ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ansible:6e60b3718e1f52d6104f1255f375f74077ef19eb
Branches Tags
ansible:master
...
compare: ansible:7ca6f6a2ab36f76daa6a745917e6139e0d6da76f
Branches Tags
ansible:master

2 Commits
6e60b3718e ... 7ca6f6a2ab

Author SHA1 Message Date
Christoph
7ca6f6a2ab update 2025-04-21 11:04:04 +02:00
Christoph
70c0c3bb7c update.. 2025-02-14 11:36:24 +01:00
32 changed files with 2210 additions and 135 deletions
Show Stats Expand all files Collapse all files

17
group_vars/all/main.yml
View File

@ -2094,18 +2094,27 @@ root_ssh_keypair: []
default_user:
- name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.
password: $y$j9T$RY2Nt/UmjMjxuyAhKXxMV0$IPvnS5XkNBluEiOARFmyQLp6GzXA1tY96rW.S9H7U84
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: sysadm
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
@ -2115,7 +2124,7 @@ default_user:
user_id: 1060
group_id: 1060
group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.
password: $y$j9T$FLeyg8Xy09ppHGVbKOr5l1$XJbJdjX7XlS5QeiTzBvl2dMYcC0AxIylkvayJgFR3CC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'

175
host_vars/172.16.82.197.yml Normal file
View File

@ -0,0 +1,175 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
copy_additional_plain_files_sysctl:
- name: enable-ipv6
src_path: etc/sysctl.d/30-enable-ipv6.conf
dest_path: /etc/sysctl.d/30-enable-ipv6.conf
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
#sshd_hostkeyalgorithms:
# - ssh-ed25519
# - ssh-ed25519-cert-v01@openssh.com
# - rsa-sha2-256
# - rsa-sha2-512
# - ecdsa-sha2-nistp256
# - rsa-sha2-256-cert-v01@openssh.com
# - rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- akb.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4

78
host_vars/anita.wf.netz.yml
View File

@ -55,14 +55,6 @@ extra_user:
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- name: christian
user_id: 1005
group_id: 1005
password: $6$2paWmEea$G51JZDzjjDNE75aBl/xuM1dyH.FWYHwNCRHeKWkHhxjUmRRC/v.hhNh5jOk5EbVWDeVh7r5dz1tO2HTZUMftb1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCb6ngLE9Vh0H6IqiHF2yeQX11kCeVE4QaK8Ca0Ogqtz8drC4/3Ugl9ZDtJR+UH+GpP/bOQZDTGF6f+p8dNlfpeoHZ92Yg62yMeD9qx9iQT8NeloLvpHk3B3NV10Lrff/zoeTGP7U8zKvLQsYnCwSPEodKEsxbf5mFcJN13/m+PW3tW0veRtYGvBwhimxidpSr+DLcRTZrZGs2Jf8BVqqAL0BIdH7exuLeKpACQzDAk10+DfLTNEXPgZ5jNBu3MBXqjyNRTTU+wEGAyUmHxv+ZJfjeBIM2Hgkl+lp2Bi5qQlsUduYtbXXrPQZzbgzIk+Rr0yY7/mfYSEXR41Uqv1QLScs2+Dpf713Lyr7H97bf64m1mzLd5vrps94JlqHSmcRzqENsW7HpdRmnpD7R+2lJe2faVX1HIT/mh/PjMItefbOhgV5FtcHcUiINVqi/4bmK68fPTXD+OBLuOHRkp1rYME6Z9pxXa6H6Ji8rIGOAHf2XyGqbvR80pG8n/jMk8AmaZLlvzCk1YAocphZDFAV/jm5zwFiUCzrND6mz4xCWJ8lJb2ZPoQpuGUppg/agoASFPeimbJp5zRuUp9tLL1xra0b9NjAA42M6ju1CkDvvNnRGEk/E9AD/G6v4AxHP5dzzmIlLSS6sNIDADPkdIfRhwe1Y7aF3TrYNq/P97Z1whtQ== schroeder@Christians-MacBook-Pro.local'
- name: annette
user_id: 1006
group_id: 1006
@ -72,6 +64,76 @@ extra_user:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

2
host_vars/backup.oopen.de.yml
View File

@ -284,6 +284,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsPJQGHl1GVZ3yPl3Oi3xlH+EUsN1/EWDY2XAohag/P root@mail-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM4+Zvs5SY3E2cAMdnta1BujzudGg/97nz+nE5sipVD root@matomo-01'
@ -301,6 +302,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTxl1BwIslVhsiFCZeRlgwoSO2ahaHWwMeiKAIRFJm6 root@o13-pad'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHl2xONyeBX/gnJ4iVeSVoxu/W6ku2VorA5gxAbp95q root@o13-staging-board'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp24VDXOsa0MuzGFaFa3CPDUsnA/ASojHAiN344m+dP root@o14'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board'

84
host_vars/cl-irights.oopen.de.yml
View File

@ -99,6 +99,90 @@ resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '23'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud-irights.oopen.de
- name: "Background job for nextcloud instance 'cloud-irights.oopen.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud-irights.oopen.de/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---

56
host_vars/mm-irights-neu.oopen.de.yml → host_vars/devel-db.wf.netz.yml
View File

@ -1,5 +1,10 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
@ -41,8 +46,8 @@ systemd_resolved: true
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
@ -53,20 +58,20 @@ systemd_resolved: true
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
@ -75,20 +80,17 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
- wf.netz
resolved_dnssec: false
@ -98,6 +100,11 @@ resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
@ -129,10 +136,20 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
@ -144,4 +161,3 @@ git_firewall_repository:
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-php.wf.netz.yml Normal file
View File

@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-repos.wf.netz.yml Normal file
View File

@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-wiki.wf.netz.yml Normal file
View File

@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

49
host_vars/file-dissens.dissens.netz.yml
View File

@ -147,6 +147,39 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Daily Backup "
minute: "03"
hour: "00"
job: /root/crontab/backup-rborg2/rborg2.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
@ -154,12 +187,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP Service ntpsec"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart intpsec > /dev/null 2>&1"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
@ -331,6 +358,11 @@ samba_user:
- team
password: '20/l4ur4-s4sse-24?'
- name: lino.koehler
groups:
- projekte
password: '20.l1no-ko3hl3r_25/'
- name: maite.gabriel
groups:
- projekte
@ -376,6 +408,11 @@ samba_user:
- verwaltung
password: '20.s4r4h_kl3mm-24!'
- name: scan
groups:
- team
password: '20-sc4n.25!'
- name: sebastian.scheele
groups:
- projekte

61
host_vars/file-km.anw-km.netz.yml
View File

@ -385,16 +385,16 @@ samba_user:
- public
password: 'zHfj9g3NcC'
- name: gerhard
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'bHdhzWnTj9'
# - name: gerhard
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# - public
# password: 'bHdhzWnTj9'
- name: ho-st1
groups:
@ -403,13 +403,13 @@ samba_user:
- stahmann
password: '44-Ro-440'
- name: howe-staff-1
groups:
- advoware
- alle
- aulmann
- howe
password: ''
# - name: howe-staff-1
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# password: ''
- name: irina
groups:
@ -433,14 +433,14 @@ samba_user:
- public
password: 'bV3pjPtjkR'
- name: laura
groups:
- alle
- aulmann
- howe
- stahmann
- traine
password: '99-Hamburg-990'
# - name: laura
# groups:
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# password: '99-Hamburg-990'
- name: lenovo3
groups:
@ -555,11 +555,12 @@ samba_user:
base_home: /data/home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
remove_samba_users:
- name: howe-staff-1
- name: gerhard
- name: laura
#remove_samba_users: []
#remove_samba_users:
# - name: evren

18
host_vars/formbricks-nd.oopen.de.yml
View File

@ -137,6 +137,24 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml

11
host_vars/ga-al-gw.oopen.de.yml
View File

@ -44,6 +44,7 @@ network_interfaces:
post-up:
# - VLAN 221 (Ubiquiti UniFi Accesspoints)
- /sbin/ip link add link eth2 name eth2.221 type vlan id 221
- /sbin/ip link add link eth2 name eth2.231 type vlan id 231
- device: eth2:ns
headline: eth2:ns - Alias on eth2 (Nameserver)
@ -81,7 +82,7 @@ network_interfaces:
- device: eth2.221
# use only once per device (for the first device entry)
headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints)
headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints Guest NET)
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@ -99,6 +100,14 @@ network_interfaces:
mtu:
scope:
- device: eth2.231
headline: eth2 - VLAN 231 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.231.15.254
netmask: 20
# additional user by dhcp method
#
hostname:

409
host_vars/ga-campus-gw-temp.oopen.de.yml Normal file
View File

@ -0,0 +1,409 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.72.1
netmask: 24
gateway: 172.16.72.254
#nameservers:
# - 192.168.81.1
# - 172.16.81.254
#search: ga.netz ga.intra
- device: eno5
headline: eno5 - LAN
auto: true
family: inet
method: static
address: 192.168.72.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno5 name eno5.22 type vlan id 21
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno5 name eno5.32 type vlan id 31
- device: eno5.22
headline: eno5 - VLAN 22 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.22.15.254
netmask: 20
- device: eno5.32
headline: eno5 - VLAN 32 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.32.15.254
netmask: 20
- device: eno5:ns
headline: eno5:ns - Alias on eno5 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.72.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.81.1"
bind9_notify_source: !!str "192.168.81.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

22
host_vars/ga-nh-gw.oopen.de.yml
View File

@ -51,6 +51,28 @@ network_interfaces:
method: static
address: 192.168.81.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno5 name eno5.21 type vlan id 21
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno5 name eno5.31 type vlan id 31
- device: eno5.21
headline: eno5 - VLAN 321 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.21.15.254
netmask: 20
- device: eno5.31
headline: eno5 - VLAN 331 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.31.15.254
netmask: 20
- device: eno5:ns

11
host_vars/ga-st-gw.ga.netz.yml
View File

@ -45,11 +45,16 @@ network_interfaces:
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf (Unifi routet Network)
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
@ -209,7 +214,7 @@ network_interfaces:
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
@ -218,7 +223,7 @@ network_interfaces:
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static

215
host_vars/ga-st-mm.ga.netz.yml Normal file
View File

@ -0,0 +1,215 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
install_compiler_pkgs: true
install_postgresql_pkgs: true
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.11.1
- 192.168.10.3
- 192.168.10.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.11.3
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_root_ssh_keypair: true
root_ssh_keypair:
- name: id-rsa-dehydrated
priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated
priv_key_dest: /root/.ssh/id_rsa-dehydrated
pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub
pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub
- name: id-rsa-opendkim
priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim
priv_key_dest: /root/.ssh/id_rsa-opendkim
pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub
pub_key_dest: /root/.ssh/id_rsa-opendkim.pub
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/copy_files.yml
# ---
# ---
# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml
# ---

16
host_vars/gw-akb.oopen.de.yml
View File

@ -26,14 +26,14 @@ copy_additional_plain_files_sysctl:
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
#sshd_hostkeyalgorithms:
# - ssh-ed25519
# - ssh-ed25519-cert-v01@openssh.com
# - rsa-sha2-256
# - rsa-sha2-512
# - ecdsa-sha2-nistp256
# - rsa-sha2-256-cert-v01@openssh.com
# - rsa-sha2-512-cert-v01@openssh.com
# ---

225
host_vars/keycloak-nd.oopen.de.yml Normal file
View File

@ -0,0 +1,225 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if cert for Keycloak service is up-to-date"
minute: '51'
hour: '05'
job: /root/bin/monitoring/check_cert_for_keycloak.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

64
host_vars/mm-irights.oopen.de.yml
View File

@ -75,12 +75,10 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 213.133.98.98
- 2a01:4f8:0:1::add:9999
- 213.133.99.99
- 2a01:4f8:0:a111::add:9898
- 213.133.100.100
- 2a01:4f8:0:a0a1::add:1010
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
@ -100,6 +98,60 @@ resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if mattermost service ist running - Restart Service if needed."
minute: '*/6'
hour: '*'
job: /root/bin/monitoring/check_local_mattermost_service.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '01'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---

14
host_vars/o23.oopen.de.yml
View File

@ -24,7 +24,7 @@ network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp6s0
headline: br0 - bridge over device enp27s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@ -32,7 +32,7 @@ network_interfaces:
family: inet
method: static
hwaddress: 88:d7:f6:7d:e6:ef
hwaddress: 30:9c:23:63:40:b5
description:
address: 159.69.74.150
netmask: 26
@ -63,10 +63,10 @@ network_interfaces:
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 195.201.179.131
- 95.217.204.204
search:
#nameservers:
# - 195.201.179.131
# - 95.217.204.204
#search:
# optional additional subnets/ips subnets: []
# subnets:
@ -81,7 +81,7 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: enp6s0 # for mor devices support a blank separated list
ports: enp27s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2

6
host_vars/o40.oopen.de.yml
View File

@ -24,7 +24,7 @@ network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp5s0
headline: br0 - bridge over device enp6s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@ -32,7 +32,7 @@ network_interfaces:
family: inet
method: static
hwaddress: 9c:6b:00:0b:fe:2f
hwaddress: 9c:6b:00:08:9a:30
description:
address: 176.9.125.12
netmask: 27
@ -76,7 +76,7 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: enp5s0 # for mor devices support a blank separated list
ports: enp6s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2

18
host_vars/prometheus-nd.oopen.de.yml
View File

@ -147,6 +147,24 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml

34
hosts
View File

@ -16,6 +16,7 @@ rage.so36.net ansible_user=ckubu
[no_ipt_firewall]
lxc-host-kb.anw-kb.netz
o13-git.oopen.de
o13-staging-board.oopen.de
o25.oopen.de
o33.oopen.de
@ -25,6 +26,7 @@ discourse.oopen.de
test-nd.oopen.de
formbricks-nd.oopen.de
ga-st-mm.ga.netz
[dns_sinma]
@ -39,6 +41,7 @@ gw-123.oopen.de
gw-ah.oopen.de
gw-ak.oopen.de
gw-akb.oopen.de
172.16.82.2
gw-dissens.oopen.de
gw-dissens.oopen.de
gw-ebs.oopen.de
@ -77,8 +80,10 @@ ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-campus-gw-temp.ga.netz
ga-st-lxc1.ga.netz
ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz
ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz
@ -259,6 +264,7 @@ mm-rav.oopen.de
# ND - prometheus, web
o43.oopen.de
formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
@ -375,7 +381,7 @@ mm-migration.oopen.de
o24.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
mm-irights.oopen.de
ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# IL - PAD
@ -466,6 +472,7 @@ mm-rav.oopen.de
# ND - prometheus, web
o43.oopen.de
formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
@ -494,6 +501,7 @@ gw-ak.oopen.de
# AKB
gw-akb.oopen.de
172.16.82.2
# Dissens
gw-dissens.oopen.de
@ -556,9 +564,11 @@ ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-campus-gw-temp.ga.netz
ga-st-lxc1.ga.netz
ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz
ga-st-services.ga.netz
ga-al-ws1.ga.netz
@ -775,7 +785,6 @@ verdi-es.warenform.de
devel-php.wf.netz
devel-todo.wf.netz
devel-repos.wf.netz
devel-wiki.wf.netz
devel-ruby.wf.netz
@ -842,6 +851,7 @@ mm-migration.oopen.de
# o24.oopen.de
mm-irights.oopen.de
ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# Hetzner Cloud CX31 - AK
@ -879,11 +889,13 @@ cp-flr.oopen.de
mm-rav.oopen.de
# o43 - ND prometheus, web
keycloak-nd.oopen.de
prometheus-nd.oopen.de
web-nd.oopen.de
# GA - Gemeinschaft Altensclirf
ga-st-services.ga.netz
ga-st-mm.ga.netz
# ---
# Warenform server
@ -892,6 +904,11 @@ ga-st-services.ga.netz
# server22
nd.warenform.de
# ---
# - Warenform Office
# ---
devel-repos.wf.netz
[mail_server]
@ -972,6 +989,7 @@ mm-migration.oopen.de
# o24.oopen.de
mm-irights.oopen.de
ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# o27.oopen.de
@ -997,6 +1015,7 @@ g.mx.oopen.de
# - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz
# ---
@ -1016,6 +1035,7 @@ verdi-django.warenform.de
mm-rav.oopen.de
# o43 - ND app
keycloak-nd.oopen.de
prometheus-nd.oopen.de
@ -1066,6 +1086,7 @@ mm-migration.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
mm-irights.oopen.de
ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# Hetzner Cloud CX31 - AK
@ -1545,6 +1566,7 @@ mm-migration.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
mm-irights.oopen.de
ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# - o27.oopen.de
@ -1606,6 +1628,7 @@ cp-flr.oopen.de
mm-rav.oopen.de
# o43 - ND
keycloak-nd.oopen.de
prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
@ -1628,6 +1651,7 @@ zapata.opp.netz
# - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz
ga-st-services.ga.netz
@ -1838,10 +1862,13 @@ mm-rav.oopen.de
# ND - prometheus, web
o43.oopen.de
formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
# Gemeinchaft Altenschlirf
ga-st-mm.ga.netz
lxc-host-kb.anw-kb.netz
@ -1880,6 +1907,7 @@ gw-elster.oopen.de
gw-blkr.oopen.de
gw-ak.oopen.de
gw-akb.oopen.de
172.16.82.2
gw-dissens.oopen.de
gw-ckubu.local.netz
gw-flr.oopen.de
@ -1900,6 +1928,7 @@ ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-campus-gw-temp.ga.netz
# Gateway/Firewall Server office network
@ -1979,6 +2008,7 @@ ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
ga-al-relay.ga.netz
ga-nh-gw.oopen.de.yml
ga-campus-gw-temp.ga.netz
ga-st-lxc1.ga.netz
ga-st-mail.ga.netz
ga-st-services.ga.netz

7
roles/common/files/etc/systemd/system/apache2.service.d/limits.conf Normal file
View File

@ -0,0 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# Custom Values overrides/adds values in 'mariadb.service'
#
[Service]
LimitNOFILE=1048576
LimitMEMLOCK=infinity

7
roles/common/files/etc/systemd/system/mariadb.service.d/limits.conf Normal file
View File

@ -0,0 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# Custom Values overrides/adds values in 'mariadb.service'
#
[Service]
LimitNOFILE=1048576
LimitMEMLOCK=infinity

4
roles/common/files/mailserver/etc/postfix/postfwd.cf
View File

@ -169,8 +169,8 @@ id=RATE_CLIENT_ADDR
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
recipient_count=90
action=REJECT Too many recipients, please reduce to less than 90 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG

13
roles/common/handlers/main.yml
View File

@ -99,3 +99,16 @@
name: ntpsec
daemon_reload: yes
state: restarted
- name: Restart mariadb
service:
name: mariadb
daemon_reload: yes
state: restarted
- name: Restart apache2
service:
name: apache2
daemon_reload: yes
state: restarted

37
roles/common/tasks/apache2.yml Normal file
View File

@ -0,0 +1,37 @@
---
# ---
# Apache2 Server
# ---
- name: Populate service facts
ansible.builtin.service_facts:
#- name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure directory '/etc/systemd/system/apache2.service.d' is present
file:
path: /etc/systemd/system/apache2.service.d
state: directory
owner: root
group: root
mode: '0755'
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure file '/etc/systemd/system/apache2.service.d/limits.conf' exists
copy:
src: 'etc/systemd/system/apache2.service.d/limits.conf'
dest: '/etc/systemd/system/apache2.service.d/limits.conf'
owner: root
group: root
mode: '0644'
notify: "Restart apache2"
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'

10
roles/common/tasks/main.yml
View File

@ -280,6 +280,16 @@
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
- import_tasks: mysql.yml
when: groups['mysql_server']|string is search(inventory_hostname)
tags:
- mysql
- mariadb
- import_tasks: apache2.yml
when: groups['apache2_webserver']|string is search(inventory_hostname)
tags:
- apache2
- import_tasks: systemd-services_debian_based_OS.yml
when:

37
roles/common/tasks/mysql.yml Normal file
View File

@ -0,0 +1,37 @@
---
# ---
# MySQL / MariaDB Server
# ---
- name: Populate service facts
ansible.builtin.service_facts:
#- name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'
- name: (mysql.yml) Ensure directory '/etc/systemd/system/mariadb.service.d' is present
file:
path: /etc/systemd/system/mariadb.service.d
state: directory
owner: root
group: root
mode: '0755'
when:
- ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'
- name: (mysql.yml) Ensure file '/etc/systemd/system/mariadb.service.d/limits.conf' exists
copy:
src: 'etc/systemd/system/mariadb.service.d/limits.conf'
dest: '/etc/systemd/system/mariadb.service.d/limits.conf'
owner: root
group: root
mode: '0644'
notify: "Restart mariadb"
when:
- ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'

156
roles/modify-ipt-server/tasks/ipt-server.yml
View File

@ -99,67 +99,153 @@
# ===
# ---
# Add additional SMTP ports (OUT and IN)
# Add support for MNDP and mDNS Traffic
# ---
- name: Check if String 'smtpd_additional_listen_ports=..' is present
shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv4.conf
register: smtpd_additional_listen_ports_ipv4_present
- name: Check if String 'drop_mndp=..' is present
shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv4.conf
register: drop_mndp_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 1"
changed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 0"
failed_when: "drop_mndp_ipv4_present.rc > 1"
changed_when: "drop_mndp_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_listen_ports)
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_mndp)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_smtpd_ips'
insertafter: '^#?\s*drop_icmp'
block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# blank separated list of ports
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
smtpd_additional_outgoung_ports=""
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)"
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
marker: "# Marker set by modify-ipt-server.yml (drop_mndp)"
when:
- main_ipv4_exists.stat.exists
- smtpd_additional_listen_ports_ipv4_present is changed
- drop_mndp_ipv4_present is changed
notify:
- Restart IPv4 Firewall
- name: Check if String 'smtpd_additional_listen_ports=..' is present
shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv6.conf
register: smtpd_additional_listen_ports_ipv6_present
- name: Check if String 'drop_mndp=..' is present
shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv6.conf
register: drop_mndp_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 1"
changed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 0"
failed_when: "drop_mndp_ipv6_present.rc > 1"
changed_when: "drop_mndp_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (smtpd_additional_listen_ports)
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop_mndp)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_smtpd_ips'
insertafter: '^#?\s*drop_icmp'
block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# blank separated list of ports
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
smtpd_additional_outgoung_ports=""
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)"
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
marker: "# Marker set by modify-ipt-server.yml (drop_mndp)"
when:
- main_ipv6_exists.stat.exists
- smtpd_additional_listen_ports_ipv6_present is changed
- drop_mndp_ipv6_present is changed
notify:
- Restart IPv6 Firewall