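---
# Host variables for this server. Sections are grouped by the role / task file
# that consumes them.
#
# NOTE(review): password hashes, SSH key locations and authorized keys are
# committed here as plain text; an ansible-vault encrypted vars file is the
# usual place for these so the repository history does not carry them.

# ---
# vars used by roles/network_interfaces
# ---

# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: true

# Should the interfaces be reloaded after config change?
network_interface_reload: false

network_interface_path: /etc/network/interfaces.d

network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave

network_interfaces:
  # Many device configurations are possible (as many as needed)
  #
  - device: enp6s0
    # use only once per device (for the first device entry)
    headline: enp6s0 - primary device
    # auto & allow are only used for the first entry of that device name
    # allow: []  # array of allow-[stanzas] eg. allow-hotplug
    auto: true
    family: inet
    # The static method
    # Options
    #   address
    #   gateway
    #   pointopoint
    #   hwaddress
    #   mtu
    #   scope
    #
    # The manual method
    # Options
    #   hwaddress
    #   mtu
    #
    # The dhcp method
    # Options
    #   hwaddress
    #   hostname
    #   metric
    #   leasehours
    #   leasetime
    #   vendor
    #   client
    #
    # The bootp method
    # Options
    #   bootfile:
    #   server:
    #   hwaddr
    #
    method: static
    hwaddress:
    description:
    address: 37.27.129.85
    # dotted quad or number of bits
    #
    # the entry will be: address/netmask
    netmask: 26
    gateway: 37.27.129.65
    metric:
    pointopoint:
    mtu:
    scope:
    # additionally used by the dhcp method
    #
    hostname:
    leasehours:
    leasetime:
    vendor:
    client:
    # additionally used by the bootp method
    #
    bootfile:
    server:
    hwaddr:
    # optional dns settings
    nameservers: []
    #
    # nameservers:
    #   - 194.150.168.168  # dns.as250.net
    #   - 91.239.100.100   # anycast.censurfridns.dk
    # search: warenform.de
    #
    # nameservers:
    #   - 185.12.64.1
    #   - 2a01:4ff:ff00::add:2
    # search:
    # optional additional subnets/ips
    subnets: []
    # subnets:
    #   - '192.168.123.0/24'
    #   - '192.168.124.11/32'
    # optional bridge parameters
    # (each key is defined once: duplicate mapping keys are invalid YAML and
    # most parsers silently keep only the last occurrence)
    # bridge:
    #   ports:
    #   stp:
    #   fd:
    #   maxwait:
    #   waitport:
    bridge: {}
    # optional bonding parameters
    # bond:
    #   master
    #   primary
    #   slave
    #   mode:
    #   miimon:
    #   lacp-rate:
    #   ad-select-rate:
    #   master:
    #   slaves:
    bond: {}
    # optional vlan settings
    # vlan:
    #   raw-device: 'eth0'
    vlan: {}
    # inline hook scripts
    #
    # example:
    #
    # up:
    #   - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp6s0"
    #
    pre-up: []  # pre-up script lines
    up:
      - !!str "route add -net 37.27.129.64 netmask 255.255.255.192 gw 37.27.129.65 dev enp6s0"
    post-up: []  # post-up script lines (alias for up)
    pre-down: []  # pre-down script lines (alias for down)
    down: []  # down script lines
    post-down: []  # post-down script lines

  - device: enp6s0
    # use only once per device (for the first device entry)
    headline:
    # auto & allow are only used for the first device entry
    allow: []  # array of allow-[stanzas] eg. allow-hotplug
    auto:
    family: inet6
    method: static
    address: 2a01:4f9:3071:1141::2
    netmask: 64
    gateway: fe80::1
    metric:
    pointopoint:
    mtu:
    scope:
    # additionally used by the dhcp method
    #
    hostname:
    leasehours:
    leasetime:
    vendor:
    client:
    # additionally used by the bootp method
    #
    bootfile:
    server:
    hwaddr:
    # optional dns settings
    nameservers: []
    #
    # nameservers:
    #   - 194.150.168.168  # dns.as250.net
    #   - 91.239.100.100   # anycast.censurfridns.dk
    # search: warenform.de
    #
    # nameservers:
    search:
    # optional additional subnets/ips
    subnets: []
    # subnets:
    #   - '192.168.123.0/24'
    #   - '192.168.124.11/32'
    # optional bridge parameters
    # bridge:
    #   ports:
    #   stp:
    #   fd:
    #   maxwait:
    #   waitport:
    bridge: {}
    # optional bonding parameters
    # bond:
    #   mode:
    #   miimon:
    #   master:
    #   slaves:
    #   lacp-rate:
    bond: {}
    # optional vlan settings
    # vlan:
    #   raw-device: 'eth0'
    vlan: {}
    # inline hook scripts
    pre-up: []  # pre-up script lines
    up: []  # up script lines
    post-up: []  # post-up script lines (alias for up)
    pre-down: []  # pre-down script lines (alias for down)
    down: []  # down script lines
    post-down: []  # post-down script lines

# ---
# vars used by roles/ansible_dependencies
# ---

# ---
# vars used by roles/ansible_user
# ---
insert_root_ssh_keypair: true

# Each entry copies a private/public key pair from the source host path into
# /root/.ssh on this host.
root_ssh_keypair:
  - name: borg-client_key
    priv_key_src: o26.oopen.de/root/.ssh/borg-client_key
    priv_key_dest: /root/.ssh/borg-client_key
    pub_key_src: o26.oopen.de/root/.ssh/borg-client_key.pub
    pub_key_dest: /root/.ssh/borg-client_key.pub
  - name: id_ed25519-borg-backup
    priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-borg-backup
    priv_key_dest: /root/.ssh/id_ed25519-borg-backup
    pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-borg-backup.pub
    pub_key_dest: /root/.ssh/id_ed25519-borg-backup.pub
  - name: id_ed25519-gitea
    priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-gitea
    priv_key_dest: /root/.ssh/id_ed25519-gitea
    pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-gitea.pub
    pub_key_dest: /root/.ssh/id_ed25519-gitea.pub
  - name: id_ed25519-backup
    priv_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup
    priv_key_dest: /root/.ssh/id_ed25519-backup
    pub_key_src: o26.oopen.de/root/.ssh/id_ed25519-backup.pub
    # '.pub' suffix added: the destination previously collided with
    # priv_key_dest, so the public key would have overwritten the private key
    # file (or vice versa, depending on copy order).
    pub_key_dest: /root/.ssh/id_ed25519-backup.pub

# ---
# vars used by roles/common/tasks/basic.yml
# ---

# ---
# vars used by roles/common/tasks/sshd.yml
# ---

# ---
# vars used by roles/common/tasks/apt.yml
# ---
# apt_manage_sources_list: false

# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true

# CyberGhost - fast connection with a no-logs privacy policy
#   primary DNS address:   38.132.106.139
#   secondary DNS address: 194.187.251.67
#
# Cloudflare (USA) - best free DNS server for gaming with reliable connections
#   primary DNS address
#     IPv4: 1.1.1.1
#     IPv6: 2606:4700:4700::1111
#   secondary DNS address
#     IPv4: 1.0.0.1
#     IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - great combination of speed and security
#   primary DNS address
#     IPv4: 8.8.8.8
#     IPv6: 2001:4860:4860::8888
#   secondary DNS address
#     IPv4: 8.8.4.4
#     IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - blocks malicious sites and prevents phishing scams
#   primary DNS address
#     IPv4: 9.9.9.9
#     IPv6: 2620:fe::fe
#   secondary DNS address
#     IPv4: 149.112.112.112
#     IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
#   IPv4: 195.10.195.195 - ns31.de
#   IPv4: 94.16.114.254 - ns28.de
#   IPv4: 51.254.162.59 - ns9.de
#   IPv4: 194.36.144.87 - ns29.de
#   IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (plain DNS, DNS-over-TLS and DNS-over-HTTPS)
#   IPv4: 5.1.66.255
#   IPv6: 2001:678:e68:f000::
#   server name for DNS-over-TLS: dot.ffmuc.net
#   IPv4: 185.150.99.255
#   IPv6: 2001:678:ed0:f000::
#   server name for DNS-over-TLS: dot.ffmuc.net
#   for iOS 14+: DoT server configuration (unsigned, from PrHdb)
resolved_nameserver:
  - 185.12.64.1
  - 2a01:4ff:ff00::add:2
  - 185.12.64.2
  - 2a01:4ff:ff00::add:1

# search domains
#
# If there is more than one search domain, specify them here in the order in
# which the resolver should search them
#
# resolved_domains: []
resolved_domains:
  - '~.'  # quoted so the leading '~' is never read as YAML null
  - oopen.de

resolved_dnssec: false

# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
  - 194.150.168.168

# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
  - name: PATH
    job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  - name: SHELL
    job: /bin/bash
    insertafter: PATH

cron_user_special_time_entries:
  - name: "Restart DNS Cache service 'systemd-resolved'"
    special_time: reboot
    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
    insertafter: PATH
  - name: "Check if postfix mailservice is running. Restart service if needed."
    special_time: reboot
    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
    insertafter: PATH

cron_user_entries:
  - name: "Remote Borg Backup"
    minute: '04'
    hour: '00'
    job: /root/crontab/backup-rborg/rborg.sh
  - name: "Check if SSH service is running. Restart service if needed."
    minute: '*/5'
    hour: '*'
    job: /root/bin/monitoring/check_ssh.sh
  - name: "Check connectifity - reboot if needed"
    minute: '*/10'
    hour: '*'
    job: /root/bin/admin-stuff/check-connectivity.sh
  - name: "Check if Postfix Mailservice is up and running?"
    minute: '*/15'
    hour: '*'
    job: /root/bin/monitoring/check_postfix.sh
  - name: "Check if NTP service 'ntpsec' is up and running?"
    minute: '*/30'
    hour: '*'
    job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
  # - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
  #   minute: '16'
  #   hour: '00'
  #   weekday: '1-6'
  #   job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
  #
  # - name: "On sunday morning also determine diskspace usage"
  #   minute: '16'
  #   hour: '00'
  #   weekday: 7
  #   job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
  #
  # - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
  #   minute: '23'
  #   hour: '05'
  #   job: /var/lib/dehydrated/cron/dehydrated_cron.sh
  #
  # - name: "Check whether all certificates are included in the VHOST configurations"
  #   minute: '33'
  #   hour: '05'
  #   job: /var/lib/dehydrated/tools/update_ssl_directives.sh
  - name: "Check hard disc usage."
    minute: '43'
    hour: '6'
    job: /root/bin/admin-stuff/check-disc-usage.sh -c 85

# ---
# vars used by roles/common/tasks/users.yml
# ---
# password values are crypt(3) hashes; they are quoted so YAML tooling never
# re-types them.
default_user:
  - name: chris
    password: '$y$j9T$t0OK33lTuB/3TME5h/GHn.$4EjhvjhelkpUB2vqWPBdDCV3xCwBcJHpDobTkkuHxy.'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: '$y$j9T$LIF1RrShGDGdCXkUubRPR/$N8M5c/dhBdJkJrLP3/Lchyosjg0FxaQ2M4epvuzTI78'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: '$y$j9T$bqr.c39mSZOjjhVo/qmM2.$riPJ81SHLqfJMQ6/ZdeWNP7ma8R5nehI9mo5K8oUkw1'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: '$y$j9T$uYqbl2A6vQ6WsLinzhUfG0$/w02iPud/LURbhY19DGtKWgKNFTpNEP7J.jOu5CZPh.'
    shell: /bin/bash
    # keys of the remote backup hosts that push to / pull from this account
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
  - name: borg
    user_id: 1065
    group_id: 1065
    group: borg
    password: '$y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsPJQGHl1GVZ3yPl3Oi3xlH+EUsN1/EWDY2XAohag/P root@mail-fm'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board'

extra_system_user:
  - name: www-data
    home: /var/www
    groups: sftp_users

sudo_users:
  - chris
  - sysadm
  - localadmin

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---

# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
  name: root
  password: '$6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.'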