update..

ansible-dependencies-ububtu-noble-sudo.yml

@@ -0,0 +1,8 @@
+---
+
+- hosts: initial_setup
+  gather_facts: false
+
+  roles:
+     - ansible_dependencies-ubuntu-noble
+     - ansible_user_debian

environments/ubuntu-server/files

@@ -0,0 +1 @@
+../../files

environments/ubuntu-server/inventory

@@ -0,0 +1,37 @@
+[ansible_dependencies]
+formbricks-nd.oopen.de
+
+[initial_setup]
+formbricks-nd.oopen.de
+
+[lxc_guest]
+formbricks-nd.oopen.de
+
+
+[lxc_host]
+
+
+
+[docker_host]
+
+[kvm_host]
+
+[oopen_office_server]
+
+[samba_server]
+
+[jitsi_meet_server]
+
+[mysql_server]
+
+[postgresql_server]
+
+[apache2_webserver]
+
+[nextcloud_server]
+
+[dns_server]
+
+[mail_server]
+
+[webadmin]

group_vars/all/main.yml

@@ -976,6 +976,122 @@ apt_initial_install_jammy:
   - ifupdown
   - socat
 
+apt_initial_install_ubuntu_noble:
+  - cryptsetup
+  - dbus
+  - openssh-server
+  - rush
+  - bash
+  - bash-completion
+  - vim
+  - vim-common
+  - vim-doc
+  - mc
+  - screen
+  - tmux
+  - cron
+  - bc
+  - figlet
+  - sudo
+  - rsync
+  - dselect
+  - iputils-ping
+  - apt-utils
+  - aptitude
+  - zip
+  - unzip
+  - bzip2
+  - arj
+  - locate
+  - curl
+  - gawk
+  - mawk
+  - lynx
+  - links
+  - w3m
+  - universal-ctags
+  - file
+  - coreutils
+  - moreutils
+  - less
+  - sipcalc
+  - psmisc
+  - dnsutils
+  - rblcheck
+  - whois
+  - gettext
+  - gettext-base
+  - gettext-doc
+  - debian-keyring
+  - patch
+  - patchutils
+  - recode
+  - recode-doc
+  - librecode0
+  - librecode-dev
+  - sharutils
+  - perl
+  - perl-modules
+  - perl-doc
+  - libperl-dev
+  - libreadline-dev
+  - libterm-readline-gnu-perl
+  - libterm-readline-perl-perl
+  - libterm-readkey-perl
+  - libmail-imapclient-perl
+  - libtime-duration-perl
+  - libtimedate-perl
+  - libwww-perl
+  - libpcre3
+  - libio-compress-perl
+  - re2c
+  - util-linux
+  - parted
+  - lshw
+  - gdisk
+  - smartmontools
+  - tcpdump
+  - unhide
+  - lsof
+  - hdparm
+  - groff
+  - iproute2
+  - bridge-utils
+  - vlan
+  - ethtool
+  - wipe
+  - iperf
+  - mtr
+  - iptraf
+  - wget
+  - logrotate
+  - rsyslog
+  - haveged
+  - rdate
+  - ntpdate
+  - wipe
+  - man
+  - groff
+  - iptables
+  - shellcheck
+  - ssl-cert
+  - ssl-cert-check
+  - git
+  - ftp
+  - htop
+  - net-tools
+  - lsb-release
+  - attr
+  - acl
+  - quota
+  - quotatool
+  - needrestart
+  - socat
+  - zsh
+  - lua5.4
+  - btrfs-progs
+  - fdisk
+
 install_compiler_pkgs: false
 apt_compiler_pkgs:
   - g++
@@ -1918,11 +2034,11 @@ tor_hidden_service_port:
 # vars used by modify-munin-ip.yml
 # ---
 
-munin_remote_ipv4: 135.181.136.84
-munin_remote_ipv6: 2a01:4f9:3a:1051::84
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::227
 
-munin_remote_ipv4_old: 95.217.64.122
-munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4_old: 135.181.136.84
+munin_remote_ipv6_old: 2a01:4f9:3a:1051::84
 
 
 # ---
@@ -2253,6 +2369,15 @@ bind9_gateway_allow_recursion:
 # vars used by roles/common/tasks/git.yml
 # ---
 
+
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+local_ntp_service: false
+
+ntp_server: {}
+
 # ---
 # Firewall repository
 # ---

group_vars/oopen_office.yml

@@ -110,6 +110,12 @@ sudo_users:
 # vars used by roles/common/tasks/git.yml
 # ---
 
+
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+
 # ==============================
 
 

host_vars/backup.oopen.de.yml

@@ -262,8 +262,10 @@ default_user:
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtIXFS9OrKBvBl+fKtYN/lOOKpPuuc02H8HV+++LeBU root@backup'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZkez42c+5KVt/ZOhwslO321ibzV02oMImImRGNBIRD root@backup.warenform.de'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKT+QOy+R6O4ojAeB7y/CRMmfbB19rFstvEW7saHpHMX root@c.mx'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXaxrm1MdUsiGviWJX/LaaaTaHga7+GKXYZPjUr5aBV root@chamaesiphon'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPrJu40Up1x9VCTTac6+ANjJ2NFXfDb5v3dP4pVgm+c root@cl-01'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7JBJ0qQJsTlADj/zMoxGlzPCGlnh0ngDS5+tkyVqgf root@cl-02'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORi7e7u0KhCkCB8iCmPud0hzCwnJVhxpPmy8vFFkFgY root@cl-dissens'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3VloFw13vVt8UAV5h0860Wq/vFJEm5EazOqM+cVe17 root@cl-flr'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
@@ -307,6 +309,7 @@ default_user:
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEM1SI7Lwk0G8UycysL7ZPdXm1DRGgPnr01B0ewRGEKi root@o24'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJKfPInE9VjXVe+6DQ+4/H1nQJwXljYEK6gwfmTDgGy root@o26'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9ftVcNMv6pW2HDM12fIbOOEvq1fcd74kbO4LHfhGH root@o28'
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtACieGFf34NDepB9GqJjVqji6bf6xrO1LevXgm3aN+ root@o29'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE70FVVu2bsdH2qJITFVSDEPraiI4uSCuzEkYlbl6pRW root@o30'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF0+aRoMxzmiQCAIMajNhbTZEumtZ9yCG2Nb4ucqK8lo root@o31'
       - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJvhepf3kho9zJz1QO52aLbr4/Rim/FLdENg1GNKCPx root@o32'

host_vars/backup.warenform.de.yml

@@ -170,16 +170,6 @@ cron_user_entries:
     hour: '*'
     job: /root/bin/postfix/check-postfix-fatal-errors.sh
 
-  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
-    minute: '23'
-    hour: '05'
-    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
-
-  - name: "Check whether all certificates are included in the VHOST configurations"
-    minute: '33'
-    hour: '05'
-    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
-
   - name: "Check if remote website is online"
     minute: '*/15'
     hour: '7-23'

host_vars/cl-dissens.oopen.de.yml

@@ -0,0 +1,151 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+sudo_users:
+  - chris
+  - sysadm
+  - localadmin
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+sudoers_file_user_privileges:
+  - name: back
+    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+

host_vars/file-blkr.blkr.netz.yml

@@ -339,6 +339,10 @@ samba_user:
     groups:
       - buero
     password: '4/zCNXnVF7+i'
+  - name: refa
+    groups:
+      - buero
+    password: 'Mehringdamm40'
   - name: ref1
     groups:
       - buero

host_vars/file-dissens.dissens.netz.yml

@@ -184,7 +184,7 @@ cron_user_special_time_entries:
 
 sudoers_file_user_aliases:
    - name: MAIN_USER
-     entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgrem,mario.freidank '
+     entry: 'malte.taeubrich, ulla.wittenzellner, sarah.klemm, bernard.koennecke, elenor.faellgren, mario.freidank '
 
 sudoers_file_cmnd_aliases:
    - name: REBOOT 
@@ -219,6 +219,15 @@ sudoers_file_user_privileges:
 # ---
 
 
+# ---
+# vars used by roles/common/tasks/ntp.yml
+# ---
+
+local_ntp_service: true
+
+ntp_server: gw-dissens.dissens.netz
+
+
 # ---
 # vars used by roles/common/tasks/nfs.yml
 # ---
@@ -264,9 +273,9 @@ samba_groups:
   - name: projekte
     group_id: 1110
   - name: verwaltung
-    group_id: 1120
+    group_id: 1200
   - name: gf
-    group_id: 1120
+    group_id: 1300
 
 samba_user:
   - name: bernard.koennecke
@@ -296,62 +305,113 @@ samba_user:
       - projekte
       - team
       - verwaltung
-    password: '20-da-v1d.g3lh44r_24%'
+    password: '20-dav1d.g3lh44r_24%'
 
-  - name: elenor.faellgrem
+  - name: elenor.faellgren
     groups:
       - projekte
       - team
-    password: '20/313n0r-g3l.h4r/24?'
+      - verwaltung
+    password: '20/3l3n0r-fa3llg3em/24?'
+
   - name: johanna.hess
     groups:
-      - buero
-      - verwaltung
-    password: '20_j0.h4nn4_h3ss-24+'
+      - projekte
+      - team
+    password: '20_j0h4nn4_h3ss-24+'
 
-  - name: leonie
+  - name: johanna.ruekgauer
     groups:
-      - buero
+      - projekte
+    password: '20.j0hanna.ru3kgau3r+24!'
+
+  - name: laura.sasse
+    groups:
+      - projekte
+      - team
+    password: '20/l4ur4-s4sse-24?'
+
+  - name: maite.gabriel
+    groups:
+      - projekte
+    password: '20+m4ite.g4briel-24+'
+
+  - name: malte.taeubrich
+    groups:
+      - gf
+      - projekte
+      - team
       - verwaltung
-    password: '6.4aVX7rQ-9H'
-  - name: philip
+    password: '20%m4lt3-t3ubrich+24!'
+
+  - name: mario.freidank
     groups:
-      - buero
+      - projekte
+      - team
       - verwaltung
-    password: 'fN%749Psv_NR'
-  - name: buero1
+    password: '20-mar1o.fr31dank-24+'
+
+  - name: olaf.stuve
     groups:
-      - buero
-    password: 'Mfr!7tK+d49C'
-  - name: buero2
+      - projekte
+    password: '20-0l4f_stuve_24?"'
+
+  - name: ralph.klesch
     groups:
-      - buero
-    password: 'gW-wg3Pttf4/'
-  - name: buero3
-    groups:
-      - buero
-    password: 'Qc-WyMhJ/3-2'
-  - name: referendariat
-    groups:
-      - buero
-    password: '4/zCNXnVF7+i'
-  - name: ref1
-    groups:
-      - buero
-    password: '???'
-  - name: sebastian
-    groups:
-      - buero
+      - projekte
+      - team
       - verwaltung
-    password: 'bhNC.P5eTy-2'
-  - name: buero-05
+    password: '20/r4lph-kl3sch.24-'
+
+  - name: rositsa.mahdi
     groups:
-      - buero
-    password: '5/SXbV-M3vmQ'
-  - name: buero-06
+      - projekte
+    password: '20.ros1tsa-mahd1+24+'
+
+  - name: sarah.klemm
     groups:
-      - buero
-    password: 'N-ba2R+i/2eM'
+      - gf
+      - projekte
+      - team
+      - verwaltung
+    password: '20.s4r4h_kl3mm-24!'
+
+  - name: sebastian.scheele
+    groups:
+      - projekte
+      - team
+    password: '20/s3-bast1an+sch33l3_24-'
+
+  - name: simon.krugmann
+    groups:
+      - projekte
+    password: '20%sim0n.krugm4nn.24?'
+
+  - name: tabea.koepp
+    groups:
+      - projekte
+      - team
+    password: '20?tab3a/ko3pp.24/'
+
+  - name: till.dahlmueller
+    groups:
+      - projekte
+      - team
+    password: '20.t1ll/d4hlmueller-24!'
+
+  - name: ulla.wittenzellner
+    groups:
+      - gf
+      - projekte
+      - team
+      - verwaltung
+    password: '20+ull4_w1tt3nz3lln3r_24-'
+
+  - name: yannik.markhof
+    groups:
+      - projekte
+      - team
+    password: '20.y4nnik/m4rkhof_24/'
 
 base_home: /data/home
 
@@ -360,14 +420,37 @@ base_home: /data/home
 #   - name: name2
 #
 remove_samba_users: []
+#remove_samba_users: 
+#  - name: elenor.faellgrem
+#  - name: maiken.schiele
 
 samba_shares:
 
-  - name: buero
-    comment: Buero auf Fileserver
-    path: /data/samba/shares/buero
-    group_valid_users: buero
-    group_write_list: buero
+  - name: GF
+    comment: GF auf Fileserver
+    path: /data/samba/shares/GF
+    group_valid_users: gf
+    group_write_list: gf
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+
+  - name: Projekte
+    comment: verwaltung auf Fileserver
+    path: /data/samba/shares/Projekte
+    group_valid_users: projekte
+    group_write_list: projekte
+    file_create_mask: !!str 664
+    dir_create_mask: !!str 2775
+    vfs_object_recycle: true
+    recycle_path: '@Recycle'
+
+  - name: Team
+    comment: verwaltung auf Fileserver
+    path: /data/samba/shares/Team
+    group_valid_users: team
+    group_write_list: team
     file_create_mask: !!str 664
     dir_create_mask: !!str 2775
     vfs_object_recycle: true
@@ -375,11 +458,11 @@ samba_shares:
 
   - name: Verwaltung
     comment: verwaltung auf Fileserver
-    path: /data/samba/shares/verwaltung
+    path: /data/samba/shares/Verwaltung
     group_valid_users: verwaltung
     group_write_list: verwaltung
-    file_create_mask: !!str 664
-    dir_create_mask: !!str 2775
+    file_create_mask: !!str 660
+    dir_create_mask: !!str 2770
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 

host_vars/file-km.anw-km.netz.yml

@@ -413,6 +413,7 @@ samba_user:
 
   - name: irina
     groups:
+      - advoware
       - alle
       - aulmann
       - howe
@@ -423,6 +424,7 @@ samba_user:
 
   - name: jessica
     groups:
+      - advoware
       - alle
       - aulmann
       - howe

host_vars/ga-st-gw.ga.netz.yml

@@ -200,8 +200,10 @@ network_interfaces:
       downdelay: 200
       updelay: 200
     post-up:
-      # VLAN 121 - for Ubiquiti UniFi Accesspoints)
+      # VLAN 121 - for Ubiquiti UniFi Accesspoints
       - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
+      # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
+      - /sbin/ip link add link bond1 name bond1.131 type vlan id 131
       # Route ???
       - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
 
@@ -215,6 +217,15 @@ network_interfaces:
     netmask: 20
 
 
+  - device: bond1.131
+    headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net
+    auto: true
+    family: inet
+    method: static
+    address: 10.131.15.254
+    netmask: 20
+
+
   - device: bond1:ns
     headline: bond1:ns - Alias IP on bond1 device for Nameservice
     auto: true

host_vars/ga-st-gw.oopen.de.yml

@@ -1,551 +0,0 @@
----
-# ---
-# vars used by roles/network_interfaces
-# ---
-
-
-# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
-network_manage_devices: True
-
-# Should the interfaces be reloaded after config change?
-network_interface_reload: False
-
-network_interface_path: /etc/network/interfaces.d
-network_interface_required_packages:
-  - vlan
-  - bridge-utils
-  - ifmetric
-  - ifupdown
-  - ifenslave
-
-network_interfaces:
-
-  - device: eth2
-    headline: eth2 - Uplink static line (radio) to Altenschlirf
-    auto: true
-    family: inet
-    method: static
-    address: 172.16.111.254
-    netmask: 24
-    up:
-      # - For management Antennas
-      - /sbin/ip link add link eth2 name eth2.111 type vlan id 111
-    post-up:
-      # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
-      # -
-      # - Telefon Altenshlirf
-      - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
-      # User Network Altenshlirf
-      - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
-      # Management Network Altenschlirf
-      - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
-      # WLan Router (Accesspoints) Altenshlirf
-      - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
-      # # WLan Networks Altenshlirf
-      - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
-      # DSL via Fritzbox Altenschlirf
-      - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
-      # - WLAN Gemeinschaft Altenschlirf (Unifi routet Network)
-      - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
-      # VPN home Network Altenschlirf
-      #
-      - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
-      # private networks 'ckubu'
-      #
-      # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
-      # so we route them back to that gateway..
-      - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
-      - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
-
-
-  - device: eth2.111
-    headline: eth2.111 - network 10.10.111.0 (management antennas)
-    auto: true
-    family: inet
-    method: static
-    address: 10.10.111.254
-    netmask: 24
-
-
-  - device: eth8 
-    headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
-    auto: false
-    family: inet
-    method: manual
-    up:
-      - /sbin/ip link add link eth8 name eth8.211 type vlan id 211
-
-
-  - device: eth8.211
-    headline: eth8.211 - Network Telefons Stockhausen
-    auto: true
-    family: inet
-    method: static
-    # Note:
-    #    !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
-    #       This LANCom Router IS NOT pngable                                 !!
-    address: 172.16.211.1
-    netmask: 24
-    pre-up:
-      - /sbin/ifconfig eth8 up
-
-
-  - device: eth9
-    headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
-    auto: true
-    family: inet
-    method: static
-    address: 172.16.11.1
-    netmask: 24
-    gateway: 172.16.11.254
-
-
-  - device: eth10
-    headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
-    auto: true
-    family: inet
-    method: static
-    address: 172.16.13.1
-    netmask: 24
-    gateway: 172.16.13.254
-
-
-  - device: eth11
-    headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
-    auto: true
-    family: inet
-    method: static
-    address: 172.16.12.1
-    netmask: 24
-    gateway: 172.16.12.254
-
-
-    # ----------
-    # Note: Install the 'ifenslave' package, necessary to enable bonding:
-    # 
-    #    apt-get install ifenslave
-    # ----------
-  - device: bond0
-    headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
-    auto: true
-    family: inet
-    method: static
-    address: 10.1.9.254
-    netmask: 24
-    bond:
-      slaves: eth0 eth4
-      # Mode 4 (802.3ad)
-      #
-      #    also possible here:
-      #       - Mode 5: balance-tlb
-      #       - Mode 6: balance-alb
-      mode: 4
-      miimon: 100
-      lacp-rate: 1
-      ad-select: count
-      downdelay: 200
-      updelay: 200
-    post-up:
-      # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
-      - /sbin/ip link add link bond0 name bond0.11 type vlan id 11
-      # VLAN 78 for network Georgshaus 192.168.78.0/24
-      - /sbin/ip link add link bond0 name bond0.78 type vlan id 78
-
-
-  - device: bond0.11
-    headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
-    auto: true
-    family: inet
-    method: static
-    address: 10.10.11.254
-    netmask: 24
-
-
-  - device: bond0.78
-    headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
-    auto: true
-    family: inet
-    method: static
-    address: 192.168.78.254
-    netmask: 24
-
-
-    # ----------
-    # Note: Install the 'ifenslave' package, necessary to enable bonding:
-    # 
-    #    apt-get install ifenslave
-    # ----------
-  - device: bond1
-    headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen
-    auto: true
-    family: inet
-    method: static
-    address: 192.168.11.254
-    netmask: 24
-    nameservers:
-      - 192.168.11.1
-      - 192.168.10.3
-    search: ga.netz ga.intra
-    bond:
-      slaves: eth1 eth5
-      # Mode 4 (802.3ad)
-      #
-      #    also possible here:
-      #       - Mode 5: balance-tlb
-      #       - Mode 6: balance-alb
-      mode: 4
-      miimon: 100
-      lacp-rate: 1
-      ad-select: count
-      downdelay: 200
-      updelay: 200
-    post-up:
-      # VLAN 121 - for Ubiquiti UniFi Accesspoints)
-      - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
-      # Route ???
-      - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
-
-
-  - device: bond1.121
-    headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints
-    auto: true
-    family: inet
-    method: static
-    address: 10.121.15.254
-    netmask: 20
-
-
-  - device: bond1:ns
-    headline: bond1:ns - Alias IP on bond1 device for Nameservice
-    auto: true
-    family: inet
-    method: static
-    address: 192.168.11.1
-    netmask: 32
-
-
-  - device: bond1:1
-    headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
-    auto: true
-    family: inet
-    method: static
-    address: 10.10.9.254
-    netmask: 24
-
-
-  - device: bond1:ap
-    headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
-    auto: true
-    family: inet
-    method: static
-    address: 10.112.1.254
-    netmask: 24
-    post-up:
-      # - Wireless Networks routed through appropriate Accesspoints
-      # -
-      - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
-      - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
-      - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
-      - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
-      - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
-      - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
-      - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
-      - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
-      - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
-      - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
-      - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
-      - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
-      - /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
-      - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
-      - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
-
-
-  - device: bond1:ipmi
-    headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
-    auto: true
-    family: inet
-    method: static
-    address: 10.11.11.254
-    netmask: 24
-
-
-# ---
-# vars used by roles/ansible_dependencies
-# ---
-
-
-# ---
-# vars used by roles/ansible_user
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/basic.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/sshd.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/apt.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/systemd-resolved.yml
-# ---
-
-systemd_resolved: true
-
-# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
-#   Primäre DNS-Adresse: 38.132.106.139
-#   Sekundäre DNS-Adresse: 194.187.251.67
-#
-# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
-#   primäre DNS-Adresse
-#      IPv4: 1.1.1.1
-#      IPv6: 2606:4700:4700::1111
-#   sekundäre DNS-Adresse
-#      IPv4: 1.0.0.1
-#      IPv6: 2606:4700:4700::1001
-#
-# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
-#   primäre DNS-Adresse
-#      IPv4: 8.8.8.8
-#      IPv6: 2001:4860:4860::8888
-#   sekundäre DNS-Adresse
-#      IPv4: 8.8.4.4
-#      IPv6: 2001:4860:4860::8844
-#
-# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
-#   primäre DNS-Adresse
-#      IPv4: 9.9.9.9
-#      IPv6: 2620:fe::fe
-#   sekundäre DNS-Adresse
-#      IPv4: 149.112.112.112
-#      IPv6: 2620:fe::9
-#
-# OpenNIC - https://www.opennic.org/
-#      IPv4: 195.10.195.195 - ns31.de
-#      IPv4: 94.16.114.254  - ns28.de
-#      IPv4: 51.254.162.59  - ns9.de
-#      IPv4: 194.36.144.87  - ns29.de
-#      IPv6: 2a00:f826:8:2::195 - ns31.de
-#
-# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
-#    IPv4: 5.1.66.255
-#    IPv6: 2001:678:e68:f000::
-#    Servername für DNS-over-TLS: dot.ffmuc.net
-#    IPv4: 185.150.99.255
-#    IPv6: 2001:678:ed0:f000::
-#    Servername für DNS-over-TLS: dot.ffmuc.net
-#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
-resolved_nameserver:
-  - 127.0.0.1
-
-# search domains
-#
-# If there are more than one search domains, then specify them here in the order in which
-# the resolver should also search them
-#
-#resolved_domains: []
-resolved_domains:
-  - ~.
-  - ga.netz
-  - ga.intra
-
-resolved_dnssec: false
-
-# dns.as250.net: 194.150.168.168
-#
-resolved_fallback_nameserver:
-   - 192.168.10.1
-
-
-
-# ---
-# vars used by roles/common/tasks/users.yml
-# ---
-
-insert_ssh_keypair_backup_server: false
-ssh_keypair_backup_server:
-  - name: backup
-    backup_user: back
-    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
-    priv_key_dest: /root/.ssh/id_rsa
-    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
-    pub_key_dest: /root/.ssh/id_rsa.pub
-
-insert_keypair_backup_client: true
-ssh_keypair_backup_client:
-  - name: backup
-    priv_key_src: root/.ssh/id_ed25519.oopen-server
-    priv_key_dest: /root/.ssh/id_ed25519
-    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
-    pub_key_dest: /root/.ssh/id_ed25519.pub
-    target: backup.oopen.de
-
-
-
-default_user:
-
-  - name: chris
-    password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
-
-  - name: maadmin
-    password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
-
-  - name: wadmin
-    password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
-
-  - name: sysadm
-    user_id: 1050
-    group_id: 1050
-    group: sysadm
-    password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
-
-  - name: back
-    user_id: 1060
-    group_id: 1060
-    group: back
-    password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
-    shell: /bin/bash
-    ssh_keys:
-      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
-
-sudo_users:
-  - chris
-  - sysadm
-  - wadmin
-  - maadmin
-
-
-# ---
-# vars used by roles/common/tasks/users-systemfiles.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/webadmin-user.yml
-# ---
-
-
-# ---
-# vars used by roles/common/tasks/sudoers.yml
-# ---
-#
-# see: roles/common/tasks/vars
-
-
-# ---
-# vars used by roles/common/tasks/caching-nameserver.yml
-# ---
-
-install_bind_packages: true
-
-bind9_gateway_acl:
-  - local-net:
-    name: local-net
-    entries:
-      - 127.0.0.0/8
-      - 172.16.0.0/12
-      - 192.168.0.0/16
-      - 10.0.0.0/8
-      - fc00::/7
-      - fe80::/10
-      - ::1/128
-  - internaldns:
-    name: internaldns
-    entries:
-      - '# Nameserver Gateway Stockhausen'
-      - 192.168.11.1
-      - '# Domain Controller Stockhausen'
-      - 192.168.10.3
-      - '# Nameserver Gateway Altenschlirf'
-      - 192.168.10.1
-      - '# Domain Controller Altenschlirf'
-      - 192.168.10.3
-      - 192.168.10.6
-      - 172.16.0.1
-      - '# Nameserver Gateway Novalishaus'
-      - 192.168.81.1
-      - 10.2.11.2
-      - '# Nameserver wolle'
-      - 10.113.12.3
-      - '# Postfix Mailserver'
-      - 192.168.11.2
-      - '# Mail Relay System'
-      - 192.168.10.2
-
-bind9_gateway_listen_on_v6:
-   - none
-
-bind9_gateway_listen_on:
-  - any
-
-#bind9_gateway_allow_transfer: {}
-bind9_gateway_allow_transfer:
-   - internaldns
-
-bind9_transfer_source:  !!str "192.168.11.1"
-bind9_notify_source: !!str "192.168.11.1"
-
-#bind9_gateway_allow_query: {}
-bind9_gateway_allow_query:
-  - local-net
-
-#bind9_gateway_allow_query_cache: {}
-bind9_gateway_allow_query_cache:
-  - local-net
-
-bind9_gateway_recursion:  !!str "yes"
-#bind9_gateway_allow_recursion: {}
-bind9_gateway_allow_recursion:
-  - local-net
-
-
-# ---
-# vars used by roles/common/tasks/git.yml
-# ---
-
-git_firewall_repository:
-  name: ipt-gateway
-  repo: https://git.oopen.de/firewall/ipt-gateway
-  dest: /usr/local/src/ipt-gateway
-
-# ==============================
-
-
-# ---
-# vars used by scripts/reset_root_passwd.yml
-# ---
-
-root_user:
-  name: root
-  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
-

host_vars/mm-migration.oopen.de.yml

@@ -0,0 +1,141 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+sshd_permit_root_login: !!str "prohibit-password"
+
+# ---
+# vars used by apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+  - 195.201.179.131
+  - 95.217.204.204
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+

host_vars/o29.oopen.de.yml

@@ -23,7 +23,7 @@ network_interfaces:
 
   - device: br0
     # use only once per device (for the first device entry)
-    headline: br0 - bridge over device enp35s0
+    headline: br0 - bridge over device enp8s0
 
     # auto & allow are only used for the first device entry
     allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -31,11 +31,11 @@ network_interfaces:
 
     family: inet
     method: static
-    hwaddress: a8:a1:59:3e:bd:b8
+    hwaddress: 9c:6b:00:6d:f5:a1
     description:
-    address: 135.181.136.120
+    address: 65.21.220.154
     netmask: 26
-    gateway: 135.181.136.65
+    gateway: 65.21.220.129
     metric:
     pointopoint:
     mtu:
@@ -80,7 +80,7 @@ network_interfaces:
     #   maxwait:
     #   waitport:
     bridge:
-      ports: enp35s0 # for mor devices support a blank separated list
+      ports: enp8s0 # for mor devices support a blank separated list
       stp: !!str off
       fd: 1
       hello: 2
@@ -107,7 +107,7 @@ network_interfaces:
     # inline hook scripts
     pre-up: [] # pre-up script lines
     up: 
-      - !!str "route add -net 135.181.136.64 netmask 255.255.255.192 gw 135.181.136.65 dev br0" # up script lines
+      - !!str "route add -net 65.21.220.128 netmask 255.255.255.192 gw 65.21.220.129 dev br0" # up script lines
     post-up: [] # post-up script lines (alias for up)
     pre-down: [] # pre-down script lines (alias for down)
     down: [] # down script lines
@@ -118,7 +118,7 @@ network_interfaces:
   - device: br0
     family: inet6
     method: static
-    address: 2a01:4f9:3a:1051::2
+    address: 2a01:4f9:3080:318c::2
     netmask: 64
     gateway: fe80::1
 

host_vars/web0.warenform.de.yml

@@ -142,6 +142,28 @@ ssh_keypair_backup_client:
 #
 # see: roles/common/tasks/vars
 
+sudoers_file_user_aliases:
+   - name: WEB_USER
+     entry: 'webadmin, axel, chris'
+   - name: MAIN_USER
+     entry: 'sysadm, axel, chris'
+
+sudoers_file_cmnd_aliases:
+  - name: REBOOT
+    entry: '/sbin/reboot'
+  - name: MANAGE_SERVICE
+    entry: '/usr/bin/systemctl'
+
+sudoers_file_user_privileges:
+  - name: MAIN_USER
+    entry: ALL = REBOOT, MANAGE_SERVICE
+  - name: WEB_USER
+    entry: ALL = MANAGE_SERVICE
+
+
+
+
+
 
 # ---
 # vars used by roles/common/tasks/caching-nameserver.yml

hosts

@@ -1,5 +1,4 @@
-
-
+formbricks-nd.oopen.de
 #[so36_server_dehydrated]
 #comm.so36.net ansible_user=ckubu
 #noc.so36.net ansible_user=ckubu
@@ -62,6 +61,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 gw-replacement.local.netz
@@ -132,6 +132,9 @@ o13-pad.oopen.de
 o13-cryptpad.oopen.de
 o13-web.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 o17.oopen.de
 test.mx.oopen.de
 
@@ -159,10 +162,12 @@ cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
 discourse.oopen.de
+mm-migration.oopen.de
 
 o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -178,8 +183,9 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
-# - o29.oopen.de Backup Server
+# - o29.oopen.de Dissens Host System
 o29.oopen.de
+cl-dissens.oopen.de
 
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@@ -321,6 +327,9 @@ o13-cryptpad.oopen.de
 o13-web.oopen.de
 o13-git.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 o17.oopen.de
 test.mx.oopen.de
 test.mariadb.oopen.de
@@ -352,11 +361,13 @@ cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
 discourse.oopen.de
+mm-migration.oopen.de
 
 # - o24.oopen.de
 o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -374,6 +385,7 @@ o26.oopen.de
 
 # - o29.oopen.de
 o29.oopen.de
+cl-dissens.oopen.de
 
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
@@ -443,6 +455,7 @@ mm-rav.oopen.de
 o43.oopen.de
 prometheus-nd.oopen.de
 web-nd.oopen.de
+test-nd.oopen.de
 
 
 lxc-host-kb.anw-kb.netz
@@ -495,6 +508,9 @@ file-kb.anw-kb.netz
 gw-blkr.oopen.de
 file-blkr.blkr.netz
 
+# Dissens
+file-dissens.dissens.netz
+
 # - Kanzlei EBS Leipzig
 gw-ebs.oopen.de
 file-ebs.ebs.netz
@@ -557,6 +573,9 @@ devel-ruby.wf.netz
 # o13.oopen.de
 o13-web.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 # o20.oopen.de (srv-cityslang.cityslang.com)
 o20.oopen.de
 
@@ -614,6 +633,9 @@ o13-mail.oopen.de
 o13-mumble.oopen.de
 o13-web.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 # o17.oopen.de
 test.mariadb.oopen.de
 test.mx.oopen.de
@@ -648,6 +670,9 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -799,12 +824,17 @@ o13-cryptpad.oopen.de
 cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
+mm-migration.oopen.de
 
 # o24.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # Hetzner Cloud CX31 - AK
 
+# o29.oopen.de . Dissens
+cl-dissens.oopen.de
+
 # etventure
 o32.oopen.de
 
@@ -924,9 +954,11 @@ o13-mail.oopen.de
 
 # o23.oopen.de
 mm.oopen.de
+mm-migration.oopen.de
 
 # o24.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # o27.oopen.de
 mail.faire-mobilitaet.de
@@ -989,6 +1021,9 @@ o13-staging-board.oopen.de
 o13-mail.oopen.de
 o13-web.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 # o17.oopen.de
 test.mx.oopen.de
 test.mariadb.oopen.de
@@ -1011,10 +1046,12 @@ oolm-web.oopen.de
 # o23.oopen.de
 cl-01.oopen.de
 mm.oopen.de
+mm-migration.oopen.de
 
 # o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # Hetzner Cloud CX31 - AK
 
@@ -1025,6 +1062,9 @@ cl-fm.oopen.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -1132,6 +1172,9 @@ o28.oopen.de
 # o26.oopen.de
 o26.oopen.de
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK server Jitsi Meet/Nextcloud
 cloud.akweb.de
 
@@ -1282,6 +1325,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 
@@ -1289,6 +1333,7 @@ zapata.opp.netz
 [nfs_server]
 
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 file-ah.kanzlei-kiel.netz
 file-ebs.ebs.netz
 file-fhxb.fhxb.netz
@@ -1355,6 +1400,9 @@ o12.oopen.de
 o13.oopen.de
 o17.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 # Backup Server O.OPEN
 o19.oopen.de
 
@@ -1469,10 +1517,12 @@ cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
 discourse.oopen.de
+mm-migration.oopen.de
 
 # - o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # - o27.oopen.de
 cl-fm.oopen.de
@@ -1480,6 +1530,9 @@ mail.faire-mobilitaet.de
 
 # Hetzner Cloud CX31 - AK
 
+# o29.oopen.de - Dissens
+cl-dissens.oopen.de
+
 # o30.oopen.de - AK Server Nextcloud/Jitsi Meet
 meet.akweb.de
 cloud.akweb.de
@@ -1545,6 +1598,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 
@@ -1628,6 +1682,9 @@ o13-cryptpad.oopen.de
 o13-web.oopen.de
 o13-git.oopen.de
 
+# Freiheit für daniela
+o14.oopen.de
+
 # - o17.oopen.de
 o17.oopen.de
 test.mx.oopen.de
@@ -1660,11 +1717,13 @@ cp-01.oopen.de
 meet.oopen.de
 mm.oopen.de
 discourse.oopen.de
+mm-migration.oopen.de
 
 # - o24.oopen.de
 o24.oopen.de
 cl-irights.oopen.de
 mm-irights.oopen.de
+mm-irights-migration.oopen.de
 
 # IL - PAD
 o25.oopen.de
@@ -1680,6 +1739,10 @@ mail.faire-mobilitaet.de
 o28.oopen.de
 o26.oopen.de
 
+# o29.oopen.de
+o29.oopen.de
+cl-dissens.oopen.de
+
 # AK - Server Nextcloud/Jitsi Meet
 o30.oopen.de
 meet.akweb.de
@@ -1764,6 +1827,7 @@ file-fhxb.fhxb.netz
 file-km.anw-km.netz
 file-kb.anw-kb.netz
 file-blkr.blkr.netz
+file-dissens.dissens.netz
 zapata.opp.netz
 
 

main.yml

@@ -1908,11 +1908,11 @@ tor_hidden_service_port:
 # vars used by modify-munin-ip.yml
 # ---
 
-munin_remote_ipv4: 135.181.136.84
-munin_remote_ipv6: 2a01:4f9:3a:1051::84
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::22
 
-munin_remote_ipv4_old: 95.217.64.122
-munin_remote_ipv6_old: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4_old: 135.181.136.84
+munin_remote_ipv6_old: 2a01:4f9:3a:1051::84
 
 
 # ---

mm-irights-migration.oopen.de.yml

@@ -0,0 +1,147 @@
+---
+
+# ---
+# vars used by roles/ansible_dependencies
+# ---
+
+
+# ---
+# vars used by roles/ansible_user
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/basic.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sshd.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/apt.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/systemd-resolved.yml
+# ---
+
+systemd_resolved: true
+
+# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
+#   Primäre DNS-Adresse: 38.132.106.139
+#   Sekundäre DNS-Adresse: 194.187.251.67
+#
+# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
+#   primäre DNS-Adresse
+#      IPv4: 1.1.1.1
+#      IPv6: 2606:4700:4700::1111
+#   sekundäre DNS-Adresse
+#      IPv4: 1.0.0.1
+#      IPv6: 2606:4700:4700::1001 
+# 
+# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
+#   primäre DNS-Adresse
+#      IPv4: 8.8.8.8
+#      IPv6: 2001:4860:4860::8888
+#   sekundäre DNS-Adresse
+#      IPv4: 8.8.4.4
+#      IPv6: 2001:4860:4860::8844
+#
+# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
+#   primäre DNS-Adresse
+#      IPv4: 9.9.9.9  
+#      IPv6: 2620:fe::fe 
+#   sekundäre DNS-Adresse
+#      IPv4: 149.112.112.112
+#      IPv6: 2620:fe::9
+#
+# OpenNIC - https://www.opennic.org/
+#      IPv4: 195.10.195.195 - ns31.de 
+#      IPv4: 94.16.114.254  - ns28.de 
+#      IPv4: 51.254.162.59  - ns9.de   
+#      IPv4: 194.36.144.87  - ns29.de
+#      IPv6: 2a00:f826:8:2::195 - ns31.de
+# 
+# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) 
+#    IPv4: 5.1.66.255
+#    IPv6: 2001:678:e68:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    IPv4: 185.150.99.255
+#    IPv6: 2001:678:ed0:f000::
+#    Servername für DNS-over-TLS: dot.ffmuc.net
+#    für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
+resolved_nameserver:
+  - 185.12.64.2
+  - 2a01:4ff:ff00::add:1
+  - 185.12.64.1
+  - 2a01:4ff:ff00::add:2
+
+# search domains
+#
+# If there are more than one search domains, then specify them here in the order in which 
+# the resolver should also search them
+#
+#resolved_domains: []
+resolved_domains:
+  - ~.
+  - oopen.de
+
+resolved_dnssec: false
+
+# dns.as250.net: 194.150.168.168
+#
+resolved_fallback_nameserver:
+   - 194.150.168.168
+
+
+# ---
+# vars used by roles/common/tasks/users.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/users-systemfiles.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/webadmin-user.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/sudoers.yml
+# ---
+#
+# see: roles/common/tasks/vars
+
+
+# ---
+# vars used by roles/common/tasks/caching-nameserver.yml
+# ---
+
+
+# ---
+# vars used by roles/common/tasks/git.yml
+# ---
+
+git_firewall_repository:
+  name: ipt-server
+  repo: https://git.oopen.de/firewall/ipt-server
+  dest: /usr/local/src/ipt-server
+
+# ==============================
+
+
+# ---
+# vars used by scripts/reset_root_passwd.yml
+# ---
+
+root_user:
+  name: root
+  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
+

playbook.yml

@@ -0,0 +1,58 @@
+---
+
+# Intended to be run once for every new server to secure the ssh connection allowing the team access
+# with their public keys. This script will lock itself out from every server it is run on.
+# Further playbooks are intended to be run by logging in as one of the created users.
+# It also ensures python2 is installed as it's necessary for the modules used in this playbook at
+# the time of this writing.
+
+# The used login data depends on the used server provider. In most cases the ansible_user will be
+# root, but we can't safely assume anything.
+# The following line is an example for securing a new vagrant maching, after running `vagrant up`:
+# ansible-playbook first_run.yml -i hosts -u vagrant --private-key='~/.vagrant.d/insecure_private_key'
+# For real providers it could look like:
+# ansible-playbook first_run.yml -i hosts -u root --private-key='~/.ssh/id_rsa'
+# If you don't have a ssh-key on the server and the server expects password authentication use:
+# ansible-playbook first_run.yml -i hosts -u root --ask-pass
+
+#- hosts: all
+#  strategy: free
+#
+##  vars_prompt:
+##
+##  - name: ansible_become_password
+##    prompt: "Give your local Password here:"
+#
+#  roles:
+#    - common
+
+- hosts: ansible_dependencies
+  strategy: free
+  gather_facts: false
+
+  roles:
+     - ansible_dependencies-ubuntu-noble
+     - ansible_user_debian
+
+- hosts: initial_setup
+  strategy: free
+
+#  vars_prompt:
+#
+#  - name: ansible_become_password
+#    prompt: "Give your local Password here:"
+
+  roles:
+    - ubuntu-server
+
+#- hosts: debian-server
+#  strategy: free
+#
+##  vars_prompt:
+##
+##  - name: ansible_become_password
+##    prompt: "Give your local Password here:"
+#
+#  roles:
+#    - common
+

roles/ansible_dependencies-ubuntu-noble/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: re-synchronize the package index files from their sources
+  raw: apt-get update
+  
+- name: Ensure aptitude is present
+  raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
+
+- name: Ensure python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
+
+- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
+
+- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
+  raw: test -e  /usr/bin/python && (apt -y update && apt install -y python-apt-common)
+
+- name: Ensure python-apt is present (This is necessary for ansible to work properly)
+  raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
+
+- name: dpkg --configure -a
+  command: >
+    dpkg --configure -a
+  args:
+    warn: false
+  changed_when: _dpkg_configure.stdout_lines | length
+  register: _dpkg_configure
+  when: apt_dpkg_configure|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt upgrade
+  apt:
+    upgrade: "{{ apt_upgrade_type }}"
+    update_cache: true
+    dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
+  when: apt_upgrade|bool
+  tags:
+    - ansible-dependencies
+
+- name: apt install ansible dependencies
+  apt:
+    name: "{{ apt_ansible_dependencies }}"
+    state: "{{ apt_install_state }}"
+  tags:
+    - ansible-dependencies
+

roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts

@@ -20,9 +20,42 @@
 
 # give hostnames to blocke here
 
+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+#mtasv\.net$
+
 # edge.toprains.shop:w
 edge\.toprains\.shop$
 
+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#mailjet\.com$
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$
+
 #  Specht Office
 mta3\.dev\.60cr\.com$
 
@@ -31,3 +64,42 @@ lichtbringer\.shop$
 
 # insights.sternenpfad.shop
 insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# info Herrenmeds anfordern
+fullendoscopy\.mx$
+
+# Premium-Werkzeugwagen:
+minillq\.com$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+game\.cn$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com$
+
+# Sofortiger zweisprachiger Sprachübersetzer
+# - kein Eintrag -

roles/common/files/mailserver/etc/postfix/postfwd.bl-nets

@@ -12,9 +12,45 @@
 #
 # ---
 
+# Werkzeug
+5.135.22.148/30
+
+# Mehr Energie für Ihre Schritte
+5.196.53.204/30
+
+# Wiederherstellung des Sehvermogens ohne Operation
+31.28.27.0/24
+
+# info re_zeptfrei ordern
+45.61.128.0/18
+
+# HL Group
+45.132.181.0/24
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+#50.31.205.0/24
+
 # edge.toprains.shop
 51.89.16.112
 
+# Ideal für Apple- und Samsung-Fans
+51.195.36.112/26
+
+# Bitcoin Boom / GHOSTnet GmbH
+85.93.0.0/19
+
+# Spiegel.de
+85.93.19.234
+
+# Kundensupport - photoTAN
+#87.253.233.0/24
+
+# LOTTO-Rabatt
+89.22.116.0/24
+
+# info mit ETFs die Millionen knacken?
+89.144.4.211
+
 # Specht Office
 91.193.18.0/24
 
@@ -24,5 +60,44 @@
 # insights.sternenpfad.shop
 94.23.152.0/21
 
+# info rezeptfre-i Bestellung
+104.244.72.0/21
+
+# info Herrenmeds anfordern
+107.189.0.0/19
+
+# Premium-Werkzeugwagen:
+162.220.163.128/25
+
+# zaubermoment.shop
+178.32.96.0/19
+
+# Lustexperte
+178.32.136.0/21
+
+# herzenstone.shop
+178.33.112.0/21
+
 # ??
 181.214.99.0/24
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+185.91.69.0/24
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+185.173.235.0/24
+
+# Ein Sprühstoß für die sofortige Erektion!
+188.165.0.0/21
+
+# Home Security / preview.glanzpunkt.shop
+188.165.128.0/21
+
+# Phishing IHK
+191.96.209.0/24
+
+# info rezeptf-rei Bestellung
+198.98.48.0/20
+
+# Sofortiger zweisprachiger Sprachübersetzer
+213.202.222.185

roles/common/files/mailserver/etc/postfix/postfwd.bl-sender

@@ -36,11 +36,45 @@ ludwigpestow@gmail.com
 
 # annoying spammer domains
 @acieu\.co\.uk$
+@inbox\.ru$
 
 # ----
 
+# Werkzeug
+katherina-remberg\.de$
+
+# Mehr Energie für Ihre Schritte
+elcoino\.de$
+
+# Wiederherstellung des Sehvermogens ohne Operation
+toonaca\.or\.mg$
+
+# info re_zeptfrei ordern
+radiotrabajandoparacristoirmp\.com$
+
+# HL Group
+group-hire\.com$
+
+# Erinnerung: Überzahlung entdeckt – Ihre Rückerstattung wartet!
+toldfinancialcapital\.com$
+
 # edge.toprains.shop
-@edge.toprains.shop$
+toprains.shop$
+
+# Ideal für Apple- und Samsung-Fans
+sdeals\.shop$
+
+# Spiegel.de
+delpieroacademy\.com$
+
+# Kundensupport - photoTAN
+#@laurash.net
+
+# LOTTO-Rabatt
+gdwr\.de$
+
+# info mit ETFs die Millionen knacken?
+movingcompanywheaton\.com$
 
 # Specht Offic
 officeuf@jxb669\.com$
@@ -53,10 +87,46 @@ officeuf@
 lichtbringer\.shop$
 
 # insights.sternenpfad.shop
-@insights\.sternenpfad\.shop$
+insights\.sternenpfad\.shop$
+
+# info rezeptfre-i Bestellung
+ugms\.org$
+
+# Premium-Werkzeugwagen:
+ezhifeng.co$
+
+# zaubermoment.shop
+zaubermoment\.shop$
+
+# Lustexperte
+jetztpower\.shop$
+
+# herzenstone.shop
+herzenstone\.shop$
 
 # ??  181.214.99.0/24
-imrx4k.com$
+imrx4k\.com$
+
+# Versand - Wichtige Neiuheit (a2hosted.com)
+a2hosted\.com$
+
+# Eleganz trifft Funktion: Metall-Kugelschreiber mit Logo
+izilian\.com$
+
+# Ein Sprühstoß für die sofortige Erektion!
+perfektepower\.shop$
+
+# Home Security / preview.glanzpunkt.shop
+glanzpunkt\.shop$
+
+# Phishing IHK
+rightappearance\.com$
+
+# info rezeptf-rei Bestellung
+sectiontrading\.com%
+
+# Sofortiger zweisprachiger Sprachübersetzer
+delavers\.de$
 
 # ---
 

roles/common/handlers/main.yml

@@ -93,3 +93,9 @@
   service:
     name: nfs-kernel-server
     state: restarted
+
+- name: Restart ntp
+  service:
+    name: ntpsec
+    daemon_reload: yes
+    state: restarted

roles/common/tasks/apt.yml

@@ -135,6 +135,16 @@
   tags:
     - apt-initial-install
 
+- name: (apt.yml) Initial install ubuntu packages (noble)
+  apt:
+    name: "{{ apt_initial_install_ubuntu_noble }}"
+    state: "{{ apt_install_state }}"
+  when:
+    - ansible_facts['distribution'] == "Ubuntu"
+    - ansible_facts['distribution_release'] == "noble"
+  tags:
+    - apt-initial-install
+
 
 # ---
 # Microcode

roles/common/tasks/main.yml

@@ -1,5 +1,9 @@
 ---
 
+- import_tasks: show.yml
+  tags:
+   - show
+
 # tags supported inside basic.yml
 #
 #    timezone
@@ -148,6 +152,18 @@
   tags: sudoers
 
 
+- import_tasks: motd.yml
+  tags: motd
+
+
+# tags supported inside ntp.yml:
+#
+#    ntp-server
+- import_tasks: ntp.yml
+  tags:
+    - ntp
+
+
 # tags supportetd inside git.yml
 #
 #   git-firewall-repository

roles/common/tasks/motd.yml

@@ -0,0 +1,26 @@
+---
+
+# ----------
+# /etc/motd
+# ----------
+
+- name: (motd.yml) Check if /etc/motd.ORIG exist
+  stat:
+    path: /etc/motd.ORIG
+  register: motd_orig_exist
+
+- name: (motd.yml) Check if /etc/motd exist
+  stat:
+    path: /etc/motd
+  register: motd_exist
+
+
+- name: (motd.yml)  Backup existing file /etc/motd
+  command: cp -a /etc/motd /etc/motd.ORIG
+  when: 
+   - motd_exist.stat.exists == True
+   - motd_orig_exist.stat.exists == False 
+
+- name: (motd.yml) create /etc/motd
+  shell: figlet {{ ansible_hostname }} > /etc/motd
+  when: motd_orig_exist.stat.exists == False

roles/common/tasks/ntp.yml

@@ -0,0 +1,60 @@
+---
+
+# ---
+# NTP Server
+# ---
+
+- name: (ntp.yml) Ensure ntpsec package is installed.
+  apt:
+    name:
+      - ntpsec
+    state: present
+  when:
+    - ansible_os_family == "Debian"
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Check file '/etc/ntpsec/ntp.conf.ORIG' exists
+  stat:
+    path: /etc/ntpsec/ntp.conf.ORIG
+  register: etc_ntpsec_conf_ORIG
+  when:
+    - ansible_distribution == "Debian"
+  tags:
+    - ntp-server
+
+
+- name: (ntp.yml) Ensure directory '/var/log/ntpsec' is present
+  file:
+    path: /var/log/ntpsec
+    state: directory
+    owner: ntpsec
+    group: ntpsec
+    mode: '0755'
+  when:
+    - ansible_distribution == "Debian"
+
+
+- name: (ntp.yml) Backup installation version of file '/etc/ntpsec/ntp.conf'
+  command: cp /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf.ORIG
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - etc_ntpsec_conf_ORIG.stat.exists == False
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+
+- name: (ntp.yml) Update '/etc/ntpsec/ntp.conf'
+  template:
+    src: "etc/ntpsec/ntp.conf.j2"
+    dest: /etc/ntpsec/ntp.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart ntp
+  when:
+    - groups['oopen_office_server']|string is search(inventory_hostname)
+    - local_ntp_service is defined and local_ntp_service|bool
+  tags:
+    - ntp-server
+

roles/common/tasks/show.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Show hostname
+  debug:
+    msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] }}.{{ ansible_fqdn.split('.')[1] | default('NONE')   }}.{{ ansible_fqdn.split('.')[2] | default('NONE')  }}"
+#    msg: "Host: {{ ansible_fqdn | split('.') | first }} FQDN: {{ ansible_fqdn.split('.')[0] | join( '.') }} | {{ join ( ansible_fqdn.split('.')[1] ) }}"
+

roles/common/templates/etc/ntpsec/ntp.conf.j2

@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntpsec/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# To enable Network Time Security support as a server, obtain a certificate
+# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
+# nts cert CERT_FILE
+# nts key KEY_FILE
+# nts enable
+
+# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
+#statsdir /var/log/ntpsec/
+#statistics loopstats peerstats clockstats
+#filegen loopstats file loopstats type day enable
+#filegen peerstats file peerstats type day enable
+#filegen clockstats file clockstats type day enable
+
+# This should be maxclock 7, but the pool entries count towards maxclock.
+tos maxclock 11
+
+# Comment this out if you have a refclock and want it to be able to discipline
+# the clock by itself (e.g. if the system is not connected to the network).
+#tos minclock 4 minsane 3
+
+# Specify one or more NTP servers.
+
+# Public NTP servers supporting Network Time Security:
+# server time.cloudflare.com nts
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <https://www.pool.ntp.org/join.html>
+#pool 0.debian.pool.ntp.org iburst
+#pool 1.debian.pool.ntp.org iburst
+#pool 2.debian.pool.ntp.org iburst
+#pool 3.debian.pool.ntp.org iburst
+server {{ ntp_server }}
+
+# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
+# for details.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict default kod nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1

roles/common/templates/etc/systemd/resolved.conf.d/50-resolved-local.conf

@@ -26,5 +26,5 @@ Domains={{ fact_resolved_domains }}
 {% if (resolved_dnssec is defined) and resolved_dnssec %}
 DNSSEC={{ resolved_dnssec }}
 {% else %}
-#Domains=
+#DNSSEC=allow-downgrade
 {% endif %}

roles/firewall/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
-munin_remote_ipv4: 95.217.64.122
-munin_remote_ipv6: 2a01:4f9:4a:2b57::122
+munin_remote_ipv4: 37.27.121.227
+munin_remote_ipv6: 2a01:4f9:3070:2bda::227
 
 
 is_dns_server: false

roles/firewall/handlers/main.yml

@@ -7,14 +7,8 @@
   service:
     name: ipt-firewall
     state: restarted
-  when:
-     - interfaces_ipv4_exists.stat.exists
-     - main_ipv4_exists.stat.exists
 
 - name: Restart IPv6 Firewall
   service:
     name: ip6t-firewall
     state: restarted
-  when:
-     - interfaces_ipv6_exists.stat.exists
-     - main_ipv6_exists.stat.exists

roles/ubuntu-server/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: show
+  import_role:
+    name: common
+    tasks_from: show.yml
+
+- name: basic
+  import_role:
+    name: common
+    tasks_from: basic.yml
+
+- name: apt
+  import_role:
+    name: common
+    tasks_from: apt.yml
+
+- name: motd
+  import_role:
+    name: common
+    tasks_from: motd.yml
+
+- name: users
+  import_role:
+    name: common
+    tasks_from: users.yml
+  tags:
+    - users
+
+
+- name: users-systemfiles
+  import_role:
+    name: common
+    tasks_from: users-systemfiles
+  tags:
+    - users
+    - users-systemfiles
+
+- name: sshd
+  import_role:
+    name: common
+    tasks_from: sshd.yml
+
+
+- name: sudoers
+  import_role:
+    name: common
+    tasks_from: sudoers.yml
+  tags: sudoers