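---
# ---
# vars used by roles/network_interfaces
# ---
# NOTE(review): this vars file also carries credential material further down
# (crypt(3) password hashes, SSH private-key source paths). Keep it out of
# plain VCS history or move those values into ansible-vault.

# If true, all additional files in the interfaces.d directory are deleted
# (destructive; the directory is given by network_interface_path below).
network_manage_devices: true

# Should the interfaces be reloaded after config change?
network_interface_reload: false

network_interface_path: /etc/network/interfaces.d

network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave
  - resolvconf

# Each entry is rendered into an ifupdown stanza. The up/pre-up/post-up
# commands run as root from ifupdown, so keep them to static, reviewed lines.
network_interfaces:
  - device: eth2
    headline: 'eth2 - Uplink static line (radio) to Altenschlirf'
    auto: true
    family: inet
    method: static
    address: 172.16.111.254
    netmask: 24
    up:
      # - For management Antennas
      - /sbin/ip link add link eth2 name eth2.111 type vlan id 111
    post-up:
      # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
      # -
      # - Telefon Altenschlirf
      - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
      # User Network Altenschlirf
      - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
      # Management Network Altenschlirf
      - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
      # WLan Router (Accesspoints) Altenschlirf
      - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
      #
      # WLan Networks Altenschlirf
      - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
      # DSL via Fritzbox Altenschlirf
      - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
      # - WLAN Gemeinschaft Altenschlirf (Unifi routed Network)
      - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
      # VPN home Network Altenschlirf
      # - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
      # private networks 'ckubu'
      #
      # connections from private ckubu networks are routed through VPN Altenschlirf (gw-ckubu),
      # so we route them back to that gateway.
      - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
      - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253

  - device: eth2.111
    headline: 'eth2.111 - network 10.10.111.0 (management antennas)'
    auto: true
    family: inet
    method: static
    address: 10.10.111.254
    netmask: 24

  - device: eth8
    headline: 'eth8 - holds VLAN 211 device for Network Telefons Stockhausen'
    auto: false
    family: inet
    method: manual
    up:
      - /sbin/ip link add link eth8 name eth8.211 type vlan id 211

  - device: eth8.211
    headline: 'eth8.211 - Network Telefons Stockhausen'
    auto: true
    family: inet
    method: static
    # Note:
    # !! 172.16.211.254 is reserved for LANCom Router (DSL line telefon).
    #    This LANCom Router IS NOT pingable !!
    address: 172.16.211.1
    netmask: 24
    pre-up:
      - /sbin/ifconfig eth8 up

  - device: eth9
    headline: 'eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)'
    auto: true
    family: inet
    method: static
    address: 172.16.11.1
    netmask: 24
    gateway: 172.16.11.254

  - device: eth10
    headline: 'eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490'
    auto: true
    family: inet
    method: static
    address: 172.16.13.1
    netmask: 24
    gateway: 172.16.13.254

  - device: eth11
    headline: 'eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)'
    auto: true
    family: inet
    method: static
    address: 172.16.12.1
    netmask: 24
    gateway: 172.16.12.254

  # ----------
  # Note: Install the 'ifenslave' package, necessary to enable bonding:
  #
  #    apt-get install ifenslave
  # ----------
  - device: bond0
    headline: 'bond0 - LAG (Link Aggregation) on devices eth0 and eth4'
    auto: true
    family: inet
    method: static
    address: 10.1.9.254
    netmask: 24
    bond:
      slaves: eth0 eth4
      # Mode 4 (802.3ad)
      #
      # also possible here:
      #   - Mode 5: balance-tlb
      #   - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
      - /sbin/ip link add link bond0 name bond0.11 type vlan id 11
      # VLAN 78 for network Georgshaus 192.168.78.0/24
      - /sbin/ip link add link bond0 name bond0.78 type vlan id 78

  - device: bond0.11
    headline: 'bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)'
    auto: true
    family: inet
    method: static
    address: 10.10.11.254
    netmask: 24

  - device: bond0.78
    headline: 'bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)'
    auto: true
    family: inet
    method: static
    address: 192.168.78.254
    netmask: 24

  # ----------
  # Note: Install the 'ifenslave' package, necessary to enable bonding:
  #
  #    apt-get install ifenslave
  # ----------
  - device: bond1
    headline: 'bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen'
    auto: true
    family: inet
    method: static
    address: 192.168.11.254
    netmask: 24
    nameservers:
      - 192.168.11.1
      - 192.168.10.3
    search: ga.netz ga.intra
    bond:
      slaves: eth1 eth5
      # Mode 4 (802.3ad)
      #
      # also possible here:
      #   - Mode 5: balance-tlb
      #   - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 121 - for Ubiquiti UniFi Accesspoints
      - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
      # Route ??? (purpose undocumented in the original; confirm with the network owner)
      - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6

  - device: bond1.121
    headline: 'bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints'
    auto: true
    family: inet
    method: static
    address: 10.121.15.254
    netmask: 20

  - device: 'bond1:ns'
    headline: 'bond1:ns - Alias IP on bond1 device for Nameservice'
    auto: true
    family: inet
    method: static
    address: 192.168.11.1
    netmask: 32

  - device: 'bond1:1'
    headline: 'bond1:1 - Alias IP on bond1 device for (depricated) Management Network'
    auto: true
    family: inet
    method: static
    address: 10.10.9.254
    netmask: 24

  - device: 'bond1:ap'
    headline: 'bond1:ap - Alias IP on bond1 device for Network Accesspoints'
    auto: true
    family: inet
    method: static
    address: 10.112.1.254
    netmask: 24
    post-up:
      # - Wireless Networks routed through appropriate Accesspoints
      # -
      - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
      - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
      - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
      - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
      - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
      - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
      - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
      - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
      - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
      - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
      - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
      - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
      - /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
      - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
      - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15

  - device: 'bond1:ipmi'
    headline: 'bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen'
    auto: true
    family: inet
    method: static
    address: 10.11.11.254
    netmask: 24

# ---
# vars used by roles/ansible_dependencies
# ---

# ---
# vars used by roles/ansible_user
# ---

# ---
# vars used by roles/common/tasks/basic.yml
# ---

# ---
# vars used by roles/common/tasks/sshd.yml
# ---

# ---
# vars used by roles/common/tasks/apt.yml
# ---

# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub

insert_keypair_backup_client: true
ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de

# Password values are crypt(3) SHA-512 hashes ($6$...); quoted so no tool
# re-types them. Prefer keeping them in a vaulted vars file.
default_user:
  - name: chris
    password: '$6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'

  - name: wadmin
    password: '$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: '$6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: '$6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n.'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'

# Accounts granted sudo; keep this list minimal and in sync with default_user.
sudo_users:
  - chris
  - sysadm
  - wadmin

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true

# Each ACL is a single-key list item: the key names the ACL, its value holds
# the name again plus the address-match entries.
bind9_gateway_acl:
  - local-net:
      name: local-net
      entries:
        - 127.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 10.0.0.0/8
        - 'fc00::/7'
        - 'fe80::/10'
        - '::1/128'
  - internaldns:
      name: internaldns
      # The quoted '# ...' items are list entries, not YAML comments; presumably
      # the template emits them as comments into the named.conf ACL — confirm.
      entries:
        - 192.168.11.1
        - 192.168.10.3
        - 192.168.10.6
        - '# Nameserver Gateway Altenschlirf'
        - 192.168.10.1
        - 192.168.10.254
        - 172.16.0.1
        - '# Nameserver Gateway Novalishaus'
        - 192.168.81.1
        - 10.2.11.2
        - '# Nameserver wolle'
        - 10.113.12.3
        - '# Postfix Mailserver'
        - 192.168.11.2

bind9_gateway_listen_on_v6:
  - none
# Listening on any address is only safe because query, cache and recursion
# below are each restricted to the local-net ACL; keep those in step.
bind9_gateway_listen_on:
  - any

#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
  - none

# Quoted so the values stay strings; same result as the former !!str tag.
bind9_transfer_source: '192.168.11.1'
bind9_notify_source: '192.168.11.1'

#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
  - local-net

#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
  - local-net

# BIND expects the literal word, so this must stay a string, never a boolean.
bind9_gateway_recursion: 'yes'

#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
  - local-net

# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
  name: root
  password: '$6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.'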