Compare commits


24 Commits

Author SHA1 Message Date
chris 3b4ba60bb7 Add ipt-server.yml for backup.oopen.de with initial firewall configuration 2026-06-29 16:46:15 +02:00
chris e74fca04a2 Update migration guide: add step to freeze current firewall rules and create ipt-server.yml for a.ns.oopen.de with initial configuration 2026-06-29 11:38:20 +02:00
chris ba5683864a Add sudo to iptables-save commands in migration guide for proper permissions 2026-06-29 08:20:02 +02:00
chris 1171d156b7 Add sudo to iptables-save commands in migration guide for proper permissions 2026-06-29 08:16:53 +02:00
chris 682a08b53e Refactor extract-fw-host-vars.py to improve quoted value handling and add fw_manage_config to generated YAML; create ipt-server.yml for a.mx.oopen.de with initial configuration 2026-06-29 08:13:40 +02:00
chris b9e5b0f5e2 ile-dissens.dissens.netz.yml: add user 'nano.nowak'. 2026-06-29 00:53:10 +02:00
chris db2cdabee1 Update ipt-server role: add Jitsi TCP/UDP ports to defaults and remove obsolete entries from host_vars 2026-06-28 11:45:37 +02:00
chris 25b0e026f2 Update ipt-server role: add Jitsi TCP/UDP ports to defaults and remove obsolete entries from host_vars 2026-06-28 11:35:12 +02:00
chris 48bc4296da Add fw_manage_config to ipt-server.yml for cl-01.oopen.de 2026-06-27 22:56:27 +02:00
chris f149b09892 Refactor ipt-server role: update migration and README for hostname variable usage; remove obsolete ipt-server.yml for cloud-01.oopen.de 2026-06-27 22:38:12 +02:00
chris 7db2b7ee9b Update ipt-server role: specify hosts in ipt-server.yml and add configuration for cloud-01.oopen.de 2026-06-27 22:23:49 +02:00
chris 5a98895b66 Role ipt-server: rename 'host_vars/<server-name>/ipt_firewall.yml' to 'host_vars/<server-name>/ipt-server.yml'. 2026-06-27 02:32:15 +02:00
chris 92d2c31ecc Role ipt-server: rename 'host_vars/<server-name>/ipt_firewall.yml' to 'host_vars/<server-name>/ipt-server.yml'. 2026-06-27 02:28:16 +02:00
chris 9798ca9cd6 Add ipt-server role with firewall configuration and management
- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00
chris 0158e3738f file-km: add group 'wildvang' to user 'zeina'. 2026-06-26 00:52:43 +02:00
chris f309e8cb1c Add new host entry and update Samba configuration
- Added 'file-km-alt.anw-km.netz' to the hosts file in multiple locations.
- Updated Samba configuration to change the maximum file size for virus filtering from 25 MB to 15 MB, with commented-out options for 50 MB and 25 MB.
- Created a new host variable file for 'file-km-alt.anw-km.netz' with detailed network interface and Samba share configurations, including user definitions and permissions.
2026-06-19 11:49:11 +02:00
chris 84d5a653c5 Update network configurations and add new host variables
- Modified network interface settings for gw-mbr.oopen.de, changing IP addresses and adding an alias for IPMI.
- Refactored network interface configuration for o28.oopen.de, consolidating and updating device settings, including bridge configurations and DNS settings.
- Added new user 'farina' to samba_user in zapata.opp.netz.yml.
- Updated hosts file to include new entries for ak-plan.oopen.de and adjusted existing entries for clarity.
- Created new host variable files for ak-plan.oopen.de, cl-ndm.oopen.de, and psono-ndm.oopen.de with comprehensive configurations for systemd-resolved and cron jobs.
2026-06-18 14:15:47 +02:00
chris 1c7ad75f47 Add virusfilter support to Samba homes and shares configuration 2026-06-01 02:54:54 +02:00
chris 55bdcba049 Add virusfilter support to Samba homes and shares 2026-06-01 02:54:25 +02:00
chris 86afc6263d update some hosts 2026-06-01 01:53:29 +02:00
chris 78d9822d2f Add notifications to reload AppArmor profile and restart clamav-daemon 2026-06-01 01:53:16 +02:00
chris 6e086dbac0 Add virusfilter support for Samba homes and update AppArmor configuration 2026-05-29 18:43:06 +02:00
chris 56a2c8464f Add virusfilter support to Samba shares and configure ClamAV database checks 2026-05-26 14:18:36 +02:00
chris 1f78326503 Adds handlers to reload AppArmor and restart ClamAV
Ensures AppArmor profile for ClamAV is reloaded and the ClamAV daemon is restarted when necessary, improving service reliability and reflecting updated security profiles.
2026-05-26 14:16:45 +02:00
53 changed files with 12285 additions and 813 deletions
+14
@@ -1 +1,15 @@
# Editor
*.swp
*.swo
*~
# Python
__pycache__/
*.py[cod]
# Ansible
*.retry
.vault_pass
# OS
.DS_Store
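Review bot: `.vault_pass` keeps the vault password out of the repository, but the literal name only matches that one file; a `.vault_pass.txt` or a per-environment variant would still be committed. A `.vault_pass*` pattern under the `# Ansible` section covers those. The hunk header `@@ -1 +1,15 @@` also shows the previous one-line .gitignore being replaced wholesale, so check that whatever that single line ignored is still covered by one of the new sections.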
+732
@@ -0,0 +1,732 @@
#!/usr/bin/env python3
"""
Extract ipt-firewall configuration from a host and generate host_vars YAML.
Reads /etc/ipt-firewall/{interfaces,main}_ipv{4,6}.conf via SSH,
maps all variables to Ansible fw_* names, and writes a host_vars file.
Usage:
./extract-fw-host-vars.py <hostname> [--user USER] [--port PORT] [--dry-run]
Example:
./extract-fw-host-vars.py cl-01.oopen.de
./extract-fw-host-vars.py cl-01.oopen.de --user root --dry-run
"""
import argparse
import re
import subprocess
import sys
from pathlib import Path
# ---------------------------------------------------------------------------
# Defaults matching roles/ipt-firewall/defaults/main.yml
# Only values that differ from these will be emitted.
# ---------------------------------------------------------------------------
DEFAULTS = {
"fw_do_not_firewall_bridged_traffic": False,
"fw_do_not_firewall_lx_guest_systems": False,
"fw_drop_icmp": False,
"fw_drop_mndp": True,
"fw_drop_mdns": True,
"fw_allow_all_outgoing_traffic": False,
"fw_blocked_ifs": "",
"fw_unprotected_ifs": "",
"fw_forward_private_ips_v4": "",
"fw_forward_private_ips_v6": "",
"fw_restrict_local_service_to_net_v4": "",
"fw_restrict_local_service_to_net_v6": "",
"fw_restrict_local_net_to_net_v4": "",
"fw_restrict_local_net_to_net_v6": "",
"fw_allow_ext_service_v4": "",
"fw_allow_ext_service_v6": "",
"fw_allow_ext_net_v4": "",
"fw_allow_ext_net_v6": "",
"fw_allow_local_service_v4": "",
"fw_allow_local_service_v6": "",
"fw_allow_local_service_from_networks_v4": "",
"fw_allow_local_service_from_networks_v6": "",
"fw_vpn_server_ips": "",
"fw_forward_vpn_server_ips": "",
"fw_vpn_ports": "$standard_vpn_port",
"fw_wireguard_server_ips": "",
"fw_forward_wireguard_server_ips": "",
"fw_wireguard_server_ports": "$standard_wireguard_port",
"fw_wireguard_out_ports": "$standard_wireguard_port",
"fw_local_ntp_service": False,
"fw_ntp_port": "$standard_ntp_port",
"fw_ntp_allowed_net": "",
"fw_dhcp_server_ifs": "",
"fw_dhcp_client_ifs": "",
"fw_dns_server_ips": "",
"fw_forward_dns_server_ips": "",
"fw_local_resolver_service": False,
"fw_resolver_port": "$standard_dns_port",
"fw_resolver_allowed_networks_v4": "",
"fw_resolver_allowed_networks_v6": "",
"fw_ssh_server_ips": "$ext_ips",
"fw_forward_ssh_server_ips": "",
"fw_ssh_ports": "$standard_ssh_port",
"fw_http_server_ips": "",
"fw_forward_http_server_ips": "",
"fw_http_ports": "$standard_http_ports",
"fw_log_cgi_traffic_out": False,
"fw_cgi_script_users": "",
"fw_mm_server_ips": "",
"fw_forward_mm_server_ips": "",
"fw_smtpd_ips": "",
"fw_forward_smtpd_ips": "",
"fw_smtpd_additional_listen_ports": "",
"fw_smtpd_additional_outgoing_ports": "",
"fw_mail_server_ips": "",
"fw_forward_mail_server_ips": "",
"fw_mail_user_ports": "$standard_mailuser_ports",
"fw_mail_client_ips": "",
"fw_forward_mail_client_ips": "",
"fw_dovecot_auth_service": False,
"fw_dovecot_auth_port": "$dovecot_external_auth_port",
"fw_dovecot_auth_allowed_networks_v4": "",
"fw_dovecot_auth_allowed_networks_v6": "",
"fw_ftp_server_ips": "",
"fw_forward_ftp_server_ips": "",
"fw_ftp_passive_port_range": "50000:50400",
"fw_xmpp_server_ips": "",
"fw_forward_xmpp_server_ips": "",
"fw_xmmp_tcp_in_ports": "5222 5223 5269",
"fw_xmmp_tcp_out_ports": "5269",
"fw_xmmp_remote_out_services_v4": "",
"fw_xmmp_remote_out_services_v6": "",
"fw_mumble_server_ips": "",
"fw_forward_mumble_server_ips": "",
"fw_mumble_ports": "$standard_mumble_port",
"fw_jitsi_server_ips": "",
"fw_forward_jitsi_server_ips": "",
"fw_jitsi_tcp_ports": "$standard_jitsi_tcp_ports",
"fw_jitsi_udp_port_range": "$standard_jitsi_udp_port_range",
"fw_jitsi_tcp_ports_out": "$standard_turn_service_ports,4443,4444,4445,4446",
"fw_jitsi_udp_ports_out": "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446",
"fw_jitsi_dovecot_auth": False,
"fw_jitsi_dovecot_host": "",
"fw_jitsi_jibri_remote_auth": False,
"fw_jitsi_jibri_remote_ips": "",
"fw_jibri_server_ips": "",
"fw_forward_jibri_server_ips": "",
"fw_jibri_remote_jitsi_server": "",
"fw_nc_turn_server_ips": "",
"fw_forward_nc_turn_server_ips": "",
"fw_nc_turn_ports": "$standard_turn_service_ports",
"fw_nc_turn_udp_ports": "$standard_turn_service_udp_ports",
"fw_tftp_server_ips": "",
"fw_prometheus_local_server_ips": "",
"fw_prometheus_local_client_ips": "",
"fw_prometheus_remote_server_ips": "",
"fw_munin_server_ips": "",
"fw_forward_munin_server_ips": "",
"fw_munin_remote_port": "$standard_munin_port",
"fw_munin_local_port": "4949",
"munin_remote_ipv4": "",
"munin_remote_ipv6": "",
"fw_xymon_server_ips": "",
"fw_local_xymon_client": False,
"fw_xymon_port": "$standard_xymon_port",
"fw_rsync_out_ips": "",
"fw_forward_rsync_out_ips": "",
"fw_rsync_ports": "873",
"fw_tcp_out_ports": "",
"fw_forward_tcp_out_ports": "",
"fw_udp_out_ports": "",
"fw_forward_udp_out_ports": "",
"fw_portforward_tcp_v4": "",
"fw_portforward_udp_v4": "",
"fw_portforward_tcp_v6": "",
"fw_portforward_udp_v6": "",
"fw_blocked_ips": "",
"fw_block_tcp_ports": "111 113 135 137:139 445",
"fw_block_udp_ports": "111 137:139",
"fw_create_traffic_counter": True,
"fw_create_iperf_rules": True,
"fw_protection_against_syn_flooding": True,
"fw_protection_against_port_scanning": True,
"fw_protection_against_ssh_brute_force_attacks": True,
"fw_limit_connections_per_source_IP": True,
"fw_per_IP_connection_limit": "$default_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP": True,
"fw_limit_new_tcp_connections_per_seconds_ports": "",
"fw_kernel_activate_forwarding": False,
"fw_kernel_support_dynaddr": False,
"fw_dynaddr_flag": "5",
"fw_kernel_reduce_timeouts": True,
"fw_kernel_tcp_syncookies": True,
"fw_kernel_protect_against_icmp_bogus_messages": True,
"fw_kernel_ignore_broadcast_ping": True,
"fw_kernel_deactivate_source_route": True,
"fw_kernel_dont_accept_redirects": True,
"fw_kernel_activate_rp_filter": True,
"fw_kernel_log_martians": False,
"fw_kernel_forward_between_interfaces": False,
"fw_vpn_ifs": "tun+",
"fw_wg_ifs": "wg+",
"fw_nat_devices": "",
}
# ---------------------------------------------------------------------------
# Variable mapping: (bash_varname, source) → ansible_varname
# source: 'iface_v4', 'iface_v6', 'main_v4', 'main_v6', 'main_shared'
# ---------------------------------------------------------------------------
# Shared service variables (read from main_ipv4.conf, same in both)
MAIN_SHARED = {
"do_not_firewall_bridged_traffic": "fw_do_not_firewall_bridged_traffic",
"do_not_firewall_lx_guest_systems": "fw_do_not_firewall_lx_guest_systems",
"drop_icmp": "fw_drop_icmp",
"drop_mndp": "fw_drop_mndp",
"drop_mdns": "fw_drop_mdns",
"allow_all_outgoing_traffic": "fw_allow_all_outgoing_traffic",
"blocked_ifs": "fw_blocked_ifs",
"unprotected_ifs": "fw_unprotected_ifs",
"vpn_server_ips": "fw_vpn_server_ips",
"forward_vpn_server_ips": "fw_forward_vpn_server_ips",
"vpn_ports": "fw_vpn_ports",
"wireguard_server_ips": "fw_wireguard_server_ips",
"forward_wireguard_server_ips": "fw_forward_wireguard_server_ips",
"wireguard_server_ports": "fw_wireguard_server_ports",
"wireguard_out_ports": "fw_wireguard_out_ports",
"local_ntp_service": "fw_local_ntp_service",
"ntp_port": "fw_ntp_port",
"ntp_allowed_net": "fw_ntp_allowed_net",
"dns_server_ips": "fw_dns_server_ips",
"forward_dns_server_ips": "fw_forward_dns_server_ips",
"local_resolver_service": "fw_local_resolver_service",
"resolver_port": "fw_resolver_port",
"ssh_server_ips": "fw_ssh_server_ips",
"forward_ssh_server_ips": "fw_forward_ssh_server_ips",
"ssh_ports": "fw_ssh_ports",
"http_server_ips": "fw_http_server_ips",
"forward_http_server_ips": "fw_forward_http_server_ips",
"http_ports": "fw_http_ports",
"log_cgi_traffic_out": "fw_log_cgi_traffic_out",
"cgi_script_users": "fw_cgi_script_users",
"mm_server_ips": "fw_mm_server_ips",
"forward_mm_server_ips": "fw_forward_mm_server_ips",
"smtpd_ips": "fw_smtpd_ips",
"forward_smtpd_ips": "fw_forward_smtpd_ips",
"smtpd_additional_listen_ports": "fw_smtpd_additional_listen_ports",
"smtpd_additional_outgoung_ports": "fw_smtpd_additional_outgoing_ports",
"mail_server_ips": "fw_mail_server_ips",
"forward_mail_server_ips": "fw_forward_mail_server_ips",
"mail_user_ports": "fw_mail_user_ports",
"mail_client_ips": "fw_mail_client_ips",
"forward_mail_client_ips": "fw_forward_mail_client_ips",
"dovecot_auth_service": "fw_dovecot_auth_service",
"dovecot_auth_port": "fw_dovecot_auth_port",
"ftp_server_ips": "fw_ftp_server_ips",
"forward_ftp_server_ips": "fw_forward_ftp_server_ips",
"ftp_passive_port_range": "fw_ftp_passive_port_range",
"xmpp_server_ips": "fw_xmpp_server_ips",
"forward_xmpp_server_ips": "fw_forward_xmpp_server_ips",
"xmmp_tcp_in_ports": "fw_xmmp_tcp_in_ports",
"xmmp_tcp_out_ports": "fw_xmmp_tcp_out_ports",
"mumble_server_ips": "fw_mumble_server_ips",
"forward_mumble_server_ips": "fw_forward_mumble_server_ips",
"mumble_ports": "fw_mumble_ports",
"jitsi_server_ips": "fw_jitsi_server_ips",
"forward_jitsi_server_ips": "fw_forward_jitsi_server_ips",
"jitsi_tcp_ports": "fw_jitsi_tcp_ports",
"jitsi_udp_port_range": "fw_jitsi_udp_port_range",
"jitsi_tcp_ports_out": "fw_jitsi_tcp_ports_out",
"jitsi_udp_ports_out": "fw_jitsi_udp_ports_out",
"jitsi_dovecot_auth": "fw_jitsi_dovecot_auth",
"jitsi_dovecot_host": "fw_jitsi_dovecot_host",
"jitsi_jibri_remote_auth": "fw_jitsi_jibri_remote_auth",
"jitsi_jibri_remote_ips": "fw_jitsi_jibri_remote_ips",
"jibri_server_ips": "fw_jibri_server_ips",
"forward_jibri_server_ips": "fw_forward_jibri_server_ips",
"jibri_remote_jitsi_server": "fw_jibri_remote_jitsi_server",
"nc_turn_server_ips": "fw_nc_turn_server_ips",
"forward_nc_turn_server_ips": "fw_forward_nc_turn_server_ips",
"nc_turn_ports": "fw_nc_turn_ports",
"nc_turn_udp_ports": "fw_nc_turn_udp_ports",
"tftp_server_ips": "fw_tftp_server_ips",
"prometheus_local_server_ips": "fw_prometheus_local_server_ips",
"prometheus_local_client_ips": "fw_prometheus_local_client_ips",
"prometheus_remote_server_ips": "fw_prometheus_remote_server_ips",
"munin_server_ips": "fw_munin_server_ips",
"forward_munin_server_ips": "fw_forward_munin_server_ips",
"munin_remote_port": "fw_munin_remote_port",
"munin_local_port": "fw_munin_local_port",
"xymon_server_ips": "fw_xymon_server_ips",
"local_xymon_client": "fw_local_xymon_client",
"xymon_port": "fw_xymon_port",
"rsync_out_ips": "fw_rsync_out_ips",
"forward_rsync_out_ips": "fw_forward_rsync_out_ips",
"rsync_ports": "fw_rsync_ports",
"tcp_out_ports": "fw_tcp_out_ports",
"forward_tcp_out_ports": "fw_forward_tcp_out_ports",
"udp_out_ports": "fw_udp_out_ports",
"forward_udp_out_ports": "fw_forward_udp_out_ports",
"blocked_ips": "fw_blocked_ips",
"block_tcp_ports": "fw_block_tcp_ports",
"block_udp_ports": "fw_block_udp_ports",
"create_traffic_counter": "fw_create_traffic_counter",
"create_iperf_rules": "fw_create_iperf_rules",
"protection_against_syn_flooding": "fw_protection_against_syn_flooding",
"protection_against_port_scanning": "fw_protection_against_port_scanning",
"protection_against_ssh_brute_force_attacks": "fw_protection_against_ssh_brute_force_attacks",
"limit_connections_per_source_IP": "fw_limit_connections_per_source_IP",
"per_IP_connection_limit": "fw_per_IP_connection_limit",
"limit_new_tcp_connections_per_seconds_per_source_IP": "fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"limit_new_tcp_connections_per_seconds_ports": "fw_limit_new_tcp_connections_per_seconds_ports",
}
# IPv4-only variables (from main_ipv4.conf)
MAIN_V4_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v4",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v4",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v4",
"allow_ext_service": "fw_allow_ext_service_v4",
"allow_ext_net": "fw_allow_ext_net_v4",
"allow_local_service": "fw_allow_local_service_v4",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v4",
"portforward_tcp": "fw_portforward_tcp_v4",
"portforward_udp": "fw_portforward_udp_v4",
"munin_remote_ip": "munin_remote_ipv4",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v4",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v4",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v4",
"dhcp_server_ifs": "fw_dhcp_server_ifs",
"dhcp_client_ifs": "fw_dhcp_client_ifs",
"kernel_activate_forwarding": "fw_kernel_activate_forwarding",
"kernel_support_dynaddr": "fw_kernel_support_dynaddr",
"dynaddr_flag": "fw_dynaddr_flag",
"kernel_reduce_timeouts": "fw_kernel_reduce_timeouts",
"kernel_tcp_syncookies": "fw_kernel_tcp_syncookies",
"kernel_protect_against_icmp_bogus_messages": "fw_kernel_protect_against_icmp_bogus_messages",
"kernel_ignore_broadcast_ping": "fw_kernel_ignore_broadcast_ping",
"kernel_activate_rp_filter": "fw_kernel_activate_rp_filter",
"kernel_log_martians": "fw_kernel_log_martians",
"kernel_deactivate_source_route": "fw_kernel_deactivate_source_route",
"kernel_dont_accept_redirects": "fw_kernel_dont_accept_redirects",
}
# IPv6-only variables (from main_ipv6.conf)
MAIN_V6_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v6",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v6",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v6",
"allow_ext_service": "fw_allow_ext_service_v6",
"allow_ext_net": "fw_allow_ext_net_v6",
"allow_local_service": "fw_allow_local_service_v6",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v6",
"portforward_tcp": "fw_portforward_tcp_v6",
"portforward_udp": "fw_portforward_udp_v6",
"munin_remote_ip": "munin_remote_ipv6",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v6",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v6",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v6",
"kernel_forward_between_interfaces": "fw_kernel_forward_between_interfaces",
}
# ---------------------------------------------------------------------------
# Parsing
# ---------------------------------------------------------------------------
def parse_bash_config(text):
"""
Parse key=value pairs from a bash config file.
Handles: var="value", var=value, var=true/false
Multiline values (var="line1\n line2\n") are joined as a single string.
Returns dict of {varname: value_string}
"""
result = {}
warnings = []
# Collapse multiline quoted strings: "...\n ..." → "... ..."
# Strategy: scan char by char for opening " after =, collect until closing "
lines = text.splitlines()
i = 0
while i < len(lines):
line = lines[i].strip()
# Skip comments and blank lines
if not line or line.startswith('#'):
i += 1
continue
# Match assignment
m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)', line)
if not m:
i += 1
continue
varname = m.group(1)
rest = m.group(2).strip()
# Quoted value (single or double quotes, may span multiple lines)
if rest and rest[0] in ('"', "'"):
quote_char = rest[0]
collected = rest[1:] # strip opening quote
parts = []
closed = False
while True:
close_pos = collected.find(quote_char)
if close_pos != -1:
parts.append(collected[:close_pos])
# join all parts; split() collapses whitespace and drops empty lines
value = ' '.join(' '.join(parts).split())
result[varname] = value
closed = True
break
else:
parts.append(collected)
i += 1
if i >= len(lines):
break
collected = lines[i].strip()
if not closed:
warnings.append(f" # {varname}: unterminated quoted string — skipped")
else:
# Unquoted value (true, false, $var_ref, number, etc.)
# Strip trailing comment
value = re.sub(r'\s+#.*$', '', rest).strip()
result[varname] = value
i += 1
return result, warnings
def ssh_cat(host, user, port, path, sudo_password=None):
"""Read a file from a remote host via SSH. Returns file content or None."""
ssh_cmd = ["ssh"]
if user:
ssh_cmd += ["-l", user]
if port:
ssh_cmd += ["-p", str(port)]
ssh_cmd += ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10", host]
if sudo_password is not None:
# Use sudo -S to read password from stdin; -p '' suppresses the prompt
ssh_cmd += [f"sudo -S -p '' cat {path}"]
stdin_data = sudo_password + "\n"
else:
ssh_cmd += [f"cat {path}"]
stdin_data = None
try:
result = subprocess.run(
ssh_cmd, input=stdin_data, capture_output=True, text=True, timeout=30
)
if result.returncode != 0:
print(f" WARNING: could not read {path}: {result.stderr.strip()}", file=sys.stderr)
return None
return result.stdout
except subprocess.TimeoutExpired:
print(f" ERROR: SSH timeout reading {path}", file=sys.stderr)
return None
def coerce_bool(value):
"""Convert bash true/false string to Python bool, or return string."""
if value.lower() in ("true", "yes", "1"):
return True
if value.lower() in ("false", "no", "0"):
return False
return value # keep as string (e.g. $standard_ssh_port)
def yaml_value(v):
"""Format a Python value as a YAML-safe string."""
if isinstance(v, bool):
return "true" if v else "false"
if v == "":
return '""'
# Quote if contains special YAML characters
if any(c in str(v) for c in [':', '#', '{', '}', '[', ']', ',', '&', '*', '?', '|', '-', '<', '>', '=', '!', '%', '@', '`', '"', "'"]):
# Use double-quote with escaping
escaped = str(v).replace('\\', '\\\\').replace('"', '\\"')
return f'"{escaped}"'
return str(v)
def build_host_vars(parsed_iface_v4, parsed_iface_v6, parsed_main_v4, parsed_main_v6):
"""
Map parsed bash variables to Ansible fw_* variables.
Returns dict of {ansible_var: value} containing only non-default values.
"""
result = {}
# --- Interfaces: extract lists from numbered vars ---
def extract_list(parsed, prefix, suffix="", count=3):
items = []
for i in range(1, count + 1):
v = parsed.get(f"{prefix}{i}{suffix}", "").strip()
if v:
items.append(v)
return items
fw_ext_interfaces = extract_list(parsed_iface_v4, "ext_if_")
fw_ext_ips_v4 = extract_list(parsed_iface_v4, "ext_", suffix="_ip") # ext_1_ip, ext_2_ip, ext_3_ip
fw_ext_ips_v6 = extract_list(parsed_iface_v6, "ext_", suffix="_ip")
fw_local_interfaces = extract_list(parsed_iface_v4, "local_if_")
fw_local_ips_v4 = extract_list(parsed_iface_v4, "local_", suffix="_ip")
fw_local_ips_v6 = extract_list(parsed_iface_v6, "local_", suffix="_ip")
fw_lxc_guest_ips_v4 = extract_list(parsed_iface_v4, "lxc_guest_", suffix="_ip", count=7)
fw_lxc_guest_ips_v6 = extract_list(parsed_iface_v6, "lxc_guest_", suffix="_ip", count=7)
if fw_ext_interfaces:
result["fw_ext_interfaces"] = fw_ext_interfaces
if fw_ext_ips_v4:
result["fw_ext_ips_v4"] = fw_ext_ips_v4
if fw_ext_ips_v6:
result["fw_ext_ips_v6"] = fw_ext_ips_v6
if fw_local_interfaces:
result["fw_local_interfaces"] = fw_local_interfaces
if fw_local_ips_v4:
result["fw_local_ips_v4"] = fw_local_ips_v4
if fw_local_ips_v6:
result["fw_local_ips_v6"] = fw_local_ips_v6
if fw_lxc_guest_ips_v4:
result["fw_lxc_guest_ips_v4"] = fw_lxc_guest_ips_v4
if fw_lxc_guest_ips_v6:
result["fw_lxc_guest_ips_v6"] = fw_lxc_guest_ips_v6
# vpn_ifs / wg_ifs / nat_devices (same in both interface files)
for bash_var, ansible_var in [("vpn_ifs", "fw_vpn_ifs"), ("wg_ifs", "fw_wg_ifs"), ("nat_devices", "fw_nat_devices")]:
v = parsed_iface_v4.get(bash_var, "")
if v and v != DEFAULTS.get(ansible_var, ""):
result[ansible_var] = v
# --- Shared main variables (read from ipv4) ---
for bash_var, ansible_var in MAIN_SHARED.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv4-only main variables ---
for bash_var, ansible_var in MAIN_V4_ONLY.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv6-only main variables ---
for bash_var, ansible_var in MAIN_V6_ONLY.items():
raw = parsed_main_v6.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
return result
def render_yaml(hostname, host_vars, all_warnings):
"""Render the host_vars as YAML text."""
lines = [
"---",
f"# ipt-firewall configuration for {hostname}",
"# Generated by extract-fw-host-vars.py - review before committing!",
"# Place in: host_vars/<hostname>/ipt_firewall.yml",
"",
]
lines.append("fw_manage_config: false")
lines.append("")
if all_warnings:
lines.append("# WARNINGS — manual review needed:")
for w in all_warnings:
lines.append(w)
lines.append("")
# Group output by section
sections = [
("Network", ["fw_ext_interfaces", "fw_ext_ips_v4", "fw_ext_ips_v6",
"fw_local_interfaces", "fw_local_ips_v4", "fw_local_ips_v6",
"fw_lxc_guest_ips_v4", "fw_lxc_guest_ips_v6",
"fw_vpn_ifs", "fw_wg_ifs", "fw_nat_devices"]),
("Munin", ["munin_remote_ipv4", "munin_remote_ipv6", "fw_munin_local_port",
"fw_munin_server_ips", "fw_forward_munin_server_ips", "fw_munin_remote_port"]),
("Bridged / LXC", ["fw_do_not_firewall_bridged_traffic", "fw_do_not_firewall_lx_guest_systems"]),
("Drop policies", ["fw_drop_icmp", "fw_drop_mndp", "fw_drop_mdns"]),
("Outgoing / interfaces", ["fw_allow_all_outgoing_traffic", "fw_blocked_ifs", "fw_unprotected_ifs"]),
("Forwarding", ["fw_forward_private_ips_v4", "fw_forward_private_ips_v6",
"fw_kernel_activate_forwarding", "fw_kernel_forward_between_interfaces"]),
("Access control IPv4", ["fw_restrict_local_service_to_net_v4", "fw_restrict_local_net_to_net_v4",
"fw_allow_ext_service_v4", "fw_allow_ext_net_v4",
"fw_allow_local_service_v4", "fw_allow_local_service_from_networks_v4"]),
("Access control IPv6", ["fw_restrict_local_service_to_net_v6", "fw_restrict_local_net_to_net_v6",
"fw_allow_ext_service_v6", "fw_allow_ext_net_v6",
"fw_allow_local_service_v6", "fw_allow_local_service_from_networks_v6"]),
("SSH", ["fw_ssh_server_ips", "fw_forward_ssh_server_ips", "fw_ssh_ports"]),
("HTTP", ["fw_http_server_ips", "fw_forward_http_server_ips", "fw_http_ports",
"fw_log_cgi_traffic_out", "fw_cgi_script_users"]),
("Mail", ["fw_smtpd_ips", "fw_forward_smtpd_ips", "fw_smtpd_additional_listen_ports",
"fw_smtpd_additional_outgoing_ports", "fw_mail_server_ips", "fw_forward_mail_server_ips",
"fw_mail_user_ports", "fw_mail_client_ips", "fw_forward_mail_client_ips",
"fw_dovecot_auth_service", "fw_dovecot_auth_port",
"fw_dovecot_auth_allowed_networks_v4", "fw_dovecot_auth_allowed_networks_v6"]),
("DNS", ["fw_dns_server_ips", "fw_forward_dns_server_ips",
"fw_local_resolver_service", "fw_resolver_port",
"fw_resolver_allowed_networks_v4", "fw_resolver_allowed_networks_v6"]),
("NTP", ["fw_local_ntp_service", "fw_ntp_port", "fw_ntp_allowed_net"]),
("DHCP", ["fw_dhcp_server_ifs", "fw_dhcp_client_ifs"]),
("VPN / WireGuard", ["fw_vpn_server_ips", "fw_forward_vpn_server_ips", "fw_vpn_ports",
"fw_wireguard_server_ips", "fw_forward_wireguard_server_ips",
"fw_wireguard_server_ports", "fw_wireguard_out_ports"]),
("FTP", ["fw_ftp_server_ips", "fw_forward_ftp_server_ips", "fw_ftp_passive_port_range"]),
("XMPP", ["fw_xmpp_server_ips", "fw_forward_xmpp_server_ips",
"fw_xmmp_tcp_in_ports", "fw_xmmp_tcp_out_ports",
"fw_xmmp_remote_out_services_v4", "fw_xmmp_remote_out_services_v6"]),
("Mumble", ["fw_mumble_server_ips", "fw_forward_mumble_server_ips", "fw_mumble_ports"]),
("Jitsi", ["fw_jitsi_server_ips", "fw_forward_jitsi_server_ips",
"fw_jitsi_tcp_ports", "fw_jitsi_udp_port_range",
"fw_jitsi_tcp_ports_out", "fw_jitsi_udp_ports_out",
"fw_jitsi_dovecot_auth", "fw_jitsi_dovecot_host",
"fw_jitsi_jibri_remote_auth", "fw_jitsi_jibri_remote_ips",
"fw_jibri_server_ips", "fw_forward_jibri_server_ips", "fw_jibri_remote_jitsi_server"]),
("TURN / STUN", ["fw_nc_turn_server_ips", "fw_forward_nc_turn_server_ips",
"fw_nc_turn_ports", "fw_nc_turn_udp_ports"]),
("Mattermost", ["fw_mm_server_ips", "fw_forward_mm_server_ips"]),
("Prometheus", ["fw_prometheus_local_server_ips", "fw_prometheus_local_client_ips",
"fw_prometheus_remote_server_ips"]),
("Xymon", ["fw_xymon_server_ips", "fw_local_xymon_client", "fw_xymon_port"]),
("Rsync", ["fw_rsync_out_ips", "fw_forward_rsync_out_ips", "fw_rsync_ports"]),
("Out ports", ["fw_tcp_out_ports", "fw_forward_tcp_out_ports",
"fw_udp_out_ports", "fw_forward_udp_out_ports"]),
("Portforwarding", ["fw_portforward_tcp_v4", "fw_portforward_udp_v4",
"fw_portforward_tcp_v6", "fw_portforward_udp_v6"]),
("Block", ["fw_blocked_ips", "fw_block_tcp_ports", "fw_block_udp_ports"]),
("Protection / limits", ["fw_protection_against_syn_flooding",
"fw_protection_against_port_scanning",
"fw_protection_against_ssh_brute_force_attacks",
"fw_limit_connections_per_source_IP", "fw_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"fw_limit_new_tcp_connections_per_seconds_ports"]),
("Kernel IPv4", ["fw_kernel_support_dynaddr", "fw_dynaddr_flag",
"fw_kernel_reduce_timeouts", "fw_kernel_tcp_syncookies",
"fw_kernel_protect_against_icmp_bogus_messages",
"fw_kernel_ignore_broadcast_ping",
"fw_kernel_deactivate_source_route", "fw_kernel_dont_accept_redirects",
"fw_kernel_activate_rp_filter", "fw_kernel_log_martians"]),
("Special", ["fw_create_traffic_counter", "fw_create_iperf_rules"]),
]
emitted = set()
for section_name, keys in sections:
section_lines = []
for k in keys:
if k in host_vars:
v = host_vars[k]
if isinstance(v, list):
section_lines.append(f"{k}:")
for item in v:
section_lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
section_lines.append(f"{k}: {'true' if v else 'false'}")
else:
section_lines.append(f"{k}: {yaml_value(str(v))}")
emitted.add(k)
if section_lines:
lines.append(f"# --- {section_name}")
lines.extend(section_lines)
lines.append("")
# Anything not covered by sections
remaining = {k: v for k, v in host_vars.items() if k not in emitted}
if remaining:
lines.append("# --- Other")
for k, v in remaining.items():
if isinstance(v, list):
lines.append(f"{k}:")
for item in v:
lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
lines.append(f"{k}: {'true' if v else 'false'}")
else:
lines.append(f"{k}: {yaml_value(str(v))}")
lines.append("")
return "\n".join(lines)
def main():
parser = argparse.ArgumentParser(description="Extract ipt-firewall host_vars from a remote host")
parser.add_argument("hostname", help="Target hostname (must be in SSH config or known_hosts)")
parser.add_argument("--user", "-u", default="chris", help="SSH user (default: chris)")
parser.add_argument("--port", "-p", type=int, default=None, help="SSH port (default: 22)")
parser.add_argument("--output", "-o", default=None, help="Output file (default: stdout)")
parser.add_argument("--sudo", "-s", action="store_true",
help="Read files via sudo (prompts for sudo password once)")
parser.add_argument("--dry-run", action="store_true", help="Print SSH commands without executing")
args = parser.parse_args()
hostname = args.hostname
conf_dir = "/etc/ipt-firewall"
files = {
"iface_v4": f"{conf_dir}/interfaces_ipv4.conf",
"iface_v6": f"{conf_dir}/interfaces_ipv6.conf",
"main_v4": f"{conf_dir}/main_ipv4.conf",
"main_v6": f"{conf_dir}/main_ipv6.conf",
}
if args.dry_run:
cmd = "sudo -S -p '' cat" if args.sudo else "cat"
for key, path in files.items():
print(f"ssh {args.user}@{hostname} {cmd} {path}")
return
sudo_password = None
if args.sudo:
import getpass
sudo_password = getpass.getpass(f"sudo password for {args.user}@{hostname}: ")
print(f"Connecting to {hostname} as {args.user} ...", file=sys.stderr)
contents = {}
for key, path in files.items():
print(f" Reading {path} ...", file=sys.stderr)
content = ssh_cat(hostname, args.user, args.port, path, sudo_password=sudo_password)
contents[key] = content or ""
all_warnings = []
parsed = {}
for key, text in contents.items():
p, warnings = parse_bash_config(text)
parsed[key] = p
if warnings:
all_warnings.extend([f" # [{key}] {w}" for w in warnings])
host_vars = build_host_vars(
parsed["iface_v4"], parsed["iface_v6"],
parsed["main_v4"], parsed["main_v6"],
)
yaml_text = render_yaml(hostname, host_vars, all_warnings)
if args.output:
out_path = Path(args.output)
out_path.parent.mkdir(parents=True, exist_ok=True)
out_path.write_text(yaml_text)
print(f"Written to {out_path}", file=sys.stderr)
else:
print(yaml_text)
if __name__ == "__main__":
main()
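Review bot: in the "Other" fallback block, list items are written as `lines.append(f" - \"{item}\"")` while every scalar goes through `yaml_value()`; an item containing a double quote or a backslash therefore produces invalid YAML, so route list items through `yaml_value(str(item))` as well. Two smaller points in `main()`: `--dry-run` prints `ssh {args.user}@{hostname} {cmd} {path}` without `-p {args.port}`, so the preview is not the command `ssh_cat()` will actually run when a non-default port is given; and `contents[key] = content or ""` turns a failed or empty read into an empty config, so an unreadable `/etc/ipt-firewall/main_ipv4.conf` yields a host_vars file with silently missing sections rather than an error. Fail, or at least append a warning to `all_warnings`, when `ssh_cat()` returns nothing.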
+3 -1
@@ -1916,7 +1916,6 @@ apt_install: {}
apt_install_state: latest
apt_remove:
- rpcbind
- apt-transport-tor
- tor
- tor-geoipdb
@@ -3201,6 +3200,9 @@ samba_user: []
base_home: /home
# include vfs object 'virusfilter' to (private) homes shares
samba_homes_virusfilter: false
# remove_samba_users:
# - name: name1
# - name: name2
+45
@@ -0,0 +1,45 @@
---
# ipt-firewall configuration for a.mx.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "95.217.204.247"
fw_ext_ips_v6:
- "2a01:4f9:4a:47e5::247"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip
# --- Mail
fw_smtpd_ips: $ext_1_ip
fw_mail_server_ips: $ext_1_ip
fw_mail_client_ips: $ext_1_ip
fw_dovecot_auth_service: true
# - meet.oopen.de -> 159.69.74.155
# - meet.akweb.de -> 148.251.14.136
# - jo.oopen.de -> 94.16.115.62
# -
# - meet.akweb.de -> 2a01:4f8:201:7389::136
# - meet.oopen.de -> 2a01:4f8:231:19a7::155
fw_dovecot_auth_allowed_networks_v4: 159.69.74.155 148.251.14.136 94.16.115.62
fw_dovecot_auth_allowed_networks_v6: "2a01:4f8:231:19a7::155 2a01:4f8:201:7389::136"
# --- Jitsi
fw_jitsi_dovecot_auth: true
# --- Rsync
fw_rsync_out_ips: $ext_1_ip
# --- Protection / limits
fw_per_IP_connection_limit: 250
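Review bot: the header `# Place in: host_vars/<hostname>/ipt_firewall.yml` is generator output and does not necessarily match where this file is committed; since the file itself says "review before committing", have the generator emit the real target path and drop the leftover empty `# -` separator in the hand-edited Mail comment block. Also, `fw_dovecot_auth_allowed_networks_v4: 159.69.74.155 148.251.14.136 94.16.115.62` is a space-separated string while `fw_ext_ips_v4` is a YAML list; if the role's templates accept both forms that is fine, but one convention per file makes review easier.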
+27
@@ -0,0 +1,27 @@
---
# ipt-firewall configuration for a.ns.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "195.201.179.131"
fw_ext_ips_v6:
- "2a01:4f8:231:19a7::131"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- DNS
fw_dns_server_ips: $ext_ips
# --- VPN / WireGuard
fw_wireguard_server_ips: $ext_ips
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
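Review bot: `fw_dns_server_ips: $ext_ips` here versus `fw_http_server_ips: $ext_1_ip` in the a.mx.oopen.de file added in the same change: both placeholders are passed through literally by the generator, so confirm the role's templates expand both spellings, otherwise one host ends up with a rule built from the literal string. The `munin_remote_ipv4`/`munin_remote_ipv6` values and `fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14` are identical across the generated host files in this change; consider moving them to group_vars or role defaults so a block-list update is one edit rather than one per host.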
+142
@@ -0,0 +1,142 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 2a01:4ff:ff00::add:2
- 185.12.64.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
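Review bot: `resolved_dnssec: false` disables validation for a resolver setup that otherwise routes everything (`~.`) to the listed upstreams; if that is deliberate, a one-line comment saying why saves the next reader a question. The long commented catalogue of public DNS providers (CyberGhost, Cloudflare, Google, Quad9, OpenNIC, Freifunk München) is repeated verbatim in the other host_vars file added in this change; keeping it in one documentation place and leaving only the chosen `resolved_nameserver` entries here would keep the host files short.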
+121
@@ -163,6 +163,127 @@ resolved_fallback_nameserver:
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.52.10
samba_server_cidr_prefix: 24
samba_workgroup: WF
samba_netbios_name: ANITA
samba_groups:
- name: users
group_id: 100
- name: archive
group_id: 1020
- name: intern
group_id: 1030
samba_user:
- name: annette
groups:
- users
- intern
password: '20.18-annette%'
- name: axel
groups:
- archive
- users
- intern
password: 'axel123'
- name: chris
groups:
- users
- archive
- intern
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: kaya
groups:
- users
- intern
password: 'kaya123'
- name: lalix
groups:
- users
- intern
password: 'lalix123'
- name: mariette
groups:
- users
- intern
password: 'mariette123'
- name: sysadm
groups:
- users
- archive
- intern
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31306162383164643133623335323736323837613435333430363336353032323565633130353733
3363646437363062313763636333356436666331396131370a393762363931626166326530373261
62616332643232663432613662646134613539323861383436636364633562646138646538343863
6530336565363934330a363063653533396666373730663062363633363634363337323039363231
3130
base_home: /home
samba_homes_virusfilter: true
samba_shares:
- name: archiv
path: /data/samba/archiv
group_valid_users: users
group_write_list: archive
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: daten2
path: /data/samba/daten2
group_valid_users: users
group_write_list: users
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: verwaltung
path: /data/samba/archiv
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
# ==============================
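Review bot: the `verwaltung` share has `path: /data/samba/archiv`, the same directory as the `archiv` share two entries above, but with `group_valid_users: intern` instead of `users`; unless that is intended it looks like a copy-paste slip (a separate directory such as `/data/samba/verwaltung` is a guess), and as written the `intern`-only restriction is moot because the same files are reachable through `archiv` by everyone in `users`. Separately, most `samba_user` entries carry plaintext passwords (`'20.18-annette%'`, `'axel123'`, `'kaya123'`, `'lalix123'`, `'mariette123'`) next to two `!vault` entries; vault all of them before this is pushed, since anything committed in clear stays in the history.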
+6 -2
@@ -270,10 +270,10 @@ samba_user:
- technik
password: 'aS2ifv2.d-FI'
base_home: /data/home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -291,6 +291,7 @@ samba_shares:
group_write_list: alle
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -311,6 +312,7 @@ samba_shares:
group_write_list: redakteure
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -321,6 +323,7 @@ samba_shares:
group_write_list: technik
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -331,6 +334,7 @@ samba_shares:
group_write_list: alle
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+5 -1
@@ -257,6 +257,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmfp+4waTzHxdT5TaxAMsIPDDwNe8Dwuif1jL+9v9GP root@a.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBIyXel+KOTLB6VB2xJwyWaZc0KuCJzocwlziFdovCl root@a.ns'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGi22vcCilahX9KwbqcF8/D0RnzQXvgzTUFTmRHNJsBZ root@anabaena'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5xyeZBGQn4Iz5iV2DMBVll/6n/X0JuoPMDpc8D32ra root@ak-plan'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINU1InXFKZX9emaT5QsY4Nr0tr8CzbyV8Js8RzZC9vGk root@b.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPo7hI8oIS+/xufCUNTTgNoz592udJaU+79L0uADzKJY root@b.ns'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
@@ -272,6 +273,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjr0aBl2KQTJnlVK03DOs0u+IXSon4VewwAzzSBsmVW root@cl-lubax'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhwPCxVHqABXzyXwVuqbH703RCU0N+SC/cx4TuoHhGU root@cl-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEp6BXQ/v/Hf/IJnI0JIS96RC4NGDMFUbwyW8nH3Xq66 root@cl-ndm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test'
@@ -319,7 +321,8 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcgS05xGLPuECQ7E5zjzfSDxdFBO1mAjkSV2bktxld+ root@o23'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28-FM-BAK'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyLS+kyfMX0hlv0rMmGyG6huvuqZlEOOf007xuI6io0 root@o28'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
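Review bot: the key string under `root@o28-FM-BAK` is byte-identical to the one labelled `root@o28` directly above it, and a second, different key labelled `root@o28` follows; the comment field of an authorized key is cosmetic, so if the first `root@o28` line is not the one being removed by this hunk, the same key ends up authorized twice. Check that exactly one entry survives per key and that the old o28 key is really meant to stay valid under the new label rather than being retired.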
@@ -339,6 +342,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObY/MOgF4QVWROrQCaKCfBOfAwKVcja3q7Ngwo1MEDt root@psono-ndm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbeMf/CvAYIU/4UW8Ql59FgPo/3vcZ3vI3QzK2kOadE root@srv-cityslang'
+39
@@ -0,0 +1,39 @@
---
# ipt-firewall configuration for backup.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "37.27.121.218"
fw_ext_ips_v6:
- "2a01:4f9:3070:2bda::218"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- Access control IPv4
fw_allow_ext_service_v4: "138.201.17.150:1036:tcp o32.oopen.de:2222:tcp"
# --- Access control IPv6
fw_allow_ext_service_v6: "2a01:4f8:171:2895::2,1036,tcp o32.oopen.de,2222,tcp"
# --- HTTP
fw_http_server_ips: $ext_ips
# --- Out ports
# -
# - TCP Ports
# -
# - ssh port k1371.dyndns.org: 51372
# - ssh port k1371.homelinux.org: 51374
# -
fw_tcp_out_ports: 51372 51374
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
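Review bot: `fw_allow_ext_service_v4: "138.201.17.150:1036:tcp o32.oopen.de:2222:tcp"` and its v6 counterpart use a hostname (`o32.oopen.de`) in an allow rule; iptables resolves a name once when the rule is loaded, so the rule tracks whatever DNS returned at that moment and fails to load at all if resolution is unavailable at boot. Prefer the literal address, as the other entries already do, or document that the firewall script resolves names itself. The `# -` lines in the Out-ports comment block are generator leftovers.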
+11
@@ -321,6 +321,8 @@ samba_user:
base_home: /home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -337,6 +339,7 @@ samba_shares:
guest_ok: !!str no
writeable: !!str no
group_valid_users: buero
vfs_object_virusfilter: true
vfs_object_recycle: false
- name: bhoch3
@@ -345,6 +348,7 @@ samba_shares:
group_write_list: buero
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -354,6 +358,7 @@ samba_shares:
group_write_list: 'team'
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -363,6 +368,7 @@ samba_shares:
group_write_list: 'praktikant'
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -373,6 +379,7 @@ samba_shares:
group_write_list: fnr
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -382,6 +389,7 @@ samba_shares:
group_write_list: buero
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -392,6 +400,7 @@ samba_shares:
group_write_list: gs
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -402,6 +411,7 @@ samba_shares:
group_write_list: gf
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -412,6 +422,7 @@ samba_shares:
group_write_list: matthias
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+27
@@ -0,0 +1,27 @@
---
# ipt-firewall configuration for cl-01.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
# Place in: host_vars/<hostname>/ipt_firewall.yml
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "162.55.82.74"
fw_ext_ips_v6:
- "2a01:4f8:271:1266::74"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip
# --- Mail
fw_mail_client_ips: $ext_1_ip
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
+235
@@ -0,0 +1,235 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '23'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
- name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
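Review bot: `sudoers_file_user_privileges` grants `back` the entry `'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'` with no argument restriction, which is unrestricted code execution as `www-data` (any script path can be passed to the interpreter). If the intent is the Nextcloud cron job, pin the command to the script the cron entry in this same file already names, e.g. `/usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php`. Minor: the cron entry names have typos (`webservices sre running`, an unclosed quote in `'cloud.neuemedienmacher.de`, a stray `?`).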
+13
@@ -495,6 +495,11 @@ samba_user:
- gubitz-partner
password: '20.mal-te/26%'
- name: jovis
groups:
- intern
password: '20.jo-vis_26!'
- name: hh-lucke
groups: []
password: 'Ole20Steffen_17'
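Review bot: the new `jovis` entry adds another plaintext Samba password (`'20.jo-vis_26!'`) to a list that is committed in clear, and the surrounding context shows the same for `hh-lucke`; other host files in this change already use `!vault` for some passwords, so vault new entries as they are added rather than growing the plaintext list.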
@@ -566,6 +571,8 @@ samba_user:
base_home: /home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -580,6 +587,7 @@ samba_shares:
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -589,6 +597,7 @@ samba_shares:
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -607,6 +616,7 @@ samba_shares:
group_write_list: hoffmann-elberling
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -616,6 +626,7 @@ samba_shares:
group_write_list: gubitz-partner
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -625,6 +636,7 @@ samba_shares:
group_write_list: gubitz
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -634,6 +646,7 @@ samba_shares:
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+4
@@ -296,6 +296,8 @@ samba_user:
base_home: /home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -311,6 +313,7 @@ samba_shares:
group_write_list: buero
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -321,6 +324,7 @@ samba_shares:
group_write_list: verwaltung
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+12
@@ -446,6 +446,12 @@ samba_user:
- verwaltung
password: '20-mar1o.fr31dank-24+'
- name: nano.nowak
groups:
- projekte
- team
password: '20-n4n0.n0w4k.26!'
- name: olaf.stuve
groups:
- projekte
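Review bot: the new `nano.nowak` entry stores its password in clear (`'20-n4n0.n0w4k.26!'`), and the value is a predictable transform of the username plus the year pattern the neighbouring accounts use; vault the value and treat it as an initial password to be rotated by the user, since a guessable scheme shared across accounts weakens all of them once one is known.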
@@ -525,6 +531,8 @@ samba_user:
base_home: /data/home
samba_homes_virusfilter: true
remove_samba_users: []
#remove_samba_users:
# - name: sebastian.scheele
@@ -540,6 +548,7 @@ samba_shares:
group_write_list: gf
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -550,6 +559,7 @@ samba_shares:
group_write_list: projekte
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -560,6 +570,7 @@ samba_shares:
group_write_list: team
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -570,6 +581,7 @@ samba_shares:
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+10 -2
@@ -436,10 +436,11 @@ samba_user:
- recherche
password: 'me-ebs_2022.!'
base_home: /data/home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -455,6 +456,7 @@ samba_shares:
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle.Bin'
@@ -465,6 +467,7 @@ samba_shares:
group_write_list: akten
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle.Bin'
@@ -475,6 +478,7 @@ samba_shares:
group_write_list: archiv
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle.Bin'
@@ -485,6 +489,7 @@ samba_shares:
group_write_list: kanzlei
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle.Bin'
@@ -495,6 +500,7 @@ samba_shares:
group_write_list: recherche
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle.Bin'
@@ -519,6 +525,7 @@ samba_shares:
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_virusfilter: true
vfs_object_recycle: false
@@ -546,6 +553,7 @@ samba_shares:
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: false
+24 -1
@@ -708,9 +708,10 @@ samba_user:
- fhxb-sammlungen
password: 'n7I.fSsR-9vv'
base_home: /home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -728,6 +729,7 @@ samba_shares:
group_write_list: administration
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
- name: Altlasten
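Review bot: `vfs_object_recycle: true` is set for the `administration` share (and the following `Altlasten`) without a `recycle_path`, while every other share in this file pairs it with `recycle_path: '@Recycle'`; if the role template only emits the recycle repository when `recycle_path` is set, these two shares fall back to Samba's default location, so either add the path or confirm the default is wanted.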
@@ -737,6 +739,7 @@ samba_shares:
group_write_list: altlasten
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
- name: Archiv
@@ -746,6 +749,7 @@ samba_shares:
group_write_list: archiv
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -756,6 +760,7 @@ samba_shares:
group_write_list: ausstellungen
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -766,6 +771,7 @@ samba_shares:
group_write_list: buero
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -776,6 +782,7 @@ samba_shares:
group_write_list: forschung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -786,6 +793,7 @@ samba_shares:
group_write_list: gedenken-im-stadtraum
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -796,6 +804,7 @@ samba_shares:
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -806,6 +815,7 @@ samba_shares:
group_write_list: leitung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -816,6 +826,7 @@ samba_shares:
group_write_list: museum-organisation
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -826,6 +837,7 @@ samba_shares:
group_write_list: presse-orga-oeffentlichkeit
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -836,6 +848,7 @@ samba_shares:
group_write_list: projekte
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -846,6 +859,7 @@ samba_shares:
group_write_list: publikationen
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -856,6 +870,7 @@ samba_shares:
group_write_list: stolpersteine
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -866,6 +881,7 @@ samba_shares:
group_write_list: team
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -876,6 +892,7 @@ samba_shares:
group_write_list: technik
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -886,6 +903,7 @@ samba_shares:
group_write_list: vze
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -896,6 +914,7 @@ samba_shares:
group_write_list: veranstaltungen
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -906,6 +925,7 @@ samba_shares:
group_write_list: vermietung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -916,6 +936,7 @@ samba_shares:
group_write_list: vermittlung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -926,6 +947,7 @@ samba_shares:
group_write_list: fhxb-bildarchiv
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -936,6 +958,7 @@ samba_shares:
group_write_list: fhxb-sammlungen
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
+5
@@ -473,6 +473,8 @@ samba_user:
base_home: /data/home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -491,6 +493,7 @@ samba_shares:
group_write_list: buero
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -501,6 +504,7 @@ samba_shares:
group_write_list: projekte
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -511,6 +515,7 @@ samba_shares:
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -24,7 +24,7 @@ network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eno1np0
headline: br0 - bridge over device enp97s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -33,7 +33,7 @@ network_interfaces:
family: inet
method: static
description:
address: 192.168.122.210
address: 192.168.122.215
netmask: 24
gateway: 192.168.122.254
@@ -53,7 +53,7 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: eno1np0 # for mor devices support a blank separated list
ports: enp97s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
@@ -61,7 +61,7 @@ network_interfaces:
# inline hook scripts
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
- !!str "ip link set dev enp97s0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
@@ -93,13 +93,6 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs:
- lvm2
- kpartx
- ntfs-3g
- swtpm
- swtpm-tools
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
@@ -226,56 +219,6 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: advoware
user_id: 1115
group_id: 1115
group: advoware
home: / data/home/advoware
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: a-jur
user_id: 1110
group_id: 1110
group: a-jur
home: / data/home/a-jur
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
home: /home/back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsqkTV7RiYPljwlP/MZA+MBeTgiwZI7oCAD77Ujpm1V root@file-km'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOan+hwlA8B3mk82tsvL1LGlejrF5pqT2J3POrg/QJLX root@gw-km'
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
@@ -312,12 +255,12 @@ sudoers_file_user_back_mount_privileges:
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.122.210
samba_server_ip: 192.168.122.215
samba_server_cidr_prefix: 24
samba_workgroup: ANW-KM
samba_workgroup: WORKGROUP
samba_netbios_name: FILE-KM-01
samba_netbios_name: FILE-KM-ALT
samba_server_min_protocol: !!str NT1
@@ -326,16 +269,12 @@ samba_groups:
group_id: 1100
- name: a-jur
group_id: 1110
- name: advoware
group_id: 1115
- name: intern
group_id: 1120
- name: wildvang
group_id: 1130
#- name: aulmann
# group_id: 1130
#- name: howe
# group_id: 1140
- name: eibelshaeuser
group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
@@ -344,6 +283,8 @@ samba_groups:
group_id: 1170
- name: alle
group_id: 1180
- name: install
group_id: 1190
@@ -352,108 +293,31 @@ samba_user:
- name: advoware
groups:
- advoware
has_rdp: false
password: '9WNRbc49m3'
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
has_rdp: false
password: 'a-jur'
- name: andrea
groups:
- advoware
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero7'
- name: chris
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: true
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
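Review bot: several accounts in this hunk use the account name as their password (`a-jur`, `berenice`, `buero`, `buero2`, `buero3`, `buero4`, `buero7`) and all of them are committed in clear text, while the `chris` entry at the end of the hunk shows the intended pattern with `password: !vault |`. Suggest rotating the name-as-password accounts and storing every `password:` value as a `!vault` scalar before this host_vars file lands in the repository.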
@@ -462,14 +326,202 @@ samba_user:
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: 'Ax_GSHh5'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- install
- kanzlei
- eibelshaeuser
- stahmann
- traine
- wildvang
- public
has_rdp: false
password: 'Ax_GSHh5'
# ---
# Andreas Eibelhäuser
# ---
- name: andreas
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: 'YKQRa.M9-6rL'
- name: philipp
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: '20-phi.lip.26%'
- name: ref.eibelshaeuser
groups:
- advoware
- alle
- eibelshaeuser
- public
has_rdp: true
password: '20-ref-eibels.haeuser.26+'
# ---
# Berenice Böhlo
# ---
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: 'berenice'
- name: annabel
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: '20+an-na.bel/26!'
- name: jens-uwe
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: '20_jens-uwe.thomas.26!'
- name: mariami
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: '20.ma-ri-ami/26!'
- name: nina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: true
password: '20-ni.ha-ger%26%'
- name: zeina
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
- wildvang
has_rdp: true
password: '20/ze.ina-26+'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20+rm.buero-1/26!'
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
- public
has_rdp: false
password: '20_rmbuero.2-26%'
# ---
# Rolf Stahmann
# ---
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
has_rdp: false
password: 'W9NKv39pXW'
- name: rolf
groups:
- alle
- stahmann
- traine
- public
has_rdp: true
password: '4xNVNFXgP4'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
has_rdp: false
password: 'maltzwo2'
# ---
# Federico Traine
# ---
- name: andrea
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: true
password: 'fXc3bmK9gj'
- name: federico
groups:
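Review bot: the `irina` entry carries two `password:` keys (`'qvR7zX4Lhs'` followed by `'W9NKv39pXW'`); Ansible's YAML loader only warns on a duplicate key and keeps the last value, so the first line should be dropped to make the intent explicit. In the same hunk `sysadm` and `winadm` share the identical credential `'Ax_GSHh5'` with membership in every group, which makes the two administrative accounts indistinguishable in audit trails; give each its own secret and, as with the other entries, store it as `!vault`.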
@@ -478,8 +530,147 @@ samba_user:
- stahmann
- traine
- public
has_rdp: true
password: 'zHfj9g3NcC'
- name: thomas
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '55-tho-mas-550'
- name: leonora
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20/le-o-nora.26!'
- name: kristin
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20.kris_tin-26/'
- name: jule
groups:
- advoware
- alle
- traine
- public
has_rdp: true
password: '20_ju-le%26!'
- name: luanda
groups:
- advoware
- alle
- traine
- public
has_rdp: false
password: '20-lu.anda+26!'
# ---
# Wiebke Wildvang
# ---
- name: wiebke
groups:
- alle
- wildvang
- public
has_rdp: true
password: 'uJ5gF/m53p.P'
- name: aphex2
groups:
- alle
- stahmann
- traine
- public
has_rdp: false
password: 'J3KMRprK9H'
- name: beuster
groups:
- advoware
- stahmann
- traine
- public
- alle
has_rdp: false
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
- public
has_rdp: false
password: 'buero7'
- name: christina
groups:
- advoware
- alle
- stahmann
- traine
- public
has_rdp: false
password: 'qvR7zX4Lhs'
# - name: gerhard
# groups:
# - advoware
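Review bot: `christina` is given `'qvR7zX4Lhs'`, the same value that appears under `irina` earlier in this change, so one credential now maps to two accounts; assign a distinct secret. The `buero`, `buero2`, `buero3`, `buero4` and `buero7` accounts are re-added here with the account name as password, so the rotation suggested for the earlier hunk applies to these lines as well.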
@@ -495,6 +686,8 @@ samba_user:
groups:
- alle
- stahmann
- public
has_rdp: false
password: '44-Ro-440'
# - name: howe-staff-1
@@ -505,15 +698,6 @@ samba_user:
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
@@ -521,6 +705,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'bV3pjPtjkR'
# - name: laura
@@ -539,6 +724,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'fndvLmrt7W'
- name: lenovo4
@@ -548,6 +734,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'tpCMmTKj7H'
- name: lenovo5
@@ -557,6 +744,7 @@ samba_user:
- stahmann
- traine
- public
has_rdp: false
password: 'L5Hannover51'
- name: lenovo6
@@ -565,84 +753,15 @@ samba_user:
- alle
- stahmann
- traine
- public
has_rdp: false
password: '66koeln66'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- stahmann
- traine
- wildvang
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- stahmann
- traine
- public
password: 'maltzwo2'
- name: wiebke
groups:
- alle
- wildvang
- public
password: 'uJ5gF/m53p.P'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
base_home: /data/home
samba_homes_virusfilter: true
remove_samba_users:
- name: howe-staff-1
- name: gerhard
@@ -661,6 +780,7 @@ samba_shares:
group_write_list: a-jur
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -672,6 +792,7 @@ samba_shares:
group_write_list: kanzlei
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -679,12 +800,25 @@ samba_shares:
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: false
- name: eibelshaeuser
comment: Eibelshaeuser auf Fileserver
path: /data/samba/eibelshaeuser
group_valid_users: eibelshaeuser
group_write_list: eibelshaeuser
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: wildvang
comment: Wildvang auf Fileserver
path: /data/samba/Wildvang
@@ -692,6 +826,7 @@ samba_shares:
group_write_list: wildvang
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -703,6 +838,7 @@ samba_shares:
# group_write_list: aulmann
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
@@ -714,6 +850,7 @@ samba_shares:
# group_write_list: howe
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# vfs_object_recycle_is_visible: true
@@ -725,6 +862,7 @@ samba_shares:
group_write_list: stahmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -736,6 +874,7 @@ samba_shares:
group_write_list: traine
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -747,6 +886,7 @@ samba_shares:
group_write_list: public
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -758,6 +898,7 @@ samba_shares:
group_write_list: advoware
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -769,6 +910,7 @@ samba_shares:
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: false
@@ -780,6 +922,7 @@ samba_shares:
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
@@ -791,6 +934,7 @@ samba_shares:
# group_write_list: web
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_virusfilter: true
# vfs_object_recycle: true
# recycle_path: '@Recycle'
+19 -3
@@ -21,13 +21,21 @@ network_interface_required_packages:
network_interfaces:
# - device: enp0s20f0
# headline: enp0s20f0 - Uplink DSL via Fritz!Box
# auto: true
# family: inet
# method: static
# address: 172.16.112.1/24
# gateway: 172.16.112.254
- device: enp0s20f0
headline: enp0s20f0 - Uplink DSL via Fritz!Box
headline: enp0s20f0 - Uplink
auto: true
family: inet
method: static
address: 172.16.112.1/24
gateway: 172.16.112.254
address: 217.6.72.202/30
gateway: 217.6.72.201
- device: enp0s20f1
@@ -53,6 +61,14 @@ network_interfaces:
method: static
address: 192.168.113.254/24
- device: enp0s20f1:ipmi
headline: enp0s20f1:ipmi - Alias on enp0s20f1 (IPMI)
auto: false
family: inet
method: static
address: 172.16.112.254/24
# ---
# vars used by roles/ansible_dependencies
# ---
+27 -175
@@ -22,59 +22,21 @@ network_interface_required_packages:
network_interfaces:
# Many device configurations are possible (as many as needed)
#
- device: enp41s0
- device: br0
# use only once per device (for the first device entry)
headline: enp41s0 - primary device
headline: br0 - bridge over device eno1
# auto & allow are only used for the first entry of that devicei-name)
#
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
# The statisc Mode
# Options
# address <dotted quad address[/netmask]>
# gateway <dotted quad address>
# pointopoint <Address of other end point (dotted quad). Note the spelling of "point-to">
# hwaddress <mac-address>
# mtu <size>
# scope <Address validity scope. Possible values: global, link, host>
#
# The manual Method
# Options
# hwaddress <mac-address>
# mtu <size>
#
# The dhcp Method
# Options
# hwaddress <mac-address>
# hostname <Hostname to be requested (pump, dhcpcd, udhcpc)>
# metric <metric>
# leasehours <Preferred lease time in hours (pump)>
# leasetime <Preferred lease time in seconds (dhcpcd)>
# vendor <Vendor class identifier (dhcpcd)>
# client <Client identifier (dhcpcd), or "no" (dhclient)>
#
# The bootp Method
# Options
# bootfile: <file: Tell the server to use 'file' as the bootfile.>
# server: <address: Use the IP address 'address' to communicate with the server.>
# hwaddr <mac-address: Use addr as the hardware address instead of whatever it really is.>
#
method: static
hwaddress:
hwaddress: 08:bf:b8:a4:09:e0
description:
address: 65.108.238.45
# dotted quad or number of bits
#
# the entry will be: address/netmask
netmask: 26
gateway: 65.108.238.1
address: 88.198.56.204
netmask: 27
gateway: 88.198.56.193
metric:
pointopoint:
mtu:
@@ -101,15 +63,10 @@ network_interfaces:
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 185.12.64.1
# - a01:4ff:ff00::add:2
#search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
@@ -118,14 +75,19 @@ network_interfaces:
# fd:
# maxwait:
# waitport:
bridge: {}
bridge:
ports: eno1 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# mode:
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
@@ -139,97 +101,23 @@ network_interfaces:
vlan: {}
# inline hook scripts
#
# example:
#
# up:
# - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp41s0"
#
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 65.108.238.0 netmask 255.255.255.192 gw 65.108.238.1 dev enp41s0"
- !!str "route add -net 88.198.56.192 netmask 255.255.255.224 gw 88.198.56.193 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: enp41s0
# use only once per device (for the first device entry)
headline:
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto:
- device: br0
family: inet6
method: static
address: 2a01:4f9:1a:b226::2
address: '2a01:4f8:222:2c2::2'
netmask: 64
gateway: fe80::1
metric:
pointopoint:
mtu:
scope:
gateway: 'fe80::1'
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge: {}
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: []# pre-up script lines
up: [] # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
@@ -255,8 +143,6 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
#apt_manage_sources_list: false
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
@@ -308,10 +194,10 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains
#
@@ -337,7 +223,7 @@ resolved_fallback_nameserver:
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
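Review bot: the new PATH value `/root/bin/admin-stuff;/root/bin:...` separates the first two entries with `;` instead of `:`, so cron will treat `/root/bin/admin-stuff;/root/bin` as a single (non-existent) directory and `/root/bin` will no longer be searched. Replace the semicolon with a colon: `job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`.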
@@ -351,9 +237,9 @@ cron_user_special_time_entries:
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
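Review bot: the replacement entry name reads `"Check if Check if all autostart LX-Container are running."`; drop the duplicated words since the name ends up as the comment line in the crontab. Note also that the postfix check it replaces disappears from this host's reboot entries entirely, which is fine only if postfix is not running here.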
@@ -379,28 +265,6 @@ cron_user_entries:
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
minute: '06'
hour: '00'
weekday: '1-6'
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
- name: "On sunday morning also determin diskspace usage"
minute: '06'
hour: '00'
weekday: 7
job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
- name: "Check hard disc usage."
minute: '43'
hour: '6'
@@ -411,18 +275,6 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml
# ---
create_sftp_group: true
extra_system_user:
- name: www-data
home: /var/www
groups: sftp_users
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
+235
@@ -0,0 +1,235 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
#
#
#cron_user_entries:
#
# - name: "Check if webservices sre running. Restart if necessary"
# minute: '*/5'
# hour: '*'
# job: /root/bin/monitoring/check_webservice_load.sh
#
# - name: "Check if SSH service is running. Restart service if needed."
# minute: '*/5'
# hour: '*'
# job: /root/bin/monitoring/check_ssh.sh
#
# - name: "Check if Postfix Mailservice is up and running?"
# minute: '*/15'
# hour: '*'
# job: /root/bin/monitoring/check_postfix.sh
#
# - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
# minute: '*/5'
# hour: '*'
# job: /root/bin/postfix/check-postfix-fatal-errors.sh
#
# - name: "Optimize mysql tables"
# minute: '53'
# hour: '04'
# job: /root/bin/mysql/optimize_mysql_tables.sh
#
# - name: "Flush query cache for mysql tables"
# minute: '27'
# hour: '04'
# job: /root/bin/mysql/flush_query_cache.sh
#
# - name: "Flush Host cache"
# minute: '17'
# hour: '05'
# job: /root/bin/mysql/flush_host_cache.sh
#
# - name: "Run occ file:scan for each cloud account"
# minute: '02'
# hour: '23'
# job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.neuemedienmacher.de
#
# - name: "Background job for nextcloud instance 'cloud.neuemedienmacher.de"
# minute: '*/15'
# hour: '*'
# job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.neuemedienmacher.de/htdocs/cron.php
#
# - name: "Check if certificates for coolwsd service are up to date"
# minute: '17'
# hour: '05'
# job: /root/bin/nextcloud/check_cert_coolwsd.sh
#
# - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
# minute: '23'
# hour: '05'
# job: /var/lib/dehydrated/cron/dehydrated_cron.sh
#
# - name: "Check whether all certificates are included in the VHOST configurations"
# minute: '33'
# hour: '05'
# job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
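Review bot: `sudoers_file_user_privileges` grants `back` `NOPASSWD` execution of the full `/usr/local/php/bin/php` binary as `www-data`, which is equivalent to arbitrary code execution as the web user; if only the Nextcloud `cron.php` is needed, restrict the entry to that script path. The commented cron block still references `cloud.neuemedienmacher.de` and a coolwsd certificate check, which suggests this file was copied from another host; removing the unrelated commented entries would make the host's actual configuration easier to review.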
+39
@@ -0,0 +1,39 @@
---
# ipt-firewall configuration for test.mx.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
- "eth1"
fw_ext_ips_v4:
- "83.223.85.205"
- "83.223.85.206"
fw_ext_ips_v6:
- "2a01:30:0:505:2eb:f4ff:feaa:d996 2a01:30:0:13:2eb:f4ff:feaa:d996"
- "2a01:30:0:505:2eb:f4ff:feaa:d997 2a01:30:0:13:2eb:f4ff:feaa:d997"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip $ext_2_ip
# --- Mail
fw_smtpd_ips: $ext_1_ip
fw_mail_server_ips: $ext_1_ip
fw_mail_client_ips: $ext_1_ip $ext_2_ip
fw_dovecot_auth_service: true
fw_dovecot_auth_allowed_networks_v4: 192.68.11.79
# --- Mumble
fw_mumble_server_ips: 138.201.33.54
# --- Rsync
fw_rsync_out_ips: $ext_1_ip
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
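Review bot: each `fw_ext_ips_v6` list item contains two addresses in one quoted string (`"2a01:30:0:505:... 2a01:30:0:13:..."`), so a consumer iterating the list gets one invalid address per entry; split them into four separate items, or keep the space-separated scalar form used by `fw_blocked_ips` and `fw_http_server_ips` consistently across all keys. The header says "review before committing": `fw_dovecot_auth_allowed_networks_v4: 192.68.11.79` is a public address outside the usual RFC 1918 ranges, so confirm it is not a typo before this opens the Dovecot auth service to it.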
+12
@@ -297,6 +297,12 @@ samba_user:
- buero
password: '20-printer-18'
- name: farina
groups:
- buero
- beratung
password: 'ADB_far!na_26'
- name: hanna
groups:
- buero
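Review bot: the new `farina` account is added with `password: 'ADB_far!na_26'` in clear text in a committed host_vars file; store it as a `!vault` scalar instead. The entry also lacks the `has_rdp` key that the other samba_user entries in this change carry, so confirm the role's default is the intended value.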
@@ -424,6 +430,8 @@ samba_user:
base_home: /home
samba_homes_virusfilter: true
# remove_samba_users:
# - name: name1
# - name: name2
@@ -442,6 +450,7 @@ samba_shares:
file_create_mask: !!str 660
dir_create_mask: !!str 2770
wide_links: !!str yes
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
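Review bot: this share keeps `wide_links: !!str yes` next to the newly enabled `vfs_object_virusfilter`; wide links let clients follow symlinks to paths outside the share root, so the virus scan and the share's access controls only cover what the symlink targets happen to be. Confirm wide links are still required on this share, and if they are, document why in a comment beside the key.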
@@ -452,6 +461,7 @@ samba_shares:
group_write_list: beratung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -462,6 +472,7 @@ samba_shares:
group_write_list: verwaltung
file_create_mask: !!str 0660
dir_create_mask: !!str 2770
vfs_object_virusfilter: true
vfs_object_recycle: true
recycle_path: '@Recycle'
@@ -474,6 +485,7 @@ samba_shares:
guest_ok: !!str no
file_create_mask: !!str 0664
dir_create_mask: !!str 0755
vfs_object_virusfilter: true
vfs_object_recycle: false
+67 -25
@@ -32,6 +32,7 @@ o13-staging-board.oopen.de
o25.oopen.de
o41.oopen.de
dc-opp.oopen.de
ak-plan.oopen.de
discourse.oopen.de
test-nd.oopen.de
formbricks-nd.oopen.de
@@ -76,6 +77,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -203,16 +205,20 @@ mm-irights.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# - o28 NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# - o29.oopen.de Dissens Host System
o29.oopen.de
@@ -222,6 +228,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# o31.oopen.de - Cadus e.V.
o31.oopen.de
@@ -420,16 +427,20 @@ cl-irights-neu.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# - o28 NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# - o29.oopen.de
o29.oopen.de
@@ -439,6 +450,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# o31.oopen.de - Cadus e.V.
o31.oopen.de
@@ -556,6 +568,7 @@ gw-irights.oopen.de
# - Kanzlei Berenice
gw-km.oopen.de
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
@@ -734,13 +747,16 @@ cl-test.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
# Backup Faire Mobilitaet
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de
cl-dissens.oopen.de
@@ -911,6 +927,10 @@ mm-irights.oopen.de
# Hetzner Cloud CX31 - AK
# o28 NDM - neue deutsche Medienmacher*innen
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de . Dissens
cl-dissens.oopen.de
@@ -1045,6 +1065,10 @@ mm-irights.oopen.de
# o27.oopen.de
mail.faire-mobilitaet.de
# o28.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# o35.oopen.de
e.mx.oopen.de
d.mx.oopen.de
@@ -1141,12 +1165,15 @@ mm-irights.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
@@ -1256,14 +1283,15 @@ cl-test.oopen.de
cl-irights.oopen.de
cl-irights-neu.oopen.de
# o26.oopen.de
o26.oopen.de
# o27.oopen.de
cl-fm.oopen.de
# o28.oopen.de
o28.oopen.de
# o26.oopen.de
o26.oopen.de
# - o28 neue deutsche Medienmacher*innen - NDM Host System
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
@@ -1394,7 +1422,6 @@ backup.oopen.de
devel-root.wf.netz
# Backup Faire Mobilitaet
o28.oopen.de
o26.oopen.de
# ---
@@ -1411,7 +1438,7 @@ o17.oopen.de
# ---
# Warenform
# ---
#anita.wf.netz
anita.wf.netz
# ---
# Büro Netzwerke
@@ -1425,6 +1452,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1527,6 +1555,7 @@ o22.oopen.de
o23.oopen.de
o24.oopen.de
o27.oopen.de
o28.oopen.de
o29.oopen.de
o30.oopen.de
o31.oopen.de
@@ -1560,6 +1589,7 @@ file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1656,12 +1686,17 @@ mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de - Dissens
cl-dissens.oopen.de
# o30.oopen.de - AK Server Nextcloud/Jitsi Meet
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# BigBlueButton - O.OPEN
@@ -1727,6 +1762,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
@@ -1866,16 +1902,20 @@ mm-irights.oopen.de
# IL - PAD
o25.oopen.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
o26.oopen.de
# - o27.oopen.de
o27.oopen.de
cl-fm.oopen.de
mail.faire-mobilitaet.de
# Hetzner Cloud CX31 - AK
# Backup Faire Mobilitaet
# o28.oopen.de NDM - neue deutsche Medienmacher*innen
o28.oopen.de
o26.oopen.de
cl-ndm.oopen.de
psono-ndm.oopen.de
# o29.oopen.de
o29.oopen.de
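Review bot: `o26.oopen.de` is listed both after the first `# Backup Faire Mobilitaet` comment and again after `o28.oopen.de`, and the second `# Backup Faire Mobilitaet` comment heads `o28.oopen.de` even though the `# o28.oopen.de NDM` comment right below is the one describing that host; deduplicate `o26.oopen.de` and move the comments so each sits above its own host.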
@@ -1885,6 +1925,7 @@ cl-dissens.oopen.de
o30.oopen.de
meet.akweb.de
cloud.akweb.de
ak-plan.oopen.de
# - o31.oopen.de
o31.oopen.de
@@ -1974,6 +2015,7 @@ file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-alt.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
+5
@@ -0,0 +1,5 @@
---
- hosts: oopen_server:warenform_server:!no_ipt_firewall
roles:
- ipt-server
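Review bot: the play has no `become: true`, yet the role writes to `/usr/local/sbin/`, `/etc/ipt-firewall/` and `/etc/systemd/system/` and restarts services, all of which need root; add `become: true` here unless the role's tasks escalate themselves. Also make sure the `no_ipt_firewall` group exists in `hosts` (even if empty), otherwise the `!no_ipt_firewall` exclusion produces an unmatched-host-pattern warning on every run.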
+7
@@ -112,3 +112,10 @@
daemon_reload: yes
state: restarted
- name: Reload AppArmor profile clamd
command: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
- name: Restart clamav-daemon
service:
name: clamav-daemon
state: restarted
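Review bot: `apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd` in the `Reload AppArmor profile clamd` handler fails hard on a host where AppArmor is not installed or the `usr.sbin.clamd` profile is absent, and the template task notifies it on every change; guard it with `when: ansible_facts.apparmor.status == 'enabled'` (the `apparmor` fact is collected by default) or a stat of the profile, so a host without AppArmor does not abort the play. The `Restart clamav-daemon` handler is fine; the two handlers together will run in this order, which is what the profile change needs.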
+134 -31
@@ -1,24 +1,23 @@
---
# ---
# Samba Server
# ---
- name: (samba-install.yml) Ensure samba packages server are installed.
- name: (samba-config-server.yml) Ensure samba packages server are installed.
package:
pkg: '{{ apt_install_server_samba }}'
pkg: "{{ apt_install_server_samba }}"
state: present
when:
- inventory_hostname in groups['samba_server']
tags:
- samba-server
- name: (samba-install.yml) Ensure quarantine directory exists
- name: (samba-config-server.yml) Ensure quarantine directory exists
file:
path: /data/samba/QUARANTINE
owner: root
group: root
mode: '0750'
mode: "0750"
state: directory
when:
- inventory_hostname in groups['samba_server']
@@ -37,7 +36,7 @@
recurse: no
with_items: "{{ samba_shares }}"
loop_control:
label: '{{ item.name }}'
label: "{{ item.name }}"
when:
- inventory_hostname in groups['samba_server']
tags:
@@ -47,9 +46,9 @@
# Virusfilter (ClamAV) - only when at least one share has vfs_object_virusfilter: true
# ---
- name: (samba-install.yml) Ensure virusfilter (ClamAV) packages are installed
- name: (samba-config-server.yml) Ensure virusfilter (ClamAV) packages are installed
package:
pkg: '{{ apt_install_server_samba_virusfilter }}'
pkg: "{{ apt_install_server_samba_virusfilter }}"
state: present
when:
- inventory_hostname in groups['samba_server']
@@ -58,13 +57,13 @@
- samba-server
- samba-virusfilter
- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
service:
name: "{{ item }}"
enabled: yes
loop:
- clamav-daemon
- clamav-freshclam
- name: (samba-config-server.yml) Check if ClamAV virus databases are present
find:
paths: /var/lib/clamav
patterns:
- "*.cvd"
- "*.cld"
register: clamav_db_files
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
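Review bot: `clamav_db_files` is only registered when all three conditions hold; the later consumers work today because `when` lists are evaluated in order and they repeat the same first two conditions before touching `clamav_db_files.files`, but that is fragile: reordering the conditions gives an undefined-variable error. Use `clamav_db_files.files | default([]) | length == 0` in the consuming tasks. Note also that the patterns match any `.cvd`/`.cld`, so a host with only `bytecode.cvd` present is treated as having a database and skips the initial `freshclam` run.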
@@ -72,7 +71,67 @@
- samba-server
- samba-virusfilter
- name: (samba-install.yml) Ensure clamav user is member of all Samba groups
- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
service:
name: clamav-freshclam
state: stopped
failed_when: false
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
- clamav_db_files.files | length == 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
service:
name: clamav-daemon
state: started
enabled: yes
failed_when: false
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
command: freshclam
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
- clamav_db_files.files | length == 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
service:
name: clamav-daemon
state: started
enabled: yes
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
service:
name: clamav-freshclam
state: started
enabled: yes
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba groups
user:
name: clamav
groups: "{{ item.name }}"
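Review bot: `Ensure clamav-daemon service is started before database update` runs right after the check found no `.cvd`/`.cld` files; clamd cannot load without a signature database, so on a fresh host this task only "succeeds" because `failed_when: false` swallows the error, and `Download initial ClamAV virus databases via freshclam` then runs with the daemon down anyway. Move the `command: freshclam` step before the first daemon start and drop `failed_when: false` so genuine start failures surface; `Ensure clamav-daemon service is enabled and started` then duplicates the earlier start task and can go. `command: freshclam` also deserves a comment that it only runs when the database directory is empty, since the task reports changed whenever it runs.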
@@ -89,18 +148,65 @@
- samba-server
- samba-virusfilter
- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths)
blockinfile:
path: /etc/apparmor.d/local/usr.sbin.clamd
create: yes
- name: (samba-config-server.yml) Ensure clamav user is member of all Samba user groups (homes virusfilter)
user:
name: clamav
groups: "{{ item.name }}"
append: yes
loop: "{{ samba_user }}"
loop_control:
label: "{{ item.name }}"
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- samba_user | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Get home directories of samba users via getent (homes virusfilter)
ansible.builtin.getent:
database: passwd
key: "{{ item.name }}"
loop: "{{ samba_user }}"
loop_control:
label: "{{ item.name }}"
register: samba_user_getent
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- samba_user | length > 0
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
file:
path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
mode: "0750"
state: directory
loop: "{{ samba_user_getent.results | default([]) }}"
loop_control:
label: "{{ item.item.name }}"
when:
- inventory_hostname in groups['samba_server']
- samba_homes_virusfilter | default(false) | bool
- item.ansible_facts is defined
tags:
- samba-server
- samba-virusfilter
- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
template:
src: etc/apparmor.d/local/usr.sbin.clamd.j2
dest: /etc/apparmor.d/local/usr.sbin.clamd
owner: root
group: root
mode: "0644"
marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths"
block: |
/data/** r,
/data/samba/QUARANTINE/** rw,
notify: Reload AppArmor profile clamd
notify:
- Reload AppArmor profile clamd
- Restart clamav-daemon
when:
- inventory_hostname in groups['samba_server']
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') |
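Review bot: `Ensure home directories are group-traversable for clamd` forces `mode: "0750"` on every samba user's home, which both relaxes 0700 homes (the whole group can now read them) and tightens 0755 ones, regardless of what the admin set; `mode: "g+rx"` (symbolic modes are accepted by `file`) changes only the bits clamd needs. The two `user` tasks assume each samba user has a group of the same name (`groups: "{{ item.name }}"`); on a system where users share a common primary group this adds `clamav` to that group, and the relaxed home permissions then expose every user's files to every other member. The visible part of the template task's `when` only tests `samba_shares` for `vfs_object_virusfilter`; confirm the cut-off continuation also covers `samba_homes_virusfilter`, otherwise a host with homes-only scanning never gets the `{{ base_home }}/** r,` rule. `[item.item.name][4]` is the home field of `getent_passwd`, which is correct; a comment saying so would help the next reader.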
@@ -109,7 +215,7 @@
- samba-server
- samba-virusfilter
- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
lineinfile:
path: /etc/clamav/clamd.conf
regexp: "^#?\\s*AllowAllMatchScan\\s"
@@ -124,7 +230,6 @@
- samba-server
- samba-virusfilter
# ---
# /etc/samba/smb.conf
# ---
@@ -204,7 +309,7 @@
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
ansible.builtin.lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: '^trash_dirs=*'
regexp: "^trash_dirs=*"
state: absent
check_mode: true
changed_when: false
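Review bot: `regexp: "^trash_dirs=*"` means `trash_dirs` followed by zero or more `=`, so it matches any line beginning with `trash_dirs`, including a key such as `trash_dirs_keep=`, and the `found` count used further down is inflated; `"^trash_dirs="` is what was meant. The single-to-double quote change is fine.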
@@ -262,7 +367,5 @@
job: "{{ samba_cronjob_permissions.job }}"
when:
- inventory_hostname in groups['samba_server']
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
tags: [samba-server, samba-cron]
+1
@@ -55,6 +55,7 @@
loop: "{{ default_user }}"
loop_control:
label: '{{ item.name }}'
when: item.name != ansible_user
tags:
- users-exists
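Review bot: `when: item.name != ansible_user` raises an undefined-variable error on hosts where the login user comes from `~/.ssh/config` or the default, because `ansible_user` is only defined when set in inventory or via `-u`; `item.name != (ansible_user | default(ansible_user_id))` uses the gathered `ansible_user_id` fact as fallback and works everywhere. The intent, never touching the account Ansible is logged in as, is right; a one-line comment on the task would make it explicit.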
@@ -0,0 +1,11 @@
# {{ ansible_managed }}
# see: roles/common/tasks/samba-config-server.yml
/data/** r,
/data/samba/QUARANTINE/** rw,
{% if samba_homes_virusfilter | default(false) | bool %}
{{ base_home }}/** r,
{% if base_home != '/home' %}
/home/** r,
{% endif %}
{% endif %}
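Review bot: `{{ base_home }}` is rendered unconditionally inside the `samba_homes_virusfilter` branch, so the template fails on any host that enables homes scanning without defining `base_home`; either give it a default (`{{ base_home | default('/home') }}`) or assert it in the tasks before the template runs. `/data/** r,` grants clamd read access to everything under `/data`, not only the configured shares; if anything other than share data lives there, generate one `r` rule per share path instead.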
+49 -2
@@ -305,6 +305,14 @@
# next parameter to 'no' if you want to be able to write to them.
read only = no
{% if samba_homes_virusfilter | default(false) | bool %}
# Virusfilter aktiv: Gruppe benötigt Leserecht, damit clamd (als Gruppenmitglied)
# Dateien und Verzeichnisse direkt öffnen kann (SCAN-Kommando an clamd).
create mask = 0640
force create mode = 0040
directory mask = 0750
force directory mode = 0050
{% else %}
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
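Review bot: `force create mode = 0040` and `force directory mode = 0050` add group read/execute to every file and directory created in [homes], and the group is the user's primary group; this is safe only where each user has a private group (then the only other member is `clamav`), but on a system with a shared primary group such as `users` every member can read every other user's home share. State that assumption next to the `samba_homes_virusfilter` flag or verify user-private groups in the task that adds `clamav` to the groups. The German comment explains the why well; an English version would match the rest of the template's comments.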
@@ -312,6 +320,7 @@
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
{% endif %}
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
@@ -319,6 +328,37 @@
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
{% if samba_homes_virusfilter | default(false) | bool %}
# --- Virusfilter-Einstellungen [homes] ---
vfs objects = virusfilter
virusfilter:scanner = clamav
virusfilter:socket path = /var/run/clamav/clamd.ctl
virusfilter:infected file action = delete
virusfilter:cache entry limit = 1000
virusfilter:cache time limit = 60
#virusfilter:max file size = 52428800 # 50 MB max
#virusfilter:max file size = 26214400 # 25 MB max
virusfilter:max file size = 15728640 # 15 MB max
virusfilter:min file size = 10
virusfilter:scan on open = yes
virusfilter:scan on close = yes
# Fehlercode bei infizierter Datei (beim Öffnen)
virusfilter:infected file errno on open = EACCES
# Fehlercode beim Schließen
virusfilter:infected file errno on close = EACCES
virusfilter:connect timeout = 30000
virusfilter:io timeout = 60000
{% endif %}
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
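Review bot: `virusfilter:infected file action = delete` removes the infected file outright, leaving nothing for incident analysis, although the role already prepares `/data/samba/QUARANTINE` with `rw` for clamd; `quarantine` together with `virusfilter:quarantine directory = /data/samba/QUARANTINE` keeps the sample and still blocks access. The whole block repeats the share-level settings verbatim; a Jinja macro or an included snippet keeps [homes] and the shares from drifting (the commented-out `25 MB` line already shows how the limit has moved). Files above `virusfilter:max file size` are passed through unscanned, which is worth a comment since it is a policy choice, not a tuning knob.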
@@ -484,12 +524,19 @@
# Dateigröße: Was wird gescannt?
#virusfilter:max file size = 52428800 # 50 MB max
virusfilter:max file size = 26214400 # 25 MB max
#virusfilter:max file size = 26214400 # 25 MB max
virusfilter:max file size = 15728640 # 15 MB max
virusfilter:min file size = 10 # unter 10 Byte ignorieren
# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen
virusfilter:scan on open = yes
virusfilter:scan on close = no
virusfilter:scan on close = yes
# Fehlercode bei infizierter Datei (beim Öffnen)
virusfilter:infected file errno on open = EACCES
# Fehlercode beim Schließen
virusfilter:infected file errno on close = EACCES
# Timeouts (Millisekunden)
virusfilter:connect timeout = 30000
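Review bot: the comment `# Scan-Zeitpunkt: nur beim Öffnen, nicht beim Schließen` ("scan on open only, not on close") is now wrong, because the line below it changes `virusfilter:scan on close` from `no` to `yes`; update it. Lowering `virusfilter:max file size` from 25 MB to 15 MB means files between 15 and 25 MB now pass without a scan; say so in the comment or the commit message, since that is a change of coverage rather than a performance tweak.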
+221
@@ -0,0 +1,221 @@
# ipt-server — Migrationsleitfaden
Dieser Leitfaden beschreibt, wie ein bestehender Host vom alten Verfahren
(manuell verwaltete `/etc/ipt-firewall/`-Dateien, ggf. `firewall`- oder
`modify-ipt-server`-Rolle) auf die neue `ipt-server`-Ansible-Rolle umgestellt
wird.
---
## Überblick
Das alte Verfahren:
- Firewall-Skripte und Conf-Dateien wurden manuell oder über die alte `firewall`-Rolle
(lineinfile/blockinfile) gepflegt.
- Änderungen direkt in `/etc/ipt-firewall/` auf dem Host.
Das neue Verfahren:
- Alle Firewall-Einstellungen liegen in `host_vars/${HOSTNAME}/ipt-server.yml`.
- Ansible deployt die Config-Dateien aus Jinja2-Templates.
- Direktes Editieren auf dem Host ist nicht mehr vorgesehen.
Die Migration ist **nicht-destruktiv**: Bestehende Config-Dateien werden erst
dann überschrieben, wenn die Migration explizit freigegeben wird (`fw_manage_config: true`).
---
## Schritt 1 — Aktuellen Stand einfrieren
Vor jeder anderen Änderung den Zustand der laufenden Firewall-Rules sichern.
Das ist der Referenzwert für den späteren Vergleich mit den Ansible-generierten
Rules.
```bash
HOSTNAME=<hostname>
ssh -t ${HOSTNAME} '
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v4.rules
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v6.rules
echo "Stand gesichert."
'
```
---
## Schritt 2 — Aktuelle Konfiguration auslesen
Das Skript `extract-fw-host-vars.py` liest die vier Conf-Dateien vom Host via SSH,
mappt alle Variablen auf die `fw_*`-Ansible-Variablen und schreibt eine fertige
`host_vars`-Datei:
```bash
cd /path/to/ansible/oopen-server
HOSTNAME=<hostname>
./extract-fw-host-vars.py ${HOSTNAME} --sudo \
-o host_vars/${HOSTNAME}/ipt-server.yml
```
Das Skript fragt einmalig nach dem `sudo`-Passwort.
**Ergebnis prüfen:**
```bash
cat host_vars/${HOSTNAME}/ipt-server.yml
```
Kontrollpunkte:
- Sind `fw_ext_interfaces`, `fw_ext_ips_v4`, `fw_ext_ips_v6` korrekt?
- Sind aktivierte Dienste (Mail, HTTP, VPN usw.) vorhanden?
- Sind `munin_remote_ipv4` / `munin_remote_ipv6` eingetragen (falls Munin läuft)?
Fehlende oder falsche Werte können direkt in der YAML-Datei korrigiert werden.
Alle Variablen und ihre Bedeutung stehen in `defaults/main.yml`.
---
## Schritt 3 — Erste Ausrollung (Safety-Guard aktiv)
Solange `fw_manage_config` nicht auf `true` gesetzt ist (Default: `false`),
überschreibt Ansible **keine** bestehenden Config-Dateien. Es werden nur
installiert:
- Firewall-Skripte → `/usr/local/sbin/`
- Geteilte Conf-Dateien → `/etc/ipt-firewall/`
- Systemd-Units → `/etc/systemd/system/`
```bash
HOSTNAME=<hostname>
# Vorschau:
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
# Ausrollen:
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Die host-spezifischen Config-Dateien (`main_ipv4.conf`, `main_ipv6.conf`,
`interfaces_ipv4.conf`, `interfaces_ipv6.conf`) bleiben unangetastet.
Ändern sich jedoch Firewall-Skripte, geteilte Conf-Dateien oder Systemd-Units
(typisch bei Erstinstallation), **wird die Firewall neu gestartet** — mit den
bestehenden Config-Dateien, also ohne inhaltliche Regeländerung.
---
## Schritt 4 — Ansible als autoritative Quelle freischalten und verifizieren
Jetzt wird `fw_manage_config: true` gesetzt, damit Ansible die vier
host-spezifischen Config-Dateien aus den Templates schreibt:
```yaml
# host_vars/${HOSTNAME}/ipt-server.yml
---
fw_manage_config: true # ← hinzufügen / auf true setzen
fw_ext_interfaces:
- "eth0"
# ...
```
**Vorschau:** Zeigt genau, was in den Config-Dateien geändert wird — hier
sorgfältig prüfen, ob die neuen Werte den alten entsprechen:
```bash
HOSTNAME=<hostname>
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
```
**Anwenden:** Ansible schreibt die neuen Config-Dateien und startet die Firewall
automatisch neu (da sich die Dateien geändert haben):
```bash
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
**Verifizieren:** Jetzt die neuen Rules mit dem gesicherten Stand vergleichen:
```bash
ssh -t ${HOSTNAME} '
sudo iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v4.rules
sudo ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v6.rules
echo "=== IPv4 diff ==="
diff /tmp/fw_before_v4.rules /tmp/fw_after_v4.rules
echo "=== IPv6 diff ==="
diff /tmp/fw_before_v6.rules /tmp/fw_after_v6.rules
'
```
**Erwartetes Ergebnis:** Beide Diffs sind leer — die Ansible-generierten
Config-Dateien produzieren exakt dieselben Rules wie die bisher händisch
verwalteten.
Falls Unterschiede erscheinen: die abweichenden Rules identifizieren, die
entsprechenden Variablen in `host_vars/${HOSTNAME}/ipt-server.yml` nachpflegen,
erneut ausrollen und den Diff wiederholen.
Ab jetzt:
- Ansible überschreibt die vier Config-Dateien bei jedem Run aus den Templates.
- Bei Änderungen an Templates oder host_vars wird die Firewall automatisch
neu gestartet.
- Direktes Editieren von `/etc/ipt-firewall/interfaces_*.conf` oder `main_*.conf`
auf dem Host wird beim nächsten Ansible-Run überschrieben.
---
## Schritt 5 — Altes System deaktivieren
### Altes Ansible-Vorgehen abschalten
Sicherstellen, dass der Host nicht mehr durch die alte `firewall`-Rolle oder
`modify-ipt-server`-Rolle verwaltet wird. Falls der Host in einem Playbook
eingetragen ist, das diese Rollen verwendet, den Host dort entfernen oder das
Playbook anpassen.
### Altes git-Repository auf dem Host entfernen (optional)
Das Repository `/usr/local/src/ipt-server` wird von der neuen Rolle nicht mehr
benötigt. Es kann entfernt werden:
```bash
HOSTNAME=<hostname>
ssh ${HOSTNAME} 'rm -rf /usr/local/src/ipt-server'
```
Vorher prüfen, ob das Verzeichnis noch anderweitig verwendet wird.
### Sicherstellen, dass niemand mehr direkt editiert
Da `fw_manage_config: true` gesetzt ist, werden direkte Änderungen in
`/etc/ipt-firewall/` beim nächsten Ansible-Run überschrieben. Als zusätzliche
Absicherung enthält jede von Ansible generierte Config-Datei oben folgenden
Hinweis (via `{{ ansible_managed }}`):
```ini
# Ansible managed
# DO NOT EDIT - changes will be overwritten on the next Ansible run.
# Edit host_vars/${HOSTNAME}/ipt-server.yml instead.
```
---
## Zusammenfassung
| Schritt | Befehl / Aktion | Wann |
| --- | --- | --- |
| 1 | Aktuellen Rules-Stand auf dem Host sichern | Einmalig pro Host |
| 2 | `extract-fw-host-vars.py` ausführen, Ergebnis prüfen | Einmalig pro Host |
| 3 | Erste Ausrollung (Safety-Guard aktiv) — Skripte + Units | Einmalig pro Host |
| 4 | `fw_manage_config: true` + `--check --diff` + ausrollen + Rules vergleichen | Einmalig pro Host |
| 5 | Alte Rolle deaktivieren, git-Repo auf Host entfernen | Einmalig pro Host |
| — | Änderungen: host_vars editieren + `ansible-playbook` | Ab jetzt immer so |
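Review bot: Schritt 3 says the restart after installing the new scripts happens "ohne inhaltliche Regeländerung", but that holds only if the new `ipt-firewall-server` generates the same rules from the existing conf files as the version already on the host; if not, the Schritt 4 diff mixes script-induced and config-induced differences. Take a second snapshot right after Schritt 3 (for example `/tmp/fw_after_step3_v4.rules`) and diff it against the Schritt 1 files before setting `fw_manage_config: true`, so each difference can be attributed. The snapshot pipeline (`grep -v "^#" | sed ...`) is sound; since `/tmp` may be cleared on reboot, copy the reference files off the host if the migration is spread over several days.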
+206
@@ -0,0 +1,206 @@
# ipt-server — Ansible Role
Verwaltet die iptables/ip6tables-basierte Firewall (`ipt-firewall-server` /
`ip6t-firewall-server`) auf Debian-Hosts.
Die Rolle ist die **einzige** autorisierte Stelle für Firewall-Änderungen. Direkte
Edits in `/etc/ipt-firewall/` auf dem Host werden beim nächsten Ansible-Run
überschrieben, sobald `fw_manage_config: true` gesetzt ist.
---
## Verzeichnisstruktur
```
roles/ipt-server/
├── defaults/main.yml # Alle Variablen mit Defaults
├── files/
│ ├── etc/ipt-firewall/ # Geteilte Conf-Dateien (nicht host-spezifisch)
│ │ ├── default_settings.conf
│ │ ├── include_functions.conf
│ │ ├── logging_ipv4.conf
│ │ ├── logging_ipv6.conf
│ │ ├── post_declarations.conf
│ │ ├── ban_ipv4.list.sample
│ │ └── ban_ipv6.list.sample
│ ├── etc/systemd/system/
│ │ ├── ipt-firewall.service
│ │ └── ip6t-firewall.service
│ └── usr/local/sbin/
│ ├── ipt-firewall-server # IPv4-Firewall-Skript
│ └── ip6t-firewall-server # IPv6-Firewall-Skript
├── handlers/main.yml
├── tasks/main.yml
└── templates/
└── etc/ipt-firewall/
├── interfaces_ipv4.conf.j2 # Host-spezifisch: Interfaces + IPs
├── interfaces_ipv6.conf.j2
├── main_ipv4.conf.j2 # Host-spezifisch: Dienste, Regeln
└── main_ipv6.conf.j2
```
Host-spezifische Konfiguration liegt ausschließlich in:
```
host_vars/${HOSTNAME}/ipt-server.yml
```
---
## Neuen Host aufnehmen
### Voraussetzungen
- Host ist im Ansible-Inventory (`hosts`) eingetragen.
- SSH-Zugang mit `sudo`-Rechten ist vorhanden.
### Schritt 1 — host_vars anlegen
```bash
cd /path/to/ansible/oopen-server
HOSTNAME=<hostname>
mkdir -p host_vars/${HOSTNAME}
cat > host_vars/${HOSTNAME}/ipt-server.yml << 'EOF'
---
fw_manage_config: true
# --- Netzwerk
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "1.2.3.4"
fw_ext_ips_v6:
- "2001:db8::1"
EOF
```
Alle weiteren Variablen sind optional — sie greifen auf die Defaults in
`defaults/main.yml` zurück. Nur abweichende Werte müssen gesetzt werden.
Für eine vollständige Variablenreferenz: `defaults/main.yml`.
### Schritt 2 — Dry-run
```bash
HOSTNAME=<hostname>
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
```
Der Diff zeigt genau, welche Dateien angelegt und welche Config-Werte gesetzt
werden. Prüfen, ob Interfaces, IPs und Dienste stimmen.
### Schritt 3 — Scharf stellen
```bash
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Was passiert:
- Firewall-Skripte werden nach `/usr/local/sbin/` kopiert.
- Geteilte Conf-Dateien werden nach `/etc/ipt-firewall/` kopiert.
- Systemd-Units werden installiert, Dienste werden aktiviert und gestartet.
- Config-Dateien (`interfaces_*.conf`, `main_*.conf`) werden aus den Templates
erzeugt und die Firewall wird gestartet.
---
## Konfiguration ändern
Alle Änderungen erfolgen ausschließlich in der host_vars-Datei des Hosts:
```
host_vars/${HOSTNAME}/ipt-server.yml
```
Danach:
```bash
HOSTNAME=<hostname>
# Vorschau:
ansible-playbook ipt-server.yml --limit ${HOSTNAME} --check --diff
# Anwenden (ändert Config, startet Firewall bei Änderungen neu):
ansible-playbook ipt-server.yml --limit ${HOSTNAME}
```
Ansible erkennt automatisch, ob sich eine Config-Datei geändert hat. Nur bei
tatsächlichen Änderungen wird die Firewall neu gestartet.
### Beispiel: HTTP-Server aktivieren
```yaml
# host_vars/${HOSTNAME}/ipt-server.yml
fw_http_server_ips: "$ext_ips" # oder konkrete IP
```
### Beispiel: SSH auf bestimmten Port einschränken
```yaml
fw_ssh_ports: "2222"
```
### Beispiel: LXC-Gäste eintragen
```yaml
fw_lxc_guest_ips_v4:
- "10.0.3.10"
- "10.0.3.11"
fw_lxc_guest_ips_v6:
- "fd00::10"
- "fd00::11"
```
---
## Firewall-Skripte aktualisieren
Wenn `ipt-firewall-server` oder `ip6t-firewall-server` im `ipt-server`-Repository
aktualisiert werden, müssen die neuen Versionen manuell in die Rolle übernommen
werden:
```bash
SRC=/path/to/ipt-server
DST=roles/ipt-server/files/usr/local/sbin
cp $SRC/ipt-firewall-server $DST/
cp $SRC/ip6t-firewall-server $DST/
chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server
```
Ebenso für geteilte Conf-Dateien in `roles/ipt-server/files/etc/ipt-firewall/`.
Nach dem Commit werden die neuen Skripte beim nächsten Ansible-Run auf alle
Hosts deployed.
---
## Wichtige Variablen
| Variable | Default | Bedeutung |
|---|---|---|
| `fw_manage_config` | `false` | `true` = Ansible verwaltet Config-Dateien vollständig |
| `fw_ext_interfaces` | `[]` | Externe Netzwerk-Interfaces, z.B. `["eth0"]` |
| `fw_ext_ips_v4` | `[]` | Externe IPv4-Adressen |
| `fw_ext_ips_v6` | `[]` | Externe IPv6-Adressen |
| `fw_ssh_server_ips` | `"$ext_ips"` | IPs auf denen SSH erlaubt ist |
| `fw_ssh_ports` | `"$standard_ssh_port"` | SSH-Port(s) |
| `fw_http_server_ips` | `""` | IPs auf denen HTTP/HTTPS erlaubt ist |
| `munin_remote_ipv4` | `""` | Munin-Server IPv4 |
| `munin_remote_ipv6` | `""` | Munin-Server IPv6 |
Alle Variablen mit Beschreibung und Defaults: `defaults/main.yml`.
Variablen die mit `$` beginnen (z.B. `$ext_ips`, `$standard_ssh_port`) sind
Bash-Variablen — sie werden nicht von Ansible aufgelöst, sondern zur Laufzeit
vom Firewall-Skript expandiert.
---
## Ban-Listen
`/etc/ipt-firewall/ban_ipv4.list` und `ban_ipv6.list` werden beim ersten
Ausrollen aus den Beispiel-Dateien der Rolle erzeugt und danach **nicht mehr
durch Ansible angefasst** — sie können auf dem Host direkt bearbeitet werden.
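Review bot: the `Scharf stellen` step has no lockout safeguard. `fw_ssh_server_ips` defaults to `"$ext_ips"`, which the firewall script fills, as far as I can see, from the external IPs the templates write out of `fw_ext_ips_v4`/`fw_ext_ips_v6` (default `[]`); a host_vars file with a missing or wrong external IP list therefore blocks SSH the moment the firewall starts. Tell the reader to verify `fw_ext_ips_*` and `fw_ssh_*` in the `--check --diff` output and to keep a second session open during the first apply. The opening claim that the role is the single authoritative place for firewall changes conflicts with the `Ban-Listen` section, where `ban_ipv4.list`/`ban_ipv6.list` are edited on the host; name the ban lists as the one exception. In `Firewall-Skripte aktualisieren` the `chmod 750` on the copies in `files/` does not survive git (only the executable bit is tracked) and does not set the mode on the target, which the deploying task's `mode` does; either drop it or explain that.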
+376
@@ -0,0 +1,376 @@
---
# ---
# ipt-firewall role defaults
# Override per host in host_vars/<hostname>/ipt_firewall.yml
# ---
# ---
# Config management mode.
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
# true: Ansible is authoritative — config is always written from templates and
# the firewall is restarted on any change. Set this after migrating a host.
# ---
fw_manage_config: false
# ---
# Network interfaces and addresses (set per host in host_vars)
# ---
fw_ext_interfaces: [] # e.g. ["eth0"]
fw_ext_ips_v4: [] # e.g. ["83.223.86.98"]
fw_ext_ips_v6: [] # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
fw_local_interfaces: []
fw_local_ips_v4: []
fw_local_ips_v6: []
fw_vpn_ifs: "tun+"
fw_wg_ifs: "wg+"
fw_lxc_guest_ips_v4: []
fw_lxc_guest_ips_v6: []
fw_nat_devices: ""
# ---
# Munin monitoring (often set in group_vars or role defaults)
# ---
munin_remote_ipv4: ""
munin_remote_ipv6: ""
# ---
# Bridged / LXC traffic
# ---
fw_do_not_firewall_bridged_traffic: false
fw_do_not_firewall_lx_guest_systems: false
# ---
# Drop policies
# ---
fw_drop_icmp: false
fw_drop_mndp: true
fw_drop_mdns: true
# ---
# Outgoing / interface policy
# ---
fw_allow_all_outgoing_traffic: false
fw_blocked_ifs: ""
fw_unprotected_ifs: ""
# ---
# Forwarding (protocol-specific addresses)
# ---
fw_forward_private_ips_v4: ""
fw_forward_private_ips_v6: ""
# ---
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
# ---
fw_restrict_local_service_to_net_v4: ""
fw_restrict_local_service_to_net_v6: ""
fw_restrict_local_net_to_net_v4: ""
fw_restrict_local_net_to_net_v6: ""
fw_allow_ext_service_v4: ""
fw_allow_ext_service_v6: ""
fw_allow_ext_net_v4: ""
fw_allow_ext_net_v6: ""
fw_allow_local_service_v4: ""
fw_allow_local_service_v6: ""
fw_allow_local_service_from_networks_v4: ""
fw_allow_local_service_from_networks_v6: ""
# ---
# Services: VPN / WireGuard
# ---
fw_vpn_server_ips: ""
fw_forward_vpn_server_ips: ""
fw_vpn_ports: "$standard_vpn_port"
fw_wireguard_server_ips: ""
fw_forward_wireguard_server_ips: ""
fw_wireguard_server_ports: "$standard_wireguard_port"
fw_wireguard_out_ports: "$standard_wireguard_port"
# ---
# Services: NTP
# ---
fw_local_ntp_service: false
fw_ntp_port: "$standard_ntp_port"
fw_ntp_allowed_net: ""
# ---
# Services: DHCP (IPv4 only)
# ---
fw_dhcp_server_ifs: ""
fw_dhcp_client_ifs: ""
# ---
# Services: DNS
# ---
fw_dns_server_ips: ""
fw_forward_dns_server_ips: ""
fw_local_resolver_service: false
fw_resolver_port: "$standard_dns_port"
fw_resolver_allowed_networks_v4: ""
fw_resolver_allowed_networks_v6: ""
# ---
# Services: SSH
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
# Override in host_vars to restrict to specific IPs.
# ---
fw_ssh_server_ips: "$ext_ips"
fw_forward_ssh_server_ips: ""
fw_ssh_ports: "$standard_ssh_port"
# ---
# Services: HTTP(S)
# ---
fw_http_server_ips: ""
fw_forward_http_server_ips: ""
fw_http_ports: "$standard_http_ports"
fw_log_cgi_traffic_out: false
fw_cgi_script_users: ""
# ---
# Services: Mattermost
# ---
fw_mm_server_ips: ""
fw_forward_mm_server_ips: ""
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"
# ---
# Services: Mail
# ---
fw_smtpd_ips: ""
fw_forward_smtpd_ips: ""
fw_smtpd_additional_listen_ports: ""
fw_smtpd_additional_outgoing_ports: ""
fw_mail_server_ips: ""
fw_forward_mail_server_ips: ""
fw_mail_user_ports: "$standard_mailuser_ports"
fw_mail_client_ips: ""
fw_forward_mail_client_ips: ""
fw_dovecot_auth_service: false
fw_dovecot_auth_port: "$dovecot_external_auth_port"
fw_dovecot_auth_allowed_networks_v4: ""
fw_dovecot_auth_allowed_networks_v6: ""
# ---
# Services: FTP
# ---
fw_ftp_server_ips: ""
fw_forward_ftp_server_ips: ""
fw_ftp_passive_port_range: "50000:50400"
# ---
# Services: XMPP (Jabber / Prosody)
# ---
fw_xmpp_server_ips: ""
fw_forward_xmpp_server_ips: ""
fw_xmmp_tcp_in_ports: "5222 5223 5269"
fw_xmmp_tcp_out_ports: "5269"
fw_xmmp_remote_out_services_v4: ""
fw_xmmp_remote_out_services_v6: ""
# ---
# Services: Mumble
# ---
fw_mumble_server_ips: ""
fw_forward_mumble_server_ips: ""
fw_mumble_ports: "$standard_mumble_port"
# ---
# Services: Jitsi / Jibri
# ---
fw_jitsi_server_ips: ""
fw_forward_jitsi_server_ips: ""
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_dovecot_auth: false
fw_jitsi_dovecot_host: ""
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
fw_jitsi_jibri_remote_auth: false
fw_jitsi_jibri_remote_ips: ""
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
fw_jibri_server_ips: ""
fw_forward_jibri_server_ips: ""
fw_jibri_remote_jitsi_server: ""
fw_jibri_remote_auth_port: "$default_jibri_out_port"
# ---
# Services: TURN / STUN (Nextcloud Talk)
# ---
fw_nc_turn_server_ips: ""
fw_forward_nc_turn_server_ips: ""
fw_nc_turn_ports: "$standard_turn_service_ports"
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"
# ---
# Services: TFTP
# ---
fw_tftp_server_ips: ""
# ---
# Services: Prometheus
# ---
fw_prometheus_local_server_ips: ""
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
fw_prometheus_local_client_ips: ""
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
fw_prometheus_remote_server_ips: ""
# ---
# Services: Munin
# ---
fw_munin_server_ips: ""
fw_forward_munin_server_ips: ""
fw_munin_remote_port: "$standard_munin_port"
fw_munin_local_port: "4949"
# ---
# Services: Xymon
# ---
fw_xymon_server_ips: ""
fw_local_xymon_client: false
fw_xymon_port: "$standard_xymon_port"
# ---
# Protocols out: Rsync
# ---
fw_rsync_out_ips: ""
fw_forward_rsync_out_ips: ""
fw_rsync_ports: "873"
# ---
# Special ports (OUT)
# ---
fw_tcp_out_ports: ""
fw_forward_tcp_out_ports: ""
fw_udp_out_ports: ""
fw_forward_udp_out_ports: ""
# ---
# Portforwarding (protocol-specific formats)
# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
# ---
fw_portforward_tcp_v4: ""
fw_portforward_udp_v4: ""
fw_portforward_tcp_v6: ""
fw_portforward_udp_v6: ""
# ---
# Blocked IPs / ports
# ---
fw_blocked_ips: ""
fw_block_tcp_ports: "111 113 135 137:139 445"
fw_block_udp_ports: "111 137:139"
# ---
# Special / counters
# ---
fw_create_traffic_counter: true
fw_create_iperf_rules: true
# ---
# Protection
# ---
fw_protection_against_syn_flooding: true
fw_protection_against_port_scanning: true
fw_protection_against_ssh_brute_force_attacks: true
# ---
# Connection limits
# ---
fw_limit_connections_per_source_IP: true
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
fw_limit_new_tcp_connections_per_seconds_ports: ""
# ---
# Kernel parameters — IPv4
# ---
fw_kernel_activate_forwarding: false
fw_kernel_support_dynaddr: false
fw_dynaddr_flag: "5"
fw_kernel_reduce_timeouts: true
fw_kernel_tcp_syncookies: true
fw_kernel_protect_against_icmp_bogus_messages: true
fw_kernel_ignore_broadcast_ping: true
fw_kernel_deactivate_source_route: true
fw_kernel_dont_accept_redirects: true
fw_kernel_activate_rp_filter: true
fw_kernel_log_martians: false
# ---
# Kernel parameters — IPv6
# ---
fw_kernel_forward_between_interfaces: false
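Review bot: the header `Override per host in host_vars/<hostname>/ipt_firewall.yml` still names the old file; the README and the migration guide in this change use `host_vars/${HOSTNAME}/ipt-server.yml`. Several variable names carry spelling inconsistencies that every template and host_vars file will have to reproduce exactly: `fw_xmmp_*` next to `fw_xmpp_server_ips`, `$stansard_mattermost_udp_ports_*`, `$default_jitsi_dovecout_auth_port`, and the mixed-case `fw_limit_connections_per_source_IP` / `fw_per_IP_connection_limit`. The `$stansard_` names match the shell defaults shipped in `default_settings.conf` and so cannot be corrected on one side only; if they stay, mark them as deliberate in a comment, and fix `fw_xmmp_*` now before more host_vars are generated from it.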
@@ -0,0 +1,36 @@
# - IPv4 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
# - network/nn CIDR notation like 1.2.3.0/27
# - network/netmask notaions like 1.2.3.0/255.255.255.0
# - network/partial_netmask like 1.2.3.4/255
# -
# - Note:
# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
# -
# - Example:
# - 79.171.81.0/24
# - 79.171.81.0/255.255.255.0
# - 79.171.81.0/255.255.255
# - 79.171.81
# CHINANET-JS
222.184.0.0/13
61.160.0.0/16
# CHINANET-GX
116.8.0.0/14
# BAIDU-HK - Hong Kong
103.235.44.0/22
# UNICOM-HE - China Unicom Hebei province network
110.240.0.0/12
# CMNET - China Mobile Communications Corporation
39.128.0.0/10
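Review bot: the comment `complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)` is wrong: the /32 of 1.2.3.4 is `1.2.3.4/32`, and `1.2.3.0/32` is a different host. Per the README this sample becomes the live `ban_ipv4.list` on first rollout, so every newly provisioned host starts with the CHINANET, BAIDU-HK, UNICOM-HE and CMNET ranges blocked; that is a policy decision worth stating in the README rather than leaving implicit in a `.sample`. Typos in the header: `listet` (listed), `completly` (completely), `adresses` (addresses), `notaions` (notations).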
@@ -0,0 +1,20 @@
# - IPv6 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
# -
# -
# - Note:
# - - If no mask is given mask will be set to '64'
# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
# -
# - Example:
# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
# - 2a01:30:0:13:5054:ff::1
# - 2a01:30:0:13:5054:ff::1/56
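Review bot: "If no mask is given mask will be set to '64'" means a single address such as 2a01:30:0:13:5054:ff::1 bans the whole /64 it lives in, which differs from the IPv4 list (a bare address becomes a /32) and can take out unrelated hosts in the same prefix; consider /128 as the default for a bare address and require an explicit mask for subnet bans, or at least spell out the intent in the comment. Same header typos as the IPv4 sample ("listet", "completly", "adresses").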
@@ -0,0 +1,157 @@
#!/usr/bin/env bash
# -------------
# --- Default Parameter / Options
# -------------
default_per_IP_connection_limit=111
# -------------
# --- Default Ports for Services out
# -------------
standard_checkmk_port=6556
standard_cpan_wait_port=1404
standard_dns_port=53
standard_ftp_port=21
standard_ftp_data_port=20
standard_git_port=9418
standard_hbci_port=3000
standard_http_port=80
standard_https_port=443
standard_ident_port=113
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_irc_port=6667
standard_jabber_port=5222
standard_ldap_port=389
standard_ldaps_port=636
standard_mdns_port=5353
standard_mndp_port=5678
standard_mumble_port=64738
standard_munin_port=4949
standard_mysql_port=3306
standard_ntp_port=123
standard_pgp_keyserver_port=11371
standard_print_port=9100
standard_print_raw_port=515
standard_remote_console_port=5900
standard_silc_port=706
standard_smtp_port=25
standard_snmp_port=161
standard_snmp_trap_port=162
standard_ssh_port=22
standard_telnet_port=23
standard_tftp_udp_port=69
standard_timeserver_port=37
standard_vpn_port=1194
standard_wireguard_port=51820
standard_whois_port=43
standard_xymon_port=1984
# - Prometheus services
# -
standard_prometheus_ports="9100,9256"
# - Mattermost (MM) Service
# -
stansard_mattermost_udp_ports_in="8443"
stansard_mattermost_udp_ports_out="3478"
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
# - Dovecot Service
# -
dovecot_external_auth_port="44444"
# - Jitsi Video Conference Service
# -
standard_jitsi_tcp_ports="$standard_http_ports"
standard_jitsi_udp_port_range="10000:20000"
default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
# - Jibri Service
# -
default_jibri_out_port=5222
# default_outbound_streaming_tcp_ports
#
# - outbound port 1935/TCP : outbound streaming over RTMP to most
# streaming providers such as YouTube Live, Vimeo or Twitch
#
# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
# Live (port 1935 is also used for RTMP streaming to LinkedIn)
#
# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
# RTMPS to LinkedIn Live
#
# - outbound port 443/TCP (HTTPS) : used for authentication with the
# built-in providers such as YouTube Live, Facebook Live, Ustream,
# Livestream, and Twitch
#
# - outbound port 53/UDP (DNS) used for DNS lookups converting
# hostnames to IP addresses
#
default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
standard_turn_service_ports="3478:3479,5349:5350"
standard_turn_service_udp_ports="49152:65535"
# -------------
# --- Predefined Ports
# -------------
# - unpriviligierte Ports
# -
unprivports="1024:65535"
# -------------
# --- Some IPv4-Address Configuration
# -------------
# - Loopback
loopback_ipv4="127.0.0.0/8"
# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
link_local_rfc_5735="169.254.0.0/16"
test_net_1_rfc_5735="192.0.2.0/24"
this_net_rfc_5735="0.0.0.0/8"
# - Multicast Addresse
class_d_multicast="224.0.0.0/3"
# Reserved Addresse
class_e_reserved="240.0.0.0/5"
# -------------
# --- Some IPv6-Address Configuration
# -------------
# unique local address (ULA) - private address block
ula_block="fc00::/7"
link_local_unicast_block="fe80::/10"
multicast_ipv6="ff00::/8"
# - Loopback
loopback_ipv6="::1/128"
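Review bot: `class_d_multicast="224.0.0.0/3"` and `class_e_reserved="240.0.0.0/5"` carry the wrong prefix lengths: IPv4 multicast is 224.0.0.0/4 (224.0.0.0 to 239.255.255.255) and the reserved class E block is 240.0.0.0/4; a /3 already spans 224.0.0.0 to 255.255.255.255, so any rule built on `$class_d_multicast` also matches class E and the limited broadcast address. Second, `stansard_mattermost_udp_ports_in` and `stansard_mattermost_udp_ports_out` are misspelled, so a script that references `standard_mattermost_udp_ports_in` gets an empty string and an empty port list in the resulting rule; `default_jitsi_dovecout_auth_port` has the same problem. Naming nit: `standard_print_port=9100` is the raw/JetDirect port and `standard_print_raw_port=515` is LPD, so the two names look swapped.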
@@ -0,0 +1,268 @@
#!/usr/bin/env bash
# - Set firewall command (either iptables or ip6tables)
#
if [[ -x "${ip6t}" ]] ; then
fw_command="${ip6t}"
elif [[ -x "${ipt}" ]] ; then
fw_command="${ipt}"
fi
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}
fatal (){
echo ""
echo -e "fatal Error: $*"
echo ""
echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
is_number() {
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
# - also possible
# -
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
#return $([[ ! -z "${1##*[!0-9]*}" ]])
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}
is_container() {
command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
}
# -------------
# - IPv6 handling
# -------------
ENABLE_IPV6="auto" # auto | yes | no
IPV6_ACTIVE=0
ipv6_sysctl_enabled() {
sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
}
has_ipv6_addr() {
ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
}
detect_ipv6() {
case "$ENABLE_IPV6" in
yes) return 0 ;;
no) return 1 ;;
auto) ipv6_sysctl_enabled ;;
*) return 1 ;;
esac
}
# -------------
# - Network Device Stuff
# -------------
# get virtual ethernet interfaces and the master of the given bridge
#
get_vth_ports() {
local br="$1"
# lists virtual interfaces (veth*)) and the master interface of the given bridge
ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
}
# -------------
# - Fail2ban
# -------------
FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
FAIL2BAN_WAS_RUNNING=false
fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
has_fail2ban() {
command -v fail2ban-client >/dev/null 2>&1
}
fail2ban_running() {
systemctl is-active --quiet fail2ban >/dev/null 2>&1
}
# -------------
# - Debian 12/13 compatibility helpers (best effort)
# -------------
ensure_mod() {
# ---
# Load a kernel module if possible (no hard failure).
# NOTE: In containers module loading is not possible; modules must be loaded on the host.
# ---
local m="$1"
# Already loaded?
if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
return 0
fi
# Skip in containers/guests without module loading capability
#
is_container && return 0
# Best effort modprobe
/sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
}
# --- Feature detection helpers (Debian 12/13 + containers)
module_loaded() {
lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}
can_use_recent() {
# xt_recent is the kernel module behind "-m recent"
# In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
module_loaded xt_recent && return 0
[ -d /proc/net/xt_recent ] && return 0
# As a last resort, ask iptables to parse the match (works if userspace has it)
"$ipt" -m recent -h >/dev/null 2>&1 && return 0
return 1
}
can_use_hashlimit() {
# xt_hashlimit is the kernel module behind "-m hashlimit"
module_loaded xt_hashlimit && return 0
[ -d /proc/net/xt_hashlimit ] && return 0
"${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_connlimit() {
# xt_connlimit is the kernel module behind "-m connlimit"
module_loaded xt_connlimit && return 0
"${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_owner() {
# xt_owner is the kernel module behind "-m owner"
module_loaded xt_owner && return 0
"${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
return 1
}
can_use_ct_target() {
# Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
"${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
return 1
}
can_use_helper_match() {
# Check if helper match exists
"${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
return 1
}
can_use_nft() {
command -v nft >/dev/null 2>&1 && return 0
return 1
}
setup_ftp_conntrack_helper_output() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
# Best-effort; may fail in containers without CAP_NET_ADMIN
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
return 1
}
setup_ftp_conntrack_helper_prerouting() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
return 1
}
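Review bot: `echononl` writes to the predictable path /tmp/shprompt$$ as root, the classic unsafe temp-file pattern (an existing file or symlink at that name is followed by the redirection); use `mktemp` or drop the probe, since under bash `echo -e -n "$*" 1>&2` alone is enough. Second, `can_use_recent` and `setup_ftp_conntrack_helper_prerouting` call `"$ipt"` while every neighbouring helper uses `"${fw_command}"`, so where `fw_command` resolves to ip6tables these two still probe and program iptables; the nft fallback likewise only creates tables in the `ip` family and never covers the IPv6 case. Minor: `error()` prints "Fehler" where the other helpers print English, `IPV6_ACTIVE` and `fail2ban_client` are set but never used, `has_ipv6_addr` is defined but `detect_ipv6` in auto mode only checks the sysctl, and the comment in `get_vth_ports` has a stray ")".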
@@ -0,0 +1,62 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 11"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv4 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
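Review bot: `if $(ps -e f | grep -q -E ...)` works only by accident: the substitution expands to an empty command line and bash then reports the substitution's exit status; write `if ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" ; then` instead. From a detection standpoint, `log_port_scanning`, `log_ssh_brute_force` and `log_blocked_ip` all default to false while the matching protections are on in the role defaults (`fw_protection_against_port_scanning: true`, `fw_protection_against_ssh_brute_force_attacks: true`), so those drops leave no trace in syslog or NFLOG; consider enabling them, rate-limited. Typos: "givven", "seoarated".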
@@ -0,0 +1,63 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 12"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv6 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
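Review bot: this file is a line-for-line copy of logging_ipv4.conf apart from `--nflog-group 12` and `log_prefix="[ IPv6 ]"`, and it repeats the `if $(...)` idiom and the "givven"/"seoarated" typos; one shared file with the group and prefix set by the caller (or a template with a family variable) would keep the two from drifting.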
@@ -0,0 +1,621 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# NAT (Masquerade) Network interfaces
# ---
declare -a nat_device_arr=()
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
for _ip in $lxc_guest_ips ; do
lxc_guest_ip_arr+=("$_ip")
done
# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
for _ip in $local_ips ; do
local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
for _user in $cgi_script_users ; do
cgi_script_user_arr+=($_user)
done
# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container)
# ---
declare -a ext_ip_arr
for _ip in $ext_ips ; do
host_ip_arr+=("$_ip")
done
# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
ext_if_arr+=("$_dev")
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr
for _dev in $wg_ifs ; do
wg_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Restrict local Servive to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
restrict_local_service_to_net_arr+=("$_val")
done
# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
restrict_local_net_to_net_arr+=("$_val")
done
# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
allow_ext_service_arr+=("$_val")
done
# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
allow_ext_net_arr+=("$_net")
done
# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
allow_local_service_arr+=("$_val")
done
# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr
for _service in $allow_local_service_from_networks ; do
allow_local_service_from_network_arr+=("$_service")
done
# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - Network Interfaces DHCP Service
# ---
declare -a dhcp_server_if_arr
for _dev in $dhcp_server_ifs ; do
dhcp_server_if_arr+=($_dev)
done
declare -a dhcp_client_if_arr
for _dev in $dhcp_client_ifs ; do
dhcp_client_if_arr+=($_dev)
done
# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
forward_dns_server_ip_arr+=("$_ip")
done
# ---
# - Netwoks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr
for _net in $resolver_allowed_networks ; do
resolver_allowed_network_arr+=("$_net")
done
# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
vpn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
forward_vpn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr
for _ip in $wireguard_server_ips ; do
wireguard_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_wireguard_server_ip_arr
for _ip in $forward_wireguard_server_ips ; do
forward_wireguard_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
ssh_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
forward_ssh_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
http_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
forward_http_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr
for _ip in $mm_server_ips ; do
mm_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mm_server_ip_arr
for _ip in $forward_mm_server_ips ; do
forward_mm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
ftp_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
forward_ftp_server_ip_arr+=("$_ip")
done
# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
smtpd_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
forward_smtpd_ip_arr+=("$_ip")
done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr
for _ip in $xmpp_server_ips ; do
xmpp_server_ip_arr+=("$_ip")
done
declare -a forward_xmpp_server_ip_arr
for _ip in $forward_xmpp_server_ips ; do
forward_xmpp_server_ip_arr+=("$_ip")
done
# ---
# - XMPP Remote Dovecote Out Service
# ---
declare -a xmmp_remote_out_service_arr
for _val in $xmmp_remote_out_services ; do
xmmp_remote_out_service_arr+=("$_val")
done
# ---
# - Mail Services (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
mail_server_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
forward_mail_server_ip_arr+=("$_ip")
done
# ---
# - Mail client (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
mail_client_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
forward_mail_client_ip_arr+=("$_ip")
done
# ---
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr
for _ip in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_ip")
done
# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
mumble_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
forward_mumble_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr
for _ip in $jitsi_server_ips ; do
jitsi_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jitsi_server_ip_arr
for _ip in $forward_jitsi_server_ips ; do
forward_jitsi_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr
for _ip in $jitsi_jibri_remote_ips ; do
jitsi_jibri_remote_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr
for _ip in $jibri_server_ips ; do
jibri_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jibri_server_ip_arr
for _ip in $forward_jibri_server_ips ; do
forward_jibri_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr
for _ip in $nc_turn_server_ips ; do
nc_turn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_nc_turn_server_ip_arr
for _ip in $forward_nc_turn_server_ips ; do
forward_nc_turn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr
for _ip in $tel_sys_ips ; do
tel_sys_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr
for _ip in $prometheus_local_server_ips ; do
prometheus_local_server_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr
for _ip in $prometheus_local_client_ips; do
prometheus_local_client_ip_arr+=("$_ip")
done
declare -a prometheus_remote_server_ip_arr
for _ip in $prometheus_remote_server_ips ; do
prometheus_remote_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
munin_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
forward_munin_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
forward_rsync_out_ip_arr+=("$_ip")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - XMPP Service (Jabber - Prosody)
# ---
declare -a xmmp_tcp_in_port_arr
for _port in $xmmp_tcp_in_ports ; do
xmmp_tcp_in_port_arr+=("$_port")
done
declare -a xmmp_tcp_out_port_arr
for _port in $xmmp_tcp_out_ports ; do
xmmp_tcp_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
vpn_port_arr+=("$_port")
done
# ---
# - Wireguard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr
for _port in $wireguard_server_ports ; do
wireguard_server_port_arr+=("$_port")
done
# ---
# - Wireguard out Ports
# ---
# local
declare -a wireguard_out_port_port_arr
for _port in $wireguard_out_ports ; do
wireguard_out_port_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
tcp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
forward_tcp_out_port_arr+=("$_port")
done
# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
udp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
forward_udp_out_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
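Review bot: the block under "IP-Addresses (Host, Guests (VServer, LX_Container)" declares `ext_ip_arr` but the loop appends to `host_ip_arr`, so `ext_ip_arr` is always empty and `host_ip_arr` is never declared; any rule keyed on `${ext_ip_arr[@]}` silently covers no addresses. Also `cgi_script_user_arr+=($_user)`, `dhcp_server_if_arr+=($_dev)` and `dhcp_client_if_arr+=($_dev)` are unquoted where every other loop quotes its element, and `wireguard_out_port_port_arr` doubles "port". Typos in comments and names: "completly", "Servive", "Netwoks", "Dovecote", "Portforwrds", and "outgoung" (also in `smtpd_additional_outgoung_port_arr`, which any caller has to misspell the same way).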
@@ -0,0 +1,13 @@
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ip6t-firewall-server start
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
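Review bot: `After=network.target` orders the firewall after the network is up, so interfaces can carry traffic with no rules loaded until ExecStart finishes; for a host firewall use `Before=network-pre.target` together with `Wants=network-pre.target` so the rules are in place before interfaces come up. `User=root` is the default for system units and can be dropped. With `ExecStop=... stop` on a `RemainAfterExit` oneshot, `systemctl stop` (and the first half of every restart) tears the rules down, which is worth a comment given the restart handlers in the role.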
@@ -0,0 +1,13 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-server start
ExecStop=/usr/local/sbin/ipt-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
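Review bot: same ordering issue as ip6t-firewall.service: `After=network.target` leaves a window after the interfaces are up and before the rules are loaded; `Before=network-pre.target` plus `Wants=network-pre.target` closes it, and `User=root` is redundant here too.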
@@ -0,0 +1,15 @@
---
- name: Reload systemd daemon
systemd:
daemon_reload: true
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
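Review bot: "Restart IPv4 Firewall" and "Restart IPv6 Firewall" restart a `Type=oneshot` unit whose ExecStop runs the script with `stop`, so every restart is a full teardown followed by a start; if the start then fails on a bad template value the host is left in whatever state the stop script leaves, and the play only reports the handler failure at the end. A validation step before notifying (or a reload mode in the script if one exists) would reduce that exposure. Style: the handlers mix the `systemd:` and `service:` modules; one module throughout reads more consistently.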
@@ -0,0 +1,215 @@
---
# ===
# Ensure /etc/ipt-firewall directory exists
# ===
- name: Create /etc/ipt-firewall if not present
file:
path: /etc/ipt-firewall
state: directory
owner: root
group: root
mode: "0750"
# ===
# Check presence of host-specific config files
# ===
- name: Check if interfaces_ipv4.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if interfaces_ipv6.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
- name: Check if main_ipv4.conf exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv4_exists
- name: Check if main_ipv6.conf exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
# ===
# Deploy host-specific config files from templates.
#
# Safety guard: by default (fw_manage_config: false) a file is only written
# when it does not yet exist on the host — so existing hosts are never touched
# accidentally.
#
# Once a host has been migrated (host_vars populated and diff verified), set
# fw_manage_config: true
# in its host_vars. From that point on Ansible is the authoritative source and
# will update the config on every run, triggering a firewall restart on changes.
# ===
- name: Deploy interfaces_ipv4.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv4.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy interfaces_ipv6.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv6.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: Deploy main_ipv4.conf from template
template:
src: etc/ipt-firewall/main_ipv4.conf.j2
dest: /etc/ipt-firewall/main_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy main_ipv6.conf from template
template:
src: etc/ipt-firewall/main_ipv6.conf.j2
dest: /etc/ipt-firewall/main_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
# ===
# Firewall scripts
# ===
- name: Deploy ipt-firewall-server
copy:
src: usr/local/sbin/ipt-firewall-server
dest: /usr/local/sbin/ipt-firewall-server
owner: root
group: root
mode: "0750"
- name: Deploy ip6t-firewall-server
copy:
src: usr/local/sbin/ip6t-firewall-server
dest: /usr/local/sbin/ip6t-firewall-server
owner: root
group: root
mode: "0750"
# ===
# Shared conf files (not host-specific — always kept in sync with the role)
# ===
- name: Deploy shared conf files
copy:
src: "etc/ipt-firewall/{{ item }}"
dest: "/etc/ipt-firewall/{{ item }}"
owner: root
group: root
mode: "0640"
loop:
- default_settings.conf
- include_functions.conf
- logging_ipv4.conf
- logging_ipv6.conf
- post_declarations.conf
# ===
# Ban lists — copy from sample once; the file can be customised per host.
# ===
- name: Check if ban_ipv4.list exists
stat:
path: /etc/ipt-firewall/ban_ipv4.list
register: ban_ipv4_exists
- name: Copy ban_ipv4.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv4.list.sample
dest: /etc/ipt-firewall/ban_ipv4.list
owner: root
group: root
mode: "0640"
when: not ban_ipv4_exists.stat.exists
- name: Check if ban_ipv6.list exists
stat:
path: /etc/ipt-firewall/ban_ipv6.list
register: ban_ipv6_exists
- name: Copy ban_ipv6.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv6.list.sample
dest: /etc/ipt-firewall/ban_ipv6.list
owner: root
group: root
mode: "0640"
when: not ban_ipv6_exists.stat.exists
# ===
# Systemd service units
# ===
- name: Deploy ipt-firewall.service
copy:
src: etc/systemd/system/ipt-firewall.service
dest: /etc/systemd/system/ipt-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv4 Firewall
- name: Deploy ip6t-firewall.service
copy:
src: etc/systemd/system/ip6t-firewall.service
dest: /etc/systemd/system/ip6t-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv6 Firewall
# ===
# Enable and start services
# ===
- name: Enable and start ipt-firewall
systemd:
name: ipt-firewall
enabled: true
state: started
daemon_reload: true
- name: Enable and start ip6t-firewall
systemd:
name: ip6t-firewall
enabled: true
state: started
daemon_reload: true
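Review bot: "Deploy ipt-firewall-server", "Deploy ip6t-firewall-server" and "Deploy shared conf files" have no `notify`, so a changed firewall script or a changed default_settings.conf (where the port and network constants live) is copied but not applied until the next reboot or a manual restart; add the same restart handlers the template tasks use. Also `when: fw_manage_config or not ...` raises an undefined-variable error on hosts whose host_vars do not set `fw_manage_config` unless the role defaults define it; `fw_manage_config | default(false)` would preserve the documented safe default. The 0750/0640 root-only modes are appropriate, since the interface and ban lists describe the host's topology.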
@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v4 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
# - Devices given in list "nat_devices" will be natted
# -
# - Blank separated list
# -
nat_devices="{{ fw_nat_devices }}"
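Review bot: the indexed variables `ext_if_1` … `ext_if_3`, `local_if_1` … `local_if_3` and `lxc_guest_1_ip` … `lxc_guest_7_ip` silently drop every list entry beyond the fixed count, while the aggregate lines (`ext_ifs="{{ fw_ext_interfaces | join(' ') }}"`, `lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"`) still carry the full list, so a host with four external interfaces or eight LXC guests gets an internally inconsistent config and no error. Add an `assert` task (`that: fw_ext_interfaces | length <= 3`, likewise for `fw_local_interfaces`, `fw_ext_ips_v4`, `fw_local_ips_v4` and `fw_lxc_guest_ips_v4`) or render the numbered lines with a `{% for %}` loop so the count follows the data. Secondary: every value is interpolated inside hand-written bash double quotes without escaping, and these files are executed by bash (`#!/usr/bin/env bash`), so a value containing `"`, `$(` or a backtick changes the script instead of the setting. Either validate the inventory values in the same `assert` (a `regex_search` for interface names and addresses) or drop the hand-written quotes and render `ext_if_1={{ ... | quote }}`, which shell-quotes the value itself.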
@@ -0,0 +1,67 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v6 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"
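Review bot: this file is the IPv4 interfaces template with `fw_ext_ips_v4` / `fw_local_ips_v4` / `fw_lxc_guest_ips_v4` swapped for their `_v6` counterparts and the `nat_devices` block removed; the interface half (`ext_if_*`, `vpn_ifs`, `wg_ifs`, `local_if_*`, `ext_ifs`, `local_ifs`) reads exactly the same `fw_ext_interfaces`, `fw_vpn_ifs`, `fw_wg_ifs` and `fw_local_interfaces` variables as the IPv4 file. Two copies mean every later fix (the fixed-count truncation of the numbered variables, the unescaped interpolation) has to land twice and will drift. Suggest one template rendered twice, with the address family passed via `vars:` on the `template` task (e.g. `ip_family: v4` / `v6`) and the address lists fetched with `lookup('vars', 'fw_ext_ips_' ~ ip_family)`, the `nat_devices` lines wrapped in `{% if ip_family == 'v4' %}`. While touching the header comments: state whether entries in `fw_ext_ips_v6` and `fw_local_ips_v6` are expected as bare addresses or with a prefix length (`/64`), since a trailing prefix turns a host match into a network match and the IPv4 sibling gives no hint either.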
@@ -0,0 +1,357 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv4 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v4 }}"
# -------------
# --- Access control (source-based)
# -------------
# restrict_local_service_to_net="ext-net:local-address:port:protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v4 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v4 }}"
# allow_local_service="<port>:<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v4 }}"
# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DHCP (IPv4 only)
# -------------
# Comma separated list of interfaces providing DHCP
dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
# Comma separated list of interfaces acting as DHCP clients
dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv4 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv4)
# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v4 }}"
portforward_udp="{{ fw_portforward_udp_v4 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv4)
# -------------
kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
dynaddr_flag="{{ fw_dynaddr_flag }}"
kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
kernel_log_martians={{ fw_kernel_log_martians | lower }}
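Review bot: `munin_remote_ip="{{ munin_remote_ipv4 }}"` is the only value in this file read from a variable without the `fw_` prefix; every other setting comes from a `fw_*` variable, so this is either a typo for `fw_munin_remote_ipv4` (which the role defaults would then have to define) or a dependency on a variable set elsewhere in the inventory, in which case the template fails to render on every host that does not define it. Rename it, or give it `| default('')` and document the dependency in the role README. Two more names should be checked against the script that sources this file rather than against the Ansible side: `smtpd_additional_outgoung_ports` (assigned from the correctly spelled `fw_smtpd_additional_outgoing_ports`) and the `xmmp_*` family sitting next to `xmpp_server_ips`. If the consumer reads `smtpd_additional_outgoing_ports`, the extra ports are silently never opened; if it really reads `outgoung`, the misspelling deserves a comment so nobody "fixes" it later. Last, the unquoted booleans (`drop_icmp={{ fw_drop_icmp | lower }}` and the other `| lower` lines) render a quoted inventory string such as `"yes"` or `"on"` as `yes` / `on` rather than `true`; `{{ fw_drop_icmp | bool | lower }}` normalises whatever the inventory author wrote to `true` / `false`.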
@@ -0,0 +1,337 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv6 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v6 }}"
# -------------
# --- Access control (source-based)
# --- Note: IPv6 uses comma as field separator (not colon)
# -------------
# restrict_local_service_to_net="ext-net,local-address,port,protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v6 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v6 }}"
# allow_local_service="<port>,<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v6 }}"
# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="2001:678:a40:3000::/64"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv6 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv6)
# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v6 }}"
portforward_udp="{{ fw_portforward_udp_v6 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv6)
# -------------
kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
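Review bot: most address-valued settings in this IPv6 file (`ssh_server_ips`, `http_server_ips`, `smtpd_ips`, `mail_server_ips`, `mail_client_ips`, `blocked_ips`, `ntp_allowed_net`, `jitsi_jibri_remote_ips`, `rsync_out_ips`, `xymon_server_ips`, `prometheus_*_ips` and all the `forward_*_ips` lines) read the very same `fw_*` variable as the IPv4 template, while only a few (`fw_forward_private_ips_v6`, `fw_allow_ext_net_v6`, `fw_resolver_allowed_networks_v6`, `fw_dovecot_auth_allowed_networks_v6`, `fw_xmmp_remote_out_services_v6`, `fw_portforward_tcp_v6` / `fw_portforward_udp_v6`) got a `_v6` variant. An IPv4 literal in `fw_blocked_ips` therefore lands in the ip6tables config and an IPv6 literal in the iptables one; `ip6tables` rejects an IPv4 address outright, so that rule fails to load and, depending on how the script treats errors, possibly the rest of the ruleset with it. Either give every address-valued variable `_v4` / `_v6` variants, as this file already does for the resolver and dovecot networks, or state in the defaults that the shared variables must hold hostnames only. Same remark as for the IPv4 file on `munin_remote_ip="{{ munin_remote_ipv6 }}"`: unprefixed variable, no `default`, rendering fails wherever it is not set.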