))}")
|
||||
emitted.add(k)
|
||||
|
||||
if section_lines:
|
||||
lines.append(f"# --- {section_name}")
|
||||
lines.extend(section_lines)
|
||||
lines.append("")
|
||||
|
||||
# Anything not covered by sections
|
||||
remaining = {k: v for k, v in host_vars.items() if k not in emitted}
|
||||
if remaining:
|
||||
lines.append("# --- Other")
|
||||
for k, v in remaining.items():
|
||||
if isinstance(v, list):
|
||||
lines.append(f"{k}:")
|
||||
for item in v:
|
||||
lines.append(f" - \"{item}\"")
|
||||
elif isinstance(v, bool):
|
||||
lines.append(f"{k}: {'true' if v else 'false'}")
|
||||
else:
|
||||
lines.append(f"{k}: {yaml_value(str(v))}")
|
||||
lines.append("")
|
||||
|
||||
return "\n".join(lines)
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Extract ipt-firewall host_vars from a remote host")
|
||||
parser.add_argument("hostname", help="Target hostname (must be in SSH config or known_hosts)")
|
||||
parser.add_argument("--user", "-u", default="chris", help="SSH user (default: chris)")
|
||||
parser.add_argument("--port", "-p", type=int, default=None, help="SSH port (default: 22)")
|
||||
parser.add_argument("--output", "-o", default=None, help="Output file (default: stdout)")
|
||||
parser.add_argument("--sudo", "-s", action="store_true",
|
||||
help="Read files via sudo (prompts for sudo password once)")
|
||||
parser.add_argument("--dry-run", action="store_true", help="Print SSH commands without executing")
|
||||
args = parser.parse_args()
|
||||
|
||||
hostname = args.hostname
|
||||
conf_dir = "/etc/ipt-firewall"
|
||||
files = {
|
||||
"iface_v4": f"{conf_dir}/interfaces_ipv4.conf",
|
||||
"iface_v6": f"{conf_dir}/interfaces_ipv6.conf",
|
||||
"main_v4": f"{conf_dir}/main_ipv4.conf",
|
||||
"main_v6": f"{conf_dir}/main_ipv6.conf",
|
||||
}
|
||||
|
||||
if args.dry_run:
|
||||
cmd = "sudo -S -p '' cat" if args.sudo else "cat"
|
||||
for key, path in files.items():
|
||||
print(f"ssh {args.user}@{hostname} {cmd} {path}")
|
||||
return
|
||||
|
||||
sudo_password = None
|
||||
if args.sudo:
|
||||
import getpass
|
||||
sudo_password = getpass.getpass(f"sudo password for {args.user}@{hostname}: ")
|
||||
|
||||
print(f"Connecting to {hostname} as {args.user} ...", file=sys.stderr)
|
||||
|
||||
contents = {}
|
||||
for key, path in files.items():
|
||||
print(f" Reading {path} ...", file=sys.stderr)
|
||||
content = ssh_cat(hostname, args.user, args.port, path, sudo_password=sudo_password)
|
||||
contents[key] = content or ""
|
||||
|
||||
all_warnings = []
|
||||
parsed = {}
|
||||
for key, text in contents.items():
|
||||
p, warnings = parse_bash_config(text)
|
||||
parsed[key] = p
|
||||
if warnings:
|
||||
all_warnings.extend([f" # [{key}] {w}" for w in warnings])
|
||||
|
||||
host_vars = build_host_vars(
|
||||
parsed["iface_v4"], parsed["iface_v6"],
|
||||
parsed["main_v4"], parsed["main_v6"],
|
||||
)
|
||||
|
||||
yaml_text = render_yaml(hostname, host_vars, all_warnings)
|
||||
|
||||
if args.output:
|
||||
out_path = Path(args.output)
|
||||
out_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
out_path.write_text(yaml_text)
|
||||
print(f"Written to {out_path}", file=sys.stderr)
|
||||
else:
|
||||
print(yaml_text)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -1916,7 +1916,6 @@ apt_install: {}
|
||||
apt_install_state: latest
|
||||
|
||||
apt_remove:
|
||||
- rpcbind
|
||||
- apt-transport-tor
|
||||
- tor
|
||||
- tor-geoipdb
|
||||
@@ -3201,6 +3200,9 @@ samba_user: []
|
||||
|
||||
base_home: /home
|
||||
|
||||
# include vfs object 'virusfilter' to (private) homes shares
|
||||
samba_homes_virusfilter: false
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
---
|
||||
# ipt-firewall configuration for a.mx.oopen.de
|
||||
# Generated by extract-fw-host-vars.py - review before committing!
|
||||
# Place in: host_vars/<hostname>/ipt_firewall.yml
|
||||
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Network
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
fw_ext_ips_v4:
|
||||
- "95.217.204.247"
|
||||
fw_ext_ips_v6:
|
||||
- "2a01:4f9:4a:47e5::247"
|
||||
|
||||
# --- Munin
|
||||
munin_remote_ipv4: 37.27.121.227
|
||||
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
|
||||
|
||||
# --- HTTP
|
||||
fw_http_server_ips: $ext_1_ip
|
||||
|
||||
# --- Mail
|
||||
fw_smtpd_ips: $ext_1_ip
|
||||
fw_mail_server_ips: $ext_1_ip
|
||||
fw_mail_client_ips: $ext_1_ip
|
||||
fw_dovecot_auth_service: true
|
||||
|
||||
# - meet.oopen.de -> 159.69.74.155
|
||||
# - meet.akweb.de -> 148.251.14.136
|
||||
# - jo.oopen.de -> 94.16.115.62
|
||||
# -
|
||||
# - meet.akweb.de -> 2a01:4f8:201:7389::136
|
||||
# - meet.oopen.de -> 2a01:4f8:231:19a7::155
|
||||
fw_dovecot_auth_allowed_networks_v4: 159.69.74.155 148.251.14.136 94.16.115.62
|
||||
fw_dovecot_auth_allowed_networks_v6: "2a01:4f8:231:19a7::155 2a01:4f8:201:7389::136"
|
||||
|
||||
# --- Jitsi
|
||||
fw_jitsi_dovecot_auth: true
|
||||
|
||||
# --- Rsync
|
||||
fw_rsync_out_ips: $ext_1_ip
|
||||
|
||||
# --- Protection / limits
|
||||
fw_per_IP_connection_limit: 250
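Review bot: Several values in this generated host_vars file are unresolved shell variable names carried over from the bash source config (`fw_http_server_ips: $ext_1_ip`, likewise `fw_smtpd_ips`, `fw_mail_server_ips`, `fw_mail_client_ips`, `fw_rsync_out_ips`), and nothing on this page shows how the role expands `$ext_1_ip`; if the role writes these back into a config where `ext_1_ip` is defined that is fine, but it should be stated in the file header, otherwise they should be replaced with the concrete address listed under `fw_ext_ips_v4`. The file also mixes representations for address sets: `fw_ext_ips_v4` is a YAML list while `fw_dovecot_auth_allowed_networks_v4: 159.69.74.155 148.251.14.136 94.16.115.62` is a space-separated scalar, which makes the allow list harder to validate and to diff. The header says "review before committing", so this is that review. The same two points apply to the generated files for a.ns.oopen.de (`@@ -0,0 +1,27 @@`, `$ext_ips`, `fw_blocked_ips`), backup.oopen.de (`@@ -0,0 +1,39 @@`, `fw_tcp_out_ports`) and cl-01.oopen.de (second `@@ -0,0 +1,27 @@`).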
|
||||
@@ -0,0 +1,27 @@
|
||||
---
|
||||
# ipt-firewall configuration for a.ns.oopen.de
|
||||
# Generated by extract-fw-host-vars.py - review before committing!
|
||||
# Place in: host_vars/<hostname>/ipt_firewall.yml
|
||||
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Network
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
fw_ext_ips_v4:
|
||||
- "195.201.179.131"
|
||||
fw_ext_ips_v6:
|
||||
- "2a01:4f8:231:19a7::131"
|
||||
|
||||
# --- Munin
|
||||
munin_remote_ipv4: 37.27.121.227
|
||||
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
|
||||
|
||||
# --- DNS
|
||||
fw_dns_server_ips: $ext_ips
|
||||
|
||||
# --- VPN / WireGuard
|
||||
fw_wireguard_server_ips: $ext_ips
|
||||
|
||||
# --- Block
|
||||
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
|
||||
@@ -0,0 +1,142 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_dependencies
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_user
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/basic.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sshd.yml
|
||||
# ---
|
||||
|
||||
sshd_permit_root_login: !!str "prohibit-password"
|
||||
|
||||
# ---
|
||||
# vars used by apt.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/systemd-resolved.yml
|
||||
# ---
|
||||
|
||||
systemd_resolved: true
|
||||
|
||||
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
|
||||
# Primäre DNS-Adresse: 38.132.106.139
|
||||
# Sekundäre DNS-Adresse: 194.187.251.67
|
||||
#
|
||||
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 1.1.1.1
|
||||
# IPv6: 2606:4700:4700::1111
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 1.0.0.1
|
||||
# IPv6: 2606:4700:4700::1001
|
||||
#
|
||||
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 8.8.8.8
|
||||
# IPv6: 2001:4860:4860::8888
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 8.8.4.4
|
||||
# IPv6: 2001:4860:4860::8844
|
||||
#
|
||||
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 9.9.9.9
|
||||
# IPv6: 2620:fe::fe
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 149.112.112.112
|
||||
# IPv6: 2620:fe::9
|
||||
#
|
||||
# OpenNIC - https://www.opennic.org/
|
||||
# IPv4: 195.10.195.195 - ns31.de
|
||||
# IPv4: 94.16.114.254 - ns28.de
|
||||
# IPv4: 51.254.162.59 - ns9.de
|
||||
# IPv4: 194.36.144.87 - ns29.de
|
||||
# IPv6: 2a00:f826:8:2::195 - ns31.de
|
||||
#
|
||||
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
||||
# IPv4: 5.1.66.255
|
||||
# IPv6: 2001:678:e68:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# IPv4: 185.150.99.255
|
||||
# IPv6: 2001:678:ed0:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
|
||||
resolved_nameserver:
|
||||
- 185.12.64.2
|
||||
- 2a01:4ff:ff00::add:1
|
||||
- 2a01:4ff:ff00::add:2
|
||||
- 185.12.64.1
|
||||
|
||||
# search domains
|
||||
#
|
||||
# If there are more than one search domains, then specify them here in the order in which
|
||||
# the resolver should also search them
|
||||
#
|
||||
#resolved_domains: []
|
||||
resolved_domains:
|
||||
- ~.
|
||||
- oopen.de
|
||||
|
||||
resolved_dnssec: false
|
||||
|
||||
# dns.as250.net: 194.150.168.168
|
||||
#
|
||||
resolved_fallback_nameserver:
|
||||
- 194.150.168.168
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users-systemfiles.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/webadmin-user.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sudoers.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/caching-nameserver.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/git.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
|
||||
# ==============================
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by scripts/reset_root_passwd.yml
|
||||
# ---
|
||||
|
||||
@@ -163,6 +163,127 @@ resolved_fallback_nameserver:
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/nfs.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/samba-config-server.yml
|
||||
# vars used by roles/common/tasks/samba-user.yml
|
||||
# ---
|
||||
|
||||
samba_server_ip: 192.168.52.10
|
||||
samba_server_cidr_prefix: 24
|
||||
|
||||
samba_workgroup: WF
|
||||
|
||||
samba_netbios_name: ANITA
|
||||
|
||||
samba_groups:
|
||||
- name: users
|
||||
group_id: 100
|
||||
- name: archive
|
||||
group_id: 1020
|
||||
- name: intern
|
||||
group_id: 1030
|
||||
|
||||
samba_user:
|
||||
|
||||
- name: annette
|
||||
groups:
|
||||
- users
|
||||
- intern
|
||||
password: '20.18-annette%'
|
||||
|
||||
- name: axel
|
||||
groups:
|
||||
- archive
|
||||
- users
|
||||
- intern
|
||||
password: 'axel123'
|
||||
|
||||
- name: chris
|
||||
groups:
|
||||
- users
|
||||
- archive
|
||||
- intern
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63643330373231636537366333326630333265303265653933613835656262323863363038653234
|
||||
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
|
||||
61313164643061306433643738643563303036646334376536626531383965303036386162393832
|
||||
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
|
||||
3631
|
||||
|
||||
- name: kaya
|
||||
groups:
|
||||
- users
|
||||
- intern
|
||||
password: 'kaya123'
|
||||
|
||||
- name: lalix
|
||||
groups:
|
||||
- users
|
||||
- intern
|
||||
password: 'lalix123'
|
||||
|
||||
- name: mariette
|
||||
groups:
|
||||
- users
|
||||
- intern
|
||||
password: 'mariette123'
|
||||
|
||||
- name: sysadm
|
||||
groups:
|
||||
- users
|
||||
- archive
|
||||
- intern
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31306162383164643133623335323736323837613435333430363336353032323565633130353733
|
||||
3363646437363062313763636333356436666331396131370a393762363931626166326530373261
|
||||
62616332643232663432613662646134613539323861383436636364633562646138646538343863
|
||||
6530336565363934330a363063653533396666373730663062363633363634363337323039363231
|
||||
3130
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
samba_shares:
|
||||
|
||||
- name: archiv
|
||||
path: /data/samba/archiv
|
||||
group_valid_users: users
|
||||
group_write_list: archive
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
- name: daten2
|
||||
path: /data/samba/daten2
|
||||
group_valid_users: users
|
||||
group_write_list: users
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
- name: verwaltung
|
||||
path: /data/samba/archiv
|
||||
group_valid_users: intern
|
||||
group_write_list: intern
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
# ==============================
|
||||
|
||||
|
||||
|
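Review bot: Five of the seven `samba_user` entries added in this hunk carry their password in cleartext (annette, axel, kaya, lalix, mariette, e.g. `password: 'axel123'`) while `chris` and `sysadm` in the same list use `!vault`; the cleartext ones should be encrypted the same way (`ansible-vault encrypt_string`) before this lands, and because the values are already in the commit history they should be rotated rather than just vaulted, with the `<name>123` values in particular looking like initial passwords that were never changed. The `verwaltung` share also points at `path: /data/samba/archiv`, the same directory as the `archiv` share, but with `group_write_list: intern` instead of `archive`; if that is a copy-paste slip (expected `/data/samba/verwaltung`) it silently gives `intern` write access to the archive data, so please confirm the path. The same cleartext-password pattern appears in the `samba_user` hunks at `@@ -446,6 +446,12 @@` (`nano.nowak`) and `@@ -495,6 +495,11 @@` (`jovis`).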
||||
@@ -270,10 +270,10 @@ samba_user:
|
||||
- technik
|
||||
password: 'aS2ifv2.d-FI'
|
||||
|
||||
|
||||
|
||||
base_home: /data/home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -291,6 +291,7 @@ samba_shares:
|
||||
group_write_list: alle
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -311,6 +312,7 @@ samba_shares:
|
||||
group_write_list: redakteure
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -321,6 +323,7 @@ samba_shares:
|
||||
group_write_list: technik
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -331,6 +334,7 @@ samba_shares:
|
||||
group_write_list: alle
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -257,6 +257,7 @@ default_user:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmfp+4waTzHxdT5TaxAMsIPDDwNe8Dwuif1jL+9v9GP root@a.mx'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBIyXel+KOTLB6VB2xJwyWaZc0KuCJzocwlziFdovCl root@a.ns'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGi22vcCilahX9KwbqcF8/D0RnzQXvgzTUFTmRHNJsBZ root@anabaena'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5xyeZBGQn4Iz5iV2DMBVll/6n/X0JuoPMDpc8D32ra root@ak-plan'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU1InXFKZX9emaT5QsY4Nr0tr8CzbyV8Js8RzZC9vGk root@b.mx'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPo7hI8oIS+/xufCUNTTgNoz592udJaU+79L0uADzKJY root@b.ns'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
|
||||
@@ -272,6 +273,7 @@ default_user:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjr0aBl2KQTJnlVK03DOs0u+IXSon4VewwAzzSBsmVW root@cl-lubax'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhwPCxVHqABXzyXwVuqbH703RCU0N+SC/cx4TuoHhGU root@cl-nd'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp6BXQ/v/Hf/IJnI0JIS96RC4NGDMFUbwyW8nH3Xq66 root@cl-ndm'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test'
|
||||
@@ -319,7 +321,8 @@ default_user:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcgS05xGLPuECQ7E5zjzfSDxdFBO1mAjkSV2bktxld+ root@o23'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28-FM-BAK'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyLS+kyfMX0hlv0rMmGyG6huvuqZlEOOf007xuI6io0 root@o28'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
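Review bot: The `root@o28-FM-BAK` line carries exactly the same ed25519 key as the first `root@o28` entry, and a second `root@o28` entry with a different key follows it; given the 7→8 line count this looks like o28 was re-keyed and the old key kept under a new label. If the old o28 installation is gone, the retained key is a dead credential that still grants `default_user` access on every host consuming this list and should be dropped; if it is a live backup machine, it should get its own key pair so the two can be revoked independently. A comment above the entry, e.g. `# old o28 host key kept for <reason>; remove by <date placeholder>`, would make the intent auditable.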
|
||||
@@ -339,6 +342,7 @@ default_user:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObY/MOgF4QVWROrQCaKCfBOfAwKVcja3q7Ngwo1MEDt root@psono-ndm'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbeMf/CvAYIU/4UW8Ql59FgPo/3vcZ3vI3QzK2kOadE root@srv-cityslang'
|
||||
|
||||
@@ -0,0 +1,39 @@
|
||||
---
|
||||
# ipt-firewall configuration for backup.oopen.de
|
||||
# Generated by extract-fw-host-vars.py - review before committing!
|
||||
# Place in: host_vars/<hostname>/ipt_firewall.yml
|
||||
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Network
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
fw_ext_ips_v4:
|
||||
- "37.27.121.218"
|
||||
fw_ext_ips_v6:
|
||||
- "2a01:4f9:3070:2bda::218"
|
||||
|
||||
# --- Munin
|
||||
munin_remote_ipv4: 37.27.121.227
|
||||
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
|
||||
|
||||
# --- Access control IPv4
|
||||
fw_allow_ext_service_v4: "138.201.17.150:1036:tcp o32.oopen.de:2222:tcp"
|
||||
|
||||
# --- Access control IPv6
|
||||
fw_allow_ext_service_v6: "2a01:4f8:171:2895::2,1036,tcp o32.oopen.de,2222,tcp"
|
||||
|
||||
# --- HTTP
|
||||
fw_http_server_ips: $ext_ips
|
||||
|
||||
# --- Out ports
|
||||
# -
|
||||
# - TCP Ports
|
||||
# -
|
||||
# - ssh port k1371.dyndns.org: 51372
|
||||
# - ssh port k1371.homelinux.org: 51374
|
||||
# -
|
||||
fw_tcp_out_ports: 51372 51374
|
||||
|
||||
# --- Block
|
||||
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
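Review bot: `fw_allow_ext_service_v4` and `fw_allow_ext_service_v6` reference one peer by hostname (`o32.oopen.de:2222:tcp` / `o32.oopen.de,2222,tcp`); if the role hands these to iptables unchanged, the name is resolved once when the ruleset is loaded, so the rule depends on DNS being available at boot and silently keeps a stale address after a DNS change. Using the concrete address, as the other peer on the same line (`138.201.17.150`) already does, or noting the resolve-at-load behaviour in a comment, would be safer. The v4 string uses `:` and the v6 string `,` as field separator, presumably because IPv6 literals contain colons; a one-line comment saying so would stop the next editor from "fixing" one of them.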
|
||||
@@ -321,6 +321,8 @@ samba_user:
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -337,6 +339,7 @@ samba_shares:
|
||||
guest_ok: !!str no
|
||||
writeable: !!str no
|
||||
group_valid_users: buero
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: false
|
||||
|
||||
- name: bhoch3
|
||||
@@ -345,6 +348,7 @@ samba_shares:
|
||||
group_write_list: buero
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -354,6 +358,7 @@ samba_shares:
|
||||
group_write_list: 'team'
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -363,6 +368,7 @@ samba_shares:
|
||||
group_write_list: 'praktikant'
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -373,6 +379,7 @@ samba_shares:
|
||||
group_write_list: fnr
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -382,6 +389,7 @@ samba_shares:
|
||||
group_write_list: buero
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -392,6 +400,7 @@ samba_shares:
|
||||
group_write_list: gs
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -402,6 +411,7 @@ samba_shares:
|
||||
group_write_list: gf
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -412,6 +422,7 @@ samba_shares:
|
||||
group_write_list: matthias
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
---
|
||||
# ipt-firewall configuration for cl-01.oopen.de
|
||||
# Generated by extract-fw-host-vars.py - review before committing!
|
||||
# Place in: host_vars/<hostname>/ipt_firewall.yml
|
||||
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Network
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
fw_ext_ips_v4:
|
||||
- "162.55.82.74"
|
||||
fw_ext_ips_v6:
|
||||
- "2a01:4f8:271:1266::74"
|
||||
|
||||
# --- Munin
|
||||
munin_remote_ipv4: 37.27.121.227
|
||||
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
|
||||
|
||||
# --- HTTP
|
||||
fw_http_server_ips: $ext_1_ip
|
||||
|
||||
# --- Mail
|
||||
fw_mail_client_ips: $ext_1_ip
|
||||
|
||||
# --- Block
|
||||
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
|
||||
@@ -0,0 +1,235 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_dependencies
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_user
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/basic.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sshd.yml
|
||||
# ---
|
||||
|
||||
sshd_permit_root_login: !!str "prohibit-password"
|
||||
|
||||
# ---
|
||||
# vars used by apt.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/systemd-resolved.yml
|
||||
# ---
|
||||
|
||||
systemd_resolved: true
|
||||
|
||||
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
|
||||
# Primäre DNS-Adresse: 38.132.106.139
|
||||
# Sekundäre DNS-Adresse: 194.187.251.67
|
||||
#
|
||||
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 1.1.1.1
|
||||
# IPv6: 2606:4700:4700::1111
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 1.0.0.1
|
||||
# IPv6: 2606:4700:4700::1001
|
||||
#
|
||||
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 8.8.8.8
|
||||
# IPv6: 2001:4860:4860::8888
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 8.8.4.4
|
||||
# IPv6: 2001:4860:4860::8844
|
||||
#
|
||||
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 9.9.9.9
|
||||
# IPv6: 2620:fe::fe
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 149.112.112.112
|
||||
# IPv6: 2620:fe::9
|
||||
#
|
||||
# OpenNIC - https://www.opennic.org/
|
||||
# IPv4: 195.10.195.195 - ns31.de
|
||||
# IPv4: 94.16.114.254 - ns28.de
|
||||
# IPv4: 51.254.162.59 - ns9.de
|
||||
# IPv4: 194.36.144.87 - ns29.de
|
||||
# IPv6: 2a00:f826:8:2::195 - ns31.de
|
||||
#
|
||||
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
||||
# IPv4: 5.1.66.255
|
||||
# IPv6: 2001:678:e68:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# IPv4: 185.150.99.255
|
||||
# IPv6: 2001:678:ed0:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
|
||||
resolved_nameserver:
|
||||
- 185.12.64.2
|
||||
- 185.12.64.1
|
||||
- 2a01:4ff:ff00::add:2
|
||||
- 2a01:4ff:ff00::add:1
|
||||
|
||||
# search domains
|
||||
#
|
||||
# If there are more than one search domains, then specify them here in the order in which
|
||||
# the resolver should also search them
|
||||
#
|
||||
#resolved_domains: []
|
||||
resolved_domains:
|
||||
- ~.
|
||||
- oopen.de
|
||||
|
||||
resolved_dnssec: false
|
||||
|
||||
# dns.as250.net: 194.150.168.168
|
||||
#
|
||||
resolved_fallback_nameserver:
|
||||
- 194.150.168.168
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/cron.yml
|
||||
# ---
|
||||
|
||||
cron_env_entries:
|
||||
- name: PATH
|
||||
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
- name: SHELL
|
||||
job: /bin/bash
|
||||
insertafter: PATH
|
||||
|
||||
|
||||
cron_user_special_time_entries:
|
||||
|
||||
- name: "Restart DNS Cache service 'systemd-resolved'"
|
||||
special_time: reboot
|
||||
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
|
||||
insertafter: PATH
|
||||
|
||||
|
||||
cron_user_entries:
|
||||
|
||||
- name: "Check if webservices sre running. Restart if necessary"
|
||||
minute: '*/5'
|
||||
hour: '*'
|
||||
job: /root/bin/monitoring/check_webservice_load.sh
|
||||
|
||||
- name: "Check if SSH service is running. Restart service if needed."
|
||||
minute: '*/5'
|
||||
hour: '*'
|
||||
job: /root/bin/monitoring/check_ssh.sh
|
||||
|
||||
- name: "Check if Postfix Mailservice is up and running?"
|
||||
minute: '*/15'
|
||||
hour: '*'
|
||||
job: /root/bin/monitoring/check_postfix.sh
|
||||
|
||||
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
|
||||
minute: '*/5'
|
||||
hour: '*'
|
||||
job: /root/bin/postfix/check-postfix-fatal-errors.sh
|
||||
|
||||
- name: "Optimize mysql tables"
|
||||
minute: '53'
|
||||
hour: '04'
|
||||
job: /root/bin/mysql/optimize_mysql_tables.sh
|
||||
|
||||
- name: "Flush query cache for mysql tables"
|
||||
minute: '27'
|
||||
hour: '04'
|
||||
job: /root/bin/mysql/flush_query_cache.sh
|
||||
|
||||
- name: "Flush Host cache"
|
||||
minute: '17'
|
||||
hour: '05'
|
||||
job: /root/bin/mysql/flush_host_cache.sh
|
||||
|
||||
- name: "Run occ file:scan for each cloud account"
|
||||
minute: '02'
|
||||
hour: '23'
|
||||
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
|
||||
|
||||
- name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
|
||||
minute: '*/15'
|
||||
hour: '*'
|
||||
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
|
||||
|
||||
- name: "Check if certificates for coolwsd service are up to date"
|
||||
minute: '17'
|
||||
hour: '05'
|
||||
job: /root/bin/nextcloud/check_cert_coolwsd.sh
|
||||
|
||||
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
|
||||
minute: '23'
|
||||
hour: '05'
|
||||
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
|
||||
|
||||
- name: "Check whether all certificates are included in the VHOST configurations"
|
||||
minute: '33'
|
||||
hour: '05'
|
||||
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users.yml
|
||||
# ---
|
||||
|
||||
sudo_users:
|
||||
- chris
|
||||
- sysadm
|
||||
- localadmin
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users-systemfiles.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/webadmin-user.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sudoers.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
sudoers_file_user_privileges:
|
||||
- name: back
|
||||
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/caching-nameserver.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/git.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
|
||||
# ==============================
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by scripts/reset_root_passwd.yml
|
||||
# ---
|
||||
|
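Review bot: The sudoers entry for `back` (`entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'`) names only the interpreter, so sudo accepts any arguments and the account can run arbitrary PHP as www-data, i.e. with full access to the Nextcloud installation under /var/www. If `back` only needs the invocation shown in `cron_user_entries`, pin the command and its arguments, e.g. `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php'`, or wrap the call in a dedicated script and allow only that. Separately, the cron entry name `"Check if webservices sre running. Restart if necessary"` has a typo (`sre` → `are`).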
||||
@@ -495,6 +495,11 @@ samba_user:
|
||||
- gubitz-partner
|
||||
password: '20.mal-te/26%'
|
||||
|
||||
- name: jovis
|
||||
groups:
|
||||
- intern
|
||||
password: '20.jo-vis_26!'
|
||||
|
||||
- name: hh-lucke
|
||||
groups: []
|
||||
password: 'Ole20Steffen_17'
|
||||
@@ -566,6 +571,8 @@ samba_user:
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -580,6 +587,7 @@ samba_shares:
|
||||
group_write_list: intern
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -589,6 +597,7 @@ samba_shares:
|
||||
group_write_list: verwaltung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -607,6 +616,7 @@ samba_shares:
|
||||
group_write_list: hoffmann-elberling
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -616,6 +626,7 @@ samba_shares:
|
||||
group_write_list: gubitz-partner
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -625,6 +636,7 @@ samba_shares:
|
||||
group_write_list: gubitz
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -634,6 +646,7 @@ samba_shares:
|
||||
group_write_list: install
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -296,6 +296,8 @@ samba_user:
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -311,6 +313,7 @@ samba_shares:
|
||||
group_write_list: buero
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -321,6 +324,7 @@ samba_shares:
|
||||
group_write_list: verwaltung
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -446,6 +446,12 @@ samba_user:
|
||||
- verwaltung
|
||||
password: '20-mar1o.fr31dank-24+'
|
||||
|
||||
- name: nano.nowak
|
||||
groups:
|
||||
- projekte
|
||||
- team
|
||||
password: '20-n4n0.n0w4k.26!'
|
||||
|
||||
- name: olaf.stuve
|
||||
groups:
|
||||
- projekte
|
||||
@@ -525,6 +531,8 @@ samba_user:
|
||||
|
||||
base_home: /data/home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
remove_samba_users: []
|
||||
#remove_samba_users:
|
||||
# - name: sebastian.scheele
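Review bot: `remove_samba_users: []` is the live value while the removal of `sebastian.scheele` exists only in the commented-out lines below it, so if that account was ever created it stays on the server. If the user should be gone, put it in the active list (`remove_samba_users:` / `  - name: sebastian.scheele`) so the role performs the removal, and drop the commented block once it has been applied.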
|
||||
@@ -540,6 +548,7 @@ samba_shares:
|
||||
group_write_list: gf
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -550,6 +559,7 @@ samba_shares:
|
||||
group_write_list: projekte
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -560,6 +570,7 @@ samba_shares:
|
||||
group_write_list: team
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -570,6 +581,7 @@ samba_shares:
|
||||
group_write_list: verwaltung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -436,10 +436,11 @@ samba_user:
|
||||
- recherche
|
||||
password: 'me-ebs_2022.!'
|
||||
|
||||
|
||||
|
||||
base_home: /data/home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -455,6 +456,7 @@ samba_shares:
|
||||
group_write_list: alle
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle.Bin'
|
||||
|
||||
@@ -465,6 +467,7 @@ samba_shares:
|
||||
group_write_list: akten
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle.Bin'
|
||||
|
||||
@@ -475,6 +478,7 @@ samba_shares:
|
||||
group_write_list: archiv
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle.Bin'
|
||||
|
||||
@@ -485,6 +489,7 @@ samba_shares:
|
||||
group_write_list: kanzlei
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle.Bin'
|
||||
|
||||
@@ -495,6 +500,7 @@ samba_shares:
|
||||
group_write_list: recherche
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle.Bin'
|
||||
|
||||
@@ -519,6 +525,7 @@ samba_shares:
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
guest_ok: !!str yes
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: false
|
||||
|
||||
|
||||
@@ -546,6 +553,7 @@ samba_shares:
|
||||
group_write_list: alle
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: false
|
||||
|
||||
|
||||
|
||||
@@ -708,9 +708,10 @@ samba_user:
|
||||
- fhxb-sammlungen
|
||||
password: 'n7I.fSsR-9vv'
|
||||
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -728,6 +729,7 @@ samba_shares:
|
||||
group_write_list: administration
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
|
||||
- name: Altlasten
|
||||
@@ -737,6 +739,7 @@ samba_shares:
|
||||
group_write_list: altlasten
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
|
||||
- name: Archiv
|
||||
@@ -746,6 +749,7 @@ samba_shares:
|
||||
group_write_list: archiv
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -756,6 +760,7 @@ samba_shares:
|
||||
group_write_list: ausstellungen
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -766,6 +771,7 @@ samba_shares:
|
||||
group_write_list: buero
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -776,6 +782,7 @@ samba_shares:
|
||||
group_write_list: forschung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -786,6 +793,7 @@ samba_shares:
|
||||
group_write_list: gedenken-im-stadtraum
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -796,6 +804,7 @@ samba_shares:
|
||||
group_write_list: intern
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -806,6 +815,7 @@ samba_shares:
|
||||
group_write_list: leitung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -816,6 +826,7 @@ samba_shares:
|
||||
group_write_list: museum-organisation
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -826,6 +837,7 @@ samba_shares:
|
||||
group_write_list: presse-orga-oeffentlichkeit
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -836,6 +848,7 @@ samba_shares:
|
||||
group_write_list: projekte
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -846,6 +859,7 @@ samba_shares:
|
||||
group_write_list: publikationen
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -856,6 +870,7 @@ samba_shares:
|
||||
group_write_list: stolpersteine
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -866,6 +881,7 @@ samba_shares:
|
||||
group_write_list: team
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -876,6 +892,7 @@ samba_shares:
|
||||
group_write_list: technik
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -886,6 +903,7 @@ samba_shares:
|
||||
group_write_list: vze
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -896,6 +914,7 @@ samba_shares:
|
||||
group_write_list: veranstaltungen
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -906,6 +925,7 @@ samba_shares:
|
||||
group_write_list: vermietung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -916,6 +936,7 @@ samba_shares:
|
||||
group_write_list: vermittlung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -926,6 +947,7 @@ samba_shares:
|
||||
group_write_list: fhxb-bildarchiv
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -936,6 +958,7 @@ samba_shares:
|
||||
group_write_list: fhxb-sammlungen
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -473,6 +473,8 @@ samba_user:
|
||||
|
||||
base_home: /data/home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -491,6 +493,7 @@ samba_shares:
|
||||
group_write_list: buero
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -501,6 +504,7 @@ samba_shares:
|
||||
group_write_list: projekte
|
||||
file_create_mask: !!str 664
|
||||
dir_create_mask: !!str 2775
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -511,6 +515,7 @@ samba_shares:
|
||||
group_write_list: verwaltung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
|
||||
@@ -24,7 +24,7 @@ network_interfaces:
|
||||
|
||||
- device: br0
|
||||
# use only once per device (for the first device entry)
|
||||
headline: br0 - bridge over device eno1np0
|
||||
headline: br0 - bridge over device enp97s0
|
||||
|
||||
# auto & allow are only used for the first device entry
|
||||
allow: [] # array of allow-[stanzas] eg. allow-hotplug
|
||||
@@ -33,7 +33,7 @@ network_interfaces:
|
||||
family: inet
|
||||
method: static
|
||||
description:
|
||||
address: 192.168.122.210
|
||||
address: 192.168.122.215
|
||||
netmask: 24
|
||||
gateway: 192.168.122.254
|
||||
|
||||
@@ -53,7 +53,7 @@ network_interfaces:
|
||||
# maxwait:
|
||||
# waitport:
|
||||
bridge:
|
||||
ports: eno1np0 # for mor devices support a blank separated list
|
||||
ports: enp97s0 # for mor devices support a blank separated list
|
||||
stp: !!str off
|
||||
fd: 5
|
||||
hello: 2
|
||||
@@ -61,7 +61,7 @@ network_interfaces:
|
||||
|
||||
# inline hook scripts
|
||||
pre-up:
|
||||
- !!str "ip link set dev eno1np0 up" # pre-up script lines
|
||||
- !!str "ip link set dev enp97s0 up" # pre-up script lines
|
||||
up: [] #up script lines
|
||||
post-up: [] # post-up script lines (alias for up)
|
||||
pre-down: [] # pre-down script lines (alias for down)
|
||||
@@ -93,13 +93,6 @@ network_interfaces:
|
||||
# vars used by roles/common/tasks/apt.yml
|
||||
# ---
|
||||
|
||||
apt_install_extra_pkgs:
|
||||
- lvm2
|
||||
- kpartx
|
||||
- ntfs-3g
|
||||
- swtpm
|
||||
- swtpm-tools
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/systemd-resolved.yml
|
||||
@@ -226,56 +219,6 @@ cron_user_entries:
|
||||
# vars used by roles/common/tasks/users.yml
|
||||
# ---
|
||||
|
||||
extra_user:
|
||||
|
||||
- name: advoware
|
||||
user_id: 1115
|
||||
group_id: 1115
|
||||
group: advoware
|
||||
home: / data/home/advoware
|
||||
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
|
||||
shell: /bin/bash
|
||||
ssh_keys:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
||||
|
||||
- name: a-jur
|
||||
user_id: 1110
|
||||
group_id: 1110
|
||||
group: a-jur
|
||||
home: / data/home/a-jur
|
||||
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
|
||||
shell: /bin/bash
|
||||
ssh_keys:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
||||
|
||||
- name: back
|
||||
user_id: 1060
|
||||
group_id: 1060
|
||||
group: back
|
||||
home: /home/back
|
||||
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
|
||||
shell: /bin/bash
|
||||
ssh_keys:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
|
||||
|
||||
- name: borg
|
||||
user_id: 1065
|
||||
group_id: 1065
|
||||
group: borg
|
||||
home: /home/borg
|
||||
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
|
||||
shell: /bin/bash
|
||||
ssh_keys:
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsqkTV7RiYPljwlP/MZA+MBeTgiwZI7oCAD77Ujpm1V root@file-km'
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOan+hwlA8B3mk82tsvL1LGlejrF5pqT2J3POrg/QJLX root@gw-km'
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users-systemfiles.yml
|
||||
# ---
|
||||
@@ -312,12 +255,12 @@ sudoers_file_user_back_mount_privileges:
|
||||
# vars used by roles/common/tasks/samba-user.yml
|
||||
# ---
|
||||
|
||||
samba_server_ip: 192.168.122.210
|
||||
samba_server_ip: 192.168.122.215
|
||||
samba_server_cidr_prefix: 24
|
||||
|
||||
samba_workgroup: ANW-KM
|
||||
samba_workgroup: WORKGROUP
|
||||
|
||||
samba_netbios_name: FILE-KM-01
|
||||
samba_netbios_name: FILE-KM-ALT
|
||||
|
||||
samba_server_min_protocol: !!str NT1
|
||||
|
||||
@@ -326,16 +269,12 @@ samba_groups:
|
||||
group_id: 1100
|
||||
- name: a-jur
|
||||
group_id: 1110
|
||||
- name: advoware
|
||||
group_id: 1115
|
||||
- name: intern
|
||||
group_id: 1120
|
||||
- name: wildvang
|
||||
group_id: 1130
|
||||
#- name: aulmann
|
||||
# group_id: 1130
|
||||
#- name: howe
|
||||
# group_id: 1140
|
||||
- name: eibelshaeuser
|
||||
group_id: 1140
|
||||
- name: stahmann
|
||||
group_id: 1150
|
||||
- name: traine
|
||||
@@ -344,6 +283,8 @@ samba_groups:
|
||||
group_id: 1170
|
||||
- name: alle
|
||||
group_id: 1180
|
||||
- name: install
|
||||
group_id: 1190
|
||||
|
||||
|
||||
|
||||
@@ -352,108 +293,31 @@ samba_user:
|
||||
- name: advoware
|
||||
groups:
|
||||
- advoware
|
||||
has_rdp: false
|
||||
password: '9WNRbc49m3'
|
||||
|
||||
- name: a-jur
|
||||
groups:
|
||||
- a-jur
|
||||
- alle
|
||||
- intern
|
||||
- kanzlei
|
||||
has_rdp: false
|
||||
password: 'a-jur'
|
||||
|
||||
- name: andrea
|
||||
groups:
|
||||
- advoware
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: 'fXc3bmK9gj'
|
||||
|
||||
- name: andreas
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- kanzlei
|
||||
password: 'YKQRa.M9-6rL'
|
||||
|
||||
- name: aphex2
|
||||
groups:
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: 'J3KMRprK9H'
|
||||
|
||||
- name: berenice
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'berenice'
|
||||
|
||||
- name: beuster
|
||||
groups:
|
||||
- advoware
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
- alle
|
||||
password: 'zlm17Kx'
|
||||
|
||||
- name: buero
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'buero'
|
||||
|
||||
- name: buero2
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'buero2'
|
||||
|
||||
- name: buero3
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'buero3'
|
||||
|
||||
- name: buero4
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'buero4'
|
||||
|
||||
- name: buero7
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
password: 'buero7'
|
||||
|
||||
- name: chris
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- intern
|
||||
- install
|
||||
- kanzlei
|
||||
- eibelshaeuser
|
||||
- stahmann
|
||||
- traine
|
||||
- wildvang
|
||||
- public
|
||||
has_rdp: true
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
30383265366434633965346530666535363761396165393434643665393137353765653739636364
|
||||
@@ -462,14 +326,202 @@ samba_user:
|
||||
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
|
||||
3430
|
||||
|
||||
- name: christina
|
||||
- name: sysadm
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- intern
|
||||
- install
|
||||
- kanzlei
|
||||
- eibelshaeuser
|
||||
- stahmann
|
||||
- traine
|
||||
- wildvang
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'Ax_GSHh5'
|
||||
|
||||
- name: winadm
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- intern
|
||||
- install
|
||||
- kanzlei
|
||||
- eibelshaeuser
|
||||
- stahmann
|
||||
- traine
|
||||
- wildvang
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'Ax_GSHh5'
|
||||
|
||||
# ---
|
||||
# Andreas Eibelhäuser
|
||||
# ---
|
||||
|
||||
- name: andreas
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- eibelshaeuser
|
||||
- public
|
||||
has_rdp: true
|
||||
password: 'YKQRa.M9-6rL'
|
||||
|
||||
- name: philipp
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- eibelshaeuser
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20-phi.lip.26%'
|
||||
|
||||
- name: ref.eibelshaeuser
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- eibelshaeuser
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20-ref-eibels.haeuser.26+'
|
||||
|
||||
# ---
|
||||
# Berenice Böhlo
|
||||
# ---
|
||||
|
||||
- name: berenice
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: true
|
||||
password: 'berenice'
|
||||
|
||||
- name: annabel
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20+an-na.bel/26!'
|
||||
|
||||
- name: jens-uwe
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '20_jens-uwe.thomas.26!'
|
||||
|
||||
- name: mariami
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '20.ma-ri-ami/26!'
|
||||
|
||||
- name: nina
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20-ni.ha-ger%26%'
|
||||
|
||||
- name: zeina
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
- wildvang
|
||||
has_rdp: true
|
||||
password: '20/ze.ina-26+'
|
||||
|
||||
- name: rm-buero1
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- a-jur
|
||||
- kanzlei
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '20+rm.buero-1/26!'
|
||||
|
||||
- name: rm-buero2
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- a-jur
|
||||
- kanzlei
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '20_rmbuero.2-26%'
|
||||
|
||||
# ---
|
||||
# Rolf Stahmann
|
||||
# ---
|
||||
|
||||
- name: irina
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: 'qvR7zX4Lhs'
|
||||
has_rdp: false
|
||||
password: 'W9NKv39pXW'
|
||||
|
||||
- name: rolf
|
||||
groups:
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '4xNVNFXgP4'
|
||||
|
||||
- name: Tresen
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- kanzlei
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'maltzwo2'
|
||||
|
||||
# ---
|
||||
# Federico Traine
|
||||
# ---
|
||||
|
||||
- name: andrea
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: 'fXc3bmK9gj'
|
||||
|
||||
- name: federico
|
||||
groups:
|
||||
@@ -478,8 +530,147 @@ samba_user:
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: 'zHfj9g3NcC'
|
||||
|
||||
- name: thomas
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '55-tho-mas-550'
|
||||
|
||||
- name: leonora
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20/le-o-nora.26!'
|
||||
|
||||
- name: kristin
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20.kris_tin-26/'
|
||||
|
||||
- name: jule
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
- public
|
||||
has_rdp: true
|
||||
password: '20_ju-le%26!'
|
||||
|
||||
- name: luanda
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '20-lu.anda+26!'
|
||||
|
||||
# ---
|
||||
# Wiebke Wildvang
|
||||
# ---
|
||||
|
||||
- name: wiebke
|
||||
groups:
|
||||
- alle
|
||||
- wildvang
|
||||
- public
|
||||
has_rdp: true
|
||||
password: 'uJ5gF/m53p.P'
|
||||
|
||||
|
||||
|
||||
- name: aphex2
|
||||
groups:
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'J3KMRprK9H'
|
||||
|
||||
- name: beuster
|
||||
groups:
|
||||
- advoware
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
- alle
|
||||
has_rdp: false
|
||||
password: 'zlm17Kx'
|
||||
|
||||
- name: buero
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'buero'
|
||||
|
||||
- name: buero2
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'buero2'
|
||||
|
||||
- name: buero3
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'buero3'
|
||||
|
||||
- name: buero4
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'buero4'
|
||||
|
||||
- name: buero7
|
||||
groups:
|
||||
- advoware
|
||||
- kanzlei
|
||||
- a-jur
|
||||
- alle
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'buero7'
|
||||
|
||||
- name: christina
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'qvR7zX4Lhs'
|
||||
|
||||
# - name: gerhard
|
||||
# groups:
|
||||
# - advoware
|
||||
@@ -495,6 +686,8 @@ samba_user:
|
||||
groups:
|
||||
- alle
|
||||
- stahmann
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '44-Ro-440'
|
||||
|
||||
# - name: howe-staff-1
|
||||
@@ -505,15 +698,6 @@ samba_user:
|
||||
# - howe
|
||||
# password: ''
|
||||
|
||||
- name: irina
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: 'W9NKv39pXW'
|
||||
|
||||
- name: jessica
|
||||
groups:
|
||||
- advoware
|
||||
@@ -521,6 +705,7 @@ samba_user:
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'bV3pjPtjkR'
|
||||
|
||||
# - name: laura
|
||||
@@ -539,6 +724,7 @@ samba_user:
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'fndvLmrt7W'
|
||||
|
||||
- name: lenovo4
|
||||
@@ -548,6 +734,7 @@ samba_user:
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'tpCMmTKj7H'
|
||||
|
||||
- name: lenovo5
|
||||
@@ -557,6 +744,7 @@ samba_user:
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: 'L5Hannover51'
|
||||
|
||||
- name: lenovo6
|
||||
@@ -565,84 +753,15 @@ samba_user:
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
has_rdp: false
|
||||
password: '66koeln66'
|
||||
|
||||
- name: rm-buero1
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- a-jur
|
||||
- kanzlei
|
||||
password: ''
|
||||
|
||||
- name: rm-buero2
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- a-jur
|
||||
- kanzlei
|
||||
password: ''
|
||||
|
||||
- name: rolf
|
||||
groups:
|
||||
- alle
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: '4xNVNFXgP4'
|
||||
|
||||
- name: sysadm
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- intern
|
||||
- kanzlei
|
||||
- stahmann
|
||||
- traine
|
||||
- wildvang
|
||||
- public
|
||||
password: 'Ax_GSHh5'
|
||||
|
||||
- name: thomas
|
||||
groups:
|
||||
- advoware
|
||||
- alle
|
||||
- traine
|
||||
password: '55-tho-mas-550'
|
||||
|
||||
- name: Tresen
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- kanzlei
|
||||
- stahmann
|
||||
- traine
|
||||
- public
|
||||
password: 'maltzwo2'
|
||||
|
||||
- name: wiebke
|
||||
groups:
|
||||
- alle
|
||||
- wildvang
|
||||
- public
|
||||
password: 'uJ5gF/m53p.P'
|
||||
|
||||
- name: winadm
|
||||
groups:
|
||||
- a-jur
|
||||
- advoware
|
||||
- alle
|
||||
- intern
|
||||
- kanzlei
|
||||
- public
|
||||
password: 'Ax_GSHh5'
|
||||
|
||||
|
||||
|
||||
base_home: /data/home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
remove_samba_users:
|
||||
- name: howe-staff-1
|
||||
- name: gerhard
|
||||
@@ -681,12 +800,25 @@ samba_shares:
|
||||
- name: install
|
||||
comment: Install auf Fileserver
|
||||
path: /data/samba/no-backup-shares/install
|
||||
group_valid_users: intern
|
||||
group_write_list: intern
|
||||
group_valid_users: install
|
||||
group_write_list: install
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: false
|
||||
|
||||
- name: eibelshaeuser
|
||||
comment: Eibelshaeuser auf Fileserver
|
||||
path: /data/samba/eibelshaeuser
|
||||
group_valid_users: eibelshaeuser
|
||||
group_write_list: eibelshaeuser
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
vfs_object_recycle_is_visible: true
|
||||
|
||||
- name: wildvang
|
||||
comment: Wildvang auf Fileserver
|
||||
path: /data/samba/Wildvang
|
||||
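Review bot: The samba_user entries added in the `@@ -462,14 +326,202 @@ samba_user:` and `@@ -478,8 +530,147 @@ samba_user:` hunks (sysadm, winadm, philipp, ref.eibelshaeuser, annabel, jens-uwe, mariami, nina, zeina, rm-buero1/2, thomas, leonora, kristin, jule, luanda and the re-added buero* accounts) store the Samba password in cleartext, although the `chris` entry a few lines above them already uses `password: !vault |` with an `$ANSIBLE_VAULT;1.1;AES256` body; the new entries should use that same form (`ansible-vault encrypt_string --name password ...` produces it). Since this is a compare view spanning many commits, every value shown here is already part of the repository history and should be treated as disclosed and rotated once it has been vaulted. Among the re-added entries several use the account name as the password (buero, buero2, buero3, buero4, buero7, berenice) and sysadm and winadm share a single value, so those need a fresh credential rather than only encryption. The same point applies to the `@@ -446,6 +446,12 @@ samba_user:` hunk in the earlier file section (nano.nowak) and to the password lines that appear as context in the other host files on this page.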
+524
-285
@@ -21,13 +21,21 @@ network_interface_required_packages:
|
||||
|
||||
network_interfaces:
|
||||
|
||||
# - device: enp0s20f0
|
||||
# headline: enp0s20f0 - Uplink DSL via Fritz!Box
|
||||
# auto: true
|
||||
# family: inet
|
||||
# method: static
|
||||
# address: 172.16.112.1/24
|
||||
# gateway: 172.16.112.254
|
||||
|
||||
- device: enp0s20f0
|
||||
headline: enp0s20f0 - Uplink DSL via Fritz!Box
|
||||
headline: enp0s20f0 - Uplink
|
||||
auto: true
|
||||
family: inet
|
||||
method: static
|
||||
address: 172.16.112.1/24
|
||||
gateway: 172.16.112.254
|
||||
address: 217.6.72.202/30
|
||||
gateway: 217.6.72.201
|
||||
|
||||
|
||||
- device: enp0s20f1
|
||||
@@ -53,6 +61,14 @@ network_interfaces:
|
||||
method: static
|
||||
address: 192.168.113.254/24
|
||||
|
||||
|
||||
- device: enp0s20f1:ipmi
|
||||
headline: enp0s20f1:ipmi - Alias on enp0s20f1 (IPMI)
|
||||
auto: false
|
||||
family: inet
|
||||
method: static
|
||||
address: 172.16.112.254/24
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_dependencies
|
||||
# ---
|
||||
|
||||
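Review bot: The new enp0s20f0 block replaces the private 172.16.112.1/24 uplink with the public 217.6.72.202/30 address, so this interface is now Internet-facing; if the host's firewall variables key on an external interface name they should be updated in the same change to name enp0s20f0 (inferred — those variables are not in this hunk). The added `enp0s20f1:ipmi` alias in the `@@ -53,6 +61,14 @@` hunk carries `auto: false`, which presumably means it is not raised at boot; if IPMI reachability on 172.16.112.254 is expected after a reboot this should be `auto: true`, otherwise a comment stating that the alias is brought up manually would avoid confusion. The old Fritz!Box stanza is kept as a commented copy above the live block; a one-line comment such as `# previous DSL uplink via Fritz!Box, kept for rollback until <date>` would make its purpose clear, or it could be dropped now that the new uplink is in place.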
+49
-197
@@ -22,150 +22,21 @@ network_interface_required_packages:
|
||||
|
||||
network_interfaces:
|
||||
|
||||
# Many device configurations are possible (as many as needed)
|
||||
#
|
||||
- device: enp41s0
|
||||
- device: br0
|
||||
# use only once per device (for the first device entry)
|
||||
headline: enp41s0 - primary device
|
||||
headline: br0 - bridge over device eno1
|
||||
|
||||
# auto & allow are only used for the first entry of that devicei-name)
|
||||
#
|
||||
# auto & allow are only used for the first device entry
|
||||
allow: [] # array of allow-[stanzas] eg. allow-hotplug
|
||||
auto: true
|
||||
|
||||
family: inet
|
||||
|
||||
# The statisc Mode
|
||||
# Options
|
||||
# address <dotted quad address[/netmask]>
|
||||
# gateway <dotted quad address>
|
||||
# pointopoint <Address of other end point (dotted quad). Note the spelling of "point-to">
|
||||
# hwaddress <mac-address>
|
||||
# mtu <size>
|
||||
# scope <Address validity scope. Possible values: global, link, host>
|
||||
#
|
||||
# The manual Method
|
||||
# Options
|
||||
# hwaddress <mac-address>
|
||||
# mtu <size>
|
||||
#
|
||||
# The dhcp Method
|
||||
# Options
|
||||
# hwaddress <mac-address>
|
||||
# hostname <Hostname to be requested (pump, dhcpcd, udhcpc)>
|
||||
# metric <metric>
|
||||
# leasehours <Preferred lease time in hours (pump)>
|
||||
# leasetime <Preferred lease time in seconds (dhcpcd)>
|
||||
# vendor <Vendor class identifier (dhcpcd)>
|
||||
# client <Client identifier (dhcpcd), or "no" (dhclient)>
|
||||
#
|
||||
# The bootp Method
|
||||
# Options
|
||||
# bootfile: <file: Tell the server to use 'file' as the bootfile.>
|
||||
# server: <address: Use the IP address 'address' to communicate with the server.>
|
||||
# hwaddr <mac-address: Use addr as the hardware address instead of whatever it really is.>
|
||||
#
|
||||
method: static
|
||||
|
||||
hwaddress:
|
||||
hwaddress: 08:bf:b8:a4:09:e0
|
||||
description:
|
||||
address: 65.108.238.45
|
||||
# dotted quad or number of bits
|
||||
#
|
||||
# the entry will be: address/netmask
|
||||
netmask: 26
|
||||
gateway: 65.108.238.1
|
||||
metric:
|
||||
pointopoint:
|
||||
mtu:
|
||||
scope:
|
||||
|
||||
# additional user by dhcp method
|
||||
#
|
||||
hostname:
|
||||
leasehours:
|
||||
leasetime:
|
||||
vendor:
|
||||
client:
|
||||
|
||||
# additional used by bootp method
|
||||
#
|
||||
bootfile:
|
||||
server:
|
||||
hwaddr:
|
||||
|
||||
# optional dns settings nameservers: []
|
||||
#
|
||||
# nameservers:
|
||||
# - 194.150.168.168 # dns.as250.net
|
||||
# - 91.239.100.100 # anycast.censurfridns.dk
|
||||
# search: warenform.de
|
||||
#
|
||||
#nameservers:
|
||||
# - 185.12.64.1
|
||||
# - a01:4ff:ff00::add:2
|
||||
#search:
|
||||
|
||||
# optional additional subnets/ips subnets: []
|
||||
# subnets:
|
||||
# - '192.168.123.0/24'
|
||||
# - '192.168.124.11/32'
|
||||
|
||||
# optional bridge parameters bridge: {}
|
||||
# bridge:
|
||||
# ports:
|
||||
# stp:
|
||||
# fd:
|
||||
# maxwait:
|
||||
# waitport:
|
||||
bridge: {}
|
||||
|
||||
# optional bonding parameters bond: {}
|
||||
# bond:
|
||||
# master
|
||||
# primary
|
||||
# slave
|
||||
# mode:
|
||||
# miimon:
|
||||
# lacp-rate:
|
||||
# ad-select-rate:
|
||||
# master:
|
||||
# slaves:
|
||||
bond: {}
|
||||
|
||||
# optional vlan settings | vlan: {}
|
||||
# vlan: {}
|
||||
# raw-device: 'eth0'
|
||||
vlan: {}
|
||||
|
||||
# inline hook scripts
|
||||
#
|
||||
# example:
|
||||
#
|
||||
# up:
|
||||
# - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp41s0"
|
||||
#
|
||||
pre-up: [] # pre-up script lines
|
||||
up:
|
||||
- !!str "route add -net 65.108.238.0 netmask 255.255.255.192 gw 65.108.238.1 dev enp41s0"
|
||||
post-up: [] # post-up script lines (alias for up)
|
||||
pre-down: [] # pre-down script lines (alias for down)
|
||||
down: [] # down script lines
|
||||
post-down: [] # post-down script lines
|
||||
|
||||
- device: enp41s0
|
||||
# use only once per device (for the first device entry)
|
||||
headline:
|
||||
|
||||
# auto & allow are only used for the first device entry
|
||||
allow: [] # array of allow-[stanzas] eg. allow-hotplug
|
||||
auto:
|
||||
|
||||
family: inet6
|
||||
method: static
|
||||
address: 2a01:4f9:1a:b226::2
|
||||
netmask: 64
|
||||
gateway: fe80::1
|
||||
address: 88.198.56.204
|
||||
netmask: 27
|
||||
gateway: 88.198.56.193
|
||||
metric:
|
||||
pointopoint:
|
||||
mtu:
|
||||
@@ -192,14 +63,11 @@ network_interfaces:
|
||||
# - 91.239.100.100 # anycast.censurfridns.dk
|
||||
# search: warenform.de
|
||||
#
|
||||
# ** MOVED TO systemd-resolved
|
||||
#
|
||||
nameservers:
|
||||
search:
|
||||
|
||||
# optional additional subnets/ips subnets: []
|
||||
# subnets:
|
||||
# - '192.168.123.0/24'
|
||||
# - '192.168.124.11/32'
|
||||
|
||||
# optional bridge parameters bridge: {}
|
||||
# bridge:
|
||||
# ports:
|
||||
@@ -207,15 +75,24 @@ network_interfaces:
|
||||
# fd:
|
||||
# maxwait:
|
||||
# waitport:
|
||||
bridge: {}
|
||||
bridge:
|
||||
ports: eno1 # for mor devices support a blank separated list
|
||||
stp: !!str off
|
||||
fd: 5
|
||||
hello: 2
|
||||
maxage: 12
|
||||
|
||||
# optional bonding parameters bond: {}
|
||||
# bond:
|
||||
# mode:
|
||||
# master
|
||||
# primary
|
||||
# slave
|
||||
# method:
|
||||
# miimon:
|
||||
# lacp-rate:
|
||||
# ad-select-rate:
|
||||
# master:
|
||||
# slaves:
|
||||
# lacp-rate:
|
||||
bond: {}
|
||||
|
||||
# optional vlan settings | vlan: {}
|
||||
@@ -224,13 +101,24 @@ network_interfaces:
|
||||
vlan: {}
|
||||
|
||||
# inline hook scripts
|
||||
pre-up: []# pre-up script lines
|
||||
up: [] # up script lines
|
||||
pre-up: [] # pre-up script lines
|
||||
up:
|
||||
- !!str "route add -net 88.198.56.192 netmask 255.255.255.224 gw 88.198.56.193 dev br0" # up script lines
|
||||
post-up: [] # post-up script lines (alias for up)
|
||||
pre-down: [] # pre-down script lines (alias for down)
|
||||
down: [] # down script lines
|
||||
post-down: [] # post-down script lines
|
||||
|
||||
|
||||
|
||||
- device: br0
|
||||
family: inet6
|
||||
method: static
|
||||
address: '2a01:4f8:222:2c2::2'
|
||||
netmask: 64
|
||||
gateway: 'fe80::1'
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_dependencies
|
||||
# ---
|
||||
@@ -255,8 +143,6 @@ network_interfaces:
|
||||
# vars used by roles/common/tasks/apt.yml
|
||||
# ---
|
||||
|
||||
#apt_manage_sources_list: false
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/systemd-resolved.yml
|
||||
@@ -274,8 +160,8 @@ systemd_resolved: true
|
||||
# IPv6: 2606:4700:4700::1111
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 1.0.0.1
|
||||
# IPv6: 2606:4700:4700::1001
|
||||
#
|
||||
# IPv6: 2606:4700:4700::1001
|
||||
#
|
||||
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 8.8.8.8
|
||||
@@ -286,20 +172,20 @@ systemd_resolved: true
|
||||
#
|
||||
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 9.9.9.9
|
||||
# IPv6: 2620:fe::fe
|
||||
# IPv4: 9.9.9.9
|
||||
# IPv6: 2620:fe::fe
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 149.112.112.112
|
||||
# IPv6: 2620:fe::9
|
||||
#
|
||||
# OpenNIC - https://www.opennic.org/
|
||||
# IPv4: 195.10.195.195 - ns31.de
|
||||
# IPv4: 94.16.114.254 - ns28.de
|
||||
# IPv4: 51.254.162.59 - ns9.de
|
||||
# IPv4: 195.10.195.195 - ns31.de
|
||||
# IPv4: 94.16.114.254 - ns28.de
|
||||
# IPv4: 51.254.162.59 - ns9.de
|
||||
# IPv4: 194.36.144.87 - ns29.de
|
||||
# IPv6: 2a00:f826:8:2::195 - ns31.de
|
||||
#
|
||||
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
||||
#
|
||||
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
||||
# IPv4: 5.1.66.255
|
||||
# IPv6: 2001:678:e68:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
@@ -308,14 +194,14 @@ systemd_resolved: true
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
|
||||
resolved_nameserver:
|
||||
- 185.12.64.1
|
||||
- 2a01:4ff:ff00::add:2
|
||||
- 185.12.64.2
|
||||
- 2a01:4ff:ff00::add:1
|
||||
- 185.12.64.1
|
||||
- 2a01:4ff:ff00::add:2
|
||||
|
||||
# search domains
|
||||
#
|
||||
# If there are more than one search domains, then specify them here in the order in which
|
||||
# If there are more than one search domains, then specify them here in the order in which
|
||||
# the resolver should also search them
|
||||
#
|
||||
#resolved_domains: []
|
||||
@@ -337,7 +223,7 @@ resolved_fallback_nameserver:
|
||||
|
||||
cron_env_entries:
|
||||
- name: PATH
|
||||
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
- name: SHELL
|
||||
job: /bin/bash
|
||||
@@ -351,9 +237,9 @@ cron_user_special_time_entries:
|
||||
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
|
||||
insertafter: PATH
|
||||
|
||||
- name: "Check if postfix mailservice is running. Restart service if needed."
|
||||
- name: "Check if Check if all autostart LX-Container are running."
|
||||
special_time: reboot
|
||||
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
|
||||
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
|
||||
insertafter: PATH
|
||||
|
||||
|
||||
@@ -379,28 +265,6 @@ cron_user_entries:
|
||||
hour: '*'
|
||||
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
|
||||
|
||||
- name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
|
||||
minute: '06'
|
||||
hour: '00'
|
||||
weekday: '1-6'
|
||||
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
|
||||
|
||||
- name: "On sunday morning also determin diskspace usage"
|
||||
minute: '06'
|
||||
hour: '00'
|
||||
weekday: 7
|
||||
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
|
||||
|
||||
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
|
||||
minute: '23'
|
||||
hour: '05'
|
||||
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
|
||||
|
||||
- name: "Check whether all certificates are included in the VHOST configurations"
|
||||
minute: '33'
|
||||
hour: '05'
|
||||
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
|
||||
|
||||
- name: "Check hard disc usage."
|
||||
minute: '43'
|
||||
hour: '6'
|
||||
@@ -411,18 +275,6 @@ cron_user_entries:
|
||||
# vars used by roles/common/tasks/users.yml
|
||||
# ---
|
||||
|
||||
create_sftp_group: true
|
||||
|
||||
extra_system_user:
|
||||
- name: www-data
|
||||
home: /var/www
|
||||
groups: sftp_users
|
||||
|
||||
sudo_users:
|
||||
- chris
|
||||
- sysadm
|
||||
- localadmin
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users-systemfiles.yml
|
||||
|
||||
@@ -0,0 +1,235 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_dependencies
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/ansible_user
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/basic.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sshd.yml
|
||||
# ---
|
||||
|
||||
sshd_permit_root_login: !!str "prohibit-password"
|
||||
|
||||
# ---
|
||||
# vars used by apt.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/systemd-resolved.yml
|
||||
# ---
|
||||
|
||||
systemd_resolved: true
|
||||
|
||||
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
|
||||
# Primäre DNS-Adresse: 38.132.106.139
|
||||
# Sekundäre DNS-Adresse: 194.187.251.67
|
||||
#
|
||||
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 1.1.1.1
|
||||
# IPv6: 2606:4700:4700::1111
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 1.0.0.1
|
||||
# IPv6: 2606:4700:4700::1001
|
||||
#
|
||||
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 8.8.8.8
|
||||
# IPv6: 2001:4860:4860::8888
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 8.8.4.4
|
||||
# IPv6: 2001:4860:4860::8844
|
||||
#
|
||||
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
|
||||
# primäre DNS-Adresse
|
||||
# IPv4: 9.9.9.9
|
||||
# IPv6: 2620:fe::fe
|
||||
# sekundäre DNS-Adresse
|
||||
# IPv4: 149.112.112.112
|
||||
# IPv6: 2620:fe::9
|
||||
#
|
||||
# OpenNIC - https://www.opennic.org/
|
||||
# IPv4: 195.10.195.195 - ns31.de
|
||||
# IPv4: 94.16.114.254 - ns28.de
|
||||
# IPv4: 51.254.162.59 - ns9.de
|
||||
# IPv4: 194.36.144.87 - ns29.de
|
||||
# IPv6: 2a00:f826:8:2::195 - ns31.de
|
||||
#
|
||||
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
||||
# IPv4: 5.1.66.255
|
||||
# IPv6: 2001:678:e68:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# IPv4: 185.150.99.255
|
||||
# IPv6: 2001:678:ed0:f000::
|
||||
# Servername für DNS-over-TLS: dot.ffmuc.net
|
||||
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
|
||||
resolved_nameserver:
|
||||
- 185.12.64.2
|
||||
- 185.12.64.1
|
||||
- 2a01:4ff:ff00::add:2
|
||||
- 2a01:4ff:ff00::add:1
|
||||
|
||||
# search domains
|
||||
#
|
||||
# If there are more than one search domains, then specify them here in the order in which
|
||||
# the resolver should also search them
|
||||
#
|
||||
#resolved_domains: []
|
||||
resolved_domains:
|
||||
- ~.
|
||||
- oopen.de
|
||||
|
||||
resolved_dnssec: false
|
||||
|
||||
# dns.as250.net: 194.150.168.168
|
||||
#
|
||||
resolved_fallback_nameserver:
|
||||
- 194.150.168.168
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/cron.yml
|
||||
# ---
|
||||
|
||||
cron_env_entries:
|
||||
- name: PATH
|
||||
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
- name: SHELL
|
||||
job: /bin/bash
|
||||
insertafter: PATH
|
||||
|
||||
|
||||
#cron_user_special_time_entries:
|
||||
#
|
||||
# - name: "Restart DNS Cache service 'systemd-resolved'"
|
||||
# special_time: reboot
|
||||
# job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
|
||||
# insertafter: PATH
|
||||
#
|
||||
#
|
||||
#cron_user_entries:
|
||||
#
|
||||
# - name: "Check if webservices sre running. Restart if necessary"
|
||||
# minute: '*/5'
|
||||
# hour: '*'
|
||||
# job: /root/bin/monitoring/check_webservice_load.sh
|
||||
#
|
||||
# - name: "Check if SSH service is running. Restart service if needed."
|
||||
# minute: '*/5'
|
||||
# hour: '*'
|
||||
# job: /root/bin/monitoring/check_ssh.sh
|
||||
#
|
||||
# - name: "Check if Postfix Mailservice is up and running?"
|
||||
# minute: '*/15'
|
||||
# hour: '*'
|
||||
# job: /root/bin/monitoring/check_postfix.sh
|
||||
#
|
||||
# - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
|
||||
# minute: '*/5'
|
||||
# hour: '*'
|
||||
# job: /root/bin/postfix/check-postfix-fatal-errors.sh
|
||||
#
|
||||
# - name: "Optimize mysql tables"
|
||||
# minute: '53'
|
||||
# hour: '04'
|
||||
# job: /root/bin/mysql/optimize_mysql_tables.sh
|
||||
#
|
||||
# - name: "Flush query cache for mysql tables"
|
||||
# minute: '27'
|
||||
# hour: '04'
|
||||
# job: /root/bin/mysql/flush_query_cache.sh
|
||||
#
|
||||
# - name: "Flush Host cache"
|
||||
# minute: '17'
|
||||
# hour: '05'
|
||||
# job: /root/bin/mysql/flush_host_cache.sh
|
||||
#
|
||||
# - name: "Run occ file:scan for each cloud account"
|
||||
# minute: '02'
|
||||
# hour: '23'
|
||||
# job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
|
||||
#
|
||||
# - name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
|
||||
# minute: '*/15'
|
||||
# hour: '*'
|
||||
# job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
|
||||
#
|
||||
# - name: "Check if certificates for coolwsd service are up to date"
|
||||
# minute: '17'
|
||||
# hour: '05'
|
||||
# job: /root/bin/nextcloud/check_cert_coolwsd.sh
|
||||
#
|
||||
# - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
|
||||
# minute: '23'
|
||||
# hour: '05'
|
||||
# job: /var/lib/dehydrated/cron/dehydrated_cron.sh
|
||||
#
|
||||
# - name: "Check whether all certificates are included in the VHOST configurations"
|
||||
# minute: '33'
|
||||
# hour: '05'
|
||||
# job: /var/lib/dehydrated/tools/update_ssl_directives.sh
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users.yml
|
||||
# ---
|
||||
|
||||
sudo_users:
|
||||
- chris
|
||||
- sysadm
|
||||
- localadmin
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/users-systemfiles.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/webadmin-user.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/sudoers.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
sudoers_file_user_privileges:
|
||||
- name: back
|
||||
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/caching-nameserver.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by roles/common/tasks/git.yml
|
||||
# ---
|
||||
#
|
||||
# see: roles/common/tasks/vars
|
||||
|
||||
|
||||
# ==============================
|
||||
|
||||
|
||||
# ---
|
||||
# vars used by scripts/reset_root_passwd.yml
|
||||
# ---
|
||||
|
||||
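Review bot: The sudoers entry `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'` for user `back` lets that account run any PHP script as www-data without a password, because the permitted command is the bare interpreter and the script path is a free argument. If the entry exists for one maintenance job, pin it to that invocation, e.g. `entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php /PATH/TO/SCRIPT.php'` (placeholder path), and add a comment above it naming the job so the next reviewer knows what the grant is for. `resolved_dnssec: false` is likewise a deliberate choice that deserves a one-line comment stating why it is disabled, otherwise it reads like an oversight.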
@@ -0,0 +1,39 @@
|
||||
---
|
||||
# ipt-firewall configuration for test.mx.oopen.de
|
||||
# Generated by extract-fw-host-vars.py - review before committing!
|
||||
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Network
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
- "eth1"
|
||||
fw_ext_ips_v4:
|
||||
- "83.223.85.205"
|
||||
- "83.223.85.206"
|
||||
fw_ext_ips_v6:
|
||||
- "2a01:30:0:505:2eb:f4ff:feaa:d996 2a01:30:0:13:2eb:f4ff:feaa:d996"
|
||||
- "2a01:30:0:505:2eb:f4ff:feaa:d997 2a01:30:0:13:2eb:f4ff:feaa:d997"
|
||||
|
||||
# --- Munin
|
||||
munin_remote_ipv4: 37.27.121.227
|
||||
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
|
||||
|
||||
# --- HTTP
|
||||
fw_http_server_ips: $ext_1_ip $ext_2_ip
|
||||
|
||||
# --- Mail
|
||||
fw_smtpd_ips: $ext_1_ip
|
||||
fw_mail_server_ips: $ext_1_ip
|
||||
fw_mail_client_ips: $ext_1_ip $ext_2_ip
|
||||
fw_dovecot_auth_service: true
|
||||
fw_dovecot_auth_allowed_networks_v4: 192.68.11.79
|
||||
|
||||
# --- Mumble
|
||||
fw_mumble_server_ips: 138.201.33.54
|
||||
|
||||
# --- Rsync
|
||||
fw_rsync_out_ips: $ext_1_ip
|
||||
|
||||
# --- Block
|
||||
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
|
||||
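Review bot: Several values in this generated file are still the shell-side tokens of the source configuration rather than resolved data: `fw_http_server_ips: $ext_1_ip $ext_2_ip`, `fw_smtpd_ips: $ext_1_ip`, `fw_mail_server_ips`, `fw_mail_client_ips` and `fw_rsync_out_ips` carry literal `$ext_N_ip` references that YAML and Ansible will not expand, and each `fw_ext_ips_v6` list item holds two space-separated addresses in one quoted string. Unless the role template re-expands these itself (not visible here), the rendered firewall rules would contain the literal `$ext_1_ip` text or a malformed address, so the extractor should either resolve them (the `fw_ext_ips_v4` order maps `$ext_1_ip` to the first entry) or refuse to write the file until they are fixed by hand. The header already says "review before committing"; a `# TODO: unresolved $ext_N_ip placeholders below` marker at the top would make that review step concrete. `fw_blocked_ips` and `fw_mumble_server_ips` are plain scalars while the other address settings are lists; confirm the role accepts both forms.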
@@ -297,6 +297,12 @@ samba_user:
|
||||
- buero
|
||||
password: '20-printer-18'
|
||||
|
||||
- name: farina
|
||||
groups:
|
||||
- buero
|
||||
- beratung
|
||||
password: 'ADB_far!na_26'
|
||||
|
||||
- name: hanna
|
||||
groups:
|
||||
- buero
|
||||
@@ -424,6 +430,8 @@ samba_user:
|
||||
|
||||
base_home: /home
|
||||
|
||||
samba_homes_virusfilter: true
|
||||
|
||||
# remove_samba_users:
|
||||
# - name: name1
|
||||
# - name: name2
|
||||
@@ -442,6 +450,7 @@ samba_shares:
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
wide_links: !!str yes
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -452,6 +461,7 @@ samba_shares:
|
||||
group_write_list: beratung
|
||||
file_create_mask: !!str 660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -462,6 +472,7 @@ samba_shares:
|
||||
group_write_list: verwaltung
|
||||
file_create_mask: !!str 0660
|
||||
dir_create_mask: !!str 2770
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: true
|
||||
recycle_path: '@Recycle'
|
||||
|
||||
@@ -474,6 +485,7 @@ samba_shares:
|
||||
guest_ok: !!str no
|
||||
file_create_mask: !!str 0664
|
||||
dir_create_mask: !!str 0755
|
||||
vfs_object_virusfilter: true
|
||||
vfs_object_recycle: false
|
||||
|
||||
|
||||
|
||||
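Review bot: The `password:` value in the `farina` entry (inferred to be the added lines of the `@@ -297,6 +297,12 @@` hunk) stores a Samba user credential in cleartext in version control, alongside the existing cleartext entries in the same list. Adding a new secret is the natural moment to switch the `password` keys to inline vaulted values (`password: !vault |` followed by the `$ANSIBLE_VAULT;1.1;AES256` block) or to move `samba_user` passwords into a vaulted vars file, so the plaintext never enters history again. The new value is also visibly derived from the user's name, which any credential-hygiene check would flag.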
@@ -32,6 +32,7 @@ o13-staging-board.oopen.de
|
||||
o25.oopen.de
|
||||
o41.oopen.de
|
||||
dc-opp.oopen.de
|
||||
ak-plan.oopen.de
|
||||
discourse.oopen.de
|
||||
test-nd.oopen.de
|
||||
formbricks-nd.oopen.de
|
||||
@@ -76,6 +77,7 @@ file-ebs.ebs.netz
|
||||
file-fm.fm.netz
|
||||
file-fhxb.fhxb.netz
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
file-blkr.blkr.netz
|
||||
@@ -203,16 +205,20 @@ mm-irights.oopen.de
|
||||
# IL - PAD
|
||||
o25.oopen.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o26.oopen.de
|
||||
|
||||
# - o27.oopen.de
|
||||
o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
mail.faire-mobilitaet.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
# - o28 NDM - neue deutsche Medienmacher*innen
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# - o29.oopen.de Dissens Host System
|
||||
o29.oopen.de
|
||||
@@ -222,6 +228,7 @@ cl-dissens.oopen.de
|
||||
o30.oopen.de
|
||||
meet.akweb.de
|
||||
cloud.akweb.de
|
||||
ak-plan.oopen.de
|
||||
|
||||
# o31.oopen.de - Cadus e.V.
|
||||
o31.oopen.de
|
||||
@@ -420,16 +427,20 @@ cl-irights-neu.oopen.de
|
||||
# IL - PAD
|
||||
o25.oopen.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o26.oopen.de
|
||||
|
||||
# - o27.oopen.de
|
||||
o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
mail.faire-mobilitaet.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
# - o28 NDM - neue deutsche Medienmacher*innen
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# - o29.oopen.de
|
||||
o29.oopen.de
|
||||
@@ -439,6 +450,7 @@ cl-dissens.oopen.de
|
||||
o30.oopen.de
|
||||
meet.akweb.de
|
||||
cloud.akweb.de
|
||||
ak-plan.oopen.de
|
||||
|
||||
# o31.oopen.de - Cadus e.V.
|
||||
o31.oopen.de
|
||||
@@ -556,6 +568,7 @@ gw-irights.oopen.de
|
||||
# - Kanzlei Berenice
|
||||
gw-km.oopen.de
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
|
||||
@@ -734,13 +747,16 @@ cl-test.oopen.de
|
||||
cl-irights.oopen.de
|
||||
cl-irights-neu.oopen.de
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o26.oopen.de
|
||||
|
||||
# o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
mail.faire-mobilitaet.de
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
# - o28 neue deutsche Medienmacher*innen - NDM Host System
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de
|
||||
cl-dissens.oopen.de
|
||||
@@ -911,6 +927,10 @@ mm-irights.oopen.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# o28 NDM - neue deutsche Medienmacher*innen
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de . Dissens
|
||||
cl-dissens.oopen.de
|
||||
|
||||
@@ -1045,6 +1065,10 @@ mm-irights.oopen.de
|
||||
# o27.oopen.de
|
||||
mail.faire-mobilitaet.de
|
||||
|
||||
# o28.oopen.de
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o35.oopen.de
|
||||
e.mx.oopen.de
|
||||
d.mx.oopen.de
|
||||
@@ -1141,12 +1165,15 @@ mm-irights.oopen.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o26.oopen.de
|
||||
|
||||
# o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
# - o28 neue deutsche Medienmacher*innen - NDM Host System
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de - Dissens
|
||||
cl-dissens.oopen.de
|
||||
@@ -1256,14 +1283,15 @@ cl-test.oopen.de
|
||||
cl-irights.oopen.de
|
||||
cl-irights-neu.oopen.de
|
||||
|
||||
# o26.oopen.de
|
||||
o26.oopen.de
|
||||
|
||||
# o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
|
||||
# o28.oopen.de
|
||||
o28.oopen.de
|
||||
|
||||
# o26.oopen.de
|
||||
o26.oopen.de
|
||||
# - o28 neue deutsche Medienmacher*innen - NDM Host System
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de - Dissens
|
||||
cl-dissens.oopen.de
|
||||
@@ -1394,7 +1422,6 @@ backup.oopen.de
|
||||
devel-root.wf.netz
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
|
||||
# ---
|
||||
@@ -1411,7 +1438,7 @@ o17.oopen.de
|
||||
# ---
|
||||
# Warenform
|
||||
# ---
|
||||
#anita.wf.netz
|
||||
anita.wf.netz
|
||||
|
||||
# ---
|
||||
# Büro Netzwerke
|
||||
@@ -1425,6 +1452,7 @@ file-ebs.ebs.netz
|
||||
file-fm.fm.netz
|
||||
file-fhxb.fhxb.netz
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
file-blkr.blkr.netz
|
||||
@@ -1527,6 +1555,7 @@ o22.oopen.de
|
||||
o23.oopen.de
|
||||
o24.oopen.de
|
||||
o27.oopen.de
|
||||
o28.oopen.de
|
||||
o29.oopen.de
|
||||
o30.oopen.de
|
||||
o31.oopen.de
|
||||
@@ -1560,6 +1589,7 @@ file-ah.kanzlei-kiel.netz
|
||||
file-ah-neu.kanzlei-kiel.netz
|
||||
file-ah-alt.kanzlei-kiel.netz
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
file-blkr.blkr.netz
|
||||
@@ -1656,12 +1686,17 @@ mail.faire-mobilitaet.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de - Dissens
|
||||
cl-dissens.oopen.de
|
||||
|
||||
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet
|
||||
meet.akweb.de
|
||||
cloud.akweb.de
|
||||
ak-plan.oopen.de
|
||||
|
||||
# BigBlueButton - O.OPEN
|
||||
|
||||
@@ -1727,6 +1762,7 @@ file-ebs.ebs.netz
|
||||
file-fm.fm.netz
|
||||
file-fhxb.fhxb.netz
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
file-blkr.blkr.netz
|
||||
@@ -1866,16 +1902,20 @@ mm-irights.oopen.de
|
||||
# IL - PAD
|
||||
o25.oopen.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
o26.oopen.de
|
||||
|
||||
# - o27.oopen.de
|
||||
o27.oopen.de
|
||||
cl-fm.oopen.de
|
||||
mail.faire-mobilitaet.de
|
||||
|
||||
# Hetzner Cloud CX31 - AK
|
||||
|
||||
# Backup Faire Mobilitaet
|
||||
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
|
||||
o28.oopen.de
|
||||
o26.oopen.de
|
||||
cl-ndm.oopen.de
|
||||
psono-ndm.oopen.de
|
||||
|
||||
# o29.oopen.de
|
||||
o29.oopen.de
|
||||
@@ -1885,6 +1925,7 @@ cl-dissens.oopen.de
|
||||
o30.oopen.de
|
||||
meet.akweb.de
|
||||
cloud.akweb.de
|
||||
ak-plan.oopen.de
|
||||
|
||||
# - o31.oopen.de
|
||||
o31.oopen.de
|
||||
@@ -1974,6 +2015,7 @@ file-ebs.ebs.netz
|
||||
file-fm.fm.netz
|
||||
file-fhxb.fhxb.netz
|
||||
file-km.anw-km.netz
|
||||
file-km-alt.anw-km.netz
|
||||
file-km-neu.anw-km.netz
|
||||
file-kb.anw-kb.netz
|
||||
file-blkr.blkr.netz
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
|
||||
- hosts: oopen_server:warenform_server:!no_ipt_firewall
|
||||
roles:
|
||||
- ipt-server
|
||||
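Review bot: The role reference `- ipt-server` does not match the naming used elsewhere in this change, where the generated host_vars describe themselves as `# ipt-firewall configuration` and use `fw_*` variables; if the role directory is actually `roles/ipt-firewall`, this playbook fails at parse time with a role-not-found error. Confirm the directory name and, if it differs, change the line to match it. A short header comment, `# Apply the firewall role to all managed servers except members of no_ipt_firewall`, would also document the host pattern `oopen_server:warenform_server:!no_ipt_firewall`.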
@@ -1,24 +1,23 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# Samba Server
|
||||
# ---
|
||||
|
||||
- name: (samba-install.yml) Ensure samba packages server are installed.
|
||||
- name: (samba-config-server.yml) Ensure samba packages server are installed.
|
||||
package:
|
||||
pkg: '{{ apt_install_server_samba }}'
|
||||
pkg: "{{ apt_install_server_samba }}"
|
||||
state: present
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
tags:
|
||||
- samba-server
|
||||
|
||||
- name: (samba-install.yml) Ensure quarantine directory exists
|
||||
- name: (samba-config-server.yml) Ensure quarantine directory exists
|
||||
file:
|
||||
path: /data/samba/QUARANTINE
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0750'
|
||||
mode: "0750"
|
||||
state: directory
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
@@ -37,7 +36,7 @@
|
||||
recurse: no
|
||||
with_items: "{{ samba_shares }}"
|
||||
loop_control:
|
||||
label: '{{ item.name }}'
|
||||
label: "{{ item.name }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
tags:
|
||||
@@ -47,9 +46,9 @@
|
||||
# Virusfilter (ClamAV) - only when at least one share has vfs_object_virusfilter: true
|
||||
# ---
|
||||
|
||||
- name: (samba-install.yml) Ensure virusfilter (ClamAV) packages are installed
|
||||
- name: (samba-config-server.yml) Ensure virusfilter (ClamAV) packages are installed
|
||||
package:
|
||||
pkg: '{{ apt_install_server_samba_virusfilter }}'
|
||||
pkg: "{{ apt_install_server_samba_virusfilter }}"
|
||||
state: present
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
@@ -58,7 +57,7 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Check if ClamAV virus databases are present
|
||||
- name: (samba-config-server.yml) Check if ClamAV virus databases are present
|
||||
find:
|
||||
paths: /var/lib/clamav
|
||||
patterns:
|
||||
@@ -72,7 +71,7 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Stop clamav-freshclam service before initial database download
|
||||
- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
|
||||
service:
|
||||
name: clamav-freshclam
|
||||
state: stopped
|
||||
@@ -85,7 +84,20 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Download initial ClamAV virus databases via freshclam
|
||||
- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
|
||||
service:
|
||||
name: clamav-daemon
|
||||
state: started
|
||||
enabled: yes
|
||||
failed_when: false
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
|
||||
command: freshclam
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
@@ -95,13 +107,11 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
|
||||
- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
name: clamav-daemon
|
||||
state: started
|
||||
enabled: yes
|
||||
loop:
|
||||
- clamav-daemon
|
||||
- clamav-freshclam
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
@@ -109,7 +119,19 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Ensure clamav user is member of all Samba groups
|
||||
- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
|
||||
service:
|
||||
name: clamav-freshclam
|
||||
state: started
|
||||
enabled: yes
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba groups
|
||||
user:
|
||||
name: clamav
|
||||
groups: "{{ item.name }}"
|
||||
@@ -126,18 +148,65 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths)
|
||||
blockinfile:
|
||||
path: /etc/apparmor.d/local/usr.sbin.clamd
|
||||
create: yes
|
||||
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba user groups (homes virusfilter)
|
||||
user:
|
||||
name: clamav
|
||||
groups: "{{ item.name }}"
|
||||
append: yes
|
||||
loop: "{{ samba_user }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- samba_user | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Get home directories of samba users via getent (homes virusfilter)
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: "{{ item.name }}"
|
||||
loop: "{{ samba_user }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
register: samba_user_getent
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- samba_user | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
|
||||
file:
|
||||
path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
|
||||
mode: "0750"
|
||||
state: directory
|
||||
loop: "{{ samba_user_getent.results | default([]) }}"
|
||||
loop_control:
|
||||
label: "{{ item.item.name }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- item.ansible_facts is defined
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
|
||||
- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
|
||||
template:
|
||||
src: etc/apparmor.d/local/usr.sbin.clamd.j2
|
||||
dest: /etc/apparmor.d/local/usr.sbin.clamd
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths"
|
||||
block: |
|
||||
/data/** r,
|
||||
/data/samba/QUARANTINE/** rw,
|
||||
notify: Reload AppArmor profile clamd
|
||||
notify:
|
||||
- Reload AppArmor profile clamd
|
||||
- Restart clamav-daemon
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
|
||||
@@ -146,7 +215,7 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
|
||||
- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
|
||||
lineinfile:
|
||||
path: /etc/clamav/clamd.conf
|
||||
regexp: "^#?\\s*AllowAllMatchScan\\s"
|
||||
@@ -161,7 +230,6 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
|
||||
# ---
|
||||
# /etc/samba/smb.conf
|
||||
# ---
|
||||
@@ -228,7 +296,7 @@
|
||||
- samba-cron
|
||||
|
||||
- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
|
||||
template:
|
||||
template:
|
||||
dest: /root/bin/samba/conf/clean_samba_trash.conf
|
||||
src: root/bin/samba/conf/clean_samba_trash.conf.j2
|
||||
when:
|
||||
@@ -241,7 +309,7 @@
|
||||
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
|
||||
ansible.builtin.lineinfile:
|
||||
path: /root/bin/samba/conf/clean_samba_trash.conf
|
||||
regexp: '^trash_dirs=*'
|
||||
regexp: "^trash_dirs=*"
|
||||
state: absent
|
||||
check_mode: true
|
||||
changed_when: false
|
||||
@@ -299,7 +367,5 @@
|
||||
job: "{{ samba_cronjob_permissions.job }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
|
||||
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
|
||||
tags: [samba-server, samba-cron]
|
||||
|
||||
|
||||
|
||||
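Review bot: The task "Ensure home directories are group-traversable for clamd (homes virusfilter)" sets `mode: "0750"` on every samba user's home taken from `getent_passwd[...][4]`, which widens any home currently at 0700 and grants read and traverse access to every member of the user's primary group, not only to `clamav`; on hosts where samba users share a primary group (e.g. `users`) this exposes all homes to all of them. The preceding task's `groups: "{{ item.name }}"` assumes a group named after each user exists, so the whole homes design only holds under user-private groups; a comment stating that assumption and a `when` guard or a `group` pre-check would make the failure mode explicit rather than a mid-play error. In the hunk at `@@ -85,7 +84,20 @@`, the task "Ensure clamav-daemon service is started before database update" uses `failed_when: false`, which hides every start failure and not just the expected one when no database exists yet; the later "Ensure clamav-daemon service is enabled and started" task already starts the daemon after freshclam, so the early start looks redundant and could be dropped, or its `failed_when` narrowed to the case where the find task above reported no database files. The `file` task with `state: directory` would also create a missing home as a root-owned directory; `item.ansible_facts is defined` only skips items the getent loop skipped, not users whose home path does not exist.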
@@ -55,6 +55,7 @@
|
||||
loop: "{{ default_user }}"
|
||||
loop_control:
|
||||
label: '{{ item.name }}'
|
||||
when: item.name != ansible_user
|
||||
tags:
|
||||
- users-exists
|
||||
|
||||
|
||||
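Review bot: The new condition `when: item.name != ansible_user` raises an undefined-variable error on hosts where `ansible_user` is not set in inventory or configuration (the connection then uses the local login user and the variable is simply absent), so the loop aborts instead of skipping the entry. Guard it with a default, e.g. `when: item.name != (ansible_user | default(lookup('env', 'USER'), true))`, or compare against the gathered fact `ansible_user_id` where facts are available. The task this loop belongs to starts above the hunk, so whether it removes or modifies users is not visible here; the more destructive it is, the more the undefined case matters.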
@@ -0,0 +1,11 @@
|
||||
# {{ ansible_managed }}
|
||||
# see: roles/common/tasks/samba-config-server.yml
|
||||
|
||||
/data/** r,
|
||||
/data/samba/QUARANTINE/** rw,
|
||||
{% if samba_homes_virusfilter | default(false) | bool %}
|
||||
{{ base_home }}/** r,
|
||||
{% if base_home != '/home' %}
|
||||
/home/** r,
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
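Review bot: `{{ base_home }}/** r,` and the comparison `{% if base_home != '/home' %}` are rendered only when `samba_homes_virusfilter` is true but do not default `base_home`, so a host that enables the homes virusfilter without defining `base_home` fails the template render with an undefined-variable error, whereas the enclosing guard itself uses `| default(false)`. Use `{{ base_home | default('/home') }}/** r,` and `{% if (base_home | default('/home')) != '/home' %}` to keep the two consistent. The profile also grants clamd read access to every file below all user homes; that width is the intent of the feature, but a header line such as `# when samba_homes_virusfilter is set, clamd may read every file below base_home (and /home)` makes it visible to whoever audits the AppArmor profile later.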
@@ -6,7 +6,7 @@
|
||||
#
|
||||
# This is the main Samba configuration file. You should read the
|
||||
# smb.conf(5) manual page in order to understand the options listed
|
||||
# here. Samba has a huge number of configurable options most of which
|
||||
# here. Samba has a huge number of configurable options most of which
|
||||
# are not shown in this example
|
||||
#
|
||||
# Some options that are often worth tuning have been included as
|
||||
@@ -18,8 +18,8 @@
|
||||
# enough to be mentioned here
|
||||
#
|
||||
# NOTE: Whenever you modify this file you should run the command
|
||||
# "testparm" to check that you have not made any basic syntactic
|
||||
# errors.
|
||||
# "testparm" to check that you have not made any basic syntactic
|
||||
# errors.
|
||||
|
||||
#======================= Global Settings =======================
|
||||
|
||||
@@ -31,11 +31,11 @@
|
||||
; workgroup = WORKGROUP
|
||||
workgroup = {{ samba_workgroup|default('WORKGROUP') }}
|
||||
|
||||
# Option 'netbios name' added to debian's default smb.conf
|
||||
# Option 'netbios name' added to debian's default smb.conf
|
||||
#
|
||||
# This sets the NetBIOS name by which a Samba server is known. By default it
|
||||
# is the same as the first component of the host's DNS name. If a machine is
|
||||
# a browse server or logon server this name (or the first component of the
|
||||
# a browse server or logon server this name (or the first component of the
|
||||
# hosts DNS name) will be the name that these services are advertised under.
|
||||
#
|
||||
# Note that the maximum length for a NetBIOS name is 15 characters.
|
||||
@@ -46,9 +46,9 @@
|
||||
|
||||
{% if samba_server_min_protocol is defined and samba_server_min_protocol|length > 0 %}
|
||||
|
||||
# This setting controls the minimum protocol version that the server will allow
|
||||
# the client to use. Normally this option should not be set as the automatic
|
||||
# negotiation phase in the SMB protocol takes care of choosing the appropriate
|
||||
# This setting controls the minimum protocol version that the server will allow
|
||||
# the client to use. Normally this option should not be set as the automatic
|
||||
# negotiation phase in the SMB protocol takes care of choosing the appropriate
|
||||
# protocol unless you have legacy clients which are SMB1 capable only.
|
||||
#
|
||||
# See Related command: server max protocol for a full list of available protocols.
|
||||
@@ -69,7 +69,7 @@
|
||||
; interfaces = 127.0.0.0/8 eth0
|
||||
interfaces = {{ samba_server_ip }}/{{ samba_server_cidr_prefix }} 127.0.0.1/8
|
||||
|
||||
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
|
||||
# Option 'hosts deny' and 'hosts allow' added to debian's default smb.conf
|
||||
hosts deny = 0.0.0.0/0
|
||||
hosts allow = 192.168.0.0/16 10.0.0.0/8 127.0.0.0/8
|
||||
|
||||
@@ -80,8 +80,8 @@
|
||||
# option cannot handle dynamic or non-broadcast interfaces correctly.
|
||||
#
|
||||
# Notice:
|
||||
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the
|
||||
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
|
||||
# If bind interfaces only is set and the network address 127.0.0.1 is not added to the
|
||||
# interfaces parameter list smbpasswd(8) may not work as expected due to the reasons
|
||||
# covered below.
|
||||
#
|
||||
# Default: bind interfaces only = no
|
||||
@@ -103,13 +103,13 @@
|
||||
# Append syslog@1 if you want important messages to be sent to syslog too.
|
||||
logging = file
|
||||
|
||||
# Option 'log level' added to debian's default smb.conf
|
||||
# Option 'log level' added to debian's default smb.conf
|
||||
#
|
||||
# The value of the parameter (a astring) allows the debug level (logging level) to be
|
||||
# The value of the parameter (a astring) allows the debug level (logging level) to be
|
||||
# specified in the smb.conf file.
|
||||
#
|
||||
# This parameter has been extended since the 2.2.x series, now it allows one to specify
|
||||
# the debug level for multiple debug classes. This is to give greater flexibility in
|
||||
# This parameter has been extended since the 2.2.x series, now it allows one to specify
|
||||
# the debug level for multiple debug classes. This is to give greater flexibility in
|
||||
# the configuration of the system.
|
||||
#
|
||||
# See manpage for implemented debug classes
|
||||
@@ -125,7 +125,7 @@
|
||||
|
||||
####### Authentication #######
|
||||
|
||||
# Option 'ntlm auth' added to debian's default smb.conf
|
||||
# Option 'ntlm auth' added to debian's default smb.conf
|
||||
#
|
||||
# This parameter determines whether or not smbd(8) will attempt to authenticate
|
||||
# users using the NTLM encrypted password response for this local passdb (SAM
|
||||
@@ -167,7 +167,7 @@
|
||||
# Server role. Defines in which mode Samba will operate. Possible
|
||||
# values are "standalone server", "member server", "classic primary
|
||||
# domain controller", "classic backup domain controller", "active
|
||||
# directory domain controller".
|
||||
# directory domain controller".
|
||||
#
|
||||
# Most people will want "standalone server" or "member server".
|
||||
# Running as "active directory domain controller" will require first
|
||||
@@ -197,7 +197,7 @@
|
||||
# to anonymous connections
|
||||
map to guest = bad user
|
||||
|
||||
# Option 'username map' added to debian's default smb.conf
|
||||
# Option 'username map' added to debian's default smb.conf
|
||||
#
|
||||
username map = /etc/samba/users.map
|
||||
|
||||
@@ -206,7 +206,7 @@
|
||||
#
|
||||
# The following settings only takes effect if 'server role = primary
|
||||
# classic domain controller', 'server role = backup domain controller'
|
||||
# or 'domain logons' is set
|
||||
# or 'domain logons' is set
|
||||
#
|
||||
|
||||
# It specifies the location of the user's
|
||||
@@ -235,13 +235,13 @@
|
||||
# password; please adapt to your needs
|
||||
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
|
||||
|
||||
# This allows machine accounts to be created on the domain controller via the
|
||||
# SAMR RPC pipe.
|
||||
# This allows machine accounts to be created on the domain controller via the
|
||||
# SAMR RPC pipe.
|
||||
# The following assumes a "machines" group exists on the system
|
||||
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
|
||||
|
||||
# This allows Unix groups to be created on the domain controller via the SAMR
|
||||
# RPC pipe.
|
||||
# RPC pipe.
|
||||
; add group script = /usr/sbin/addgroup --force-badname %g
|
||||
|
||||
############ Misc ############
|
||||
@@ -305,6 +305,14 @@
|
||||
# next parameter to 'no' if you want to be able to write to them.
|
||||
read only = no
|
||||
|
||||
{% if samba_homes_virusfilter | default(false) | bool %}
|
||||
# Virusfilter aktiv: Gruppe benötigt Leserecht, damit clamd (als Gruppenmitglied)
|
||||
# Dateien und Verzeichnisse direkt öffnen kann (SCAN-Kommando an clamd).
|
||||
create mask = 0640
|
||||
force create mode = 0040
|
||||
directory mask = 0750
|
||||
force directory mode = 0050
|
||||
{% else %}
|
||||
# File creation mask is set to 0700 for security reasons. If you want to
|
||||
# create files with group=rw permissions, set next parameter to 0775.
|
||||
create mask = 0700
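Review bot: The two comment lines added above `create mask = 0640` are in German while the rest of smb.conf.j2 is commented in English, so the rationale for the relaxed masks is opaque to readers of the surrounding file. Suggested replacement: `# Virusfilter enabled: the group needs read access so that clamd (a group member) can open files and directories directly (SCAN command to clamd).` The masks themselves are consistent with that intent (`force create mode = 0040` / `force directory mode = 0050` guarantee the group read and traverse bits regardless of what the client requests).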
|
||||
@@ -312,6 +320,7 @@
|
||||
# Directory creation mask is set to 0700 for security reasons. If you want to
|
||||
# create dirs. with group=rw permissions, set next parameter to 0775.
|
||||
directory mask = 0700
|
||||
{% endif %}
|
||||
|
||||
# By default, \\server\username shares can be connected to by anyone
|
||||
# with access to the samba server.
|
||||
@@ -319,6 +328,37 @@
|
||||
# to \\server\username
|
||||
# This might need tweaking when using external authentication schemes
|
||||
valid users = %S
|
||||
{% if samba_homes_virusfilter | default(false) | bool %}
|
||||
|
||||
# --- Virusfilter-Einstellungen [homes] ---
|
||||
|
||||
vfs objects = virusfilter
|
||||
|
||||
virusfilter:scanner = clamav
|
||||
virusfilter:socket path = /var/run/clamav/clamd.ctl
|
||||
|
||||
virusfilter:infected file action = delete
|
||||
|
||||
virusfilter:cache entry limit = 1000
|
||||
virusfilter:cache time limit = 60
|
||||
|
||||
#virusfilter:max file size = 52428800 # 50 MB max
|
||||
#virusfilter:max file size = 26214400 # 25 MB max
|
||||
virusfilter:max file size = 15728640 # 15 MB max
|
||||
virusfilter:min file size = 10
|
||||
|
||||
virusfilter:scan on open = yes
|
||||
virusfilter:scan on close = yes
|
||||
|
||||
# Fehlercode bei infizierter Datei (beim Öffnen)
|
||||
virusfilter:infected file errno on open = EACCES
|
||||
|
||||
# Fehlercode beim Schließen
|
||||
virusfilter:infected file errno on close = EACCES
|
||||
|
||||
virusfilter:connect timeout = 30000
|
||||
virusfilter:io timeout = 60000
|
||||
{% endif %}
|
||||
|
||||
# Un-comment the following and create the netlogon directory for Domain Logons
|
||||
# (you need to configure Samba to act as a domain controller too.)
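Review bot: `virusfilter:infected file action = delete` in the new [homes] block destroys the user's file on every positive match, including ClamAV false positives, and nothing in the block preserves a copy; the AppArmor snippet in this commit grants `/data/samba/QUARANTINE/** rw`, which suggests quarantining is already the intended handling elsewhere, so `virusfilter:infected file action = quarantine` with a `virusfilter:quarantine directory` under that tree would be the consistent and recoverable choice. The block also repeats the scanner, cache, size, errno and timeout keys of the per-share block later in the file almost verbatim; Samba applies share options set in [global] as defaults for every share, so moving the common `virusfilter:*` keys there leaves only `vfs objects = virusfilter` per share and one place to change the limits. The German comments (`# --- Virusfilter-Einstellungen [homes] ---`, `# Fehlercode ...`) should match the file's English comment style.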
|
||||
@@ -447,8 +487,8 @@
|
||||
recycle:excludedir = /tmp,/temp,/cache,.Trash
|
||||
recycle:repository = {{ item.recycle_path | default('@Recycle.Bin') }}
|
||||
|
||||
# - This is a list of files and directories that are neither visible nor accessible.
|
||||
# - Each entry in the list must be separated by a '/', which allows spaces to be
|
||||
# - This is a list of files and directories that are neither visible nor accessible.
|
||||
# - Each entry in the list must be separated by a '/', which allows spaces to be
|
||||
# - included in the entry. '*' and '?' can be used to specify multiple files or
|
||||
# - directories as in DOS wildcards.
|
||||
# -
|
||||
@@ -484,12 +524,19 @@
|
||||
|
||||
# Dateigröße: Was wird gescannt?
|
||||
#virusfilter:max file size = 52428800 # 50 MB max
|
||||
virusfilter:max file size = 26214400 # 25 MB max
|
||||
#virusfilter:max file size = 26214400 # 25 MB max
|
||||
virusfilter:max file size = 15728640 # 15 MB max
|
||||
virusfilter:min file size = 10 # unter 10 Byte ignorieren
|
||||
|
||||
# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
|
||||
virusfilter:scan on open = yes
|
||||
virusfilter:scan on close = no
|
||||
virusfilter:scan on close = yes
|
||||
|
||||
# Fehlercode bei infizierter Datei (beim Öffnen)
|
||||
virusfilter:infected file errno on open = EACCES
|
||||
|
||||
# Fehlercode beim Schließen
|
||||
virusfilter:infected file errno on close = EACCES
|
||||
|
||||
# Timeouts (Millisekunden)
|
||||
virusfilter:connect timeout = 30000
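Review bot: The comment `# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen` (scan only on open, not on close) now contradicts the line it describes, since this hunk flips `virusfilter:scan on close` from `no` to `yes`. Replace it with `# Scan on open and on close` (English, matching the rest of the file) or drop the explanation. Lowering `virusfilter:max file size` to 15 MB also means files above that size are stored without being scanned; if that trade-off is deliberate, a short comment stating why 15 MB was chosen would save the next reader from guessing, as the two commented-out values above it give no rationale.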
|
||||
|
||||
@@ -0,0 +1,221 @@
|
||||
# ipt-server — Migrationsleitfaden
|
||||
|
||||
Dieser Leitfaden beschreibt, wie ein bestehender Host vom alten Verfahren
|
||||
(manuell verwaltete `/etc/ipt-firewall/`-Dateien, ggf. `firewall`- oder
|
||||
`modify-ipt-server`-Rolle) auf die neue `ipt-server`-Ansible-Rolle umgestellt
|
||||
wird.
|
||||
|
||||
---
|
||||
|
||||
## Überblick
|
||||
|
||||
Das alte Verfahren:
|
||||
|
||||
- Firewall-Skripte und Conf-Dateien wurden manuell oder über die alte `firewall`-Rolle
|
||||
(lineinfile/blockinfile) gepflegt.
|
||||
- Änderungen direkt in `/etc/ipt-firewall/` auf dem Host.
|
||||
|
||||
Das neue Verfahren:
|
||||
|
||||
- Alle Firewall-Einstellungen liegen in `host_vars/${HOSTNAME}/ipt-server.yml`.
|
||||
- Ansible deployt die Config-Dateien aus Jinja2-Templates.
|
||||
- Direktes Editieren auf dem Host ist nicht mehr vorgesehen.
|
||||
|
||||
Die Migration ist **nicht-destruktiv**: Bestehende Config-Dateien werden erst
|
||||
dann überschrieben, wenn die Migration explizit freigegeben wird (`fw_manage_config: true`).
|
||||
|
||||
---
|
||||
|
||||
## Schritt 1 — Aktuellen Stand einfrieren
|
||||
|
||||
Vor jeder anderen Änderung den Zustand der laufenden Firewall-Rules sichern.
|
||||
Das ist der Referenzwert für den späteren Vergleich mit den Ansible-generierten
|
||||
Rules.
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
ssh -t ${HOSTNAME} '
|
||||
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
|
||||
> /tmp/fw_before_v4.rules
|
||||
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
|
||||
> /tmp/fw_before_v6.rules
|
||||
echo "Stand gesichert."
|
||||
'
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Schritt 2 — Aktuelle Konfiguration auslesen
|
||||
|
||||
Das Skript `extract-fw-host-vars.py` liest die vier Conf-Dateien vom Host via SSH,
|
||||
mappt alle Variablen auf die `fw_*`-Ansible-Variablen und schreibt eine fertige
|
||||
`host_vars`-Datei:
|
||||
|
||||
```bash
|
||||
cd /path/to/ansible/oopen-server
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
./extract-fw-host-vars.py ${HOSTNAME} --sudo \
|
||||
-o host_vars/${HOSTNAME}/ipt-server.yml
|
||||
```
|
||||
|
||||
Das Skript fragt einmalig nach dem `sudo`-Passwort.
|
||||
|
||||
**Ergebnis prüfen:**
|
||||
|
||||
```bash
|
||||
cat host_vars/${HOSTNAME}/ipt-server.yml
|
||||
```
|
||||
|
||||
Kontrollpunkte:
|
||||
|
||||
- Sind `fw_ext_interfaces`, `fw_ext_ips_v4`, `fw_ext_ips_v6` korrekt?
|
||||
- Sind aktivierte Dienste (Mail, HTTP, VPN usw.) vorhanden?
|
||||
- Sind `munin_remote_ipv4` / `munin_remote_ipv6` eingetragen (falls Munin läuft)?
|
||||
|
||||
Fehlende oder falsche Werte können direkt in der YAML-Datei korrigiert werden.
|
||||
Alle Variablen und ihre Bedeutung stehen in `defaults/main.yml`.
|
||||
|
||||
---
|
||||
|
||||
## Schritt 3 — Erste Ausrollung (Safety-Guard aktiv)
|
||||
|
||||
Solange `fw_manage_config` nicht auf `true` gesetzt ist (Default: `false`),
|
||||
überschreibt Ansible **keine** bestehenden Config-Dateien. Es werden nur
|
||||
installiert:
|
||||
|
||||
- Firewall-Skripte → `/usr/local/sbin/`
|
||||
- Geteilte Conf-Dateien → `/etc/ipt-firewall/`
|
||||
- Systemd-Units → `/etc/systemd/system/`
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
# Vorschau:
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
|
||||
|
||||
# Ausrollen:
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
|
||||
```
|
||||
|
||||
Die host-spezifischen Config-Dateien (`main_ipv4.conf`, `main_ipv6.conf`,
|
||||
`interfaces_ipv4.conf`, `interfaces_ipv6.conf`) bleiben unangetastet.
|
||||
|
||||
Ändern sich jedoch Firewall-Skripte, geteilte Conf-Dateien oder Systemd-Units
|
||||
(typisch bei Erstinstallation), **wird die Firewall neu gestartet** — mit den
|
||||
bestehenden Config-Dateien, also ohne inhaltliche Regeländerung.
|
||||
|
||||
---
|
||||
|
||||
## Schritt 4 — Ansible als autoritative Quelle freischalten und verifizieren
|
||||
|
||||
Jetzt wird `fw_manage_config: true` gesetzt, damit Ansible die vier
|
||||
host-spezifischen Config-Dateien aus den Templates schreibt:
|
||||
|
||||
```yaml
|
||||
# host_vars/${HOSTNAME}/ipt-server.yml
|
||||
---
|
||||
fw_manage_config: true # ← hinzufügen / auf true setzen
|
||||
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
# ...
|
||||
```
|
||||
|
||||
**Vorschau:** Zeigt genau, was in den Config-Dateien geändert wird — hier
|
||||
sorgfältig prüfen, ob die neuen Werte den alten entsprechen:
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
|
||||
```
|
||||
|
||||
**Anwenden:** Ansible schreibt die neuen Config-Dateien und startet die Firewall
|
||||
automatisch neu (da sich die Dateien geändert haben):
|
||||
|
||||
```bash
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
|
||||
```
|
||||
|
||||
**Verifizieren:** Jetzt die neuen Rules mit dem gesicherten Stand vergleichen:
|
||||
|
||||
```bash
|
||||
ssh -t ${HOSTNAME} '
|
||||
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
|
||||
> /tmp/fw_after_v4.rules
|
||||
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
|
||||
> /tmp/fw_after_v6.rules
|
||||
echo "=== IPv4 diff ==="
|
||||
diff /tmp/fw_before_v4.rules /tmp/fw_after_v4.rules
|
||||
echo "=== IPv6 diff ==="
|
||||
diff /tmp/fw_before_v6.rules /tmp/fw_after_v6.rules
|
||||
'
|
||||
```
|
||||
|
||||
**Erwartetes Ergebnis:** Beide Diffs sind leer — die Ansible-generierten
|
||||
Config-Dateien produzieren exakt dieselben Rules wie die bisher händisch
|
||||
verwalteten.
|
||||
|
||||
Falls Unterschiede erscheinen: die abweichenden Rules identifizieren, die
|
||||
entsprechenden Variablen in `host_vars/${HOSTNAME}/ipt-server.yml` nachpflegen,
|
||||
erneut ausrollen und den Diff wiederholen.
|
||||
|
||||
Ab jetzt:
|
||||
|
||||
- Ansible überschreibt die vier Config-Dateien bei jedem Run aus den Templates.
|
||||
- Bei Änderungen an Templates oder host_vars wird die Firewall automatisch
|
||||
neu gestartet.
|
||||
- Direktes Editieren von `/etc/ipt-firewall/interfaces_*.conf` oder `main_*.conf`
|
||||
auf dem Host wird beim nächsten Ansible-Run überschrieben.
|
||||
|
||||
---
|
||||
|
||||
## Schritt 5 — Altes System deaktivieren
|
||||
|
||||
### Altes Ansible-Vorgehen abschalten
|
||||
|
||||
Sicherstellen, dass der Host nicht mehr durch die alte `firewall`-Rolle oder
|
||||
`modify-ipt-server`-Rolle verwaltet wird. Falls der Host in einem Playbook
|
||||
eingetragen ist, das diese Rollen verwendet, den Host dort entfernen oder das
|
||||
Playbook anpassen.
|
||||
|
||||
### Altes git-Repository auf dem Host entfernen (optional)
|
||||
|
||||
Das Repository `/usr/local/src/ipt-server` wird von der neuen Rolle nicht mehr
|
||||
benötigt. Es kann entfernt werden:
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
ssh ${HOSTNAME} 'rm -rf /usr/local/src/ipt-server'
|
||||
```
|
||||
|
||||
Vorher prüfen, ob das Verzeichnis noch anderweitig verwendet wird.
|
||||
|
||||
### Sicherstellen, dass niemand mehr direkt editiert
|
||||
|
||||
Da `fw_manage_config: true` gesetzt ist, werden direkte Änderungen in
|
||||
`/etc/ipt-firewall/` beim nächsten Ansible-Run überschrieben. Als zusätzliche
|
||||
Absicherung enthält jede von Ansible generierte Config-Datei oben folgenden
|
||||
Hinweis (via `{{ ansible_managed }}`):
|
||||
|
||||
```ini
|
||||
# Ansible managed
|
||||
# DO NOT EDIT - changes will be overwritten on the next Ansible run.
|
||||
# Edit host_vars/${HOSTNAME}/ipt-server.yml instead.
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Zusammenfassung
|
||||
|
||||
| Schritt | Befehl / Aktion | Wann |
|
||||
| --- | --- | --- |
|
||||
| 1 | Aktuellen Rules-Stand auf dem Host sichern | Einmalig pro Host |
|
||||
| 2 | `extract-fw-host-vars.py` ausführen, Ergebnis prüfen | Einmalig pro Host |
|
||||
| 3 | Erste Ausrollung (Safety-Guard aktiv) — Skripte + Units | Einmalig pro Host |
|
||||
| 4 | `fw_manage_config: true` + `--check --diff` + ausrollen + Rules vergleichen | Einmalig pro Host |
|
||||
| 5 | Alte Rolle deaktivieren, git-Repo auf Host entfernen | Einmalig pro Host |
|
||||
| — | Änderungen: host_vars editieren + `ansible-playbook` | Ab jetzt immer so |
|
||||
@@ -0,0 +1,206 @@
|
||||
# ipt-server — Ansible Role
|
||||
|
||||
Verwaltet die iptables/ip6tables-basierte Firewall (`ipt-firewall-server` /
|
||||
`ip6t-firewall-server`) auf Debian-Hosts.
|
||||
|
||||
Die Rolle ist die **einzige** autorisierte Stelle für Firewall-Änderungen. Direkte
|
||||
Edits in `/etc/ipt-firewall/` auf dem Host werden beim nächsten Ansible-Run
|
||||
überschrieben, sobald `fw_manage_config: true` gesetzt ist.
|
||||
|
||||
---
|
||||
|
||||
## Verzeichnisstruktur
|
||||
|
||||
```
|
||||
roles/ipt-server/
|
||||
├── defaults/main.yml # Alle Variablen mit Defaults
|
||||
├── files/
|
||||
│ ├── etc/ipt-firewall/ # Geteilte Conf-Dateien (nicht host-spezifisch)
|
||||
│ │ ├── default_settings.conf
|
||||
│ │ ├── include_functions.conf
|
||||
│ │ ├── logging_ipv4.conf
|
||||
│ │ ├── logging_ipv6.conf
|
||||
│ │ ├── post_declarations.conf
|
||||
│ │ ├── ban_ipv4.list.sample
|
||||
│ │ └── ban_ipv6.list.sample
|
||||
│ ├── etc/systemd/system/
|
||||
│ │ ├── ipt-firewall.service
|
||||
│ │ └── ip6t-firewall.service
|
||||
│ └── usr/local/sbin/
|
||||
│ ├── ipt-firewall-server # IPv4-Firewall-Skript
|
||||
│ └── ip6t-firewall-server # IPv6-Firewall-Skript
|
||||
├── handlers/main.yml
|
||||
├── tasks/main.yml
|
||||
└── templates/
|
||||
└── etc/ipt-firewall/
|
||||
├── interfaces_ipv4.conf.j2 # Host-spezifisch: Interfaces + IPs
|
||||
├── interfaces_ipv6.conf.j2
|
||||
├── main_ipv4.conf.j2 # Host-spezifisch: Dienste, Regeln
|
||||
└── main_ipv6.conf.j2
|
||||
```
|
||||
|
||||
Host-spezifische Konfiguration liegt ausschließlich in:
|
||||
|
||||
```
|
||||
host_vars/${HOSTNAME}/ipt-server.yml
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Neuen Host aufnehmen
|
||||
|
||||
### Voraussetzungen
|
||||
|
||||
- Host ist im Ansible-Inventory (`hosts`) eingetragen.
|
||||
- SSH-Zugang mit `sudo`-Rechten ist vorhanden.
|
||||
|
||||
### Schritt 1 — host_vars anlegen
|
||||
|
||||
```bash
|
||||
cd /path/to/ansible/oopen-server
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
mkdir -p host_vars/${HOSTNAME}
|
||||
cat > host_vars/${HOSTNAME}/ipt-server.yml << 'EOF'
|
||||
---
|
||||
fw_manage_config: true
|
||||
|
||||
# --- Netzwerk
|
||||
fw_ext_interfaces:
|
||||
- "eth0"
|
||||
fw_ext_ips_v4:
|
||||
- "1.2.3.4"
|
||||
fw_ext_ips_v6:
|
||||
- "2001:db8::1"
|
||||
EOF
|
||||
```
|
||||
|
||||
Alle weiteren Variablen sind optional — sie greifen auf die Defaults in
|
||||
`defaults/main.yml` zurück. Nur abweichende Werte müssen gesetzt werden.
|
||||
|
||||
Für eine vollständige Variablenreferenz: `defaults/main.yml`.
|
||||
|
||||
### Schritt 2 — Dry-run
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
|
||||
```
|
||||
|
||||
Der Diff zeigt genau, welche Dateien angelegt und welche Config-Werte gesetzt
|
||||
werden. Prüfen, ob Interfaces, IPs und Dienste stimmen.
|
||||
|
||||
### Schritt 3 — Scharf stellen
|
||||
|
||||
```bash
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
|
||||
```
|
||||
|
||||
Was passiert:
|
||||
- Firewall-Skripte werden nach `/usr/local/sbin/` kopiert.
|
||||
- Geteilte Conf-Dateien werden nach `/etc/ipt-firewall/` kopiert.
|
||||
- Systemd-Units werden installiert, Dienste werden aktiviert und gestartet.
|
||||
- Config-Dateien (`interfaces_*.conf`, `main_*.conf`) werden aus den Templates
|
||||
erzeugt und die Firewall wird gestartet.
|
||||
|
||||
---
|
||||
|
||||
## Konfiguration ändern
|
||||
|
||||
Alle Änderungen erfolgen ausschließlich in der host_vars-Datei des Hosts:
|
||||
|
||||
```
|
||||
host_vars/${HOSTNAME}/ipt-server.yml
|
||||
```
|
||||
|
||||
Danach:
|
||||
|
||||
```bash
|
||||
HOSTNAME=<hostname>
|
||||
|
||||
# Vorschau:
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
|
||||
|
||||
# Anwenden (ändert Config, startet Firewall bei Änderungen neu):
|
||||
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
|
||||
```
|
||||
|
||||
Ansible erkennt automatisch, ob sich eine Config-Datei geändert hat. Nur bei
|
||||
tatsächlichen Änderungen wird die Firewall neu gestartet.
|
||||
|
||||
### Beispiel: HTTP-Server aktivieren
|
||||
|
||||
```yaml
|
||||
# host_vars/${HOSTNAME}/ipt-server.yml
|
||||
fw_http_server_ips: "$ext_ips" # oder konkrete IP
|
||||
```
|
||||
|
||||
### Beispiel: SSH auf bestimmten Port einschränken
|
||||
|
||||
```yaml
|
||||
fw_ssh_ports: "2222"
|
||||
```
|
||||
|
||||
### Beispiel: LXC-Gäste eintragen
|
||||
|
||||
```yaml
|
||||
fw_lxc_guest_ips_v4:
|
||||
- "10.0.3.10"
|
||||
- "10.0.3.11"
|
||||
fw_lxc_guest_ips_v6:
|
||||
- "fd00::10"
|
||||
- "fd00::11"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Firewall-Skripte aktualisieren
|
||||
|
||||
Wenn `ipt-firewall-server` oder `ip6t-firewall-server` im `ipt-server`-Repository
|
||||
aktualisiert werden, müssen die neuen Versionen manuell in die Rolle übernommen
|
||||
werden:
|
||||
|
||||
```bash
|
||||
SRC=/path/to/ipt-server
|
||||
DST=roles/ipt-server/files/usr/local/sbin
|
||||
|
||||
cp $SRC/ipt-firewall-server $DST/
|
||||
cp $SRC/ip6t-firewall-server $DST/
|
||||
chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server
|
||||
```
|
||||
|
||||
Ebenso für geteilte Conf-Dateien in `roles/ipt-server/files/etc/ipt-firewall/`.
|
||||
|
||||
Nach dem Commit werden die neuen Skripte beim nächsten Ansible-Run auf alle
|
||||
Hosts deployed.
|
||||
|
||||
---
|
||||
|
||||
## Wichtige Variablen
|
||||
|
||||
| Variable | Default | Bedeutung |
|
||||
|---|---|---|
|
||||
| `fw_manage_config` | `false` | `true` = Ansible verwaltet Config-Dateien vollständig |
|
||||
| `fw_ext_interfaces` | `[]` | Externe Netzwerk-Interfaces, z.B. `["eth0"]` |
|
||||
| `fw_ext_ips_v4` | `[]` | Externe IPv4-Adressen |
|
||||
| `fw_ext_ips_v6` | `[]` | Externe IPv6-Adressen |
|
||||
| `fw_ssh_server_ips` | `"$ext_ips"` | IPs auf denen SSH erlaubt ist |
|
||||
| `fw_ssh_ports` | `"$standard_ssh_port"` | SSH-Port(s) |
|
||||
| `fw_http_server_ips` | `""` | IPs auf denen HTTP/HTTPS erlaubt ist |
|
||||
| `munin_remote_ipv4` | `""` | Munin-Server IPv4 |
|
||||
| `munin_remote_ipv6` | `""` | Munin-Server IPv6 |
|
||||
|
||||
Alle Variablen mit Beschreibung und Defaults: `defaults/main.yml`.
|
||||
|
||||
Variablen die mit `$` beginnen (z.B. `$ext_ips`, `$standard_ssh_port`) sind
|
||||
Bash-Variablen — sie werden nicht von Ansible aufgelöst, sondern zur Laufzeit
|
||||
vom Firewall-Skript expandiert.
|
||||
|
||||
---
|
||||
|
||||
## Ban-Listen
|
||||
|
||||
`/etc/ipt-firewall/ban_ipv4.list` und `ban_ipv6.list` werden beim ersten
|
||||
Ausrollen aus den Beispiel-Dateien der Rolle erzeugt und danach **nicht mehr
|
||||
durch Ansible angefasst** — sie können auf dem Host direkt bearbeitet werden.
|
||||
@@ -0,0 +1,376 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# ipt-firewall role defaults
|
||||
# Override per host in host_vars/<hostname>/ipt_firewall.yml
|
||||
# ---
|
||||
|
||||
|
||||
# ---
|
||||
# Config management mode.
|
||||
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
|
||||
# true: Ansible is authoritative — config is always written from templates and
|
||||
# the firewall is restarted on any change. Set this after migrating a host.
|
||||
# ---
|
||||
|
||||
fw_manage_config: false
|
||||
|
||||
|
||||
# ---
|
||||
# Network interfaces and addresses (set per host in host_vars)
|
||||
# ---
|
||||
|
||||
fw_ext_interfaces: [] # e.g. ["eth0"]
|
||||
fw_ext_ips_v4: [] # e.g. ["83.223.86.98"]
|
||||
fw_ext_ips_v6: [] # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
|
||||
fw_local_interfaces: []
|
||||
fw_local_ips_v4: []
|
||||
fw_local_ips_v6: []
|
||||
fw_vpn_ifs: "tun+"
|
||||
fw_wg_ifs: "wg+"
|
||||
fw_lxc_guest_ips_v4: []
|
||||
fw_lxc_guest_ips_v6: []
|
||||
fw_nat_devices: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Munin monitoring (often set in group_vars or role defaults)
|
||||
# ---
|
||||
|
||||
munin_remote_ipv4: ""
|
||||
munin_remote_ipv6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Bridged / LXC traffic
|
||||
# ---
|
||||
|
||||
fw_do_not_firewall_bridged_traffic: false
|
||||
fw_do_not_firewall_lx_guest_systems: false
|
||||
|
||||
|
||||
# ---
|
||||
# Drop policies
|
||||
# ---
|
||||
|
||||
fw_drop_icmp: false
|
||||
fw_drop_mndp: true
|
||||
fw_drop_mdns: true
|
||||
|
||||
|
||||
# ---
|
||||
# Outgoing / interface policy
|
||||
# ---
|
||||
|
||||
fw_allow_all_outgoing_traffic: false
|
||||
fw_blocked_ifs: ""
|
||||
fw_unprotected_ifs: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Forwarding (protocol-specific addresses)
|
||||
# ---
|
||||
|
||||
fw_forward_private_ips_v4: ""
|
||||
fw_forward_private_ips_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
|
||||
# ---
|
||||
|
||||
fw_restrict_local_service_to_net_v4: ""
|
||||
fw_restrict_local_service_to_net_v6: ""
|
||||
fw_restrict_local_net_to_net_v4: ""
|
||||
fw_restrict_local_net_to_net_v6: ""
|
||||
fw_allow_ext_service_v4: ""
|
||||
fw_allow_ext_service_v6: ""
|
||||
fw_allow_ext_net_v4: ""
|
||||
fw_allow_ext_net_v6: ""
|
||||
fw_allow_local_service_v4: ""
|
||||
fw_allow_local_service_v6: ""
|
||||
fw_allow_local_service_from_networks_v4: ""
|
||||
fw_allow_local_service_from_networks_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: VPN / WireGuard
|
||||
# ---
|
||||
|
||||
fw_vpn_server_ips: ""
|
||||
fw_forward_vpn_server_ips: ""
|
||||
fw_vpn_ports: "$standard_vpn_port"
|
||||
fw_wireguard_server_ips: ""
|
||||
fw_forward_wireguard_server_ips: ""
|
||||
fw_wireguard_server_ports: "$standard_wireguard_port"
|
||||
fw_wireguard_out_ports: "$standard_wireguard_port"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: NTP
|
||||
# ---
|
||||
|
||||
fw_local_ntp_service: false
|
||||
fw_ntp_port: "$standard_ntp_port"
|
||||
fw_ntp_allowed_net: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: DHCP (IPv4 only)
|
||||
# ---
|
||||
|
||||
fw_dhcp_server_ifs: ""
|
||||
fw_dhcp_client_ifs: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: DNS
|
||||
# ---
|
||||
|
||||
fw_dns_server_ips: ""
|
||||
fw_forward_dns_server_ips: ""
|
||||
fw_local_resolver_service: false
|
||||
fw_resolver_port: "$standard_dns_port"
|
||||
fw_resolver_allowed_networks_v4: ""
|
||||
fw_resolver_allowed_networks_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: SSH
|
||||
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
|
||||
# Override in host_vars to restrict to specific IPs.
|
||||
# ---
|
||||
|
||||
fw_ssh_server_ips: "$ext_ips"
|
||||
fw_forward_ssh_server_ips: ""
|
||||
fw_ssh_ports: "$standard_ssh_port"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: HTTP(S)
|
||||
# ---
|
||||
|
||||
fw_http_server_ips: ""
|
||||
fw_forward_http_server_ips: ""
|
||||
fw_http_ports: "$standard_http_ports"
|
||||
fw_log_cgi_traffic_out: false
|
||||
fw_cgi_script_users: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Mattermost
|
||||
# ---
|
||||
|
||||
fw_mm_server_ips: ""
|
||||
fw_forward_mm_server_ips: ""
|
||||
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
|
||||
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Mail
|
||||
# ---
|
||||
|
||||
fw_smtpd_ips: ""
|
||||
fw_forward_smtpd_ips: ""
|
||||
fw_smtpd_additional_listen_ports: ""
|
||||
fw_smtpd_additional_outgoing_ports: ""
|
||||
fw_mail_server_ips: ""
|
||||
fw_forward_mail_server_ips: ""
|
||||
fw_mail_user_ports: "$standard_mailuser_ports"
|
||||
fw_mail_client_ips: ""
|
||||
fw_forward_mail_client_ips: ""
|
||||
fw_dovecot_auth_service: false
|
||||
fw_dovecot_auth_port: "$dovecot_external_auth_port"
|
||||
fw_dovecot_auth_allowed_networks_v4: ""
|
||||
fw_dovecot_auth_allowed_networks_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: FTP
|
||||
# ---
|
||||
|
||||
fw_ftp_server_ips: ""
|
||||
fw_forward_ftp_server_ips: ""
|
||||
fw_ftp_passive_port_range: "50000:50400"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: XMPP (Jabber / Prosody)
|
||||
# ---
|
||||
|
||||
fw_xmpp_server_ips: ""
|
||||
fw_forward_xmpp_server_ips: ""
|
||||
fw_xmmp_tcp_in_ports: "5222 5223 5269"
|
||||
fw_xmmp_tcp_out_ports: "5269"
|
||||
fw_xmmp_remote_out_services_v4: ""
|
||||
fw_xmmp_remote_out_services_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Mumble
|
||||
# ---
|
||||
|
||||
fw_mumble_server_ips: ""
|
||||
fw_forward_mumble_server_ips: ""
|
||||
fw_mumble_ports: "$standard_mumble_port"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Jitsi / Jibri
|
||||
# ---
|
||||
|
||||
fw_jitsi_server_ips: ""
|
||||
fw_forward_jitsi_server_ips: ""
|
||||
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
|
||||
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
|
||||
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
|
||||
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
|
||||
fw_jitsi_dovecot_auth: false
|
||||
fw_jitsi_dovecot_host: ""
|
||||
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
|
||||
fw_jitsi_jibri_remote_auth: false
|
||||
fw_jitsi_jibri_remote_ips: ""
|
||||
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
|
||||
fw_jibri_server_ips: ""
|
||||
fw_forward_jibri_server_ips: ""
|
||||
fw_jibri_remote_jitsi_server: ""
|
||||
fw_jibri_remote_auth_port: "$default_jibri_out_port"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: TURN / STUN (Nextcloud Talk)
|
||||
# ---
|
||||
|
||||
fw_nc_turn_server_ips: ""
|
||||
fw_forward_nc_turn_server_ips: ""
|
||||
fw_nc_turn_ports: "$standard_turn_service_ports"
|
||||
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: TFTP
|
||||
# ---
|
||||
|
||||
fw_tftp_server_ips: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Prometheus
|
||||
# ---
|
||||
|
||||
fw_prometheus_local_server_ips: ""
|
||||
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
|
||||
fw_prometheus_local_client_ips: ""
|
||||
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
|
||||
fw_prometheus_remote_server_ips: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Munin
|
||||
# ---
|
||||
|
||||
fw_munin_server_ips: ""
|
||||
fw_forward_munin_server_ips: ""
|
||||
fw_munin_remote_port: "$standard_munin_port"
|
||||
fw_munin_local_port: "4949"
|
||||
|
||||
|
||||
# ---
|
||||
# Services: Xymon
|
||||
# ---
|
||||
|
||||
fw_xymon_server_ips: ""
|
||||
fw_local_xymon_client: false
|
||||
fw_xymon_port: "$standard_xymon_port"
|
||||
|
||||
|
||||
# ---
|
||||
# Protocols out: Rsync
|
||||
# ---
|
||||
|
||||
fw_rsync_out_ips: ""
|
||||
fw_forward_rsync_out_ips: ""
|
||||
fw_rsync_ports: "873"
|
||||
|
||||
|
||||
# ---
|
||||
# Special ports (OUT)
|
||||
# ---
|
||||
|
||||
fw_tcp_out_ports: ""
|
||||
fw_forward_tcp_out_ports: ""
|
||||
fw_udp_out_ports: ""
|
||||
fw_forward_udp_out_ports: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Portforwarding (protocol-specific formats)
|
||||
# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
|
||||
# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
|
||||
# ---
|
||||
|
||||
fw_portforward_tcp_v4: ""
|
||||
fw_portforward_udp_v4: ""
|
||||
fw_portforward_tcp_v6: ""
|
||||
fw_portforward_udp_v6: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Blocked IPs / ports
|
||||
# ---
|
||||
|
||||
fw_blocked_ips: ""
|
||||
fw_block_tcp_ports: "111 113 135 137:139 445"
|
||||
fw_block_udp_ports: "111 137:139"
|
||||
|
||||
|
||||
# ---
|
||||
# Special / counters
|
||||
# ---
|
||||
|
||||
fw_create_traffic_counter: true
|
||||
fw_create_iperf_rules: true
|
||||
|
||||
|
||||
# ---
|
||||
# Protection
|
||||
# ---
|
||||
|
||||
fw_protection_against_syn_flooding: true
|
||||
fw_protection_against_port_scanning: true
|
||||
fw_protection_against_ssh_brute_force_attacks: true
|
||||
|
||||
|
||||
# ---
|
||||
# Connection limits
|
||||
# ---
|
||||
|
||||
fw_limit_connections_per_source_IP: true
|
||||
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
|
||||
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
|
||||
fw_limit_new_tcp_connections_per_seconds_ports: ""
|
||||
|
||||
|
||||
# ---
|
||||
# Kernel parameters — IPv4
|
||||
# ---
|
||||
|
||||
fw_kernel_activate_forwarding: false
|
||||
fw_kernel_support_dynaddr: false
|
||||
fw_dynaddr_flag: "5"
|
||||
fw_kernel_reduce_timeouts: true
|
||||
fw_kernel_tcp_syncookies: true
|
||||
fw_kernel_protect_against_icmp_bogus_messages: true
|
||||
fw_kernel_ignore_broadcast_ping: true
|
||||
fw_kernel_deactivate_source_route: true
|
||||
fw_kernel_dont_accept_redirects: true
|
||||
fw_kernel_activate_rp_filter: true
|
||||
fw_kernel_log_martians: false
|
||||
|
||||
|
||||
# ---
|
||||
# Kernel parameters — IPv6
|
||||
# ---
|
||||
|
||||
fw_kernel_forward_between_interfaces: false
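Review bot: `fw_mm_udp_ports_in` and `fw_mm_udp_ports_out` default to `$stansard_mattermost_udp_ports_in` / `$stansard_mattermost_udp_ports_out`, and `fw_jitsi_dovecot_port` to `$default_jitsi_dovecout_auth_port`; every other default uses `standard_…` / `dovecot`, so unless the firewall script really defines variables with these spellings they would expand to empty strings at run time and the corresponding rules would silently not be created. Please check the three names against the script shipped in `files/usr/local/sbin/` and fix whichever side is misspelled. The header comment also points to `host_vars/<hostname>/ipt_firewall.yml` and calls this the `ipt-firewall role`, while the README and migration guide in this commit use `roles/ipt-server/` and `host_vars/${HOSTNAME}/ipt-server.yml`; `# Override per host in host_vars/<hostname>/ipt-server.yml` keeps the three in agreement.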
|
||||
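--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,36 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# - network/nn CIDR notation like 1.2.3.0/27
+# - network/netmask notaions like 1.2.3.0/255.255.255.0
+# - network/partial_netmask like 1.2.3.4/255
+# -
+# - Note:
+# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# - 79.171.81.0/24
+# - 79.171.81.0/255.255.255.0
+# - 79.171.81.0/255.255.255
+# - 79.171.81
+
+# CHINANET-JS
+222.184.0.0/13
+61.160.0.0/16
+
+# CHINANET-GX
+116.8.0.0/14
+
+# BAIDU-HK - Hong Kong
+103.235.44.0/22
+# UNICOM-HE - China Unicom Hebei province network
+110.240.0.0/12
+# CMNET - China Mobile Communications Corporation
+39.128.0.0/10
+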
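Review bot: The header's description of single-address handling is wrong: "complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)" would turn a host entry into a different host; a /32 keeps the address as given, so the line should read `# - complete IPv4 addresses like 1.2.3.4 (will be converted to 1.2.3.4/32)`. An operator reading this could believe the last octet is ignored and list the wrong host. While editing, "listet", "completly", "adresses" and "notaions" should be "listed", "completely", "addresses" and "notations".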
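--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note:
+# - - If no mask is given mask will be set to '64'
+# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# - 2a01:30:0:13:5054:ff::1
+# - 2a01:30:0:13:5054:ff::1/56
+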
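Review bot: The note "If no mask is given mask will be set to '64'" means that listing a single host silently bans its whole /64, which is a much wider block than the IPv4 file's /32 default for a bare address and is easy to miss when copying an address from a log. Either the parser should default a bare address to /128 (as the IPv4 list does with /32), or the header should say so plainly, e.g. `# - - A bare address without a mask bans its entire /64; append /128 to ban only that host`. The same "listet"/"completly"/"adresses" typos as in the IPv4 list apply here.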
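--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Default Parameter / Options
+# -------------
+
+default_per_IP_connection_limit=111
+
+
+# -------------
+# --- Default Ports for Services out
+# -------------
+
+standard_checkmk_port=6556
+standard_cpan_wait_port=1404
+standard_dns_port=53
+standard_ftp_port=21
+standard_ftp_data_port=20
+standard_git_port=9418
+standard_hbci_port=3000
+standard_http_port=80
+standard_https_port=443
+standard_ident_port=113
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_ldap_port=389
+standard_ldaps_port=636
+standard_mdns_port=5353
+standard_mndp_port=5678
+standard_mumble_port=64738
+standard_munin_port=4949
+standard_mysql_port=3306
+standard_ntp_port=123
+standard_pgp_keyserver_port=11371
+standard_print_port=9100
+standard_print_raw_port=515
+standard_remote_console_port=5900
+standard_silc_port=706
+standard_smtp_port=25
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_ssh_port=22
+standard_telnet_port=23
+standard_tftp_udp_port=69
+standard_timeserver_port=37
+standard_vpn_port=1194
+standard_wireguard_port=51820
+standard_whois_port=43
+standard_xymon_port=1984
+
+# - Prometheus services
+# -
+standard_prometheus_ports="9100,9256"
+
+# - Mattermost (MM) Service
+# -
+stansard_mattermost_udp_ports_in="8443"
+stansard_mattermost_udp_ports_out="3478"
+
+# - IPsec - Internet Security Association and
+# - Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+
+# - Dovecot Service
+# -
+dovecot_external_auth_port="44444"
+
+# - Jitsi Video Conference Service
+# -
+standard_jitsi_tcp_ports="$standard_http_ports"
+standard_jitsi_udp_port_range="10000:20000"
+default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
+
+# - Jibri Service
+# -
+default_jibri_out_port=5222
+# default_outbound_streaming_tcp_ports
+#
+# - outbound port 1935/TCP : outbound streaming over RTMP to most
+# streaming providers such as YouTube Live, Vimeo or Twitch
+#
+# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
+# Live (port 1935 is also used for RTMP streaming to LinkedIn)
+#
+# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
+# RTMPS to LinkedIn Live
+#
+# - outbound port 443/TCP (HTTPS) : used for authentication with the
+# built-in providers such as YouTube Live, Facebook Live, Ustream,
+# Livestream, and Twitch
+#
+# - outbound port 53/UDP (DNS) used for DNS lookups converting
+# hostnames to IP addresses
+#
+default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
+
+
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# -
+standard_turn_service_ports="3478:3479,5349:5350"
+standard_turn_service_udp_ports="49152:65535"
+
+
+# -------------
+# --- Predefined Ports
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+link_local_rfc_5735="169.254.0.0/16"
+
+test_net_1_rfc_5735="192.0.2.0/24"
+this_net_rfc_5735="0.0.0.0/8"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/3"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+link_local_unicast_block="fe80::/10"
+multicast_ipv6="ff00::/8"
+
+# - Loopback
+loopback_ipv6="::1/128"
+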
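Review bot: The two bogon prefixes near the end of the file do not match the address classes their names claim: `class_d_multicast="224.0.0.0/3"` spans 224.0.0.0–255.255.255.255 (multicast plus all of class E), while `class_e_reserved="240.0.0.0/5"` stops at 247.255.255.255 and leaves 248.0.0.0/5 uncovered. Whether this causes wrong matches depends on how the rule files use the two variables, which are outside this hunk, but the values that correspond to the names are `class_d_multicast="224.0.0.0/4"` and `class_e_reserved="240.0.0.0/4"`. Separately, the Mattermost variables are spelled `stansard_mattermost_udp_ports_in`/`..._out`; if the rule files reference `standard_mattermost_...`, those lists expand to empty and the rules are silently skipped, so the spelling should be checked on both sides.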
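--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,268 @@
+#!/usr/bin/env bash
+
+# - Set firewall command (either iptables or ip6tables)
+#
+if [[ -x "${ip6t}" ]] ; then
+fw_command="${ip6t}"
+elif [[ -x "${ipt}" ]] ; then
+fw_command="${ipt}"
+fi
+
+# -------------
+# --- Some functions
+# -------------
+
+echononl(){
+echo X\\c > /tmp/shprompt$$
+if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+echo -e -n "$*\\c" 1>&2
+else
+echo -e -n "$*" 1>&2
+fi
+rm /tmp/shprompt$$
+}
+echo_done() {
+echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+echo ""
+echo -e "fatal Error: $*"
+echo ""
+echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+echo ""
+exit 1
+}
+
+error(){
+echo ""
+echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+echo ""
+}
+
+warn (){
+echo ""
+echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+echo ""
+}
+
+info (){
+echo ""
+echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+local e
+for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+return 1
+}
+
+is_number() {
+
+return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
+
+# - also possible
+# -
+#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
+#return $([[ ! -z "${1##*[!0-9]*}" ]])
+}
+
+trim() {
+local var="$*"
+var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
+var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
+echo -n "$var"
+}
+
+
+is_container() {
+command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
+}
+
+
+# -------------
+# - IPv6 handling
+# -------------
+
+ENABLE_IPV6="auto" # auto | yes | no
+IPV6_ACTIVE=0
+
+ipv6_sysctl_enabled() {
+sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
+}
+
+has_ipv6_addr() {
+ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
+}
+
+detect_ipv6() {
+case "$ENABLE_IPV6" in
+yes) return 0 ;;
+no) return 1 ;;
+auto) ipv6_sysctl_enabled ;;
+*) return 1 ;;
+esac
+}
+
+
+# -------------
+# - Network Device Stuff
+# -------------
+
+# get virtual ethernet interfaces and the master of the given bridge
+#
+get_vth_ports() {
+local br="$1"
+# lists virtual interfaces (veth*)) and the master interface of the given bridge
+ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
+}
+
+# -------------
+# - Fail2ban
+# -------------
+
+FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
+FAIL2BAN_WAS_RUNNING=false
+fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
+has_fail2ban() {
+command -v fail2ban-client >/dev/null 2>&1
+}
+
+fail2ban_running() {
+systemctl is-active --quiet fail2ban >/dev/null 2>&1
+}
+
+# -------------
+# - Debian 12/13 compatibility helpers (best effort)
+# -------------
+ensure_mod() {
+
+# ---
+# Load a kernel module if possible (no hard failure).
+# NOTE: In containers module loading is not possible; modules must be loaded on the host.
+# ---
+
+local m="$1"
+
+# Already loaded?
+if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
+return 0
+fi
+
+# Skip in containers/guests without module loading capability
+#
+is_container && return 0
+
+# Best effort modprobe
+/sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
+}
+
+# --- Feature detection helpers (Debian 12/13 + containers)
+module_loaded() {
+lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
+}
+
+can_use_recent() {
+# xt_recent is the kernel module behind "-m recent"
+# In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
+module_loaded xt_recent && return 0
+[ -d /proc/net/xt_recent ] && return 0
+# As a last resort, ask iptables to parse the match (works if userspace has it)
+"$ipt" -m recent -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_hashlimit() {
+# xt_hashlimit is the kernel module behind "-m hashlimit"
+module_loaded xt_hashlimit && return 0
+[ -d /proc/net/xt_hashlimit ] && return 0
+"${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_connlimit() {
+# xt_connlimit is the kernel module behind "-m connlimit"
+module_loaded xt_connlimit && return 0
+"${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_owner() {
+# xt_owner is the kernel module behind "-m owner"
+module_loaded xt_owner && return 0
+"${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_ct_target() {
+# Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
+"${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_helper_match() {
+# Check if helper match exists
+"${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
+return 1
+}
+
+can_use_nft() {
+command -v nft >/dev/null 2>&1 && return 0
+return 1
+}
+
+setup_ftp_conntrack_helper_output() {
+# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+if can_use_ct_target ; then
+"${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+return 0
+fi
+
+# nft fallback (nft-native helper assignment); keeps us "nft-ready"
+if can_use_nft ; then
+# Best-effort; may fail in containers without CAP_NET_ADMIN
+nft add table ip fwhelper >/dev/null 2>&1 || true
+nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
+nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+fi
+
+warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
+return 1
+}
+
+setup_ftp_conntrack_helper_prerouting() {
+# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
+if can_use_ct_target ; then
+"$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
+return 0
+fi
+
+# nft fallback (nft-native helper assignment); keeps us "nft-ready"
+if can_use_nft ; then
+nft add table ip fwhelper >/dev/null 2>&1 || true
+nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
+nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
+nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
+fi
+
+warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
+return 1
+}
+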
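Review bot: `echononl` writes to the predictable path `/tmp/shprompt$$` and then reads it back; since this library runs as root (the unit files set `User=root`), a pre-created file or symlink of that name in the world-writable /tmp lets another local user redirect the write, which is the classic temp-file race. The helper only exists to decide whether `echo` honours `\c`, so the file is not needed at all: `printf '%s' "$*" 1>&2` gives the no-newline behaviour portably, or if the probe is kept, create the file with `mktemp` and remove it in a trap. Less critical but worth aligning: `can_use_recent` and `setup_ftp_conntrack_helper_prerouting` call `"$ipt"` while every sibling helper uses `"${fw_command}"`, so when this file is sourced by the IPv6 script with only `ip6t` set, those two probe an empty command and the nft fallback always creates an `ip`-family table; the cheap fix is to use `"${fw_command}"` in both places and derive the nft family from it.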
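--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+tag_log_prefix="--nflog-prefix"
+LOG_TARGET="NFLOG --nflog-group 11"
+else
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+LOG_TARGET="LOG --log-level $log_level"
+tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_port_scanning=false
+log_ssh_brute_force=false
+log_fragments=false
+log_mdns=false
+log_mndp=false
+log_new_not_sync=false
+log_syn_with_suspicious_mss=false
+log_invalid_packets=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_private_network_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_forwarding_priv_ip=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_blocked_ip=false
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv4 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""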
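Review bot: The ulogd probe `if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then` only works because bash gives an empty simple command the exit status of its last command substitution; `grep -q` prints nothing, so the `if` is testing an empty word, which is fragile and reads as a bug. The direct form `if ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null ; then` has the intended meaning in every shell. The IPv6 logging file repeats the same construct in its first `if` and should get the same change. A second, smaller point: with `log_port_scanning`, `log_ssh_brute_force` and `log_spoofed` all defaulting to `false`, the corresponding protections block silently, which is presumably deliberate but means neither syslog nor fail2ban sees those events; a one-line comment saying so would stop operators from assuming the log is complete.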
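--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+tag_log_prefix="--nflog-prefix"
+LOG_TARGET="NFLOG --nflog-group 12"
+else
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+LOG_TARGET="LOG --log-level $log_level"
+tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_port_scanning=false
+log_ssh_brute_force=false
+log_fragments=false
+log_mdns=false
+log_mndp=false
+log_new_not_sync=false
+log_syn_with_suspicious_mss=false
+log_invalid_packets=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_private_network_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_forwarding_priv_ip=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_blocked_ip=false
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv6 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""
+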
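--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,621 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# NAT (Masquerade) Network interfaces
+# ---
+
+declare -a nat_device_arr=()
+for _dev in $nat_devices ; do
+if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+nat_device_arr+=("$_dev")
+fi
+done
+
+
+# ---
+# IP Addresses LX Guest System
+# ---
+
+declare -a lxc_guest_ip_arr=()
+for _ip in $lxc_guest_ips ; do
+lxc_guest_ip_arr+=("$_ip")
+done
+
+
+# ---
+# local Interfaces
+# ---
+
+declare -a local_ip_arr=()
+for _ip in $local_ips ; do
+local_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+log_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - LOG CGI script Traffic out
+# ---
+declare -a cgi_script_user_arr=()
+for _user in $cgi_script_users ; do
+cgi_script_user_arr+=($_user)
+done
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - WireGuard Interfaces
+# ---
+declare -a wg_if_arr
+for _dev in $wg_ifs ; do
+wg_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow (non-standard) local Services from specified network
+# ---
+declare -a allow_local_service_from_network_arr
+for _service in $allow_local_service_from_networks ; do
+allow_local_service_from_network_arr+=("$_service")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_server_if_arr
+for _dev in $dhcp_server_ifs ; do
+dhcp_server_if_arr+=($_dev)
+done
+declare -a dhcp_client_if_arr
+for _dev in $dhcp_client_ifs ; do
+dhcp_client_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Netwoks allowed access to local DNS Resolver
+# ---
+declare -a resolver_allowed_network_arr
+for _net in $resolver_allowed_networks ; do
+resolver_allowed_network_arr+=("$_net")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses WireGuard Service
+# ---
+# local
+declare -a wireguard_server_ip_arr
+for _ip in $wireguard_server_ips ; do
+wireguard_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_wireguard_server_ip_arr
+for _ip in $forward_wireguard_server_ips ; do
+forward_wireguard_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses MatterMost Service
+# ---
+# local
+declare -a mm_server_ip_arr
+for _ip in $mm_server_ips ; do
+mm_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mm_server_ip_arr
+for _ip in $forward_mm_server_ips ; do
+forward_mm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+forward_smtpd_ip_arr+=("$_ip")
+done
+
+
+# ---
+# Additional SMTP Listen Ports
+# ---
+declare -a smtpd_additional_listen_port_arr
+for _port in $smtpd_additional_listen_ports ; do
+smtpd_additional_listen_port_arr+=("$_port")
+done
+
+
+# ---
+# Additional SMTP Outgoing Ports
+# ---
+declare -a smtpd_additional_outgoung_port_arr
+for _port in $smtpd_additional_outgoung_ports ; do
+smtpd_additional_outgoung_port_arr+=("$_port")
+done
+
+
+
+# ---
+# - IP Addresses XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmpp_server_ip_arr
+for _ip in $xmpp_server_ips ; do
+xmpp_server_ip_arr+=("$_ip")
+done
+
+declare -a forward_xmpp_server_ip_arr
+for _ip in $forward_xmpp_server_ips ; do
+forward_xmpp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - XMPP Remote Dovecote Out Service
+# ---
+declare -a xmmp_remote_out_service_arr
+for _val in $xmmp_remote_out_services ; do
+xmmp_remote_out_service_arr+=("$_val")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - (local) Dovecot auth service
+# ---
+declare -a dovecot_auth_allowed_network_arr
+for _ip in $dovecot_auth_allowed_networks ; do
+dovecot_auth_allowed_network_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jitsi Video Conferencing Server
+# ---
+declare -a jitsi_server_ip_arr
+for _ip in $jitsi_server_ips ; do
+jitsi_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jitsi_server_ip_arr
+for _ip in $forward_jitsi_server_ips ; do
+forward_jitsi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Remote Jibri Server
+# ---
+declare -a jitsi_jibri_remote_ip_arr
+for _ip in $jitsi_jibri_remote_ips ; do
+jitsi_jibri_remote_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jibri Recording / Streaming Server
+# ---
+declare -a jibri_server_ip_arr
+for _ip in $jibri_server_ips ; do
+jibri_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jibri_server_ip_arr
+for _ip in $forward_jibri_server_ips ; do
+forward_jibri_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+# local
+declare -a nc_turn_server_ip_arr
+for _ip in $nc_turn_server_ips ; do
+nc_turn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_nc_turn_server_ip_arr
+for _ip in $forward_nc_turn_server_ips ; do
+forward_nc_turn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+declare -a prometheus_local_server_ip_arr
+for _ip in $prometheus_local_server_ips ; do
+prometheus_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Client
+# ---
+declare -a prometheus_local_client_ip_arr
+for _ip in $prometheus_local_client_ips; do
+prometheus_local_client_ip_arr+=("$_ip")
+done
+declare -a prometheus_remote_server_ip_arr
+for _ip in $prometheus_remote_server_ips ; do
+prometheus_remote_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+ssh_port_arr+=("$_port")
+done
+
+# ---
+# - XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmmp_tcp_in_port_arr
+for _port in $xmmp_tcp_in_ports ; do
+xmmp_tcp_in_port_arr+=("$_port")
+done
+
+declare -a xmmp_tcp_out_port_arr
+for _port in $xmmp_tcp_out_ports ; do
+xmmp_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard Ports (local Service)
+# ---
+# local
+declare -a wireguard_server_port_arr
+for _port in $wireguard_server_ports ; do
+wireguard_server_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard out Ports
+# ---
+# local
+declare -a wireguard_out_port_port_arr
+for _port in $wireguard_out_ports ; do
+wireguard_out_port_port_arr+=("$_port")
+done
+
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+forward_udp_out_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+portforward_udp_arr+=("$_str")
+done
+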
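Review bot: In the "IP-Addresses (Host, Guests ...)" block the array is declared as `ext_ip_arr` but the loop appends to `host_ip_arr`, so `ext_ip_arr` stays empty and `$ext_ips` lands in an array nothing here declares; whichever name the rule files iterate (not visible in this hunk), one of them is wrong and the host's external addresses will be missing from those rules. The loop body should be `ext_ip_arr+=("$_ip")`, or the declaration renamed, to match the consumer. Two lesser points: `cgi_script_user_arr+=($_user)` and the two `dhcp_*_if_arr+=($_dev)` lines are the only unquoted appends in the file and would glob-expand a value containing `*` or `?`, so `+=("$_user")`/`+=("$_dev")` keeps them consistent with the rest; and the arrays declared with a bare `declare -a name` (from `log_ip_arr` onward) are not reset with `=()` like the first three, which I believe would let entries accumulate if this file is sourced twice in one shell.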
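--- a/PATH-NOT-SHOWN/ip6t-firewall.service
+++ b/PATH-NOT-SHOWN/ip6t-firewall.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target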
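Review bot: `After=network.target` only orders this unit after the network has been configured, so at boot the interfaces are already up for a short window before ip6t-firewall-server has installed any rules; the usual ordering for a firewall unit is `Before=network-pre.target` together with `Wants=network-pre.target`, so the rule set is in place before interfaces come up. The ipt-firewall.service unit in the next section uses the same ordering and should be changed together with this one. `User=root` is already the default for system units and can be dropped, and if the server script supports an in-place reload an `ExecReload=` line would let the handlers avoid a stop/start cycle.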
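--- a/PATH-NOT-SHOWN/ipt-firewall.service
+++ b/PATH-NOT-SHOWN/ipt-firewall.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target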
+2952
File diff suppressed because it is too large
+3178
File diff suppressed because it is too large
@@ -0,0 +1,15 @@
|
||||
---
|
||||
|
||||
- name: Reload systemd daemon
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
||||
- name: Restart IPv4 Firewall
|
||||
service:
|
||||
name: ipt-firewall
|
||||
state: restarted
|
||||
|
||||
- name: Restart IPv6 Firewall
|
||||
service:
|
||||
name: ip6t-firewall
|
||||
state: restarted
|
||||
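Review bot: Both restart handlers use `state: restarted`, which for these oneshot units runs the unit's `ExecStop` and then `ExecStart`; if the server script's `stop` flushes the rule set (the scripts are not visible here, so confirm), every notified config change passes through a short unfiltered window on the host. If the scripts can rebuild rules in place, adding `ExecReload=` to the units and using `state: reloaded` here avoids that window. A `listen:` name shared by both restart handlers would also let the tasks notify one topic instead of two handler names.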
@@ -0,0 +1,215 @@
|
||||
---
|
||||
|
||||
# ===
|
||||
# Ensure /etc/ipt-firewall directory exists
|
||||
# ===
|
||||
|
||||
- name: Create /etc/ipt-firewall if not present
|
||||
file:
|
||||
path: /etc/ipt-firewall
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
|
||||
# ===
|
||||
# Check presence of host-specific config files
|
||||
# ===
|
||||
|
||||
- name: Check if interfaces_ipv4.conf exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/interfaces_ipv4.conf
|
||||
register: interfaces_ipv4_exists
|
||||
|
||||
- name: Check if interfaces_ipv6.conf exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/interfaces_ipv6.conf
|
||||
register: interfaces_ipv6_exists
|
||||
|
||||
- name: Check if main_ipv4.conf exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/main_ipv4.conf
|
||||
register: main_ipv4_exists
|
||||
|
||||
- name: Check if main_ipv6.conf exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/main_ipv6.conf
|
||||
register: main_ipv6_exists
|
||||
|
||||
|
||||
# ===
|
||||
# Deploy host-specific config files from templates.
|
||||
#
|
||||
# Safety guard: by default (fw_manage_config: false) a file is only written
|
||||
# when it does not yet exist on the host — so existing hosts are never touched
|
||||
# accidentally.
|
||||
#
|
||||
# Once a host has been migrated (host_vars populated and diff verified), set
|
||||
# fw_manage_config: true
|
||||
# in its host_vars. From that point on Ansible is the authoritative source and
|
||||
# will update the config on every run, triggering a firewall restart on changes.
|
||||
# ===
|
||||
|
||||
- name: Deploy interfaces_ipv4.conf from template
|
||||
template:
|
||||
src: etc/ipt-firewall/interfaces_ipv4.conf.j2
|
||||
dest: /etc/ipt-firewall/interfaces_ipv4.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
|
||||
notify:
|
||||
- Restart IPv4 Firewall
|
||||
|
||||
- name: Deploy interfaces_ipv6.conf from template
|
||||
template:
|
||||
src: etc/ipt-firewall/interfaces_ipv6.conf.j2
|
||||
dest: /etc/ipt-firewall/interfaces_ipv6.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
|
||||
notify:
|
||||
- Restart IPv6 Firewall
|
||||
|
||||
- name: Deploy main_ipv4.conf from template
|
||||
template:
|
||||
src: etc/ipt-firewall/main_ipv4.conf.j2
|
||||
dest: /etc/ipt-firewall/main_ipv4.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: fw_manage_config or not main_ipv4_exists.stat.exists
|
||||
notify:
|
||||
- Restart IPv4 Firewall
|
||||
|
||||
- name: Deploy main_ipv6.conf from template
|
||||
template:
|
||||
src: etc/ipt-firewall/main_ipv6.conf.j2
|
||||
dest: /etc/ipt-firewall/main_ipv6.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: fw_manage_config or not main_ipv6_exists.stat.exists
|
||||
notify:
|
||||
- Restart IPv6 Firewall
|
||||
|
||||
|
||||
# ===
|
||||
# Firewall scripts
|
||||
# ===
|
||||
|
||||
- name: Deploy ipt-firewall-server
|
||||
copy:
|
||||
src: usr/local/sbin/ipt-firewall-server
|
||||
dest: /usr/local/sbin/ipt-firewall-server
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: Deploy ip6t-firewall-server
|
||||
copy:
|
||||
src: usr/local/sbin/ip6t-firewall-server
|
||||
dest: /usr/local/sbin/ip6t-firewall-server
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
|
||||
# ===
|
||||
# Shared conf files (not host-specific — always kept in sync with the role)
|
||||
# ===
|
||||
|
||||
- name: Deploy shared conf files
|
||||
copy:
|
||||
src: "etc/ipt-firewall/{{ item }}"
|
||||
dest: "/etc/ipt-firewall/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
loop:
|
||||
- default_settings.conf
|
||||
- include_functions.conf
|
||||
- logging_ipv4.conf
|
||||
- logging_ipv6.conf
|
||||
- post_declarations.conf
|
||||
|
||||
|
||||
# ===
|
||||
# Ban lists — copy from sample once; the file can be customised per host.
|
||||
# ===
|
||||
|
||||
- name: Check if ban_ipv4.list exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/ban_ipv4.list
|
||||
register: ban_ipv4_exists
|
||||
|
||||
- name: Copy ban_ipv4.list from sample (first install only)
|
||||
copy:
|
||||
src: etc/ipt-firewall/ban_ipv4.list.sample
|
||||
dest: /etc/ipt-firewall/ban_ipv4.list
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: not ban_ipv4_exists.stat.exists
|
||||
|
||||
- name: Check if ban_ipv6.list exists
|
||||
stat:
|
||||
path: /etc/ipt-firewall/ban_ipv6.list
|
||||
register: ban_ipv6_exists
|
||||
|
||||
- name: Copy ban_ipv6.list from sample (first install only)
|
||||
copy:
|
||||
src: etc/ipt-firewall/ban_ipv6.list.sample
|
||||
dest: /etc/ipt-firewall/ban_ipv6.list
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
when: not ban_ipv6_exists.stat.exists
|
||||
|
||||
|
||||
# ===
|
||||
# Systemd service units
|
||||
# ===
|
||||
|
||||
- name: Deploy ipt-firewall.service
|
||||
copy:
|
||||
src: etc/systemd/system/ipt-firewall.service
|
||||
dest: /etc/systemd/system/ipt-firewall.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify:
|
||||
- Reload systemd daemon
|
||||
- Restart IPv4 Firewall
|
||||
|
||||
- name: Deploy ip6t-firewall.service
|
||||
copy:
|
||||
src: etc/systemd/system/ip6t-firewall.service
|
||||
dest: /etc/systemd/system/ip6t-firewall.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify:
|
||||
- Reload systemd daemon
|
||||
- Restart IPv6 Firewall
|
||||
|
||||
|
||||
# ===
|
||||
# Enable and start services
|
||||
# ===
|
||||
|
||||
- name: Enable and start ipt-firewall
|
||||
systemd:
|
||||
name: ipt-firewall
|
||||
enabled: true
|
||||
state: started
|
||||
daemon_reload: true
|
||||
|
||||
- name: Enable and start ip6t-firewall
|
||||
systemd:
|
||||
name: ip6t-firewall
|
||||
enabled: true
|
||||
state: started
|
||||
daemon_reload: true
|
||||
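Review bot: The `Deploy ipt-firewall-server`, `Deploy ip6t-firewall-server` and `Deploy shared conf files` tasks have no `notify:`, so a changed script or a changed default_settings.conf / include_functions.conf is written to disk while the running rule set keeps the old behaviour until the next restart, whereas the host-specific templates do notify; adding `notify: [Restart IPv4 Firewall, Restart IPv6 Firewall]` to those three tasks keeps running and on-disk state consistent. The four `template:` tasks also lack `validate:`; since the rendered files are bash sourced by the firewall script as root, `validate: /usr/bin/env bash -n %s` rejects a rendering that is not valid shell (an unbalanced quote coming from a host_var, for example) before the live config is replaced and the restart handler fails on it. With `fw_manage_config` false a first run on a host that has no config writes the role defaults; a short comment on the `when:` lines saying that a fresh host gets defaults rather than its previous hand-written config would make that explicit.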
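--- a/PATH-NOT-SHOWN/interfaces_ipv4.conf.j2
+++ b/PATH-NOT-SHOWN/interfaces_ipv4.conf.j2
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# - (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# - (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v4 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
+
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices="{{ fw_nat_devices }}"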
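Review bot: `vpn_ifs="{{ fw_vpn_ifs }}"` and `wg_ifs="{{ fw_wg_ifs }}"` interpolate the variable as-is although the comment above each says "comma separated list", while `fw_ext_interfaces` and `fw_local_interfaces` are treated as lists and rendered with `join(' ')`; if someone declares `fw_vpn_ifs` as a YAML list by analogy, the file gets the Python rendering `['tun0', 'tun1']` (constructed example) and the firewall script never sees usable interface names. Either normalise with `vpn_ifs="{{ fw_vpn_ifs | join(',') if fw_vpn_ifs is not string else fw_vpn_ifs }}"` (same for `wg_ifs`) or state in the defaults that these two are strings. The fixed `_1`/`_2`/`_3` slots silently drop a fourth entry of `fw_ext_interfaces` / `fw_local_interfaces` and an eighth `fw_lxc_guest_ips_v4` while the `join` variables still carry it; a pre-flight `assert:` task on the list lengths would turn that into a visible failure. The IPv6 interfaces template in the next section has the same shape.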
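--- a/PATH-NOT-SHOWN/interfaces_ipv6.conf.j2
+++ b/PATH-NOT-SHOWN/interfaces_ipv6.conf.j2
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
+ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
+ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
+
+ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
+
+
+# - VPN Interfaces
+# - (comma separated list)
+vpn_ifs="{{ fw_vpn_ifs }}"
+
+
+# - Wireguard Interfaces
+# - (comma separated list)
+wg_ifs="{{ fw_wg_ifs }}"
+
+
+# - Local Interfaces
+local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
+local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
+local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
+
+local_ifs="{{ fw_local_interfaces | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+#
+ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
+ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
+ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
+
+ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
+
+local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
+local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
+local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
+
+local_ips="{{ fw_local_ips_v6 | join(' ') }}"
+
+
+# -------------
+# --- IP-Addresses LXC Guest Systems
+# -------------
+
+lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
+lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
+lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
+lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
+lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
+lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
+lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
+
+lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"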
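--- a/PATH-NOT-SHOWN/main_ipv4.conf.j2
+++ b/PATH-NOT-SHOWN/main_ipv4.conf.j2
@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+# {{ ansible_managed }}
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations IPv4 Firewall
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Bridged / LXC traffic
+# -------------
+
+do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
+do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
+
+
+# -------------
+# --- Drop ICMP / MNDP / mDNS
+# -------------
+
+drop_icmp={{ fw_drop_icmp | lower }}
+drop_mndp={{ fw_drop_mndp | lower }}
+drop_mdns={{ fw_drop_mdns | lower }}
+
+
+# -------------
+# --- Outgoing traffic
+# -------------
+
+allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
+
+
+# -------------
+# --- Interface policy
+# -------------
+
+blocked_ifs="{{ fw_blocked_ifs }}"
+unprotected_ifs="{{ fw_unprotected_ifs }}"
+
+
+# -------------
+# --- Forwarding / Routing
+# -------------
+
+# Private IPs to forward (CIDR notation, blank separated)
+forward_private_ips="{{ fw_forward_private_ips_v4 }}"
+
+
+# -------------
+# --- Access control (source-based)
+# -------------
+
+# restrict_local_service_to_net="ext-net:local-address:port:protocol"
+restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
+
+# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
+restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
+
+# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
+allow_ext_service="{{ fw_allow_ext_service_v4 }}"
+
+# allow_ext_net="<ext-ip/net>" (blank separated)
+allow_ext_net="{{ fw_allow_ext_net_v4 }}"
+
+# allow_local_service="<port>:<protocol>" (blank separated)
+allow_local_service="{{ fw_allow_local_service_v4 }}"
+
+# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
+allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
+
+
+# -------------
+# --- Services: VPN / WireGuard
+# -------------
+
+vpn_server_ips="{{ fw_vpn_server_ips }}"
+forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
+vpn_ports="{{ fw_vpn_ports }}"
+
+wireguard_server_ips="{{ fw_wireguard_server_ips }}"
+forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
+wireguard_server_ports="{{ fw_wireguard_server_ports }}"
+wireguard_out_ports="{{ fw_wireguard_out_ports }}"
+
+
+# -------------
+# --- Services: NTP
+# -------------
+
+local_ntp_service={{ fw_local_ntp_service | lower }}
+ntp_port="{{ fw_ntp_port }}"
+ntp_allowed_net="{{ fw_ntp_allowed_net }}"
+
+
+# -------------
+# --- Services: DHCP (IPv4 only)
+# -------------
+
+# Comma separated list of interfaces providing DHCP
+dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
+
+# Comma separated list of interfaces acting as DHCP clients
+dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
+
+
+# -------------
+# --- Services: DNS
+# -------------
+
+dns_server_ips="{{ fw_dns_server_ips }}"
+forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
+
+local_resolver_service={{ fw_local_resolver_service | lower }}
+resolver_port="{{ fw_resolver_port }}"
+# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
+resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: SSH
+# -------------
+
+ssh_server_ips="{{ fw_ssh_server_ips }}"
+forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
+ssh_ports="{{ fw_ssh_ports }}"
+
+
+# -------------
+# --- Services: HTTP(S)
+# -------------
+
+http_server_ips="{{ fw_http_server_ips }}"
+forward_http_server_ips="{{ fw_forward_http_server_ips }}"
+http_ports="{{ fw_http_ports }}"
+
+log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
+cgi_script_users="{{ fw_cgi_script_users }}"
+
+
+# -------------
+# --- Services: Mattermost
+# -------------
+
+mm_server_ips="{{ fw_mm_server_ips }}"
+forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
+mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
+mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
+
+
+# -------------
+# --- Services: Mail (SMTP / IMAP / POP)
+# -------------
+
+smtpd_ips="{{ fw_smtpd_ips }}"
+forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
+smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
+smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
+
+mail_server_ips="{{ fw_mail_server_ips }}"
+forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
+mail_user_ports="{{ fw_mail_user_ports }}"
+
+mail_client_ips="{{ fw_mail_client_ips }}"
+forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
+
+dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
+dovecot_auth_port="{{ fw_dovecot_auth_port }}"
+# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
+dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
+
+
+# -------------
+# --- Services: FTP
+# -------------
+
+ftp_server_ips="{{ fw_ftp_server_ips }}"
+forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
+ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
+
+
+# -------------
+# --- Services: XMPP (Jabber / Prosody)
+# -------------
+
+xmpp_server_ips="{{ fw_xmpp_server_ips }}"
+forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
+xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
+xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
+# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
+xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
+
+
+# -------------
+# --- Services: Mumble
+# -------------
+
+mumble_server_ips="{{ fw_mumble_server_ips }}"
+forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
+mumble_ports="{{ fw_mumble_ports }}"
+
+
+# -------------
+# --- Services: Jitsi / Jibri
+# -------------
+
+jitsi_server_ips="{{ fw_jitsi_server_ips }}"
+forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
+jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
+jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
+jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
+jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
+jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
+jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
+jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
+jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
+jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
+jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
+
+jibri_server_ips="{{ fw_jibri_server_ips }}"
+forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
+jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
+jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
+
+
+# -------------
+# --- Services: TURN / STUN (Nextcloud Talk)
+# -------------
+
+nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
+forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
+nc_turn_ports="{{ fw_nc_turn_ports }}"
+nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
+
+
+# -------------
+# --- Services: TFTP (not yet implemented)
+# -------------
+
+tftp_server_ips="{{ fw_tftp_server_ips }}"
+
+
+# -------------
+# --- Services: Prometheus
+# -------------
+
+prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
+prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
+
+prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
+prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
+prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
+
+
+# -------------
+# --- Services: Munin
+# -------------
+
+munin_server_ips="{{ fw_munin_server_ips }}"
+forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
+munin_remote_port="{{ fw_munin_remote_port }}"
+
+munin_remote_ip="{{ munin_remote_ipv4 }}"
+munin_local_port="{{ fw_munin_local_port }}"
+
+
+# -------------
+# --- Services: Xymon (not yet implemented)
+# -------------
+
+xymon_server_ips="{{ fw_xymon_server_ips }}"
+local_xymon_client={{ fw_local_xymon_client | lower }}
+xymon_port="{{ fw_xymon_port }}"
+
+
+# -------------
+# --- Protocols out: Rsync
+# -------------
+
+rsync_out_ips="{{ fw_rsync_out_ips }}"
+forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
+rsync_ports="{{ fw_rsync_ports }}"
+
+
+# -------------
+# --- Special ports (OUT)
+# -------------
+
+tcp_out_ports="{{ fw_tcp_out_ports }}"
+forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
+udp_out_ports="{{ fw_udp_out_ports }}"
+forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
+
+
+# =============
+# --- Portforwarding (IPv4)
+# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
+# =============
+
+portforward_tcp="{{ fw_portforward_tcp_v4 }}"
+portforward_udp="{{ fw_portforward_udp_v4 }}"
+
+
+# -------------
+# --- Blocked IPs / Ports
+# -------------
+
+blocked_ips="{{ fw_blocked_ips }}"
+block_tcp_ports="{{ fw_block_tcp_ports }}"
+block_udp_ports="{{ fw_block_udp_ports }}"
+
+
+# -------------
+# --- Special / Counters
+# -------------
+
+create_traffic_counter={{ fw_create_traffic_counter | lower }}
+create_iperf_rules={{ fw_create_iperf_rules | lower }}
+
+
+# -------------
+# --- Protection
+# -------------
+
+protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
+protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
+protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
+
+
+# -------------
+# --- Connection limits
+# -------------
+
+limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
+per_IP_connection_limit={{ fw_per_IP_connection_limit }}
+
+limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
+limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
+
+
+# -------------
+# --- Kernel parameters (IPv4)
+# -------------
+
+kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
+
+kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
+dynaddr_flag="{{ fw_dynaddr_flag }}"
+
+kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
+kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
+kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
+kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
+kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
+kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
+kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
+kernel_log_martians={{ fw_kernel_log_martians | lower }}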
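Review bot: `munin_remote_ip="{{ munin_remote_ipv4 }}"` is the only value in this template not taken from an `fw_*` variable; every other line maps to a role variable with the `fw_` prefix (and a `_v4` suffix where the value is address-family specific, e.g. `fw_resolver_allowed_networks_v4`), so either this deliberately reuses a variable owned by another role, which deserves a comment such as `# provided by the munin role, not by ipt-firewall defaults`, or it should become `fw_munin_remote_ip_v4` with a default. Rendering with an undefined name fails the template task, so on hosts where that variable is unset the whole firewall deployment stops here. `smtpd_additional_outgoung_ports` keeps a misspelling in the shell variable name while the role variable is spelled `fw_smtpd_additional_outgoing_ports`; that is correct only if the firewall script reads exactly that misspelled name, which is worth stating with `# variable name kept as spelled in the firewall script`.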
@@ -0,0 +1,337 @@
|
||||
#!/usr/bin/env bash
|
||||
# {{ ansible_managed }}
|
||||
|
||||
|
||||
## ----------------------------------------------------------------
|
||||
## --- Main Configurations IPv6 Firewall
|
||||
## ----------------------------------------------------------------
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Bridged / LXC traffic
|
||||
# -------------
|
||||
|
||||
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
|
||||
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop ICMP / MNDP / mDNS
|
||||
# -------------
|
||||
|
||||
drop_icmp={{ fw_drop_icmp | lower }}
|
||||
drop_mndp={{ fw_drop_mndp | lower }}
|
||||
drop_mdns={{ fw_drop_mdns | lower }}
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Outgoing traffic
|
||||
# -------------
|
||||
|
||||
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Interface policy
|
||||
# -------------
|
||||
|
||||
blocked_ifs="{{ fw_blocked_ifs }}"
|
||||
unprotected_ifs="{{ fw_unprotected_ifs }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Forwarding / Routing
|
||||
# -------------
|
||||
|
||||
# Private IPs to forward (CIDR notation, blank separated)
|
||||
forward_private_ips="{{ fw_forward_private_ips_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Access control (source-based)
|
||||
# --- Note: IPv6 uses comma as field separator (not colon)
|
||||
# -------------
|
||||
|
||||
# restrict_local_service_to_net="ext-net,local-address,port,protocol"
|
||||
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
|
||||
|
||||
# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
|
||||
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
|
||||
|
||||
# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
|
||||
allow_ext_service="{{ fw_allow_ext_service_v6 }}"
|
||||
|
||||
# allow_ext_net="<ext-ip/net>" (blank separated)
|
||||
allow_ext_net="{{ fw_allow_ext_net_v6 }}"
|
||||
|
||||
# allow_local_service="<port>,<protocol>" (blank separated)
|
||||
allow_local_service="{{ fw_allow_local_service_v6 }}"
|
||||
|
||||
# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
|
||||
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: VPN / WireGuard
|
||||
# -------------
|
||||
|
||||
vpn_server_ips="{{ fw_vpn_server_ips }}"
|
||||
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
|
||||
vpn_ports="{{ fw_vpn_ports }}"
|
||||
|
||||
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
|
||||
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
|
||||
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
|
||||
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: NTP
|
||||
# -------------
|
||||
|
||||
local_ntp_service={{ fw_local_ntp_service | lower }}
|
||||
ntp_port="{{ fw_ntp_port }}"
|
||||
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: DNS
|
||||
# -------------
|
||||
|
||||
dns_server_ips="{{ fw_dns_server_ips }}"
|
||||
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
|
||||
|
||||
local_resolver_service={{ fw_local_resolver_service | lower }}
|
||||
resolver_port="{{ fw_resolver_port }}"
|
||||
# resolver_allowed_networks="2001:678:a40:3000::/64"
|
||||
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: SSH
|
||||
# -------------
|
||||
|
||||
ssh_server_ips="{{ fw_ssh_server_ips }}"
|
||||
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
|
||||
ssh_ports="{{ fw_ssh_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: HTTP(S)
|
||||
# -------------
|
||||
|
||||
http_server_ips="{{ fw_http_server_ips }}"
|
||||
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
|
||||
http_ports="{{ fw_http_ports }}"
|
||||
|
||||
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
|
||||
cgi_script_users="{{ fw_cgi_script_users }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Mattermost
|
||||
# -------------
|
||||
|
||||
mm_server_ips="{{ fw_mm_server_ips }}"
|
||||
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
|
||||
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
|
||||
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Mail (SMTP / IMAP / POP)
|
||||
# -------------
|
||||
|
||||
smtpd_ips="{{ fw_smtpd_ips }}"
|
||||
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
|
||||
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
|
||||
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
|
||||
|
||||
mail_server_ips="{{ fw_mail_server_ips }}"
|
||||
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
|
||||
mail_user_ports="{{ fw_mail_user_ports }}"
|
||||
|
||||
mail_client_ips="{{ fw_mail_client_ips }}"
|
||||
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
|
||||
|
||||
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
|
||||
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
|
||||
# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
|
||||
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: FTP
|
||||
# -------------
|
||||
|
||||
ftp_server_ips="{{ fw_ftp_server_ips }}"
|
||||
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
|
||||
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: XMPP (Jabber / Prosody)
|
||||
# -------------
|
||||
|
||||
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
|
||||
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
|
||||
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
|
||||
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
|
||||
# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
|
||||
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Mumble
|
||||
# -------------
|
||||
|
||||
mumble_server_ips="{{ fw_mumble_server_ips }}"
|
||||
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
|
||||
mumble_ports="{{ fw_mumble_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Jitsi / Jibri
|
||||
# -------------
|
||||
|
||||
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
|
||||
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
|
||||
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
|
||||
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
|
||||
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
|
||||
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
|
||||
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
|
||||
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
|
||||
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
|
||||
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
|
||||
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
|
||||
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
|
||||
|
||||
jibri_server_ips="{{ fw_jibri_server_ips }}"
|
||||
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
|
||||
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
|
||||
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: TURN / STUN (Nextcloud Talk)
|
||||
# -------------
|
||||
|
||||
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
|
||||
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
|
||||
nc_turn_ports="{{ fw_nc_turn_ports }}"
|
||||
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: TFTP (not yet implemented)
|
||||
# -------------
|
||||
|
||||
tftp_server_ips="{{ fw_tftp_server_ips }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Prometheus
|
||||
# -------------
|
||||
|
||||
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
|
||||
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
|
||||
|
||||
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
|
||||
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
|
||||
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Munin
|
||||
# -------------
|
||||
|
||||
munin_server_ips="{{ fw_munin_server_ips }}"
|
||||
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
|
||||
munin_remote_port="{{ fw_munin_remote_port }}"
|
||||
|
||||
munin_remote_ip="{{ munin_remote_ipv6 }}"
|
||||
munin_local_port="{{ fw_munin_local_port }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services: Xymon (not yet implemented)
|
||||
# -------------
|
||||
|
||||
xymon_server_ips="{{ fw_xymon_server_ips }}"
|
||||
local_xymon_client={{ fw_local_xymon_client | lower }}
|
||||
xymon_port="{{ fw_xymon_port }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Protocols out: Rsync
|
||||
# -------------
|
||||
|
||||
rsync_out_ips="{{ fw_rsync_out_ips }}"
|
||||
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
|
||||
rsync_ports="{{ fw_rsync_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Special ports (OUT)
|
||||
# -------------
|
||||
|
||||
tcp_out_ports="{{ fw_tcp_out_ports }}"
|
||||
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
|
||||
udp_out_ports="{{ fw_udp_out_ports }}"
|
||||
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
|
||||
|
||||
|
||||
# =============
|
||||
# --- Portforwarding (IPv6)
|
||||
# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
|
||||
# =============
|
||||
|
||||
portforward_tcp="{{ fw_portforward_tcp_v6 }}"
|
||||
portforward_udp="{{ fw_portforward_udp_v6 }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Blocked IPs / Ports
|
||||
# -------------
|
||||
|
||||
blocked_ips="{{ fw_blocked_ips }}"
|
||||
block_tcp_ports="{{ fw_block_tcp_ports }}"
|
||||
block_udp_ports="{{ fw_block_udp_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Special / Counters
|
||||
# -------------
|
||||
|
||||
create_traffic_counter={{ fw_create_traffic_counter | lower }}
|
||||
create_iperf_rules={{ fw_create_iperf_rules | lower }}
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Protection
|
||||
# -------------
|
||||
|
||||
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
|
||||
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
|
||||
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Connection limits
|
||||
# -------------
|
||||
|
||||
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
|
||||
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
|
||||
|
||||
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
|
||||
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Kernel parameters (IPv6)
|
||||
# -------------
|
||||
|
||||
kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
|
||||
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
|
||||
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
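Review bot: `munin_remote_ip="{{ munin_remote_ipv6 }}"` is the only value in this template not taken from a `fw_*` variable, so a host that does not define `munin_remote_ipv6` fails to render unless the role ships a default for that name; `munin_remote_ip="{{ fw_munin_remote_ipv6 }}"` (plus a matching default) would keep it consistent with the surrounding `fw_munin_*` lines. The left-hand keys `smtpd_additional_outgoung_ports` and the `xmmp_*` group carry spellings that differ from their `fw_*` counterparts; if those are the exact names the ipt-firewall script reads they must stay, but a comment such as `# spelling kept to match the variable name ipt-firewall sources` would stop a later cleanup from silently breaking the outgoing-port and XMPP rules. Since the generated file opens with `#!/usr/bin/env bash` and appears to be sourced, inventory values interpolated inside double quotes are still subject to `$`, backtick and `\` expansion — emitting list-type values as `{{ fw_blocked_ifs | quote }}` (dropping the hand-written quotes) would make a stray metacharacter in host_vars fail to parse instead of being executed, which is worth considering if inventory is not fully trusted.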
|
||||