ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ansible:5fe32c6473c6e2093153b0c6bfac6a7731752500
Branches Tags
ansible:master
..
compare: ansible:f61e2ff73c052833a79b75d55fba2d1b6e99a2e6
Branches Tags
ansible:master

No commits in common. "5fe32c6473c6e2093153b0c6bfac6a7731752500" and "f61e2ff73c052833a79b75d55fba2d1b6e99a2e6" have entirely different histories.
5fe32c6473 ... f61e2ff73c

35 changed files with 642 additions and 1428 deletions
Show Stats Expand all files Collapse all files

8
ansible-dependencies-ububtu-noble-sudo.yml
View File

@ -1,8 +0,0 @@
---
- hosts: initial_setup
gather_facts: false
roles:
- ansible_dependencies-ubuntu-noble
- ansible_user_debian

1
environments/ubuntu-server/files
View File

@ -1 +0,0 @@
../../files

37
environments/ubuntu-server/inventory
View File

@ -1,37 +0,0 @@
[ansible_dependencies]
formbricks-nd.oopen.de
[initial_setup]
formbricks-nd.oopen.de
[lxc_guest]
formbricks-nd.oopen.de
[lxc_host]
[docker_host]
[kvm_host]
[oopen_office_server]
[samba_server]
[jitsi_meet_server]
[mysql_server]
[postgresql_server]
[apache2_webserver]
[nextcloud_server]
[dns_server]
[mail_server]
[webadmin]

133
group_vars/all/main.yml
View File

@ -976,122 +976,6 @@ apt_initial_install_jammy:
- ifupdown - ifupdown
- socat - socat
apt_initial_install_ubuntu_noble:
- cryptsetup
- dbus
- openssh-server
- rush
- bash
- bash-completion
- vim
- vim-common
- vim-doc
- mc
- screen
- tmux
- cron
- bc
- figlet
- sudo
- rsync
- dselect
- iputils-ping
- apt-utils
- aptitude
- zip
- unzip
- bzip2
- arj
- locate
- curl
- gawk
- mawk
- lynx
- links
- w3m
- universal-ctags
- file
- coreutils
- moreutils
- less
- sipcalc
- psmisc
- dnsutils
- rblcheck
- whois
- gettext
- gettext-base
- gettext-doc
- debian-keyring
- patch
- patchutils
- recode
- recode-doc
- librecode0
- librecode-dev
- sharutils
- perl
- perl-modules
- perl-doc
- libperl-dev
- libreadline-dev
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libterm-readkey-perl
- libmail-imapclient-perl
- libtime-duration-perl
- libtimedate-perl
- libwww-perl
- libpcre3
- libio-compress-perl
- re2c
- util-linux
- parted
- lshw
- gdisk
- smartmontools
- tcpdump
- unhide
- lsof
- hdparm
- groff
- iproute2
- bridge-utils
- vlan
- ethtool
- wipe
- iperf
- mtr
- iptraf
- wget
- logrotate
- rsyslog
- haveged
- rdate
- ntpdate
- wipe
- man
- groff
- iptables
- shellcheck
- ssl-cert
- ssl-cert-check
- git
- ftp
- htop
- net-tools
- lsb-release
- attr
- acl
- quota
- quotatool
- needrestart
- socat
- zsh
- lua5.4
- btrfs-progs
- fdisk
install_compiler_pkgs: false install_compiler_pkgs: false
apt_compiler_pkgs: apt_compiler_pkgs:
- g++ - g++
@ -2034,11 +1918,11 @@ tor_hidden_service_port:
# vars used by modify-munin-ip.yml # vars used by modify-munin-ip.yml
# --- # ---
munin_remote_ipv4: 37.27.121.227 munin_remote_ipv4: 135.181.136.84
munin_remote_ipv6: 2a01:4f9:3070:2bda::227 munin_remote_ipv6: 2a01:4f9:3a:1051::84
munin_remote_ipv4_old: 135.181.136.84 munin_remote_ipv4_old: 95.217.64.122
munin_remote_ipv6_old: 2a01:4f9:3a:1051::84 munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
# --- # ---
@ -2369,15 +2253,6 @@ bind9_gateway_allow_recursion:
# vars used by roles/common/tasks/git.yml # vars used by roles/common/tasks/git.yml
# --- # ---
# ---
# vars used by roles/common/tasks/ntp.yml
# ---
local_ntp_service: false
ntp_server: {}
# --- # ---
# Firewall repository # Firewall repository
# --- # ---

6
group_vars/oopen_office.yml
View File

@ -110,12 +110,6 @@ sudo_users:
# vars used by roles/common/tasks/git.yml # vars used by roles/common/tasks/git.yml
# --- # ---
# ---
# vars used by roles/common/tasks/ntp.yml
# ---
# ============================== # ==============================

3
host_vars/backup.oopen.de.yml
View File

@ -262,10 +262,8 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZkez42c+5KVt/ZOhwslO321ibzV02oMImImRGNBIRD root@backup.warenform.de' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZkez42c+5KVt/ZOhwslO321ibzV02oMImImRGNBIRD root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKT+QOy+R6O4ojAeB7y/CRMmfbB19rFstvEW7saHpHMX root@c.mx' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKT+QOy+R6O4ojAeB7y/CRMmfbB19rFstvEW7saHpHMX root@c.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXaxrm1MdUsiGviWJX/LaaaTaHga7+GKXYZPjUr5aBV root@chamaesiphon'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORi7e7u0KhCkCB8iCmPud0hzCwnJVhxpPmy8vFFkFgY root@cl-dissens'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
@ -309,7 +307,6 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJvhepf3kho9zJz1QO52aLbr4/Rim/FLdENg1GNKCPx root@o32' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJvhepf3kho9zJz1QO52aLbr4/Rim/FLdENg1GNKCPx root@o32'

10
host_vars/backup.warenform.de.yml
View File

@ -170,6 +170,16 @@ cron_user_entries:
hour: '*' hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
- name: "Check if remote website is online" - name: "Check if remote website is online"
minute: '*/15' minute: '*/15'
hour: '7-23' hour: '7-23'

151
host_vars/cl-dissens.oopen.de.yml
View File

@ -1,151 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

4
host_vars/file-blkr.blkr.netz.yml
View File

@ -339,10 +339,6 @@ samba_user:
groups: groups:
- buero - buero
password: '4/zCNXnVF7+i' password: '4/zCNXnVF7+i'
- name: refa
groups:
- buero
password: 'Mehringdamm40'
- name: ref1 - name: ref1
groups: groups:
- buero - buero

183
host_vars/file-dissens.dissens.netz.yml
View File

@ -184,7 +184,7 @@ cron_user_special_time_entries:
sudoers_file_user_aliases: sudoers_file_user_aliases:
- name: MAIN_USER - name: MAIN_USER
entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank ' entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgrem,mario.freidank '
sudoers_file_cmnd_aliases: sudoers_file_cmnd_aliases:
- name: REBOOT - name: REBOOT
@ -219,15 +219,6 @@ sudoers_file_user_privileges:
# --- # ---
# ---
# vars used by roles/common/tasks/ntp.yml
# ---
local_ntp_service: true
ntp_server: gw-dissens.dissens.netz
# --- # ---
# vars used by roles/common/tasks/nfs.yml # vars used by roles/common/tasks/nfs.yml
# --- # ---
@ -273,9 +264,9 @@ samba_groups:
- name: projekte - name: projekte
group_id: 1110 group_id: 1110
- name: verwaltung - name: verwaltung
group_id: 1200 group_id: 1120
- name: gf - name: gf
group_id: 1300 group_id: 1120
samba_user: samba_user:
- name: bernard.koennecke - name: bernard.koennecke
@ -305,113 +296,62 @@ samba_user:
- projekte - projekte
- team - team
- verwaltung - verwaltung
password: '20-dav1d.g3lh44r_24%' password: '20-da-v1d.g3lh44r_24%'
- name: elenor.faellgren - name: elenor.faellgrem
groups: groups:
- projekte - projekte
- team - team
- verwaltung password: '20/313n0r-g3l.h4r/24?'
password: '20/3l3n0r-fa3llg3em/24?'
- name: johanna.hess - name: johanna.hess
groups: groups:
- projekte - buero
- team
password: '20_j0h4nn4_h3ss-24+'
- name: johanna.ruekgauer
groups:
- projekte
password: '20.j0hanna.ru3kgau3r+24!'
- name: laura.sasse
groups:
- projekte
- team
password: '20/l4ur4-s4sse-24?'
- name: maite.gabriel
groups:
- projekte
password: '20+m4ite.g4briel-24+'
- name: malte.taeubrich
groups:
- gf
- projekte
- team
- verwaltung - verwaltung
password: '20%m4lt3-t3ubrich+24!' password: '20_j0.h4nn4_h3ss-24+'
- name: mario.freidank - name: leonie
groups: groups:
- projekte - buero
- team
- verwaltung - verwaltung
password: '20-mar1o.fr31dank-24+' password: '6.4aVX7rQ-9H'
- name: philip
- name: olaf.stuve
groups: groups:
- projekte - buero
password: '20-0l4f_stuve_24?"'
- name: ralph.klesch
groups:
- projekte
- team
- verwaltung - verwaltung
password: '20/r4lph-kl3sch.24-' password: 'fN%749Psv_NR'
- name: buero1
- name: rositsa.mahdi
groups: groups:
- projekte - buero
password: '20.ros1tsa-mahd1+24+' password: 'Mfr!7tK+d49C'
- name: buero2
- name: sarah.klemm
groups: groups:
- gf - buero
- projekte password: 'gW-wg3Pttf4/'
- team - name: buero3
groups:
- buero
password: 'Qc-WyMhJ/3-2'
- name: referendariat
groups:
- buero
password: '4/zCNXnVF7+i'
- name: ref1
groups:
- buero
password: '???'
- name: sebastian
groups:
- buero
- verwaltung - verwaltung
password: '20.s4r4h_kl3mm-24!' password: 'bhNC.P5eTy-2'
- name: buero-05
- name: sebastian.scheele
groups: groups:
- projekte - buero
- team password: '5/SXbV-M3vmQ'
password: '20/s3-bast1an+sch33l3_24-' - name: buero-06
- name: simon.krugmann
groups: groups:
- projekte - buero
password: '20%sim0n.krugm4nn.24?' password: 'N-ba2R+i/2eM'
- name: tabea.koepp
groups:
- projekte
- team
password: '20?tab3a/ko3pp.24/'
- name: till.dahlmueller
groups:
- projekte
- team
password: '20.t1ll/d4hlmueller-24!'
- name: ulla.wittenzellner
groups:
- gf
- projekte
- team
- verwaltung
password: '20+ull4_w1tt3nz3lln3r_24-'
- name: yannik.markhof
groups:
- projekte
- team
password: '20.y4nnik/m4rkhof_24/'
base_home: /data/home base_home: /data/home
@ -420,37 +360,14 @@ base_home: /data/home
# - name: name2 # - name: name2
# #
remove_samba_users: [] remove_samba_users: []
#remove_samba_users:
# - name: elenor.faellgrem
# - name: maiken.schiele
samba_shares: samba_shares:
- name: GF - name: buero
comment: GF auf Fileserver comment: Buero auf Fileserver
path: /data/samba/shares/GF path: /data/samba/shares/buero
group_valid_users: gf group_valid_users: buero
group_write_list: gf group_write_list: buero
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Projekte
comment: verwaltung auf Fileserver
path: /data/samba/shares/Projekte
group_valid_users: projekte
group_write_list: projekte
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Team
comment: verwaltung auf Fileserver
path: /data/samba/shares/Team
group_valid_users: team
group_write_list: team
file_create_mask: !!str 664 file_create_mask: !!str 664
dir_create_mask: !!str 2775 dir_create_mask: !!str 2775
vfs_object_recycle: true vfs_object_recycle: true
@ -458,11 +375,11 @@ samba_shares:
- name: Verwaltung - name: Verwaltung
comment: verwaltung auf Fileserver comment: verwaltung auf Fileserver
path: /data/samba/shares/Verwaltung path: /data/samba/shares/verwaltung
group_valid_users: verwaltung group_valid_users: verwaltung
group_write_list: verwaltung group_write_list: verwaltung
file_create_mask: !!str 660 file_create_mask: !!str 664
dir_create_mask: !!str 2770 dir_create_mask: !!str 2775
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'

2
host_vars/file-km.anw-km.netz.yml
View File

@ -413,7 +413,6 @@ samba_user:
- name: irina - name: irina
groups: groups:
- advoware
- alle - alle
- aulmann - aulmann
- howe - howe
@ -424,7 +423,6 @@ samba_user:
- name: jessica - name: jessica
groups: groups:
- advoware
- alle - alle
- aulmann - aulmann
- howe - howe

13
host_vars/ga-st-gw.ga.netz.yml
View File

@ -200,10 +200,8 @@ network_interfaces:
downdelay: 200 downdelay: 200
updelay: 200 updelay: 200
post-up: post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints # VLAN 121 - for Ubiquiti UniFi Accesspoints)
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121 - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ??? # Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
@ -217,15 +215,6 @@ network_interfaces:
netmask: 20 netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns - device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true auto: true

551
host_vars/ga-st-gw.oopen.de.yml Normal file
View File

@ -0,0 +1,551 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eth2
headline: eth2 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link eth2 name eth2.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: eth2.111
headline: eth2.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: eth8
headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link eth8 name eth8.211 type vlan id 211
- device: eth8.211
headline: eth8.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig eth8 up
- device: eth9
headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: eth10
headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: eth11
headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: eth0 eth4
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: eth1 eth5
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints)
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- wadmin
- maadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

141
host_vars/mm-migration.oopen.de.yml
View File

@ -1,141 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 195.201.179.131
- 95.217.204.204
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

14
host_vars/o29.oopen.de.yml
View File

@ -23,7 +23,7 @@ network_interfaces:
- device: br0 - device: br0
# use only once per device (for the first device entry) # use only once per device (for the first device entry)
headline: br0 - bridge over device enp8s0 headline: br0 - bridge over device enp35s0
# auto & allow are only used for the first device entry # auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug allow: [] # array of allow-[stanzas] eg. allow-hotplug
@ -31,11 +31,11 @@ network_interfaces:
family: inet family: inet
method: static method: static
hwaddress: 9c:6b:00:6d:f5:a1 hwaddress: a8:a1:59:3e:bd:b8
description: description:
address: 65.21.220.154 address: 135.181.136.120
netmask: 26 netmask: 26
gateway: 65.21.220.129 gateway: 135.181.136.65
metric: metric:
pointopoint: pointopoint:
mtu: mtu:
@ -80,7 +80,7 @@ network_interfaces:
# maxwait: # maxwait:
# waitport: # waitport:
bridge: bridge:
ports: enp8s0 # for mor devices support a blank separated list ports: enp35s0 # for mor devices support a blank separated list
stp: !!str off stp: !!str off
fd: 1 fd: 1
hello: 2 hello: 2
@ -107,7 +107,7 @@ network_interfaces:
# inline hook scripts # inline hook scripts
pre-up: [] # pre-up script lines pre-up: [] # pre-up script lines
up: up:
- !!str "route add -net 65.21.220.128 netmask 255.255.255.192 gw 65.21.220.129 dev br0" # up script lines - !!str "route add -net 135.181.136.64 netmask 255.255.255.192 gw 135.181.136.65 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up) post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down) pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines down: [] # down script lines
@ -118,7 +118,7 @@ network_interfaces:
- device: br0 - device: br0
family: inet6 family: inet6
method: static method: static
address: 2a01:4f9:3080:318c::2 address: 2a01:4f9:3a:1051::2
netmask: 64 netmask: 64
gateway: fe80::1 gateway: fe80::1

22
host_vars/web0.warenform.de.yml
View File

@ -142,28 +142,6 @@ ssh_keypair_backup_client:
# #
# see: roles/common/tasks/vars # see: roles/common/tasks/vars
sudoers_file_user_aliases:
- name: WEB_USER
entry: 'webadmin, axel, chris'
- name: MAIN_USER
entry: 'sysadm, axel, chris'
sudoers_file_cmnd_aliases:
- name: REBOOT
entry: '/sbin/reboot'
- name: MANAGE_SERVICE
entry: '/usr/bin/systemctl'
sudoers_file_user_privileges:
- name: MAIN_USER
entry: ALL = REBOOT, MANAGE_SERVICE
- name: WEB_USER
entry: ALL = MANAGE_SERVICE
# --- # ---
# vars used by roles/common/tasks/caching-nameserver.yml # vars used by roles/common/tasks/caching-nameserver.yml

70
hosts
View File

@ -1,4 +1,5 @@
formbricks-nd.oopen.de
#[so36_server_dehydrated] #[so36_server_dehydrated]
#comm.so36.net ansible_user=ckubu #comm.so36.net ansible_user=ckubu
#noc.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu
@ -61,7 +62,6 @@ file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz zapata.opp.netz
gw-replacement.local.netz gw-replacement.local.netz
@ -132,9 +132,6 @@ o13-pad.oopen.de
o13-cryptpad.oopen.de o13-cryptpad.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela
o14.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
@ -162,12 +159,10 @@ cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
discourse.oopen.de discourse.oopen.de
mm-migration.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@ -183,9 +178,8 @@ mail.faire-mobilitaet.de
o28.oopen.de o28.oopen.de
o26.oopen.de o26.oopen.de
# - o29.oopen.de Dissens Host System # - o29.oopen.de Backup Server
o29.oopen.de o29.oopen.de
cl-dissens.oopen.de
# AK - Server Nextcloud/Jitsi Meet # AK - Server Nextcloud/Jitsi Meet
o30.oopen.de o30.oopen.de
@ -327,9 +321,6 @@ o13-cryptpad.oopen.de
o13-web.oopen.de o13-web.oopen.de
o13-git.oopen.de o13-git.oopen.de
# Freiheit für daniela
o14.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
@ -361,13 +352,11 @@ cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
discourse.oopen.de discourse.oopen.de
mm-migration.oopen.de
# - o24.oopen.de # - o24.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@ -385,7 +374,6 @@ o26.oopen.de
# - o29.oopen.de # - o29.oopen.de
o29.oopen.de o29.oopen.de
cl-dissens.oopen.de
# AK - Server Nextcloud/Jitsi Meet # AK - Server Nextcloud/Jitsi Meet
o30.oopen.de o30.oopen.de
@ -455,7 +443,6 @@ mm-rav.oopen.de
o43.oopen.de o43.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
@ -508,9 +495,6 @@ file-kb.anw-kb.netz
gw-blkr.oopen.de gw-blkr.oopen.de
file-blkr.blkr.netz file-blkr.blkr.netz
# Dissens
file-dissens.dissens.netz
# - Kanzlei EBS Leipzig # - Kanzlei EBS Leipzig
gw-ebs.oopen.de gw-ebs.oopen.de
file-ebs.ebs.netz file-ebs.ebs.netz
@ -573,9 +557,6 @@ devel-ruby.wf.netz
# o13.oopen.de # o13.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela
o14.oopen.de
# o20.oopen.de (srv-cityslang.cityslang.com) # o20.oopen.de (srv-cityslang.cityslang.com)
o20.oopen.de o20.oopen.de
@ -633,9 +614,6 @@ o13-mail.oopen.de
o13-mumble.oopen.de o13-mumble.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela
o14.oopen.de
# o17.oopen.de # o17.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
test.mx.oopen.de test.mx.oopen.de
@ -670,9 +648,6 @@ mail.faire-mobilitaet.de
o28.oopen.de o28.oopen.de
o26.oopen.de o26.oopen.de
# o29.oopen.de
cl-dissens.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud # o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de cloud.akweb.de
@ -824,17 +799,12 @@ o13-cryptpad.oopen.de
cp-01.oopen.de cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
# o29.oopen.de . Dissens
cl-dissens.oopen.de
# etventure # etventure
o32.oopen.de o32.oopen.de
@ -954,11 +924,9 @@ o13-mail.oopen.de
# o23.oopen.de # o23.oopen.de
mm.oopen.de mm.oopen.de
mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# o27.oopen.de # o27.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
@ -1021,9 +989,6 @@ o13-staging-board.oopen.de
o13-mail.oopen.de o13-mail.oopen.de
o13-web.oopen.de o13-web.oopen.de
# Freiheit für daniela
o14.oopen.de
# o17.oopen.de # o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
@ -1046,12 +1011,10 @@ oolm-web.oopen.de
# o23.oopen.de # o23.oopen.de
cl-01.oopen.de cl-01.oopen.de
mm.oopen.de mm.oopen.de
mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@ -1062,9 +1025,6 @@ cl-fm.oopen.de
o28.oopen.de o28.oopen.de
o26.oopen.de o26.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud # o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de cloud.akweb.de
@ -1172,9 +1132,6 @@ o28.oopen.de
# o26.oopen.de # o26.oopen.de
o26.oopen.de o26.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
# o30.oopen.de - AK server Jitsi Meet/Nextcloud # o30.oopen.de - AK server Jitsi Meet/Nextcloud
cloud.akweb.de cloud.akweb.de
@ -1325,7 +1282,6 @@ file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz zapata.opp.netz
@ -1333,7 +1289,6 @@ zapata.opp.netz
[nfs_server] [nfs_server]
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
@ -1400,9 +1355,6 @@ o12.oopen.de
o13.oopen.de o13.oopen.de
o17.oopen.de o17.oopen.de
# Freiheit für daniela
o14.oopen.de
# Backup Server O.OPEN # Backup Server O.OPEN
o19.oopen.de o19.oopen.de
@ -1517,12 +1469,10 @@ cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
discourse.oopen.de discourse.oopen.de
mm-migration.oopen.de
# - o24.oopen.de # - o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# - o27.oopen.de # - o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
@ -1530,9 +1480,6 @@ mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
# o29.oopen.de - Dissens
cl-dissens.oopen.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet # o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de meet.akweb.de
cloud.akweb.de cloud.akweb.de
@ -1598,7 +1545,6 @@ file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz zapata.opp.netz
@ -1682,9 +1628,6 @@ o13-cryptpad.oopen.de
o13-web.oopen.de o13-web.oopen.de
o13-git.oopen.de o13-git.oopen.de
# Freiheit für daniela
o14.oopen.de
# - o17.oopen.de # - o17.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
@ -1717,13 +1660,11 @@ cp-01.oopen.de
meet.oopen.de meet.oopen.de
mm.oopen.de mm.oopen.de
discourse.oopen.de discourse.oopen.de
mm-migration.oopen.de
# - o24.oopen.de # - o24.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@ -1739,10 +1680,6 @@ mail.faire-mobilitaet.de
o28.oopen.de o28.oopen.de
o26.oopen.de o26.oopen.de
# o29.oopen.de
o29.oopen.de
cl-dissens.oopen.de
# AK - Server Nextcloud/Jitsi Meet # AK - Server Nextcloud/Jitsi Meet
o30.oopen.de o30.oopen.de
meet.akweb.de meet.akweb.de
@ -1827,7 +1764,6 @@ file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz zapata.opp.netz

8
main.yml
View File

@ -1908,11 +1908,11 @@ tor_hidden_service_port:
# vars used by modify-munin-ip.yml # vars used by modify-munin-ip.yml
# --- # ---
munin_remote_ipv4: 37.27.121.227 munin_remote_ipv4: 135.181.136.84
munin_remote_ipv6: 2a01:4f9:3070:2bda::22 munin_remote_ipv6: 2a01:4f9:3a:1051::84
munin_remote_ipv4_old: 135.181.136.84 munin_remote_ipv4_old: 95.217.64.122
munin_remote_ipv6_old: 2a01:4f9:3a:1051::84 munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
# --- # ---

147
mm-irights-migration.oopen.de.yml
View File

@ -1,147 +0,0 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

58
playbook.yml
View File

@ -1,58 +0,0 @@
---
# Intended to be run once for every new server to secure the ssh connection allowing the team access
# with their public keys. This script will lock itself out from every server it is run on.
# Further playbooks are intended to be run by logging in as one of the created users.
# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
# the time of this writing.
# The used login data depends on the used server provider. In most cases the ansible_user will be
# root, but we can't safely assume anything.
# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
# For real providers it could look like:
# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
# If you don't have a ssh-key on the server and the server expects password authentication use:
# ansible-playbook first_run.yml -i hosts -u root --ask-pass
#- hosts: all
# strategy: free
#
## vars_prompt:
##
## - name: ansible_become_password
## prompt: "Give your local Password here:"
#
# roles:
# - common
- hosts: ansible_dependencies
strategy: free
gather_facts: false
roles:
- ansible_dependencies-ubuntu-noble
- ansible_user_debian
- hosts: initial_setup
strategy: free
# vars_prompt:
#
# - name: ansible_become_password
# prompt: "Give your local Password here:"
roles:
- ubuntu-server
#- hosts: debian-server
# strategy: free
#
## vars_prompt:
##
## - name: ansible_become_password
## prompt: "Give your local Password here:"
#
# roles:
# - common

47
roles/ansible_dependencies-ubuntu-noble/tasks/main.yml
View File

@ -1,47 +0,0 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common)
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- ansible-dependencies
- name: apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- ansible-dependencies
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies }}"
state: "{{ apt_install_state }}"
tags:
- ansible-dependencies

72
roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
View File

@ -20,42 +20,9 @@
# give hostnames to blocke here # give hostnames to blocke here
# Werkzeug
katherina-remberg\.de$
# Mehr Energie für Ihre Schritte
elcoino\.de$
# Wiederherstellung des Sehvermogens ohne Operation
toonaca\.or\.mg$
# info re_zeptfrei ordern
radiotrabajandoparacristoirmp\.com$
# HL Group
group-hire\.com$
# Erinnerung: Überzahlung entdeckt Ihre Rückerstattung wartet!
#mtasv\.net$
# edge.toprains.shop:w # edge.toprains.shop:w
edge\.toprains\.shop$ edge\.toprains\.shop$
# Ideal für Apple- und Samsung-Fans
sdeals\.shop$
# Spiegel.de
delpieroacademy\.com$
# Kundensupport - photoTAN
#mailjet\.com$
# LOTTO-Rabatt
gdwr\.de$
# info mit ETFs die Millionen knacken?
movingcompanywheaton\.com$
# Specht Office # Specht Office
mta3\.dev\.60cr\.com$ mta3\.dev\.60cr\.com$
@ -64,42 +31,3 @@ lichtbringer\.shop$
# insights.sternenpfad.shop # insights.sternenpfad.shop
insights\.sternenpfad\.shop$ insights\.sternenpfad\.shop$
# info rezeptfre-i Bestellung
ugms\.org$
# info Herrenmeds anfordern
fullendoscopy\.mx$
# Premium-Werkzeugwagen:
minillq\.com$
# zaubermoment.shop
zaubermoment\.shop$
# Lustexperte
jetztpower\.shop$
# herzenstone.shop
herzenstone\.shop$
# Versand - Wichtige Neiuheit (a2hosted.com)
a2hosted\.com$
# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
game\.cn$
# Ein Sprühstoß für die sofortige Erektion!
perfektepower\.shop$
# Home Security / preview.glanzpunkt.shop
glanzpunkt.shop$
# Phishing IHK
rightappearance\.com$
# info rezeptf-rei Bestellung
sectiontrading\.com$
# Sofortiger zweisprachiger Sprachübersetzer
# - kein Eintrag -

75
roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
View File

@ -12,45 +12,9 @@
# #
# --- # ---
# Werkzeug
5.135.22.148/30
# Mehr Energie für Ihre Schritte
5.196.53.204/30
# Wiederherstellung des Sehvermogens ohne Operation
31.28.27.0/24
# info re_zeptfrei ordern
45.61.128.0/18
# HL Group
45.132.181.0/24
# Erinnerung: Überzahlung entdeckt Ihre Rückerstattung wartet!
#50.31.205.0/24
# edge.toprains.shop # edge.toprains.shop
51.89.16.112 51.89.16.112
# Ideal für Apple- und Samsung-Fans
51.195.36.112/26
# Bitcoin Boom / GHOSTnet GmbH
85.93.0.0/19
# Spiegel.de
85.93.19.234
# Kundensupport - photoTAN
#87.253.233.0/24
# LOTTO-Rabatt
89.22.116.0/24
# info mit ETFs die Millionen knacken?
89.144.4.211
# Specht Office # Specht Office
91.193.18.0/24 91.193.18.0/24
@ -60,44 +24,5 @@
# insights.sternenpfad.shop # insights.sternenpfad.shop
94.23.152.0/21 94.23.152.0/21
# info rezeptfre-i Bestellung
104.244.72.0/21
# info Herrenmeds anfordern
107.189.0.0/19
# Premium-Werkzeugwagen:
162.220.163.128/25
# zaubermoment.shop
178.32.96.0/19
# Lustexperte
178.32.136.0/21
# herzenstone.shop
178.33.112.0/21
# ?? # ??
181.214.99.0/24 181.214.99.0/24
# Versand - Wichtige Neiuheit (a2hosted.com)
185.91.69.0/24
# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
185.173.235.0/24
# Ein Sprühstoß für die sofortige Erektion!
188.165.0.0/21
# Home Security / preview.glanzpunkt.shop
188.165.128.0/21
# Phishing IHK
191.96.209.0/24
# info rezeptf-rei Bestellung
198.98.48.0/20
# Sofortiger zweisprachiger Sprachübersetzer
213.202.222.185

76
roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
View File

@ -36,45 +36,11 @@ ludwigpestow@gmail.com
# annoying spammer domains # annoying spammer domains
@acieu\.co\.uk$ @acieu\.co\.uk$
@inbox\.ru$
# ---- # ----
# Werkzeug
katherina-remberg\.de$
# Mehr Energie für Ihre Schritte
elcoino\.de$
# Wiederherstellung des Sehvermogens ohne Operation
toonaca\.or\.mg$
# info re_zeptfrei ordern
radiotrabajandoparacristoirmp\.com$
# HL Group
group-hire\.com$
# Erinnerung: Überzahlung entdeckt Ihre Rückerstattung wartet!
toldfinancialcapital\.com$
# edge.toprains.shop # edge.toprains.shop
toprains.shop$ @edge.toprains.shop$
# Ideal für Apple- und Samsung-Fans
sdeals\.shop$
# Spiegel.de
delpieroacademy\.com$
# Kundensupport - photoTAN
#@laurash.net
# LOTTO-Rabatt
gdwr\.de$
# info mit ETFs die Millionen knacken?
movingcompanywheaton\.com$
# Specht Offic # Specht Offic
officeuf@jxb669\.com$ officeuf@jxb669\.com$
@ -87,46 +53,10 @@ officeuf@
lichtbringer\.shop$ lichtbringer\.shop$
# insights.sternenpfad.shop # insights.sternenpfad.shop
insights\.sternenpfad\.shop$ @insights\.sternenpfad\.shop$
# info rezeptfre-i Bestellung
ugms\.org$
# Premium-Werkzeugwagen:
ezhifeng.co$
# zaubermoment.shop
zaubermoment\.shop$
# Lustexperte
jetztpower\.shop$
# herzenstone.shop
herzenstone\.shop$
# ?? 181.214.99.0/24 # ?? 181.214.99.0/24
imrx4k\.com$ imrx4k.com$
# Versand - Wichtige Neiuheit (a2hosted.com)
a2hosted\.com$
# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
izilian\.com$
# Ein Sprühstoß für die sofortige Erektion!
perfektepower\.shop$
# Home Security / preview.glanzpunkt.shop
glanzpunkt\.shop$
# Phishing IHK
rightappearance\.com$
# info rezeptf-rei Bestellung
sectiontrading\.com%
# Sofortiger zweisprachiger Sprachübersetzer
delavers\.de$
# --- # ---

6
roles/common/handlers/main.yml
View File

@ -93,9 +93,3 @@
service: service:
name: nfs-kernel-server name: nfs-kernel-server
state: restarted state: restarted
- name: Restart ntp
service:
name: ntpsec
daemon_reload: yes
state: restarted

10
roles/common/tasks/apt.yml
View File

@ -135,16 +135,6 @@
tags: tags:
- apt-initial-install - apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (noble)
apt:
name: "{{ apt_initial_install_ubuntu_noble }}"
state: "{{ apt_install_state }}"
when:
- ansible_facts['distribution'] == "Ubuntu"
- ansible_facts['distribution_release'] == "noble"
tags:
- apt-initial-install
# --- # ---
# Microcode # Microcode

16
roles/common/tasks/main.yml
View File

@ -1,9 +1,5 @@
--- ---
- import_tasks: show.yml
tags:
- show
# tags supported inside basic.yml # tags supported inside basic.yml
# #
# timezone # timezone
@ -152,18 +148,6 @@
tags: sudoers tags: sudoers
- import_tasks: motd.yml
tags: motd
# tags supported inside ntp.yml:
#
# ntp-server
- import_tasks: ntp.yml
tags:
- ntp
# tags supportetd inside git.yml # tags supportetd inside git.yml
# #
# git-firewall-repository # git-firewall-repository

26
roles/common/tasks/motd.yml
View File

@ -1,26 +0,0 @@
---
# ----------
# /etc/motd
# ----------
- name: (motd.yml) Check if /etc/motd.ORIG exist
stat:
path: /etc/motd.ORIG
register: motd_orig_exist
- name: (motd.yml) Check if /etc/motd exist
stat:
path: /etc/motd
register: motd_exist
- name: (motd.yml) Backup existing file /etc/motd
command: cp -a /etc/motd /etc/motd.ORIG
when:
- motd_exist.stat.exists == True
- motd_orig_exist.stat.exists == False
- name: (motd.yml) create /etc/motd
shell: figlet {{ ansible_hostname }} > /etc/motd
when: motd_orig_exist.stat.exists == False

60
roles/common/tasks/ntp.yml
View File

@ -1,60 +0,0 @@
---
# ---
# NTP Server
# ---
- name: (ntp.yml) Ensure ntpsec package is installed.
apt:
name:
- ntpsec
state: present
when:
- ansible_os_family == "Debian"
tags:
- ntp-server
- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
stat:
path: /etc/ntpsec/ntp.conf.ORIG
register: etc_ntpsec_conf_ORIG
when:
- ansible_distribution == "Debian"
tags:
- ntp-server
- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
file:
path: /var/log/ntpsec
state: directory
owner: ntpsec
group: ntpsec
mode: '0755'
when:
- ansible_distribution == "Debian"
- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
command: cp /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
when:
- groups['oopen_office_server']|string is search(inventory_hostname)
- etc_ntpsec_conf_ORIG.stat.exists == False
- local_ntp_service is defined and local_ntp_service|bool
tags:
- ntp-server
- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
template:
src: "etc/ntpsec/ntp.conf.j2"
dest: /etc/ntpsec/ntp.conf
owner: root
group: root
mode: 0644
notify: Restart ntp
when:
- groups['oopen_office_server']|string is search(inventory_hostname)
- local_ntp_service is defined and local_ntp_service|bool
tags:
- ntp-server

7
roles/common/tasks/show.yml
View File

@ -1,7 +0,0 @@
---
- name: Show hostname
debug:
msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE') }}.{{ ansible_fqdn.split('.')[2] | default('NONE') }}"
# msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}"

52
roles/common/templates/etc/ntpsec/ntp.conf.j2
View File

@ -1,52 +0,0 @@
# {{ ansible_managed }}
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# This should be maxclock 7, but the pool entries count towards maxclock.
tos maxclock 11
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
#tos minclock 4 minsane 3
# Specify one or more NTP servers.
# Public NTP servers supporting Network Time Security:
# server time.cloudflare.com nts
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server {{ ntp_server }}
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

2
roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf
View File

@ -26,5 +26,5 @@ Domains={{ fact_resolved_domains }}
{% if (resolved_dnssec is defined) and resolved_dnssec %} {% if (resolved_dnssec is defined) and resolved_dnssec %}
DNSSEC={{ resolved_dnssec }} DNSSEC={{ resolved_dnssec }}
{% else %} {% else %}
#DNSSEC=allow-downgrade #Domains=
{% endif %} {% endif %}

4
roles/firewall/defaults/main.yml
View File

@ -1,7 +1,7 @@
--- ---
munin_remote_ipv4: 37.27.121.227 munin_remote_ipv4: 95.217.64.122
munin_remote_ipv6: 2a01:4f9:3070:2bda::227 munin_remote_ipv6: 2a01:4f9:4a:2b57::122
is_dns_server: false is_dns_server: false

6
roles/firewall/handlers/main.yml
View File

@ -7,8 +7,14 @@
service: service:
name: ipt-firewall name: ipt-firewall
state: restarted state: restarted
when:
- interfaces_ipv4_exists.stat.exists
- main_ipv4_exists.stat.exists
- name: Restart IPv6 Firewall - name: Restart IPv6 Firewall
service: service:
name: ip6t-firewall name: ip6t-firewall
state: restarted state: restarted
when:
- interfaces_ipv6_exists.stat.exists
- main_ipv6_exists.stat.exists

49
roles/ubuntu-server/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: show
import_role:
name: common
tasks_from: show.yml
- name: basic
import_role:
name: common
tasks_from: basic.yml
- name: apt
import_role:
name: common
tasks_from: apt.yml
- name: motd
import_role:
name: common
tasks_from: motd.yml
- name: users
import_role:
name: common
tasks_from: users.yml
tags:
- users
- name: users-systemfiles
import_role:
name: common
tasks_from: users-systemfiles
tags:
- users
- users-systemfiles
- name: sshd
import_role:
name: common
tasks_from: sshd.yml
- name: sudoers
import_role:
name: common
tasks_from: sudoers.yml
tags: sudoers